fs/vfs/security: pass last path component to LSM on inode creation
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/dcache.h>
43 #include <linux/file.h>
44 #include <linux/fdtable.h>
45 #include <linux/namei.h>
46 #include <linux/mount.h>
47 #include <linux/proc_fs.h>
48 #include <linux/netfilter_ipv4.h>
49 #include <linux/netfilter_ipv6.h>
50 #include <linux/tty.h>
51 #include <net/icmp.h>
52 #include <net/ip.h>             /* for local_port_range[] */
53 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
54 #include <net/net_namespace.h>
55 #include <net/netlabel.h>
56 #include <linux/uaccess.h>
57 #include <asm/ioctls.h>
58 #include <asm/atomic.h>
59 #include <linux/bitops.h>
60 #include <linux/interrupt.h>
61 #include <linux/netdevice.h>    /* for network interface checks */
62 #include <linux/netlink.h>
63 #include <linux/tcp.h>
64 #include <linux/udp.h>
65 #include <linux/dccp.h>
66 #include <linux/quota.h>
67 #include <linux/un.h>           /* for Unix socket types */
68 #include <net/af_unix.h>        /* for Unix socket types */
69 #include <linux/parser.h>
70 #include <linux/nfs_mount.h>
71 #include <net/ipv6.h>
72 #include <linux/hugetlb.h>
73 #include <linux/personality.h>
74 #include <linux/sysctl.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
79 #include <linux/posix-timers.h>
80 #include <linux/syslog.h>
81
82 #include "avc.h"
83 #include "objsec.h"
84 #include "netif.h"
85 #include "netnode.h"
86 #include "netport.h"
87 #include "xfrm.h"
88 #include "netlabel.h"
89 #include "audit.h"
90
91 #define NUM_SEL_MNT_OPTS 5
92
93 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing;
101
102 static int __init enforcing_setup(char *str)
103 {
104         unsigned long enforcing;
105         if (!strict_strtoul(str, 0, &enforcing))
106                 selinux_enforcing = enforcing ? 1 : 0;
107         return 1;
108 }
109 __setup("enforcing=", enforcing_setup);
110 #endif
111
112 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
113 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
114
115 static int __init selinux_enabled_setup(char *str)
116 {
117         unsigned long enabled;
118         if (!strict_strtoul(str, 0, &enabled))
119                 selinux_enabled = enabled ? 1 : 0;
120         return 1;
121 }
122 __setup("selinux=", selinux_enabled_setup);
123 #else
124 int selinux_enabled = 1;
125 #endif
126
127 static struct kmem_cache *sel_inode_cache;
128
129 /**
130  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
131  *
132  * Description:
133  * This function checks the SECMARK reference counter to see if any SECMARK
134  * targets are currently configured, if the reference counter is greater than
135  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
136  * enabled, false (0) if SECMARK is disabled.
137  *
138  */
139 static int selinux_secmark_enabled(void)
140 {
141         return (atomic_read(&selinux_secmark_refcount) > 0);
142 }
143
144 /*
145  * initialise the security for the init task
146  */
147 static void cred_init_security(void)
148 {
149         struct cred *cred = (struct cred *) current->real_cred;
150         struct task_security_struct *tsec;
151
152         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
153         if (!tsec)
154                 panic("SELinux:  Failed to initialize initial task.\n");
155
156         tsec->osid = tsec->sid = SECINITSID_KERNEL;
157         cred->security = tsec;
158 }
159
160 /*
161  * get the security ID of a set of credentials
162  */
163 static inline u32 cred_sid(const struct cred *cred)
164 {
165         const struct task_security_struct *tsec;
166
167         tsec = cred->security;
168         return tsec->sid;
169 }
170
171 /*
172  * get the objective security ID of a task
173  */
174 static inline u32 task_sid(const struct task_struct *task)
175 {
176         u32 sid;
177
178         rcu_read_lock();
179         sid = cred_sid(__task_cred(task));
180         rcu_read_unlock();
181         return sid;
182 }
183
184 /*
185  * get the subjective security ID of the current task
186  */
187 static inline u32 current_sid(void)
188 {
189         const struct task_security_struct *tsec = current_security();
190
191         return tsec->sid;
192 }
193
194 /* Allocate and free functions for each kind of security blob. */
195
196 static int inode_alloc_security(struct inode *inode)
197 {
198         struct inode_security_struct *isec;
199         u32 sid = current_sid();
200
201         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
202         if (!isec)
203                 return -ENOMEM;
204
205         mutex_init(&isec->lock);
206         INIT_LIST_HEAD(&isec->list);
207         isec->inode = inode;
208         isec->sid = SECINITSID_UNLABELED;
209         isec->sclass = SECCLASS_FILE;
210         isec->task_sid = sid;
211         inode->i_security = isec;
212
213         return 0;
214 }
215
216 static void inode_free_security(struct inode *inode)
217 {
218         struct inode_security_struct *isec = inode->i_security;
219         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
220
221         spin_lock(&sbsec->isec_lock);
222         if (!list_empty(&isec->list))
223                 list_del_init(&isec->list);
224         spin_unlock(&sbsec->isec_lock);
225
226         inode->i_security = NULL;
227         kmem_cache_free(sel_inode_cache, isec);
228 }
229
230 static int file_alloc_security(struct file *file)
231 {
232         struct file_security_struct *fsec;
233         u32 sid = current_sid();
234
235         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
236         if (!fsec)
237                 return -ENOMEM;
238
239         fsec->sid = sid;
240         fsec->fown_sid = sid;
241         file->f_security = fsec;
242
243         return 0;
244 }
245
246 static void file_free_security(struct file *file)
247 {
248         struct file_security_struct *fsec = file->f_security;
249         file->f_security = NULL;
250         kfree(fsec);
251 }
252
253 static int superblock_alloc_security(struct super_block *sb)
254 {
255         struct superblock_security_struct *sbsec;
256
257         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
258         if (!sbsec)
259                 return -ENOMEM;
260
261         mutex_init(&sbsec->lock);
262         INIT_LIST_HEAD(&sbsec->isec_head);
263         spin_lock_init(&sbsec->isec_lock);
264         sbsec->sb = sb;
265         sbsec->sid = SECINITSID_UNLABELED;
266         sbsec->def_sid = SECINITSID_FILE;
267         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
268         sb->s_security = sbsec;
269
270         return 0;
271 }
272
273 static void superblock_free_security(struct super_block *sb)
274 {
275         struct superblock_security_struct *sbsec = sb->s_security;
276         sb->s_security = NULL;
277         kfree(sbsec);
278 }
279
280 /* The security server must be initialized before
281    any labeling or access decisions can be provided. */
282 extern int ss_initialized;
283
284 /* The file system's label must be initialized prior to use. */
285
286 static const char *labeling_behaviors[6] = {
287         "uses xattr",
288         "uses transition SIDs",
289         "uses task SIDs",
290         "uses genfs_contexts",
291         "not configured for labeling",
292         "uses mountpoint labeling",
293 };
294
295 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
296
297 static inline int inode_doinit(struct inode *inode)
298 {
299         return inode_doinit_with_dentry(inode, NULL);
300 }
301
302 enum {
303         Opt_error = -1,
304         Opt_context = 1,
305         Opt_fscontext = 2,
306         Opt_defcontext = 3,
307         Opt_rootcontext = 4,
308         Opt_labelsupport = 5,
309 };
310
311 static const match_table_t tokens = {
312         {Opt_context, CONTEXT_STR "%s"},
313         {Opt_fscontext, FSCONTEXT_STR "%s"},
314         {Opt_defcontext, DEFCONTEXT_STR "%s"},
315         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
316         {Opt_labelsupport, LABELSUPP_STR},
317         {Opt_error, NULL},
318 };
319
320 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
321
322 static int may_context_mount_sb_relabel(u32 sid,
323                         struct superblock_security_struct *sbsec,
324                         const struct cred *cred)
325 {
326         const struct task_security_struct *tsec = cred->security;
327         int rc;
328
329         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
330                           FILESYSTEM__RELABELFROM, NULL);
331         if (rc)
332                 return rc;
333
334         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
335                           FILESYSTEM__RELABELTO, NULL);
336         return rc;
337 }
338
339 static int may_context_mount_inode_relabel(u32 sid,
340                         struct superblock_security_struct *sbsec,
341                         const struct cred *cred)
342 {
343         const struct task_security_struct *tsec = cred->security;
344         int rc;
345         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
346                           FILESYSTEM__RELABELFROM, NULL);
347         if (rc)
348                 return rc;
349
350         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
351                           FILESYSTEM__ASSOCIATE, NULL);
352         return rc;
353 }
354
355 static int sb_finish_set_opts(struct super_block *sb)
356 {
357         struct superblock_security_struct *sbsec = sb->s_security;
358         struct dentry *root = sb->s_root;
359         struct inode *root_inode = root->d_inode;
360         int rc = 0;
361
362         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
363                 /* Make sure that the xattr handler exists and that no
364                    error other than -ENODATA is returned by getxattr on
365                    the root directory.  -ENODATA is ok, as this may be
366                    the first boot of the SELinux kernel before we have
367                    assigned xattr values to the filesystem. */
368                 if (!root_inode->i_op->getxattr) {
369                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
370                                "xattr support\n", sb->s_id, sb->s_type->name);
371                         rc = -EOPNOTSUPP;
372                         goto out;
373                 }
374                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
375                 if (rc < 0 && rc != -ENODATA) {
376                         if (rc == -EOPNOTSUPP)
377                                 printk(KERN_WARNING "SELinux: (dev %s, type "
378                                        "%s) has no security xattr handler\n",
379                                        sb->s_id, sb->s_type->name);
380                         else
381                                 printk(KERN_WARNING "SELinux: (dev %s, type "
382                                        "%s) getxattr errno %d\n", sb->s_id,
383                                        sb->s_type->name, -rc);
384                         goto out;
385                 }
386         }
387
388         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
389
390         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
391                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
392                        sb->s_id, sb->s_type->name);
393         else
394                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
395                        sb->s_id, sb->s_type->name,
396                        labeling_behaviors[sbsec->behavior-1]);
397
398         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
399             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
400             sbsec->behavior == SECURITY_FS_USE_NONE ||
401             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
402                 sbsec->flags &= ~SE_SBLABELSUPP;
403
404         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
405         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
406                 sbsec->flags |= SE_SBLABELSUPP;
407
408         /* Initialize the root inode. */
409         rc = inode_doinit_with_dentry(root_inode, root);
410
411         /* Initialize any other inodes associated with the superblock, e.g.
412            inodes created prior to initial policy load or inodes created
413            during get_sb by a pseudo filesystem that directly
414            populates itself. */
415         spin_lock(&sbsec->isec_lock);
416 next_inode:
417         if (!list_empty(&sbsec->isec_head)) {
418                 struct inode_security_struct *isec =
419                                 list_entry(sbsec->isec_head.next,
420                                            struct inode_security_struct, list);
421                 struct inode *inode = isec->inode;
422                 spin_unlock(&sbsec->isec_lock);
423                 inode = igrab(inode);
424                 if (inode) {
425                         if (!IS_PRIVATE(inode))
426                                 inode_doinit(inode);
427                         iput(inode);
428                 }
429                 spin_lock(&sbsec->isec_lock);
430                 list_del_init(&isec->list);
431                 goto next_inode;
432         }
433         spin_unlock(&sbsec->isec_lock);
434 out:
435         return rc;
436 }
437
438 /*
439  * This function should allow an FS to ask what it's mount security
440  * options were so it can use those later for submounts, displaying
441  * mount options, or whatever.
442  */
443 static int selinux_get_mnt_opts(const struct super_block *sb,
444                                 struct security_mnt_opts *opts)
445 {
446         int rc = 0, i;
447         struct superblock_security_struct *sbsec = sb->s_security;
448         char *context = NULL;
449         u32 len;
450         char tmp;
451
452         security_init_mnt_opts(opts);
453
454         if (!(sbsec->flags & SE_SBINITIALIZED))
455                 return -EINVAL;
456
457         if (!ss_initialized)
458                 return -EINVAL;
459
460         tmp = sbsec->flags & SE_MNTMASK;
461         /* count the number of mount options for this sb */
462         for (i = 0; i < 8; i++) {
463                 if (tmp & 0x01)
464                         opts->num_mnt_opts++;
465                 tmp >>= 1;
466         }
467         /* Check if the Label support flag is set */
468         if (sbsec->flags & SE_SBLABELSUPP)
469                 opts->num_mnt_opts++;
470
471         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472         if (!opts->mnt_opts) {
473                 rc = -ENOMEM;
474                 goto out_free;
475         }
476
477         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478         if (!opts->mnt_opts_flags) {
479                 rc = -ENOMEM;
480                 goto out_free;
481         }
482
483         i = 0;
484         if (sbsec->flags & FSCONTEXT_MNT) {
485                 rc = security_sid_to_context(sbsec->sid, &context, &len);
486                 if (rc)
487                         goto out_free;
488                 opts->mnt_opts[i] = context;
489                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
490         }
491         if (sbsec->flags & CONTEXT_MNT) {
492                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493                 if (rc)
494                         goto out_free;
495                 opts->mnt_opts[i] = context;
496                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
497         }
498         if (sbsec->flags & DEFCONTEXT_MNT) {
499                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500                 if (rc)
501                         goto out_free;
502                 opts->mnt_opts[i] = context;
503                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
504         }
505         if (sbsec->flags & ROOTCONTEXT_MNT) {
506                 struct inode *root = sbsec->sb->s_root->d_inode;
507                 struct inode_security_struct *isec = root->i_security;
508
509                 rc = security_sid_to_context(isec->sid, &context, &len);
510                 if (rc)
511                         goto out_free;
512                 opts->mnt_opts[i] = context;
513                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
514         }
515         if (sbsec->flags & SE_SBLABELSUPP) {
516                 opts->mnt_opts[i] = NULL;
517                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
518         }
519
520         BUG_ON(i != opts->num_mnt_opts);
521
522         return 0;
523
524 out_free:
525         security_free_mnt_opts(opts);
526         return rc;
527 }
528
529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
530                       u32 old_sid, u32 new_sid)
531 {
532         char mnt_flags = sbsec->flags & SE_MNTMASK;
533
534         /* check if the old mount command had the same options */
535         if (sbsec->flags & SE_SBINITIALIZED)
536                 if (!(sbsec->flags & flag) ||
537                     (old_sid != new_sid))
538                         return 1;
539
540         /* check if we were passed the same options twice,
541          * aka someone passed context=a,context=b
542          */
543         if (!(sbsec->flags & SE_SBINITIALIZED))
544                 if (mnt_flags & flag)
545                         return 1;
546         return 0;
547 }
548
549 /*
550  * Allow filesystems with binary mount data to explicitly set mount point
551  * labeling information.
552  */
553 static int selinux_set_mnt_opts(struct super_block *sb,
554                                 struct security_mnt_opts *opts)
555 {
556         const struct cred *cred = current_cred();
557         int rc = 0, i;
558         struct superblock_security_struct *sbsec = sb->s_security;
559         const char *name = sb->s_type->name;
560         struct inode *inode = sbsec->sb->s_root->d_inode;
561         struct inode_security_struct *root_isec = inode->i_security;
562         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
563         u32 defcontext_sid = 0;
564         char **mount_options = opts->mnt_opts;
565         int *flags = opts->mnt_opts_flags;
566         int num_opts = opts->num_mnt_opts;
567
568         mutex_lock(&sbsec->lock);
569
570         if (!ss_initialized) {
571                 if (!num_opts) {
572                         /* Defer initialization until selinux_complete_init,
573                            after the initial policy is loaded and the security
574                            server is ready to handle calls. */
575                         goto out;
576                 }
577                 rc = -EINVAL;
578                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
579                         "before the security server is initialized\n");
580                 goto out;
581         }
582
583         /*
584          * Binary mount data FS will come through this function twice.  Once
585          * from an explicit call and once from the generic calls from the vfs.
586          * Since the generic VFS calls will not contain any security mount data
587          * we need to skip the double mount verification.
588          *
589          * This does open a hole in which we will not notice if the first
590          * mount using this sb set explict options and a second mount using
591          * this sb does not set any security options.  (The first options
592          * will be used for both mounts)
593          */
594         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
595             && (num_opts == 0))
596                 goto out;
597
598         /*
599          * parse the mount options, check if they are valid sids.
600          * also check if someone is trying to mount the same sb more
601          * than once with different security options.
602          */
603         for (i = 0; i < num_opts; i++) {
604                 u32 sid;
605
606                 if (flags[i] == SE_SBLABELSUPP)
607                         continue;
608                 rc = security_context_to_sid(mount_options[i],
609                                              strlen(mount_options[i]), &sid);
610                 if (rc) {
611                         printk(KERN_WARNING "SELinux: security_context_to_sid"
612                                "(%s) failed for (dev %s, type %s) errno=%d\n",
613                                mount_options[i], sb->s_id, name, rc);
614                         goto out;
615                 }
616                 switch (flags[i]) {
617                 case FSCONTEXT_MNT:
618                         fscontext_sid = sid;
619
620                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
621                                         fscontext_sid))
622                                 goto out_double_mount;
623
624                         sbsec->flags |= FSCONTEXT_MNT;
625                         break;
626                 case CONTEXT_MNT:
627                         context_sid = sid;
628
629                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
630                                         context_sid))
631                                 goto out_double_mount;
632
633                         sbsec->flags |= CONTEXT_MNT;
634                         break;
635                 case ROOTCONTEXT_MNT:
636                         rootcontext_sid = sid;
637
638                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
639                                         rootcontext_sid))
640                                 goto out_double_mount;
641
642                         sbsec->flags |= ROOTCONTEXT_MNT;
643
644                         break;
645                 case DEFCONTEXT_MNT:
646                         defcontext_sid = sid;
647
648                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
649                                         defcontext_sid))
650                                 goto out_double_mount;
651
652                         sbsec->flags |= DEFCONTEXT_MNT;
653
654                         break;
655                 default:
656                         rc = -EINVAL;
657                         goto out;
658                 }
659         }
660
661         if (sbsec->flags & SE_SBINITIALIZED) {
662                 /* previously mounted with options, but not on this attempt? */
663                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
664                         goto out_double_mount;
665                 rc = 0;
666                 goto out;
667         }
668
669         if (strcmp(sb->s_type->name, "proc") == 0)
670                 sbsec->flags |= SE_SBPROC;
671
672         /* Determine the labeling behavior to use for this filesystem type. */
673         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
674         if (rc) {
675                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
676                        __func__, sb->s_type->name, rc);
677                 goto out;
678         }
679
680         /* sets the context of the superblock for the fs being mounted. */
681         if (fscontext_sid) {
682                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
683                 if (rc)
684                         goto out;
685
686                 sbsec->sid = fscontext_sid;
687         }
688
689         /*
690          * Switch to using mount point labeling behavior.
691          * sets the label used on all file below the mountpoint, and will set
692          * the superblock context if not already set.
