Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
79 #include <linux/syslog.h>
80
81 #include "avc.h"
82 #include "objsec.h"
83 #include "netif.h"
84 #include "netnode.h"
85 #include "netport.h"
86 #include "xfrm.h"
87 #include "netlabel.h"
88 #include "audit.h"
89
90 #define XATTR_SELINUX_SUFFIX "selinux"
91 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
92
93 #define NUM_SEL_MNT_OPTS 5
94
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         unsigned long enforcing;
107         if (!strict_strtoul(str, 0, &enforcing))
108                 selinux_enforcing = enforcing ? 1 : 0;
109         return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119         unsigned long enabled;
120         if (!strict_strtoul(str, 0, &enabled))
121                 selinux_enabled = enabled ? 1 : 0;
122         return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129 /* Lists of inode and superblock security structures initialized
130    before the policy was loaded. */
131 static LIST_HEAD(superblock_security_head);
132 static DEFINE_SPINLOCK(sb_security_lock);
133
134 static struct kmem_cache *sel_inode_cache;
135
136 /**
137  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
138  *
139  * Description:
140  * This function checks the SECMARK reference counter to see if any SECMARK
141  * targets are currently configured, if the reference counter is greater than
142  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
143  * enabled, false (0) if SECMARK is disabled.
144  *
145  */
146 static int selinux_secmark_enabled(void)
147 {
148         return (atomic_read(&selinux_secmark_refcount) > 0);
149 }
150
151 /*
152  * initialise the security for the init task
153  */
154 static void cred_init_security(void)
155 {
156         struct cred *cred = (struct cred *) current->real_cred;
157         struct task_security_struct *tsec;
158
159         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
160         if (!tsec)
161                 panic("SELinux:  Failed to initialize initial task.\n");
162
163         tsec->osid = tsec->sid = SECINITSID_KERNEL;
164         cred->security = tsec;
165 }
166
167 /*
168  * get the security ID of a set of credentials
169  */
170 static inline u32 cred_sid(const struct cred *cred)
171 {
172         const struct task_security_struct *tsec;
173
174         tsec = cred->security;
175         return tsec->sid;
176 }
177
178 /*
179  * get the objective security ID of a task
180  */
181 static inline u32 task_sid(const struct task_struct *task)
182 {
183         u32 sid;
184
185         rcu_read_lock();
186         sid = cred_sid(__task_cred(task));
187         rcu_read_unlock();
188         return sid;
189 }
190
191 /*
192  * get the subjective security ID of the current task
193  */
194 static inline u32 current_sid(void)
195 {
196         const struct task_security_struct *tsec = current_cred()->security;
197
198         return tsec->sid;
199 }
200
201 /* Allocate and free functions for each kind of security blob. */
202
203 static int inode_alloc_security(struct inode *inode)
204 {
205         struct inode_security_struct *isec;
206         u32 sid = current_sid();
207
208         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
209         if (!isec)
210                 return -ENOMEM;
211
212         mutex_init(&isec->lock);
213         INIT_LIST_HEAD(&isec->list);
214         isec->inode = inode;
215         isec->sid = SECINITSID_UNLABELED;
216         isec->sclass = SECCLASS_FILE;
217         isec->task_sid = sid;
218         inode->i_security = isec;
219
220         return 0;
221 }
222
223 static void inode_free_security(struct inode *inode)
224 {
225         struct inode_security_struct *isec = inode->i_security;
226         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
227
228         spin_lock(&sbsec->isec_lock);
229         if (!list_empty(&isec->list))
230                 list_del_init(&isec->list);
231         spin_unlock(&sbsec->isec_lock);
232
233         inode->i_security = NULL;
234         kmem_cache_free(sel_inode_cache, isec);
235 }
236
237 static int file_alloc_security(struct file *file)
238 {
239         struct file_security_struct *fsec;
240         u32 sid = current_sid();
241
242         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
243         if (!fsec)
244                 return -ENOMEM;
245
246         fsec->sid = sid;
247         fsec->fown_sid = sid;
248         file->f_security = fsec;
249
250         return 0;
251 }
252
253 static void file_free_security(struct file *file)
254 {
255         struct file_security_struct *fsec = file->f_security;
256         file->f_security = NULL;
257         kfree(fsec);
258 }
259
260 static int superblock_alloc_security(struct super_block *sb)
261 {
262         struct superblock_security_struct *sbsec;
263
264         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
265         if (!sbsec)
266                 return -ENOMEM;
267
268         mutex_init(&sbsec->lock);
269         INIT_LIST_HEAD(&sbsec->list);
270         INIT_LIST_HEAD(&sbsec->isec_head);
271         spin_lock_init(&sbsec->isec_lock);
272         sbsec->sb = sb;
273         sbsec->sid = SECINITSID_UNLABELED;
274         sbsec->def_sid = SECINITSID_FILE;
275         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
276         sb->s_security = sbsec;
277
278         return 0;
279 }
280
281 static void superblock_free_security(struct super_block *sb)
282 {
283         struct superblock_security_struct *sbsec = sb->s_security;
284
285         spin_lock(&sb_security_lock);
286         if (!list_empty(&sbsec->list))
287                 list_del_init(&sbsec->list);
288         spin_unlock(&sb_security_lock);
289
290         sb->s_security = NULL;
291         kfree(sbsec);
292 }
293
294 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
295 {
296         struct sk_security_struct *ssec;
297
298         ssec = kzalloc(sizeof(*ssec), priority);
299         if (!ssec)
300                 return -ENOMEM;
301
302         ssec->peer_sid = SECINITSID_UNLABELED;
303         ssec->sid = SECINITSID_UNLABELED;
304         sk->sk_security = ssec;
305
306         selinux_netlbl_sk_security_reset(ssec);
307
308         return 0;
309 }
310
311 static void sk_free_security(struct sock *sk)
312 {
313         struct sk_security_struct *ssec = sk->sk_security;
314
315         sk->sk_security = NULL;
316         selinux_netlbl_sk_security_free(ssec);
317         kfree(ssec);
318 }
319
320 /* The security server must be initialized before
321    any labeling or access decisions can be provided. */
322 extern int ss_initialized;
323
324 /* The file system's label must be initialized prior to use. */
325
326 static char *labeling_behaviors[6] = {
327         "uses xattr",
328         "uses transition SIDs",
329         "uses task SIDs",
330         "uses genfs_contexts",
331         "not configured for labeling",
332         "uses mountpoint labeling",
333 };
334
335 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
336
337 static inline int inode_doinit(struct inode *inode)
338 {
339         return inode_doinit_with_dentry(inode, NULL);
340 }
341
342 enum {
343         Opt_error = -1,
344         Opt_context = 1,
345         Opt_fscontext = 2,
346         Opt_defcontext = 3,
347         Opt_rootcontext = 4,
348         Opt_labelsupport = 5,
349 };
350
351 static const match_table_t tokens = {
352         {Opt_context, CONTEXT_STR "%s"},
353         {Opt_fscontext, FSCONTEXT_STR "%s"},
354         {Opt_defcontext, DEFCONTEXT_STR "%s"},
355         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
356         {Opt_labelsupport, LABELSUPP_STR},
357         {Opt_error, NULL},
358 };
359
360 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
361
362 static int may_context_mount_sb_relabel(u32 sid,
363                         struct superblock_security_struct *sbsec,
364                         const struct cred *cred)
365 {
366         const struct task_security_struct *tsec = cred->security;
367         int rc;
368
369         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
370                           FILESYSTEM__RELABELFROM, NULL);
371         if (rc)
372                 return rc;
373
374         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
375                           FILESYSTEM__RELABELTO, NULL);
376         return rc;
377 }
378
379 static int may_context_mount_inode_relabel(u32 sid,
380                         struct superblock_security_struct *sbsec,
381                         const struct cred *cred)
382 {
383         const struct task_security_struct *tsec = cred->security;
384         int rc;
385         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
386                           FILESYSTEM__RELABELFROM, NULL);
387         if (rc)
388                 return rc;
389
390         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
391                           FILESYSTEM__ASSOCIATE, NULL);
392         return rc;
393 }
394
395 static int sb_finish_set_opts(struct super_block *sb)
396 {
397         struct superblock_security_struct *sbsec = sb->s_security;
398         struct dentry *root = sb->s_root;
399         struct inode *root_inode = root->d_inode;
400         int rc = 0;
401
402         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
403                 /* Make sure that the xattr handler exists and that no
404                    error other than -ENODATA is returned by getxattr on
405                    the root directory.  -ENODATA is ok, as this may be
406                    the first boot of the SELinux kernel before we have
407                    assigned xattr values to the filesystem. */
408                 if (!root_inode->i_op->getxattr) {
409                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
410                                "xattr support\n", sb->s_id, sb->s_type->name);
411                         rc = -EOPNOTSUPP;
412                         goto out;
413                 }
414                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
415                 if (rc < 0 && rc != -ENODATA) {
416                         if (rc == -EOPNOTSUPP)
417                                 printk(KERN_WARNING "SELinux: (dev %s, type "
418                                        "%s) has no security xattr handler\n",
419                                        sb->s_id, sb->s_type->name);
420                         else
421                                 printk(KERN_WARNING "SELinux: (dev %s, type "
422                                        "%s) getxattr errno %d\n", sb->s_id,
423                                        sb->s_type->name, -rc);
424                         goto out;
425                 }
426         }
427
428         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
429
430         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
431                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
432                        sb->s_id, sb->s_type->name);
433         else
434                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
435                        sb->s_id, sb->s_type->name,
436                        labeling_behaviors[sbsec->behavior-1]);
437
438         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
439             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
440             sbsec->behavior == SECURITY_FS_USE_NONE ||
441             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
442                 sbsec->flags &= ~SE_SBLABELSUPP;
443
444         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
445         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
446                 sbsec->flags |= SE_SBLABELSUPP;
447
448         /* Initialize the root inode. */
449         rc = inode_doinit_with_dentry(root_inode, root);
450
451         /* Initialize any other inodes associated with the superblock, e.g.
452            inodes created prior to initial policy load or inodes created
453            during get_sb by a pseudo filesystem that directly
454            populates itself. */
455         spin_lock(&sbsec->isec_lock);
456 next_inode:
457         if (!list_empty(&sbsec->isec_head)) {
458                 struct inode_security_struct *isec =
459                                 list_entry(sbsec->isec_head.next,
460                                            struct inode_security_struct, list);
461                 struct inode *inode = isec->inode;
462                 spin_unlock(&sbsec->isec_lock);
463                 inode = igrab(inode);
464                 if (inode) {
465                         if (!IS_PRIVATE(inode))
466                                 inode_doinit(inode);
467                         iput(inode);
468                 }
469                 spin_lock(&sbsec->isec_lock);
470                 list_del_init(&isec->list);
471                 goto next_inode;
472         }
473         spin_unlock(&sbsec->isec_lock);
474 out:
475         return rc;
476 }
477
478 /*
479  * This function should allow an FS to ask what it's mount security
480  * options were so it can use those later for submounts, displaying
481  * mount options, or whatever.
482  */
483 static int selinux_get_mnt_opts(const struct super_block *sb,
484                                 struct security_mnt_opts *opts)
485 {
486         int rc = 0, i;
487         struct superblock_security_struct *sbsec = sb->s_security;
488         char *context = NULL;
489         u32 len;
490         char tmp;
491
492         security_init_mnt_opts(opts);
493
494         if (!(sbsec->flags & SE_SBINITIALIZED))
495                 return -EINVAL;
496
497         if (!ss_initialized)
498                 return -EINVAL;
499
500         tmp = sbsec->flags & SE_MNTMASK;
501         /* count the number of mount options for this sb */
502         for (i = 0; i < 8; i++) {
503                 if (tmp & 0x01)
504                         opts->num_mnt_opts++;
505                 tmp >>= 1;
506         }
507         /* Check if the Label support flag is set */
508         if (sbsec->flags & SE_SBLABELSUPP)
509                 opts->num_mnt_opts++;
510
511         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
512         if (!opts->mnt_opts) {
513                 rc = -ENOMEM;
514                 goto out_free;
515         }
516
517         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
518         if (!opts->mnt_opts_flags) {
519                 rc = -ENOMEM;
520                 goto out_free;
521         }
522
523         i = 0;
524         if (sbsec->flags & FSCONTEXT_MNT) {
525                 rc = security_sid_to_context(sbsec->sid, &context, &len);
526                 if (rc)
527                         goto out_free;
528                 opts->mnt_opts[i] = context;
529                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
530         }
531         if (sbsec->flags & CONTEXT_MNT) {
532                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
533                 if (rc)
534                         goto out_free;
535                 opts->mnt_opts[i] = context;
536                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
537         }
538         if (sbsec->flags & DEFCONTEXT_MNT) {
539                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
540                 if (rc)
541                         goto out_free;
542                 opts->mnt_opts[i] = context;
543                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
544         }
545         if (sbsec->flags & ROOTCONTEXT_MNT) {
546                 struct inode *root = sbsec->sb->s_root->d_inode;
547                 struct inode_security_struct *isec = root->i_security;
548
549                 rc = security_sid_to_context(isec->sid, &context, &len);
550                 if (rc)
551                         goto out_free;
552                 opts->mnt_opts[i] = context;
553                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
554         }
555         if (sbsec->flags & SE_SBLABELSUPP) {
556                 opts->mnt_opts[i] = NULL;
557                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
558         }
559
560         BUG_ON(i != opts->num_mnt_opts);
561
562         return 0;
563
564 out_free:
565         security_free_mnt_opts(opts);
566         return rc;
567 }
568
569 static int bad_option(struct superblock_security_struct *sbsec, char flag,
570                       u32 old_sid, u32 new_sid)
571 {
572         char mnt_flags = sbsec->flags & SE_MNTMASK;
573
574         /* check if the old mount command had the same options */
575         if (sbsec->flags & SE_SBINITIALIZED)
576                 if (!(sbsec->flags & flag) ||
577                     (old_sid != new_sid))
578                         return 1;
579
580         /* check if we were passed the same options twice,
581          * aka someone passed context=a,context=b
582          */
583         if (!(sbsec->flags & SE_SBINITIALIZED))
584                 if (mnt_flags & flag)
585                         return 1;
586         return 0;
587 }
588
589 /*
590  * Allow filesystems with binary mount data to explicitly set mount point
591  * labeling information.
592  */
593 static int selinux_set_mnt_opts(struct super_block *sb,
594                                 struct security_mnt_opts *opts)
595 {
596         const struct cred *cred = current_cred();
597         int rc = 0, i;
598         struct superblock_security_struct *sbsec = sb->s_security;
599         const char *name = sb->s_type->name;
600         struct inode *inode = sbsec->sb->s_root->d_inode;
601         struct inode_security_struct *root_isec = inode->i_security;
602         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
603         u32 defcontext_sid = 0;
604         char **mount_options = opts->mnt_opts;
605         int *flags = opts->mnt_opts_flags;
606         int num_opts = opts->num_mnt_opts;
607
608         mutex_lock(&sbsec->lock);
609
610         if (!ss_initialized) {
611                 if (!num_opts) {
612                         /* Defer initialization until selinux_complete_init,
613                            after the initial policy is loaded and the security
614                            server is ready to handle calls. */
615                         spin_lock(&sb_security_lock);
616                         if (list_empty(&sbsec->list))
617                                 list_add(&sbsec->list, &superblock_security_head);
618                         spin_unlock(&sb_security_lock);
619                         goto out;
620                 }
621                 rc = -EINVAL;
622                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
623                         "before the security server is initialized\n");
624                 goto out;
625         }
626
627         /*
628          * Binary mount data FS will come through this function twice.  Once
629          * from an explicit call and once from the generic calls from the vfs.
630          * Since the generic VFS calls will not contain any security mount data
631          * we need to skip the double mount verification.
632          *
633          * This does open a hole in which we will not notice if the first
634          * mount using this sb set explict options and a second mount using
635          * this sb does not set any security options.  (The first options
636          * will be used for both mounts)
637          */
638         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
639             && (num_opts == 0))
640                 goto out;
641
642         /*
643          * parse the mount options, check if they are valid sids.
644          * also check if someone is trying to mount the same sb more
645          * than once with different security options.
646          */
647         for (i = 0; i < num_opts; i++) {
648                 u32 sid;
649
650                 if (flags[i] == SE_SBLABELSUPP)
651                         continue;
652                 rc = security_context_to_sid(mount_options[i],
653                                              strlen(mount_options[i]), &sid);
654                 if (rc) {
655                         printk(KERN_WARNING "SELinux: security_context_to_sid"
656                                "(%s) failed for (dev %s, type %s) errno=%d\n",
657                                mount_options[i], sb->s_id, name, rc);
658                         goto out;
659                 }
660                 switch (flags[i]) {
661                 case FSCONTEXT_MNT:
662                         fscontext_sid = sid;
663
664                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
665                                         fscontext_sid))
666                                 goto out_double_mount;
667
668                         sbsec->flags |= FSCONTEXT_MNT;
669                         break;
670                 case CONTEXT_MNT:
671                         context_sid = sid;
672
673                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
674                                         context_sid))
675                                 goto out_double_mount;
676
677                         sbsec->flags |= CONTEXT_MNT;
678                         break;
679                 case ROOTCONTEXT_MNT:
680                         rootcontext_sid = sid;
681
682                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
683                                         rootcontext_sid))
684                                 goto out_double_mount;
685
686                         sbsec->flags |= ROOTCONTEXT_MNT;
687
688                         break;
689                 case DEFCONTEXT_MNT:
690                         defcontext_sid = sid;
691
692                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
693                                         defcontext_sid))
694                                 goto out_double_mount;
695
696                         sbsec->flags |= DEFCONTEXT_MNT;
697
698                         break;
699                 default:
700                         rc = -EINVAL;
701                         goto out;
702                 }
703         }
704
705         if (sbsec->flags & SE_SBINITIALIZED) {
706                 /* previously mounted with options, but not on this attempt? */
707                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
708                         goto out_double_mount;
709                 rc = 0;
710                 goto out;
711         }
712
713         if (strcmp(sb->s_type->name, "proc") == 0)
714                 sbsec->flags |= SE_SBPROC;
715
716         /* Determine the labeling behavior to use for this filesystem type. */
717         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
718         if (rc) {
719                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
720                        __func__, sb->s_type->name, rc);
721                 goto out;
722         }
723
724         /* sets the context of the superblock for the fs being mounted. */
725         if (fscontext_sid) {
726                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
727                 if (rc)
728                         goto out;
729
730                 sbsec->sid = fscontext_sid;
731         }
732
733         /*
734          * Switch to using mount point labeling behavior.
735          * sets the label used on all file below the mountpoint, and will set
736          * the superblock context if not already set.
