security: report the module name to security_module_request
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 5
93
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern struct security_operations *security_ops;
96
97 /* SECMARK reference count */
98 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105         unsigned long enforcing;
106         if (!strict_strtoul(str, 0, &enforcing))
107                 selinux_enforcing = enforcing ? 1 : 0;
108         return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118         unsigned long enabled;
119         if (!strict_strtoul(str, 0, &enabled))
120                 selinux_enabled = enabled ? 1 : 0;
121         return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128
129 /*
130  * Minimal support for a secondary security module,
131  * just to allow the use of the capability module.
132  */
133 static struct security_operations *secondary_ops;
134
135 /* Lists of inode and superblock security structures initialized
136    before the policy was loaded. */
137 static LIST_HEAD(superblock_security_head);
138 static DEFINE_SPINLOCK(sb_security_lock);
139
140 static struct kmem_cache *sel_inode_cache;
141
142 /**
143  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
144  *
145  * Description:
146  * This function checks the SECMARK reference counter to see if any SECMARK
147  * targets are currently configured, if the reference counter is greater than
148  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
149  * enabled, false (0) if SECMARK is disabled.
150  *
151  */
152 static int selinux_secmark_enabled(void)
153 {
154         return (atomic_read(&selinux_secmark_refcount) > 0);
155 }
156
157 /*
158  * initialise the security for the init task
159  */
160 static void cred_init_security(void)
161 {
162         struct cred *cred = (struct cred *) current->real_cred;
163         struct task_security_struct *tsec;
164
165         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
166         if (!tsec)
167                 panic("SELinux:  Failed to initialize initial task.\n");
168
169         tsec->osid = tsec->sid = SECINITSID_KERNEL;
170         cred->security = tsec;
171 }
172
173 /*
174  * get the security ID of a set of credentials
175  */
176 static inline u32 cred_sid(const struct cred *cred)
177 {
178         const struct task_security_struct *tsec;
179
180         tsec = cred->security;
181         return tsec->sid;
182 }
183
184 /*
185  * get the objective security ID of a task
186  */
187 static inline u32 task_sid(const struct task_struct *task)
188 {
189         u32 sid;
190
191         rcu_read_lock();
192         sid = cred_sid(__task_cred(task));
193         rcu_read_unlock();
194         return sid;
195 }
196
197 /*
198  * get the subjective security ID of the current task
199  */
200 static inline u32 current_sid(void)
201 {
202         const struct task_security_struct *tsec = current_cred()->security;
203
204         return tsec->sid;
205 }
206
207 /* Allocate and free functions for each kind of security blob. */
208
209 static int inode_alloc_security(struct inode *inode)
210 {
211         struct inode_security_struct *isec;
212         u32 sid = current_sid();
213
214         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
215         if (!isec)
216                 return -ENOMEM;
217
218         mutex_init(&isec->lock);
219         INIT_LIST_HEAD(&isec->list);
220         isec->inode = inode;
221         isec->sid = SECINITSID_UNLABELED;
222         isec->sclass = SECCLASS_FILE;
223         isec->task_sid = sid;
224         inode->i_security = isec;
225
226         return 0;
227 }
228
229 static void inode_free_security(struct inode *inode)
230 {
231         struct inode_security_struct *isec = inode->i_security;
232         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
233
234         spin_lock(&sbsec->isec_lock);
235         if (!list_empty(&isec->list))
236                 list_del_init(&isec->list);
237         spin_unlock(&sbsec->isec_lock);
238
239         inode->i_security = NULL;
240         kmem_cache_free(sel_inode_cache, isec);
241 }
242
243 static int file_alloc_security(struct file *file)
244 {
245         struct file_security_struct *fsec;
246         u32 sid = current_sid();
247
248         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
249         if (!fsec)
250                 return -ENOMEM;
251
252         fsec->sid = sid;
253         fsec->fown_sid = sid;
254         file->f_security = fsec;
255
256         return 0;
257 }
258
259 static void file_free_security(struct file *file)
260 {
261         struct file_security_struct *fsec = file->f_security;
262         file->f_security = NULL;
263         kfree(fsec);
264 }
265
266 static int superblock_alloc_security(struct super_block *sb)
267 {
268         struct superblock_security_struct *sbsec;
269
270         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
271         if (!sbsec)
272                 return -ENOMEM;
273
274         mutex_init(&sbsec->lock);
275         INIT_LIST_HEAD(&sbsec->list);
276         INIT_LIST_HEAD(&sbsec->isec_head);
277         spin_lock_init(&sbsec->isec_lock);
278         sbsec->sb = sb;
279         sbsec->sid = SECINITSID_UNLABELED;
280         sbsec->def_sid = SECINITSID_FILE;
281         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
282         sb->s_security = sbsec;
283
284         return 0;
285 }
286
287 static void superblock_free_security(struct super_block *sb)
288 {
289         struct superblock_security_struct *sbsec = sb->s_security;
290
291         spin_lock(&sb_security_lock);
292         if (!list_empty(&sbsec->list))
293                 list_del_init(&sbsec->list);
294         spin_unlock(&sb_security_lock);
295
296         sb->s_security = NULL;
297         kfree(sbsec);
298 }
299
300 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
301 {
302         struct sk_security_struct *ssec;
303
304         ssec = kzalloc(sizeof(*ssec), priority);
305         if (!ssec)
306                 return -ENOMEM;
307
308         ssec->peer_sid = SECINITSID_UNLABELED;
309         ssec->sid = SECINITSID_UNLABELED;
310         sk->sk_security = ssec;
311
312         selinux_netlbl_sk_security_reset(ssec);
313
314         return 0;
315 }
316
317 static void sk_free_security(struct sock *sk)
318 {
319         struct sk_security_struct *ssec = sk->sk_security;
320
321         sk->sk_security = NULL;
322         selinux_netlbl_sk_security_free(ssec);
323         kfree(ssec);
324 }
325
326 /* The security server must be initialized before
327    any labeling or access decisions can be provided. */
328 extern int ss_initialized;
329
330 /* The file system's label must be initialized prior to use. */
331
332 static char *labeling_behaviors[6] = {
333         "uses xattr",
334         "uses transition SIDs",
335         "uses task SIDs",
336         "uses genfs_contexts",
337         "not configured for labeling",
338         "uses mountpoint labeling",
339 };
340
341 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
342
343 static inline int inode_doinit(struct inode *inode)
344 {
345         return inode_doinit_with_dentry(inode, NULL);
346 }
347
348 enum {
349         Opt_error = -1,
350         Opt_context = 1,
351         Opt_fscontext = 2,
352         Opt_defcontext = 3,
353         Opt_rootcontext = 4,
354         Opt_labelsupport = 5,
355 };
356
357 static const match_table_t tokens = {
358         {Opt_context, CONTEXT_STR "%s"},
359         {Opt_fscontext, FSCONTEXT_STR "%s"},
360         {Opt_defcontext, DEFCONTEXT_STR "%s"},
361         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
362         {Opt_labelsupport, LABELSUPP_STR},
363         {Opt_error, NULL},
364 };
365
366 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
367
368 static int may_context_mount_sb_relabel(u32 sid,
369                         struct superblock_security_struct *sbsec,
370                         const struct cred *cred)
371 {
372         const struct task_security_struct *tsec = cred->security;
373         int rc;
374
375         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376                           FILESYSTEM__RELABELFROM, NULL);
377         if (rc)
378                 return rc;
379
380         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381                           FILESYSTEM__RELABELTO, NULL);
382         return rc;
383 }
384
385 static int may_context_mount_inode_relabel(u32 sid,
386                         struct superblock_security_struct *sbsec,
387                         const struct cred *cred)
388 {
389         const struct task_security_struct *tsec = cred->security;
390         int rc;
391         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392                           FILESYSTEM__RELABELFROM, NULL);
393         if (rc)
394                 return rc;
395
396         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397                           FILESYSTEM__ASSOCIATE, NULL);
398         return rc;
399 }
400
401 static int sb_finish_set_opts(struct super_block *sb)
402 {
403         struct superblock_security_struct *sbsec = sb->s_security;
404         struct dentry *root = sb->s_root;
405         struct inode *root_inode = root->d_inode;
406         int rc = 0;
407
408         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409                 /* Make sure that the xattr handler exists and that no
410                    error other than -ENODATA is returned by getxattr on
411                    the root directory.  -ENODATA is ok, as this may be
412                    the first boot of the SELinux kernel before we have
413                    assigned xattr values to the filesystem. */
414                 if (!root_inode->i_op->getxattr) {
415                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416                                "xattr support\n", sb->s_id, sb->s_type->name);
417                         rc = -EOPNOTSUPP;
418                         goto out;
419                 }
420                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421                 if (rc < 0 && rc != -ENODATA) {
422                         if (rc == -EOPNOTSUPP)
423                                 printk(KERN_WARNING "SELinux: (dev %s, type "
424                                        "%s) has no security xattr handler\n",
425                                        sb->s_id, sb->s_type->name);
426                         else
427                                 printk(KERN_WARNING "SELinux: (dev %s, type "
428                                        "%s) getxattr errno %d\n", sb->s_id,
429                                        sb->s_type->name, -rc);
430                         goto out;
431                 }
432         }
433
434         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
435
436         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438                        sb->s_id, sb->s_type->name);
439         else
440                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441                        sb->s_id, sb->s_type->name,
442                        labeling_behaviors[sbsec->behavior-1]);
443
444         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
445             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
446             sbsec->behavior == SECURITY_FS_USE_NONE ||
447             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
448                 sbsec->flags &= ~SE_SBLABELSUPP;
449
450         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
451         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
452                 sbsec->flags |= SE_SBLABELSUPP;
453
454         /* Initialize the root inode. */
455         rc = inode_doinit_with_dentry(root_inode, root);
456
457         /* Initialize any other inodes associated with the superblock, e.g.
458            inodes created prior to initial policy load or inodes created
459            during get_sb by a pseudo filesystem that directly
460            populates itself. */
461         spin_lock(&sbsec->isec_lock);
462 next_inode:
463         if (!list_empty(&sbsec->isec_head)) {
464                 struct inode_security_struct *isec =
465                                 list_entry(sbsec->isec_head.next,
466                                            struct inode_security_struct, list);
467                 struct inode *inode = isec->inode;
468                 spin_unlock(&sbsec->isec_lock);
469                 inode = igrab(inode);
470                 if (inode) {
471                         if (!IS_PRIVATE(inode))
472                                 inode_doinit(inode);
473                         iput(inode);
474                 }
475                 spin_lock(&sbsec->isec_lock);
476                 list_del_init(&isec->list);
477                 goto next_inode;
478         }
479         spin_unlock(&sbsec->isec_lock);
480 out:
481         return rc;
482 }
483
484 /*
485  * This function should allow an FS to ask what it's mount security
486  * options were so it can use those later for submounts, displaying
487  * mount options, or whatever.