693          */
694         if (context_sid) {
695                 if (!fscontext_sid) {
696                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
697                                                           cred);
698                         if (rc)
699                                 goto out;
700                         sbsec->sid = context_sid;
701                 } else {
702                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
703                                                              cred);
704                         if (rc)
705                                 goto out;
706                 }
707                 if (!rootcontext_sid)
708                         rootcontext_sid = context_sid;
709
710                 sbsec->mntpoint_sid = context_sid;
711                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
712         }
713
714         if (rootcontext_sid) {
715                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
716                                                      cred);
717                 if (rc)
718                         goto out;
719
720                 root_isec->sid = rootcontext_sid;
721                 root_isec->initialized = 1;
722         }
723
724         if (defcontext_sid) {
725                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
726                         rc = -EINVAL;
727                         printk(KERN_WARNING "SELinux: defcontext option is "
728                                "invalid for this filesystem type\n");
729                         goto out;
730                 }
731
732                 if (defcontext_sid != sbsec->def_sid) {
733                         rc = may_context_mount_inode_relabel(defcontext_sid,
734                                                              sbsec, cred);
735                         if (rc)
736                                 goto out;
737                 }
738
739                 sbsec->def_sid = defcontext_sid;
740         }
741
742         rc = sb_finish_set_opts(sb);
743 out:
744         mutex_unlock(&sbsec->lock);
745         return rc;
746 out_double_mount:
747         rc = -EINVAL;
748         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
749                "security settings for (dev %s, type %s)\n", sb->s_id, name);
750         goto out;
751 }
752
753 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754                                         struct super_block *newsb)
755 {
756         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757         struct superblock_security_struct *newsbsec = newsb->s_security;
758
759         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
760         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
761         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
762
763         /*
764          * if the parent was able to be mounted it clearly had no special lsm
765          * mount options.  thus we can safely deal with this superblock later
766          */
767         if (!ss_initialized)
768                 return;
769
770         /* how can we clone if the old one wasn't set up?? */
771         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
772
773         /* if fs is reusing a sb, just let its options stand... */
774         if (newsbsec->flags & SE_SBINITIALIZED)
775                 return;
776
777         mutex_lock(&newsbsec->lock);
778
779         newsbsec->flags = oldsbsec->flags;
780
781         newsbsec->sid = oldsbsec->sid;
782         newsbsec->def_sid = oldsbsec->def_sid;
783         newsbsec->behavior = oldsbsec->behavior;
784
785         if (set_context) {
786                 u32 sid = oldsbsec->mntpoint_sid;
787
788                 if (!set_fscontext)
789                         newsbsec->sid = sid;
790                 if (!set_rootcontext) {
791                         struct inode *newinode = newsb->s_root->d_inode;
792                         struct inode_security_struct *newisec = newinode->i_security;
793                         newisec->sid = sid;
794                 }
795                 newsbsec->mntpoint_sid = sid;
796         }
797         if (set_rootcontext) {
798                 const struct inode *oldinode = oldsb->s_root->d_inode;
799                 const struct inode_security_struct *oldisec = oldinode->i_security;
800                 struct inode *newinode = newsb->s_root->d_inode;
801                 struct inode_security_struct *newisec = newinode->i_security;
802
803                 newisec->sid = oldisec->sid;
804         }
805
806         sb_finish_set_opts(newsb);
807         mutex_unlock(&newsbsec->lock);
808 }
809
810 static int selinux_parse_opts_str(char *options,
811                                   struct security_mnt_opts *opts)
812 {
813         char *p;
814         char *context = NULL, *defcontext = NULL;
815         char *fscontext = NULL, *rootcontext = NULL;
816         int rc, num_mnt_opts = 0;
817
818         opts->num_mnt_opts = 0;
819
820         /* Standard string-based options. */
821         while ((p = strsep(&options, "|")) != NULL) {
822                 int token;
823                 substring_t args[MAX_OPT_ARGS];
824
825                 if (!*p)
826                         continue;
827
828                 token = match_token(p, tokens, args);
829
830                 switch (token) {
831                 case Opt_context:
832                         if (context || defcontext) {
833                                 rc = -EINVAL;
834                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
835                                 goto out_err;
836                         }
837                         context = match_strdup(&args[0]);
838                         if (!context) {
839                                 rc = -ENOMEM;
840                                 goto out_err;
841                         }
842                         break;
843
844                 case Opt_fscontext:
845                         if (fscontext) {
846                                 rc = -EINVAL;
847                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
848                                 goto out_err;
849                         }
850                         fscontext = match_strdup(&args[0]);
851                         if (!fscontext) {
852                                 rc = -ENOMEM;
853                                 goto out_err;
854                         }
855                         break;
856
857                 case Opt_rootcontext:
858                         if (rootcontext) {
859                                 rc = -EINVAL;
860                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
861                                 goto out_err;
862                         }
863                         rootcontext = match_strdup(&args[0]);
864                         if (!rootcontext) {
865                                 rc = -ENOMEM;
866                                 goto out_err;
867                         }
868                         break;
869
870                 case Opt_defcontext:
871                         if (context || defcontext) {
872                                 rc = -EINVAL;
873                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874                                 goto out_err;
875                         }
876                         defcontext = match_strdup(&args[0]);
877                         if (!defcontext) {
878                                 rc = -ENOMEM;
879                                 goto out_err;
880                         }
881                         break;
882                 case Opt_labelsupport:
883                         break;
884                 default:
885                         rc = -EINVAL;
886                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
887                         goto out_err;
888
889                 }
890         }
891
892         rc = -ENOMEM;
893         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
894         if (!opts->mnt_opts)
895                 goto out_err;
896
897         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
898         if (!opts->mnt_opts_flags) {
899                 kfree(opts->mnt_opts);
900                 goto out_err;
901         }
902
903         if (fscontext) {
904                 opts->mnt_opts[num_mnt_opts] = fscontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
906         }
907         if (context) {
908                 opts->mnt_opts[num_mnt_opts] = context;
909                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
910         }
911         if (rootcontext) {
912                 opts->mnt_opts[num_mnt_opts] = rootcontext;
913                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
914         }
915         if (defcontext) {
916                 opts->mnt_opts[num_mnt_opts] = defcontext;
917                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
918         }
919
920         opts->num_mnt_opts = num_mnt_opts;
921         return 0;
922
923 out_err:
924         kfree(context);
925         kfree(defcontext);
926         kfree(fscontext);
927         kfree(rootcontext);
928         return rc;
929 }
930 /*
931  * string mount options parsing and call set the sbsec
932  */
933 static int superblock_doinit(struct super_block *sb, void *data)
934 {
935         int rc = 0;
936         char *options = data;
937         struct security_mnt_opts opts;
938
939         security_init_mnt_opts(&opts);
940
941         if (!data)
942                 goto out;
943
944         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
945
946         rc = selinux_parse_opts_str(options, &opts);
947         if (rc)
948                 goto out_err;
949
950 out:
951         rc = selinux_set_mnt_opts(sb, &opts);
952
953 out_err:
954         security_free_mnt_opts(&opts);
955         return rc;
956 }
957
958 static void selinux_write_opts(struct seq_file *m,
959                                struct security_mnt_opts *opts)
960 {
961         int i;
962         char *prefix;
963
964         for (i = 0; i < opts->num_mnt_opts; i++) {
965                 char *has_comma;
966
967                 if (opts->mnt_opts[i])
968                         has_comma = strchr(opts->mnt_opts[i], ',');
969                 else
970                         has_comma = NULL;
971
972                 switch (opts->mnt_opts_flags[i]) {
973                 case CONTEXT_MNT:
974                         prefix = CONTEXT_STR;
975                         break;
976                 case FSCONTEXT_MNT:
977                         prefix = FSCONTEXT_STR;
978                         break;
979                 case ROOTCONTEXT_MNT:
980                         prefix = ROOTCONTEXT_STR;
981                         break;
982                 case DEFCONTEXT_MNT:
983                         prefix = DEFCONTEXT_STR;
984                         break;
985                 case SE_SBLABELSUPP:
986                         seq_putc(m, ',');
987                         seq_puts(m, LABELSUPP_STR);
988                         continue;
989                 default:
990                         BUG();
991                 };
992                 /* we need a comma before each option */
993                 seq_putc(m, ',');
994                 seq_puts(m, prefix);
995                 if (has_comma)
996                         seq_putc(m, '\"');
997                 seq_puts(m, opts->mnt_opts[i]);
998                 if (has_comma)
999                         seq_putc(m, '\"');
1000         }
1001 }
1002
1003 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1004 {
1005         struct security_mnt_opts opts;
1006         int rc;
1007
1008         rc = selinux_get_mnt_opts(sb, &opts);
1009         if (rc) {
1010                 /* before policy load we may get EINVAL, don't show anything */
1011                 if (rc == -EINVAL)
1012                         rc = 0;
1013                 return rc;
1014         }
1015
1016         selinux_write_opts(m, &opts);
1017
1018         security_free_mnt_opts(&opts);
1019
1020         return rc;
1021 }
1022
1023 static inline u16 inode_mode_to_security_class(umode_t mode)
1024 {
1025         switch (mode & S_IFMT) {
1026         case S_IFSOCK:
1027                 return SECCLASS_SOCK_FILE;
1028         case S_IFLNK:
1029                 return SECCLASS_LNK_FILE;
1030         case S_IFREG:
1031                 return SECCLASS_FILE;
1032         case S_IFBLK:
1033                 return SECCLASS_BLK_FILE;
1034         case S_IFDIR:
1035                 return SECCLASS_DIR;
1036         case S_IFCHR:
1037                 return SECCLASS_CHR_FILE;
1038         case S_IFIFO:
1039                 return SECCLASS_FIFO_FILE;
1040
1041         }
1042
1043         return SECCLASS_FILE;
1044 }
1045
1046 static inline int default_protocol_stream(int protocol)
1047 {
1048         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1049 }
1050
1051 static inline int default_protocol_dgram(int protocol)
1052 {
1053         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1054 }
1055
1056 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1057 {
1058         switch (family) {
1059         case PF_UNIX:
1060                 switch (type) {
1061                 case SOCK_STREAM:
1062                 case SOCK_SEQPACKET:
1063                         return SECCLASS_UNIX_STREAM_SOCKET;
1064                 case SOCK_DGRAM:
1065                         return SECCLASS_UNIX_DGRAM_SOCKET;
1066                 }
1067                 break;
1068         case PF_INET:
1069         case PF_INET6:
1070                 switch (type) {
1071                 case SOCK_STREAM:
1072                         if (default_protocol_stream(protocol))
1073                                 return SECCLASS_TCP_SOCKET;
1074                         else
1075                                 return SECCLASS_RAWIP_SOCKET;
1076                 case SOCK_DGRAM:
1077                         if (default_protocol_dgram(protocol))
1078                                 return SECCLASS_UDP_SOCKET;
1079                         else
1080                                 return SECCLASS_RAWIP_SOCKET;
1081                 case SOCK_DCCP:
1082                         return SECCLASS_DCCP_SOCKET;
1083                 default:
1084                         return SECCLASS_RAWIP_SOCKET;
1085                 }
1086                 break;
1087         case PF_NETLINK:
1088                 switch (protocol) {
1089                 case NETLINK_ROUTE:
1090                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1091                 case NETLINK_FIREWALL:
1092                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1093                 case NETLINK_INET_DIAG:
1094                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1095                 case NETLINK_NFLOG:
1096                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1097                 case NETLINK_XFRM:
1098                         return SECCLASS_NETLINK_XFRM_SOCKET;
1099                 case NETLINK_SELINUX:
1100                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1101                 case NETLINK_AUDIT:
1102                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1103                 case NETLINK_IP6_FW:
1104                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1105                 case NETLINK_DNRTMSG:
1106                         return SECCLASS_NETLINK_DNRT_SOCKET;
1107                 case NETLINK_KOBJECT_UEVENT:
1108                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1109                 default:
1110                         return SECCLASS_NETLINK_SOCKET;
1111                 }
1112         case PF_PACKET:
1113                 return SECCLASS_PACKET_SOCKET;
1114         case PF_KEY:
1115                 return SECCLASS_KEY_SOCKET;
1116         case PF_APPLETALK:
1117                 return SECCLASS_APPLETALK_SOCKET;
1118         }
1119
1120         return SECCLASS_SOCKET;
1121 }
1122
1123 #ifdef CONFIG_PROC_FS
1124 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1125                                 u16 tclass,
1126                                 u32 *sid)
1127 {
1128         int buflen, rc;
1129         char *buffer, *path, *end;
1130
1131         buffer = (char *)__get_free_page(GFP_KERNEL);
1132         if (!buffer)
1133                 return -ENOMEM;
1134
1135         buflen = PAGE_SIZE;
1136         end = buffer+buflen;
1137         *--end = '\0';
1138         buflen--;
1139         path = end-1;
1140         *path = '/';
1141         while (de && de != de->parent) {
1142                 buflen -= de->namelen + 1;
1143                 if (buflen < 0)
1144                         break;
1145                 end -= de->namelen;
1146                 memcpy(end, de->name, de->namelen);
1147                 *--end = '/';
1148                 path = end;
1149                 de = de->parent;
1150         }
1151         rc = security_genfs_sid("proc", path, tclass, sid);
1152         free_page((unsigned long)buffer);
1153         return rc;
1154 }
1155 #else
1156 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1157                                 u16 tclass,
1158                                 u32 *sid)
1159 {
1160         return -EINVAL;
1161 }
1162 #endif
1163
1164 /* The inode's security attributes must be initialized before first use. */
1165 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1166 {
1167         struct superblock_security_struct *sbsec = NULL;
1168         struct inode_security_struct *isec = inode->i_security;
1169         u32 sid;
1170         struct dentry *dentry;
1171 #define INITCONTEXTLEN 255
1172         char *context = NULL;
1173         unsigned len = 0;
1174         int rc = 0;
1175
1176         if (isec->initialized)
1177                 goto out;
1178
1179         mutex_lock(&isec->lock);
1180         if (isec->initialized)
1181                 goto out_unlock;
1182
1183         sbsec = inode->i_sb->s_security;
1184         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1185                 /* Defer initialization until selinux_complete_init,
1186                    after the initial policy is loaded and the security
1187                    server is ready to handle calls. */
1188                 spin_lock(&sbsec->isec_lock);
1189                 if (list_empty(&isec->list))
1190                         list_add(&isec->list, &sbsec->isec_head);
1191                 spin_unlock(&sbsec->isec_lock);
1192                 goto out_unlock;
1193         }
1194
1195         switch (sbsec->behavior) {
1196         case SECURITY_FS_USE_XATTR:
1197                 if (!inode->i_op->getxattr) {
1198                         isec->sid = sbsec->def_sid;
1199                         break;
1200                 }
1201
1202                 /* Need a dentry, since the xattr API requires one.
1203                    Life would be simpler if we could just pass the inode. */
1204                 if (opt_dentry) {
1205                         /* Called from d_instantiate or d_splice_alias. */
1206                         dentry = dget(opt_dentry);
1207                 } else {
1208                         /* Called from selinux_complete_init, try to find a dentry. */
1209                         dentry = d_find_alias(inode);
1210                 }
1211                 if (!dentry) {
1212                         /*
1213                          * this is can be hit on boot when a file is accessed
1214                          * before the policy is loaded.  When we load policy we
1215                          * may find inodes that have no dentry on the
1216                          * sbsec->isec_head list.  No reason to complain as these
1217                          * will get fixed up the next time we go through
1218                          * inode_doinit with a dentry, before these inodes could
1219                          * be used again by userspace.
1220                          */
1221                         goto out_unlock;
1222                 }
1223
1224                 len = INITCONTEXTLEN;
1225                 context = kmalloc(len+1, GFP_NOFS);
1226                 if (!context) {
1227                         rc = -ENOMEM;
1228                         dput(dentry);
1229                         goto out_unlock;
1230                 }
1231                 context[len] = '\0';
1232                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1233                                            context, len);
1234                 if (rc == -ERANGE) {
1235                         kfree(context);
1236
1237                         /* Need a larger buffer.  Query for the right size. */
1238                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1239                                                    NULL, 0);
1240                         if (rc < 0) {
1241                                 dput(dentry);
1242                                 goto out_unlock;
1243                         }
1244                         len = rc;
1245                         context = kmalloc(len+1, GFP_NOFS);
1246                         if (!context) {
1247                                 rc = -ENOMEM;
1248                                 dput(dentry);
1249                                 goto out_unlock;
1250                         }
1251                         context[len] = '\0';
1252                         rc = inode->i_op->getxattr(dentry,
1253                                                    XATTR_NAME_SELINUX,
1254                                                    context, len);
1255                 }
1256                 dput(dentry);
1257                 if (rc < 0) {
1258                         if (rc != -ENODATA) {
1259                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1260                                        "%d for dev=%s ino=%ld\n", __func__,
1261                                        -rc, inode->i_sb->s_id, inode->i_ino);
1262                                 kfree(context);
1263                                 goto out_unlock;
1264                         }
1265                         /* Map ENODATA to the default file SID */
1266                         sid = sbsec->def_sid;
1267                         rc = 0;
1268                 } else {
1269                         rc = security_context_to_sid_default(context, rc, &sid,
1270                                                              sbsec->def_sid,
1271                                                              GFP_NOFS);
1272                         if (rc) {
1273                                 char *dev = inode->i_sb->s_id;
1274                                 unsigned long ino = inode->i_ino;
1275
1276                                 if (rc == -EINVAL) {
1277                                         if (printk_ratelimit())
1278                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1279                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1280                                                         "filesystem in question.\n", ino, dev, context);
1281                                 } else {
1282                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1283                                                "returned %d for dev=%s ino=%ld\n",
1284                                                __func__, context, -rc, dev, ino);
1285                                 }
1286                                 kfree(context);
1287                                 /* Leave with the unlabeled SID */
1288                                 rc = 0;
1289                                 break;
1290                         }
1291                 }
1292                 kfree(context);
1293                 isec->sid = sid;
1294                 break;
1295         case SECURITY_FS_USE_TASK:
1296                 isec->sid = isec->task_sid;
1297                 break;
1298         case SECURITY_FS_USE_TRANS:
1299                 /* Default to the fs SID. */
1300                 isec->sid = sbsec->sid;
1301
1302                 /* Try to obtain a transition SID. */
1303                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1304                 rc = security_transition_sid(isec->task_sid,
1305                                              sbsec->sid,
1306                                              isec->sclass,
1307                                              &sid);
1308                 if (rc)
1309                         goto out_unlock;
1310                 isec->sid = sid;
1311                 break;
1312         case SECURITY_FS_USE_MNTPOINT:
1313                 isec->sid = sbsec->mntpoint_sid;
1314                 break;
1315         default:
1316                 /* Default to the fs superblock SID. */
1317                 isec->sid = sbsec->sid;
1318
1319                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1320                         struct proc_inode *proci = PROC_I(inode);
1321                         if (proci->pde) {
1322                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1323                                 rc = selinux_proc_get_sid(proci->pde,
1324                                                           isec->sclass,
1325                                                           &sid);
1326                                 if (rc)
1327                                         goto out_unlock;
1328                                 isec->sid = sid;
1329                         }
1330                 }
1331                 break;
1332         }
1333
1334         isec->initialized = 1;
1335
1336 out_unlock:
1337         mutex_unlock(&isec->lock);
1338 out:
1339         if (isec->sclass == SECCLASS_FILE)
1340                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1341         return rc;
1342 }
1343
1344 /* Convert a Linux signal to an access vector. */
1345 static inline u32 signal_to_av(int sig)
1346 {
1347         u32 perm = 0;
1348
1349         switch (sig) {
1350         case SIGCHLD:
1351                 /* Commonly granted from child to parent. */
1352                 perm = PROCESS__SIGCHLD;
1353                 break;
1354         case SIGKILL:
1355                 /* Cannot be caught or ignored */
1356                 perm = PROCESS__SIGKILL;
1357                 break;
1358         case SIGSTOP:
1359                 /* Cannot be caught or ignored */
1360                 perm = PROCESS__SIGSTOP;
1361                 break;
1362         default:
1363                 /* All other signals. */
1364                 perm = PROCESS__SIGNAL;
1365                 break;
1366         }
1367
1368         return perm;
1369 }
1370
1371 /*
1372  * Check permission between a pair of credentials
1373  * fork check, ptrace check, etc.
1374  */
1375 static int cred_has_perm(const struct cred *actor,
1376                          const struct cred *target,
1377                          u32 perms)
1378 {
1379         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1380
1381         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1382 }
1383
1384 /*
1385  * Check permission between a pair of tasks, e.g. signal checks,
1386  * fork check, ptrace check, etc.
1387  * tsk1 is the actor and tsk2 is the target
1388  * - this uses the default subjective creds of tsk1
1389  */
1390 static int task_has_perm(const struct task_struct *tsk1,
1391                          const struct task_struct *tsk2,
1392                          u32 perms)
1393 {
1394         const struct task_security_struct *__tsec1, *__tsec2;
1395         u32 sid1, sid2;
1396
1397         rcu_read_lock();
1398         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1399         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1400         rcu_read_unlock();
1401         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1402 }
1403
1404 /*
1405  * Check permission between current and another task, e.g. signal checks,
1406  * fork check, ptrace check, etc.
1407  * current is the actor and tsk2 is the target
1408  * - this uses current's subjective creds
1409  */
1410 static int current_has_perm(const struct task_struct *tsk,
1411                             u32 perms)
1412 {
1413         u32 sid, tsid;
1414
1415         sid = current_sid();
1416         tsid = task_sid(tsk);
1417         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1418 }
1419
1420 #if CAP_LAST_CAP > 63
1421 #error Fix SELinux to handle capabilities > 63.
1422 #endif
1423
1424 /* Check whether a task is allowed to use a capability. */
1425 static int task_has_capability(struct task_struct *tsk,
1426                                const struct cred *cred,
1427                                int cap, int audit)
1428 {
1429         struct common_audit_data ad;
1430         struct av_decision avd;
1431         u16 sclass;
1432         u32 sid = cred_sid(cred);
1433         u32 av = CAP_TO_MASK(cap);
1434         int rc;
1435
1436         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1437         ad.tsk = tsk;
1438         ad.u.cap = cap;
1439
1440         switch (CAP_TO_INDEX(cap)) {
1441         case 0:
1442                 sclass = SECCLASS_CAPABILITY;
1443                 break;
1444         case 1:
1445                 sclass = SECCLASS_CAPABILITY2;
1446                 break;
1447         default:
1448                 printk(KERN_ERR
1449                        "SELinux:  out of range capability %d\n", cap);
1450                 BUG();
1451         }
1452
1453         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1454         if (audit == SECURITY_CAP_AUDIT)
1455                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1456         return rc;
1457 }
1458
1459 /* Check whether a task is allowed to use a system operation. */
1460 static int task_has_system(struct task_struct *tsk,
1461                            u32 perms)
1462 {
1463         u32 sid = task_sid(tsk);
1464
1465         return avc_has_perm(sid, SECINITSID_KERNEL,
1466                             SECCLASS_SYSTEM, perms, NULL);
1467 }
1468
1469 /* Check whether a task has a particular permission to an inode.