737          */
738         if (context_sid) {
739                 if (!fscontext_sid) {
740                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
741                                                           cred);
742                         if (rc)
743                                 goto out;
744                         sbsec->sid = context_sid;
745                 } else {
746                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
747                                                              cred);
748                         if (rc)
749                                 goto out;
750                 }
751                 if (!rootcontext_sid)
752                         rootcontext_sid = context_sid;
753
754                 sbsec->mntpoint_sid = context_sid;
755                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
756         }
757
758         if (rootcontext_sid) {
759                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
760                                                      cred);
761                 if (rc)
762                         goto out;
763
764                 root_isec->sid = rootcontext_sid;
765                 root_isec->initialized = 1;
766         }
767
768         if (defcontext_sid) {
769                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
770                         rc = -EINVAL;
771                         printk(KERN_WARNING "SELinux: defcontext option is "
772                                "invalid for this filesystem type\n");
773                         goto out;
774                 }
775
776                 if (defcontext_sid != sbsec->def_sid) {
777                         rc = may_context_mount_inode_relabel(defcontext_sid,
778                                                              sbsec, cred);
779                         if (rc)
780                                 goto out;
781                 }
782
783                 sbsec->def_sid = defcontext_sid;
784         }
785
786         rc = sb_finish_set_opts(sb);
787 out:
788         mutex_unlock(&sbsec->lock);
789         return rc;
790 out_double_mount:
791         rc = -EINVAL;
792         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
793                "security settings for (dev %s, type %s)\n", sb->s_id, name);
794         goto out;
795 }
796
797 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
798                                         struct super_block *newsb)
799 {
800         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
801         struct superblock_security_struct *newsbsec = newsb->s_security;
802
803         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
804         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
805         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
806
807         /*
808          * if the parent was able to be mounted it clearly had no special lsm
809          * mount options.  thus we can safely put this sb on the list and deal
810          * with it later
811          */
812         if (!ss_initialized) {
813                 spin_lock(&sb_security_lock);
814                 if (list_empty(&newsbsec->list))
815                         list_add(&newsbsec->list, &superblock_security_head);
816                 spin_unlock(&sb_security_lock);
817                 return;
818         }
819
820         /* how can we clone if the old one wasn't set up?? */
821         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
822
823         /* if fs is reusing a sb, just let its options stand... */
824         if (newsbsec->flags & SE_SBINITIALIZED)
825                 return;
826
827         mutex_lock(&newsbsec->lock);
828
829         newsbsec->flags = oldsbsec->flags;
830
831         newsbsec->sid = oldsbsec->sid;
832         newsbsec->def_sid = oldsbsec->def_sid;
833         newsbsec->behavior = oldsbsec->behavior;
834
835         if (set_context) {
836                 u32 sid = oldsbsec->mntpoint_sid;
837
838                 if (!set_fscontext)
839                         newsbsec->sid = sid;
840                 if (!set_rootcontext) {
841                         struct inode *newinode = newsb->s_root->d_inode;
842                         struct inode_security_struct *newisec = newinode->i_security;
843                         newisec->sid = sid;
844                 }
845                 newsbsec->mntpoint_sid = sid;
846         }
847         if (set_rootcontext) {
848                 const struct inode *oldinode = oldsb->s_root->d_inode;
849                 const struct inode_security_struct *oldisec = oldinode->i_security;
850                 struct inode *newinode = newsb->s_root->d_inode;
851                 struct inode_security_struct *newisec = newinode->i_security;
852
853                 newisec->sid = oldisec->sid;
854         }
855
856         sb_finish_set_opts(newsb);
857         mutex_unlock(&newsbsec->lock);
858 }
859
860 static int selinux_parse_opts_str(char *options,
861                                   struct security_mnt_opts *opts)
862 {
863         char *p;
864         char *context = NULL, *defcontext = NULL;
865         char *fscontext = NULL, *rootcontext = NULL;
866         int rc, num_mnt_opts = 0;
867
868         opts->num_mnt_opts = 0;
869
870         /* Standard string-based options. */
871         while ((p = strsep(&options, "|")) != NULL) {
872                 int token;
873                 substring_t args[MAX_OPT_ARGS];
874
875                 if (!*p)
876                         continue;
877
878                 token = match_token(p, tokens, args);
879
880                 switch (token) {
881                 case Opt_context:
882                         if (context || defcontext) {
883                                 rc = -EINVAL;
884                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
885                                 goto out_err;
886                         }
887                         context = match_strdup(&args[0]);
888                         if (!context) {
889                                 rc = -ENOMEM;
890                                 goto out_err;
891                         }
892                         break;
893
894                 case Opt_fscontext:
895                         if (fscontext) {
896                                 rc = -EINVAL;
897                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
898                                 goto out_err;
899                         }
900                         fscontext = match_strdup(&args[0]);
901                         if (!fscontext) {
902                                 rc = -ENOMEM;
903                                 goto out_err;
904                         }
905                         break;
906
907                 case Opt_rootcontext:
908                         if (rootcontext) {
909                                 rc = -EINVAL;
910                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
911                                 goto out_err;
912                         }
913                         rootcontext = match_strdup(&args[0]);
914                         if (!rootcontext) {
915                                 rc = -ENOMEM;
916                                 goto out_err;
917                         }
918                         break;
919
920                 case Opt_defcontext:
921                         if (context || defcontext) {
922                                 rc = -EINVAL;
923                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
924                                 goto out_err;
925                         }
926                         defcontext = match_strdup(&args[0]);
927                         if (!defcontext) {
928                                 rc = -ENOMEM;
929                                 goto out_err;
930                         }
931                         break;
932                 case Opt_labelsupport:
933                         break;
934                 default:
935                         rc = -EINVAL;
936                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
937                         goto out_err;
938
939                 }
940         }
941
942         rc = -ENOMEM;
943         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
944         if (!opts->mnt_opts)
945                 goto out_err;
946
947         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
948         if (!opts->mnt_opts_flags) {
949                 kfree(opts->mnt_opts);
950                 goto out_err;
951         }
952
953         if (fscontext) {
954                 opts->mnt_opts[num_mnt_opts] = fscontext;
955                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
956         }
957         if (context) {
958                 opts->mnt_opts[num_mnt_opts] = context;
959                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
960         }
961         if (rootcontext) {
962                 opts->mnt_opts[num_mnt_opts] = rootcontext;
963                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
964         }
965         if (defcontext) {
966                 opts->mnt_opts[num_mnt_opts] = defcontext;
967                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
968         }
969
970         opts->num_mnt_opts = num_mnt_opts;
971         return 0;
972
973 out_err:
974         kfree(context);
975         kfree(defcontext);
976         kfree(fscontext);
977         kfree(rootcontext);
978         return rc;
979 }
980 /*
981  * string mount options parsing and call set the sbsec
982  */
983 static int superblock_doinit(struct super_block *sb, void *data)
984 {
985         int rc = 0;
986         char *options = data;
987         struct security_mnt_opts opts;
988
989         security_init_mnt_opts(&opts);
990
991         if (!data)
992                 goto out;
993
994         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
995
996         rc = selinux_parse_opts_str(options, &opts);
997         if (rc)
998                 goto out_err;
999
1000 out:
1001         rc = selinux_set_mnt_opts(sb, &opts);
1002
1003 out_err:
1004         security_free_mnt_opts(&opts);
1005         return rc;
1006 }
1007
1008 static void selinux_write_opts(struct seq_file *m,
1009                                struct security_mnt_opts *opts)
1010 {
1011         int i;
1012         char *prefix;
1013
1014         for (i = 0; i < opts->num_mnt_opts; i++) {
1015                 char *has_comma;
1016
1017                 if (opts->mnt_opts[i])
1018                         has_comma = strchr(opts->mnt_opts[i], ',');
1019                 else
1020                         has_comma = NULL;
1021
1022                 switch (opts->mnt_opts_flags[i]) {
1023                 case CONTEXT_MNT:
1024                         prefix = CONTEXT_STR;
1025                         break;
1026                 case FSCONTEXT_MNT:
1027                         prefix = FSCONTEXT_STR;
1028                         break;
1029                 case ROOTCONTEXT_MNT:
1030                         prefix = ROOTCONTEXT_STR;
1031                         break;
1032                 case DEFCONTEXT_MNT:
1033                         prefix = DEFCONTEXT_STR;
1034                         break;
1035                 case SE_SBLABELSUPP:
1036                         seq_putc(m, ',');
1037                         seq_puts(m, LABELSUPP_STR);
1038                         continue;
1039                 default:
1040                         BUG();
1041                 };
1042                 /* we need a comma before each option */
1043                 seq_putc(m, ',');
1044                 seq_puts(m, prefix);
1045                 if (has_comma)
1046                         seq_putc(m, '\"');
1047                 seq_puts(m, opts->mnt_opts[i]);
1048                 if (has_comma)
1049                         seq_putc(m, '\"');
1050         }
1051 }
1052
1053 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1054 {
1055         struct security_mnt_opts opts;
1056         int rc;
1057
1058         rc = selinux_get_mnt_opts(sb, &opts);
1059         if (rc) {
1060                 /* before policy load we may get EINVAL, don't show anything */
1061                 if (rc == -EINVAL)
1062                         rc = 0;
1063                 return rc;
1064         }
1065
1066         selinux_write_opts(m, &opts);
1067
1068         security_free_mnt_opts(&opts);
1069
1070         return rc;
1071 }
1072
1073 static inline u16 inode_mode_to_security_class(umode_t mode)
1074 {
1075         switch (mode & S_IFMT) {
1076         case S_IFSOCK:
1077                 return SECCLASS_SOCK_FILE;
1078         case S_IFLNK:
1079                 return SECCLASS_LNK_FILE;
1080         case S_IFREG:
1081                 return SECCLASS_FILE;
1082         case S_IFBLK:
1083                 return SECCLASS_BLK_FILE;
1084         case S_IFDIR:
1085                 return SECCLASS_DIR;
1086         case S_IFCHR:
1087                 return SECCLASS_CHR_FILE;
1088         case S_IFIFO:
1089                 return SECCLASS_FIFO_FILE;
1090
1091         }
1092
1093         return SECCLASS_FILE;
1094 }
1095
1096 static inline int default_protocol_stream(int protocol)
1097 {
1098         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1099 }
1100
1101 static inline int default_protocol_dgram(int protocol)
1102 {
1103         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1104 }
1105
1106 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1107 {
1108         switch (family) {
1109         case PF_UNIX:
1110                 switch (type) {
1111                 case SOCK_STREAM:
1112                 case SOCK_SEQPACKET:
1113                         return SECCLASS_UNIX_STREAM_SOCKET;
1114                 case SOCK_DGRAM:
1115                         return SECCLASS_UNIX_DGRAM_SOCKET;
1116                 }
1117                 break;
1118         case PF_INET:
1119         case PF_INET6:
1120                 switch (type) {
1121                 case SOCK_STREAM:
1122                         if (default_protocol_stream(protocol))
1123                                 return SECCLASS_TCP_SOCKET;
1124                         else
1125                                 return SECCLASS_RAWIP_SOCKET;
1126                 case SOCK_DGRAM:
1127                         if (default_protocol_dgram(protocol))
1128                                 return SECCLASS_UDP_SOCKET;
1129                         else
1130                                 return SECCLASS_RAWIP_SOCKET;
1131                 case SOCK_DCCP:
1132                         return SECCLASS_DCCP_SOCKET;
1133                 default:
1134                         return SECCLASS_RAWIP_SOCKET;
1135                 }
1136                 break;
1137         case PF_NETLINK:
1138                 switch (protocol) {
1139                 case NETLINK_ROUTE:
1140                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1141                 case NETLINK_FIREWALL:
1142                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1143                 case NETLINK_INET_DIAG:
1144                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1145                 case NETLINK_NFLOG:
1146                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1147                 case NETLINK_XFRM:
1148                         return SECCLASS_NETLINK_XFRM_SOCKET;
1149                 case NETLINK_SELINUX:
1150                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1151                 case NETLINK_AUDIT:
1152                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1153                 case NETLINK_IP6_FW:
1154                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1155                 case NETLINK_DNRTMSG:
1156                         return SECCLASS_NETLINK_DNRT_SOCKET;
1157                 case NETLINK_KOBJECT_UEVENT:
1158                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1159                 default:
1160                         return SECCLASS_NETLINK_SOCKET;
1161                 }
1162         case PF_PACKET:
1163                 return SECCLASS_PACKET_SOCKET;
1164         case PF_KEY:
1165                 return SECCLASS_KEY_SOCKET;
1166         case PF_APPLETALK:
1167                 return SECCLASS_APPLETALK_SOCKET;
1168         }
1169
1170         return SECCLASS_SOCKET;
1171 }
1172
1173 #ifdef CONFIG_PROC_FS
1174 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1175                                 u16 tclass,
1176                                 u32 *sid)
1177 {
1178         int buflen, rc;
1179         char *buffer, *path, *end;
1180
1181         buffer = (char *)__get_free_page(GFP_KERNEL);
1182         if (!buffer)
1183                 return -ENOMEM;
1184
1185         buflen = PAGE_SIZE;
1186         end = buffer+buflen;
1187         *--end = '\0';
1188         buflen--;
1189         path = end-1;
1190         *path = '/';
1191         while (de && de != de->parent) {
1192                 buflen -= de->namelen + 1;
1193                 if (buflen < 0)
1194                         break;
1195                 end -= de->namelen;
1196                 memcpy(end, de->name, de->namelen);
1197                 *--end = '/';
1198                 path = end;
1199                 de = de->parent;
1200         }
1201         rc = security_genfs_sid("proc", path, tclass, sid);
1202         free_page((unsigned long)buffer);
1203         return rc;
1204 }
1205 #else
1206 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1207                                 u16 tclass,
1208                                 u32 *sid)
1209 {
1210         return -EINVAL;
1211 }
1212 #endif
1213
1214 /* The inode's security attributes must be initialized before first use. */
1215 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1216 {
1217         struct superblock_security_struct *sbsec = NULL;
1218         struct inode_security_struct *isec = inode->i_security;
1219         u32 sid;
1220         struct dentry *dentry;
1221 #define INITCONTEXTLEN 255
1222         char *context = NULL;
1223         unsigned len = 0;
1224         int rc = 0;
1225
1226         if (isec->initialized)
1227                 goto out;
1228
1229         mutex_lock(&isec->lock);
1230         if (isec->initialized)
1231                 goto out_unlock;
1232
1233         sbsec = inode->i_sb->s_security;
1234         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1235                 /* Defer initialization until selinux_complete_init,
1236                    after the initial policy is loaded and the security
1237                    server is ready to handle calls. */
1238                 spin_lock(&sbsec->isec_lock);
1239                 if (list_empty(&isec->list))
1240                         list_add(&isec->list, &sbsec->isec_head);
1241                 spin_unlock(&sbsec->isec_lock);
1242                 goto out_unlock;
1243         }
1244
1245         switch (sbsec->behavior) {
1246         case SECURITY_FS_USE_XATTR:
1247                 if (!inode->i_op->getxattr) {
1248                         isec->sid = sbsec->def_sid;
1249                         break;
1250                 }
1251
1252                 /* Need a dentry, since the xattr API requires one.
1253                    Life would be simpler if we could just pass the inode. */
1254                 if (opt_dentry) {
1255                         /* Called from d_instantiate or d_splice_alias. */
1256                         dentry = dget(opt_dentry);
1257                 } else {
1258                         /* Called from selinux_complete_init, try to find a dentry. */
1259                         dentry = d_find_alias(inode);
1260                 }
1261                 if (!dentry) {
1262                         /*
1263                          * this is can be hit on boot when a file is accessed
1264                          * before the policy is loaded.  When we load policy we
1265                          * may find inodes that have no dentry on the
1266                          * sbsec->isec_head list.  No reason to complain as these
1267                          * will get fixed up the next time we go through
1268                          * inode_doinit with a dentry, before these inodes could
1269                          * be used again by userspace.
1270                          */
1271                         goto out_unlock;
1272                 }
1273
1274                 len = INITCONTEXTLEN;
1275                 context = kmalloc(len+1, GFP_NOFS);
1276                 if (!context) {
1277                         rc = -ENOMEM;
1278                         dput(dentry);
1279                         goto out_unlock;
1280                 }
1281                 context[len] = '\0';
1282                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1283                                            context, len);
1284                 if (rc == -ERANGE) {
1285                         kfree(context);
1286
1287                         /* Need a larger buffer.  Query for the right size. */
1288                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1289                                                    NULL, 0);
1290                         if (rc < 0) {
1291                                 dput(dentry);
1292                                 goto out_unlock;
1293                         }
1294                         len = rc;
1295                         context = kmalloc(len+1, GFP_NOFS);
1296                         if (!context) {
1297                                 rc = -ENOMEM;
1298                                 dput(dentry);
1299                                 goto out_unlock;
1300                         }
1301                         context[len] = '\0';
1302                         rc = inode->i_op->getxattr(dentry,
1303                                                    XATTR_NAME_SELINUX,
1304                                                    context, len);
1305                 }
1306                 dput(dentry);
1307                 if (rc < 0) {
1308                         if (rc != -ENODATA) {
1309                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1310                                        "%d for dev=%s ino=%ld\n", __func__,
1311                                        -rc, inode->i_sb->s_id, inode->i_ino);
1312                                 kfree(context);
1313                                 goto out_unlock;
1314                         }
1315                         /* Map ENODATA to the default file SID */
1316                         sid = sbsec->def_sid;
1317                         rc = 0;
1318                 } else {
1319                         rc = security_context_to_sid_default(context, rc, &sid,
1320                                                              sbsec->def_sid,
1321                                                              GFP_NOFS);
1322                         if (rc) {
1323                                 char *dev = inode->i_sb->s_id;
1324                                 unsigned long ino = inode->i_ino;
1325
1326                                 if (rc == -EINVAL) {
1327                                         if (printk_ratelimit())
1328                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1329                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1330                                                         "filesystem in question.\n", ino, dev, context);
1331                                 } else {
1332                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1333                                                "returned %d for dev=%s ino=%ld\n",
1334                                                __func__, context, -rc, dev, ino);
1335                                 }
1336                                 kfree(context);
1337                                 /* Leave with the unlabeled SID */
1338                                 rc = 0;
1339                                 break;
1340                         }
1341                 }
1342                 kfree(context);
1343                 isec->sid = sid;
1344                 break;
1345         case SECURITY_FS_USE_TASK:
1346                 isec->sid = isec->task_sid;
1347                 break;
1348         case SECURITY_FS_USE_TRANS:
1349                 /* Default to the fs SID. */
1350                 isec->sid = sbsec->sid;
1351
1352                 /* Try to obtain a transition SID. */
1353                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1354                 rc = security_transition_sid(isec->task_sid,
1355                                              sbsec->sid,
1356                                              isec->sclass,
1357                                              &sid);
1358                 if (rc)
1359                         goto out_unlock;
1360                 isec->sid = sid;
1361                 break;
1362         case SECURITY_FS_USE_MNTPOINT:
1363                 isec->sid = sbsec->mntpoint_sid;
1364                 break;
1365         default:
1366                 /* Default to the fs superblock SID. */
1367                 isec->sid = sbsec->sid;
1368
1369                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1370                         struct proc_inode *proci = PROC_I(inode);
1371                         if (proci->pde) {
1372                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1373                                 rc = selinux_proc_get_sid(proci->pde,
1374                                                           isec->sclass,
1375                                                           &sid);
1376                                 if (rc)
1377                                         goto out_unlock;
1378                                 isec->sid = sid;
1379                         }
1380                 }
1381                 break;
1382         }
1383
1384         isec->initialized = 1;
1385
1386 out_unlock:
1387         mutex_unlock(&isec->lock);
1388 out:
1389         if (isec->sclass == SECCLASS_FILE)
1390                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1391         return rc;
1392 }
1393
1394 /* Convert a Linux signal to an access vector. */
1395 static inline u32 signal_to_av(int sig)
1396 {
1397         u32 perm = 0;
1398
1399         switch (sig) {
1400         case SIGCHLD:
1401                 /* Commonly granted from child to parent. */
1402                 perm = PROCESS__SIGCHLD;
1403                 break;
1404         case SIGKILL:
1405                 /* Cannot be caught or ignored */
1406                 perm = PROCESS__SIGKILL;
1407                 break;
1408         case SIGSTOP:
1409                 /* Cannot be caught or ignored */
1410                 perm = PROCESS__SIGSTOP;
1411                 break;
1412         default:
1413                 /* All other signals. */
1414                 perm = PROCESS__SIGNAL;
1415                 break;
1416         }
1417
1418         return perm;
1419 }
1420
1421 /*
1422  * Check permission between a pair of credentials
1423  * fork check, ptrace check, etc.
1424  */
1425 static int cred_has_perm(const struct cred *actor,
1426                          const struct cred *target,
1427                          u32 perms)
1428 {
1429         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1430
1431         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1432 }
1433
1434 /*
1435  * Check permission between a pair of tasks, e.g. signal checks,
1436  * fork check, ptrace check, etc.
1437  * tsk1 is the actor and tsk2 is the target
1438  * - this uses the default subjective creds of tsk1
1439  */
1440 static int task_has_perm(const struct task_struct *tsk1,
1441                          const struct task_struct *tsk2,
1442                          u32 perms)
1443 {
1444         const struct task_security_struct *__tsec1, *__tsec2;
1445         u32 sid1, sid2;
1446
1447         rcu_read_lock();
1448         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1449         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1450         rcu_read_unlock();
1451         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1452 }
1453
1454 /*
1455  * Check permission between current and another task, e.g. signal checks,
1456  * fork check, ptrace check, etc.
1457  * current is the actor and tsk2 is the target
1458  * - this uses current's subjective creds
1459  */
1460 static int current_has_perm(const struct task_struct *tsk,
1461                             u32 perms)
1462 {
1463         u32 sid, tsid;
1464
1465         sid = current_sid();
1466         tsid = task_sid(tsk);
1467         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1468 }
1469
1470 #if CAP_LAST_CAP > 63
1471 #error Fix SELinux to handle capabilities > 63.
1472 #endif
1473
1474 /* Check whether a task is allowed to use a capability. */
1475 static int task_has_capability(struct task_struct *tsk,
1476                                const struct cred *cred,
1477                                int cap, int audit)
1478 {
1479         struct common_audit_data ad;
1480         struct av_decision avd;
1481         u16 sclass;
1482         u32 sid = cred_sid(cred);
1483         u32 av = CAP_TO_MASK(cap);
1484         int rc;
1485
1486         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1487         ad.tsk = tsk;
1488         ad.u.cap = cap;
1489
1490         switch (CAP_TO_INDEX(cap)) {
1491         case 0:
1492                 sclass = SECCLASS_CAPABILITY;
1493                 break;
1494         case 1:
1495                 sclass = SECCLASS_CAPABILITY2;
1496                 break;
1497         default:
1498                 printk(KERN_ERR
1499                        "SELinux:  out of range capability %d\n", cap);
1500                 BUG();
1501         }
1502
1503         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1504         if (audit == SECURITY_CAP_AUDIT)
1505                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1506         return rc;
1507 }
1508
1509 /* Check whether a task is allowed to use a system operation. */
1510 static int task_has_system(struct task_struct *tsk,
1511                            u32 perms)
1512 {
1513         u32 sid = task_sid(tsk);
1514
1515         return avc_has_perm(sid, SECINITSID_KERNEL,
1516                             SECCLASS_SYSTEM, perms, NULL);
1517 }
1518
1519 /* Check whether a task has a particular permission to an inode.