488  */
489 static int selinux_get_mnt_opts(const struct super_block *sb,
490                                 struct security_mnt_opts *opts)
491 {
492         int rc = 0, i;
493         struct superblock_security_struct *sbsec = sb->s_security;
494         char *context = NULL;
495         u32 len;
496         char tmp;
497
498         security_init_mnt_opts(opts);
499
500         if (!(sbsec->flags & SE_SBINITIALIZED))
501                 return -EINVAL;
502
503         if (!ss_initialized)
504                 return -EINVAL;
505
506         tmp = sbsec->flags & SE_MNTMASK;
507         /* count the number of mount options for this sb */
508         for (i = 0; i < 8; i++) {
509                 if (tmp & 0x01)
510                         opts->num_mnt_opts++;
511                 tmp >>= 1;
512         }
513         /* Check if the Label support flag is set */
514         if (sbsec->flags & SE_SBLABELSUPP)
515                 opts->num_mnt_opts++;
516
517         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
518         if (!opts->mnt_opts) {
519                 rc = -ENOMEM;
520                 goto out_free;
521         }
522
523         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
524         if (!opts->mnt_opts_flags) {
525                 rc = -ENOMEM;
526                 goto out_free;
527         }
528
529         i = 0;
530         if (sbsec->flags & FSCONTEXT_MNT) {
531                 rc = security_sid_to_context(sbsec->sid, &context, &len);
532                 if (rc)
533                         goto out_free;
534                 opts->mnt_opts[i] = context;
535                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
536         }
537         if (sbsec->flags & CONTEXT_MNT) {
538                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
539                 if (rc)
540                         goto out_free;
541                 opts->mnt_opts[i] = context;
542                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
543         }
544         if (sbsec->flags & DEFCONTEXT_MNT) {
545                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
546                 if (rc)
547                         goto out_free;
548                 opts->mnt_opts[i] = context;
549                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
550         }
551         if (sbsec->flags & ROOTCONTEXT_MNT) {
552                 struct inode *root = sbsec->sb->s_root->d_inode;
553                 struct inode_security_struct *isec = root->i_security;
554
555                 rc = security_sid_to_context(isec->sid, &context, &len);
556                 if (rc)
557                         goto out_free;
558                 opts->mnt_opts[i] = context;
559                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
560         }
561         if (sbsec->flags & SE_SBLABELSUPP) {
562                 opts->mnt_opts[i] = NULL;
563                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
564         }
565
566         BUG_ON(i != opts->num_mnt_opts);
567
568         return 0;
569
570 out_free:
571         security_free_mnt_opts(opts);
572         return rc;
573 }
574
575 static int bad_option(struct superblock_security_struct *sbsec, char flag,
576                       u32 old_sid, u32 new_sid)
577 {
578         char mnt_flags = sbsec->flags & SE_MNTMASK;
579
580         /* check if the old mount command had the same options */
581         if (sbsec->flags & SE_SBINITIALIZED)
582                 if (!(sbsec->flags & flag) ||
583                     (old_sid != new_sid))
584                         return 1;
585
586         /* check if we were passed the same options twice,
587          * aka someone passed context=a,context=b
588          */
589         if (!(sbsec->flags & SE_SBINITIALIZED))
590                 if (mnt_flags & flag)
591                         return 1;
592         return 0;
593 }
594
595 /*
596  * Allow filesystems with binary mount data to explicitly set mount point
597  * labeling information.
598  */
599 static int selinux_set_mnt_opts(struct super_block *sb,
600                                 struct security_mnt_opts *opts)
601 {
602         const struct cred *cred = current_cred();
603         int rc = 0, i;
604         struct superblock_security_struct *sbsec = sb->s_security;
605         const char *name = sb->s_type->name;
606         struct inode *inode = sbsec->sb->s_root->d_inode;
607         struct inode_security_struct *root_isec = inode->i_security;
608         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
609         u32 defcontext_sid = 0;
610         char **mount_options = opts->mnt_opts;
611         int *flags = opts->mnt_opts_flags;
612         int num_opts = opts->num_mnt_opts;
613
614         mutex_lock(&sbsec->lock);
615
616         if (!ss_initialized) {
617                 if (!num_opts) {
618                         /* Defer initialization until selinux_complete_init,
619                            after the initial policy is loaded and the security
620                            server is ready to handle calls. */
621                         spin_lock(&sb_security_lock);
622                         if (list_empty(&sbsec->list))
623                                 list_add(&sbsec->list, &superblock_security_head);
624                         spin_unlock(&sb_security_lock);
625                         goto out;
626                 }
627                 rc = -EINVAL;
628                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
629                         "before the security server is initialized\n");
630                 goto out;
631         }
632
633         /*
634          * Binary mount data FS will come through this function twice.  Once
635          * from an explicit call and once from the generic calls from the vfs.
636          * Since the generic VFS calls will not contain any security mount data
637          * we need to skip the double mount verification.
638          *
639          * This does open a hole in which we will not notice if the first
640          * mount using this sb set explict options and a second mount using
641          * this sb does not set any security options.  (The first options
642          * will be used for both mounts)
643          */
644         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
645             && (num_opts == 0))
646                 goto out;
647
648         /*
649          * parse the mount options, check if they are valid sids.
650          * also check if someone is trying to mount the same sb more
651          * than once with different security options.
652          */
653         for (i = 0; i < num_opts; i++) {
654                 u32 sid;
655
656                 if (flags[i] == SE_SBLABELSUPP)
657                         continue;
658                 rc = security_context_to_sid(mount_options[i],
659                                              strlen(mount_options[i]), &sid);
660                 if (rc) {
661                         printk(KERN_WARNING "SELinux: security_context_to_sid"
662                                "(%s) failed for (dev %s, type %s) errno=%d\n",
663                                mount_options[i], sb->s_id, name, rc);
664                         goto out;
665                 }
666                 switch (flags[i]) {
667                 case FSCONTEXT_MNT:
668                         fscontext_sid = sid;
669
670                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
671                                         fscontext_sid))
672                                 goto out_double_mount;
673
674                         sbsec->flags |= FSCONTEXT_MNT;
675                         break;
676                 case CONTEXT_MNT:
677                         context_sid = sid;
678
679                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
680                                         context_sid))
681                                 goto out_double_mount;
682
683                         sbsec->flags |= CONTEXT_MNT;
684                         break;
685                 case ROOTCONTEXT_MNT:
686                         rootcontext_sid = sid;
687
688                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
689                                         rootcontext_sid))
690                                 goto out_double_mount;
691
692                         sbsec->flags |= ROOTCONTEXT_MNT;
693
694                         break;
695                 case DEFCONTEXT_MNT:
696                         defcontext_sid = sid;
697
698                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
699                                         defcontext_sid))
700                                 goto out_double_mount;
701
702                         sbsec->flags |= DEFCONTEXT_MNT;
703
704                         break;
705                 default:
706                         rc = -EINVAL;
707                         goto out;
708                 }
709         }
710
711         if (sbsec->flags & SE_SBINITIALIZED) {
712                 /* previously mounted with options, but not on this attempt? */
713                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
714                         goto out_double_mount;
715                 rc = 0;
716                 goto out;
717         }
718
719         if (strcmp(sb->s_type->name, "proc") == 0)
720                 sbsec->flags |= SE_SBPROC;
721
722         /* Determine the labeling behavior to use for this filesystem type. */
723         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
724         if (rc) {
725                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
726                        __func__, sb->s_type->name, rc);
727                 goto out;
728         }
729
730         /* sets the context of the superblock for the fs being mounted. */
731         if (fscontext_sid) {
732                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
733                 if (rc)
734                         goto out;
735
736                 sbsec->sid = fscontext_sid;
737         }
738
739         /*
740          * Switch to using mount point labeling behavior.
741          * sets the label used on all file below the mountpoint, and will set
742          * the superblock context if not already set.
743          */
744         if (context_sid) {
745                 if (!fscontext_sid) {
746                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
747                                                           cred);
748                         if (rc)
749                                 goto out;
750                         sbsec->sid = context_sid;
751                 } else {
752                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
753                                                              cred);
754                         if (rc)
755                                 goto out;
756                 }
757                 if (!rootcontext_sid)
758                         rootcontext_sid = context_sid;
759
760                 sbsec->mntpoint_sid = context_sid;
761                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
762         }
763
764         if (rootcontext_sid) {
765                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
766                                                      cred);
767                 if (rc)
768                         goto out;
769
770                 root_isec->sid = rootcontext_sid;
771                 root_isec->initialized = 1;
772         }
773
774         if (defcontext_sid) {
775                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
776                         rc = -EINVAL;
777                         printk(KERN_WARNING "SELinux: defcontext option is "
778                                "invalid for this filesystem type\n");
779                         goto out;
780                 }
781
782                 if (defcontext_sid != sbsec->def_sid) {
783                         rc = may_context_mount_inode_relabel(defcontext_sid,
784                                                              sbsec, cred);
785                         if (rc)
786                                 goto out;
787                 }
788
789                 sbsec->def_sid = defcontext_sid;
790         }
791
792         rc = sb_finish_set_opts(sb);
793 out:
794         mutex_unlock(&sbsec->lock);
795         return rc;
796 out_double_mount:
797         rc = -EINVAL;
798         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
799                "security settings for (dev %s, type %s)\n", sb->s_id, name);
800         goto out;
801 }
802
803 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
804                                         struct super_block *newsb)
805 {
806         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
807         struct superblock_security_struct *newsbsec = newsb->s_security;
808
809         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
810         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
811         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
812
813         /*
814          * if the parent was able to be mounted it clearly had no special lsm
815          * mount options.  thus we can safely put this sb on the list and deal
816          * with it later
817          */
818         if (!ss_initialized) {
819                 spin_lock(&sb_security_lock);
820                 if (list_empty(&newsbsec->list))
821                         list_add(&newsbsec->list, &superblock_security_head);
822                 spin_unlock(&sb_security_lock);
823                 return;
824         }
825
826         /* how can we clone if the old one wasn't set up?? */
827         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
828
829         /* if fs is reusing a sb, just let its options stand... */
830         if (newsbsec->flags & SE_SBINITIALIZED)
831                 return;
832
833         mutex_lock(&newsbsec->lock);
834
835         newsbsec->flags = oldsbsec->flags;
836
837         newsbsec->sid = oldsbsec->sid;
838         newsbsec->def_sid = oldsbsec->def_sid;
839         newsbsec->behavior = oldsbsec->behavior;
840
841         if (set_context) {
842                 u32 sid = oldsbsec->mntpoint_sid;
843
844                 if (!set_fscontext)
845                         newsbsec->sid = sid;
846                 if (!set_rootcontext) {
847                         struct inode *newinode = newsb->s_root->d_inode;
848                         struct inode_security_struct *newisec = newinode->i_security;
849                         newisec->sid = sid;
850                 }
851                 newsbsec->mntpoint_sid = sid;
852         }
853         if (set_rootcontext) {
854                 const struct inode *oldinode = oldsb->s_root->d_inode;
855                 const struct inode_security_struct *oldisec = oldinode->i_security;
856                 struct inode *newinode = newsb->s_root->d_inode;
857                 struct inode_security_struct *newisec = newinode->i_security;
858
859                 newisec->sid = oldisec->sid;
860         }
861
862         sb_finish_set_opts(newsb);
863         mutex_unlock(&newsbsec->lock);
864 }
865
866 static int selinux_parse_opts_str(char *options,
867                                   struct security_mnt_opts *opts)