1470    The 'adp' parameter is optional and allows other audit
1471    data to be passed (e.g. the dentry). */
1472 static int inode_has_perm(const struct cred *cred,
1473                           struct inode *inode,
1474                           u32 perms,
1475                           struct common_audit_data *adp)
1476 {
1477         struct inode_security_struct *isec;
1478         struct common_audit_data ad;
1479         u32 sid;
1480
1481         validate_creds(cred);
1482
1483         if (unlikely(IS_PRIVATE(inode)))
1484                 return 0;
1485
1486         sid = cred_sid(cred);
1487         isec = inode->i_security;
1488
1489         if (!adp) {
1490                 adp = &ad;
1491                 COMMON_AUDIT_DATA_INIT(&ad, FS);
1492                 ad.u.fs.inode = inode;
1493         }
1494
1495         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1496 }
1497
1498 /* Same as inode_has_perm, but pass explicit audit data containing
1499    the dentry to help the auditing code to more easily generate the
1500    pathname if needed. */
1501 static inline int dentry_has_perm(const struct cred *cred,
1502                                   struct vfsmount *mnt,
1503                                   struct dentry *dentry,
1504                                   u32 av)
1505 {
1506         struct inode *inode = dentry->d_inode;
1507         struct common_audit_data ad;
1508
1509         COMMON_AUDIT_DATA_INIT(&ad, FS);
1510         ad.u.fs.path.mnt = mnt;
1511         ad.u.fs.path.dentry = dentry;
1512         return inode_has_perm(cred, inode, av, &ad);
1513 }
1514
1515 /* Check whether a task can use an open file descriptor to
1516    access an inode in a given way.  Check access to the
1517    descriptor itself, and then use dentry_has_perm to
1518    check a particular permission to the file.
1519    Access to the descriptor is implicitly granted if it
1520    has the same SID as the process.  If av is zero, then
1521    access to the file is not checked, e.g. for cases
1522    where only the descriptor is affected like seek. */
1523 static int file_has_perm(const struct cred *cred,
1524                          struct file *file,
1525                          u32 av)
1526 {
1527         struct file_security_struct *fsec = file->f_security;
1528         struct inode *inode = file->f_path.dentry->d_inode;
1529         struct common_audit_data ad;
1530         u32 sid = cred_sid(cred);
1531         int rc;
1532
1533         COMMON_AUDIT_DATA_INIT(&ad, FS);
1534         ad.u.fs.path = file->f_path;
1535
1536         if (sid != fsec->sid) {
1537                 rc = avc_has_perm(sid, fsec->sid,
1538                                   SECCLASS_FD,
1539                                   FD__USE,
1540                                   &ad);
1541                 if (rc)
1542                         goto out;
1543         }
1544
1545         /* av is zero if only checking access to the descriptor. */
1546         rc = 0;
1547         if (av)
1548                 rc = inode_has_perm(cred, inode, av, &ad);
1549
1550 out:
1551         return rc;
1552 }
1553
1554 /* Check whether a task can create a file. */
1555 static int may_create(struct inode *dir,
1556                       struct dentry *dentry,
1557                       u16 tclass)
1558 {
1559         const struct task_security_struct *tsec = current_security();
1560         struct inode_security_struct *dsec;
1561         struct superblock_security_struct *sbsec;
1562         u32 sid, newsid;
1563         struct common_audit_data ad;
1564         int rc;
1565
1566         dsec = dir->i_security;
1567         sbsec = dir->i_sb->s_security;
1568
1569         sid = tsec->sid;
1570         newsid = tsec->create_sid;
1571
1572         COMMON_AUDIT_DATA_INIT(&ad, FS);
1573         ad.u.fs.path.dentry = dentry;
1574
1575         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1576                           DIR__ADD_NAME | DIR__SEARCH,
1577                           &ad);
1578         if (rc)
1579                 return rc;
1580
1581         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1582                 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1583                 if (rc)
1584                         return rc;
1585         }
1586
1587         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1588         if (rc)
1589                 return rc;
1590
1591         return avc_has_perm(newsid, sbsec->sid,
1592                             SECCLASS_FILESYSTEM,
1593                             FILESYSTEM__ASSOCIATE, &ad);
1594 }
1595
1596 /* Check whether a task can create a key. */
1597 static int may_create_key(u32 ksid,
1598                           struct task_struct *ctx)
1599 {
1600         u32 sid = task_sid(ctx);
1601
1602         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1603 }
1604
1605 #define MAY_LINK        0
1606 #define MAY_UNLINK      1
1607 #define MAY_RMDIR       2
1608
1609 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1610 static int may_link(struct inode *dir,
1611                     struct dentry *dentry,
1612                     int kind)
1613
1614 {
1615         struct inode_security_struct *dsec, *isec;
1616         struct common_audit_data ad;
1617         u32 sid = current_sid();
1618         u32 av;
1619         int rc;
1620
1621         dsec = dir->i_security;
1622         isec = dentry->d_inode->i_security;
1623
1624         COMMON_AUDIT_DATA_INIT(&ad, FS);
1625         ad.u.fs.path.dentry = dentry;
1626
1627         av = DIR__SEARCH;
1628         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1629         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1630         if (rc)
1631                 return rc;
1632
1633         switch (kind) {
1634         case MAY_LINK:
1635                 av = FILE__LINK;
1636                 break;
1637         case MAY_UNLINK:
1638                 av = FILE__UNLINK;
1639                 break;
1640         case MAY_RMDIR:
1641                 av = DIR__RMDIR;
1642                 break;
1643         default:
1644                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1645                         __func__, kind);
1646                 return 0;
1647         }
1648
1649         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1650         return rc;
1651 }
1652
1653 static inline int may_rename(struct inode *old_dir,
1654                              struct dentry *old_dentry,
1655                              struct inode *new_dir,
1656                              struct dentry *new_dentry)
1657 {
1658         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1659         struct common_audit_data ad;
1660         u32 sid = current_sid();
1661         u32 av;
1662         int old_is_dir, new_is_dir;
1663         int rc;
1664
1665         old_dsec = old_dir->i_security;
1666         old_isec = old_dentry->d_inode->i_security;
1667         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1668         new_dsec = new_dir->i_security;
1669
1670         COMMON_AUDIT_DATA_INIT(&ad, FS);
1671
1672         ad.u.fs.path.dentry = old_dentry;
1673         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1674                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1675         if (rc)
1676                 return rc;
1677         rc = avc_has_perm(sid, old_isec->sid,
1678                           old_isec->sclass, FILE__RENAME, &ad);
1679         if (rc)
1680                 return rc;
1681         if (old_is_dir && new_dir != old_dir) {
1682                 rc = avc_has_perm(sid, old_isec->sid,
1683                                   old_isec->sclass, DIR__REPARENT, &ad);
1684                 if (rc)
1685                         return rc;
1686         }
1687
1688         ad.u.fs.path.dentry = new_dentry;
1689         av = DIR__ADD_NAME | DIR__SEARCH;
1690         if (new_dentry->d_inode)
1691                 av |= DIR__REMOVE_NAME;
1692         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1693         if (rc)
1694                 return rc;
1695         if (new_dentry->d_inode) {
1696                 new_isec = new_dentry->d_inode->i_security;
1697                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1698                 rc = avc_has_perm(sid, new_isec->sid,
1699                                   new_isec->sclass,
1700                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1701                 if (rc)
1702                         return rc;
1703         }
1704
1705         return 0;
1706 }
1707
1708 /* Check whether a task can perform a filesystem operation. */
1709 static int superblock_has_perm(const struct cred *cred,
1710                                struct super_block *sb,
1711                                u32 perms,
1712                                struct common_audit_data *ad)
1713 {
1714         struct superblock_security_struct *sbsec;
1715         u32 sid = cred_sid(cred);
1716
1717         sbsec = sb->s_security;
1718         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1719 }
1720
1721 /* Convert a Linux mode and permission mask to an access vector. */
1722 static inline u32 file_mask_to_av(int mode, int mask)
1723 {
1724         u32 av = 0;
1725
1726         if ((mode & S_IFMT) != S_IFDIR) {
1727                 if (mask & MAY_EXEC)
1728                         av |= FILE__EXECUTE;
1729                 if (mask & MAY_READ)
1730                         av |= FILE__READ;
1731
1732                 if (mask & MAY_APPEND)
1733                         av |= FILE__APPEND;
1734                 else if (mask & MAY_WRITE)
1735                         av |= FILE__WRITE;
1736
1737         } else {
1738                 if (mask & MAY_EXEC)
1739                         av |= DIR__SEARCH;
1740                 if (mask & MAY_WRITE)
1741                         av |= DIR__WRITE;
1742                 if (mask & MAY_READ)
1743                         av |= DIR__READ;
1744         }
1745
1746         return av;
1747 }
1748
1749 /* Convert a Linux file to an access vector. */
1750 static inline u32 file_to_av(struct file *file)
1751 {
1752         u32 av = 0;
1753
1754         if (file->f_mode & FMODE_READ)
1755                 av |= FILE__READ;
1756         if (file->f_mode & FMODE_WRITE) {
1757                 if (file->f_flags & O_APPEND)
1758                         av |= FILE__APPEND;
1759                 else
1760                         av |= FILE__WRITE;
1761         }
1762         if (!av) {
1763                 /*
1764                  * Special file opened with flags 3 for ioctl-only use.
1765                  */
1766                 av = FILE__IOCTL;
1767         }
1768
1769         return av;
1770 }
1771
1772 /*
1773  * Convert a file to an access vector and include the correct open
1774  * open permission.
1775  */
1776 static inline u32 open_file_to_av(struct file *file)
1777 {
1778         u32 av = file_to_av(file);
1779
1780         if (selinux_policycap_openperm)
1781                 av |= FILE__OPEN;
1782
1783         return av;
1784 }
1785
1786 /* Hook functions begin here. */
1787
1788 static int selinux_ptrace_access_check(struct task_struct *child,
1789                                      unsigned int mode)
1790 {
1791         int rc;
1792
1793         rc = cap_ptrace_access_check(child, mode);
1794         if (rc)
1795                 return rc;
1796
1797         if (mode == PTRACE_MODE_READ) {
1798                 u32 sid = current_sid();
1799                 u32 csid = task_sid(child);
1800                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1801         }
1802
1803         return current_has_perm(child, PROCESS__PTRACE);
1804 }
1805
1806 static int selinux_ptrace_traceme(struct task_struct *parent)
1807 {
1808         int rc;
1809
1810         rc = cap_ptrace_traceme(parent);
1811         if (rc)
1812                 return rc;
1813
1814         return task_has_perm(parent, current, PROCESS__PTRACE);
1815 }
1816
1817 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1818                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1819 {
1820         int error;
1821
1822         error = current_has_perm(target, PROCESS__GETCAP);
1823         if (error)
1824                 return error;
1825
1826         return cap_capget(target, effective, inheritable, permitted);
1827 }
1828
1829 static int selinux_capset(struct cred *new, const struct cred *old,
1830                           const kernel_cap_t *effective,
1831                           const kernel_cap_t *inheritable,
1832                           const kernel_cap_t *permitted)
1833 {
1834         int error;
1835
1836         error = cap_capset(new, old,
1837                                       effective, inheritable, permitted);
1838         if (error)
1839                 return error;
1840
1841         return cred_has_perm(old, new, PROCESS__SETCAP);
1842 }
1843
1844 /*
1845  * (This comment used to live with the selinux_task_setuid hook,
1846  * which was removed).
1847  *
1848  * Since setuid only affects the current process, and since the SELinux
1849  * controls are not based on the Linux identity attributes, SELinux does not
1850  * need to control this operation.  However, SELinux does control the use of
1851  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1852  */
1853
1854 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1855                            int cap, int audit)
1856 {
1857         int rc;
1858
1859         rc = cap_capable(tsk, cred, cap, audit);
1860         if (rc)
1861                 return rc;
1862
1863         return task_has_capability(tsk, cred, cap, audit);
1864 }
1865
1866 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1867 {
1868         int buflen, rc;
1869         char *buffer, *path, *end;
1870
1871         rc = -ENOMEM;
1872         buffer = (char *)__get_free_page(GFP_KERNEL);
1873         if (!buffer)
1874                 goto out;
1875
1876         buflen = PAGE_SIZE;
1877         end = buffer+buflen;
1878         *--end = '\0';
1879         buflen--;
1880         path = end-1;
1881         *path = '/';
1882         while (table) {
1883                 const char *name = table->procname;
1884                 size_t namelen = strlen(name);
1885                 buflen -= namelen + 1;
1886                 if (buflen < 0)
1887                         goto out_free;
1888                 end -= namelen;
1889                 memcpy(end, name, namelen);
1890                 *--end = '/';
1891                 path = end;
1892                 table = table->parent;
1893         }
1894         buflen -= 4;
1895         if (buflen < 0)
1896                 goto out_free;
1897         end -= 4;
1898         memcpy(end, "/sys", 4);
1899         path = end;
1900         rc = security_genfs_sid("proc", path, tclass, sid);
1901 out_free:
1902         free_page((unsigned long)buffer);
1903 out:
1904         return rc;
1905 }
1906
1907 static int selinux_sysctl(ctl_table *table, int op)
1908 {
1909         int error = 0;
1910         u32 av;
1911         u32 tsid, sid;
1912         int rc;
1913
1914         sid = current_sid();
1915
1916         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1917                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1918         if (rc) {
1919                 /* Default to the well-defined sysctl SID. */
1920                 tsid = SECINITSID_SYSCTL;
1921         }
1922
1923         /* The op values are "defined" in sysctl.c, thereby creating
1924          * a bad coupling between this module and sysctl.c */
1925         if (op == 001) {
1926                 error = avc_has_perm(sid, tsid,
1927                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1928         } else {
1929                 av = 0;
1930                 if (op & 004)
1931                         av |= FILE__READ;
1932                 if (op & 002)
1933                         av |= FILE__WRITE;
1934                 if (av)
1935                         error = avc_has_perm(sid, tsid,
1936                                              SECCLASS_FILE, av, NULL);
1937         }
1938
1939         return error;
1940 }
1941
1942 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1943 {
1944         const struct cred *cred = current_cred();
1945         int rc = 0;
1946
1947         if (!sb)
1948                 return 0;
1949
1950         switch (cmds) {
1951         case Q_SYNC:
1952         case Q_QUOTAON:
1953         case Q_QUOTAOFF:
1954         case Q_SETINFO:
1955         case Q_SETQUOTA:
1956                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1957                 break;
1958         case Q_GETFMT:
1959         case Q_GETINFO:
1960         case Q_GETQUOTA:
1961                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1962                 break;
1963         default:
1964                 rc = 0;  /* let the kernel handle invalid cmds */
1965                 break;
1966         }
1967         return rc;
1968 }
1969
1970 static int selinux_quota_on(struct dentry *dentry)
1971 {
1972         const struct cred *cred = current_cred();
1973
1974         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1975 }
1976
1977 static int selinux_syslog(int type)
1978 {
1979         int rc;
1980
1981         switch (type) {
1982         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1983         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1984                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1985                 break;
1986         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1987         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1988         /* Set level of messages printed to console */
1989         case SYSLOG_ACTION_CONSOLE_LEVEL:
1990                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1991                 break;
1992         case SYSLOG_ACTION_CLOSE:       /* Close log */
1993         case SYSLOG_ACTION_OPEN:        /* Open log */
1994         case SYSLOG_ACTION_READ:        /* Read from log */
1995         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1996         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1997         default:
1998                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1999                 break;
2000         }
2001         return rc;
2002 }
2003
2004 /*
2005  * Check that a process has enough memory to allocate a new virtual
2006  * mapping. 0 means there is enough memory for the allocation to
2007  * succeed and -ENOMEM implies there is not.
2008  *
2009  * Do not audit the selinux permission check, as this is applied to all
2010  * processes that allocate mappings.
2011  */
2012 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2013 {
2014         int rc, cap_sys_admin = 0;
2015
2016         rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2017                              SECURITY_CAP_NOAUDIT);
2018         if (rc == 0)
2019                 cap_sys_admin = 1;
2020
2021         return __vm_enough_memory(mm, pages, cap_sys_admin);
2022 }
2023
2024 /* binprm security operations */
2025
2026 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2027 {
2028         const struct task_security_struct *old_tsec;
2029         struct task_security_struct *new_tsec;
2030         struct inode_security_struct *isec;
2031         struct common_audit_data ad;
2032         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2033         int rc;
2034
2035         rc = cap_bprm_set_creds(bprm);
2036         if (rc)
2037                 return rc;
2038
2039         /* SELinux context only depends on initial program or script and not
2040          * the script interpreter */
2041         if (bprm->cred_prepared)
2042                 return 0;
2043
2044         old_tsec = current_security();
2045         new_tsec = bprm->cred->security;
2046         isec = inode->i_security;
2047
2048         /* Default to the current task SID. */
2049         new_tsec->sid = old_tsec->sid;
2050         new_tsec->osid = old_tsec->sid;
2051
2052         /* Reset fs, key, and sock SIDs on execve. */
2053         new_tsec->create_sid = 0;
2054         new_tsec->keycreate_sid = 0;
2055         new_tsec->sockcreate_sid = 0;
2056
2057         if (old_tsec->exec_sid) {
2058                 new_tsec->sid = old_tsec->exec_sid;
2059                 /* Reset exec SID on execve. */
2060                 new_tsec->exec_sid = 0;
2061         } else {
2062                 /* Check for a default transition on this program. */
2063                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2064                                              SECCLASS_PROCESS, &new_tsec->sid);
2065                 if (rc)
2066                         return rc;
2067         }
2068
2069         COMMON_AUDIT_DATA_INIT(&ad, FS);
2070         ad.u.fs.path = bprm->file->f_path;
2071
2072         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2073                 new_tsec->sid = old_tsec->sid;
2074
2075         if (new_tsec->sid == old_tsec->sid) {
2076                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2077                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2078                 if (rc)
2079                         return rc;
2080         } else {
2081                 /* Check permissions for the transition. */
2082                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2083                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2084                 if (rc)
2085                         return rc;
2086
2087                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2088                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2089                 if (rc)
2090                         return rc;
2091
2092                 /* Check for shared state */
2093                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2094                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2095                                           SECCLASS_PROCESS, PROCESS__SHARE,
2096                                           NULL);
2097                         if (rc)
2098                                 return -EPERM;
2099                 }
2100
2101                 /* Make sure that anyone attempting to ptrace over a task that
2102                  * changes its SID has the appropriate permit */
2103                 if (bprm->unsafe &
2104                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2105                         struct task_struct *tracer;
2106                         struct task_security_struct *sec;
2107                         u32 ptsid = 0;
2108
2109                         rcu_read_lock();
2110                         tracer = tracehook_tracer_task(current);
2111                         if (likely(tracer != NULL)) {
2112                                 sec = __task_cred(tracer)->security;
2113                                 ptsid = sec->sid;
2114                         }
2115                         rcu_read_unlock();
2116
2117                         if (ptsid != 0) {
2118                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2119                                                   SECCLASS_PROCESS,
2120                                                   PROCESS__PTRACE, NULL);
2121                                 if (rc)
2122                                         return -EPERM;
2123                         }
2124                 }
2125
2126                 /* Clear any possibly unsafe personality bits on exec: */
2127                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2128         }
2129
2130         return 0;
2131 }
2132
2133 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2134 {
2135         const struct task_security_struct *tsec = current_security();
2136         u32 sid, osid;
2137         int atsecure = 0;
2138
2139         sid = tsec->sid;
2140         osid = tsec->osid;
2141
2142         if (osid != sid) {
2143                 /* Enable secure mode for SIDs transitions unless
2144                    the noatsecure permission is granted between
2145                    the two SIDs, i.e. ahp returns 0. */
2146                 atsecure = avc_has_perm(osid, sid,
2147                                         SECCLASS_PROCESS,
2148                                         PROCESS__NOATSECURE, NULL);
2149         }
2150
2151         return (atsecure || cap_bprm_secureexec(bprm));
2152 }
2153
2154 extern struct vfsmount *selinuxfs_mount;
2155 extern struct dentry *selinux_null;
2156
2157 /* Derived from fs/exec.c:flush_old_files. */
2158 static inline void flush_unauthorized_files(const struct cred *cred,
2159                                             struct files_struct *files)
2160 {
2161         struct common_audit_data ad;
2162         struct file *file, *devnull = NULL;
2163         struct tty_struct *tty;
2164         struct fdtable *fdt;
2165         long j = -1;
2166         int drop_tty = 0;
2167
2168         tty = get_current_tty();
2169         if (tty) {
2170                 spin_lock(&tty_files_lock);
2171                 if (!list_empty(&tty->tty_files)) {
2172                         struct tty_file_private *file_priv;
2173                         struct inode *inode;
2174
2175                         /* Revalidate access to controlling tty.