1520    The 'adp' parameter is optional and allows other audit
1521    data to be passed (e.g. the dentry). */
1522 static int inode_has_perm(const struct cred *cred,
1523                           struct inode *inode,
1524                           u32 perms,
1525                           struct common_audit_data *adp)
1526 {
1527         struct inode_security_struct *isec;
1528         struct common_audit_data ad;
1529         u32 sid;
1530
1531         validate_creds(cred);
1532
1533         if (unlikely(IS_PRIVATE(inode)))
1534                 return 0;
1535
1536         sid = cred_sid(cred);
1537         isec = inode->i_security;
1538
1539         if (!adp) {
1540                 adp = &ad;
1541                 COMMON_AUDIT_DATA_INIT(&ad, FS);
1542                 ad.u.fs.inode = inode;
1543         }
1544
1545         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1546 }
1547
1548 /* Same as inode_has_perm, but pass explicit audit data containing
1549    the dentry to help the auditing code to more easily generate the
1550    pathname if needed. */
1551 static inline int dentry_has_perm(const struct cred *cred,
1552                                   struct vfsmount *mnt,
1553                                   struct dentry *dentry,
1554                                   u32 av)
1555 {
1556         struct inode *inode = dentry->d_inode;
1557         struct common_audit_data ad;
1558
1559         COMMON_AUDIT_DATA_INIT(&ad, FS);
1560         ad.u.fs.path.mnt = mnt;
1561         ad.u.fs.path.dentry = dentry;
1562         return inode_has_perm(cred, inode, av, &ad);
1563 }
1564
1565 /* Check whether a task can use an open file descriptor to
1566    access an inode in a given way.  Check access to the
1567    descriptor itself, and then use dentry_has_perm to
1568    check a particular permission to the file.
1569    Access to the descriptor is implicitly granted if it
1570    has the same SID as the process.  If av is zero, then
1571    access to the file is not checked, e.g. for cases
1572    where only the descriptor is affected like seek. */
1573 static int file_has_perm(const struct cred *cred,
1574                          struct file *file,
1575                          u32 av)
1576 {
1577         struct file_security_struct *fsec = file->f_security;
1578         struct inode *inode = file->f_path.dentry->d_inode;
1579         struct common_audit_data ad;
1580         u32 sid = cred_sid(cred);
1581         int rc;
1582
1583         COMMON_AUDIT_DATA_INIT(&ad, FS);
1584         ad.u.fs.path = file->f_path;
1585
1586         if (sid != fsec->sid) {
1587                 rc = avc_has_perm(sid, fsec->sid,
1588                                   SECCLASS_FD,
1589                                   FD__USE,
1590                                   &ad);
1591                 if (rc)
1592                         goto out;
1593         }
1594
1595         /* av is zero if only checking access to the descriptor. */
1596         rc = 0;
1597         if (av)
1598                 rc = inode_has_perm(cred, inode, av, &ad);
1599
1600 out:
1601         return rc;
1602 }
1603
1604 /* Check whether a task can create a file. */
1605 static int may_create(struct inode *dir,
1606                       struct dentry *dentry,
1607                       u16 tclass)
1608 {
1609         const struct cred *cred = current_cred();
1610         const struct task_security_struct *tsec = cred->security;
1611         struct inode_security_struct *dsec;
1612         struct superblock_security_struct *sbsec;
1613         u32 sid, newsid;
1614         struct common_audit_data ad;
1615         int rc;
1616
1617         dsec = dir->i_security;
1618         sbsec = dir->i_sb->s_security;
1619
1620         sid = tsec->sid;
1621         newsid = tsec->create_sid;
1622
1623         COMMON_AUDIT_DATA_INIT(&ad, FS);
1624         ad.u.fs.path.dentry = dentry;
1625
1626         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1627                           DIR__ADD_NAME | DIR__SEARCH,
1628                           &ad);
1629         if (rc)
1630                 return rc;
1631
1632         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1633                 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1634                 if (rc)
1635                         return rc;
1636         }
1637
1638         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1639         if (rc)
1640                 return rc;
1641
1642         return avc_has_perm(newsid, sbsec->sid,
1643                             SECCLASS_FILESYSTEM,
1644                             FILESYSTEM__ASSOCIATE, &ad);
1645 }
1646
1647 /* Check whether a task can create a key. */
1648 static int may_create_key(u32 ksid,
1649                           struct task_struct *ctx)
1650 {
1651         u32 sid = task_sid(ctx);
1652
1653         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1654 }
1655
1656 #define MAY_LINK        0
1657 #define MAY_UNLINK      1
1658 #define MAY_RMDIR       2
1659
1660 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1661 static int may_link(struct inode *dir,
1662                     struct dentry *dentry,
1663                     int kind)
1664
1665 {
1666         struct inode_security_struct *dsec, *isec;
1667         struct common_audit_data ad;
1668         u32 sid = current_sid();
1669         u32 av;
1670         int rc;
1671
1672         dsec = dir->i_security;
1673         isec = dentry->d_inode->i_security;
1674
1675         COMMON_AUDIT_DATA_INIT(&ad, FS);
1676         ad.u.fs.path.dentry = dentry;
1677
1678         av = DIR__SEARCH;
1679         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1680         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1681         if (rc)
1682                 return rc;
1683
1684         switch (kind) {
1685         case MAY_LINK:
1686                 av = FILE__LINK;
1687                 break;
1688         case MAY_UNLINK:
1689                 av = FILE__UNLINK;
1690                 break;
1691         case MAY_RMDIR:
1692                 av = DIR__RMDIR;
1693                 break;
1694         default:
1695                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1696                         __func__, kind);
1697                 return 0;
1698         }
1699
1700         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1701         return rc;
1702 }
1703
1704 static inline int may_rename(struct inode *old_dir,
1705                              struct dentry *old_dentry,
1706                              struct inode *new_dir,
1707                              struct dentry *new_dentry)
1708 {
1709         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1710         struct common_audit_data ad;
1711         u32 sid = current_sid();
1712         u32 av;
1713         int old_is_dir, new_is_dir;
1714         int rc;
1715
1716         old_dsec = old_dir->i_security;
1717         old_isec = old_dentry->d_inode->i_security;
1718         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1719         new_dsec = new_dir->i_security;
1720
1721         COMMON_AUDIT_DATA_INIT(&ad, FS);
1722
1723         ad.u.fs.path.dentry = old_dentry;
1724         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1725                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1726         if (rc)
1727                 return rc;
1728         rc = avc_has_perm(sid, old_isec->sid,
1729                           old_isec->sclass, FILE__RENAME, &ad);
1730         if (rc)
1731                 return rc;
1732         if (old_is_dir && new_dir != old_dir) {
1733                 rc = avc_has_perm(sid, old_isec->sid,
1734                                   old_isec->sclass, DIR__REPARENT, &ad);
1735                 if (rc)
1736                         return rc;
1737         }
1738
1739         ad.u.fs.path.dentry = new_dentry;
1740         av = DIR__ADD_NAME | DIR__SEARCH;
1741         if (new_dentry->d_inode)
1742                 av |= DIR__REMOVE_NAME;
1743         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1744         if (rc)
1745                 return rc;
1746         if (new_dentry->d_inode) {
1747                 new_isec = new_dentry->d_inode->i_security;
1748                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1749                 rc = avc_has_perm(sid, new_isec->sid,
1750                                   new_isec->sclass,
1751                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1752                 if (rc)
1753                         return rc;
1754         }
1755
1756         return 0;
1757 }
1758
1759 /* Check whether a task can perform a filesystem operation. */
1760 static int superblock_has_perm(const struct cred *cred,
1761                                struct super_block *sb,
1762                                u32 perms,
1763                                struct common_audit_data *ad)
1764 {
1765         struct superblock_security_struct *sbsec;
1766         u32 sid = cred_sid(cred);
1767
1768         sbsec = sb->s_security;
1769         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1770 }
1771
1772 /* Convert a Linux mode and permission mask to an access vector. */
1773 static inline u32 file_mask_to_av(int mode, int mask)
1774 {
1775         u32 av = 0;
1776
1777         if ((mode & S_IFMT) != S_IFDIR) {
1778                 if (mask & MAY_EXEC)
1779                         av |= FILE__EXECUTE;
1780                 if (mask & MAY_READ)
1781                         av |= FILE__READ;
1782
1783                 if (mask & MAY_APPEND)
1784                         av |= FILE__APPEND;
1785                 else if (mask & MAY_WRITE)
1786                         av |= FILE__WRITE;
1787
1788         } else {
1789                 if (mask & MAY_EXEC)
1790                         av |= DIR__SEARCH;
1791                 if (mask & MAY_WRITE)
1792                         av |= DIR__WRITE;
1793                 if (mask & MAY_READ)
1794                         av |= DIR__READ;
1795         }
1796
1797         return av;
1798 }
1799
1800 /* Convert a Linux file to an access vector. */
1801 static inline u32 file_to_av(struct file *file)
1802 {
1803         u32 av = 0;
1804
1805         if (file->f_mode & FMODE_READ)
1806                 av |= FILE__READ;
1807         if (file->f_mode & FMODE_WRITE) {
1808                 if (file->f_flags & O_APPEND)
1809                         av |= FILE__APPEND;
1810                 else
1811                         av |= FILE__WRITE;
1812         }
1813         if (!av) {
1814                 /*
1815                  * Special file opened with flags 3 for ioctl-only use.
1816                  */
1817                 av = FILE__IOCTL;
1818         }
1819
1820         return av;
1821 }
1822
1823 /*
1824  * Convert a file to an access vector and include the correct open
1825  * open permission.
1826  */
1827 static inline u32 open_file_to_av(struct file *file)
1828 {
1829         u32 av = file_to_av(file);
1830
1831         if (selinux_policycap_openperm) {
1832                 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1833                 /*
1834                  * lnk files and socks do not really have an 'open'
1835                  */
1836                 if (S_ISREG(mode))
1837                         av |= FILE__OPEN;
1838                 else if (S_ISCHR(mode))
1839                         av |= CHR_FILE__OPEN;
1840                 else if (S_ISBLK(mode))
1841                         av |= BLK_FILE__OPEN;
1842                 else if (S_ISFIFO(mode))
1843                         av |= FIFO_FILE__OPEN;
1844                 else if (S_ISDIR(mode))
1845                         av |= DIR__OPEN;
1846                 else if (S_ISSOCK(mode))
1847                         av |= SOCK_FILE__OPEN;
1848                 else
1849                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1850                                 "unknown mode:%o\n", __func__, mode);
1851         }
1852         return av;
1853 }
1854
1855 /* Hook functions begin here. */
1856
1857 static int selinux_ptrace_access_check(struct task_struct *child,
1858                                      unsigned int mode)
1859 {
1860         int rc;
1861
1862         rc = cap_ptrace_access_check(child, mode);
1863         if (rc)
1864                 return rc;
1865
1866         if (mode == PTRACE_MODE_READ) {
1867                 u32 sid = current_sid();
1868                 u32 csid = task_sid(child);
1869                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1870         }
1871
1872         return current_has_perm(child, PROCESS__PTRACE);
1873 }
1874
1875 static int selinux_ptrace_traceme(struct task_struct *parent)
1876 {
1877         int rc;
1878
1879         rc = cap_ptrace_traceme(parent);
1880         if (rc)
1881                 return rc;
1882
1883         return task_has_perm(parent, current, PROCESS__PTRACE);
1884 }
1885
1886 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1887                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1888 {
1889         int error;
1890
1891         error = current_has_perm(target, PROCESS__GETCAP);
1892         if (error)
1893                 return error;
1894
1895         return cap_capget(target, effective, inheritable, permitted);
1896 }
1897
1898 static int selinux_capset(struct cred *new, const struct cred *old,
1899                           const kernel_cap_t *effective,
1900                           const kernel_cap_t *inheritable,
1901                           const kernel_cap_t *permitted)
1902 {
1903         int error;
1904
1905         error = cap_capset(new, old,
1906                                       effective, inheritable, permitted);
1907         if (error)
1908                 return error;
1909
1910         return cred_has_perm(old, new, PROCESS__SETCAP);
1911 }
1912
1913 /*
1914  * (This comment used to live with the selinux_task_setuid hook,
1915  * which was removed).
1916  *
1917  * Since setuid only affects the current process, and since the SELinux
1918  * controls are not based on the Linux identity attributes, SELinux does not
1919  * need to control this operation.  However, SELinux does control the use of
1920  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1921  */
1922
1923 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1924                            int cap, int audit)
1925 {
1926         int rc;
1927
1928         rc = cap_capable(tsk, cred, cap, audit);
1929         if (rc)
1930                 return rc;
1931
1932         return task_has_capability(tsk, cred, cap, audit);
1933 }
1934
1935 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1936 {
1937         int buflen, rc;
1938         char *buffer, *path, *end;
1939
1940         rc = -ENOMEM;
1941         buffer = (char *)__get_free_page(GFP_KERNEL);
1942         if (!buffer)
1943                 goto out;
1944
1945         buflen = PAGE_SIZE;
1946         end = buffer+buflen;
1947         *--end = '\0';
1948         buflen--;
1949         path = end-1;
1950         *path = '/';
1951         while (table) {
1952                 const char *name = table->procname;
1953                 size_t namelen = strlen(name);
1954                 buflen -= namelen + 1;
1955                 if (buflen < 0)
1956                         goto out_free;
1957                 end -= namelen;
1958                 memcpy(end, name, namelen);
1959                 *--end = '/';
1960                 path = end;
1961                 table = table->parent;
1962         }
1963         buflen -= 4;
1964         if (buflen < 0)
1965                 goto out_free;
1966         end -= 4;
1967         memcpy(end, "/sys", 4);
1968         path = end;
1969         rc = security_genfs_sid("proc", path, tclass, sid);
1970 out_free:
1971         free_page((unsigned long)buffer);
1972 out:
1973         return rc;
1974 }
1975
1976 static int selinux_sysctl(ctl_table *table, int op)
1977 {
1978         int error = 0;
1979         u32 av;
1980         u32 tsid, sid;
1981         int rc;
1982
1983         sid = current_sid();
1984
1985         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1986                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1987         if (rc) {
1988                 /* Default to the well-defined sysctl SID. */
1989                 tsid = SECINITSID_SYSCTL;
1990         }
1991
1992         /* The op values are "defined" in sysctl.c, thereby creating
1993          * a bad coupling between this module and sysctl.c */
1994         if (op == 001) {
1995                 error = avc_has_perm(sid, tsid,
1996                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1997         } else {
1998                 av = 0;
1999                 if (op & 004)
2000                         av |= FILE__READ;
2001                 if (op & 002)
2002                         av |= FILE__WRITE;
2003                 if (av)
2004                         error = avc_has_perm(sid, tsid,
2005                                              SECCLASS_FILE, av, NULL);
2006         }
2007
2008         return error;
2009 }
2010
2011 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2012 {
2013         const struct cred *cred = current_cred();
2014         int rc = 0;
2015
2016         if (!sb)
2017                 return 0;
2018
2019         switch (cmds) {
2020         case Q_SYNC:
2021         case Q_QUOTAON:
2022         case Q_QUOTAOFF:
2023         case Q_SETINFO:
2024         case Q_SETQUOTA:
2025                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2026                 break;
2027         case Q_GETFMT:
2028         case Q_GETINFO:
2029         case Q_GETQUOTA:
2030                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2031                 break;
2032         default:
2033                 rc = 0;  /* let the kernel handle invalid cmds */
2034                 break;
2035         }
2036         return rc;
2037 }
2038
2039 static int selinux_quota_on(struct dentry *dentry)
2040 {
2041         const struct cred *cred = current_cred();
2042
2043         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
2044 }
2045
2046 static int selinux_syslog(int type, bool from_file)
2047 {
2048         int rc;
2049
2050         rc = cap_syslog(type, from_file);
2051         if (rc)
2052                 return rc;
2053
2054         switch (type) {
2055         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2056         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2057                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2058                 break;
2059         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2060         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2061         /* Set level of messages printed to console */
2062         case SYSLOG_ACTION_CONSOLE_LEVEL:
2063                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2064                 break;
2065         case SYSLOG_ACTION_CLOSE:       /* Close log */
2066         case SYSLOG_ACTION_OPEN:        /* Open log */
2067         case SYSLOG_ACTION_READ:        /* Read from log */
2068         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
2069         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
2070         default:
2071                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2072                 break;
2073         }
2074         return rc;
2075 }
2076
2077 /*
2078  * Check that a process has enough memory to allocate a new virtual
2079  * mapping. 0 means there is enough memory for the allocation to
2080  * succeed and -ENOMEM implies there is not.
2081  *
2082  * Do not audit the selinux permission check, as this is applied to all
2083  * processes that allocate mappings.
2084  */
2085 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2086 {
2087         int rc, cap_sys_admin = 0;
2088
2089         rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2090                              SECURITY_CAP_NOAUDIT);
2091         if (rc == 0)
2092                 cap_sys_admin = 1;
2093
2094         return __vm_enough_memory(mm, pages, cap_sys_admin);
2095 }
2096
2097 /* binprm security operations */
2098
2099 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2100 {
2101         const struct task_security_struct *old_tsec;
2102         struct task_security_struct *new_tsec;
2103         struct inode_security_struct *isec;
2104         struct common_audit_data ad;
2105         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2106         int rc;
2107
2108         rc = cap_bprm_set_creds(bprm);
2109         if (rc)
2110                 return rc;
2111
2112         /* SELinux context only depends on initial program or script and not
2113          * the script interpreter */
2114         if (bprm->cred_prepared)
2115                 return 0;
2116
2117         old_tsec = current_security();
2118         new_tsec = bprm->cred->security;
2119         isec = inode->i_security;
2120
2121         /* Default to the current task SID. */
2122         new_tsec->sid = old_tsec->sid;
2123         new_tsec->osid = old_tsec->sid;
2124
2125         /* Reset fs, key, and sock SIDs on execve. */
2126         new_tsec->create_sid = 0;
2127         new_tsec->keycreate_sid = 0;
2128         new_tsec->sockcreate_sid = 0;
2129
2130         if (old_tsec->exec_sid) {
2131                 new_tsec->sid = old_tsec->exec_sid;
2132                 /* Reset exec SID on execve. */
2133                 new_tsec->exec_sid = 0;
2134         } else {
2135                 /* Check for a default transition on this program. */
2136                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2137                                              SECCLASS_PROCESS, &new_tsec->sid);
2138                 if (rc)
2139                         return rc;
2140         }
2141
2142         COMMON_AUDIT_DATA_INIT(&ad, FS);
2143         ad.u.fs.path = bprm->file->f_path;
2144
2145         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2146                 new_tsec->sid = old_tsec->sid;
2147
2148         if (new_tsec->sid == old_tsec->sid) {
2149                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2150                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2151                 if (rc)
2152                         return rc;
2153         } else {
2154                 /* Check permissions for the transition. */
2155                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2156                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2157                 if (rc)
2158                         return rc;
2159
2160                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2161                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2162                 if (rc)
2163                         return rc;
2164
2165                 /* Check for shared state */
2166                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2167                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2168                                           SECCLASS_PROCESS, PROCESS__SHARE,
2169                                           NULL);
2170                         if (rc)
2171                                 return -EPERM;
2172                 }
2173
2174                 /* Make sure that anyone attempting to ptrace over a task that
2175                  * changes its SID has the appropriate permit */
2176                 if (bprm->unsafe &
2177                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2178                         struct task_struct *tracer;
2179                         struct task_security_struct *sec;
2180                         u32 ptsid = 0;
2181
2182                         rcu_read_lock();
2183                         tracer = tracehook_tracer_task(current);
2184                         if (likely(tracer != NULL)) {
2185                                 sec = __task_cred(tracer)->security;
2186                                 ptsid = sec->sid;
2187                         }
2188                         rcu_read_unlock();
2189
2190                         if (ptsid != 0) {
2191                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2192                                                   SECCLASS_PROCESS,
2193                                                   PROCESS__PTRACE, NULL);
2194                                 if (rc)
2195                                         return -EPERM;
2196                         }
2197                 }
2198
2199                 /* Clear any possibly unsafe personality bits on exec: */
2200                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2201         }
2202
2203         return 0;
2204 }
2205
2206 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2207 {
2208         const struct cred *cred = current_cred();
2209         const struct task_security_struct *tsec = cred->security;
2210         u32 sid, osid;
2211         int atsecure = 0;
2212
2213         sid = tsec->sid;
2214         osid = tsec->osid;
2215
2216         if (osid != sid) {
2217                 /* Enable secure mode for SIDs transitions unless
2218                    the noatsecure permission is granted between
2219                    the two SIDs, i.e. ahp returns 0. */
2220                 atsecure = avc_has_perm(osid, sid,
2221                                         SECCLASS_PROCESS,
2222                                         PROCESS__NOATSECURE, NULL);
2223         }
2224
2225         return (atsecure || cap_bprm_secureexec(bprm));
2226 }
2227
2228 extern struct vfsmount *selinuxfs_mount;
2229 extern struct dentry *selinux_null;
2230
2231 /* Derived from fs/exec.c:flush_old_files. */
2232 static inline void flush_unauthorized_files(const struct cred *cred,
2233                                             struct files_struct *files)
2234 {
2235         struct common_audit_data ad;
2236         struct file *file, *devnull = NULL;
2237         struct tty_struct *tty;
2238         struct fdtable *fdt;
2239         long j = -1;
2240         int drop_tty = 0;
2241
2242         tty = get_current_tty();
2243         if (tty) {
2244                 file_list_lock();
2245                 if (!list_empty(&tty->tty_files)) {
2246                         struct inode *inode;
2247
2248                         /* Revalidate access to controlling tty.