868 {
869         char *p;
870         char *context = NULL, *defcontext = NULL;
871         char *fscontext = NULL, *rootcontext = NULL;
872         int rc, num_mnt_opts = 0;
873
874         opts->num_mnt_opts = 0;
875
876         /* Standard string-based options. */
877         while ((p = strsep(&options, "|")) != NULL) {
878                 int token;
879                 substring_t args[MAX_OPT_ARGS];
880
881                 if (!*p)
882                         continue;
883
884                 token = match_token(p, tokens, args);
885
886                 switch (token) {
887                 case Opt_context:
888                         if (context || defcontext) {
889                                 rc = -EINVAL;
890                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
891                                 goto out_err;
892                         }
893                         context = match_strdup(&args[0]);
894                         if (!context) {
895                                 rc = -ENOMEM;
896                                 goto out_err;
897                         }
898                         break;
899
900                 case Opt_fscontext:
901                         if (fscontext) {
902                                 rc = -EINVAL;
903                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
904                                 goto out_err;
905                         }
906                         fscontext = match_strdup(&args[0]);
907                         if (!fscontext) {
908                                 rc = -ENOMEM;
909                                 goto out_err;
910                         }
911                         break;
912
913                 case Opt_rootcontext:
914                         if (rootcontext) {
915                                 rc = -EINVAL;
916                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
917                                 goto out_err;
918                         }
919                         rootcontext = match_strdup(&args[0]);
920                         if (!rootcontext) {
921                                 rc = -ENOMEM;
922                                 goto out_err;
923                         }
924                         break;
925
926                 case Opt_defcontext:
927                         if (context || defcontext) {
928                                 rc = -EINVAL;
929                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
930                                 goto out_err;
931                         }
932                         defcontext = match_strdup(&args[0]);
933                         if (!defcontext) {
934                                 rc = -ENOMEM;
935                                 goto out_err;
936                         }
937                         break;
938                 case Opt_labelsupport:
939                         break;
940                 default:
941                         rc = -EINVAL;
942                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
943                         goto out_err;
944
945                 }
946         }
947
948         rc = -ENOMEM;
949         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
950         if (!opts->mnt_opts)
951                 goto out_err;
952
953         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
954         if (!opts->mnt_opts_flags) {
955                 kfree(opts->mnt_opts);
956                 goto out_err;
957         }
958
959         if (fscontext) {
960                 opts->mnt_opts[num_mnt_opts] = fscontext;
961                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
962         }
963         if (context) {
964                 opts->mnt_opts[num_mnt_opts] = context;
965                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
966         }
967         if (rootcontext) {
968                 opts->mnt_opts[num_mnt_opts] = rootcontext;
969                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
970         }
971         if (defcontext) {
972                 opts->mnt_opts[num_mnt_opts] = defcontext;
973                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
974         }
975
976         opts->num_mnt_opts = num_mnt_opts;
977         return 0;
978
979 out_err:
980         kfree(context);
981         kfree(defcontext);
982         kfree(fscontext);
983         kfree(rootcontext);
984         return rc;
985 }
986 /*
987  * string mount options parsing and call set the sbsec
988  */
989 static int superblock_doinit(struct super_block *sb, void *data)
990 {
991         int rc = 0;
992         char *options = data;
993         struct security_mnt_opts opts;
994
995         security_init_mnt_opts(&opts);
996
997         if (!data)
998                 goto out;
999
1000         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1001
1002         rc = selinux_parse_opts_str(options, &opts);
1003         if (rc)
1004                 goto out_err;
1005
1006 out:
1007         rc = selinux_set_mnt_opts(sb, &opts);
1008
1009 out_err:
1010         security_free_mnt_opts(&opts);
1011         return rc;
1012 }
1013
1014 static void selinux_write_opts(struct seq_file *m,
1015                                struct security_mnt_opts *opts)
1016 {
1017         int i;
1018         char *prefix;
1019
1020         for (i = 0; i < opts->num_mnt_opts; i++) {
1021                 char *has_comma;
1022
1023                 if (opts->mnt_opts[i])
1024                         has_comma = strchr(opts->mnt_opts[i], ',');
1025                 else
1026                         has_comma = NULL;
1027
1028                 switch (opts->mnt_opts_flags[i]) {
1029                 case CONTEXT_MNT:
1030                         prefix = CONTEXT_STR;
1031                         break;
1032                 case FSCONTEXT_MNT:
1033                         prefix = FSCONTEXT_STR;
1034                         break;
1035                 case ROOTCONTEXT_MNT:
1036                         prefix = ROOTCONTEXT_STR;
1037                         break;
1038                 case DEFCONTEXT_MNT:
1039                         prefix = DEFCONTEXT_STR;
1040                         break;
1041                 case SE_SBLABELSUPP:
1042                         seq_putc(m, ',');
1043                         seq_puts(m, LABELSUPP_STR);
1044                         continue;
1045                 default:
1046                         BUG();
1047                 };
1048                 /* we need a comma before each option */
1049                 seq_putc(m, ',');
1050                 seq_puts(m, prefix);
1051                 if (has_comma)
1052                         seq_putc(m, '\"');
1053                 seq_puts(m, opts->mnt_opts[i]);
1054                 if (has_comma)
1055                         seq_putc(m, '\"');
1056         }
1057 }
1058
1059 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1060 {
1061         struct security_mnt_opts opts;
1062         int rc;
1063
1064         rc = selinux_get_mnt_opts(sb, &opts);
1065         if (rc) {
1066                 /* before policy load we may get EINVAL, don't show anything */
1067                 if (rc == -EINVAL)
1068                         rc = 0;
1069                 return rc;
1070         }
1071
1072         selinux_write_opts(m, &opts);
1073
1074         security_free_mnt_opts(&opts);
1075
1076         return rc;
1077 }
1078
1079 static inline u16 inode_mode_to_security_class(umode_t mode)
1080 {
1081         switch (mode & S_IFMT) {
1082         case S_IFSOCK:
1083                 return SECCLASS_SOCK_FILE;
1084         case S_IFLNK:
1085                 return SECCLASS_LNK_FILE;
1086         case S_IFREG:
1087                 return SECCLASS_FILE;
1088         case S_IFBLK:
1089                 return SECCLASS_BLK_FILE;
1090         case S_IFDIR:
1091                 return SECCLASS_DIR;
1092         case S_IFCHR:
1093                 return SECCLASS_CHR_FILE;
1094         case S_IFIFO:
1095                 return SECCLASS_FIFO_FILE;
1096
1097         }
1098
1099         return SECCLASS_FILE;
1100 }
1101
1102 static inline int default_protocol_stream(int protocol)
1103 {
1104         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1105 }
1106
1107 static inline int default_protocol_dgram(int protocol)
1108 {
1109         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1110 }
1111
1112 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1113 {
1114         switch (family) {
1115         case PF_UNIX:
1116                 switch (type) {
1117                 case SOCK_STREAM:
1118                 case SOCK_SEQPACKET:
1119                         return SECCLASS_UNIX_STREAM_SOCKET;
1120                 case SOCK_DGRAM:
1121                         return SECCLASS_UNIX_DGRAM_SOCKET;
1122                 }
1123                 break;
1124         case PF_INET:
1125         case PF_INET6:
1126                 switch (type) {
1127                 case SOCK_STREAM:
1128                         if (default_protocol_stream(protocol))
1129                                 return SECCLASS_TCP_SOCKET;
1130                         else
1131                                 return SECCLASS_RAWIP_SOCKET;
1132                 case SOCK_DGRAM:
1133                         if (default_protocol_dgram(protocol))
1134                                 return SECCLASS_UDP_SOCKET;
1135                         else
1136                                 return SECCLASS_RAWIP_SOCKET;
1137                 case SOCK_DCCP:
1138                         return SECCLASS_DCCP_SOCKET;
1139                 default:
1140                         return SECCLASS_RAWIP_SOCKET;
1141                 }
1142                 break;
1143         case PF_NETLINK:
1144                 switch (protocol) {
1145                 case NETLINK_ROUTE:
1146                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1147                 case NETLINK_FIREWALL:
1148                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1149                 case NETLINK_INET_DIAG:
1150                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1151                 case NETLINK_NFLOG:
1152                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1153                 case NETLINK_XFRM:
1154                         return SECCLASS_NETLINK_XFRM_SOCKET;
1155                 case NETLINK_SELINUX:
1156                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1157                 case NETLINK_AUDIT:
1158                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1159                 case NETLINK_IP6_FW:
1160                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1161                 case NETLINK_DNRTMSG:
1162                         return SECCLASS_NETLINK_DNRT_SOCKET;
1163                 case NETLINK_KOBJECT_UEVENT:
1164                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1165                 default:
1166                         return SECCLASS_NETLINK_SOCKET;
1167                 }
1168         case PF_PACKET:
1169                 return SECCLASS_PACKET_SOCKET;
1170         case PF_KEY:
1171                 return SECCLASS_KEY_SOCKET;
1172         case PF_APPLETALK:
1173                 return SECCLASS_APPLETALK_SOCKET;
1174         }
1175
1176         return SECCLASS_SOCKET;
1177 }
1178
1179 #ifdef CONFIG_PROC_FS
1180 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1181                                 u16 tclass,
1182                                 u32 *sid)
1183 {
1184         int buflen, rc;
1185         char *buffer, *path, *end;
1186
1187         buffer = (char *)__get_free_page(GFP_KERNEL);
1188         if (!buffer)
1189                 return -ENOMEM;
1190
1191         buflen = PAGE_SIZE;
1192         end = buffer+buflen;
1193         *--end = '\0';
1194         buflen--;
1195         path = end-1;
1196         *path = '/';
1197         while (de && de != de->parent) {
1198                 buflen -= de->namelen + 1;
1199                 if (buflen < 0)
1200                         break;
1201                 end -= de->namelen;
1202                 memcpy(end, de->name, de->namelen);
1203                 *--end = '/';
1204                 path = end;
1205                 de = de->parent;
1206         }
1207         rc = security_genfs_sid("proc", path, tclass, sid);
1208         free_page((unsigned long)buffer);
1209         return rc;
1210 }
1211 #else
1212 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1213                                 u16 tclass,
1214                                 u32 *sid)
1215 {
1216         return -EINVAL;
1217 }
1218 #endif
1219
1220 /* The inode's security attributes must be initialized before first use. */
1221 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1222 {
1223         struct superblock_security_struct *sbsec = NULL;
1224         struct inode_security_struct *isec = inode->i_security;
1225         u32 sid;
1226         struct dentry *dentry;
1227 #define INITCONTEXTLEN 255
1228         char *context = NULL;
1229         unsigned len = 0;
1230         int rc = 0;
1231
1232         if (isec->initialized)
1233                 goto out;
1234
1235         mutex_lock(&isec->lock);
1236         if (isec->initialized)
1237                 goto out_unlock;
1238
1239         sbsec = inode->i_sb->s_security;
1240         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1241                 /* Defer initialization until selinux_complete_init,
1242                    after the initial policy is loaded and the security
1243                    server is ready to handle calls. */
1244                 spin_lock(&sbsec->isec_lock);
1245                 if (list_empty(&isec->list))
1246                         list_add(&isec->list, &sbsec->isec_head);
1247                 spin_unlock(&sbsec->isec_lock);
1248                 goto out_unlock;
1249         }
1250
1251         switch (sbsec->behavior) {
1252         case SECURITY_FS_USE_XATTR:
1253                 if (!inode->i_op->getxattr) {
1254                         isec->sid = sbsec->def_sid;
1255                         break;
1256                 }
1257
1258                 /* Need a dentry, since the xattr API requires one.
1259                    Life would be simpler if we could just pass the inode. */
1260                 if (opt_dentry) {
1261                         /* Called from d_instantiate or d_splice_alias. */
1262                         dentry = dget(opt_dentry);
1263                 } else {
1264                         /* Called from selinux_complete_init, try to find a dentry. */
1265                         dentry = d_find_alias(inode);
1266                 }
1267                 if (!dentry) {
1268                         /*
1269                          * this is can be hit on boot when a file is accessed
1270                          * before the policy is loaded.  When we load policy we
1271                          * may find inodes that have no dentry on the
1272                          * sbsec->isec_head list.  No reason to complain as these
1273                          * will get fixed up the next time we go through
1274                          * inode_doinit with a dentry, before these inodes could
1275                          * be used again by userspace.