2176                            Use inode_has_perm on the tty inode directly rather
2177                            than using file_has_perm, as this particular open
2178                            file may belong to another process and we are only
2179                            interested in the inode-based check here. */
2180                         file_priv = list_first_entry(&tty->tty_files,
2181                                                 struct tty_file_private, list);
2182                         file = file_priv->file;
2183                         inode = file->f_path.dentry->d_inode;
2184                         if (inode_has_perm(cred, inode,
2185                                            FILE__READ | FILE__WRITE, NULL)) {
2186                                 drop_tty = 1;
2187                         }
2188                 }
2189                 spin_unlock(&tty_files_lock);
2190                 tty_kref_put(tty);
2191         }
2192         /* Reset controlling tty. */
2193         if (drop_tty)
2194                 no_tty();
2195
2196         /* Revalidate access to inherited open files. */
2197
2198         COMMON_AUDIT_DATA_INIT(&ad, FS);
2199
2200         spin_lock(&files->file_lock);
2201         for (;;) {
2202                 unsigned long set, i;
2203                 int fd;
2204
2205                 j++;
2206                 i = j * __NFDBITS;
2207                 fdt = files_fdtable(files);
2208                 if (i >= fdt->max_fds)
2209                         break;
2210                 set = fdt->open_fds->fds_bits[j];
2211                 if (!set)
2212                         continue;
2213                 spin_unlock(&files->file_lock);
2214                 for ( ; set ; i++, set >>= 1) {
2215                         if (set & 1) {
2216                                 file = fget(i);
2217                                 if (!file)
2218                                         continue;
2219                                 if (file_has_perm(cred,
2220                                                   file,
2221                                                   file_to_av(file))) {
2222                                         sys_close(i);
2223                                         fd = get_unused_fd();
2224                                         if (fd != i) {
2225                                                 if (fd >= 0)
2226                                                         put_unused_fd(fd);
2227                                                 fput(file);
2228                                                 continue;
2229                                         }
2230                                         if (devnull) {
2231                                                 get_file(devnull);
2232                                         } else {
2233                                                 devnull = dentry_open(
2234                                                         dget(selinux_null),
2235                                                         mntget(selinuxfs_mount),
2236                                                         O_RDWR, cred);
2237                                                 if (IS_ERR(devnull)) {
2238                                                         devnull = NULL;
2239                                                         put_unused_fd(fd);
2240                                                         fput(file);
2241                                                         continue;
2242                                                 }
2243                                         }
2244                                         fd_install(fd, devnull);
2245                                 }
2246                                 fput(file);
2247                         }
2248                 }
2249                 spin_lock(&files->file_lock);
2250
2251         }
2252         spin_unlock(&files->file_lock);
2253 }
2254
2255 /*
2256  * Prepare a process for imminent new credential changes due to exec
2257  */
2258 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2259 {
2260         struct task_security_struct *new_tsec;
2261         struct rlimit *rlim, *initrlim;
2262         int rc, i;
2263
2264         new_tsec = bprm->cred->security;
2265         if (new_tsec->sid == new_tsec->osid)
2266                 return;
2267
2268         /* Close files for which the new task SID is not authorized. */
2269         flush_unauthorized_files(bprm->cred, current->files);
2270
2271         /* Always clear parent death signal on SID transitions. */
2272         current->pdeath_signal = 0;
2273
2274         /* Check whether the new SID can inherit resource limits from the old
2275          * SID.  If not, reset all soft limits to the lower of the current
2276          * task's hard limit and the init task's soft limit.
2277          *
2278          * Note that the setting of hard limits (even to lower them) can be
2279          * controlled by the setrlimit check.  The inclusion of the init task's
2280          * soft limit into the computation is to avoid resetting soft limits
2281          * higher than the default soft limit for cases where the default is
2282          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2283          */
2284         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2285                           PROCESS__RLIMITINH, NULL);
2286         if (rc) {
2287                 /* protect against do_prlimit() */
2288                 task_lock(current);
2289                 for (i = 0; i < RLIM_NLIMITS; i++) {
2290                         rlim = current->signal->rlim + i;
2291                         initrlim = init_task.signal->rlim + i;
2292                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2293                 }
2294                 task_unlock(current);
2295                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2296         }
2297 }
2298
2299 /*
2300  * Clean up the process immediately after the installation of new credentials
2301  * due to exec
2302  */
2303 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2304 {
2305         const struct task_security_struct *tsec = current_security();
2306         struct itimerval itimer;
2307         u32 osid, sid;
2308         int rc, i;
2309
2310         osid = tsec->osid;
2311         sid = tsec->sid;
2312
2313         if (sid == osid)
2314                 return;
2315
2316         /* Check whether the new SID can inherit signal state from the old SID.
2317          * If not, clear itimers to avoid subsequent signal generation and
2318          * flush and unblock signals.
2319          *
2320          * This must occur _after_ the task SID has been updated so that any
2321          * kill done after the flush will be checked against the new SID.
2322          */
2323         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2324         if (rc) {
2325                 memset(&itimer, 0, sizeof itimer);
2326                 for (i = 0; i < 3; i++)
2327                         do_setitimer(i, &itimer, NULL);
2328                 spin_lock_irq(&current->sighand->siglock);
2329                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2330                         __flush_signals(current);
2331                         flush_signal_handlers(current, 1);
2332                         sigemptyset(&current->blocked);
2333                 }
2334                 spin_unlock_irq(&current->sighand->siglock);
2335         }
2336
2337         /* Wake up the parent if it is waiting so that it can recheck
2338          * wait permission to the new task SID. */
2339         read_lock(&tasklist_lock);
2340         __wake_up_parent(current, current->real_parent);
2341         read_unlock(&tasklist_lock);
2342 }
2343
2344 /* superblock security operations */
2345
2346 static int selinux_sb_alloc_security(struct super_block *sb)
2347 {
2348         return superblock_alloc_security(sb);
2349 }
2350
2351 static void selinux_sb_free_security(struct super_block *sb)
2352 {
2353         superblock_free_security(sb);
2354 }
2355
2356 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2357 {
2358         if (plen > olen)
2359                 return 0;
2360
2361         return !memcmp(prefix, option, plen);
2362 }
2363
2364 static inline int selinux_option(char *option, int len)
2365 {
2366         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2367                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2368                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2369                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2370                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2371 }
2372
2373 static inline void take_option(char **to, char *from, int *first, int len)
2374 {
2375         if (!*first) {
2376                 **to = ',';
2377                 *to += 1;
2378         } else
2379                 *first = 0;
2380         memcpy(*to, from, len);
2381         *to += len;
2382 }
2383
2384 static inline void take_selinux_option(char **to, char *from, int *first,
2385                                        int len)
2386 {
2387         int current_size = 0;
2388
2389         if (!*first) {
2390                 **to = '|';
2391                 *to += 1;
2392         } else
2393                 *first = 0;
2394
2395         while (current_size < len) {
2396                 if (*from != '"') {
2397                         **to = *from;
2398                         *to += 1;
2399                 }
2400                 from += 1;
2401                 current_size += 1;
2402         }
2403 }
2404
2405 static int selinux_sb_copy_data(char *orig, char *copy)
2406 {
2407         int fnosec, fsec, rc = 0;
2408         char *in_save, *in_curr, *in_end;
2409         char *sec_curr, *nosec_save, *nosec;
2410         int open_quote = 0;
2411
2412         in_curr = orig;
2413         sec_curr = copy;
2414
2415         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2416         if (!nosec) {
2417                 rc = -ENOMEM;
2418                 goto out;
2419         }
2420
2421         nosec_save = nosec;
2422         fnosec = fsec = 1;
2423         in_save = in_end = orig;
2424
2425         do {
2426                 if (*in_end == '"')
2427                         open_quote = !open_quote;
2428                 if ((*in_end == ',' && open_quote == 0) ||
2429                                 *in_end == '\0') {
2430                         int len = in_end - in_curr;
2431
2432                         if (selinux_option(in_curr, len))
2433                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2434                         else
2435                                 take_option(&nosec, in_curr, &fnosec, len);
2436
2437                         in_curr = in_end + 1;
2438                 }
2439         } while (*in_end++);
2440
2441         strcpy(in_save, nosec_save);
2442         free_page((unsigned long)nosec_save);
2443 out:
2444         return rc;
2445 }
2446
2447 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2448 {
2449         const struct cred *cred = current_cred();
2450         struct common_audit_data ad;
2451         int rc;
2452
2453         rc = superblock_doinit(sb, data);
2454         if (rc)
2455                 return rc;
2456
2457         /* Allow all mounts performed by the kernel */
2458         if (flags & MS_KERNMOUNT)
2459                 return 0;
2460
2461         COMMON_AUDIT_DATA_INIT(&ad, FS);
2462         ad.u.fs.path.dentry = sb->s_root;
2463         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2464 }
2465
2466 static int selinux_sb_statfs(struct dentry *dentry)
2467 {
2468         const struct cred *cred = current_cred();
2469         struct common_audit_data ad;
2470
2471         COMMON_AUDIT_DATA_INIT(&ad, FS);
2472         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2473         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2474 }
2475
2476 static int selinux_mount(char *dev_name,
2477                          struct path *path,
2478                          char *type,
2479                          unsigned long flags,
2480                          void *data)
2481 {
2482         const struct cred *cred = current_cred();
2483
2484         if (flags & MS_REMOUNT)
2485                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2486                                            FILESYSTEM__REMOUNT, NULL);
2487         else
2488                 return dentry_has_perm(cred, path->mnt, path->dentry,
2489                                        FILE__MOUNTON);
2490 }
2491
2492 static int selinux_umount(struct vfsmount *mnt, int flags)
2493 {
2494         const struct cred *cred = current_cred();
2495
2496         return superblock_has_perm(cred, mnt->mnt_sb,
2497                                    FILESYSTEM__UNMOUNT, NULL);
2498 }
2499
2500 /* inode security operations */
2501
2502 static int selinux_inode_alloc_security(struct inode *inode)
2503 {
2504         return inode_alloc_security(inode);
2505 }
2506
2507 static void selinux_inode_free_security(struct inode *inode)
2508 {
2509         inode_free_security(inode);
2510 }
2511
2512 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2513                                        const struct qstr *qstr, char **name,
2514                                        void **value, size_t *len)
2515 {
2516         const struct task_security_struct *tsec = current_security();
2517         struct inode_security_struct *dsec;
2518         struct superblock_security_struct *sbsec;
2519         u32 sid, newsid, clen;
2520         int rc;
2521         char *namep = NULL, *context;
2522
2523         dsec = dir->i_security;
2524         sbsec = dir->i_sb->s_security;
2525
2526         sid = tsec->sid;
2527         newsid = tsec->create_sid;
2528
2529         if ((sbsec->flags & SE_SBINITIALIZED) &&
2530             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2531                 newsid = sbsec->mntpoint_sid;
2532         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2533                 rc = security_transition_sid(sid, dsec->sid,
2534                                              inode_mode_to_security_class(inode->i_mode),
2535                                              &newsid);
2536                 if (rc) {
2537                         printk(KERN_WARNING "%s:  "
2538                                "security_transition_sid failed, rc=%d (dev=%s "
2539                                "ino=%ld)\n",
2540                                __func__,
2541                                -rc, inode->i_sb->s_id, inode->i_ino);
2542                         return rc;
2543                 }
2544         }
2545
2546         /* Possibly defer initialization to selinux_complete_init. */
2547         if (sbsec->flags & SE_SBINITIALIZED) {
2548                 struct inode_security_struct *isec = inode->i_security;
2549                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2550                 isec->sid = newsid;
2551                 isec->initialized = 1;
2552         }
2553
2554         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2555                 return -EOPNOTSUPP;
2556
2557         if (name) {
2558                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2559                 if (!namep)
2560                         return -ENOMEM;
2561                 *name = namep;
2562         }
2563
2564         if (value && len) {
2565                 rc = security_sid_to_context_force(newsid, &context, &clen);
2566                 if (rc) {
2567                         kfree(namep);
2568                         return rc;
2569                 }
2570                 *value = context;
2571                 *len = clen;
2572         }
2573
2574         return 0;
2575 }
2576
2577 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2578 {
2579         return may_create(dir, dentry, SECCLASS_FILE);
2580 }
2581
2582 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2583 {
2584         return may_link(dir, old_dentry, MAY_LINK);
2585 }
2586
2587 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2588 {
2589         return may_link(dir, dentry, MAY_UNLINK);
2590 }
2591
2592 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2593 {
2594         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2595 }
2596
2597 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2598 {
2599         return may_create(dir, dentry, SECCLASS_DIR);
2600 }
2601
2602 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2603 {
2604         return may_link(dir, dentry, MAY_RMDIR);
2605 }
2606
2607 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2608 {
2609         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2610 }
2611
2612 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2613                                 struct inode *new_inode, struct dentry *new_dentry)
2614 {
2615         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2616 }
2617
2618 static int selinux_inode_readlink(struct dentry *dentry)
2619 {
2620         const struct cred *cred = current_cred();
2621
2622         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2623 }
2624
2625 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2626 {
2627         const struct cred *cred = current_cred();
2628
2629         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2630 }
2631
2632 static int selinux_inode_permission(struct inode *inode, int mask)
2633 {
2634         const struct cred *cred = current_cred();
2635         struct common_audit_data ad;
2636         u32 perms;
2637         bool from_access;
2638
2639         from_access = mask & MAY_ACCESS;
2640         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2641
2642         /* No permission to check.  Existence test. */
2643         if (!mask)
2644                 return 0;
2645
2646         COMMON_AUDIT_DATA_INIT(&ad, FS);
2647         ad.u.fs.inode = inode;
2648
2649         if (from_access)
2650                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2651
2652         perms = file_mask_to_av(inode->i_mode, mask);
2653
2654         return inode_has_perm(cred, inode, perms, &ad);
2655 }
2656
2657 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2658 {
2659         const struct cred *cred = current_cred();
2660         unsigned int ia_valid = iattr->ia_valid;
2661
2662         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2663         if (ia_valid & ATTR_FORCE) {
2664                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2665                               ATTR_FORCE);
2666                 if (!ia_valid)
2667                         return 0;
2668         }
2669
2670         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2671                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2672                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2673
2674         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2675 }
2676
2677 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2678 {
2679         const struct cred *cred = current_cred();
2680
2681         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2682 }
2683
2684 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2685 {
2686         const struct cred *cred = current_cred();
2687
2688         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2689                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2690                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2691                         if (!capable(CAP_SETFCAP))
2692                                 return -EPERM;
2693                 } else if (!capable(CAP_SYS_ADMIN)) {
2694                         /* A different attribute in the security namespace.
2695                            Restrict to administrator. */
2696                         return -EPERM;
2697                 }
2698         }
2699
2700         /* Not an attribute we recognize, so just check the
2701            ordinary setattr permission. */
2702         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2703 }
2704
2705 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2706                                   const void *value, size_t size, int flags)
2707 {
2708         struct inode *inode = dentry->d_inode;
2709         struct inode_security_struct *isec = inode->i_security;
2710         struct superblock_security_struct *sbsec;
2711         struct common_audit_data ad;
2712         u32 newsid, sid = current_sid();
2713         int rc = 0;
2714
2715         if (strcmp(name, XATTR_NAME_SELINUX))
2716                 return selinux_inode_setotherxattr(dentry, name);
2717
2718         sbsec = inode->i_sb->s_security;
2719         if (!(sbsec->flags & SE_SBLABELSUPP))
2720                 return -EOPNOTSUPP;
2721
2722         if (!is_owner_or_cap(inode))
2723                 return -EPERM;
2724
2725         COMMON_AUDIT_DATA_INIT(&ad, FS);
2726         ad.u.fs.path.dentry = dentry;
2727
2728         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2729                           FILE__RELABELFROM, &ad);
2730         if (rc)
2731                 return rc;
2732
2733         rc = security_context_to_sid(value, size, &newsid);
2734         if (rc == -EINVAL) {
2735                 if (!capable(CAP_MAC_ADMIN))
2736                         return rc;
2737                 rc = security_context_to_sid_force(value, size, &newsid);
2738         }
2739         if (rc)
2740                 return rc;
2741
2742         rc = avc_has_perm(sid, newsid, isec->sclass,
2743                           FILE__RELABELTO, &ad);
2744         if (rc)
2745                 return rc;
2746
2747         rc = security_validate_transition(isec->sid, newsid, sid,
2748                                           isec->sclass);
2749         if (rc)
2750                 return rc;
2751
2752         return avc_has_perm(newsid,
2753                             sbsec->sid,
2754                             SECCLASS_FILESYSTEM,
2755                             FILESYSTEM__ASSOCIATE,
2756                             &ad);
2757 }
2758
2759 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2760                                         const void *value, size_t size,
2761                                         int flags)
2762 {
2763         struct inode *inode = dentry->d_inode;
2764         struct inode_security_struct *isec = inode->i_security;
2765         u32 newsid;
2766         int rc;
2767
2768         if (strcmp(name, XATTR_NAME_SELINUX)) {
2769                 /* Not an attribute we recognize, so nothing to do. */
2770                 return;
2771         }
2772
2773         rc = security_context_to_sid_force(value, size, &newsid);
2774         if (rc) {
2775                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2776                        "for (%s, %lu), rc=%d\n",
2777                        inode->i_sb->s_id, inode->i_ino, -rc);
2778                 return;
2779         }
2780
2781         isec->sid = newsid;
2782         return;
2783 }
2784
2785 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2786 {
2787         const struct cred *cred = current_cred();
2788
2789         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2790 }
2791
2792 static int selinux_inode_listxattr(struct dentry *dentry)
2793 {
2794         const struct cred *cred = current_cred();
2795
2796         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2797 }
2798
2799 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2800 {
2801         if (strcmp(name, XATTR_NAME_SELINUX))
2802                 return selinux_inode_setotherxattr(dentry, name);
2803
2804         /* No one is allowed to remove a SELinux security label.
2805            You can change the label, but all data must be labeled. */
2806         return -EACCES;
2807 }
2808
2809 /*
2810  * Copy the inode security context value to the user.
2811  *
2812  * Permission check is handled by selinux_inode_getxattr hook.
2813  */
2814 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2815 {
2816         u32 size;
2817         int error;
2818         char *context = NULL;
2819         struct inode_security_struct *isec = inode->i_security;
2820
2821         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2822                 return -EOPNOTSUPP;
2823
2824         /*
2825          * If the caller has CAP_MAC_ADMIN, then get the raw context
2826          * value even if it is not defined by current policy; otherwise,
2827          * use the in-core value under current policy.
2828          * Use the non-auditing forms of the permission checks since
2829          * getxattr may be called by unprivileged processes commonly
2830          * and lack of permission just means that we fall back to the
2831          * in-core context value, not a denial.