2249                            Use inode_has_perm on the tty inode directly rather
2250                            than using file_has_perm, as this particular open
2251                            file may belong to another process and we are only
2252                            interested in the inode-based check here. */
2253                         file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2254                         inode = file->f_path.dentry->d_inode;
2255                         if (inode_has_perm(cred, inode,
2256                                            FILE__READ | FILE__WRITE, NULL)) {
2257                                 drop_tty = 1;
2258                         }
2259                 }
2260                 file_list_unlock();
2261                 tty_kref_put(tty);
2262         }
2263         /* Reset controlling tty. */
2264         if (drop_tty)
2265                 no_tty();
2266
2267         /* Revalidate access to inherited open files. */
2268
2269         COMMON_AUDIT_DATA_INIT(&ad, FS);
2270
2271         spin_lock(&files->file_lock);
2272         for (;;) {
2273                 unsigned long set, i;
2274                 int fd;
2275
2276                 j++;
2277                 i = j * __NFDBITS;
2278                 fdt = files_fdtable(files);
2279                 if (i >= fdt->max_fds)
2280                         break;
2281                 set = fdt->open_fds->fds_bits[j];
2282                 if (!set)
2283                         continue;
2284                 spin_unlock(&files->file_lock);
2285                 for ( ; set ; i++, set >>= 1) {
2286                         if (set & 1) {
2287                                 file = fget(i);
2288                                 if (!file)
2289                                         continue;
2290                                 if (file_has_perm(cred,
2291                                                   file,
2292                                                   file_to_av(file))) {
2293                                         sys_close(i);
2294                                         fd = get_unused_fd();
2295                                         if (fd != i) {
2296                                                 if (fd >= 0)
2297                                                         put_unused_fd(fd);
2298                                                 fput(file);
2299                                                 continue;
2300                                         }
2301                                         if (devnull) {
2302                                                 get_file(devnull);
2303                                         } else {
2304                                                 devnull = dentry_open(
2305                                                         dget(selinux_null),
2306                                                         mntget(selinuxfs_mount),
2307                                                         O_RDWR, cred);
2308                                                 if (IS_ERR(devnull)) {
2309                                                         devnull = NULL;
2310                                                         put_unused_fd(fd);
2311                                                         fput(file);
2312                                                         continue;
2313                                                 }
2314                                         }
2315                                         fd_install(fd, devnull);
2316                                 }
2317                                 fput(file);
2318                         }
2319                 }
2320                 spin_lock(&files->file_lock);
2321
2322         }
2323         spin_unlock(&files->file_lock);
2324 }
2325
2326 /*
2327  * Prepare a process for imminent new credential changes due to exec
2328  */
2329 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2330 {
2331         struct task_security_struct *new_tsec;
2332         struct rlimit *rlim, *initrlim;
2333         int rc, i;
2334
2335         new_tsec = bprm->cred->security;
2336         if (new_tsec->sid == new_tsec->osid)
2337                 return;
2338
2339         /* Close files for which the new task SID is not authorized. */
2340         flush_unauthorized_files(bprm->cred, current->files);
2341
2342         /* Always clear parent death signal on SID transitions. */
2343         current->pdeath_signal = 0;
2344
2345         /* Check whether the new SID can inherit resource limits from the old
2346          * SID.  If not, reset all soft limits to the lower of the current
2347          * task's hard limit and the init task's soft limit.
2348          *
2349          * Note that the setting of hard limits (even to lower them) can be
2350          * controlled by the setrlimit check.  The inclusion of the init task's
2351          * soft limit into the computation is to avoid resetting soft limits
2352          * higher than the default soft limit for cases where the default is
2353          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2354          */
2355         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2356                           PROCESS__RLIMITINH, NULL);
2357         if (rc) {
2358                 for (i = 0; i < RLIM_NLIMITS; i++) {
2359                         rlim = current->signal->rlim + i;
2360                         initrlim = init_task.signal->rlim + i;
2361                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2362                 }
2363                 update_rlimit_cpu(current->signal->rlim[RLIMIT_CPU].rlim_cur);
2364         }
2365 }
2366
2367 /*
2368  * Clean up the process immediately after the installation of new credentials
2369  * due to exec
2370  */
2371 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2372 {
2373         const struct task_security_struct *tsec = current_security();
2374         struct itimerval itimer;
2375         u32 osid, sid;
2376         int rc, i;
2377
2378         osid = tsec->osid;
2379         sid = tsec->sid;
2380
2381         if (sid == osid)
2382                 return;
2383
2384         /* Check whether the new SID can inherit signal state from the old SID.
2385          * If not, clear itimers to avoid subsequent signal generation and
2386          * flush and unblock signals.
2387          *
2388          * This must occur _after_ the task SID has been updated so that any
2389          * kill done after the flush will be checked against the new SID.
2390          */
2391         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2392         if (rc) {
2393                 memset(&itimer, 0, sizeof itimer);
2394                 for (i = 0; i < 3; i++)
2395                         do_setitimer(i, &itimer, NULL);
2396                 spin_lock_irq(&current->sighand->siglock);
2397                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2398                         __flush_signals(current);
2399                         flush_signal_handlers(current, 1);
2400                         sigemptyset(&current->blocked);
2401                 }
2402                 spin_unlock_irq(&current->sighand->siglock);
2403         }
2404
2405         /* Wake up the parent if it is waiting so that it can recheck
2406          * wait permission to the new task SID. */
2407         read_lock(&tasklist_lock);
2408         __wake_up_parent(current, current->real_parent);
2409         read_unlock(&tasklist_lock);
2410 }
2411
2412 /* superblock security operations */
2413
2414 static int selinux_sb_alloc_security(struct super_block *sb)
2415 {
2416         return superblock_alloc_security(sb);
2417 }
2418
2419 static void selinux_sb_free_security(struct super_block *sb)
2420 {
2421         superblock_free_security(sb);
2422 }
2423
2424 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2425 {
2426         if (plen > olen)
2427                 return 0;
2428
2429         return !memcmp(prefix, option, plen);
2430 }
2431
2432 static inline int selinux_option(char *option, int len)
2433 {
2434         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2435                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2436                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2437                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2438                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2439 }
2440
2441 static inline void take_option(char **to, char *from, int *first, int len)
2442 {
2443         if (!*first) {
2444                 **to = ',';
2445                 *to += 1;
2446         } else
2447                 *first = 0;
2448         memcpy(*to, from, len);
2449         *to += len;
2450 }
2451
2452 static inline void take_selinux_option(char **to, char *from, int *first,
2453                                        int len)
2454 {
2455         int current_size = 0;
2456
2457         if (!*first) {
2458                 **to = '|';
2459                 *to += 1;
2460         } else
2461                 *first = 0;
2462
2463         while (current_size < len) {
2464                 if (*from != '"') {
2465                         **to = *from;
2466                         *to += 1;
2467                 }
2468                 from += 1;
2469                 current_size += 1;
2470         }
2471 }
2472
2473 static int selinux_sb_copy_data(char *orig, char *copy)
2474 {
2475         int fnosec, fsec, rc = 0;
2476         char *in_save, *in_curr, *in_end;
2477         char *sec_curr, *nosec_save, *nosec;
2478         int open_quote = 0;
2479
2480         in_curr = orig;
2481         sec_curr = copy;
2482
2483         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2484         if (!nosec) {
2485                 rc = -ENOMEM;
2486                 goto out;
2487         }
2488
2489         nosec_save = nosec;
2490         fnosec = fsec = 1;
2491         in_save = in_end = orig;
2492
2493         do {
2494                 if (*in_end == '"')
2495                         open_quote = !open_quote;
2496                 if ((*in_end == ',' && open_quote == 0) ||
2497                                 *in_end == '\0') {
2498                         int len = in_end - in_curr;
2499
2500                         if (selinux_option(in_curr, len))
2501                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2502                         else
2503                                 take_option(&nosec, in_curr, &fnosec, len);
2504
2505                         in_curr = in_end + 1;
2506                 }
2507         } while (*in_end++);
2508
2509         strcpy(in_save, nosec_save);
2510         free_page((unsigned long)nosec_save);
2511 out:
2512         return rc;
2513 }
2514
2515 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2516 {
2517         const struct cred *cred = current_cred();
2518         struct common_audit_data ad;
2519         int rc;
2520
2521         rc = superblock_doinit(sb, data);
2522         if (rc)
2523                 return rc;
2524
2525         /* Allow all mounts performed by the kernel */
2526         if (flags & MS_KERNMOUNT)
2527                 return 0;
2528
2529         COMMON_AUDIT_DATA_INIT(&ad, FS);
2530         ad.u.fs.path.dentry = sb->s_root;
2531         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2532 }
2533
2534 static int selinux_sb_statfs(struct dentry *dentry)
2535 {
2536         const struct cred *cred = current_cred();
2537         struct common_audit_data ad;
2538
2539         COMMON_AUDIT_DATA_INIT(&ad, FS);
2540         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2541         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2542 }
2543
2544 static int selinux_mount(char *dev_name,
2545                          struct path *path,
2546                          char *type,
2547                          unsigned long flags,
2548                          void *data)
2549 {
2550         const struct cred *cred = current_cred();
2551
2552         if (flags & MS_REMOUNT)
2553                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2554                                            FILESYSTEM__REMOUNT, NULL);
2555         else
2556                 return dentry_has_perm(cred, path->mnt, path->dentry,
2557                                        FILE__MOUNTON);
2558 }
2559
2560 static int selinux_umount(struct vfsmount *mnt, int flags)
2561 {
2562         const struct cred *cred = current_cred();
2563
2564         return superblock_has_perm(cred, mnt->mnt_sb,
2565                                    FILESYSTEM__UNMOUNT, NULL);
2566 }
2567
2568 /* inode security operations */
2569
2570 static int selinux_inode_alloc_security(struct inode *inode)
2571 {
2572         return inode_alloc_security(inode);
2573 }
2574
2575 static void selinux_inode_free_security(struct inode *inode)
2576 {
2577         inode_free_security(inode);
2578 }
2579
2580 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2581                                        char **name, void **value,
2582                                        size_t *len)
2583 {
2584         const struct cred *cred = current_cred();
2585         const struct task_security_struct *tsec = cred->security;
2586         struct inode_security_struct *dsec;
2587         struct superblock_security_struct *sbsec;
2588         u32 sid, newsid, clen;
2589         int rc;
2590         char *namep = NULL, *context;
2591
2592         dsec = dir->i_security;
2593         sbsec = dir->i_sb->s_security;
2594
2595         sid = tsec->sid;
2596         newsid = tsec->create_sid;
2597
2598         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2599                 rc = security_transition_sid(sid, dsec->sid,
2600                                              inode_mode_to_security_class(inode->i_mode),
2601                                              &newsid);
2602                 if (rc) {
2603                         printk(KERN_WARNING "%s:  "
2604                                "security_transition_sid failed, rc=%d (dev=%s "
2605                                "ino=%ld)\n",
2606                                __func__,
2607                                -rc, inode->i_sb->s_id, inode->i_ino);
2608                         return rc;
2609                 }
2610         }
2611
2612         /* Possibly defer initialization to selinux_complete_init. */
2613         if (sbsec->flags & SE_SBINITIALIZED) {
2614                 struct inode_security_struct *isec = inode->i_security;
2615                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2616                 isec->sid = newsid;
2617                 isec->initialized = 1;
2618         }
2619
2620         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2621                 return -EOPNOTSUPP;
2622
2623         if (name) {
2624                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2625                 if (!namep)
2626                         return -ENOMEM;
2627                 *name = namep;
2628         }
2629
2630         if (value && len) {
2631                 rc = security_sid_to_context_force(newsid, &context, &clen);
2632                 if (rc) {
2633                         kfree(namep);
2634                         return rc;
2635                 }
2636                 *value = context;
2637                 *len = clen;
2638         }
2639
2640         return 0;
2641 }
2642
2643 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2644 {
2645         return may_create(dir, dentry, SECCLASS_FILE);
2646 }
2647
2648 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2649 {
2650         return may_link(dir, old_dentry, MAY_LINK);
2651 }
2652
2653 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2654 {
2655         return may_link(dir, dentry, MAY_UNLINK);
2656 }
2657
2658 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2659 {
2660         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2661 }
2662
2663 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2664 {
2665         return may_create(dir, dentry, SECCLASS_DIR);
2666 }
2667
2668 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2669 {
2670         return may_link(dir, dentry, MAY_RMDIR);
2671 }
2672
2673 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2674 {
2675         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2676 }
2677
2678 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2679                                 struct inode *new_inode, struct dentry *new_dentry)
2680 {
2681         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2682 }
2683
2684 static int selinux_inode_readlink(struct dentry *dentry)
2685 {
2686         const struct cred *cred = current_cred();
2687
2688         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2689 }
2690
2691 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2692 {
2693         const struct cred *cred = current_cred();
2694
2695         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2696 }
2697
2698 static int selinux_inode_permission(struct inode *inode, int mask)
2699 {
2700         const struct cred *cred = current_cred();
2701
2702         if (!mask) {
2703                 /* No permission to check.  Existence test. */
2704                 return 0;
2705         }
2706
2707         return inode_has_perm(cred, inode,
2708                               file_mask_to_av(inode->i_mode, mask), NULL);
2709 }
2710
2711 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2712 {
2713         const struct cred *cred = current_cred();
2714         unsigned int ia_valid = iattr->ia_valid;
2715
2716         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2717         if (ia_valid & ATTR_FORCE) {
2718                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2719                               ATTR_FORCE);
2720                 if (!ia_valid)
2721                         return 0;
2722         }
2723
2724         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2725                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2726                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2727
2728         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2729 }
2730
2731 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2732 {
2733         const struct cred *cred = current_cred();
2734
2735         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2736 }
2737
2738 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2739 {
2740         const struct cred *cred = current_cred();
2741
2742         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2743                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2744                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2745                         if (!capable(CAP_SETFCAP))
2746                                 return -EPERM;
2747                 } else if (!capable(CAP_SYS_ADMIN)) {
2748                         /* A different attribute in the security namespace.
2749                            Restrict to administrator. */
2750                         return -EPERM;
2751                 }
2752         }
2753
2754         /* Not an attribute we recognize, so just check the
2755            ordinary setattr permission. */
2756         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2757 }
2758
2759 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2760                                   const void *value, size_t size, int flags)
2761 {
2762         struct inode *inode = dentry->d_inode;
2763         struct inode_security_struct *isec = inode->i_security;
2764         struct superblock_security_struct *sbsec;
2765         struct common_audit_data ad;
2766         u32 newsid, sid = current_sid();
2767         int rc = 0;
2768
2769         if (strcmp(name, XATTR_NAME_SELINUX))
2770                 return selinux_inode_setotherxattr(dentry, name);
2771
2772         sbsec = inode->i_sb->s_security;
2773         if (!(sbsec->flags & SE_SBLABELSUPP))
2774                 return -EOPNOTSUPP;
2775
2776         if (!is_owner_or_cap(inode))
2777                 return -EPERM;
2778
2779         COMMON_AUDIT_DATA_INIT(&ad, FS);
2780         ad.u.fs.path.dentry = dentry;
2781
2782         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2783                           FILE__RELABELFROM, &ad);
2784         if (rc)
2785                 return rc;
2786
2787         rc = security_context_to_sid(value, size, &newsid);
2788         if (rc == -EINVAL) {
2789                 if (!capable(CAP_MAC_ADMIN))
2790                         return rc;
2791                 rc = security_context_to_sid_force(value, size, &newsid);
2792         }
2793         if (rc)
2794                 return rc;
2795
2796         rc = avc_has_perm(sid, newsid, isec->sclass,
2797                           FILE__RELABELTO, &ad);
2798         if (rc)
2799                 return rc;
2800
2801         rc = security_validate_transition(isec->sid, newsid, sid,
2802                                           isec->sclass);
2803         if (rc)
2804                 return rc;
2805
2806         return avc_has_perm(newsid,
2807                             sbsec->sid,
2808                             SECCLASS_FILESYSTEM,
2809                             FILESYSTEM__ASSOCIATE,
2810                             &ad);
2811 }
2812
2813 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2814                                         const void *value, size_t size,
2815                                         int flags)
2816 {
2817         struct inode *inode = dentry->d_inode;
2818         struct inode_security_struct *isec = inode->i_security;
2819         u32 newsid;
2820         int rc;
2821
2822         if (strcmp(name, XATTR_NAME_SELINUX)) {
2823                 /* Not an attribute we recognize, so nothing to do. */
2824                 return;
2825         }
2826
2827         rc = security_context_to_sid_force(value, size, &newsid);
2828         if (rc) {
2829                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2830                        "for (%s, %lu), rc=%d\n",
2831                        inode->i_sb->s_id, inode->i_ino, -rc);
2832                 return;
2833         }
2834
2835         isec->sid = newsid;
2836         return;
2837 }
2838
2839 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2840 {
2841         const struct cred *cred = current_cred();
2842
2843         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2844 }
2845
2846 static int selinux_inode_listxattr(struct dentry *dentry)
2847 {
2848         const struct cred *cred = current_cred();
2849
2850         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2851 }
2852
2853 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2854 {
2855         if (strcmp(name, XATTR_NAME_SELINUX))
2856                 return selinux_inode_setotherxattr(dentry, name);
2857
2858         /* No one is allowed to remove a SELinux security label.
2859            You can change the label, but all data must be labeled. */
2860         return -EACCES;
2861 }
2862
2863 /*
2864  * Copy the inode security context value to the user.
2865  *
2866  * Permission check is handled by selinux_inode_getxattr hook.
2867  */
2868 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2869 {
2870         u32 size;
2871         int error;
2872         char *context = NULL;
2873         struct inode_security_struct *isec = inode->i_security;
2874
2875         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2876                 return -EOPNOTSUPP;
2877
2878         /*
2879          * If the caller has CAP_MAC_ADMIN, then get the raw context
2880          * value even if it is not defined by current policy; otherwise,
2881          * use the in-core value under current policy.
2882          * Use the non-auditing forms of the permission checks since
2883          * getxattr may be called by unprivileged processes commonly
2884          * and lack of permission just means that we fall back to the
2885          * in-core context value, not a denial.
2886          */
2887         error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2888                                 SECURITY_CAP_NOAUDIT);
2889         if (!error)
2890                 error = security_sid_to_context_force(isec->sid, &context,
2891                                                       &size);
2892         else
2893                 error = security_sid_to_context(isec->sid, &context, &size);
2894         if (error)
2895                 return error;
2896         error = size;
2897         if (alloc) {
2898                 *buffer = context;
2899                 goto out_nofree;
2900         }
2901         kfree(context);
2902 out_nofree:
2903         return error;
2904 }
2905
2906 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2907                                      const void *value, size_t size, int flags)
2908 {
2909         struct inode_security_struct *isec = inode->i_security;
2910         u32 newsid;
2911         int rc;
2912
2913         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2914                 return -EOPNOTSUPP;
2915
2916         if (!value || !size)
2917                 return -EACCES;
2918
2919         rc = security_context_to_sid((void *)value, size, &newsid);
2920         if (rc)
2921                 return rc;
2922
2923         isec->sid = newsid;
2924         isec->initialized = 1;
2925         return 0;
2926 }
2927
2928 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2929 {
2930         const int len = sizeof(XATTR_NAME_SELINUX);
2931         if (buffer && len <= buffer_size)
2932                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2933         return len;
2934 }
2935
2936 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2937 {
2938         struct inode_security_struct *isec = inode->i_security;
2939         *secid = isec->sid;
2940 }
2941
2942 /* file security operations */
2943
2944 static int selinux_revalidate_file_permission(struct file *file, int mask)
2945 {
2946         const struct cred *cred = current_cred();
2947         struct inode *inode = file->f_path.dentry->d_inode;
2948
2949         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2950         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2951                 mask |= MAY_APPEND;
2952
2953         return file_has_perm(cred, file,
2954                              file_mask_to_av(inode->i_mode, mask));
2955 }
2956
2957 static int selinux_file_permission(struct file *file, int mask)
2958 {
2959         struct inode *inode = file->f_path.dentry->d_inode;
2960         struct file_security_struct *fsec = file->f_security;
2961         struct inode_security_struct *isec = inode->i_security;
2962         u32 sid = current_sid();
2963
2964         if (!mask)
2965                 /* No permission to check.  Existence test. */
2966                 return 0;
2967
2968         if (sid == fsec->sid && fsec->isid == isec->sid &&
2969             fsec->pseqno == avc_policy_seqno())
2970                 /* No change since dentry_open check. */
2971                 return 0;
2972
2973         return selinux_revalidate_file_permission(file, mask);
2974 }
2975
2976 static int selinux_file_alloc_security(struct file *file)
2977 {
2978         return file_alloc_security(file);
2979 }
2980
2981 static void selinux_file_free_security(struct file *file)
2982 {
2983         file_free_security(file);
2984 }
2985
2986 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2987                               unsigned long arg)
2988 {
2989         const struct cred *cred = current_cred();
2990         u32 av = 0;
2991
2992         if (_IOC_DIR(cmd) & _IOC_WRITE)
2993                 av |= FILE__WRITE;
2994         if (_IOC_DIR(cmd) & _IOC_READ)
2995                 av |= FILE__READ;
2996         if (!av)
2997                 av = FILE__IOCTL;
2998
2999         return file_has_perm(cred, file, av);
3000 }
3001
3002 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3003 {
3004         const struct cred *cred = current_cred();
3005         int rc = 0;
3006
3007 #ifndef CONFIG_PPC32
3008         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3009                 /*
3010                  * We are making executable an anonymous mapping or a
3011                  * private file mapping that will also be writable.