1276                          */
1277                         goto out_unlock;
1278                 }
1279
1280                 len = INITCONTEXTLEN;
1281                 context = kmalloc(len+1, GFP_NOFS);
1282                 if (!context) {
1283                         rc = -ENOMEM;
1284                         dput(dentry);
1285                         goto out_unlock;
1286                 }
1287                 context[len] = '\0';
1288                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1289                                            context, len);
1290                 if (rc == -ERANGE) {
1291                         kfree(context);
1292
1293                         /* Need a larger buffer.  Query for the right size. */
1294                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1295                                                    NULL, 0);
1296                         if (rc < 0) {
1297                                 dput(dentry);
1298                                 goto out_unlock;
1299                         }
1300                         len = rc;
1301                         context = kmalloc(len+1, GFP_NOFS);
1302                         if (!context) {
1303                                 rc = -ENOMEM;
1304                                 dput(dentry);
1305                                 goto out_unlock;
1306                         }
1307                         context[len] = '\0';
1308                         rc = inode->i_op->getxattr(dentry,
1309                                                    XATTR_NAME_SELINUX,
1310                                                    context, len);
1311                 }
1312                 dput(dentry);
1313                 if (rc < 0) {
1314                         if (rc != -ENODATA) {
1315                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1316                                        "%d for dev=%s ino=%ld\n", __func__,
1317                                        -rc, inode->i_sb->s_id, inode->i_ino);
1318                                 kfree(context);
1319                                 goto out_unlock;
1320                         }
1321                         /* Map ENODATA to the default file SID */
1322                         sid = sbsec->def_sid;
1323                         rc = 0;
1324                 } else {
1325                         rc = security_context_to_sid_default(context, rc, &sid,
1326                                                              sbsec->def_sid,
1327                                                              GFP_NOFS);
1328                         if (rc) {
1329                                 char *dev = inode->i_sb->s_id;
1330                                 unsigned long ino = inode->i_ino;
1331
1332                                 if (rc == -EINVAL) {
1333                                         if (printk_ratelimit())
1334                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1335                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1336                                                         "filesystem in question.\n", ino, dev, context);
1337                                 } else {
1338                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1339                                                "returned %d for dev=%s ino=%ld\n",
1340                                                __func__, context, -rc, dev, ino);
1341                                 }
1342                                 kfree(context);
1343                                 /* Leave with the unlabeled SID */
1344                                 rc = 0;
1345                                 break;
1346                         }
1347                 }
1348                 kfree(context);
1349                 isec->sid = sid;
1350                 break;
1351         case SECURITY_FS_USE_TASK:
1352                 isec->sid = isec->task_sid;
1353                 break;
1354         case SECURITY_FS_USE_TRANS:
1355                 /* Default to the fs SID. */
1356                 isec->sid = sbsec->sid;
1357
1358                 /* Try to obtain a transition SID. */
1359                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1360                 rc = security_transition_sid(isec->task_sid,
1361                                              sbsec->sid,
1362                                              isec->sclass,
1363                                              &sid);
1364                 if (rc)
1365                         goto out_unlock;
1366                 isec->sid = sid;
1367                 break;
1368         case SECURITY_FS_USE_MNTPOINT:
1369                 isec->sid = sbsec->mntpoint_sid;
1370                 break;
1371         default:
1372                 /* Default to the fs superblock SID. */
1373                 isec->sid = sbsec->sid;
1374
1375                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1376                         struct proc_inode *proci = PROC_I(inode);
1377                         if (proci->pde) {
1378                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1379                                 rc = selinux_proc_get_sid(proci->pde,
1380                                                           isec->sclass,
1381                                                           &sid);
1382                                 if (rc)
1383                                         goto out_unlock;
1384                                 isec->sid = sid;
1385                         }
1386                 }
1387                 break;
1388         }
1389
1390         isec->initialized = 1;
1391
1392 out_unlock:
1393         mutex_unlock(&isec->lock);
1394 out:
1395         if (isec->sclass == SECCLASS_FILE)
1396                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1397         return rc;
1398 }
1399
1400 /* Convert a Linux signal to an access vector. */
1401 static inline u32 signal_to_av(int sig)
1402 {
1403         u32 perm = 0;
1404
1405         switch (sig) {
1406         case SIGCHLD:
1407                 /* Commonly granted from child to parent. */
1408                 perm = PROCESS__SIGCHLD;
1409                 break;
1410         case SIGKILL:
1411                 /* Cannot be caught or ignored */
1412                 perm = PROCESS__SIGKILL;
1413                 break;
1414         case SIGSTOP:
1415                 /* Cannot be caught or ignored */
1416                 perm = PROCESS__SIGSTOP;
1417                 break;
1418         default:
1419                 /* All other signals. */
1420                 perm = PROCESS__SIGNAL;
1421                 break;
1422         }
1423
1424         return perm;
1425 }
1426
1427 /*
1428  * Check permission between a pair of credentials
1429  * fork check, ptrace check, etc.
1430  */
1431 static int cred_has_perm(const struct cred *actor,
1432                          const struct cred *target,
1433                          u32 perms)
1434 {
1435         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1436
1437         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1438 }
1439
1440 /*
1441  * Check permission between a pair of tasks, e.g. signal checks,
1442  * fork check, ptrace check, etc.
1443  * tsk1 is the actor and tsk2 is the target
1444  * - this uses the default subjective creds of tsk1
1445  */
1446 static int task_has_perm(const struct task_struct *tsk1,
1447                          const struct task_struct *tsk2,
1448                          u32 perms)
1449 {
1450         const struct task_security_struct *__tsec1, *__tsec2;
1451         u32 sid1, sid2;
1452
1453         rcu_read_lock();
1454         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1455         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1456         rcu_read_unlock();
1457         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1458 }
1459
1460 /*
1461  * Check permission between current and another task, e.g. signal checks,
1462  * fork check, ptrace check, etc.
1463  * current is the actor and tsk2 is the target
1464  * - this uses current's subjective creds
1465  */
1466 static int current_has_perm(const struct task_struct *tsk,
1467                             u32 perms)
1468 {
1469         u32 sid, tsid;
1470
1471         sid = current_sid();
1472         tsid = task_sid(tsk);
1473         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1474 }
1475
1476 #if CAP_LAST_CAP > 63
1477 #error Fix SELinux to handle capabilities > 63.
1478 #endif
1479
1480 /* Check whether a task is allowed to use a capability. */
1481 static int task_has_capability(struct task_struct *tsk,
1482                                const struct cred *cred,
1483                                int cap, int audit)
1484 {
1485         struct common_audit_data ad;
1486         struct av_decision avd;
1487         u16 sclass;
1488         u32 sid = cred_sid(cred);
1489         u32 av = CAP_TO_MASK(cap);
1490         int rc;
1491
1492         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1493         ad.tsk = tsk;
1494         ad.u.cap = cap;
1495
1496         switch (CAP_TO_INDEX(cap)) {
1497         case 0:
1498                 sclass = SECCLASS_CAPABILITY;
1499                 break;
1500         case 1:
1501                 sclass = SECCLASS_CAPABILITY2;
1502                 break;
1503         default:
1504                 printk(KERN_ERR
1505                        "SELinux:  out of range capability %d\n", cap);
1506                 BUG();
1507         }
1508
1509         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1510         if (audit == SECURITY_CAP_AUDIT)
1511                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1512         return rc;
1513 }
1514
1515 /* Check whether a task is allowed to use a system operation. */
1516 static int task_has_system(struct task_struct *tsk,
1517                            u32 perms)
1518 {
1519         u32 sid = task_sid(tsk);
1520
1521         return avc_has_perm(sid, SECINITSID_KERNEL,
1522                             SECCLASS_SYSTEM, perms, NULL);
1523 }
1524
1525 /* Check whether a task has a particular permission to an inode.
1526    The 'adp' parameter is optional and allows other audit
1527    data to be passed (e.g. the dentry). */
1528 static int inode_has_perm(const struct cred *cred,
1529                           struct inode *inode,
1530                           u32 perms,
1531                           struct common_audit_data *adp)
1532 {
1533         struct inode_security_struct *isec;
1534         struct common_audit_data ad;
1535         u32 sid;
1536
1537         validate_creds(cred);
1538
1539         if (unlikely(IS_PRIVATE(inode)))
1540                 return 0;
1541
1542         sid = cred_sid(cred);
1543         isec = inode->i_security;
1544
1545         if (!adp) {
1546                 adp = &ad;
1547                 COMMON_AUDIT_DATA_INIT(&ad, FS);
1548                 ad.u.fs.inode = inode;
1549         }
1550
1551         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1552 }
1553
1554 /* Same as inode_has_perm, but pass explicit audit data containing
1555    the dentry to help the auditing code to more easily generate the
1556    pathname if needed. */
1557 static inline int dentry_has_perm(const struct cred *cred,
1558                                   struct vfsmount *mnt,
1559                                   struct dentry *dentry,
1560                                   u32 av)
1561 {
1562         struct inode *inode = dentry->d_inode;
1563         struct common_audit_data ad;
1564
1565         COMMON_AUDIT_DATA_INIT(&ad, FS);
1566         ad.u.fs.path.mnt = mnt;
1567         ad.u.fs.path.dentry = dentry;
1568         return inode_has_perm(cred, inode, av, &ad);
1569 }
1570
1571 /* Check whether a task can use an open file descriptor to
1572    access an inode in a given way.  Check access to the
1573    descriptor itself, and then use dentry_has_perm to
1574    check a particular permission to the file.
1575    Access to the descriptor is implicitly granted if it
1576    has the same SID as the process.  If av is zero, then
1577    access to the file is not checked, e.g. for cases
1578    where only the descriptor is affected like seek. */
1579 static int file_has_perm(const struct cred *cred,
1580                          struct file *file,
1581                          u32 av)
1582 {
1583         struct file_security_struct *fsec = file->f_security;
1584         struct inode *inode = file->f_path.dentry->d_inode;
1585         struct common_audit_data ad;
1586         u32 sid = cred_sid(cred);
1587         int rc;
1588
1589         COMMON_AUDIT_DATA_INIT(&ad, FS);
1590         ad.u.fs.path = file->f_path;
1591
1592         if (sid != fsec->sid) {
1593                 rc = avc_has_perm(sid, fsec->sid,
1594                                   SECCLASS_FD,
1595                                   FD__USE,
1596                                   &ad);
1597                 if (rc)
1598                         goto out;
1599         }
1600
1601         /* av is zero if only checking access to the descriptor. */
1602         rc = 0;
1603         if (av)
1604                 rc = inode_has_perm(cred, inode, av, &ad);
1605
1606 out:
1607         return rc;
1608 }
1609
1610 /* Check whether a task can create a file. */
1611 static int may_create(struct inode *dir,
1612                       struct dentry *dentry,
1613                       u16 tclass)
1614 {
1615         const struct cred *cred = current_cred();
1616         const struct task_security_struct *tsec = cred->security;
1617         struct inode_security_struct *dsec;
1618         struct superblock_security_struct *sbsec;
1619         u32 sid, newsid;
1620         struct common_audit_data ad;
1621         int rc;
1622
1623         dsec = dir->i_security;
1624         sbsec = dir->i_sb->s_security;
1625
1626         sid = tsec->sid;
1627         newsid = tsec->create_sid;
1628
1629         COMMON_AUDIT_DATA_INIT(&ad, FS);
1630         ad.u.fs.path.dentry = dentry;
1631
1632         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1633                           DIR__ADD_NAME | DIR__SEARCH,
1634                           &ad);
1635         if (rc)
1636                 return rc;
1637
1638         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1639                 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1640                 if (rc)
1641                         return rc;
1642         }
1643
1644         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1645         if (rc)
1646                 return rc;
1647
1648         return avc_has_perm(newsid, sbsec->sid,
1649                             SECCLASS_FILESYSTEM,
1650                             FILESYSTEM__ASSOCIATE, &ad);
1651 }
1652
1653 /* Check whether a task can create a key. */
1654 static int may_create_key(u32 ksid,
1655                           struct task_struct *ctx)
1656 {
1657         u32 sid = task_sid(ctx);
1658
1659         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1660 }
1661
1662 #define MAY_LINK        0
1663 #define MAY_UNLINK      1
1664 #define MAY_RMDIR       2
1665
1666 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1667 static int may_link(struct inode *dir,
1668                     struct dentry *dentry,
1669                     int kind)
1670
1671 {
1672         struct inode_security_struct *dsec, *isec;
1673         struct common_audit_data ad;
1674         u32 sid = current_sid();
1675         u32 av;
1676         int rc;
1677
1678         dsec = dir->i_security;
1679         isec = dentry->d_inode->i_security;
1680
1681         COMMON_AUDIT_DATA_INIT(&ad, FS);
1682         ad.u.fs.path.dentry = dentry;
1683
1684         av = DIR__SEARCH;
1685         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1686         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1687         if (rc)
1688                 return rc;
1689
1690         switch (kind) {
1691         case MAY_LINK:
1692                 av = FILE__LINK;
1693                 break;
1694         case MAY_UNLINK:
1695                 av = FILE__UNLINK;
1696                 break;
1697         case MAY_RMDIR:
1698                 av = DIR__RMDIR;
1699                 break;
1700         default:
1701                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1702                         __func__, kind);
1703                 return 0;
1704         }
1705
1706         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1707         return rc;
1708 }
1709
1710 static inline int may_rename(struct inode *old_dir,
1711                              struct dentry *old_dentry,
1712                              struct inode *new_dir,
1713                              struct dentry *new_dentry)
1714 {
1715         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1716         struct common_audit_data ad;
1717         u32 sid = current_sid();
1718         u32 av;
1719         int old_is_dir, new_is_dir;
1720         int rc;
1721
1722         old_dsec = old_dir->i_security;
1723         old_isec = old_dentry->d_inode->i_security;
1724         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1725         new_dsec = new_dir->i_security;
1726
1727         COMMON_AUDIT_DATA_INIT(&ad, FS);
1728
1729         ad.u.fs.path.dentry = old_dentry;
1730         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1731                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1732         if (rc)
1733                 return rc;
1734         rc = avc_has_perm(sid, old_isec->sid,
1735                           old_isec->sclass, FILE__RENAME, &ad);
1736         if (rc)
1737                 return rc;
1738         if (old_is_dir && new_dir != old_dir) {
1739                 rc = avc_has_perm(sid, old_isec->sid,
1740                                   old_isec->sclass, DIR__REPARENT, &ad);
1741                 if (rc)
1742                         return rc;
1743         }
1744
1745         ad.u.fs.path.dentry = new_dentry;
1746         av = DIR__ADD_NAME | DIR__SEARCH;
1747         if (new_dentry->d_inode)
1748                 av |= DIR__REMOVE_NAME;
1749         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1750         if (rc)
1751                 return rc;
1752         if (new_dentry->d_inode) {
1753                 new_isec = new_dentry->d_inode->i_security;
1754                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1755                 rc = avc_has_perm(sid, new_isec->sid,
1756                                   new_isec->sclass,
1757                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1758                 if (rc)
1759                         return rc;
1760         }
1761
1762         return 0;
1763 }
1764
1765 /* Check whether a task can perform a filesystem operation. */
1766 static int superblock_has_perm(const struct cred *cred,
1767                                struct super_block *sb,
1768                                u32 perms,
1769                                struct common_audit_data *ad)
1770 {
1771         struct superblock_security_struct *sbsec;
1772         u32 sid = cred_sid(cred);
1773
1774         sbsec = sb->s_security;
1775         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1776 }
1777
1778 /* Convert a Linux mode and permission mask to an access vector. */
1779 static inline u32 file_mask_to_av(int mode, int mask)
1780 {
1781         u32 av = 0;
1782
1783         if ((mode & S_IFMT) != S_IFDIR) {
1784                 if (mask & MAY_EXEC)
1785                         av |= FILE__EXECUTE;
1786                 if (mask & MAY_READ)
1787                         av |= FILE__READ;
1788
1789                 if (mask & MAY_APPEND)
1790                         av |= FILE__APPEND;
1791                 else if (mask & MAY_WRITE)
1792                         av |= FILE__WRITE;
1793
1794         } else {
1795                 if (mask & MAY_EXEC)
1796                         av |= DIR__SEARCH;
1797                 if (mask & MAY_WRITE)
1798                         av |= DIR__WRITE;
1799                 if (mask & MAY_READ)
1800                         av |= DIR__READ;
1801         }
1802
1803         return av;
1804 }
1805
1806 /* Convert a Linux file to an access vector. */
1807 static inline u32 file_to_av(struct file *file)
1808 {
1809         u32 av = 0;
1810
1811         if (file->f_mode & FMODE_READ)
1812                 av |= FILE__READ;
1813         if (file->f_mode & FMODE_WRITE) {
1814                 if (file->f_flags & O_APPEND)
1815                         av |= FILE__APPEND;
1816                 else
1817                         av |= FILE__WRITE;
1818         }
1819         if (!av) {
1820                 /*
1821                  * Special file opened with flags 3 for ioctl-only use.