2832          */
2833         error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2834                                 SECURITY_CAP_NOAUDIT);
2835         if (!error)
2836                 error = security_sid_to_context_force(isec->sid, &context,
2837                                                       &size);
2838         else
2839                 error = security_sid_to_context(isec->sid, &context, &size);
2840         if (error)
2841                 return error;
2842         error = size;
2843         if (alloc) {
2844                 *buffer = context;
2845                 goto out_nofree;
2846         }
2847         kfree(context);
2848 out_nofree:
2849         return error;
2850 }
2851
2852 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2853                                      const void *value, size_t size, int flags)
2854 {
2855         struct inode_security_struct *isec = inode->i_security;
2856         u32 newsid;
2857         int rc;
2858
2859         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2860                 return -EOPNOTSUPP;
2861
2862         if (!value || !size)
2863                 return -EACCES;
2864
2865         rc = security_context_to_sid((void *)value, size, &newsid);
2866         if (rc)
2867                 return rc;
2868
2869         isec->sid = newsid;
2870         isec->initialized = 1;
2871         return 0;
2872 }
2873
2874 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2875 {
2876         const int len = sizeof(XATTR_NAME_SELINUX);
2877         if (buffer && len <= buffer_size)
2878                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2879         return len;
2880 }
2881
2882 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2883 {
2884         struct inode_security_struct *isec = inode->i_security;
2885         *secid = isec->sid;
2886 }
2887
2888 /* file security operations */
2889
2890 static int selinux_revalidate_file_permission(struct file *file, int mask)
2891 {
2892         const struct cred *cred = current_cred();
2893         struct inode *inode = file->f_path.dentry->d_inode;
2894
2895         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2896         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2897                 mask |= MAY_APPEND;
2898
2899         return file_has_perm(cred, file,
2900                              file_mask_to_av(inode->i_mode, mask));
2901 }
2902
2903 static int selinux_file_permission(struct file *file, int mask)
2904 {
2905         struct inode *inode = file->f_path.dentry->d_inode;
2906         struct file_security_struct *fsec = file->f_security;
2907         struct inode_security_struct *isec = inode->i_security;
2908         u32 sid = current_sid();
2909
2910         if (!mask)
2911                 /* No permission to check.  Existence test. */
2912                 return 0;
2913
2914         if (sid == fsec->sid && fsec->isid == isec->sid &&
2915             fsec->pseqno == avc_policy_seqno())
2916                 /* No change since dentry_open check. */
2917                 return 0;
2918
2919         return selinux_revalidate_file_permission(file, mask);
2920 }
2921
2922 static int selinux_file_alloc_security(struct file *file)
2923 {
2924         return file_alloc_security(file);
2925 }
2926
2927 static void selinux_file_free_security(struct file *file)
2928 {
2929         file_free_security(file);
2930 }
2931
2932 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2933                               unsigned long arg)
2934 {
2935         const struct cred *cred = current_cred();
2936         u32 av = 0;
2937
2938         if (_IOC_DIR(cmd) & _IOC_WRITE)
2939                 av |= FILE__WRITE;
2940         if (_IOC_DIR(cmd) & _IOC_READ)
2941                 av |= FILE__READ;
2942         if (!av)
2943                 av = FILE__IOCTL;
2944
2945         return file_has_perm(cred, file, av);
2946 }
2947
2948 static int default_noexec;
2949
2950 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2951 {
2952         const struct cred *cred = current_cred();
2953         int rc = 0;
2954
2955         if (default_noexec &&
2956             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2957                 /*
2958                  * We are making executable an anonymous mapping or a
2959                  * private file mapping that will also be writable.
2960                  * This has an additional check.
2961                  */
2962                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
2963                 if (rc)
2964                         goto error;
2965         }
2966
2967         if (file) {
2968                 /* read access is always possible with a mapping */
2969                 u32 av = FILE__READ;
2970
2971                 /* write access only matters if the mapping is shared */
2972                 if (shared && (prot & PROT_WRITE))
2973                         av |= FILE__WRITE;
2974
2975                 if (prot & PROT_EXEC)
2976                         av |= FILE__EXECUTE;
2977
2978                 return file_has_perm(cred, file, av);
2979         }
2980
2981 error:
2982         return rc;
2983 }
2984
2985 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2986                              unsigned long prot, unsigned long flags,
2987                              unsigned long addr, unsigned long addr_only)
2988 {
2989         int rc = 0;
2990         u32 sid = current_sid();
2991
2992         /*
2993          * notice that we are intentionally putting the SELinux check before
2994          * the secondary cap_file_mmap check.  This is such a likely attempt
2995          * at bad behaviour/exploit that we always want to get the AVC, even
2996          * if DAC would have also denied the operation.
2997          */
2998         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
2999                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3000                                   MEMPROTECT__MMAP_ZERO, NULL);
3001                 if (rc)
3002                         return rc;
3003         }
3004
3005         /* do DAC check on address space usage */
3006         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3007         if (rc || addr_only)
3008                 return rc;
3009
3010         if (selinux_checkreqprot)
3011                 prot = reqprot;
3012
3013         return file_map_prot_check(file, prot,
3014                                    (flags & MAP_TYPE) == MAP_SHARED);
3015 }
3016
3017 static int selinux_file_mprotect(struct vm_area_struct *vma,
3018                                  unsigned long reqprot,
3019                                  unsigned long prot)
3020 {
3021         const struct cred *cred = current_cred();
3022
3023         if (selinux_checkreqprot)
3024                 prot = reqprot;
3025
3026         if (default_noexec &&
3027             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3028                 int rc = 0;
3029                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3030                     vma->vm_end <= vma->vm_mm->brk) {
3031                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3032                 } else if (!vma->vm_file &&
3033                            vma->vm_start <= vma->vm_mm->start_stack &&
3034                            vma->vm_end >= vma->vm_mm->start_stack) {
3035                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3036                 } else if (vma->vm_file && vma->anon_vma) {
3037                         /*
3038                          * We are making executable a file mapping that has
3039                          * had some COW done. Since pages might have been
3040                          * written, check ability to execute the possibly
3041                          * modified content.  This typically should only
3042                          * occur for text relocations.
3043                          */
3044                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3045                 }
3046                 if (rc)
3047                         return rc;
3048         }
3049
3050         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3051 }
3052
3053 static int selinux_file_lock(struct file *file, unsigned int cmd)
3054 {
3055         const struct cred *cred = current_cred();
3056
3057         return file_has_perm(cred, file, FILE__LOCK);
3058 }
3059
3060 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3061                               unsigned long arg)
3062 {
3063         const struct cred *cred = current_cred();
3064         int err = 0;
3065
3066         switch (cmd) {
3067         case F_SETFL:
3068                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3069                         err = -EINVAL;
3070                         break;
3071                 }
3072
3073                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3074                         err = file_has_perm(cred, file, FILE__WRITE);
3075                         break;
3076                 }
3077                 /* fall through */
3078         case F_SETOWN:
3079         case F_SETSIG:
3080         case F_GETFL:
3081         case F_GETOWN:
3082         case F_GETSIG:
3083                 /* Just check FD__USE permission */
3084                 err = file_has_perm(cred, file, 0);
3085                 break;
3086         case F_GETLK:
3087         case F_SETLK:
3088         case F_SETLKW:
3089 #if BITS_PER_LONG == 32
3090         case F_GETLK64:
3091         case F_SETLK64:
3092         case F_SETLKW64:
3093 #endif
3094                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3095                         err = -EINVAL;
3096                         break;
3097                 }
3098                 err = file_has_perm(cred, file, FILE__LOCK);
3099                 break;
3100         }
3101
3102         return err;
3103 }
3104
3105 static int selinux_file_set_fowner(struct file *file)
3106 {
3107         struct file_security_struct *fsec;
3108
3109         fsec = file->f_security;
3110         fsec->fown_sid = current_sid();
3111
3112         return 0;
3113 }
3114
3115 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3116                                        struct fown_struct *fown, int signum)
3117 {
3118         struct file *file;
3119         u32 sid = task_sid(tsk);
3120         u32 perm;
3121         struct file_security_struct *fsec;
3122
3123         /* struct fown_struct is never outside the context of a struct file */
3124         file = container_of(fown, struct file, f_owner);
3125
3126         fsec = file->f_security;
3127
3128         if (!signum)
3129                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3130         else
3131                 perm = signal_to_av(signum);
3132
3133         return avc_has_perm(fsec->fown_sid, sid,
3134                             SECCLASS_PROCESS, perm, NULL);
3135 }
3136
3137 static int selinux_file_receive(struct file *file)
3138 {
3139         const struct cred *cred = current_cred();
3140
3141         return file_has_perm(cred, file, file_to_av(file));
3142 }
3143
3144 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3145 {
3146         struct file_security_struct *fsec;
3147         struct inode *inode;
3148         struct inode_security_struct *isec;
3149
3150         inode = file->f_path.dentry->d_inode;
3151         fsec = file->f_security;
3152         isec = inode->i_security;
3153         /*
3154          * Save inode label and policy sequence number
3155          * at open-time so that selinux_file_permission
3156          * can determine whether revalidation is necessary.
3157          * Task label is already saved in the file security
3158          * struct as its SID.
3159          */
3160         fsec->isid = isec->sid;
3161         fsec->pseqno = avc_policy_seqno();
3162         /*
3163          * Since the inode label or policy seqno may have changed
3164          * between the selinux_inode_permission check and the saving
3165          * of state above, recheck that access is still permitted.
3166          * Otherwise, access might never be revalidated against the
3167          * new inode label or new policy.
3168          * This check is not redundant - do not remove.
3169          */
3170         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3171 }
3172
3173 /* task security operations */
3174
3175 static int selinux_task_create(unsigned long clone_flags)
3176 {
3177         return current_has_perm(current, PROCESS__FORK);
3178 }
3179
3180 /*
3181  * allocate the SELinux part of blank credentials
3182  */
3183 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3184 {
3185         struct task_security_struct *tsec;
3186
3187         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3188         if (!tsec)
3189                 return -ENOMEM;
3190
3191         cred->security = tsec;
3192         return 0;
3193 }
3194
3195 /*
3196  * detach and free the LSM part of a set of credentials
3197  */
3198 static void selinux_cred_free(struct cred *cred)
3199 {
3200         struct task_security_struct *tsec = cred->security;
3201
3202         BUG_ON((unsigned long) cred->security < PAGE_SIZE);
3203         cred->security = (void *) 0x7UL;
3204         kfree(tsec);
3205 }
3206
3207 /*
3208  * prepare a new set of credentials for modification
3209  */
3210 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3211                                 gfp_t gfp)
3212 {
3213         const struct task_security_struct *old_tsec;
3214         struct task_security_struct *tsec;
3215
3216         old_tsec = old->security;
3217
3218         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3219         if (!tsec)
3220                 return -ENOMEM;
3221
3222         new->security = tsec;
3223         return 0;
3224 }
3225
3226 /*
3227  * transfer the SELinux data to a blank set of creds
3228  */
3229 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3230 {
3231         const struct task_security_struct *old_tsec = old->security;
3232         struct task_security_struct *tsec = new->security;
3233
3234         *tsec = *old_tsec;
3235 }
3236
3237 /*
3238  * set the security data for a kernel service
3239  * - all the creation contexts are set to unlabelled
3240  */
3241 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3242 {
3243         struct task_security_struct *tsec = new->security;
3244         u32 sid = current_sid();
3245         int ret;
3246
3247         ret = avc_has_perm(sid, secid,
3248                            SECCLASS_KERNEL_SERVICE,
3249                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3250                            NULL);
3251         if (ret == 0) {
3252                 tsec->sid = secid;
3253                 tsec->create_sid = 0;
3254                 tsec->keycreate_sid = 0;
3255                 tsec->sockcreate_sid = 0;
3256         }
3257         return ret;
3258 }
3259
3260 /*
3261  * set the file creation context in a security record to the same as the
3262  * objective context of the specified inode
3263  */
3264 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3265 {
3266         struct inode_security_struct *isec = inode->i_security;
3267         struct task_security_struct *tsec = new->security;
3268         u32 sid = current_sid();
3269         int ret;
3270
3271         ret = avc_has_perm(sid, isec->sid,
3272                            SECCLASS_KERNEL_SERVICE,
3273                            KERNEL_SERVICE__CREATE_FILES_AS,
3274                            NULL);
3275
3276         if (ret == 0)
3277                 tsec->create_sid = isec->sid;
3278         return ret;
3279 }
3280
3281 static int selinux_kernel_module_request(char *kmod_name)
3282 {
3283         u32 sid;
3284         struct common_audit_data ad;
3285
3286         sid = task_sid(current);
3287
3288         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3289         ad.u.kmod_name = kmod_name;
3290
3291         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3292                             SYSTEM__MODULE_REQUEST, &ad);
3293 }
3294
3295 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3296 {
3297         return current_has_perm(p, PROCESS__SETPGID);
3298 }
3299
3300 static int selinux_task_getpgid(struct task_struct *p)
3301 {
3302         return current_has_perm(p, PROCESS__GETPGID);
3303 }
3304
3305 static int selinux_task_getsid(struct task_struct *p)
3306 {
3307         return current_has_perm(p, PROCESS__GETSESSION);
3308 }
3309
3310 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3311 {
3312         *secid = task_sid(p);
3313 }
3314
3315 static int selinux_task_setnice(struct task_struct *p, int nice)
3316 {
3317         int rc;
3318
3319         rc = cap_task_setnice(p, nice);
3320         if (rc)
3321                 return rc;
3322
3323         return current_has_perm(p, PROCESS__SETSCHED);
3324 }
3325
3326 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3327 {
3328         int rc;
3329
3330         rc = cap_task_setioprio(p, ioprio);
3331         if (rc)
3332                 return rc;
3333
3334         return current_has_perm(p, PROCESS__SETSCHED);
3335 }
3336
3337 static int selinux_task_getioprio(struct task_struct *p)
3338 {
3339         return current_has_perm(p, PROCESS__GETSCHED);
3340 }
3341
3342 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3343                 struct rlimit *new_rlim)
3344 {
3345         struct rlimit *old_rlim = p->signal->rlim + resource;
3346
3347         /* Control the ability to change the hard limit (whether
3348            lowering or raising it), so that the hard limit can
3349            later be used as a safe reset point for the soft limit
3350            upon context transitions.  See selinux_bprm_committing_creds. */
3351         if (old_rlim->rlim_max != new_rlim->rlim_max)
3352                 return current_has_perm(p, PROCESS__SETRLIMIT);
3353
3354         return 0;
3355 }
3356
3357 static int selinux_task_setscheduler(struct task_struct *p)
3358 {
3359         int rc;
3360
3361         rc = cap_task_setscheduler(p);
3362         if (rc)
3363                 return rc;
3364
3365         return current_has_perm(p, PROCESS__SETSCHED);
3366 }
3367
3368 static int selinux_task_getscheduler(struct task_struct *p)
3369 {
3370         return current_has_perm(p, PROCESS__GETSCHED);
3371 }
3372
3373 static int selinux_task_movememory(struct task_struct *p)
3374 {
3375         return current_has_perm(p, PROCESS__SETSCHED);
3376 }
3377
3378 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3379                                 int sig, u32 secid)
3380 {
3381         u32 perm;
3382         int rc;
3383
3384         if (!sig)
3385                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3386         else
3387                 perm = signal_to_av(sig);
3388         if (secid)
3389                 rc = avc_has_perm(secid, task_sid(p),
3390                                   SECCLASS_PROCESS, perm, NULL);
3391         else
3392                 rc = current_has_perm(p, perm);
3393         return rc;
3394 }
3395
3396 static int selinux_task_wait(struct task_struct *p)
3397 {
3398         return task_has_perm(p, current, PROCESS__SIGCHLD);
3399 }
3400
3401 static void selinux_task_to_inode(struct task_struct *p,
3402                                   struct inode *inode)
3403 {
3404         struct inode_security_struct *isec = inode->i_security;
3405         u32 sid = task_sid(p);
3406
3407         isec->sid = sid;
3408         isec->initialized = 1;
3409 }
3410
3411 /* Returns error only if unable to parse addresses */
3412 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3413                         struct common_audit_data *ad, u8 *proto)
3414 {
3415         int offset, ihlen, ret = -EINVAL;
3416         struct iphdr _iph, *ih;
3417
3418         offset = skb_network_offset(skb);
3419         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3420         if (ih == NULL)
3421                 goto out;
3422
3423         ihlen = ih->ihl * 4;
3424         if (ihlen < sizeof(_iph))
3425                 goto out;
3426
3427         ad->u.net.v4info.saddr = ih->saddr;
3428         ad->u.net.v4info.daddr = ih->daddr;
3429         ret = 0;
3430
3431         if (proto)
3432                 *proto = ih->protocol;
3433
3434         switch (ih->protocol) {
3435         case IPPROTO_TCP: {
3436                 struct tcphdr _tcph, *th;
3437
3438                 if (ntohs(ih->frag_off) & IP_OFFSET)
3439                         break;
3440
3441                 offset += ihlen;
3442                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3443                 if (th == NULL)
3444                         break;
3445
3446                 ad->u.net.sport = th->source;
3447                 ad->u.net.dport = th->dest;
3448                 break;
3449         }
3450
3451         case IPPROTO_UDP: {
3452                 struct udphdr _udph, *uh;
3453
3454                 if (ntohs(ih->frag_off) & IP_OFFSET)
3455                         break;
3456
3457                 offset += ihlen;
3458                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3459                 if (uh == NULL)
3460                         break;
3461
3462                 ad->u.net.sport = uh->source;
3463                 ad->u.net.dport = uh->dest;
3464                 break;
3465         }
3466
3467         case IPPROTO_DCCP: {
3468                 struct dccp_hdr _dccph, *dh;
3469
3470                 if (ntohs(ih->frag_off) & IP_OFFSET)
3471                         break;
3472
3473                 offset += ihlen;
3474                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3475                 if (dh == NULL)
3476                         break;
3477
3478                 ad->u.net.sport = dh->dccph_sport;
3479                 ad->u.net.dport = dh->dccph_dport;
3480                 break;
3481         }
3482
3483         default:
3484                 break;
3485         }
3486 out:
3487         return ret;
3488 }
3489
3490 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3491
3492 /* Returns error only if unable to parse addresses */
3493 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3494                         struct common_audit_data *ad, u8 *proto)
3495 {
3496         u8 nexthdr;
3497         int ret = -EINVAL, offset;
3498         struct ipv6hdr _ipv6h, *ip6;
3499
3500         offset = skb_network_offset(skb);
3501         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3502         if (ip6 == NULL)
3503                 goto out;
3504
3505         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3506         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3507         ret = 0;
3508
3509         nexthdr = ip6->nexthdr;
3510         offset += sizeof(_ipv6h);
3511         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3512         if (offset < 0)
3513                 goto out;
3514
3515         if (proto)
3516                 *proto = nexthdr;
3517
3518         switch (nexthdr) {
3519         case IPPROTO_TCP: {
3520                 struct tcphdr _tcph, *th;
3521
3522                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3523                 if (th == NULL)
3524                         break;
3525
3526                 ad->u.net.sport = th->source;
3527                 ad->u.net.dport = th->dest;
3528                 break;
3529         }
3530
3531         case IPPROTO_UDP: {
3532                 struct udphdr _udph, *uh;
3533
3534                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3535                 if (uh == NULL)
3536                         break;
3537
3538                 ad->u.net.sport = uh->source;
3539                 ad->u.net.dport = uh->dest;
3540                 break;
3541         }
3542
3543         case IPPROTO_DCCP: {
3544                 struct dccp_hdr _dccph, *dh;
3545
3546                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3547                 if (dh == NULL)
3548                         break;
3549
3550                 ad->u.net.sport = dh->dccph_sport;
3551                 ad->u.net.dport = dh->dccph_dport;
3552                 break;
3553         }
3554
3555         /* includes fragments */
3556         default:
3557                 break;
3558         }
3559 out:
3560         return ret;
3561 }
3562
3563 #endif /* IPV6 */
3564
3565 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3566                              char **_addrp, int src, u8 *proto)
3567 {
3568         char *addrp;
3569         int ret;
3570
3571         switch (ad->u.net.family) {
3572         case PF_INET:
3573                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3574                 if (ret)
3575                         goto parse_error;
3576                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3577                                        &ad->u.net.v4info.daddr);
3578                 goto okay;
3579
3580 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3581         case PF_INET6:
3582                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3583                 if (ret)
3584                         goto parse_error;
3585                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3586                                        &ad->u.net.v6info.daddr);
3587                 goto okay;
3588 #endif  /* IPV6 */
3589         default:
3590                 addrp = NULL;
3591                 goto okay;
3592         }
3593
3594 parse_error:
3595         printk(KERN_WARNING
3596                "SELinux: failure in selinux_parse_skb(),"
3597                " unable to parse packet\n");
3598         return ret;
3599
3600 okay:
3601         if (_addrp)
3602                 *_addrp = addrp;
3603         return 0;
3604 }
3605
3606 /**
3607  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3608  * @skb: the packet
3609  * @family: protocol family
3610  * @sid: the packet's peer label SID
3611  *
3612  * Description:
3613  * Check the various different forms of network peer labeling and determine
3614  * the peer label/SID for the packet; most of the magic actually occurs in
3615  * the security server function security_net_peersid_cmp().  The function
3616  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3617  * or -EACCES if @sid is invalid due to inconsistencies with the different
3618  * peer labels.