3012                  * This has an additional check.
3013                  */
3014                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3015                 if (rc)
3016                         goto error;
3017         }
3018 #endif
3019
3020         if (file) {
3021                 /* read access is always possible with a mapping */
3022                 u32 av = FILE__READ;
3023
3024                 /* write access only matters if the mapping is shared */
3025                 if (shared && (prot & PROT_WRITE))
3026                         av |= FILE__WRITE;
3027
3028                 if (prot & PROT_EXEC)
3029                         av |= FILE__EXECUTE;
3030
3031                 return file_has_perm(cred, file, av);
3032         }
3033
3034 error:
3035         return rc;
3036 }
3037
3038 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3039                              unsigned long prot, unsigned long flags,
3040                              unsigned long addr, unsigned long addr_only)
3041 {
3042         int rc = 0;
3043         u32 sid = current_sid();
3044
3045         /*
3046          * notice that we are intentionally putting the SELinux check before
3047          * the secondary cap_file_mmap check.  This is such a likely attempt
3048          * at bad behaviour/exploit that we always want to get the AVC, even
3049          * if DAC would have also denied the operation.
3050          */
3051         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3052                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3053                                   MEMPROTECT__MMAP_ZERO, NULL);
3054                 if (rc)
3055                         return rc;
3056         }
3057
3058         /* do DAC check on address space usage */
3059         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3060         if (rc || addr_only)
3061                 return rc;
3062
3063         if (selinux_checkreqprot)
3064                 prot = reqprot;
3065
3066         return file_map_prot_check(file, prot,
3067                                    (flags & MAP_TYPE) == MAP_SHARED);
3068 }
3069
3070 static int selinux_file_mprotect(struct vm_area_struct *vma,
3071                                  unsigned long reqprot,
3072                                  unsigned long prot)
3073 {
3074         const struct cred *cred = current_cred();
3075
3076         if (selinux_checkreqprot)
3077                 prot = reqprot;
3078
3079 #ifndef CONFIG_PPC32
3080         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3081                 int rc = 0;
3082                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3083                     vma->vm_end <= vma->vm_mm->brk) {
3084                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3085                 } else if (!vma->vm_file &&
3086                            vma->vm_start <= vma->vm_mm->start_stack &&
3087                            vma->vm_end >= vma->vm_mm->start_stack) {
3088                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3089                 } else if (vma->vm_file && vma->anon_vma) {
3090                         /*
3091                          * We are making executable a file mapping that has
3092                          * had some COW done. Since pages might have been
3093                          * written, check ability to execute the possibly
3094                          * modified content.  This typically should only
3095                          * occur for text relocations.
3096                          */
3097                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3098                 }
3099                 if (rc)
3100                         return rc;
3101         }
3102 #endif
3103
3104         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3105 }
3106
3107 static int selinux_file_lock(struct file *file, unsigned int cmd)
3108 {
3109         const struct cred *cred = current_cred();
3110
3111         return file_has_perm(cred, file, FILE__LOCK);
3112 }
3113
3114 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3115                               unsigned long arg)
3116 {
3117         const struct cred *cred = current_cred();
3118         int err = 0;
3119
3120         switch (cmd) {
3121         case F_SETFL:
3122                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3123                         err = -EINVAL;
3124                         break;
3125                 }
3126
3127                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3128                         err = file_has_perm(cred, file, FILE__WRITE);
3129                         break;
3130                 }
3131                 /* fall through */
3132         case F_SETOWN:
3133         case F_SETSIG:
3134         case F_GETFL:
3135         case F_GETOWN:
3136         case F_GETSIG:
3137                 /* Just check FD__USE permission */
3138                 err = file_has_perm(cred, file, 0);
3139                 break;
3140         case F_GETLK:
3141         case F_SETLK:
3142         case F_SETLKW:
3143 #if BITS_PER_LONG == 32
3144         case F_GETLK64:
3145         case F_SETLK64:
3146         case F_SETLKW64:
3147 #endif
3148                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3149                         err = -EINVAL;
3150                         break;
3151                 }
3152                 err = file_has_perm(cred, file, FILE__LOCK);
3153                 break;
3154         }
3155
3156         return err;
3157 }
3158
3159 static int selinux_file_set_fowner(struct file *file)
3160 {
3161         struct file_security_struct *fsec;
3162
3163         fsec = file->f_security;
3164         fsec->fown_sid = current_sid();
3165
3166         return 0;
3167 }
3168
3169 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3170                                        struct fown_struct *fown, int signum)
3171 {
3172         struct file *file;
3173         u32 sid = task_sid(tsk);
3174         u32 perm;
3175         struct file_security_struct *fsec;
3176
3177         /* struct fown_struct is never outside the context of a struct file */
3178         file = container_of(fown, struct file, f_owner);
3179
3180         fsec = file->f_security;
3181
3182         if (!signum)
3183                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3184         else
3185                 perm = signal_to_av(signum);
3186
3187         return avc_has_perm(fsec->fown_sid, sid,
3188                             SECCLASS_PROCESS, perm, NULL);
3189 }
3190
3191 static int selinux_file_receive(struct file *file)
3192 {
3193         const struct cred *cred = current_cred();
3194
3195         return file_has_perm(cred, file, file_to_av(file));
3196 }
3197
3198 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3199 {
3200         struct file_security_struct *fsec;
3201         struct inode *inode;
3202         struct inode_security_struct *isec;
3203
3204         inode = file->f_path.dentry->d_inode;
3205         fsec = file->f_security;
3206         isec = inode->i_security;
3207         /*
3208          * Save inode label and policy sequence number
3209          * at open-time so that selinux_file_permission
3210          * can determine whether revalidation is necessary.
3211          * Task label is already saved in the file security
3212          * struct as its SID.
3213          */
3214         fsec->isid = isec->sid;
3215         fsec->pseqno = avc_policy_seqno();
3216         /*
3217          * Since the inode label or policy seqno may have changed
3218          * between the selinux_inode_permission check and the saving
3219          * of state above, recheck that access is still permitted.
3220          * Otherwise, access might never be revalidated against the
3221          * new inode label or new policy.
3222          * This check is not redundant - do not remove.
3223          */
3224         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3225 }
3226
3227 /* task security operations */
3228
3229 static int selinux_task_create(unsigned long clone_flags)
3230 {
3231         return current_has_perm(current, PROCESS__FORK);
3232 }
3233
3234 /*
3235  * allocate the SELinux part of blank credentials
3236  */
3237 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3238 {
3239         struct task_security_struct *tsec;
3240
3241         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3242         if (!tsec)
3243                 return -ENOMEM;
3244
3245         cred->security = tsec;
3246         return 0;
3247 }
3248
3249 /*
3250  * detach and free the LSM part of a set of credentials
3251  */
3252 static void selinux_cred_free(struct cred *cred)
3253 {
3254         struct task_security_struct *tsec = cred->security;
3255
3256         BUG_ON((unsigned long) cred->security < PAGE_SIZE);
3257         cred->security = (void *) 0x7UL;
3258         kfree(tsec);
3259 }
3260
3261 /*
3262  * prepare a new set of credentials for modification
3263  */
3264 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3265                                 gfp_t gfp)
3266 {
3267         const struct task_security_struct *old_tsec;
3268         struct task_security_struct *tsec;
3269
3270         old_tsec = old->security;
3271
3272         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3273         if (!tsec)
3274                 return -ENOMEM;
3275
3276         new->security = tsec;
3277         return 0;
3278 }
3279
3280 /*
3281  * transfer the SELinux data to a blank set of creds
3282  */
3283 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3284 {
3285         const struct task_security_struct *old_tsec = old->security;
3286         struct task_security_struct *tsec = new->security;
3287
3288         *tsec = *old_tsec;
3289 }
3290
3291 /*
3292  * set the security data for a kernel service
3293  * - all the creation contexts are set to unlabelled
3294  */
3295 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3296 {
3297         struct task_security_struct *tsec = new->security;
3298         u32 sid = current_sid();
3299         int ret;
3300
3301         ret = avc_has_perm(sid, secid,
3302                            SECCLASS_KERNEL_SERVICE,
3303                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3304                            NULL);
3305         if (ret == 0) {
3306                 tsec->sid = secid;
3307                 tsec->create_sid = 0;
3308                 tsec->keycreate_sid = 0;
3309                 tsec->sockcreate_sid = 0;
3310         }
3311         return ret;
3312 }
3313
3314 /*
3315  * set the file creation context in a security record to the same as the
3316  * objective context of the specified inode
3317  */
3318 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3319 {
3320         struct inode_security_struct *isec = inode->i_security;
3321         struct task_security_struct *tsec = new->security;
3322         u32 sid = current_sid();
3323         int ret;
3324
3325         ret = avc_has_perm(sid, isec->sid,
3326                            SECCLASS_KERNEL_SERVICE,
3327                            KERNEL_SERVICE__CREATE_FILES_AS,
3328                            NULL);
3329
3330         if (ret == 0)
3331                 tsec->create_sid = isec->sid;
3332         return ret;
3333 }
3334
3335 static int selinux_kernel_module_request(char *kmod_name)
3336 {
3337         u32 sid;
3338         struct common_audit_data ad;
3339
3340         sid = task_sid(current);
3341
3342         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3343         ad.u.kmod_name = kmod_name;
3344
3345         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3346                             SYSTEM__MODULE_REQUEST, &ad);
3347 }
3348
3349 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3350 {
3351         return current_has_perm(p, PROCESS__SETPGID);
3352 }
3353
3354 static int selinux_task_getpgid(struct task_struct *p)
3355 {
3356         return current_has_perm(p, PROCESS__GETPGID);
3357 }
3358
3359 static int selinux_task_getsid(struct task_struct *p)
3360 {
3361         return current_has_perm(p, PROCESS__GETSESSION);
3362 }
3363
3364 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3365 {
3366         *secid = task_sid(p);
3367 }
3368
3369 static int selinux_task_setnice(struct task_struct *p, int nice)
3370 {
3371         int rc;
3372
3373         rc = cap_task_setnice(p, nice);
3374         if (rc)
3375                 return rc;
3376
3377         return current_has_perm(p, PROCESS__SETSCHED);
3378 }
3379
3380 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3381 {
3382         int rc;
3383
3384         rc = cap_task_setioprio(p, ioprio);
3385         if (rc)
3386                 return rc;
3387
3388         return current_has_perm(p, PROCESS__SETSCHED);
3389 }
3390
3391 static int selinux_task_getioprio(struct task_struct *p)
3392 {
3393         return current_has_perm(p, PROCESS__GETSCHED);
3394 }
3395
3396 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3397 {
3398         struct rlimit *old_rlim = current->signal->rlim + resource;
3399
3400         /* Control the ability to change the hard limit (whether
3401            lowering or raising it), so that the hard limit can
3402            later be used as a safe reset point for the soft limit
3403            upon context transitions.  See selinux_bprm_committing_creds. */
3404         if (old_rlim->rlim_max != new_rlim->rlim_max)
3405                 return current_has_perm(current, PROCESS__SETRLIMIT);
3406
3407         return 0;
3408 }
3409
3410 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3411 {
3412         int rc;
3413
3414         rc = cap_task_setscheduler(p, policy, lp);
3415         if (rc)
3416                 return rc;
3417
3418         return current_has_perm(p, PROCESS__SETSCHED);
3419 }
3420
3421 static int selinux_task_getscheduler(struct task_struct *p)
3422 {
3423         return current_has_perm(p, PROCESS__GETSCHED);
3424 }
3425
3426 static int selinux_task_movememory(struct task_struct *p)
3427 {
3428         return current_has_perm(p, PROCESS__SETSCHED);
3429 }
3430
3431 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3432                                 int sig, u32 secid)
3433 {
3434         u32 perm;
3435         int rc;
3436
3437         if (!sig)
3438                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3439         else
3440                 perm = signal_to_av(sig);
3441         if (secid)
3442                 rc = avc_has_perm(secid, task_sid(p),
3443                                   SECCLASS_PROCESS, perm, NULL);
3444         else
3445                 rc = current_has_perm(p, perm);
3446         return rc;
3447 }
3448
3449 static int selinux_task_wait(struct task_struct *p)
3450 {
3451         return task_has_perm(p, current, PROCESS__SIGCHLD);
3452 }
3453
3454 static void selinux_task_to_inode(struct task_struct *p,
3455                                   struct inode *inode)
3456 {
3457         struct inode_security_struct *isec = inode->i_security;
3458         u32 sid = task_sid(p);
3459
3460         isec->sid = sid;
3461         isec->initialized = 1;
3462 }
3463
3464 /* Returns error only if unable to parse addresses */
3465 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3466                         struct common_audit_data *ad, u8 *proto)
3467 {
3468         int offset, ihlen, ret = -EINVAL;
3469         struct iphdr _iph, *ih;
3470
3471         offset = skb_network_offset(skb);
3472         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3473         if (ih == NULL)
3474                 goto out;
3475
3476         ihlen = ih->ihl * 4;
3477         if (ihlen < sizeof(_iph))
3478                 goto out;
3479
3480         ad->u.net.v4info.saddr = ih->saddr;
3481         ad->u.net.v4info.daddr = ih->daddr;
3482         ret = 0;
3483
3484         if (proto)
3485                 *proto = ih->protocol;
3486
3487         switch (ih->protocol) {
3488         case IPPROTO_TCP: {
3489                 struct tcphdr _tcph, *th;
3490
3491                 if (ntohs(ih->frag_off) & IP_OFFSET)
3492                         break;
3493
3494                 offset += ihlen;
3495                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3496                 if (th == NULL)
3497                         break;
3498
3499                 ad->u.net.sport = th->source;
3500                 ad->u.net.dport = th->dest;
3501                 break;
3502         }
3503
3504         case IPPROTO_UDP: {
3505                 struct udphdr _udph, *uh;
3506
3507                 if (ntohs(ih->frag_off) & IP_OFFSET)
3508                         break;
3509
3510                 offset += ihlen;
3511                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3512                 if (uh == NULL)
3513                         break;
3514
3515                 ad->u.net.sport = uh->source;
3516                 ad->u.net.dport = uh->dest;
3517                 break;
3518         }
3519
3520         case IPPROTO_DCCP: {
3521                 struct dccp_hdr _dccph, *dh;
3522
3523                 if (ntohs(ih->frag_off) & IP_OFFSET)
3524                         break;
3525
3526                 offset += ihlen;
3527                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3528                 if (dh == NULL)
3529                         break;
3530
3531                 ad->u.net.sport = dh->dccph_sport;
3532                 ad->u.net.dport = dh->dccph_dport;
3533                 break;
3534         }
3535
3536         default:
3537                 break;
3538         }
3539 out:
3540         return ret;
3541 }
3542
3543 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3544
3545 /* Returns error only if unable to parse addresses */
3546 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3547                         struct common_audit_data *ad, u8 *proto)
3548 {
3549         u8 nexthdr;
3550         int ret = -EINVAL, offset;
3551         struct ipv6hdr _ipv6h, *ip6;
3552
3553         offset = skb_network_offset(skb);
3554         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3555         if (ip6 == NULL)
3556                 goto out;
3557
3558         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3559         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3560         ret = 0;
3561
3562         nexthdr = ip6->nexthdr;
3563         offset += sizeof(_ipv6h);
3564         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3565         if (offset < 0)
3566                 goto out;
3567
3568         if (proto)
3569                 *proto = nexthdr;
3570
3571         switch (nexthdr) {
3572         case IPPROTO_TCP: {
3573                 struct tcphdr _tcph, *th;
3574
3575                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3576                 if (th == NULL)
3577                         break;
3578
3579                 ad->u.net.sport = th->source;
3580                 ad->u.net.dport = th->dest;
3581                 break;
3582         }
3583
3584         case IPPROTO_UDP: {
3585                 struct udphdr _udph, *uh;
3586
3587                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3588                 if (uh == NULL)
3589                         break;
3590
3591                 ad->u.net.sport = uh->source;
3592                 ad->u.net.dport = uh->dest;
3593                 break;
3594         }
3595
3596         case IPPROTO_DCCP: {
3597                 struct dccp_hdr _dccph, *dh;
3598
3599                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3600                 if (dh == NULL)
3601                         break;
3602
3603                 ad->u.net.sport = dh->dccph_sport;
3604                 ad->u.net.dport = dh->dccph_dport;
3605                 break;
3606         }
3607
3608         /* includes fragments */
3609         default:
3610                 break;
3611         }
3612 out:
3613         return ret;
3614 }
3615
3616 #endif /* IPV6 */
3617
3618 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3619                              char **_addrp, int src, u8 *proto)
3620 {
3621         char *addrp;
3622         int ret;
3623
3624         switch (ad->u.net.family) {
3625         case PF_INET:
3626                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3627                 if (ret)
3628                         goto parse_error;
3629                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3630                                        &ad->u.net.v4info.daddr);
3631                 goto okay;
3632
3633 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3634         case PF_INET6:
3635                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3636                 if (ret)
3637                         goto parse_error;
3638                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3639                                        &ad->u.net.v6info.daddr);
3640                 goto okay;
3641 #endif  /* IPV6 */
3642         default:
3643                 addrp = NULL;
3644                 goto okay;
3645         }
3646
3647 parse_error:
3648         printk(KERN_WARNING
3649                "SELinux: failure in selinux_parse_skb(),"
3650                " unable to parse packet\n");
3651         return ret;
3652
3653 okay:
3654         if (_addrp)
3655                 *_addrp = addrp;
3656         return 0;
3657 }
3658
3659 /**
3660  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3661  * @skb: the packet
3662  * @family: protocol family
3663  * @sid: the packet's peer label SID
3664  *
3665  * Description:
3666  * Check the various different forms of network peer labeling and determine
3667  * the peer label/SID for the packet; most of the magic actually occurs in
3668  * the security server function security_net_peersid_cmp().  The function
3669  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3670  * or -EACCES if @sid is invalid due to inconsistencies with the different
3671  * peer labels.
3672  *
3673  */
3674 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3675 {
3676         int err;
3677         u32 xfrm_sid;
3678         u32 nlbl_sid;
3679         u32 nlbl_type;
3680
3681         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3682         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3683
3684         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3685         if (unlikely(err)) {
3686                 printk(KERN_WARNING
3687                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3688                        " unable to determine packet's peer label\n");
3689                 return -EACCES;
3690         }
3691
3692         return 0;
3693 }
3694
3695 /* socket security operations */
3696 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3697                            u32 perms)
3698 {
3699         struct inode_security_struct *isec;
3700         struct common_audit_data ad;
3701         u32 sid;
3702         int err = 0;
3703
3704         isec = SOCK_INODE(sock)->i_security;
3705
3706         if (isec->sid == SECINITSID_KERNEL)
3707                 goto out;
3708         sid = task_sid(task);
3709
3710         COMMON_AUDIT_DATA_INIT(&ad, NET);
3711         ad.u.net.sk = sock->sk;
3712         err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3713
3714 out:
3715         return err;
3716 }
3717
3718 static int selinux_socket_create(int family, int type,
3719                                  int protocol, int kern)
3720 {
3721         const struct cred *cred = current_cred();
3722         const struct task_security_struct *tsec = cred->security;
3723         u32 sid, newsid;
3724         u16 secclass;
3725         int err = 0;
3726
3727         if (kern)
3728                 goto out;
3729
3730         sid = tsec->sid;
3731         newsid = tsec->sockcreate_sid ?: sid;
3732
3733         secclass = socket_type_to_security_class(family, type, protocol);
3734         err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3735
3736 out:
3737         return err;
3738 }
3739
3740 static int selinux_socket_post_create(struct socket *sock, int family,
3741                                       int type, int protocol, int kern)
3742 {
3743         const struct cred *cred = current_cred();
3744         const struct task_security_struct *tsec = cred->security;
3745         struct inode_security_struct *isec;
3746         struct sk_security_struct *sksec;
3747         u32 sid, newsid;
3748         int err = 0;
3749
3750         sid = tsec->sid;
3751         newsid = tsec->sockcreate_sid;
3752
3753         isec = SOCK_INODE(sock)->i_security;
3754
3755         if (kern)
3756                 isec->sid = SECINITSID_KERNEL;
3757         else if (newsid)
3758                 isec->sid = newsid;
3759         else
3760                 isec->sid = sid;
3761
3762         isec->sclass = socket_type_to_security_class(family, type, protocol);
3763         isec->initialized = 1;
3764
3765         if (sock->sk) {
3766                 sksec = sock->sk->sk_security;
3767                 sksec->sid = isec->sid;
3768                 sksec->sclass = isec->sclass;
3769                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3770         }
3771
3772         return err;
3773 }
3774
3775 /* Range of port numbers used to automatically bind.