1822                  */
1823                 av = FILE__IOCTL;
1824         }
1825
1826         return av;
1827 }
1828
1829 /*
1830  * Convert a file to an access vector and include the correct open
1831  * open permission.
1832  */
1833 static inline u32 open_file_to_av(struct file *file)
1834 {
1835         u32 av = file_to_av(file);
1836
1837         if (selinux_policycap_openperm) {
1838                 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1839                 /*
1840                  * lnk files and socks do not really have an 'open'
1841                  */
1842                 if (S_ISREG(mode))
1843                         av |= FILE__OPEN;
1844                 else if (S_ISCHR(mode))
1845                         av |= CHR_FILE__OPEN;
1846                 else if (S_ISBLK(mode))
1847                         av |= BLK_FILE__OPEN;
1848                 else if (S_ISFIFO(mode))
1849                         av |= FIFO_FILE__OPEN;
1850                 else if (S_ISDIR(mode))
1851                         av |= DIR__OPEN;
1852                 else if (S_ISSOCK(mode))
1853                         av |= SOCK_FILE__OPEN;
1854                 else
1855                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1856                                 "unknown mode:%o\n", __func__, mode);
1857         }
1858         return av;
1859 }
1860
1861 /* Hook functions begin here. */
1862
1863 static int selinux_ptrace_access_check(struct task_struct *child,
1864                                      unsigned int mode)
1865 {
1866         int rc;
1867
1868         rc = cap_ptrace_access_check(child, mode);
1869         if (rc)
1870                 return rc;
1871
1872         if (mode == PTRACE_MODE_READ) {
1873                 u32 sid = current_sid();
1874                 u32 csid = task_sid(child);
1875                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1876         }
1877
1878         return current_has_perm(child, PROCESS__PTRACE);
1879 }
1880
1881 static int selinux_ptrace_traceme(struct task_struct *parent)
1882 {
1883         int rc;
1884
1885         rc = cap_ptrace_traceme(parent);
1886         if (rc)
1887                 return rc;
1888
1889         return task_has_perm(parent, current, PROCESS__PTRACE);
1890 }
1891
1892 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1893                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1894 {
1895         int error;
1896
1897         error = current_has_perm(target, PROCESS__GETCAP);
1898         if (error)
1899                 return error;
1900
1901         return cap_capget(target, effective, inheritable, permitted);
1902 }
1903
1904 static int selinux_capset(struct cred *new, const struct cred *old,
1905                           const kernel_cap_t *effective,
1906                           const kernel_cap_t *inheritable,
1907                           const kernel_cap_t *permitted)
1908 {
1909         int error;
1910
1911         error = cap_capset(new, old,
1912                                       effective, inheritable, permitted);
1913         if (error)
1914                 return error;
1915
1916         return cred_has_perm(old, new, PROCESS__SETCAP);
1917 }
1918
1919 /*
1920  * (This comment used to live with the selinux_task_setuid hook,
1921  * which was removed).
1922  *
1923  * Since setuid only affects the current process, and since the SELinux
1924  * controls are not based on the Linux identity attributes, SELinux does not
1925  * need to control this operation.  However, SELinux does control the use of
1926  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1927  */
1928
1929 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1930                            int cap, int audit)
1931 {
1932         int rc;
1933
1934         rc = cap_capable(tsk, cred, cap, audit);
1935         if (rc)
1936                 return rc;
1937
1938         return task_has_capability(tsk, cred, cap, audit);
1939 }
1940
1941 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1942 {
1943         int buflen, rc;
1944         char *buffer, *path, *end;
1945
1946         rc = -ENOMEM;
1947         buffer = (char *)__get_free_page(GFP_KERNEL);
1948         if (!buffer)
1949                 goto out;
1950
1951         buflen = PAGE_SIZE;
1952         end = buffer+buflen;
1953         *--end = '\0';
1954         buflen--;
1955         path = end-1;
1956         *path = '/';
1957         while (table) {
1958                 const char *name = table->procname;
1959                 size_t namelen = strlen(name);
1960                 buflen -= namelen + 1;
1961                 if (buflen < 0)
1962                         goto out_free;
1963                 end -= namelen;
1964                 memcpy(end, name, namelen);
1965                 *--end = '/';
1966                 path = end;
1967                 table = table->parent;
1968         }
1969         buflen -= 4;
1970         if (buflen < 0)
1971                 goto out_free;
1972         end -= 4;
1973         memcpy(end, "/sys", 4);
1974         path = end;
1975         rc = security_genfs_sid("proc", path, tclass, sid);
1976 out_free:
1977         free_page((unsigned long)buffer);
1978 out:
1979         return rc;
1980 }
1981
1982 static int selinux_sysctl(ctl_table *table, int op)
1983 {
1984         int error = 0;
1985         u32 av;
1986         u32 tsid, sid;
1987         int rc;
1988
1989         sid = current_sid();
1990
1991         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1992                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1993         if (rc) {
1994                 /* Default to the well-defined sysctl SID. */
1995                 tsid = SECINITSID_SYSCTL;
1996         }
1997
1998         /* The op values are "defined" in sysctl.c, thereby creating
1999          * a bad coupling between this module and sysctl.c */
2000         if (op == 001) {
2001                 error = avc_has_perm(sid, tsid,
2002                                      SECCLASS_DIR, DIR__SEARCH, NULL);
2003         } else {
2004                 av = 0;
2005                 if (op & 004)
2006                         av |= FILE__READ;
2007                 if (op & 002)
2008                         av |= FILE__WRITE;
2009                 if (av)
2010                         error = avc_has_perm(sid, tsid,
2011                                              SECCLASS_FILE, av, NULL);
2012         }
2013
2014         return error;
2015 }
2016
2017 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2018 {
2019         const struct cred *cred = current_cred();
2020         int rc = 0;
2021
2022         if (!sb)
2023                 return 0;
2024
2025         switch (cmds) {
2026         case Q_SYNC:
2027         case Q_QUOTAON:
2028         case Q_QUOTAOFF:
2029         case Q_SETINFO:
2030         case Q_SETQUOTA:
2031                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2032                 break;
2033         case Q_GETFMT:
2034         case Q_GETINFO:
2035         case Q_GETQUOTA:
2036                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2037                 break;
2038         default:
2039                 rc = 0;  /* let the kernel handle invalid cmds */
2040                 break;
2041         }
2042         return rc;
2043 }
2044
2045 static int selinux_quota_on(struct dentry *dentry)
2046 {
2047         const struct cred *cred = current_cred();
2048
2049         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
2050 }
2051
2052 static int selinux_syslog(int type)
2053 {
2054         int rc;
2055
2056         rc = cap_syslog(type);
2057         if (rc)
2058                 return rc;
2059
2060         switch (type) {
2061         case 3:         /* Read last kernel messages */
2062         case 10:        /* Return size of the log buffer */
2063                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2064                 break;
2065         case 6:         /* Disable logging to console */
2066         case 7:         /* Enable logging to console */
2067         case 8:         /* Set level of messages printed to console */
2068                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2069                 break;
2070         case 0:         /* Close log */
2071         case 1:         /* Open log */
2072         case 2:         /* Read from log */
2073         case 4:         /* Read/clear last kernel messages */
2074         case 5:         /* Clear ring buffer */
2075         default:
2076                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2077                 break;
2078         }
2079         return rc;
2080 }
2081
2082 /*
2083  * Check that a process has enough memory to allocate a new virtual
2084  * mapping. 0 means there is enough memory for the allocation to
2085  * succeed and -ENOMEM implies there is not.
2086  *
2087  * Do not audit the selinux permission check, as this is applied to all
2088  * processes that allocate mappings.