3619  *
3620  */
3621 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3622 {
3623         int err;
3624         u32 xfrm_sid;
3625         u32 nlbl_sid;
3626         u32 nlbl_type;
3627
3628         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3629         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3630
3631         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3632         if (unlikely(err)) {
3633                 printk(KERN_WARNING
3634                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3635                        " unable to determine packet's peer label\n");
3636                 return -EACCES;
3637         }
3638
3639         return 0;
3640 }
3641
3642 /* socket security operations */
3643
3644 static u32 socket_sockcreate_sid(const struct task_security_struct *tsec)
3645 {
3646         return tsec->sockcreate_sid ? : tsec->sid;
3647 }
3648
3649 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3650 {
3651         struct sk_security_struct *sksec = sk->sk_security;
3652         struct common_audit_data ad;
3653         u32 tsid = task_sid(task);
3654
3655         if (sksec->sid == SECINITSID_KERNEL)
3656                 return 0;
3657
3658         COMMON_AUDIT_DATA_INIT(&ad, NET);
3659         ad.u.net.sk = sk;
3660
3661         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3662 }
3663
3664 static int selinux_socket_create(int family, int type,
3665                                  int protocol, int kern)
3666 {
3667         const struct task_security_struct *tsec = current_security();
3668         u32 newsid;
3669         u16 secclass;
3670
3671         if (kern)
3672                 return 0;
3673
3674         newsid = socket_sockcreate_sid(tsec);
3675         secclass = socket_type_to_security_class(family, type, protocol);
3676         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3677 }
3678
3679 static int selinux_socket_post_create(struct socket *sock, int family,
3680                                       int type, int protocol, int kern)
3681 {
3682         const struct task_security_struct *tsec = current_security();
3683         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3684         struct sk_security_struct *sksec;
3685         int err = 0;
3686
3687         if (kern)
3688                 isec->sid = SECINITSID_KERNEL;
3689         else
3690                 isec->sid = socket_sockcreate_sid(tsec);
3691
3692         isec->sclass = socket_type_to_security_class(family, type, protocol);
3693         isec->initialized = 1;
3694
3695         if (sock->sk) {
3696                 sksec = sock->sk->sk_security;
3697                 sksec->sid = isec->sid;
3698                 sksec->sclass = isec->sclass;
3699                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3700         }
3701
3702         return err;
3703 }
3704
3705 /* Range of port numbers used to automatically bind.
3706    Need to determine whether we should perform a name_bind
3707    permission check between the socket and the port number. */
3708
3709 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3710 {
3711         struct sock *sk = sock->sk;
3712         u16 family;
3713         int err;
3714
3715         err = sock_has_perm(current, sk, SOCKET__BIND);
3716         if (err)
3717                 goto out;
3718
3719         /*
3720          * If PF_INET or PF_INET6, check name_bind permission for the port.
3721          * Multiple address binding for SCTP is not supported yet: we just
3722          * check the first address now.
3723          */
3724         family = sk->sk_family;
3725         if (family == PF_INET || family == PF_INET6) {
3726                 char *addrp;
3727                 struct sk_security_struct *sksec = sk->sk_security;
3728                 struct common_audit_data ad;
3729                 struct sockaddr_in *addr4 = NULL;
3730                 struct sockaddr_in6 *addr6 = NULL;
3731                 unsigned short snum;
3732                 u32 sid, node_perm;
3733
3734                 if (family == PF_INET) {
3735                         addr4 = (struct sockaddr_in *)address;
3736                         snum = ntohs(addr4->sin_port);
3737                         addrp = (char *)&addr4->sin_addr.s_addr;
3738                 } else {
3739                         addr6 = (struct sockaddr_in6 *)address;
3740                         snum = ntohs(addr6->sin6_port);
3741                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3742                 }
3743
3744                 if (snum) {
3745                         int low, high;
3746
3747                         inet_get_local_port_range(&low, &high);
3748
3749                         if (snum < max(PROT_SOCK, low) || snum > high) {
3750                                 err = sel_netport_sid(sk->sk_protocol,
3751                                                       snum, &sid);
3752                                 if (err)
3753                                         goto out;
3754                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3755                                 ad.u.net.sport = htons(snum);
3756                                 ad.u.net.family = family;
3757                                 err = avc_has_perm(sksec->sid, sid,
3758                                                    sksec->sclass,
3759                                                    SOCKET__NAME_BIND, &ad);
3760                                 if (err)
3761                                         goto out;
3762                         }
3763                 }
3764
3765                 switch (sksec->sclass) {
3766                 case SECCLASS_TCP_SOCKET:
3767                         node_perm = TCP_SOCKET__NODE_BIND;
3768                         break;
3769
3770                 case SECCLASS_UDP_SOCKET:
3771                         node_perm = UDP_SOCKET__NODE_BIND;
3772                         break;
3773
3774                 case SECCLASS_DCCP_SOCKET:
3775                         node_perm = DCCP_SOCKET__NODE_BIND;
3776                         break;
3777
3778                 default:
3779                         node_perm = RAWIP_SOCKET__NODE_BIND;
3780                         break;
3781                 }
3782
3783                 err = sel_netnode_sid(addrp, family, &sid);
3784                 if (err)
3785                         goto out;
3786
3787                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3788                 ad.u.net.sport = htons(snum);
3789                 ad.u.net.family = family;
3790
3791                 if (family == PF_INET)
3792                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3793                 else
3794                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3795
3796                 err = avc_has_perm(sksec->sid, sid,
3797                                    sksec->sclass, node_perm, &ad);
3798                 if (err)
3799                         goto out;
3800         }
3801 out:
3802         return err;
3803 }
3804
3805 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3806 {
3807         struct sock *sk = sock->sk;
3808         struct sk_security_struct *sksec = sk->sk_security;
3809         int err;
3810
3811         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3812         if (err)
3813                 return err;
3814
3815         /*
3816          * If a TCP or DCCP socket, check name_connect permission for the port.
3817          */
3818         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3819             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3820                 struct common_audit_data ad;
3821                 struct sockaddr_in *addr4 = NULL;
3822                 struct sockaddr_in6 *addr6 = NULL;
3823                 unsigned short snum;
3824                 u32 sid, perm;
3825
3826                 if (sk->sk_family == PF_INET) {
3827                         addr4 = (struct sockaddr_in *)address;
3828                         if (addrlen < sizeof(struct sockaddr_in))
3829                                 return -EINVAL;
3830                         snum = ntohs(addr4->sin_port);
3831                 } else {
3832                         addr6 = (struct sockaddr_in6 *)address;
3833                         if (addrlen < SIN6_LEN_RFC2133)
3834                                 return -EINVAL;
3835                         snum = ntohs(addr6->sin6_port);
3836                 }
3837
3838                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3839                 if (err)
3840                         goto out;
3841
3842                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3843                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3844
3845                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3846                 ad.u.net.dport = htons(snum);
3847                 ad.u.net.family = sk->sk_family;
3848                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3849                 if (err)
3850                         goto out;
3851         }
3852
3853         err = selinux_netlbl_socket_connect(sk, address);
3854
3855 out:
3856         return err;
3857 }
3858
3859 static int selinux_socket_listen(struct socket *sock, int backlog)
3860 {
3861         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3862 }
3863
3864 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3865 {
3866         int err;
3867         struct inode_security_struct *isec;
3868         struct inode_security_struct *newisec;
3869
3870         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3871         if (err)
3872                 return err;
3873
3874         newisec = SOCK_INODE(newsock)->i_security;
3875
3876         isec = SOCK_INODE(sock)->i_security;
3877         newisec->sclass = isec->sclass;
3878         newisec->sid = isec->sid;
3879         newisec->initialized = 1;
3880
3881         return 0;
3882 }
3883
3884 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3885                                   int size)
3886 {
3887         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3888 }
3889
3890 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3891                                   int size, int flags)
3892 {
3893         return sock_has_perm(current, sock->sk, SOCKET__READ);
3894 }
3895
3896 static int selinux_socket_getsockname(struct socket *sock)
3897 {
3898         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3899 }
3900
3901 static int selinux_socket_getpeername(struct socket *sock)
3902 {
3903         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3904 }
3905
3906 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3907 {
3908         int err;
3909
3910         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3911         if (err)
3912                 return err;
3913
3914         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3915 }
3916
3917 static int selinux_socket_getsockopt(struct socket *sock, int level,
3918                                      int optname)
3919 {
3920         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3921 }
3922
3923 static int selinux_socket_shutdown(struct socket *sock, int how)
3924 {
3925         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
3926 }
3927
3928 static int selinux_socket_unix_stream_connect(struct sock *sock,
3929                                               struct sock *other,
3930                                               struct sock *newsk)
3931 {
3932         struct sk_security_struct *sksec_sock = sock->sk_security;
3933         struct sk_security_struct *sksec_other = other->sk_security;
3934         struct sk_security_struct *sksec_new = newsk->sk_security;
3935         struct common_audit_data ad;
3936         int err;
3937
3938         COMMON_AUDIT_DATA_INIT(&ad, NET);
3939         ad.u.net.sk = other;
3940
3941         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
3942                            sksec_other->sclass,
3943                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3944         if (err)
3945                 return err;
3946
3947         /* server child socket */
3948         sksec_new->peer_sid = sksec_sock->sid;
3949         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
3950                                     &sksec_new->sid);
3951         if (err)
3952                 return err;
3953
3954         /* connecting socket */
3955         sksec_sock->peer_sid = sksec_new->sid;
3956
3957         return 0;
3958 }
3959
3960 static int selinux_socket_unix_may_send(struct socket *sock,
3961                                         struct socket *other)
3962 {
3963         struct sk_security_struct *ssec = sock->sk->sk_security;
3964         struct sk_security_struct *osec = other->sk->sk_security;
3965         struct common_audit_data ad;
3966
3967         COMMON_AUDIT_DATA_INIT(&ad, NET);
3968         ad.u.net.sk = other->sk;
3969
3970         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
3971                             &ad);
3972 }
3973
3974 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3975                                     u32 peer_sid,
3976                                     struct common_audit_data *ad)
3977 {
3978         int err;
3979         u32 if_sid;
3980         u32 node_sid;
3981
3982         err = sel_netif_sid(ifindex, &if_sid);
3983         if (err)
3984                 return err;
3985         err = avc_has_perm(peer_sid, if_sid,
3986                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3987         if (err)
3988                 return err;
3989
3990         err = sel_netnode_sid(addrp, family, &node_sid);
3991         if (err)
3992                 return err;
3993         return avc_has_perm(peer_sid, node_sid,
3994                             SECCLASS_NODE, NODE__RECVFROM, ad);
3995 }
3996
3997 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3998                                        u16 family)
3999 {
4000         int err = 0;
4001         struct sk_security_struct *sksec = sk->sk_security;
4002         u32 peer_sid;
4003         u32 sk_sid = sksec->sid;
4004         struct common_audit_data ad;
4005         char *addrp;
4006
4007         COMMON_AUDIT_DATA_INIT(&ad, NET);
4008         ad.u.net.netif = skb->skb_iif;
4009         ad.u.net.family = family;
4010         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4011         if (err)
4012                 return err;
4013
4014         if (selinux_secmark_enabled()) {
4015                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4016                                    PACKET__RECV, &ad);
4017                 if (err)
4018                         return err;
4019         }
4020
4021         if (selinux_policycap_netpeer) {
4022                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4023                 if (err)
4024                         return err;
4025                 err = avc_has_perm(sk_sid, peer_sid,
4026                                    SECCLASS_PEER, PEER__RECV, &ad);
4027                 if (err)
4028                         selinux_netlbl_err(skb, err, 0);
4029         } else {
4030                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4031                 if (err)
4032                         return err;
4033                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4034         }
4035
4036         return err;
4037 }
4038
4039 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4040 {
4041         int err;
4042         struct sk_security_struct *sksec = sk->sk_security;
4043         u16 family = sk->sk_family;
4044         u32 sk_sid = sksec->sid;
4045         struct common_audit_data ad;
4046         char *addrp;
4047         u8 secmark_active;
4048         u8 peerlbl_active;
4049
4050         if (family != PF_INET && family != PF_INET6)
4051                 return 0;
4052
4053         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4054         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4055                 family = PF_INET;
4056
4057         /* If any sort of compatibility mode is enabled then handoff processing
4058          * to the selinux_sock_rcv_skb_compat() function to deal with the
4059          * special handling.  We do this in an attempt to keep this function
4060          * as fast and as clean as possible. */
4061         if (!selinux_policycap_netpeer)
4062                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4063
4064         secmark_active = selinux_secmark_enabled();
4065         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4066         if (!secmark_active && !peerlbl_active)
4067                 return 0;
4068
4069         COMMON_AUDIT_DATA_INIT(&ad, NET);
4070         ad.u.net.netif = skb->skb_iif;
4071         ad.u.net.family = family;
4072         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4073         if (err)
4074                 return err;
4075
4076         if (peerlbl_active) {
4077                 u32 peer_sid;
4078
4079                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4080                 if (err)
4081                         return err;
4082                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4083                                                peer_sid, &ad);
4084                 if (err) {
4085                         selinux_netlbl_err(skb, err, 0);
4086                         return err;
4087                 }
4088                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4089                                    PEER__RECV, &ad);
4090                 if (err)
4091                         selinux_netlbl_err(skb, err, 0);
4092         }
4093
4094         if (secmark_active) {
4095                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4096                                    PACKET__RECV, &ad);
4097                 if (err)
4098                         return err;
4099         }
4100
4101         return err;
4102 }
4103
4104 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4105                                             int __user *optlen, unsigned len)
4106 {
4107         int err = 0;
4108         char *scontext;
4109         u32 scontext_len;
4110         struct sk_security_struct *sksec = sock->sk->sk_security;
4111         u32 peer_sid = SECSID_NULL;
4112
4113         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4114             sksec->sclass == SECCLASS_TCP_SOCKET)
4115                 peer_sid = sksec->peer_sid;
4116         if (peer_sid == SECSID_NULL)
4117                 return -ENOPROTOOPT;
4118
4119         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4120         if (err)
4121                 return err;
4122
4123         if (scontext_len > len) {
4124                 err = -ERANGE;
4125                 goto out_len;
4126         }
4127
4128         if (copy_to_user(optval, scontext, scontext_len))
4129                 err = -EFAULT;
4130
4131 out_len:
4132         if (put_user(scontext_len, optlen))
4133                 err = -EFAULT;
4134         kfree(scontext);
4135         return err;
4136 }
4137
4138 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4139 {
4140         u32 peer_secid = SECSID_NULL;
4141         u16 family;
4142
4143         if (skb && skb->protocol == htons(ETH_P_IP))
4144                 family = PF_INET;
4145         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4146                 family = PF_INET6;
4147         else if (sock)
4148                 family = sock->sk->sk_family;
4149         else
4150                 goto out;
4151
4152         if (sock && family == PF_UNIX)
4153                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4154         else if (skb)
4155                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4156
4157 out:
4158         *secid = peer_secid;
4159         if (peer_secid == SECSID_NULL)
4160                 return -EINVAL;
4161         return 0;
4162 }
4163
4164 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4165 {
4166         struct sk_security_struct *sksec;
4167
4168         sksec = kzalloc(sizeof(*sksec), priority);
4169         if (!sksec)
4170                 return -ENOMEM;
4171
4172         sksec->peer_sid = SECINITSID_UNLABELED;
4173         sksec->sid = SECINITSID_UNLABELED;
4174         selinux_netlbl_sk_security_reset(sksec);
4175         sk->sk_security = sksec;
4176
4177         return 0;
4178 }
4179
4180 static void selinux_sk_free_security(struct sock *sk)
4181 {
4182         struct sk_security_struct *sksec = sk->sk_security;
4183
4184         sk->sk_security = NULL;
4185         selinux_netlbl_sk_security_free(sksec);
4186         kfree(sksec);
4187 }
4188
4189 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4190 {
4191         struct sk_security_struct *sksec = sk->sk_security;
4192         struct sk_security_struct *newsksec = newsk->sk_security;
4193
4194         newsksec->sid = sksec->sid;
4195         newsksec->peer_sid = sksec->peer_sid;
4196         newsksec->sclass = sksec->sclass;
4197
4198         selinux_netlbl_sk_security_reset(newsksec);
4199 }
4200
4201 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4202 {
4203         if (!sk)
4204                 *secid = SECINITSID_ANY_SOCKET;
4205         else {
4206                 struct sk_security_struct *sksec = sk->sk_security;
4207
4208                 *secid = sksec->sid;
4209         }
4210 }
4211
4212 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4213 {
4214         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4215         struct sk_security_struct *sksec = sk->sk_security;
4216
4217         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4218             sk->sk_family == PF_UNIX)
4219                 isec->sid = sksec->sid;
4220         sksec->sclass = isec->sclass;
4221 }
4222
4223 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4224                                      struct request_sock *req)
4225 {
4226         struct sk_security_struct *sksec = sk->sk_security;
4227         int err;
4228         u16 family = sk->sk_family;
4229         u32 newsid;
4230         u32 peersid;
4231
4232         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4233         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4234                 family = PF_INET;
4235
4236         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4237         if (err)
4238                 return err;
4239         if (peersid == SECSID_NULL) {
4240                 req->secid = sksec->sid;
4241                 req->peer_secid = SECSID_NULL;
4242         } else {
4243                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4244                 if (err)
4245                         return err;
4246                 req->secid = newsid;
4247                 req->peer_secid = peersid;
4248         }
4249
4250         return selinux_netlbl_inet_conn_request(req, family);
4251 }
4252
4253 static void selinux_inet_csk_clone(struct sock *newsk,
4254                                    const struct request_sock *req)
4255 {
4256         struct sk_security_struct *newsksec = newsk->sk_security;
4257
4258         newsksec->sid = req->secid;
4259         newsksec->peer_sid = req->peer_secid;
4260         /* NOTE: Ideally, we should also get the isec->sid for the
4261            new socket in sync, but we don't have the isec available yet.