3776    Need to determine whether we should perform a name_bind
3777    permission check between the socket and the port number. */
3778
3779 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3780 {
3781         u16 family;
3782         int err;
3783
3784         err = socket_has_perm(current, sock, SOCKET__BIND);
3785         if (err)
3786                 goto out;
3787
3788         /*
3789          * If PF_INET or PF_INET6, check name_bind permission for the port.
3790          * Multiple address binding for SCTP is not supported yet: we just
3791          * check the first address now.
3792          */
3793         family = sock->sk->sk_family;
3794         if (family == PF_INET || family == PF_INET6) {
3795                 char *addrp;
3796                 struct inode_security_struct *isec;
3797                 struct common_audit_data ad;
3798                 struct sockaddr_in *addr4 = NULL;
3799                 struct sockaddr_in6 *addr6 = NULL;
3800                 unsigned short snum;
3801                 struct sock *sk = sock->sk;
3802                 u32 sid, node_perm;
3803
3804                 isec = SOCK_INODE(sock)->i_security;
3805
3806                 if (family == PF_INET) {
3807                         addr4 = (struct sockaddr_in *)address;
3808                         snum = ntohs(addr4->sin_port);
3809                         addrp = (char *)&addr4->sin_addr.s_addr;
3810                 } else {
3811                         addr6 = (struct sockaddr_in6 *)address;
3812                         snum = ntohs(addr6->sin6_port);
3813                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3814                 }
3815
3816                 if (snum) {
3817                         int low, high;
3818
3819                         inet_get_local_port_range(&low, &high);
3820
3821                         if (snum < max(PROT_SOCK, low) || snum > high) {
3822                                 err = sel_netport_sid(sk->sk_protocol,
3823                                                       snum, &sid);
3824                                 if (err)
3825                                         goto out;
3826                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3827                                 ad.u.net.sport = htons(snum);
3828                                 ad.u.net.family = family;
3829                                 err = avc_has_perm(isec->sid, sid,
3830                                                    isec->sclass,
3831                                                    SOCKET__NAME_BIND, &ad);
3832                                 if (err)
3833                                         goto out;
3834                         }
3835                 }
3836
3837                 switch (isec->sclass) {
3838                 case SECCLASS_TCP_SOCKET:
3839                         node_perm = TCP_SOCKET__NODE_BIND;
3840                         break;
3841
3842                 case SECCLASS_UDP_SOCKET:
3843                         node_perm = UDP_SOCKET__NODE_BIND;
3844                         break;
3845
3846                 case SECCLASS_DCCP_SOCKET:
3847                         node_perm = DCCP_SOCKET__NODE_BIND;
3848                         break;
3849
3850                 default:
3851                         node_perm = RAWIP_SOCKET__NODE_BIND;
3852                         break;
3853                 }
3854
3855                 err = sel_netnode_sid(addrp, family, &sid);
3856                 if (err)
3857                         goto out;
3858
3859                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3860                 ad.u.net.sport = htons(snum);
3861                 ad.u.net.family = family;
3862
3863                 if (family == PF_INET)
3864                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3865                 else
3866                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3867
3868                 err = avc_has_perm(isec->sid, sid,
3869                                    isec->sclass, node_perm, &ad);
3870                 if (err)
3871                         goto out;
3872         }
3873 out:
3874         return err;
3875 }
3876
3877 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3878 {
3879         struct sock *sk = sock->sk;
3880         struct inode_security_struct *isec;
3881         int err;
3882
3883         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3884         if (err)
3885                 return err;
3886
3887         /*
3888          * If a TCP or DCCP socket, check name_connect permission for the port.
3889          */
3890         isec = SOCK_INODE(sock)->i_security;
3891         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3892             isec->sclass == SECCLASS_DCCP_SOCKET) {
3893                 struct common_audit_data ad;
3894                 struct sockaddr_in *addr4 = NULL;
3895                 struct sockaddr_in6 *addr6 = NULL;
3896                 unsigned short snum;
3897                 u32 sid, perm;
3898
3899                 if (sk->sk_family == PF_INET) {
3900                         addr4 = (struct sockaddr_in *)address;
3901                         if (addrlen < sizeof(struct sockaddr_in))
3902                                 return -EINVAL;
3903                         snum = ntohs(addr4->sin_port);
3904                 } else {
3905                         addr6 = (struct sockaddr_in6 *)address;
3906                         if (addrlen < SIN6_LEN_RFC2133)
3907                                 return -EINVAL;
3908                         snum = ntohs(addr6->sin6_port);
3909                 }
3910
3911                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3912                 if (err)
3913                         goto out;
3914
3915                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3916                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3917
3918                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3919                 ad.u.net.dport = htons(snum);
3920                 ad.u.net.family = sk->sk_family;
3921                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3922                 if (err)
3923                         goto out;
3924         }
3925
3926         err = selinux_netlbl_socket_connect(sk, address);
3927
3928 out:
3929         return err;
3930 }
3931
3932 static int selinux_socket_listen(struct socket *sock, int backlog)
3933 {
3934         return socket_has_perm(current, sock, SOCKET__LISTEN);
3935 }
3936
3937 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3938 {
3939         int err;
3940         struct inode_security_struct *isec;
3941         struct inode_security_struct *newisec;
3942
3943         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3944         if (err)
3945                 return err;
3946
3947         newisec = SOCK_INODE(newsock)->i_security;
3948
3949         isec = SOCK_INODE(sock)->i_security;
3950         newisec->sclass = isec->sclass;
3951         newisec->sid = isec->sid;
3952         newisec->initialized = 1;
3953
3954         return 0;
3955 }
3956
3957 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3958                                   int size)
3959 {
3960         return socket_has_perm(current, sock, SOCKET__WRITE);
3961 }
3962
3963 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3964                                   int size, int flags)
3965 {
3966         return socket_has_perm(current, sock, SOCKET__READ);
3967 }
3968
3969 static int selinux_socket_getsockname(struct socket *sock)
3970 {
3971         return socket_has_perm(current, sock, SOCKET__GETATTR);
3972 }
3973
3974 static int selinux_socket_getpeername(struct socket *sock)
3975 {
3976         return socket_has_perm(current, sock, SOCKET__GETATTR);
3977 }
3978
3979 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3980 {
3981         int err;
3982
3983         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3984         if (err)
3985                 return err;
3986
3987         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3988 }
3989
3990 static int selinux_socket_getsockopt(struct socket *sock, int level,
3991                                      int optname)
3992 {
3993         return socket_has_perm(current, sock, SOCKET__GETOPT);
3994 }
3995
3996 static int selinux_socket_shutdown(struct socket *sock, int how)
3997 {
3998         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3999 }
4000
4001 static int selinux_socket_unix_stream_connect(struct socket *sock,
4002                                               struct socket *other,
4003                                               struct sock *newsk)
4004 {
4005         struct sk_security_struct *ssec;
4006         struct inode_security_struct *isec;
4007         struct inode_security_struct *other_isec;
4008         struct common_audit_data ad;
4009         int err;
4010
4011         isec = SOCK_INODE(sock)->i_security;
4012         other_isec = SOCK_INODE(other)->i_security;
4013
4014         COMMON_AUDIT_DATA_INIT(&ad, NET);
4015         ad.u.net.sk = other->sk;
4016
4017         err = avc_has_perm(isec->sid, other_isec->sid,
4018                            isec->sclass,
4019                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4020         if (err)
4021                 return err;
4022
4023         /* connecting socket */
4024         ssec = sock->sk->sk_security;
4025         ssec->peer_sid = other_isec->sid;
4026
4027         /* server child socket */
4028         ssec = newsk->sk_security;
4029         ssec->peer_sid = isec->sid;
4030         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4031
4032         return err;
4033 }
4034
4035 static int selinux_socket_unix_may_send(struct socket *sock,
4036                                         struct socket *other)
4037 {
4038         struct inode_security_struct *isec;
4039         struct inode_security_struct *other_isec;
4040         struct common_audit_data ad;
4041         int err;
4042
4043         isec = SOCK_INODE(sock)->i_security;
4044         other_isec = SOCK_INODE(other)->i_security;
4045
4046         COMMON_AUDIT_DATA_INIT(&ad, NET);
4047         ad.u.net.sk = other->sk;
4048
4049         err = avc_has_perm(isec->sid, other_isec->sid,
4050                            isec->sclass, SOCKET__SENDTO, &ad);
4051         if (err)
4052                 return err;
4053
4054         return 0;
4055 }
4056
4057 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4058                                     u32 peer_sid,
4059                                     struct common_audit_data *ad)
4060 {
4061         int err;
4062         u32 if_sid;
4063         u32 node_sid;
4064
4065         err = sel_netif_sid(ifindex, &if_sid);
4066         if (err)
4067                 return err;
4068         err = avc_has_perm(peer_sid, if_sid,
4069                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4070         if (err)
4071                 return err;
4072
4073         err = sel_netnode_sid(addrp, family, &node_sid);
4074         if (err)
4075                 return err;
4076         return avc_has_perm(peer_sid, node_sid,
4077                             SECCLASS_NODE, NODE__RECVFROM, ad);
4078 }
4079
4080 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4081                                        u16 family)
4082 {
4083         int err = 0;
4084         struct sk_security_struct *sksec = sk->sk_security;
4085         u32 peer_sid;
4086         u32 sk_sid = sksec->sid;
4087         struct common_audit_data ad;
4088         char *addrp;
4089
4090         COMMON_AUDIT_DATA_INIT(&ad, NET);
4091         ad.u.net.netif = skb->skb_iif;
4092         ad.u.net.family = family;
4093         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4094         if (err)
4095                 return err;
4096
4097         if (selinux_secmark_enabled()) {
4098                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4099                                    PACKET__RECV, &ad);
4100                 if (err)
4101                         return err;
4102         }
4103
4104         if (selinux_policycap_netpeer) {
4105                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4106                 if (err)
4107                         return err;
4108                 err = avc_has_perm(sk_sid, peer_sid,
4109                                    SECCLASS_PEER, PEER__RECV, &ad);
4110                 if (err)
4111                         selinux_netlbl_err(skb, err, 0);
4112         } else {
4113                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4114                 if (err)
4115                         return err;
4116                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4117         }
4118
4119         return err;
4120 }
4121
4122 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4123 {
4124         int err;
4125         struct sk_security_struct *sksec = sk->sk_security;
4126         u16 family = sk->sk_family;
4127         u32 sk_sid = sksec->sid;
4128         struct common_audit_data ad;
4129         char *addrp;
4130         u8 secmark_active;
4131         u8 peerlbl_active;
4132
4133         if (family != PF_INET && family != PF_INET6)
4134                 return 0;
4135
4136         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4137         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4138                 family = PF_INET;
4139
4140         /* If any sort of compatibility mode is enabled then handoff processing
4141          * to the selinux_sock_rcv_skb_compat() function to deal with the
4142          * special handling.  We do this in an attempt to keep this function
4143          * as fast and as clean as possible. */
4144         if (!selinux_policycap_netpeer)
4145                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4146
4147         secmark_active = selinux_secmark_enabled();
4148         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4149         if (!secmark_active && !peerlbl_active)
4150                 return 0;
4151
4152         COMMON_AUDIT_DATA_INIT(&ad, NET);
4153         ad.u.net.netif = skb->skb_iif;
4154         ad.u.net.family = family;
4155         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4156         if (err)
4157                 return err;
4158
4159         if (peerlbl_active) {
4160                 u32 peer_sid;
4161
4162                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4163                 if (err)
4164                         return err;
4165                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4166                                                peer_sid, &ad);
4167                 if (err) {
4168                         selinux_netlbl_err(skb, err, 0);
4169                         return err;
4170                 }
4171                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4172                                    PEER__RECV, &ad);
4173                 if (err)
4174                         selinux_netlbl_err(skb, err, 0);
4175         }
4176
4177         if (secmark_active) {
4178                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4179                                    PACKET__RECV, &ad);
4180                 if (err)
4181                         return err;
4182         }
4183
4184         return err;
4185 }
4186
4187 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4188                                             int __user *optlen, unsigned len)
4189 {
4190         int err = 0;
4191         char *scontext;
4192         u32 scontext_len;
4193         struct sk_security_struct *ssec;
4194         struct inode_security_struct *isec;
4195         u32 peer_sid = SECSID_NULL;
4196
4197         isec = SOCK_INODE(sock)->i_security;
4198
4199         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4200             isec->sclass == SECCLASS_TCP_SOCKET) {
4201                 ssec = sock->sk->sk_security;
4202                 peer_sid = ssec->peer_sid;
4203         }
4204         if (peer_sid == SECSID_NULL) {
4205                 err = -ENOPROTOOPT;
4206                 goto out;
4207         }
4208
4209         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4210
4211         if (err)
4212                 goto out;
4213
4214         if (scontext_len > len) {
4215                 err = -ERANGE;
4216                 goto out_len;
4217         }
4218
4219         if (copy_to_user(optval, scontext, scontext_len))
4220                 err = -EFAULT;
4221
4222 out_len:
4223         if (put_user(scontext_len, optlen))
4224                 err = -EFAULT;
4225
4226         kfree(scontext);
4227 out:
4228         return err;
4229 }
4230
4231 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4232 {
4233         u32 peer_secid = SECSID_NULL;
4234         u16 family;
4235
4236         if (skb && skb->protocol == htons(ETH_P_IP))
4237                 family = PF_INET;
4238         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4239                 family = PF_INET6;
4240         else if (sock)
4241                 family = sock->sk->sk_family;
4242         else
4243                 goto out;
4244
4245         if (sock && family == PF_UNIX)
4246                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4247         else if (skb)
4248                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4249
4250 out:
4251         *secid = peer_secid;
4252         if (peer_secid == SECSID_NULL)
4253                 return -EINVAL;
4254         return 0;
4255 }
4256
4257 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4258 {
4259         return sk_alloc_security(sk, family, priority);
4260 }
4261
4262 static void selinux_sk_free_security(struct sock *sk)
4263 {
4264         sk_free_security(sk);
4265 }
4266
4267 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4268 {
4269         struct sk_security_struct *ssec = sk->sk_security;
4270         struct sk_security_struct *newssec = newsk->sk_security;
4271
4272         newssec->sid = ssec->sid;
4273         newssec->peer_sid = ssec->peer_sid;
4274         newssec->sclass = ssec->sclass;
4275
4276         selinux_netlbl_sk_security_reset(newssec);
4277 }
4278
4279 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4280 {
4281         if (!sk)
4282                 *secid = SECINITSID_ANY_SOCKET;
4283         else {
4284                 struct sk_security_struct *sksec = sk->sk_security;
4285
4286                 *secid = sksec->sid;
4287         }
4288 }
4289
4290 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4291 {
4292         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4293         struct sk_security_struct *sksec = sk->sk_security;
4294
4295         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4296             sk->sk_family == PF_UNIX)
4297                 isec->sid = sksec->sid;
4298         sksec->sclass = isec->sclass;
4299 }
4300
4301 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4302                                      struct request_sock *req)
4303 {
4304         struct sk_security_struct *sksec = sk->sk_security;
4305         int err;
4306         u16 family = sk->sk_family;
4307         u32 newsid;
4308         u32 peersid;
4309
4310         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4311         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4312                 family = PF_INET;
4313
4314         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4315         if (err)
4316                 return err;
4317         if (peersid == SECSID_NULL) {
4318                 req->secid = sksec->sid;
4319                 req->peer_secid = SECSID_NULL;
4320         } else {
4321                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4322                 if (err)
4323                         return err;
4324                 req->secid = newsid;
4325                 req->peer_secid = peersid;
4326         }
4327
4328         return selinux_netlbl_inet_conn_request(req, family);
4329 }
4330
4331 static void selinux_inet_csk_clone(struct sock *newsk,
4332                                    const struct request_sock *req)
4333 {
4334         struct sk_security_struct *newsksec = newsk->sk_security;
4335
4336         newsksec->sid = req->secid;
4337         newsksec->peer_sid = req->peer_secid;
4338         /* NOTE: Ideally, we should also get the isec->sid for the
4339            new socket in sync, but we don't have the isec available yet.