2089  */
2090 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2091 {
2092         int rc, cap_sys_admin = 0;
2093
2094         rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2095                              SECURITY_CAP_NOAUDIT);
2096         if (rc == 0)
2097                 cap_sys_admin = 1;
2098
2099         return __vm_enough_memory(mm, pages, cap_sys_admin);
2100 }
2101
2102 /* binprm security operations */
2103
2104 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2105 {
2106         const struct task_security_struct *old_tsec;
2107         struct task_security_struct *new_tsec;
2108         struct inode_security_struct *isec;
2109         struct common_audit_data ad;
2110         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2111         int rc;
2112
2113         rc = cap_bprm_set_creds(bprm);
2114         if (rc)
2115                 return rc;
2116
2117         /* SELinux context only depends on initial program or script and not
2118          * the script interpreter */
2119         if (bprm->cred_prepared)
2120                 return 0;
2121
2122         old_tsec = current_security();
2123         new_tsec = bprm->cred->security;
2124         isec = inode->i_security;
2125
2126         /* Default to the current task SID. */
2127         new_tsec->sid = old_tsec->sid;
2128         new_tsec->osid = old_tsec->sid;
2129
2130         /* Reset fs, key, and sock SIDs on execve. */
2131         new_tsec->create_sid = 0;
2132         new_tsec->keycreate_sid = 0;
2133         new_tsec->sockcreate_sid = 0;
2134
2135         if (old_tsec->exec_sid) {
2136                 new_tsec->sid = old_tsec->exec_sid;
2137                 /* Reset exec SID on execve. */
2138                 new_tsec->exec_sid = 0;
2139         } else {
2140                 /* Check for a default transition on this program. */
2141                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2142                                              SECCLASS_PROCESS, &new_tsec->sid);
2143                 if (rc)
2144                         return rc;
2145         }
2146
2147         COMMON_AUDIT_DATA_INIT(&ad, FS);
2148         ad.u.fs.path = bprm->file->f_path;
2149
2150         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2151                 new_tsec->sid = old_tsec->sid;
2152
2153         if (new_tsec->sid == old_tsec->sid) {
2154                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2155                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2156                 if (rc)
2157                         return rc;
2158         } else {
2159                 /* Check permissions for the transition. */
2160                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2161                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2162                 if (rc)
2163                         return rc;
2164
2165                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2166                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2167                 if (rc)
2168                         return rc;
2169
2170                 /* Check for shared state */
2171                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2172                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2173                                           SECCLASS_PROCESS, PROCESS__SHARE,
2174                                           NULL);
2175                         if (rc)
2176                                 return -EPERM;
2177                 }
2178
2179                 /* Make sure that anyone attempting to ptrace over a task that
2180                  * changes its SID has the appropriate permit */
2181                 if (bprm->unsafe &
2182                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2183                         struct task_struct *tracer;
2184                         struct task_security_struct *sec;
2185                         u32 ptsid = 0;
2186
2187                         rcu_read_lock();
2188                         tracer = tracehook_tracer_task(current);
2189                         if (likely(tracer != NULL)) {
2190                                 sec = __task_cred(tracer)->security;
2191                                 ptsid = sec->sid;
2192                         }
2193                         rcu_read_unlock();
2194
2195                         if (ptsid != 0) {
2196                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2197                                                   SECCLASS_PROCESS,
2198                                                   PROCESS__PTRACE, NULL);
2199                                 if (rc)
2200                                         return -EPERM;
2201                         }
2202                 }
2203
2204                 /* Clear any possibly unsafe personality bits on exec: */
2205                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2206         }
2207
2208         return 0;
2209 }
2210
2211 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2212 {
2213         const struct cred *cred = current_cred();
2214         const struct task_security_struct *tsec = cred->security;
2215         u32 sid, osid;
2216         int atsecure = 0;
2217
2218         sid = tsec->sid;
2219         osid = tsec->osid;
2220
2221         if (osid != sid) {
2222                 /* Enable secure mode for SIDs transitions unless
2223                    the noatsecure permission is granted between
2224                    the two SIDs, i.e. ahp returns 0. */
2225                 atsecure = avc_has_perm(osid, sid,
2226                                         SECCLASS_PROCESS,
2227                                         PROCESS__NOATSECURE, NULL);
2228         }
2229
2230         return (atsecure || cap_bprm_secureexec(bprm));
2231 }
2232
2233 extern struct vfsmount *selinuxfs_mount;
2234 extern struct dentry *selinux_null;
2235
2236 /* Derived from fs/exec.c:flush_old_files. */
2237 static inline void flush_unauthorized_files(const struct cred *cred,
2238                                             struct files_struct *files)
2239 {
2240         struct common_audit_data ad;
2241         struct file *file, *devnull = NULL;
2242         struct tty_struct *tty;
2243         struct fdtable *fdt;
2244         long j = -1;
2245         int drop_tty = 0;
2246
2247         tty = get_current_tty();
2248         if (tty) {
2249                 file_list_lock();
2250                 if (!list_empty(&tty->tty_files)) {
2251                         struct inode *inode;
2252
2253                         /* Revalidate access to controlling tty.
2254                            Use inode_has_perm on the tty inode directly rather
2255                            than using file_has_perm, as this particular open
2256                            file may belong to another process and we are only
2257                            interested in the inode-based check here. */
2258                         file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2259                         inode = file->f_path.dentry->d_inode;
2260                         if (inode_has_perm(cred, inode,
2261                                            FILE__READ | FILE__WRITE, NULL)) {
2262                                 drop_tty = 1;
2263                         }
2264                 }
2265                 file_list_unlock();
2266                 tty_kref_put(tty);
2267         }
2268         /* Reset controlling tty. */
2269         if (drop_tty)
2270                 no_tty();
2271
2272         /* Revalidate access to inherited open files. */
2273
2274         COMMON_AUDIT_DATA_INIT(&ad, FS);
2275
2276         spin_lock(&files->file_lock);
2277         for (;;) {
2278                 unsigned long set, i;
2279                 int fd;
2280
2281                 j++;
2282                 i = j * __NFDBITS;
2283                 fdt = files_fdtable(files);
2284                 if (i >= fdt->max_fds)
2285                         break;
2286                 set = fdt->open_fds->fds_bits[j];
2287                 if (!set)
2288                         continue;
2289                 spin_unlock(&files->file_lock);
2290                 for ( ; set ; i++, set >>= 1) {
2291                         if (set & 1) {
2292                                 file = fget(i);
2293                                 if (!file)
2294                                         continue;
2295                                 if (file_has_perm(cred,
2296                                                   file,
2297                                                   file_to_av(file))) {
2298                                         sys_close(i);
2299                                         fd = get_unused_fd();
2300                                         if (fd != i) {
2301                                                 if (fd >= 0)
2302                                                         put_unused_fd(fd);
2303                                                 fput(file);
2304                                                 continue;
2305                                         }
2306                                         if (devnull) {
2307                                                 get_file(devnull);
2308                                         } else {
2309                                                 devnull = dentry_open(
2310                                                         dget(selinux_null),
2311                                                         mntget(selinuxfs_mount),
2312                                                         O_RDWR, cred);
2313                                                 if (IS_ERR(devnull)) {
2314                                                         devnull = NULL;
2315                                                         put_unused_fd(fd);
2316                                                         fput(file);
2317                                                         continue;
2318                                                 }
2319                                         }
2320                                         fd_install(fd, devnull);
2321                                 }
2322                                 fput(file);
2323                         }
2324                 }
2325                 spin_lock(&files->file_lock);
2326
2327         }
2328         spin_unlock(&files->file_lock);
2329 }
2330
2331 /*
2332  * Prepare a process for imminent new credential changes due to exec
2333  */
2334 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2335 {
2336         struct task_security_struct *new_tsec;
2337         struct rlimit *rlim, *initrlim;
2338         int rc, i;
2339
2340         new_tsec = bprm->cred->security;
2341         if (new_tsec->sid == new_tsec->osid)
2342                 return;
2343
2344         /* Close files for which the new task SID is not authorized. */
2345         flush_unauthorized_files(bprm->cred, current->files);
2346
2347         /* Always clear parent death signal on SID transitions. */
2348         current->pdeath_signal = 0;
2349
2350         /* Check whether the new SID can inherit resource limits from the old
2351          * SID.  If not, reset all soft limits to the lower of the current
2352          * task's hard limit and the init task's soft limit.
2353          *
2354          * Note that the setting of hard limits (even to lower them) can be
2355          * controlled by the setrlimit check.  The inclusion of the init task's
2356          * soft limit into the computation is to avoid resetting soft limits
2357          * higher than the default soft limit for cases where the default is
2358          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2359          */
2360         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2361                           PROCESS__RLIMITINH, NULL);
2362         if (rc) {
2363                 for (i = 0; i < RLIM_NLIMITS; i++) {
2364                         rlim = current->signal->rlim + i;
2365                         initrlim = init_task.signal->rlim + i;
2366                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2367                 }
2368                 update_rlimit_cpu(rlim->rlim_cur);
2369         }
2370 }
2371
2372 /*
2373  * Clean up the process immediately after the installation of new credentials
2374  * due to exec
2375  */
2376 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2377 {
2378         const struct task_security_struct *tsec = current_security();
2379         struct itimerval itimer;
2380         u32 osid, sid;
2381         int rc, i;
2382
2383         osid = tsec->osid;
2384         sid = tsec->sid;
2385
2386         if (sid == osid)
2387                 return;
2388
2389         /* Check whether the new SID can inherit signal state from the old SID.
2390          * If not, clear itimers to avoid subsequent signal generation and
2391          * flush and unblock signals.
2392          *
2393          * This must occur _after_ the task SID has been updated so that any
2394          * kill done after the flush will be checked against the new SID.
2395          */
2396         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2397         if (rc) {
2398                 memset(&itimer, 0, sizeof itimer);
2399                 for (i = 0; i < 3; i++)
2400                         do_setitimer(i, &itimer, NULL);
2401                 spin_lock_irq(&current->sighand->siglock);
2402                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2403                         __flush_signals(current);
2404                         flush_signal_handlers(current, 1);
2405                         sigemptyset(&current->blocked);
2406                 }
2407                 spin_unlock_irq(&current->sighand->siglock);
2408         }
2409
2410         /* Wake up the parent if it is waiting so that it can recheck
2411          * wait permission to the new task SID. */
2412         read_lock(&tasklist_lock);
2413         __wake_up_parent(current, current->real_parent);
2414         read_unlock(&tasklist_lock);
2415 }
2416
2417 /* superblock security operations */
2418
2419 static int selinux_sb_alloc_security(struct super_block *sb)
2420 {
2421         return superblock_alloc_security(sb);
2422 }
2423
2424 static void selinux_sb_free_security(struct super_block *sb)
2425 {
2426         superblock_free_security(sb);
2427 }
2428
2429 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2430 {
2431         if (plen > olen)
2432                 return 0;
2433
2434         return !memcmp(prefix, option, plen);
2435 }
2436
2437 static inline int selinux_option(char *option, int len)
2438 {
2439         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2440                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2441                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2442                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2443                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2444 }
2445
2446 static inline void take_option(char **to, char *from, int *first, int len)
2447 {
2448         if (!*first) {
2449                 **to = ',';
2450                 *to += 1;
2451         } else
2452                 *first = 0;
2453         memcpy(*to, from, len);
2454         *to += len;
2455 }
2456
2457 static inline void take_selinux_option(char **to, char *from, int *first,
2458                                        int len)
2459 {
2460         int current_size = 0;
2461
2462         if (!*first) {
2463                 **to = '|';
2464                 *to += 1;
2465         } else
2466                 *first = 0;
2467
2468         while (current_size < len) {
2469                 if (*from != '"') {
2470                         **to = *from;
2471                         *to += 1;
2472                 }
2473                 from += 1;
2474                 current_size += 1;
2475         }
2476 }
2477
2478 static int selinux_sb_copy_data(char *orig, char *copy)
2479 {
2480         int fnosec, fsec, rc = 0;
2481         char *in_save, *in_curr, *in_end;
2482         char *sec_curr, *nosec_save, *nosec;
2483         int open_quote = 0;
2484
2485         in_curr = orig;
2486         sec_curr = copy;
2487
2488         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2489         if (!nosec) {
2490                 rc = -ENOMEM;
2491                 goto out;
2492         }
2493
2494         nosec_save = nosec;
2495         fnosec = fsec = 1;
2496         in_save = in_end = orig;
2497
2498         do {
2499                 if (*in_end == '"')
2500                         open_quote = !open_quote;
2501                 if ((*in_end == ',' && open_quote == 0) ||
2502                                 *in_end == '\0') {
2503                         int len = in_end - in_curr;
2504
2505                         if (selinux_option(in_curr, len))
2506                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2507                         else
2508                                 take_option(&nosec, in_curr, &fnosec, len);
2509
2510                         in_curr = in_end + 1;
2511                 }
2512         } while (*in_end++);
2513
2514         strcpy(in_save, nosec_save);
2515         free_page((unsigned long)nosec_save);
2516 out:
2517         return rc;
2518 }
2519
2520 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2521 {
2522         const struct cred *cred = current_cred();