4262            So we will wait until sock_graft to do it, by which
4263            time it will have been created and available. */
4264
4265         /* We don't need to take any sort of lock here as we are the only
4266          * thread with access to newsksec */
4267         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4268 }
4269
4270 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4271 {
4272         u16 family = sk->sk_family;
4273         struct sk_security_struct *sksec = sk->sk_security;
4274
4275         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4276         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4277                 family = PF_INET;
4278
4279         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4280 }
4281
4282 static int selinux_secmark_relabel_packet(u32 sid)
4283 {
4284         const struct task_security_struct *__tsec;
4285         u32 tsid;
4286
4287         __tsec = current_security();
4288         tsid = __tsec->sid;
4289
4290         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4291 }
4292
4293 static void selinux_secmark_refcount_inc(void)
4294 {
4295         atomic_inc(&selinux_secmark_refcount);
4296 }
4297
4298 static void selinux_secmark_refcount_dec(void)
4299 {
4300         atomic_dec(&selinux_secmark_refcount);
4301 }
4302
4303 static void selinux_req_classify_flow(const struct request_sock *req,
4304                                       struct flowi *fl)
4305 {
4306         fl->secid = req->secid;
4307 }
4308
4309 static int selinux_tun_dev_create(void)
4310 {
4311         u32 sid = current_sid();
4312
4313         /* we aren't taking into account the "sockcreate" SID since the socket
4314          * that is being created here is not a socket in the traditional sense,
4315          * instead it is a private sock, accessible only to the kernel, and
4316          * representing a wide range of network traffic spanning multiple
4317          * connections unlike traditional sockets - check the TUN driver to
4318          * get a better understanding of why this socket is special */
4319
4320         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4321                             NULL);
4322 }
4323
4324 static void selinux_tun_dev_post_create(struct sock *sk)
4325 {
4326         struct sk_security_struct *sksec = sk->sk_security;
4327
4328         /* we don't currently perform any NetLabel based labeling here and it
4329          * isn't clear that we would want to do so anyway; while we could apply
4330          * labeling without the support of the TUN user the resulting labeled
4331          * traffic from the other end of the connection would almost certainly
4332          * cause confusion to the TUN user that had no idea network labeling
4333          * protocols were being used */
4334
4335         /* see the comments in selinux_tun_dev_create() about why we don't use
4336          * the sockcreate SID here */
4337
4338         sksec->sid = current_sid();
4339         sksec->sclass = SECCLASS_TUN_SOCKET;
4340 }
4341
4342 static int selinux_tun_dev_attach(struct sock *sk)
4343 {
4344         struct sk_security_struct *sksec = sk->sk_security;
4345         u32 sid = current_sid();
4346         int err;
4347
4348         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4349                            TUN_SOCKET__RELABELFROM, NULL);
4350         if (err)
4351                 return err;
4352         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4353                            TUN_SOCKET__RELABELTO, NULL);
4354         if (err)
4355                 return err;
4356
4357         sksec->sid = sid;
4358
4359         return 0;
4360 }
4361
4362 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4363 {
4364         int err = 0;
4365         u32 perm;
4366         struct nlmsghdr *nlh;
4367         struct sk_security_struct *sksec = sk->sk_security;
4368
4369         if (skb->len < NLMSG_SPACE(0)) {
4370                 err = -EINVAL;
4371                 goto out;
4372         }
4373         nlh = nlmsg_hdr(skb);
4374
4375         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4376         if (err) {
4377                 if (err == -EINVAL) {
4378                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4379                                   "SELinux:  unrecognized netlink message"
4380                                   " type=%hu for sclass=%hu\n",
4381                                   nlh->nlmsg_type, sksec->sclass);
4382                         if (!selinux_enforcing || security_get_allow_unknown())
4383                                 err = 0;
4384                 }
4385
4386                 /* Ignore */
4387                 if (err == -ENOENT)
4388                         err = 0;
4389                 goto out;
4390         }
4391
4392         err = sock_has_perm(current, sk, perm);
4393 out:
4394         return err;
4395 }
4396
4397 #ifdef CONFIG_NETFILTER
4398
4399 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4400                                        u16 family)
4401 {
4402         int err;
4403         char *addrp;
4404         u32 peer_sid;
4405         struct common_audit_data ad;
4406         u8 secmark_active;
4407         u8 netlbl_active;
4408         u8 peerlbl_active;
4409
4410         if (!selinux_policycap_netpeer)
4411                 return NF_ACCEPT;
4412
4413         secmark_active = selinux_secmark_enabled();
4414         netlbl_active = netlbl_enabled();
4415         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4416         if (!secmark_active && !peerlbl_active)
4417                 return NF_ACCEPT;
4418
4419         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4420                 return NF_DROP;
4421
4422         COMMON_AUDIT_DATA_INIT(&ad, NET);
4423         ad.u.net.netif = ifindex;
4424         ad.u.net.family = family;
4425         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4426                 return NF_DROP;
4427
4428         if (peerlbl_active) {
4429                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4430                                                peer_sid, &ad);
4431                 if (err) {
4432                         selinux_netlbl_err(skb, err, 1);
4433                         return NF_DROP;
4434                 }
4435         }
4436
4437         if (secmark_active)
4438                 if (avc_has_perm(peer_sid, skb->secmark,
4439                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4440                         return NF_DROP;
4441
4442         if (netlbl_active)
4443                 /* we do this in the FORWARD path and not the POST_ROUTING
4444                  * path because we want to make sure we apply the necessary
4445                  * labeling before IPsec is applied so we can leverage AH
4446                  * protection */
4447                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4448                         return NF_DROP;
4449
4450         return NF_ACCEPT;
4451 }
4452
4453 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4454                                          struct sk_buff *skb,
4455                                          const struct net_device *in,
4456                                          const struct net_device *out,
4457                                          int (*okfn)(struct sk_buff *))
4458 {
4459         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4460 }
4461
4462 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4463 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4464                                          struct sk_buff *skb,
4465                                          const struct net_device *in,
4466                                          const struct net_device *out,
4467                                          int (*okfn)(struct sk_buff *))
4468 {
4469         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4470 }
4471 #endif  /* IPV6 */
4472
4473 static unsigned int selinux_ip_output(struct sk_buff *skb,
4474                                       u16 family)
4475 {
4476         u32 sid;
4477
4478         if (!netlbl_enabled())
4479                 return NF_ACCEPT;
4480
4481         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4482          * because we want to make sure we apply the necessary labeling
4483          * before IPsec is applied so we can leverage AH protection */
4484         if (skb->sk) {
4485                 struct sk_security_struct *sksec = skb->sk->sk_security;
4486                 sid = sksec->sid;
4487         } else
4488                 sid = SECINITSID_KERNEL;
4489         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4490                 return NF_DROP;
4491
4492         return NF_ACCEPT;
4493 }
4494
4495 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4496                                         struct sk_buff *skb,
4497                                         const struct net_device *in,
4498                                         const struct net_device *out,
4499                                         int (*okfn)(struct sk_buff *))
4500 {
4501         return selinux_ip_output(skb, PF_INET);
4502 }
4503
4504 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4505                                                 int ifindex,
4506                                                 u16 family)
4507 {
4508         struct sock *sk = skb->sk;
4509         struct sk_security_struct *sksec;
4510         struct common_audit_data ad;
4511         char *addrp;
4512         u8 proto;
4513
4514         if (sk == NULL)
4515                 return NF_ACCEPT;
4516         sksec = sk->sk_security;
4517
4518         COMMON_AUDIT_DATA_INIT(&ad, NET);
4519         ad.u.net.netif = ifindex;
4520         ad.u.net.family = family;
4521         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4522                 return NF_DROP;
4523
4524         if (selinux_secmark_enabled())
4525                 if (avc_has_perm(sksec->sid, skb->secmark,
4526                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4527                         return NF_DROP_ERR(-ECONNREFUSED);
4528
4529         if (selinux_policycap_netpeer)
4530                 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4531                         return NF_DROP_ERR(-ECONNREFUSED);
4532
4533         return NF_ACCEPT;
4534 }
4535
4536 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4537                                          u16 family)
4538 {
4539         u32 secmark_perm;
4540         u32 peer_sid;
4541         struct sock *sk;
4542         struct common_audit_data ad;
4543         char *addrp;
4544         u8 secmark_active;
4545         u8 peerlbl_active;
4546
4547         /* If any sort of compatibility mode is enabled then handoff processing
4548          * to the selinux_ip_postroute_compat() function to deal with the
4549          * special handling.  We do this in an attempt to keep this function
4550          * as fast and as clean as possible. */
4551         if (!selinux_policycap_netpeer)
4552                 return selinux_ip_postroute_compat(skb, ifindex, family);
4553 #ifdef CONFIG_XFRM
4554         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4555          * packet transformation so allow the packet to pass without any checks
4556          * since we'll have another chance to perform access control checks
4557          * when the packet is on it's final way out.
4558          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4559          *       is NULL, in this case go ahead and apply access control. */
4560         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4561                 return NF_ACCEPT;
4562 #endif
4563         secmark_active = selinux_secmark_enabled();
4564         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4565         if (!secmark_active && !peerlbl_active)
4566                 return NF_ACCEPT;
4567
4568         /* if the packet is being forwarded then get the peer label from the
4569          * packet itself; otherwise check to see if it is from a local
4570          * application or the kernel, if from an application get the peer label
4571          * from the sending socket, otherwise use the kernel's sid */
4572         sk = skb->sk;
4573         if (sk == NULL) {
4574                 switch (family) {
4575                 case PF_INET:
4576                         if (IPCB(skb)->flags & IPSKB_FORWARDED)
4577                                 secmark_perm = PACKET__FORWARD_OUT;
4578                         else
4579                                 secmark_perm = PACKET__SEND;
4580                         break;
4581                 case PF_INET6:
4582                         if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4583                                 secmark_perm = PACKET__FORWARD_OUT;
4584                         else
4585                                 secmark_perm = PACKET__SEND;
4586                         break;
4587                 default:
4588                         return NF_DROP_ERR(-ECONNREFUSED);
4589                 }
4590                 if (secmark_perm == PACKET__FORWARD_OUT) {
4591                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4592                                 return NF_DROP;
4593                 } else
4594                         peer_sid = SECINITSID_KERNEL;
4595         } else {
4596                 struct sk_security_struct *sksec = sk->sk_security;
4597                 peer_sid = sksec->sid;
4598                 secmark_perm = PACKET__SEND;
4599         }
4600
4601         COMMON_AUDIT_DATA_INIT(&ad, NET);
4602         ad.u.net.netif = ifindex;
4603         ad.u.net.family = family;
4604         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4605                 return NF_DROP;
4606
4607         if (secmark_active)
4608                 if (avc_has_perm(peer_sid, skb->secmark,
4609                                  SECCLASS_PACKET, secmark_perm, &ad))
4610                         return NF_DROP_ERR(-ECONNREFUSED);
4611
4612         if (peerlbl_active) {
4613                 u32 if_sid;
4614                 u32 node_sid;
4615
4616                 if (sel_netif_sid(ifindex, &if_sid))
4617                         return NF_DROP;
4618                 if (avc_has_perm(peer_sid, if_sid,
4619                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4620                         return NF_DROP_ERR(-ECONNREFUSED);
4621
4622                 if (sel_netnode_sid(addrp, family, &node_sid))
4623                         return NF_DROP;
4624                 if (avc_has_perm(peer_sid, node_sid,
4625                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4626                         return NF_DROP_ERR(-ECONNREFUSED);
4627         }
4628
4629         return NF_ACCEPT;
4630 }
4631
4632 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4633                                            struct sk_buff *skb,
4634                                            const struct net_device *in,
4635                                            const struct net_device *out,
4636                                            int (*okfn)(struct sk_buff *))
4637 {
4638         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4639 }
4640
4641 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4642 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4643                                            struct sk_buff *skb,
4644                                            const struct net_device *in,
4645                                            const struct net_device *out,
4646                                            int (*okfn)(struct sk_buff *))
4647 {
4648         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4649 }
4650 #endif  /* IPV6 */
4651
4652 #endif  /* CONFIG_NETFILTER */
4653
4654 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4655 {
4656         int err;
4657
4658         err = cap_netlink_send(sk, skb);
4659         if (err)
4660                 return err;
4661
4662         return selinux_nlmsg_perm(sk, skb);
4663 }
4664
4665 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4666 {
4667         int err;
4668         struct common_audit_data ad;
4669
4670         err = cap_netlink_recv(skb, capability);
4671         if (err)
4672                 return err;
4673
4674         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4675         ad.u.cap = capability;
4676
4677         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4678                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4679 }
4680
4681 static int ipc_alloc_security(struct task_struct *task,
4682                               struct kern_ipc_perm *perm,
4683                               u16 sclass)
4684 {
4685         struct ipc_security_struct *isec;
4686         u32 sid;
4687
4688         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4689         if (!isec)
4690                 return -ENOMEM;
4691
4692         sid = task_sid(task);
4693         isec->sclass = sclass;
4694         isec->sid = sid;
4695         perm->security = isec;
4696
4697         return 0;
4698 }
4699
4700 static void ipc_free_security(struct kern_ipc_perm *perm)
4701 {
4702         struct ipc_security_struct *isec = perm->security;
4703         perm->security = NULL;
4704         kfree(isec);
4705 }
4706
4707 static int msg_msg_alloc_security(struct msg_msg *msg)
4708 {
4709         struct msg_security_struct *msec;
4710
4711         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4712         if (!msec)
4713                 return -ENOMEM;
4714
4715         msec->sid = SECINITSID_UNLABELED;
4716         msg->security = msec;
4717
4718         return 0;
4719 }
4720
4721 static void msg_msg_free_security(struct msg_msg *msg)
4722 {
4723         struct msg_security_struct *msec = msg->security;
4724
4725         msg->security = NULL;
4726         kfree(msec);
4727 }
4728
4729 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4730                         u32 perms)
4731 {
4732         struct ipc_security_struct *isec;
4733         struct common_audit_data ad;
4734         u32 sid = current_sid();
4735
4736         isec = ipc_perms->security;
4737
4738         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4739         ad.u.ipc_id = ipc_perms->key;
4740
4741         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4742 }
4743
4744 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4745 {
4746         return msg_msg_alloc_security(msg);
4747 }
4748
4749 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4750 {
4751         msg_msg_free_security(msg);
4752 }
4753
4754 /* message queue security operations */
4755 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4756 {
4757         struct ipc_security_struct *isec;
4758         struct common_audit_data ad;
4759         u32 sid = current_sid();
4760         int rc;
4761
4762         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4763         if (rc)
4764                 return rc;
4765
4766         isec = msq->q_perm.security;
4767
4768         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4769         ad.u.ipc_id = msq->q_perm.key;
4770
4771         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4772                           MSGQ__CREATE, &ad);
4773         if (rc) {
4774                 ipc_free_security(&msq->q_perm);
4775                 return rc;
4776         }
4777         return 0;
4778 }
4779
4780 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4781 {
4782         ipc_free_security(&msq->q_perm);
4783 }
4784
4785 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4786 {
4787         struct ipc_security_struct *isec;
4788         struct common_audit_data ad;
4789         u32 sid = current_sid();
4790
4791         isec = msq->q_perm.security;
4792
4793         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4794         ad.u.ipc_id = msq->q_perm.key;
4795
4796         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4797                             MSGQ__ASSOCIATE, &ad);
4798 }
4799
4800 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4801 {
4802         int err;
4803         int perms;
4804
4805         switch (cmd) {
4806         case IPC_INFO:
4807         case MSG_INFO:
4808                 /* No specific object, just general system-wide information. */
4809                 return task_has_system(current, SYSTEM__IPC_INFO);
4810         case IPC_STAT:
4811         case MSG_STAT:
4812                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4813                 break;
4814         case IPC_SET:
4815                 perms = MSGQ__SETATTR;
4816                 break;
4817         case IPC_RMID:
4818                 perms = MSGQ__DESTROY;
4819                 break;
4820         default:
4821                 return 0;
4822         }
4823
4824         err = ipc_has_perm(&msq->q_perm, perms);
4825         return err;
4826 }
4827
4828 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4829 {
4830         struct ipc_security_struct *isec;
4831         struct msg_security_struct *msec;
4832         struct common_audit_data ad;
4833         u32 sid = current_sid();
4834         int rc;
4835
4836         isec = msq->q_perm.security;
4837         msec = msg->security;
4838
4839         /*
4840          * First time through, need to assign label to the message
4841          */
4842         if (msec->sid == SECINITSID_UNLABELED) {
4843                 /*
4844                  * Compute new sid based on current process and
4845                  * message queue this message will be stored in
4846                  */
4847                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4848                                              &msec->sid);
4849                 if (rc)
4850                         return rc;
4851         }
4852
4853         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4854         ad.u.ipc_id = msq->q_perm.key;
4855
4856         /* Can this process write to the queue? */
4857         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4858                           MSGQ__WRITE, &ad);
4859         if (!rc)
4860                 /* Can this process send the message */
4861                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4862                                   MSG__SEND, &ad);
4863         if (!rc)
4864                 /* Can the message be put in the queue? */
4865                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4866                                   MSGQ__ENQUEUE, &ad);
4867
4868         return rc;
4869 }
4870
4871 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4872                                     struct task_struct *target,
4873                                     long type, int mode)
4874 {
4875         struct ipc_security_struct *isec;
4876         struct msg_security_struct *msec;
4877         struct common_audit_data ad;
4878         u32 sid = task_sid(target);
4879         int rc;
4880
4881         isec = msq->q_perm.security;
4882         msec = msg->security;
4883
4884         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4885         ad.u.ipc_id = msq->q_perm.key;
4886
4887         rc = avc_has_perm(sid, isec->sid,
4888                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4889         if (!rc)
4890                 rc = avc_has_perm(sid, msec->sid,
4891                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4892         return rc;
4893 }
4894
4895 /* Shared Memory security operations */
4896 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4897 {
4898         struct ipc_security_struct *isec;
4899         struct common_audit_data ad;
4900         u32 sid = current_sid();
4901         int rc;
4902
4903         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4904         if (rc)
4905                 return rc;
4906
4907         isec = shp->shm_perm.security;
4908
4909         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4910         ad.u.ipc_id = shp->shm_perm.key;
4911
4912         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4913                           SHM__CREATE, &ad);
4914         if (rc) {
4915                 ipc_free_security(&shp->shm_perm);
4916                 return rc;
4917         }
4918         return 0;
4919 }
4920
4921 static void selinux_shm_free_security(struct shmid_kernel *shp)
4922 {
4923         ipc_free_security(&shp->shm_perm);
4924 }
4925
4926 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4927 {
4928         struct ipc_security_struct *isec;
4929         struct common_audit_data ad;
4930         u32 sid = current_sid();
4931
4932         isec = shp->shm_perm.security;
4933
4934         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4935         ad.u.ipc_id = shp->shm_perm.key;
4936
4937         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4938                             SHM__ASSOCIATE, &ad);
4939 }
4940
4941 /* Note, at this point, shp is locked down */
4942 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4943 {
4944         int perms;
4945         int err;
4946
4947         switch (cmd) {
4948         case IPC_INFO:
4949         case SHM_INFO:
4950                 /* No specific object, just general system-wide information. */
4951                 return task_has_system(current, SYSTEM__IPC_INFO);
4952         case IPC_STAT:
4953         case SHM_STAT:
4954                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4955                 break;
4956         case IPC_SET:
4957                 perms = SHM__SETATTR;
4958                 break;
4959         case SHM_LOCK:
4960         case SHM_UNLOCK:
4961                 perms = SHM__LOCK;
4962                 break;
4963         case IPC_RMID:
4964                 perms = SHM__DESTROY;
4965                 break;
4966         default:
4967                 return 0;
4968         }
4969
4970         err = ipc_has_perm(&shp->shm_perm, perms);
4971         return err;
4972 }
4973
4974 static int selinux_shm_shmat(struct shmid_kernel *shp,
4975                              char __user *shmaddr, int shmflg)
4976 {
4977         u32 perms;
4978
4979         if (shmflg & SHM_RDONLY)
4980                 perms = SHM__READ;
4981         else
4982                 perms = SHM__READ | SHM__WRITE;
4983
4984         return ipc_has_perm(&shp->shm_perm, perms);
4985 }
4986
4987 /* Semaphore security operations */
4988 static int selinux_sem_alloc_security(struct sem_array *sma)
4989 {
4990         struct ipc_security_struct *isec;
4991         struct common_audit_data ad;
4992         u32 sid = current_sid();
4993         int rc;
4994
4995         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4996         if (rc)
4997                 return rc;
4998
4999         isec = sma->sem_perm.security;
5000
5001         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5002         ad.u.ipc_id = sma->sem_perm.key;
5003
5004         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5005                           SEM__CREATE, &ad);
5006         if (rc) {
5007                 ipc_free_security(&sma->sem_perm);
5008                 return rc;
5009         }
5010         return 0;
5011 }
5012
5013 static void selinux_sem_free_security(struct sem_array *sma)
5014 {
5015         ipc_free_security(&sma->sem_perm);
5016 }
5017
5018 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5019 {
5020         struct ipc_security_struct *isec;
5021         struct common_audit_data ad;
5022         u32 sid = current_sid();
5023
5024         isec = sma->sem_perm.security;
5025
5026         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5027         ad.u.ipc_id = sma->sem_perm.key;
5028
5029         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5030                             SEM__ASSOCIATE, &ad);
5031 }
5032
5033 /* Note, at this point, sma is locked down */
5034 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5035 {
5036         int err;
5037         u32 perms;
5038
5039         switch (cmd) {
5040         case IPC_INFO:
5041         case SEM_INFO:
5042                 /* No specific object, just general system-wide information. */
5043                 return task_has_system(current, SYSTEM__IPC_INFO);
5044         case GETPID:
5045         case GETNCNT:
5046         case GETZCNT:
5047                 perms = SEM__GETATTR;
5048                 break;
5049         case GETVAL:
5050         case GETALL:
5051                 perms = SEM__READ;
5052                 break;
5053         case SETVAL:
5054         case SETALL:
5055                 perms = SEM__WRITE;
5056                 break;
5057         case IPC_RMID:
5058                 perms = SEM__DESTROY;
5059                 break;
5060         case IPC_SET:
5061                 perms = SEM__SETATTR;
5062                 break;
5063         case IPC_STAT:
5064         case SEM_STAT:
5065                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5066                 break;
5067         default:
5068                 return 0;
5069         }
5070
5071         err = ipc_has_perm(&sma->sem_perm, perms);
5072         return err;
5073 }
5074
5075 static int selinux_sem_semop(struct sem_array *sma,
5076                              struct sembuf *sops, unsigned nsops, int alter)
5077 {
5078         u32 perms;
5079
5080         if (alter)
5081                 perms = SEM__READ | SEM__WRITE;
5082         else
5083                 perms = SEM__READ;
5084
5085         return ipc_has_perm(&sma->sem_perm, perms);
5086 }
5087
5088 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5089 {
5090         u32 av = 0;
5091
5092         av = 0;
5093         if (flag & S_IRUGO)
5094                 av |= IPC__UNIX_READ;
5095         if (flag & S_IWUGO)
5096                 av |= IPC__UNIX_WRITE;
5097
5098         if (av == 0)
5099                 return 0;
5100
5101         return ipc_has_perm(ipcp, av);
5102 }
5103
5104 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5105 {
5106         struct ipc_security_struct *isec = ipcp->security;
5107         *secid = isec->sid;
5108 }
5109
5110 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5111 {
5112         if (inode)
5113                 inode_doinit_with_dentry(inode, dentry);
5114 }
5115
5116 static int selinux_getprocattr(struct task_struct *p,
5117                                char *name, char **value)
5118 {
5119         const struct task_security_struct *__tsec;
5120         u32 sid;
5121         int error;
5122         unsigned len;
5123
5124         if (current != p) {
5125                 error = current_has_perm(p, PROCESS__GETATTR);
5126                 if (error)
5127                         return error;
5128         }
5129
5130         rcu_read_lock();
5131         __tsec = __task_cred(p)->security;
5132
5133         if (!strcmp(name, "current"))
5134                 sid = __tsec->sid;
5135         else if (!strcmp(name, "prev"))
5136                 sid = __tsec->osid;
5137         else if (!strcmp(name, "exec"))
5138                 sid = __tsec->exec_sid;
5139         else if (!strcmp(name, "fscreate"))
5140                 sid = __tsec->create_sid;
5141         else if (!strcmp(name, "keycreate"))
5142                 sid = __tsec->keycreate_sid;
5143         else if (!strcmp(name, "sockcreate"))
5144                 sid = __tsec->sockcreate_sid;
5145         else
5146                 goto invalid;
5147         rcu_read_unlock();
5148
5149         if (!sid)
5150                 return 0;
5151
5152         error = security_sid_to_context(sid, value, &len);
5153         if (error)
5154                 return error;
5155         return len;
5156
5157 invalid:
5158         rcu_read_unlock();
5159         return -EINVAL;
5160 }
5161
5162 static int selinux_setprocattr(struct task_struct *p,
5163                                char *name, void *value, size_t size)
5164 {
5165         struct task_security_struct *tsec;
5166         struct task_struct *tracer;
5167         struct cred *new;
5168         u32 sid = 0, ptsid;
5169         int error;
5170         char *str = value;
5171
5172         if (current != p) {
5173                 /* SELinux only allows a process to change its own
5174                    security attributes. */
5175                 return -EACCES;
5176         }
5177
5178         /*
5179          * Basic control over ability to set these attributes at all.