4340            So we will wait until sock_graft to do it, by which
4341            time it will have been created and available. */
4342
4343         /* We don't need to take any sort of lock here as we are the only
4344          * thread with access to newsksec */
4345         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4346 }
4347
4348 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4349 {
4350         u16 family = sk->sk_family;
4351         struct sk_security_struct *sksec = sk->sk_security;
4352
4353         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4354         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4355                 family = PF_INET;
4356
4357         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4358 }
4359
4360 static void selinux_req_classify_flow(const struct request_sock *req,
4361                                       struct flowi *fl)
4362 {
4363         fl->secid = req->secid;
4364 }
4365
4366 static int selinux_tun_dev_create(void)
4367 {
4368         u32 sid = current_sid();
4369
4370         /* we aren't taking into account the "sockcreate" SID since the socket
4371          * that is being created here is not a socket in the traditional sense,
4372          * instead it is a private sock, accessible only to the kernel, and
4373          * representing a wide range of network traffic spanning multiple
4374          * connections unlike traditional sockets - check the TUN driver to
4375          * get a better understanding of why this socket is special */
4376
4377         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4378                             NULL);
4379 }
4380
4381 static void selinux_tun_dev_post_create(struct sock *sk)
4382 {
4383         struct sk_security_struct *sksec = sk->sk_security;
4384
4385         /* we don't currently perform any NetLabel based labeling here and it
4386          * isn't clear that we would want to do so anyway; while we could apply
4387          * labeling without the support of the TUN user the resulting labeled
4388          * traffic from the other end of the connection would almost certainly
4389          * cause confusion to the TUN user that had no idea network labeling
4390          * protocols were being used */
4391
4392         /* see the comments in selinux_tun_dev_create() about why we don't use
4393          * the sockcreate SID here */
4394
4395         sksec->sid = current_sid();
4396         sksec->sclass = SECCLASS_TUN_SOCKET;
4397 }
4398
4399 static int selinux_tun_dev_attach(struct sock *sk)
4400 {
4401         struct sk_security_struct *sksec = sk->sk_security;
4402         u32 sid = current_sid();
4403         int err;
4404
4405         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4406                            TUN_SOCKET__RELABELFROM, NULL);
4407         if (err)
4408                 return err;
4409         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4410                            TUN_SOCKET__RELABELTO, NULL);
4411         if (err)
4412                 return err;
4413
4414         sksec->sid = sid;
4415
4416         return 0;
4417 }
4418
4419 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4420 {
4421         int err = 0;
4422         u32 perm;
4423         struct nlmsghdr *nlh;
4424         struct socket *sock = sk->sk_socket;
4425         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4426
4427         if (skb->len < NLMSG_SPACE(0)) {
4428                 err = -EINVAL;
4429                 goto out;
4430         }
4431         nlh = nlmsg_hdr(skb);
4432
4433         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4434         if (err) {
4435                 if (err == -EINVAL) {
4436                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4437                                   "SELinux:  unrecognized netlink message"
4438                                   " type=%hu for sclass=%hu\n",
4439                                   nlh->nlmsg_type, isec->sclass);
4440                         if (!selinux_enforcing || security_get_allow_unknown())
4441                                 err = 0;
4442                 }
4443
4444                 /* Ignore */
4445                 if (err == -ENOENT)
4446                         err = 0;
4447                 goto out;
4448         }
4449
4450         err = socket_has_perm(current, sock, perm);
4451 out:
4452         return err;
4453 }
4454
4455 #ifdef CONFIG_NETFILTER
4456
4457 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4458                                        u16 family)
4459 {
4460         int err;
4461         char *addrp;
4462         u32 peer_sid;
4463         struct common_audit_data ad;
4464         u8 secmark_active;
4465         u8 netlbl_active;
4466         u8 peerlbl_active;
4467
4468         if (!selinux_policycap_netpeer)
4469                 return NF_ACCEPT;
4470
4471         secmark_active = selinux_secmark_enabled();
4472         netlbl_active = netlbl_enabled();
4473         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4474         if (!secmark_active && !peerlbl_active)
4475                 return NF_ACCEPT;
4476
4477         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4478                 return NF_DROP;
4479
4480         COMMON_AUDIT_DATA_INIT(&ad, NET);
4481         ad.u.net.netif = ifindex;
4482         ad.u.net.family = family;
4483         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4484                 return NF_DROP;
4485
4486         if (peerlbl_active) {
4487                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4488                                                peer_sid, &ad);
4489                 if (err) {
4490                         selinux_netlbl_err(skb, err, 1);
4491                         return NF_DROP;
4492                 }
4493         }
4494
4495         if (secmark_active)
4496                 if (avc_has_perm(peer_sid, skb->secmark,
4497                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4498                         return NF_DROP;
4499
4500         if (netlbl_active)
4501                 /* we do this in the FORWARD path and not the POST_ROUTING
4502                  * path because we want to make sure we apply the necessary
4503                  * labeling before IPsec is applied so we can leverage AH
4504                  * protection */
4505                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4506                         return NF_DROP;
4507
4508         return NF_ACCEPT;
4509 }
4510
4511 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4512                                          struct sk_buff *skb,
4513                                          const struct net_device *in,
4514                                          const struct net_device *out,
4515                                          int (*okfn)(struct sk_buff *))
4516 {
4517         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4518 }
4519
4520 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4521 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4522                                          struct sk_buff *skb,
4523                                          const struct net_device *in,
4524                                          const struct net_device *out,
4525                                          int (*okfn)(struct sk_buff *))
4526 {
4527         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4528 }
4529 #endif  /* IPV6 */
4530
4531 static unsigned int selinux_ip_output(struct sk_buff *skb,
4532                                       u16 family)
4533 {
4534         u32 sid;
4535
4536         if (!netlbl_enabled())
4537                 return NF_ACCEPT;
4538
4539         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4540          * because we want to make sure we apply the necessary labeling
4541          * before IPsec is applied so we can leverage AH protection */
4542         if (skb->sk) {
4543                 struct sk_security_struct *sksec = skb->sk->sk_security;
4544                 sid = sksec->sid;
4545         } else
4546                 sid = SECINITSID_KERNEL;
4547         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4548                 return NF_DROP;
4549
4550         return NF_ACCEPT;
4551 }
4552
4553 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4554                                         struct sk_buff *skb,
4555                                         const struct net_device *in,
4556                                         const struct net_device *out,
4557                                         int (*okfn)(struct sk_buff *))
4558 {
4559         return selinux_ip_output(skb, PF_INET);
4560 }
4561
4562 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4563                                                 int ifindex,
4564                                                 u16 family)
4565 {
4566         struct sock *sk = skb->sk;
4567         struct sk_security_struct *sksec;
4568         struct common_audit_data ad;
4569         char *addrp;
4570         u8 proto;
4571
4572         if (sk == NULL)
4573                 return NF_ACCEPT;
4574         sksec = sk->sk_security;
4575
4576         COMMON_AUDIT_DATA_INIT(&ad, NET);
4577         ad.u.net.netif = ifindex;
4578         ad.u.net.family = family;
4579         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4580                 return NF_DROP;
4581
4582         if (selinux_secmark_enabled())
4583                 if (avc_has_perm(sksec->sid, skb->secmark,
4584                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4585                         return NF_DROP;
4586
4587         if (selinux_policycap_netpeer)
4588                 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4589                         return NF_DROP;
4590
4591         return NF_ACCEPT;
4592 }
4593
4594 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4595                                          u16 family)
4596 {
4597         u32 secmark_perm;
4598         u32 peer_sid;
4599         struct sock *sk;
4600         struct common_audit_data ad;
4601         char *addrp;
4602         u8 secmark_active;
4603         u8 peerlbl_active;
4604
4605         /* If any sort of compatibility mode is enabled then handoff processing
4606          * to the selinux_ip_postroute_compat() function to deal with the
4607          * special handling.  We do this in an attempt to keep this function
4608          * as fast and as clean as possible. */
4609         if (!selinux_policycap_netpeer)
4610                 return selinux_ip_postroute_compat(skb, ifindex, family);
4611 #ifdef CONFIG_XFRM
4612         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4613          * packet transformation so allow the packet to pass without any checks
4614          * since we'll have another chance to perform access control checks
4615          * when the packet is on it's final way out.
4616          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4617          *       is NULL, in this case go ahead and apply access control. */
4618         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4619                 return NF_ACCEPT;
4620 #endif
4621         secmark_active = selinux_secmark_enabled();
4622         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4623         if (!secmark_active && !peerlbl_active)
4624                 return NF_ACCEPT;
4625
4626         /* if the packet is being forwarded then get the peer label from the
4627          * packet itself; otherwise check to see if it is from a local
4628          * application or the kernel, if from an application get the peer label
4629          * from the sending socket, otherwise use the kernel's sid */
4630         sk = skb->sk;
4631         if (sk == NULL) {
4632                 switch (family) {
4633                 case PF_INET:
4634                         if (IPCB(skb)->flags & IPSKB_FORWARDED)
4635                                 secmark_perm = PACKET__FORWARD_OUT;
4636                         else
4637                                 secmark_perm = PACKET__SEND;
4638                         break;
4639                 case PF_INET6:
4640                         if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4641                                 secmark_perm = PACKET__FORWARD_OUT;
4642                         else
4643                                 secmark_perm = PACKET__SEND;
4644                         break;
4645                 default:
4646                         return NF_DROP;
4647                 }
4648                 if (secmark_perm == PACKET__FORWARD_OUT) {
4649                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4650                                 return NF_DROP;
4651                 } else
4652                         peer_sid = SECINITSID_KERNEL;
4653         } else {
4654                 struct sk_security_struct *sksec = sk->sk_security;
4655                 peer_sid = sksec->sid;
4656                 secmark_perm = PACKET__SEND;
4657         }
4658
4659         COMMON_AUDIT_DATA_INIT(&ad, NET);
4660         ad.u.net.netif = ifindex;
4661         ad.u.net.family = family;
4662         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4663                 return NF_DROP;
4664
4665         if (secmark_active)
4666                 if (avc_has_perm(peer_sid, skb->secmark,
4667                                  SECCLASS_PACKET, secmark_perm, &ad))
4668                         return NF_DROP;
4669
4670         if (peerlbl_active) {
4671                 u32 if_sid;
4672                 u32 node_sid;
4673
4674                 if (sel_netif_sid(ifindex, &if_sid))
4675                         return NF_DROP;
4676                 if (avc_has_perm(peer_sid, if_sid,
4677                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4678                         return NF_DROP;
4679
4680                 if (sel_netnode_sid(addrp, family, &node_sid))
4681                         return NF_DROP;
4682                 if (avc_has_perm(peer_sid, node_sid,
4683                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4684                         return NF_DROP;
4685         }
4686
4687         return NF_ACCEPT;
4688 }
4689
4690 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4691                                            struct sk_buff *skb,
4692                                            const struct net_device *in,
4693                                            const struct net_device *out,
4694                                            int (*okfn)(struct sk_buff *))
4695 {
4696         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4697 }
4698
4699 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4700 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4701                                            struct sk_buff *skb,
4702                                            const struct net_device *in,
4703                                            const struct net_device *out,
4704                                            int (*okfn)(struct sk_buff *))
4705 {
4706         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4707 }
4708 #endif  /* IPV6 */
4709
4710 #endif  /* CONFIG_NETFILTER */
4711
4712 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4713 {
4714         int err;
4715
4716         err = cap_netlink_send(sk, skb);
4717         if (err)
4718                 return err;
4719
4720         return selinux_nlmsg_perm(sk, skb);
4721 }
4722
4723 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4724 {
4725         int err;
4726         struct common_audit_data ad;
4727
4728         err = cap_netlink_recv(skb, capability);
4729         if (err)
4730                 return err;
4731
4732         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4733         ad.u.cap = capability;
4734
4735         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4736                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4737 }
4738
4739 static int ipc_alloc_security(struct task_struct *task,
4740                               struct kern_ipc_perm *perm,
4741                               u16 sclass)
4742 {
4743         struct ipc_security_struct *isec;
4744         u32 sid;
4745
4746         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4747         if (!isec)
4748                 return -ENOMEM;
4749
4750         sid = task_sid(task);
4751         isec->sclass = sclass;
4752         isec->sid = sid;
4753         perm->security = isec;
4754
4755         return 0;
4756 }
4757
4758 static void ipc_free_security(struct kern_ipc_perm *perm)
4759 {
4760         struct ipc_security_struct *isec = perm->security;
4761         perm->security = NULL;
4762         kfree(isec);
4763 }
4764
4765 static int msg_msg_alloc_security(struct msg_msg *msg)
4766 {
4767         struct msg_security_struct *msec;
4768
4769         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4770         if (!msec)
4771                 return -ENOMEM;
4772
4773         msec->sid = SECINITSID_UNLABELED;
4774         msg->security = msec;
4775
4776         return 0;
4777 }
4778
4779 static void msg_msg_free_security(struct msg_msg *msg)
4780 {
4781         struct msg_security_struct *msec = msg->security;
4782
4783         msg->security = NULL;
4784         kfree(msec);
4785 }
4786
4787 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4788                         u32 perms)
4789 {
4790         struct ipc_security_struct *isec;
4791         struct common_audit_data ad;
4792         u32 sid = current_sid();
4793
4794         isec = ipc_perms->security;
4795
4796         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4797         ad.u.ipc_id = ipc_perms->key;
4798
4799         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4800 }
4801
4802 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4803 {
4804         return msg_msg_alloc_security(msg);
4805 }
4806
4807 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4808 {
4809         msg_msg_free_security(msg);
4810 }
4811
4812 /* message queue security operations */
4813 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4814 {
4815         struct ipc_security_struct *isec;
4816         struct common_audit_data ad;
4817         u32 sid = current_sid();
4818         int rc;
4819
4820         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4821         if (rc)
4822                 return rc;
4823
4824         isec = msq->q_perm.security;
4825
4826         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4827         ad.u.ipc_id = msq->q_perm.key;
4828
4829         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4830                           MSGQ__CREATE, &ad);
4831         if (rc) {
4832                 ipc_free_security(&msq->q_perm);
4833                 return rc;
4834         }
4835         return 0;
4836 }
4837
4838 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4839 {
4840         ipc_free_security(&msq->q_perm);
4841 }
4842
4843 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4844 {
4845         struct ipc_security_struct *isec;
4846         struct common_audit_data ad;
4847         u32 sid = current_sid();
4848
4849         isec = msq->q_perm.security;
4850
4851         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4852         ad.u.ipc_id = msq->q_perm.key;
4853
4854         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4855                             MSGQ__ASSOCIATE, &ad);
4856 }
4857
4858 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4859 {
4860         int err;
4861         int perms;
4862
4863         switch (cmd) {
4864         case IPC_INFO:
4865         case MSG_INFO:
4866                 /* No specific object, just general system-wide information. */
4867                 return task_has_system(current, SYSTEM__IPC_INFO);
4868         case IPC_STAT:
4869         case MSG_STAT:
4870                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4871                 break;
4872         case IPC_SET:
4873                 perms = MSGQ__SETATTR;
4874                 break;
4875         case IPC_RMID:
4876                 perms = MSGQ__DESTROY;
4877                 break;
4878         default:
4879                 return 0;
4880         }
4881
4882         err = ipc_has_perm(&msq->q_perm, perms);
4883         return err;
4884 }
4885
4886 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4887 {
4888         struct ipc_security_struct *isec;
4889         struct msg_security_struct *msec;
4890         struct common_audit_data ad;
4891         u32 sid = current_sid();
4892         int rc;
4893
4894         isec = msq->q_perm.security;
4895         msec = msg->security;
4896
4897         /*
4898          * First time through, need to assign label to the message
4899          */
4900         if (msec->sid == SECINITSID_UNLABELED) {
4901                 /*
4902                  * Compute new sid based on current process and
4903                  * message queue this message will be stored in
4904                  */
4905                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4906                                              &msec->sid);
4907                 if (rc)
4908                         return rc;
4909         }
4910
4911         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4912         ad.u.ipc_id = msq->q_perm.key;
4913
4914         /* Can this process write to the queue? */
4915         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4916                           MSGQ__WRITE, &ad);
4917         if (!rc)
4918                 /* Can this process send the message */
4919                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4920                                   MSG__SEND, &ad);
4921         if (!rc)
4922                 /* Can the message be put in the queue? */
4923                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4924                                   MSGQ__ENQUEUE, &ad);
4925
4926         return rc;
4927 }
4928
4929 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4930                                     struct task_struct *target,
4931                                     long type, int mode)
4932 {
4933         struct ipc_security_struct *isec;
4934         struct msg_security_struct *msec;
4935         struct common_audit_data ad;
4936         u32 sid = task_sid(target);
4937         int rc;
4938
4939         isec = msq->q_perm.security;
4940         msec = msg->security;
4941
4942         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4943         ad.u.ipc_id = msq->q_perm.key;
4944
4945         rc = avc_has_perm(sid, isec->sid,
4946                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4947         if (!rc)
4948                 rc = avc_has_perm(sid, msec->sid,
4949                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4950         return rc;
4951 }
4952
4953 /* Shared Memory security operations */
4954 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4955 {
4956         struct ipc_security_struct *isec;
4957         struct common_audit_data ad;
4958         u32 sid = current_sid();
4959         int rc;
4960
4961         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4962         if (rc)
4963                 return rc;
4964
4965         isec = shp->shm_perm.security;
4966
4967         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4968         ad.u.ipc_id = shp->shm_perm.key;
4969
4970         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4971                           SHM__CREATE, &ad);
4972         if (rc) {
4973                 ipc_free_security(&shp->shm_perm);
4974                 return rc;
4975         }
4976         return 0;
4977 }
4978
4979 static void selinux_shm_free_security(struct shmid_kernel *shp)
4980 {
4981         ipc_free_security(&shp->shm_perm);
4982 }
4983
4984 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4985 {
4986         struct ipc_security_struct *isec;
4987         struct common_audit_data ad;
4988         u32 sid = current_sid();
4989
4990         isec = shp->shm_perm.security;
4991
4992         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4993         ad.u.ipc_id = shp->shm_perm.key;
4994
4995         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4996                             SHM__ASSOCIATE, &ad);
4997 }
4998
4999 /* Note, at this point, shp is locked down */
5000 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5001 {
5002         int perms;
5003         int err;
5004
5005         switch (cmd) {
5006         case IPC_INFO:
5007         case SHM_INFO:
5008                 /* No specific object, just general system-wide information. */
5009                 return task_has_system(current, SYSTEM__IPC_INFO);
5010         case IPC_STAT:
5011         case SHM_STAT:
5012                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5013                 break;
5014         case IPC_SET:
5015                 perms = SHM__SETATTR;
5016                 break;
5017         case SHM_LOCK:
5018         case SHM_UNLOCK:
5019                 perms = SHM__LOCK;
5020                 break;
5021         case IPC_RMID:
5022                 perms = SHM__DESTROY;
5023                 break;
5024         default:
5025                 return 0;
5026         }
5027
5028         err = ipc_has_perm(&shp->shm_perm, perms);
5029         return err;
5030 }
5031
5032 static int selinux_shm_shmat(struct shmid_kernel *shp,
5033                              char __user *shmaddr, int shmflg)
5034 {
5035         u32 perms;
5036
5037         if (shmflg & SHM_RDONLY)
5038                 perms = SHM__READ;
5039         else
5040                 perms = SHM__READ | SHM__WRITE;
5041
5042         return ipc_has_perm(&shp->shm_perm, perms);
5043 }
5044
5045 /* Semaphore security operations */
5046 static int selinux_sem_alloc_security(struct sem_array *sma)
5047 {
5048         struct ipc_security_struct *isec;
5049         struct common_audit_data ad;
5050         u32 sid = current_sid();
5051         int rc;
5052
5053         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5054         if (rc)
5055                 return rc;
5056
5057         isec = sma->sem_perm.security;
5058
5059         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5060         ad.u.ipc_id = sma->sem_perm.key;
5061
5062         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5063                           SEM__CREATE, &ad);
5064         if (rc) {
5065                 ipc_free_security(&sma->sem_perm);
5066                 return rc;
5067         }
5068         return 0;
5069 }
5070
5071 static void selinux_sem_free_security(struct sem_array *sma)
5072 {
5073         ipc_free_security(&sma->sem_perm);
5074 }
5075
5076 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5077 {
5078         struct ipc_security_struct *isec;
5079         struct common_audit_data ad;
5080         u32 sid = current_sid();
5081
5082         isec = sma->sem_perm.security;
5083
5084         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5085         ad.u.ipc_id = sma->sem_perm.key;
5086
5087         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5088                             SEM__ASSOCIATE, &ad);
5089 }
5090
5091 /* Note, at this point, sma is locked down */
5092 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5093 {
5094         int err;
5095         u32 perms;
5096
5097         switch (cmd) {
5098         case IPC_INFO:
5099         case SEM_INFO:
5100                 /* No specific object, just general system-wide information. */
5101                 return task_has_system(current, SYSTEM__IPC_INFO);
5102         case GETPID:
5103         case GETNCNT:
5104         case GETZCNT:
5105                 perms = SEM__GETATTR;
5106                 break;
5107         case GETVAL:
5108         case GETALL:
5109                 perms = SEM__READ;
5110                 break;
5111         case SETVAL:
5112         case SETALL:
5113                 perms = SEM__WRITE;
5114                 break;
5115         case IPC_RMID:
5116                 perms = SEM__DESTROY;
5117                 break;
5118         case IPC_SET:
5119                 perms = SEM__SETATTR;
5120                 break;
5121         case IPC_STAT:
5122         case SEM_STAT:
5123                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5124                 break;
5125         default:
5126                 return 0;
5127         }
5128
5129         err = ipc_has_perm(&sma->sem_perm, perms);
5130         return err;
5131 }
5132
5133 static int selinux_sem_semop(struct sem_array *sma,
5134                              struct sembuf *sops, unsigned nsops, int alter)
5135 {
5136         u32 perms;
5137
5138         if (alter)
5139                 perms = SEM__READ | SEM__WRITE;
5140         else
5141                 perms = SEM__READ;
5142
5143         return ipc_has_perm(&sma->sem_perm, perms);
5144 }
5145
5146 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5147 {
5148         u32 av = 0;
5149
5150         av = 0;
5151         if (flag & S_IRUGO)
5152                 av |= IPC__UNIX_READ;
5153         if (flag & S_IWUGO)
5154                 av |= IPC__UNIX_WRITE;
5155
5156         if (av == 0)
5157                 return 0;
5158
5159         return ipc_has_perm(ipcp, av);
5160 }
5161
5162 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5163 {
5164         struct ipc_security_struct *isec = ipcp->security;
5165         *secid = isec->sid;
5166 }
5167
5168 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5169 {
5170         if (inode)
5171                 inode_doinit_with_dentry(inode, dentry);
5172 }
5173
5174 static int selinux_getprocattr(struct task_struct *p,
5175                                char *name, char **value)
5176 {
5177         const struct task_security_struct *__tsec;
5178         u32 sid;
5179         int error;
5180         unsigned len;
5181
5182         if (current != p) {
5183                 error = current_has_perm(p, PROCESS__GETATTR);
5184                 if (error)
5185                         return error;
5186         }
5187
5188         rcu_read_lock();
5189         __tsec = __task_cred(p)->security;
5190
5191         if (!strcmp(name, "current"))
5192                 sid = __tsec->sid;
5193         else if (!strcmp(name, "prev"))
5194                 sid = __tsec->osid;
5195         else if (!strcmp(name, "exec"))
5196                 sid = __tsec->exec_sid;
5197         else if (!strcmp(name, "fscreate"))
5198                 sid = __tsec->create_sid;
5199         else if (!strcmp(name, "keycreate"))
5200                 sid = __tsec->keycreate_sid;
5201         else if (!strcmp(name, "sockcreate"))
5202                 sid = __tsec->sockcreate_sid;
5203         else
5204                 goto invalid;
5205         rcu_read_unlock();
5206
5207         if (!sid)
5208                 return 0;
5209
5210         error = security_sid_to_context(sid, value, &len);
5211         if (error)
5212                 return error;
5213         return len;
5214
5215 invalid:
5216         rcu_read_unlock();
5217         return -EINVAL;
5218 }
5219
5220 static int selinux_setprocattr(struct task_struct *p,
5221                                char *name, void *value, size_t size)
5222 {
5223         struct task_security_struct *tsec;
5224         struct task_struct *tracer;
5225         struct cred *new;
5226         u32 sid = 0, ptsid;
5227         int error;
5228         char *str = value;
5229
5230         if (current != p) {
5231                 /* SELinux only allows a process to change its own
5232                    security attributes. */
5233                 return -EACCES;
5234         }
5235
5236         /*
5237          * Basic control over ability to set these attributes at all.