2523         struct common_audit_data ad;
2524         int rc;
2525
2526         rc = superblock_doinit(sb, data);
2527         if (rc)
2528                 return rc;
2529
2530         /* Allow all mounts performed by the kernel */
2531         if (flags & MS_KERNMOUNT)
2532                 return 0;
2533
2534         COMMON_AUDIT_DATA_INIT(&ad, FS);
2535         ad.u.fs.path.dentry = sb->s_root;
2536         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2537 }
2538
2539 static int selinux_sb_statfs(struct dentry *dentry)
2540 {
2541         const struct cred *cred = current_cred();
2542         struct common_audit_data ad;
2543
2544         COMMON_AUDIT_DATA_INIT(&ad, FS);
2545         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2546         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2547 }
2548
2549 static int selinux_mount(char *dev_name,
2550                          struct path *path,
2551                          char *type,
2552                          unsigned long flags,
2553                          void *data)
2554 {
2555         const struct cred *cred = current_cred();
2556
2557         if (flags & MS_REMOUNT)
2558                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2559                                            FILESYSTEM__REMOUNT, NULL);
2560         else
2561                 return dentry_has_perm(cred, path->mnt, path->dentry,
2562                                        FILE__MOUNTON);
2563 }
2564
2565 static int selinux_umount(struct vfsmount *mnt, int flags)
2566 {
2567         const struct cred *cred = current_cred();
2568
2569         return superblock_has_perm(cred, mnt->mnt_sb,
2570                                    FILESYSTEM__UNMOUNT, NULL);
2571 }
2572
2573 /* inode security operations */
2574
2575 static int selinux_inode_alloc_security(struct inode *inode)
2576 {
2577         return inode_alloc_security(inode);
2578 }
2579
2580 static void selinux_inode_free_security(struct inode *inode)
2581 {
2582         inode_free_security(inode);
2583 }
2584
2585 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2586                                        char **name, void **value,
2587                                        size_t *len)
2588 {
2589         const struct cred *cred = current_cred();
2590         const struct task_security_struct *tsec = cred->security;
2591         struct inode_security_struct *dsec;
2592         struct superblock_security_struct *sbsec;
2593         u32 sid, newsid, clen;
2594         int rc;
2595         char *namep = NULL, *context;
2596
2597         dsec = dir->i_security;
2598         sbsec = dir->i_sb->s_security;
2599
2600         sid = tsec->sid;
2601         newsid = tsec->create_sid;
2602
2603         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2604                 rc = security_transition_sid(sid, dsec->sid,
2605                                              inode_mode_to_security_class(inode->i_mode),
2606                                              &newsid);
2607                 if (rc) {
2608                         printk(KERN_WARNING "%s:  "
2609                                "security_transition_sid failed, rc=%d (dev=%s "
2610                                "ino=%ld)\n",
2611                                __func__,
2612                                -rc, inode->i_sb->s_id, inode->i_ino);
2613                         return rc;
2614                 }
2615         }
2616
2617         /* Possibly defer initialization to selinux_complete_init. */
2618         if (sbsec->flags & SE_SBINITIALIZED) {
2619                 struct inode_security_struct *isec = inode->i_security;
2620                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2621                 isec->sid = newsid;
2622                 isec->initialized = 1;
2623         }
2624
2625         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2626                 return -EOPNOTSUPP;
2627
2628         if (name) {
2629                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2630                 if (!namep)
2631                         return -ENOMEM;
2632                 *name = namep;
2633         }
2634
2635         if (value && len) {
2636                 rc = security_sid_to_context_force(newsid, &context, &clen);
2637                 if (rc) {
2638                         kfree(namep);
2639                         return rc;
2640                 }
2641                 *value = context;
2642                 *len = clen;
2643         }
2644
2645         return 0;
2646 }
2647
2648 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2649 {
2650         return may_create(dir, dentry, SECCLASS_FILE);
2651 }
2652
2653 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2654 {
2655         return may_link(dir, old_dentry, MAY_LINK);
2656 }
2657
2658 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2659 {
2660         return may_link(dir, dentry, MAY_UNLINK);
2661 }
2662
2663 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2664 {
2665         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2666 }
2667
2668 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2669 {
2670         return may_create(dir, dentry, SECCLASS_DIR);
2671 }
2672
2673 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2674 {
2675         return may_link(dir, dentry, MAY_RMDIR);
2676 }
2677
2678 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2679 {
2680         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2681 }
2682
2683 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2684                                 struct inode *new_inode, struct dentry *new_dentry)
2685 {
2686         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2687 }
2688
2689 static int selinux_inode_readlink(struct dentry *dentry)
2690 {
2691         const struct cred *cred = current_cred();
2692
2693         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2694 }
2695
2696 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2697 {
2698         const struct cred *cred = current_cred();
2699
2700         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2701 }
2702
2703 static int selinux_inode_permission(struct inode *inode, int mask)
2704 {
2705         const struct cred *cred = current_cred();
2706
2707         if (!mask) {
2708                 /* No permission to check.  Existence test. */
2709                 return 0;
2710         }
2711
2712         return inode_has_perm(cred, inode,
2713                               file_mask_to_av(inode->i_mode, mask), NULL);
2714 }
2715
2716 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2717 {
2718         const struct cred *cred = current_cred();
2719         unsigned int ia_valid = iattr->ia_valid;
2720
2721         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2722         if (ia_valid & ATTR_FORCE) {
2723                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2724                               ATTR_FORCE);
2725                 if (!ia_valid)
2726                         return 0;
2727         }
2728
2729         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2730                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2731                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2732
2733         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2734 }
2735
2736 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2737 {
2738         const struct cred *cred = current_cred();
2739
2740         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2741 }
2742
2743 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2744 {
2745         const struct cred *cred = current_cred();
2746
2747         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2748                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2749                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2750                         if (!capable(CAP_SETFCAP))
2751                                 return -EPERM;
2752                 } else if (!capable(CAP_SYS_ADMIN)) {
2753                         /* A different attribute in the security namespace.
2754                            Restrict to administrator. */
2755                         return -EPERM;
2756                 }
2757         }
2758
2759         /* Not an attribute we recognize, so just check the
2760            ordinary setattr permission. */
2761         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2762 }
2763
2764 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2765                                   const void *value, size_t size, int flags)
2766 {
2767         struct inode *inode = dentry->d_inode;
2768         struct inode_security_struct *isec = inode->i_security;
2769         struct superblock_security_struct *sbsec;
2770         struct common_audit_data ad;
2771         u32 newsid, sid = current_sid();
2772         int rc = 0;
2773
2774         if (strcmp(name, XATTR_NAME_SELINUX))
2775                 return selinux_inode_setotherxattr(dentry, name);
2776
2777         sbsec = inode->i_sb->s_security;
2778         if (!(sbsec->flags & SE_SBLABELSUPP))
2779                 return -EOPNOTSUPP;
2780
2781         if (!is_owner_or_cap(inode))
2782                 return -EPERM;
2783
2784         COMMON_AUDIT_DATA_INIT(&ad, FS);
2785         ad.u.fs.path.dentry = dentry;
2786
2787         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2788                           FILE__RELABELFROM, &ad);
2789         if (rc)
2790                 return rc;
2791
2792         rc = security_context_to_sid(value, size, &newsid);
2793         if (rc == -EINVAL) {
2794                 if (!capable(CAP_MAC_ADMIN))
2795                         return rc;
2796                 rc = security_context_to_sid_force(value, size, &newsid);
2797         }
2798         if (rc)
2799                 return rc;
2800
2801         rc = avc_has_perm(sid, newsid, isec->sclass,
2802                           FILE__RELABELTO, &ad);
2803         if (rc)
2804                 return rc;
2805
2806         rc = security_validate_transition(isec->sid, newsid, sid,
2807                                           isec->sclass);
2808         if (rc)
2809                 return rc;
2810
2811         return avc_has_perm(newsid,
2812                             sbsec->sid,
2813                             SECCLASS_FILESYSTEM,
2814                             FILESYSTEM__ASSOCIATE,
2815                             &ad);
2816 }
2817
2818 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2819                                         const void *value, size_t size,
2820                                         int flags)
2821 {
2822         struct inode *inode = dentry->d_inode;
2823         struct inode_security_struct *isec = inode->i_security;
2824         u32 newsid;
2825         int rc;
2826
2827         if (strcmp(name, XATTR_NAME_SELINUX)) {
2828                 /* Not an attribute we recognize, so nothing to do. */
2829                 return;
2830         }
2831
2832         rc = security_context_to_sid_force(value, size, &newsid);
2833         if (rc) {
2834                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2835                        "for (%s, %lu), rc=%d\n",
2836                        inode->i_sb->s_id, inode->i_ino, -rc);
2837                 return;
2838         }
2839
2840         isec->sid = newsid;
2841         return;
2842 }
2843
2844 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2845 {
2846         const struct cred *cred = current_cred();
2847
2848         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2849 }
2850
2851 static int selinux_inode_listxattr(struct dentry *dentry)
2852 {
2853         const struct cred *cred = current_cred();
2854
2855         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2856 }
2857
2858 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2859 {
2860         if (strcmp(name, XATTR_NAME_SELINUX))
2861                 return selinux_inode_setotherxattr(dentry, name);
2862
2863         /* No one is allowed to remove a SELinux security label.
2864            You can change the label, but all data must be labeled. */
2865         return -EACCES;
2866 }
2867
2868 /*
2869  * Copy the inode security context value to the user.
2870  *
2871  * Permission check is handled by selinux_inode_getxattr hook.
2872  */
2873 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2874 {
2875         u32 size;
2876         int error;
2877         char *context = NULL;
2878         struct inode_security_struct *isec = inode->i_security;
2879
2880         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2881                 return -EOPNOTSUPP;
2882
2883         /*
2884          * If the caller has CAP_MAC_ADMIN, then get the raw context
2885          * value even if it is not defined by current policy; otherwise,
2886          * use the in-core value under current policy.
2887          * Use the non-auditing forms of the permission checks since
2888          * getxattr may be called by unprivileged processes commonly
2889          * and lack of permission just means that we fall back to the
2890          * in-core context value, not a denial.
2891          */
2892         error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2893                                 SECURITY_CAP_NOAUDIT);
2894         if (!error)
2895                 error = security_sid_to_context_force(isec->sid, &context,
2896                                                       &size);
2897         else
2898                 error = security_sid_to_context(isec->sid, &context, &size);
2899         if (error)
2900                 return error;
2901         error = size;
2902         if (alloc) {
2903                 *buffer = context;
2904                 goto out_nofree;
2905         }
2906         kfree(context);
2907 out_nofree:
2908         return error;
2909 }
2910
2911 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2912                                      const void *value, size_t size, int flags)
2913 {
2914         struct inode_security_struct *isec = inode->i_security;
2915         u32 newsid;
2916         int rc;
2917
2918         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2919                 return -EOPNOTSUPP;
2920
2921         if (!value || !size)
2922                 return -EACCES;
2923
2924         rc = security_context_to_sid((void *)value, size, &newsid);
2925         if (rc)
2926                 return rc;
2927
2928         isec->sid = newsid;
2929         isec->initialized = 1;
2930         return 0;
2931 }
2932
2933 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2934 {
2935         const int len = sizeof(XATTR_NAME_SELINUX);
2936         if (buffer && len <= buffer_size)
2937                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2938         return len;
2939 }
2940
2941 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2942 {
2943         struct inode_security_struct *isec = inode->i_security;
2944         *secid = isec->sid;
2945 }
2946
2947 /* file security operations */
2948
2949 static int selinux_revalidate_file_permission(struct file *file, int mask)
2950 {
2951         const struct cred *cred = current_cred();
2952         struct inode *inode = file->f_path.dentry->d_inode;
2953
2954         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2955         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2956                 mask |= MAY_APPEND;
2957
2958         return file_has_perm(cred, file,
2959                              file_mask_to_av(inode->i_mode, mask));
2960 }
2961
2962 static int selinux_file_permission(struct file *file, int mask)
2963 {
2964         struct inode *inode = file->f_path.dentry->d_inode;
2965         struct file_security_struct *fsec = file->f_security;
2966         struct inode_security_struct *isec = inode->i_security;
2967         u32 sid = current_sid();
2968
2969         if (!mask)
2970                 /* No permission to check.  Existence test. */
2971                 return 0;
2972
2973         if (sid == fsec->sid && fsec->isid == isec->sid &&
2974             fsec->pseqno == avc_policy_seqno())
2975                 /* No change since dentry_open check. */
2976                 return 0;
2977
2978         return selinux_revalidate_file_permission(file, mask);
2979 }
2980
2981 static int selinux_file_alloc_security(struct file *file)
2982 {
2983         return file_alloc_security(file);
2984 }
2985
2986 static void selinux_file_free_security(struct file *file)
2987 {
2988         file_free_security(file);
2989 }
2990
2991 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2992                               unsigned long arg)
2993 {
2994         const struct cred *cred = current_cred();
2995         u32 av = 0;
2996
2997         if (_IOC_DIR(cmd) & _IOC_WRITE)
2998                 av |= FILE__WRITE;
2999         if (_IOC_DIR(cmd) & _IOC_READ)
3000                 av |= FILE__READ;
3001         if (!av)
3002                 av = FILE__IOCTL;
3003
3004         return file_has_perm(cred, file, av);
3005 }
3006
3007 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3008 {
3009         const struct cred *cred = current_cred();
3010         int rc = 0;
3011
3012 #ifndef CONFIG_PPC32
3013         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3014                 /*
3015                  * We are making executable an anonymous mapping or a
3016                  * private file mapping that will also be writable.