5180          * current == p, but we'll pass them separately in case the
5181          * above restriction is ever removed.
5182          */
5183         if (!strcmp(name, "exec"))
5184                 error = current_has_perm(p, PROCESS__SETEXEC);
5185         else if (!strcmp(name, "fscreate"))
5186                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5187         else if (!strcmp(name, "keycreate"))
5188                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5189         else if (!strcmp(name, "sockcreate"))
5190                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5191         else if (!strcmp(name, "current"))
5192                 error = current_has_perm(p, PROCESS__SETCURRENT);
5193         else
5194                 error = -EINVAL;
5195         if (error)
5196                 return error;
5197
5198         /* Obtain a SID for the context, if one was specified. */
5199         if (size && str[1] && str[1] != '\n') {
5200                 if (str[size-1] == '\n') {
5201                         str[size-1] = 0;
5202                         size--;
5203                 }
5204                 error = security_context_to_sid(value, size, &sid);
5205                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5206                         if (!capable(CAP_MAC_ADMIN))
5207                                 return error;
5208                         error = security_context_to_sid_force(value, size,
5209                                                               &sid);
5210                 }
5211                 if (error)
5212                         return error;
5213         }
5214
5215         new = prepare_creds();
5216         if (!new)
5217                 return -ENOMEM;
5218
5219         /* Permission checking based on the specified context is
5220            performed during the actual operation (execve,
5221            open/mkdir/...), when we know the full context of the
5222            operation.  See selinux_bprm_set_creds for the execve
5223            checks and may_create for the file creation checks. The
5224            operation will then fail if the context is not permitted. */
5225         tsec = new->security;
5226         if (!strcmp(name, "exec")) {
5227                 tsec->exec_sid = sid;
5228         } else if (!strcmp(name, "fscreate")) {
5229                 tsec->create_sid = sid;
5230         } else if (!strcmp(name, "keycreate")) {
5231                 error = may_create_key(sid, p);
5232                 if (error)
5233                         goto abort_change;
5234                 tsec->keycreate_sid = sid;
5235         } else if (!strcmp(name, "sockcreate")) {
5236                 tsec->sockcreate_sid = sid;
5237         } else if (!strcmp(name, "current")) {
5238                 error = -EINVAL;
5239                 if (sid == 0)
5240                         goto abort_change;
5241
5242                 /* Only allow single threaded processes to change context */
5243                 error = -EPERM;
5244                 if (!current_is_single_threaded()) {
5245                         error = security_bounded_transition(tsec->sid, sid);
5246                         if (error)
5247                                 goto abort_change;
5248                 }
5249
5250                 /* Check permissions for the transition. */
5251                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5252                                      PROCESS__DYNTRANSITION, NULL);
5253                 if (error)
5254                         goto abort_change;
5255
5256                 /* Check for ptracing, and update the task SID if ok.
5257                    Otherwise, leave SID unchanged and fail. */
5258                 ptsid = 0;
5259                 task_lock(p);
5260                 tracer = tracehook_tracer_task(p);
5261                 if (tracer)
5262                         ptsid = task_sid(tracer);
5263                 task_unlock(p);
5264
5265                 if (tracer) {
5266                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5267                                              PROCESS__PTRACE, NULL);
5268                         if (error)
5269                                 goto abort_change;
5270                 }
5271
5272                 tsec->sid = sid;
5273         } else {
5274                 error = -EINVAL;
5275                 goto abort_change;
5276         }
5277
5278         commit_creds(new);
5279         return size;
5280
5281 abort_change:
5282         abort_creds(new);
5283         return error;
5284 }
5285
5286 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5287 {
5288         return security_sid_to_context(secid, secdata, seclen);
5289 }
5290
5291 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5292 {
5293         return security_context_to_sid(secdata, seclen, secid);
5294 }
5295
5296 static void selinux_release_secctx(char *secdata, u32 seclen)
5297 {
5298         kfree(secdata);
5299 }
5300
5301 /*
5302  *      called with inode->i_mutex locked
5303  */
5304 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5305 {
5306         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5307 }
5308
5309 /*
5310  *      called with inode->i_mutex locked
5311  */
5312 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5313 {
5314         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5315 }
5316
5317 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5318 {
5319         int len = 0;
5320         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5321                                                 ctx, true);
5322         if (len < 0)
5323                 return len;
5324         *ctxlen = len;
5325         return 0;
5326 }
5327 #ifdef CONFIG_KEYS
5328
5329 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5330                              unsigned long flags)
5331 {
5332         const struct task_security_struct *tsec;
5333         struct key_security_struct *ksec;
5334
5335         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5336         if (!ksec)
5337                 return -ENOMEM;
5338
5339         tsec = cred->security;
5340         if (tsec->keycreate_sid)
5341                 ksec->sid = tsec->keycreate_sid;
5342         else
5343                 ksec->sid = tsec->sid;
5344
5345         k->security = ksec;
5346         return 0;
5347 }
5348
5349 static void selinux_key_free(struct key *k)
5350 {
5351         struct key_security_struct *ksec = k->security;
5352
5353         k->security = NULL;
5354         kfree(ksec);
5355 }
5356
5357 static int selinux_key_permission(key_ref_t key_ref,
5358                                   const struct cred *cred,
5359                                   key_perm_t perm)
5360 {
5361         struct key *key;
5362         struct key_security_struct *ksec;
5363         u32 sid;
5364
5365         /* if no specific permissions are requested, we skip the
5366            permission check. No serious, additional covert channels
5367            appear to be created. */
5368         if (perm == 0)
5369                 return 0;
5370
5371         sid = cred_sid(cred);
5372
5373         key = key_ref_to_ptr(key_ref);
5374         ksec = key->security;
5375
5376         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5377 }
5378
5379 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5380 {
5381         struct key_security_struct *ksec = key->security;
5382         char *context = NULL;
5383         unsigned len;
5384         int rc;
5385
5386         rc = security_sid_to_context(ksec->sid, &context, &len);
5387         if (!rc)
5388                 rc = len;
5389         *_buffer = context;
5390         return rc;
5391 }
5392
5393 #endif
5394
5395 static struct security_operations selinux_ops = {
5396         .name =                         "selinux",
5397
5398         .ptrace_access_check =          selinux_ptrace_access_check,
5399         .ptrace_traceme =               selinux_ptrace_traceme,
5400         .capget =                       selinux_capget,
5401         .capset =                       selinux_capset,
5402         .sysctl =                       selinux_sysctl,
5403         .capable =                      selinux_capable,
5404         .quotactl =                     selinux_quotactl,
5405         .quota_on =                     selinux_quota_on,
5406         .syslog =                       selinux_syslog,
5407         .vm_enough_memory =             selinux_vm_enough_memory,
5408
5409         .netlink_send =                 selinux_netlink_send,
5410         .netlink_recv =                 selinux_netlink_recv,
5411
5412         .bprm_set_creds =               selinux_bprm_set_creds,
5413         .bprm_committing_creds =        selinux_bprm_committing_creds,
5414         .bprm_committed_creds =         selinux_bprm_committed_creds,
5415         .bprm_secureexec =              selinux_bprm_secureexec,
5416
5417         .sb_alloc_security =            selinux_sb_alloc_security,
5418         .sb_free_security =             selinux_sb_free_security,
5419         .sb_copy_data =                 selinux_sb_copy_data,
5420         .sb_kern_mount =                selinux_sb_kern_mount,
5421         .sb_show_options =              selinux_sb_show_options,
5422         .sb_statfs =                    selinux_sb_statfs,
5423         .sb_mount =                     selinux_mount,
5424         .sb_umount =                    selinux_umount,
5425         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5426         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5427         .sb_parse_opts_str =            selinux_parse_opts_str,
5428
5429
5430         .inode_alloc_security =         selinux_inode_alloc_security,
5431         .inode_free_security =          selinux_inode_free_security,
5432         .inode_init_security =          selinux_inode_init_security,
5433         .inode_create =                 selinux_inode_create,
5434         .inode_link =                   selinux_inode_link,
5435         .inode_unlink =                 selinux_inode_unlink,
5436         .inode_symlink =                selinux_inode_symlink,
5437         .inode_mkdir =                  selinux_inode_mkdir,
5438         .inode_rmdir =                  selinux_inode_rmdir,
5439         .inode_mknod =                  selinux_inode_mknod,
5440         .inode_rename =                 selinux_inode_rename,
5441         .inode_readlink =               selinux_inode_readlink,
5442         .inode_follow_link =            selinux_inode_follow_link,
5443         .inode_permission =             selinux_inode_permission,
5444         .inode_setattr =                selinux_inode_setattr,
5445         .inode_getattr =                selinux_inode_getattr,
5446         .inode_setxattr =               selinux_inode_setxattr,
5447         .inode_post_setxattr =          selinux_inode_post_setxattr,
5448         .inode_getxattr =               selinux_inode_getxattr,
5449         .inode_listxattr =              selinux_inode_listxattr,
5450         .inode_removexattr =            selinux_inode_removexattr,
5451         .inode_getsecurity =            selinux_inode_getsecurity,
5452         .inode_setsecurity =            selinux_inode_setsecurity,
5453         .inode_listsecurity =           selinux_inode_listsecurity,
5454         .inode_getsecid =               selinux_inode_getsecid,
5455
5456         .file_permission =              selinux_file_permission,
5457         .file_alloc_security =          selinux_file_alloc_security,
5458         .file_free_security =           selinux_file_free_security,
5459         .file_ioctl =                   selinux_file_ioctl,
5460         .file_mmap =                    selinux_file_mmap,
5461         .file_mprotect =                selinux_file_mprotect,
5462         .file_lock =                    selinux_file_lock,
5463         .file_fcntl =                   selinux_file_fcntl,
5464         .file_set_fowner =              selinux_file_set_fowner,
5465         .file_send_sigiotask =          selinux_file_send_sigiotask,
5466         .file_receive =                 selinux_file_receive,
5467
5468         .dentry_open =                  selinux_dentry_open,
5469
5470         .task_create =                  selinux_task_create,
5471         .cred_alloc_blank =             selinux_cred_alloc_blank,
5472         .cred_free =                    selinux_cred_free,
5473         .cred_prepare =                 selinux_cred_prepare,
5474         .cred_transfer =                selinux_cred_transfer,
5475         .kernel_act_as =                selinux_kernel_act_as,
5476         .kernel_create_files_as =       selinux_kernel_create_files_as,
5477         .kernel_module_request =        selinux_kernel_module_request,
5478         .task_setpgid =                 selinux_task_setpgid,
5479         .task_getpgid =                 selinux_task_getpgid,
5480         .task_getsid =                  selinux_task_getsid,
5481         .task_getsecid =                selinux_task_getsecid,
5482         .task_setnice =                 selinux_task_setnice,
5483         .task_setioprio =               selinux_task_setioprio,
5484         .task_getioprio =               selinux_task_getioprio,
5485         .task_setrlimit =               selinux_task_setrlimit,
5486         .task_setscheduler =            selinux_task_setscheduler,
5487         .task_getscheduler =            selinux_task_getscheduler,
5488         .task_movememory =              selinux_task_movememory,
5489         .task_kill =                    selinux_task_kill,
5490         .task_wait =                    selinux_task_wait,
5491         .task_to_inode =                selinux_task_to_inode,
5492
5493         .ipc_permission =               selinux_ipc_permission,
5494         .ipc_getsecid =                 selinux_ipc_getsecid,
5495
5496         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5497         .msg_msg_free_security =        selinux_msg_msg_free_security,
5498
5499         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5500         .msg_queue_free_security =      selinux_msg_queue_free_security,
5501         .msg_queue_associate =          selinux_msg_queue_associate,
5502         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5503         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5504         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5505
5506         .shm_alloc_security =           selinux_shm_alloc_security,
5507         .shm_free_security =            selinux_shm_free_security,
5508         .shm_associate =                selinux_shm_associate,
5509         .shm_shmctl =                   selinux_shm_shmctl,
5510         .shm_shmat =                    selinux_shm_shmat,
5511
5512         .sem_alloc_security =           selinux_sem_alloc_security,
5513         .sem_free_security =            selinux_sem_free_security,
5514         .sem_associate =                selinux_sem_associate,
5515         .sem_semctl =                   selinux_sem_semctl,
5516         .sem_semop =                    selinux_sem_semop,
5517
5518         .d_instantiate =                selinux_d_instantiate,
5519
5520         .getprocattr =                  selinux_getprocattr,
5521         .setprocattr =                  selinux_setprocattr,
5522
5523         .secid_to_secctx =              selinux_secid_to_secctx,
5524         .secctx_to_secid =              selinux_secctx_to_secid,
5525         .release_secctx =               selinux_release_secctx,
5526         .inode_notifysecctx =           selinux_inode_notifysecctx,
5527         .inode_setsecctx =              selinux_inode_setsecctx,
5528         .inode_getsecctx =              selinux_inode_getsecctx,
5529
5530         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5531         .unix_may_send =                selinux_socket_unix_may_send,
5532
5533         .socket_create =                selinux_socket_create,
5534         .socket_post_create =           selinux_socket_post_create,
5535         .socket_bind =                  selinux_socket_bind,
5536         .socket_connect =               selinux_socket_connect,
5537         .socket_listen =                selinux_socket_listen,
5538         .socket_accept =                selinux_socket_accept,
5539         .socket_sendmsg =               selinux_socket_sendmsg,
5540         .socket_recvmsg =               selinux_socket_recvmsg,
5541         .socket_getsockname =           selinux_socket_getsockname,
5542         .socket_getpeername =           selinux_socket_getpeername,
5543         .socket_getsockopt =            selinux_socket_getsockopt,
5544         .socket_setsockopt =            selinux_socket_setsockopt,
5545         .socket_shutdown =              selinux_socket_shutdown,
5546         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5547         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5548         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5549         .sk_alloc_security =            selinux_sk_alloc_security,
5550         .sk_free_security =             selinux_sk_free_security,
5551         .sk_clone_security =            selinux_sk_clone_security,
5552         .sk_getsecid =                  selinux_sk_getsecid,
5553         .sock_graft =                   selinux_sock_graft,
5554         .inet_conn_request =            selinux_inet_conn_request,
5555         .inet_csk_clone =               selinux_inet_csk_clone,
5556         .inet_conn_established =        selinux_inet_conn_established,
5557         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5558         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5559         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5560         .req_classify_flow =            selinux_req_classify_flow,
5561         .tun_dev_create =               selinux_tun_dev_create,
5562         .tun_dev_post_create =          selinux_tun_dev_post_create,
5563         .tun_dev_attach =               selinux_tun_dev_attach,
5564
5565 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5566         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5567         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5568         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5569         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5570         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5571         .xfrm_state_free_security =     selinux_xfrm_state_free,
5572         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5573         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5574         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5575         .xfrm_decode_session =          selinux_xfrm_decode_session,
5576 #endif
5577
5578 #ifdef CONFIG_KEYS
5579         .key_alloc =                    selinux_key_alloc,
5580         .key_free =                     selinux_key_free,
5581         .key_permission =               selinux_key_permission,
5582         .key_getsecurity =              selinux_key_getsecurity,
5583 #endif
5584
5585 #ifdef CONFIG_AUDIT
5586         .audit_rule_init =              selinux_audit_rule_init,
5587         .audit_rule_known =             selinux_audit_rule_known,
5588         .audit_rule_match =             selinux_audit_rule_match,
5589         .audit_rule_free =              selinux_audit_rule_free,
5590 #endif
5591 };
5592
5593 static __init int selinux_init(void)
5594 {
5595         if (!security_module_enable(&selinux_ops)) {
5596                 selinux_enabled = 0;
5597                 return 0;
5598         }
5599
5600         if (!selinux_enabled) {
5601                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5602                 return 0;
5603         }
5604
5605         printk(KERN_INFO "SELinux:  Initializing.\n");
5606
5607         /* Set the security state for the initial task. */
5608         cred_init_security();
5609
5610         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5611
5612         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5613                                             sizeof(struct inode_security_struct),
5614                                             0, SLAB_PANIC, NULL);
5615         avc_init();
5616
5617         if (register_security(&selinux_ops))
5618                 panic("SELinux: Unable to register with kernel.\n");
5619
5620         if (selinux_enforcing)
5621                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5622         else
5623                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5624
5625         return 0;
5626 }
5627
5628 static void delayed_superblock_init(struct super_block *sb, void *unused)
5629 {
5630         superblock_doinit(sb, NULL);
5631 }
5632
5633 void selinux_complete_init(void)
5634 {
5635         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5636
5637         /* Set up any superblocks initialized prior to the policy load. */
5638         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5639         iterate_supers(delayed_superblock_init, NULL);
5640 }
5641
5642 /* SELinux requires early initialization in order to label
5643    all processes and objects when they are created. */
5644 security_initcall(selinux_init);
5645
5646 #if defined(CONFIG_NETFILTER)
5647
5648 static struct nf_hook_ops selinux_ipv4_ops[] = {
5649         {
5650                 .hook =         selinux_ipv4_postroute,
5651                 .owner =        THIS_MODULE,
5652                 .pf =           PF_INET,
5653                 .hooknum =      NF_INET_POST_ROUTING,
5654                 .priority =     NF_IP_PRI_SELINUX_LAST,
5655         },
5656         {
5657                 .hook =         selinux_ipv4_forward,
5658                 .owner =        THIS_MODULE,
5659                 .pf =           PF_INET,
5660                 .hooknum =      NF_INET_FORWARD,
5661                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5662         },
5663         {
5664                 .hook =         selinux_ipv4_output,
5665                 .owner =        THIS_MODULE,
5666                 .pf =           PF_INET,
5667                 .hooknum =      NF_INET_LOCAL_OUT,
5668                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5669         }
5670 };
5671
5672 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5673
5674 static struct nf_hook_ops selinux_ipv6_ops[] = {
5675         {
5676                 .hook =         selinux_ipv6_postroute,
5677                 .owner =        THIS_MODULE,
5678                 .pf =           PF_INET6,
5679                 .hooknum =      NF_INET_POST_ROUTING,
5680                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5681         },
5682         {
5683                 .hook =         selinux_ipv6_forward,
5684                 .owner =        THIS_MODULE,
5685                 .pf =           PF_INET6,
5686                 .hooknum =      NF_INET_FORWARD,
5687                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5688         }
5689 };
5690
5691 #endif  /* IPV6 */
5692
5693 static int __init selinux_nf_ip_init(void)
5694 {
5695         int err = 0;
5696
5697         if (!selinux_enabled)
5698                 goto out;
5699
5700         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5701
5702         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5703         if (err)
5704                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5705
5706 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5707         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5708         if (err)
5709                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5710 #endif  /* IPV6 */
5711
5712 out:
5713         return err;
5714 }
5715
5716 __initcall(selinux_nf_ip_init);
5717
5718 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5719 static void selinux_nf_ip_exit(void)
5720 {
5721         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5722
5723         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5724 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5725         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5726 #endif  /* IPV6 */
5727 }
5728 #endif
5729
5730 #else /* CONFIG_NETFILTER */
5731
5732 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5733 #define selinux_nf_ip_exit()
5734 #endif
5735
5736 #endif /* CONFIG_NETFILTER */
5737
5738 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5739 static int selinux_disabled;
5740
5741 int selinux_disable(void)
5742 {
5743         extern void exit_sel_fs(void);
5744
5745         if (ss_initialized) {
5746                 /* Not permitted after initial policy load. */
5747                 return -EINVAL;
5748         }
5749
5750         if (selinux_disabled) {
5751                 /* Only do this once. */
5752                 return -EINVAL;
5753         }
5754
5755         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5756
5757         selinux_disabled = 1;
5758         selinux_enabled = 0;
5759
5760         reset_security_ops();
5761
5762         /* Try to destroy the avc node cache */
5763         avc_disable();
5764
5765         /* Unregister netfilter hooks. */
5766         selinux_nf_ip_exit();
5767
5768         /* Unregister selinuxfs. */
5769         exit_sel_fs();
5770
5771         return 0;
5772 }
5773 #endif