5238          * current == p, but we'll pass them separately in case the
5239          * above restriction is ever removed.
5240          */
5241         if (!strcmp(name, "exec"))
5242                 error = current_has_perm(p, PROCESS__SETEXEC);
5243         else if (!strcmp(name, "fscreate"))
5244                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5245         else if (!strcmp(name, "keycreate"))
5246                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5247         else if (!strcmp(name, "sockcreate"))
5248                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5249         else if (!strcmp(name, "current"))
5250                 error = current_has_perm(p, PROCESS__SETCURRENT);
5251         else
5252                 error = -EINVAL;
5253         if (error)
5254                 return error;
5255
5256         /* Obtain a SID for the context, if one was specified. */
5257         if (size && str[1] && str[1] != '\n') {
5258                 if (str[size-1] == '\n') {
5259                         str[size-1] = 0;
5260                         size--;
5261                 }
5262                 error = security_context_to_sid(value, size, &sid);
5263                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5264                         if (!capable(CAP_MAC_ADMIN))
5265                                 return error;
5266                         error = security_context_to_sid_force(value, size,
5267                                                               &sid);
5268                 }
5269                 if (error)
5270                         return error;
5271         }
5272
5273         new = prepare_creds();
5274         if (!new)
5275                 return -ENOMEM;
5276
5277         /* Permission checking based on the specified context is
5278            performed during the actual operation (execve,
5279            open/mkdir/...), when we know the full context of the
5280            operation.  See selinux_bprm_set_creds for the execve
5281            checks and may_create for the file creation checks. The
5282            operation will then fail if the context is not permitted. */
5283         tsec = new->security;
5284         if (!strcmp(name, "exec")) {
5285                 tsec->exec_sid = sid;
5286         } else if (!strcmp(name, "fscreate")) {
5287                 tsec->create_sid = sid;
5288         } else if (!strcmp(name, "keycreate")) {
5289                 error = may_create_key(sid, p);
5290                 if (error)
5291                         goto abort_change;
5292                 tsec->keycreate_sid = sid;
5293         } else if (!strcmp(name, "sockcreate")) {
5294                 tsec->sockcreate_sid = sid;
5295         } else if (!strcmp(name, "current")) {
5296                 error = -EINVAL;
5297                 if (sid == 0)
5298                         goto abort_change;
5299
5300                 /* Only allow single threaded processes to change context */
5301                 error = -EPERM;
5302                 if (!current_is_single_threaded()) {
5303                         error = security_bounded_transition(tsec->sid, sid);
5304                         if (error)
5305                                 goto abort_change;
5306                 }
5307
5308                 /* Check permissions for the transition. */
5309                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5310                                      PROCESS__DYNTRANSITION, NULL);
5311                 if (error)
5312                         goto abort_change;
5313
5314                 /* Check for ptracing, and update the task SID if ok.
5315                    Otherwise, leave SID unchanged and fail. */
5316                 ptsid = 0;
5317                 task_lock(p);
5318                 tracer = tracehook_tracer_task(p);
5319                 if (tracer)
5320                         ptsid = task_sid(tracer);
5321                 task_unlock(p);
5322
5323                 if (tracer) {
5324                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5325                                              PROCESS__PTRACE, NULL);
5326                         if (error)
5327                                 goto abort_change;
5328                 }
5329
5330                 tsec->sid = sid;
5331         } else {
5332                 error = -EINVAL;
5333                 goto abort_change;
5334         }
5335
5336         commit_creds(new);
5337         return size;
5338
5339 abort_change:
5340         abort_creds(new);
5341         return error;
5342 }
5343
5344 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5345 {
5346         return security_sid_to_context(secid, secdata, seclen);
5347 }
5348
5349 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5350 {
5351         return security_context_to_sid(secdata, seclen, secid);
5352 }
5353
5354 static void selinux_release_secctx(char *secdata, u32 seclen)
5355 {
5356         kfree(secdata);
5357 }
5358
5359 /*
5360  *      called with inode->i_mutex locked
5361  */
5362 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5363 {
5364         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5365 }
5366
5367 /*
5368  *      called with inode->i_mutex locked
5369  */
5370 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5371 {
5372         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5373 }
5374
5375 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5376 {
5377         int len = 0;
5378         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5379                                                 ctx, true);
5380         if (len < 0)
5381                 return len;
5382         *ctxlen = len;
5383         return 0;
5384 }
5385 #ifdef CONFIG_KEYS
5386
5387 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5388                              unsigned long flags)
5389 {
5390         const struct task_security_struct *tsec;
5391         struct key_security_struct *ksec;
5392
5393         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5394         if (!ksec)
5395                 return -ENOMEM;
5396
5397         tsec = cred->security;
5398         if (tsec->keycreate_sid)
5399                 ksec->sid = tsec->keycreate_sid;
5400         else
5401                 ksec->sid = tsec->sid;
5402
5403         k->security = ksec;
5404         return 0;
5405 }
5406
5407 static void selinux_key_free(struct key *k)
5408 {
5409         struct key_security_struct *ksec = k->security;
5410
5411         k->security = NULL;
5412         kfree(ksec);
5413 }
5414
5415 static int selinux_key_permission(key_ref_t key_ref,
5416                                   const struct cred *cred,
5417                                   key_perm_t perm)
5418 {
5419         struct key *key;
5420         struct key_security_struct *ksec;
5421         u32 sid;
5422
5423         /* if no specific permissions are requested, we skip the
5424            permission check. No serious, additional covert channels
5425            appear to be created. */
5426         if (perm == 0)
5427                 return 0;
5428
5429         sid = cred_sid(cred);
5430
5431         key = key_ref_to_ptr(key_ref);
5432         ksec = key->security;
5433
5434         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5435 }
5436
5437 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5438 {
5439         struct key_security_struct *ksec = key->security;
5440         char *context = NULL;
5441         unsigned len;
5442         int rc;
5443
5444         rc = security_sid_to_context(ksec->sid, &context, &len);
5445         if (!rc)
5446                 rc = len;
5447         *_buffer = context;
5448         return rc;
5449 }
5450
5451 #endif
5452
5453 static struct security_operations selinux_ops = {
5454         .name =                         "selinux",
5455
5456         .ptrace_access_check =          selinux_ptrace_access_check,
5457         .ptrace_traceme =               selinux_ptrace_traceme,
5458         .capget =                       selinux_capget,
5459         .capset =                       selinux_capset,
5460         .sysctl =                       selinux_sysctl,
5461         .capable =                      selinux_capable,
5462         .quotactl =                     selinux_quotactl,
5463         .quota_on =                     selinux_quota_on,
5464         .syslog =                       selinux_syslog,
5465         .vm_enough_memory =             selinux_vm_enough_memory,
5466
5467         .netlink_send =                 selinux_netlink_send,
5468         .netlink_recv =                 selinux_netlink_recv,
5469
5470         .bprm_set_creds =               selinux_bprm_set_creds,
5471         .bprm_committing_creds =        selinux_bprm_committing_creds,
5472         .bprm_committed_creds =         selinux_bprm_committed_creds,
5473         .bprm_secureexec =              selinux_bprm_secureexec,
5474
5475         .sb_alloc_security =            selinux_sb_alloc_security,
5476         .sb_free_security =             selinux_sb_free_security,
5477         .sb_copy_data =                 selinux_sb_copy_data,
5478         .sb_kern_mount =                selinux_sb_kern_mount,
5479         .sb_show_options =              selinux_sb_show_options,
5480         .sb_statfs =                    selinux_sb_statfs,
5481         .sb_mount =                     selinux_mount,
5482         .sb_umount =                    selinux_umount,
5483         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5484         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5485         .sb_parse_opts_str =            selinux_parse_opts_str,
5486
5487
5488         .inode_alloc_security =         selinux_inode_alloc_security,
5489         .inode_free_security =          selinux_inode_free_security,
5490         .inode_init_security =          selinux_inode_init_security,
5491         .inode_create =                 selinux_inode_create,
5492         .inode_link =                   selinux_inode_link,
5493         .inode_unlink =                 selinux_inode_unlink,
5494         .inode_symlink =                selinux_inode_symlink,
5495         .inode_mkdir =                  selinux_inode_mkdir,
5496         .inode_rmdir =                  selinux_inode_rmdir,
5497         .inode_mknod =                  selinux_inode_mknod,
5498         .inode_rename =                 selinux_inode_rename,
5499         .inode_readlink =               selinux_inode_readlink,
5500         .inode_follow_link =            selinux_inode_follow_link,
5501         .inode_permission =             selinux_inode_permission,
5502         .inode_setattr =                selinux_inode_setattr,
5503         .inode_getattr =                selinux_inode_getattr,
5504         .inode_setxattr =               selinux_inode_setxattr,
5505         .inode_post_setxattr =          selinux_inode_post_setxattr,
5506         .inode_getxattr =               selinux_inode_getxattr,
5507         .inode_listxattr =              selinux_inode_listxattr,
5508         .inode_removexattr =            selinux_inode_removexattr,
5509         .inode_getsecurity =            selinux_inode_getsecurity,
5510         .inode_setsecurity =            selinux_inode_setsecurity,
5511         .inode_listsecurity =           selinux_inode_listsecurity,
5512         .inode_getsecid =               selinux_inode_getsecid,
5513
5514         .file_permission =              selinux_file_permission,
5515         .file_alloc_security =          selinux_file_alloc_security,
5516         .file_free_security =           selinux_file_free_security,
5517         .file_ioctl =                   selinux_file_ioctl,
5518         .file_mmap =                    selinux_file_mmap,
5519         .file_mprotect =                selinux_file_mprotect,
5520         .file_lock =                    selinux_file_lock,
5521         .file_fcntl =                   selinux_file_fcntl,
5522         .file_set_fowner =              selinux_file_set_fowner,
5523         .file_send_sigiotask =          selinux_file_send_sigiotask,
5524         .file_receive =                 selinux_file_receive,
5525
5526         .dentry_open =                  selinux_dentry_open,
5527
5528         .task_create =                  selinux_task_create,
5529         .cred_alloc_blank =             selinux_cred_alloc_blank,
5530         .cred_free =                    selinux_cred_free,
5531         .cred_prepare =                 selinux_cred_prepare,
5532         .cred_transfer =                selinux_cred_transfer,
5533         .kernel_act_as =                selinux_kernel_act_as,
5534         .kernel_create_files_as =       selinux_kernel_create_files_as,
5535         .kernel_module_request =        selinux_kernel_module_request,
5536         .task_setpgid =                 selinux_task_setpgid,
5537         .task_getpgid =                 selinux_task_getpgid,
5538         .task_getsid =                  selinux_task_getsid,
5539         .task_getsecid =                selinux_task_getsecid,
5540         .task_setnice =                 selinux_task_setnice,
5541         .task_setioprio =               selinux_task_setioprio,
5542         .task_getioprio =               selinux_task_getioprio,
5543         .task_setrlimit =               selinux_task_setrlimit,
5544         .task_setscheduler =            selinux_task_setscheduler,
5545         .task_getscheduler =            selinux_task_getscheduler,
5546         .task_movememory =              selinux_task_movememory,
5547         .task_kill =                    selinux_task_kill,
5548         .task_wait =                    selinux_task_wait,
5549         .task_to_inode =                selinux_task_to_inode,
5550
5551         .ipc_permission =               selinux_ipc_permission,
5552         .ipc_getsecid =                 selinux_ipc_getsecid,
5553
5554         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5555         .msg_msg_free_security =        selinux_msg_msg_free_security,
5556
5557         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5558         .msg_queue_free_security =      selinux_msg_queue_free_security,
5559         .msg_queue_associate =          selinux_msg_queue_associate,
5560         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5561         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5562         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5563
5564         .shm_alloc_security =           selinux_shm_alloc_security,
5565         .shm_free_security =            selinux_shm_free_security,
5566         .shm_associate =                selinux_shm_associate,
5567         .shm_shmctl =                   selinux_shm_shmctl,
5568         .shm_shmat =                    selinux_shm_shmat,
5569
5570         .sem_alloc_security =           selinux_sem_alloc_security,
5571         .sem_free_security =            selinux_sem_free_security,
5572         .sem_associate =                selinux_sem_associate,
5573         .sem_semctl =                   selinux_sem_semctl,
5574         .sem_semop =                    selinux_sem_semop,
5575
5576         .d_instantiate =                selinux_d_instantiate,
5577
5578         .getprocattr =                  selinux_getprocattr,
5579         .setprocattr =                  selinux_setprocattr,
5580
5581         .secid_to_secctx =              selinux_secid_to_secctx,
5582         .secctx_to_secid =              selinux_secctx_to_secid,
5583         .release_secctx =               selinux_release_secctx,
5584         .inode_notifysecctx =           selinux_inode_notifysecctx,
5585         .inode_setsecctx =              selinux_inode_setsecctx,
5586         .inode_getsecctx =              selinux_inode_getsecctx,
5587
5588         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5589         .unix_may_send =                selinux_socket_unix_may_send,
5590
5591         .socket_create =                selinux_socket_create,
5592         .socket_post_create =           selinux_socket_post_create,
5593         .socket_bind =                  selinux_socket_bind,
5594         .socket_connect =               selinux_socket_connect,
5595         .socket_listen =                selinux_socket_listen,
5596         .socket_accept =                selinux_socket_accept,
5597         .socket_sendmsg =               selinux_socket_sendmsg,
5598         .socket_recvmsg =               selinux_socket_recvmsg,
5599         .socket_getsockname =           selinux_socket_getsockname,
5600         .socket_getpeername =           selinux_socket_getpeername,
5601         .socket_getsockopt =            selinux_socket_getsockopt,
5602         .socket_setsockopt =            selinux_socket_setsockopt,
5603         .socket_shutdown =              selinux_socket_shutdown,
5604         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5605         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5606         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5607         .sk_alloc_security =            selinux_sk_alloc_security,
5608         .sk_free_security =             selinux_sk_free_security,
5609         .sk_clone_security =            selinux_sk_clone_security,
5610         .sk_getsecid =                  selinux_sk_getsecid,
5611         .sock_graft =                   selinux_sock_graft,
5612         .inet_conn_request =            selinux_inet_conn_request,
5613         .inet_csk_clone =               selinux_inet_csk_clone,
5614         .inet_conn_established =        selinux_inet_conn_established,
5615         .req_classify_flow =            selinux_req_classify_flow,
5616         .tun_dev_create =               selinux_tun_dev_create,
5617         .tun_dev_post_create =          selinux_tun_dev_post_create,
5618         .tun_dev_attach =               selinux_tun_dev_attach,
5619
5620 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5621         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5622         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5623         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5624         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5625         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5626         .xfrm_state_free_security =     selinux_xfrm_state_free,
5627         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5628         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5629         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5630         .xfrm_decode_session =          selinux_xfrm_decode_session,
5631 #endif
5632
5633 #ifdef CONFIG_KEYS
5634         .key_alloc =                    selinux_key_alloc,
5635         .key_free =                     selinux_key_free,
5636         .key_permission =               selinux_key_permission,
5637         .key_getsecurity =              selinux_key_getsecurity,
5638 #endif
5639
5640 #ifdef CONFIG_AUDIT
5641         .audit_rule_init =              selinux_audit_rule_init,
5642         .audit_rule_known =             selinux_audit_rule_known,
5643         .audit_rule_match =             selinux_audit_rule_match,
5644         .audit_rule_free =              selinux_audit_rule_free,
5645 #endif
5646 };
5647
5648 static __init int selinux_init(void)
5649 {
5650         if (!security_module_enable(&selinux_ops)) {
5651                 selinux_enabled = 0;
5652                 return 0;
5653         }
5654
5655         if (!selinux_enabled) {
5656                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5657                 return 0;
5658         }
5659
5660         printk(KERN_INFO "SELinux:  Initializing.\n");
5661
5662         /* Set the security state for the initial task. */
5663         cred_init_security();
5664
5665         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5666                                             sizeof(struct inode_security_struct),
5667                                             0, SLAB_PANIC, NULL);
5668         avc_init();
5669
5670         if (register_security(&selinux_ops))
5671                 panic("SELinux: Unable to register with kernel.\n");
5672
5673         if (selinux_enforcing)
5674                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5675         else
5676                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5677
5678         return 0;
5679 }
5680
5681 void selinux_complete_init(void)
5682 {
5683         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5684
5685         /* Set up any superblocks initialized prior to the policy load. */
5686         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5687         spin_lock(&sb_lock);
5688         spin_lock(&sb_security_lock);
5689 next_sb:
5690         if (!list_empty(&superblock_security_head)) {
5691                 struct superblock_security_struct *sbsec =
5692                                 list_entry(superblock_security_head.next,
5693                                            struct superblock_security_struct,
5694                                            list);
5695                 struct super_block *sb = sbsec->sb;
5696                 sb->s_count++;
5697                 spin_unlock(&sb_security_lock);
5698                 spin_unlock(&sb_lock);
5699                 down_read(&sb->s_umount);
5700                 if (sb->s_root)
5701                         superblock_doinit(sb, NULL);
5702                 drop_super(sb);
5703                 spin_lock(&sb_lock);
5704                 spin_lock(&sb_security_lock);
5705                 list_del_init(&sbsec->list);
5706                 goto next_sb;
5707         }
5708         spin_unlock(&sb_security_lock);
5709         spin_unlock(&sb_lock);
5710 }
5711
5712 /* SELinux requires early initialization in order to label
5713    all processes and objects when they are created. */
5714 security_initcall(selinux_init);
5715
5716 #if defined(CONFIG_NETFILTER)
5717
5718 static struct nf_hook_ops selinux_ipv4_ops[] = {
5719         {
5720                 .hook =         selinux_ipv4_postroute,
5721                 .owner =        THIS_MODULE,
5722                 .pf =           PF_INET,
5723                 .hooknum =      NF_INET_POST_ROUTING,
5724                 .priority =     NF_IP_PRI_SELINUX_LAST,
5725         },
5726         {
5727                 .hook =         selinux_ipv4_forward,
5728                 .owner =        THIS_MODULE,
5729                 .pf =           PF_INET,
5730                 .hooknum =      NF_INET_FORWARD,
5731                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5732         },
5733         {
5734                 .hook =         selinux_ipv4_output,
5735                 .owner =        THIS_MODULE,
5736                 .pf =           PF_INET,
5737                 .hooknum =      NF_INET_LOCAL_OUT,
5738                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5739         }
5740 };
5741
5742 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5743
5744 static struct nf_hook_ops selinux_ipv6_ops[] = {
5745         {
5746                 .hook =         selinux_ipv6_postroute,
5747                 .owner =        THIS_MODULE,
5748                 .pf =           PF_INET6,
5749                 .hooknum =      NF_INET_POST_ROUTING,
5750                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5751         },
5752         {
5753                 .hook =         selinux_ipv6_forward,
5754                 .owner =        THIS_MODULE,
5755                 .pf =           PF_INET6,
5756                 .hooknum =      NF_INET_FORWARD,
5757                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5758         }
5759 };
5760
5761 #endif  /* IPV6 */
5762
5763 static int __init selinux_nf_ip_init(void)
5764 {
5765         int err = 0;
5766
5767         if (!selinux_enabled)
5768                 goto out;
5769
5770         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5771
5772         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5773         if (err)
5774                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5775
5776 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5777         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5778         if (err)
5779                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5780 #endif  /* IPV6 */
5781
5782 out:
5783         return err;
5784 }
5785
5786 __initcall(selinux_nf_ip_init);
5787
5788 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5789 static void selinux_nf_ip_exit(void)
5790 {
5791         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5792
5793         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5794 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5795         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5796 #endif  /* IPV6 */
5797 }
5798 #endif
5799
5800 #else /* CONFIG_NETFILTER */
5801
5802 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5803 #define selinux_nf_ip_exit()
5804 #endif
5805
5806 #endif /* CONFIG_NETFILTER */
5807
5808 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5809 static int selinux_disabled;
5810
5811 int selinux_disable(void)
5812 {
5813         extern void exit_sel_fs(void);
5814
5815         if (ss_initialized) {
5816                 /* Not permitted after initial policy load. */
5817                 return -EINVAL;
5818         }
5819
5820         if (selinux_disabled) {
5821                 /* Only do this once. */
5822                 return -EINVAL;
5823         }
5824
5825         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5826
5827         selinux_disabled = 1;
5828         selinux_enabled = 0;
5829
5830         reset_security_ops();
5831
5832         /* Try to destroy the avc node cache */
5833         avc_disable();
5834
5835         /* Unregister netfilter hooks. */
5836         selinux_nf_ip_exit();
5837
5838         /* Unregister selinuxfs. */
5839         exit_sel_fs();
5840
5841         return 0;
5842 }
5843 #endif