3017                  * This has an additional check.
3018                  */
3019                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3020                 if (rc)
3021                         goto error;
3022         }
3023 #endif
3024
3025         if (file) {
3026                 /* read access is always possible with a mapping */
3027                 u32 av = FILE__READ;
3028
3029                 /* write access only matters if the mapping is shared */
3030                 if (shared && (prot & PROT_WRITE))
3031                         av |= FILE__WRITE;
3032
3033                 if (prot & PROT_EXEC)
3034                         av |= FILE__EXECUTE;
3035
3036                 return file_has_perm(cred, file, av);
3037         }
3038
3039 error:
3040         return rc;
3041 }
3042
3043 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3044                              unsigned long prot, unsigned long flags,
3045                              unsigned long addr, unsigned long addr_only)
3046 {
3047         int rc = 0;
3048         u32 sid = current_sid();
3049
3050         /*
3051          * notice that we are intentionally putting the SELinux check before
3052          * the secondary cap_file_mmap check.  This is such a likely attempt
3053          * at bad behaviour/exploit that we always want to get the AVC, even
3054          * if DAC would have also denied the operation.
3055          */
3056         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3057                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3058                                   MEMPROTECT__MMAP_ZERO, NULL);
3059                 if (rc)
3060                         return rc;
3061         }
3062
3063         /* do DAC check on address space usage */
3064         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3065         if (rc || addr_only)
3066                 return rc;
3067
3068         if (selinux_checkreqprot)
3069                 prot = reqprot;
3070
3071         return file_map_prot_check(file, prot,
3072                                    (flags & MAP_TYPE) == MAP_SHARED);
3073 }
3074
3075 static int selinux_file_mprotect(struct vm_area_struct *vma,
3076                                  unsigned long reqprot,
3077                                  unsigned long prot)
3078 {
3079         const struct cred *cred = current_cred();
3080
3081         if (selinux_checkreqprot)
3082                 prot = reqprot;
3083
3084 #ifndef CONFIG_PPC32
3085         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3086                 int rc = 0;
3087                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3088                     vma->vm_end <= vma->vm_mm->brk) {
3089                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3090                 } else if (!vma->vm_file &&
3091                            vma->vm_start <= vma->vm_mm->start_stack &&
3092                            vma->vm_end >= vma->vm_mm->start_stack) {
3093                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3094                 } else if (vma->vm_file && vma->anon_vma) {
3095                         /*
3096                          * We are making executable a file mapping that has
3097                          * had some COW done. Since pages might have been
3098                          * written, check ability to execute the possibly
3099                          * modified content.  This typically should only
3100                          * occur for text relocations.
3101                          */
3102                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3103                 }
3104                 if (rc)
3105                         return rc;
3106         }
3107 #endif
3108
3109         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3110 }
3111
3112 static int selinux_file_lock(struct file *file, unsigned int cmd)
3113 {
3114         const struct cred *cred = current_cred();
3115
3116         return file_has_perm(cred, file, FILE__LOCK);
3117 }
3118
3119 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3120                               unsigned long arg)
3121 {
3122         const struct cred *cred = current_cred();
3123         int err = 0;
3124
3125         switch (cmd) {
3126         case F_SETFL:
3127                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3128                         err = -EINVAL;
3129                         break;
3130                 }
3131
3132                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3133                         err = file_has_perm(cred, file, FILE__WRITE);
3134                         break;
3135                 }
3136                 /* fall through */
3137         case F_SETOWN:
3138         case F_SETSIG:
3139         case F_GETFL:
3140         case F_GETOWN:
3141         case F_GETSIG:
3142                 /* Just check FD__USE permission */
3143                 err = file_has_perm(cred, file, 0);
3144                 break;
3145         case F_GETLK:
3146         case F_SETLK:
3147         case F_SETLKW:
3148 #if BITS_PER_LONG == 32
3149         case F_GETLK64:
3150         case F_SETLK64:
3151         case F_SETLKW64:
3152 #endif
3153                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3154                         err = -EINVAL;
3155                         break;
3156                 }
3157                 err = file_has_perm(cred, file, FILE__LOCK);
3158                 break;
3159         }
3160
3161         return err;
3162 }
3163
3164 static int selinux_file_set_fowner(struct file *file)
3165 {
3166         struct file_security_struct *fsec;
3167
3168         fsec = file->f_security;
3169         fsec->fown_sid = current_sid();
3170
3171         return 0;
3172 }
3173
3174 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3175                                        struct fown_struct *fown, int signum)
3176 {
3177         struct file *file;
3178         u32 sid = task_sid(tsk);
3179         u32 perm;
3180         struct file_security_struct *fsec;
3181
3182         /* struct fown_struct is never outside the context of a struct file */
3183         file = container_of(fown, struct file, f_owner);
3184
3185         fsec = file->f_security;
3186
3187         if (!signum)
3188                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3189         else
3190                 perm = signal_to_av(signum);
3191
3192         return avc_has_perm(fsec->fown_sid, sid,
3193                             SECCLASS_PROCESS, perm, NULL);
3194 }
3195
3196 static int selinux_file_receive(struct file *file)
3197 {
3198         const struct cred *cred = current_cred();
3199
3200         return file_has_perm(cred, file, file_to_av(file));
3201 }
3202
3203 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3204 {
3205         struct file_security_struct *fsec;
3206         struct inode *inode;
3207         struct inode_security_struct *isec;
3208
3209         inode = file->f_path.dentry->d_inode;
3210         fsec = file->f_security;
3211         isec = inode->i_security;
3212         /*
3213          * Save inode label and policy sequence number
3214          * at open-time so that selinux_file_permission
3215          * can determine whether revalidation is necessary.
3216          * Task label is already saved in the file security
3217          * struct as its SID.
3218          */
3219         fsec->isid = isec->sid;
3220         fsec->pseqno = avc_policy_seqno();
3221         /*
3222          * Since the inode label or policy seqno may have changed
3223          * between the selinux_inode_permission check and the saving
3224          * of state above, recheck that access is still permitted.
3225          * Otherwise, access might never be revalidated against the
3226          * new inode label or new policy.
3227          * This check is not redundant - do not remove.
3228          */
3229         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3230 }
3231
3232 /* task security operations */
3233
3234 static int selinux_task_create(unsigned long clone_flags)
3235 {
3236         return current_has_perm(current, PROCESS__FORK);
3237 }
3238
3239 /*
3240  * allocate the SELinux part of blank credentials
3241  */
3242 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3243 {
3244         struct task_security_struct *tsec;
3245
3246         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3247         if (!tsec)
3248                 return -ENOMEM;
3249
3250         cred->security = tsec;
3251         return 0;
3252 }
3253
3254 /*
3255  * detach and free the LSM part of a set of credentials
3256  */
3257 static void selinux_cred_free(struct cred *cred)
3258 {
3259         struct task_security_struct *tsec = cred->security;
3260
3261         BUG_ON((unsigned long) cred->security < PAGE_SIZE);
3262         cred->security = (void *) 0x7UL;
3263         kfree(tsec);
3264 }
3265
3266 /*
3267  * prepare a new set of credentials for modification
3268  */
3269 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3270                                 gfp_t gfp)
3271 {
3272         const struct task_security_struct *old_tsec;
3273         struct task_security_struct *tsec;
3274
3275         old_tsec = old->security;
3276
3277         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3278         if (!tsec)
3279                 return -ENOMEM;
3280
3281         new->security = tsec;
3282         return 0;
3283 }
3284
3285 /*
3286  * transfer the SELinux data to a blank set of creds
3287  */
3288 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3289 {
3290         const struct task_security_struct *old_tsec = old->security;
3291         struct task_security_struct *tsec = new->security;
3292
3293         *tsec = *old_tsec;
3294 }
3295
3296 /*
3297  * set the security data for a kernel service
3298  * - all the creation contexts are set to unlabelled
3299  */
3300 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3301 {
3302         struct task_security_struct *tsec = new->security;
3303         u32 sid = current_sid();
3304         int ret;
3305
3306         ret = avc_has_perm(sid, secid,
3307                            SECCLASS_KERNEL_SERVICE,
3308                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3309                            NULL);
3310         if (ret == 0) {
3311                 tsec->sid = secid;
3312                 tsec->create_sid = 0;
3313                 tsec->keycreate_sid = 0;
3314                 tsec->sockcreate_sid = 0;
3315         }
3316         return ret;
3317 }
3318
3319 /*
3320  * set the file creation context in a security record to the same as the
3321  * objective context of the specified inode
3322  */
3323 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3324 {
3325         struct inode_security_struct *isec = inode->i_security;
3326         struct task_security_struct *tsec = new->security;
3327         u32 sid = current_sid();
3328         int ret;
3329
3330         ret = avc_has_perm(sid, isec->sid,
3331                            SECCLASS_KERNEL_SERVICE,
3332                            KERNEL_SERVICE__CREATE_FILES_AS,
3333                            NULL);
3334
3335         if (ret == 0)
3336                 tsec->create_sid = isec->sid;
3337         return 0;
3338 }
3339
3340 static int selinux_kernel_module_request(char *kmod_name)
3341 {
3342         u32 sid;
3343         struct common_audit_data ad;
3344
3345         sid = task_sid(current);
3346
3347         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3348         ad.u.kmod_name = kmod_name;
3349
3350         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3351                             SYSTEM__MODULE_REQUEST, &ad);
3352 }
3353
3354 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3355 {
3356         return current_has_perm(p, PROCESS__SETPGID);
3357 }
3358
3359 static int selinux_task_getpgid(struct task_struct *p)
3360 {
3361         return current_has_perm(p, PROCESS__GETPGID);
3362 }
3363
3364 static int selinux_task_getsid(struct task_struct *p)
3365 {
3366         return current_has_perm(p, PROCESS__GETSESSION);
3367 }
3368
3369 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3370 {
3371         *secid = task_sid(p);
3372 }
3373
3374 static int selinux_task_setnice(struct task_struct *p, int nice)
3375 {
3376         int rc;
3377
3378         rc = cap_task_setnice(p, nice);
3379         if (rc)
3380                 return rc;
3381
3382         return current_has_perm(p, PROCESS__SETSCHED);
3383 }
3384
3385 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3386 {
3387         int rc;
3388
3389         rc = cap_task_setioprio(p, ioprio);
3390         if (rc)
3391                 return rc;
3392
3393         return current_has_perm(p, PROCESS__SETSCHED);
3394 }
3395
3396 static int selinux_task_getioprio(struct task_struct *p)
3397 {
3398         return current_has_perm(p, PROCESS__GETSCHED);
3399 }
3400
3401 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3402 {
3403         struct rlimit *old_rlim = current->signal->rlim + resource;
3404
3405         /* Control the ability to change the hard limit (whether
3406            lowering or raising it), so that the hard limit can
3407            later be used as a safe reset point for the soft limit
3408            upon context transitions.  See selinux_bprm_committing_creds. */
3409         if (old_rlim->rlim_max != new_rlim->rlim_max)
3410                 return current_has_perm(current, PROCESS__SETRLIMIT);
3411
3412         return 0;
3413 }
3414
3415 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3416 {
3417         int rc;
3418
3419         rc = cap_task_setscheduler(p, policy, lp);
3420         if (rc)
3421                 return rc;
3422
3423         return current_has_perm(p, PROCESS__SETSCHED);
3424 }
3425
3426 static int selinux_task_getscheduler(struct task_struct *p)
3427 {
3428         return current_has_perm(p, PROCESS__GETSCHED);
3429 }
3430
3431 static int selinux_task_movememory(struct task_struct *p)
3432 {
3433         return current_has_perm(p, PROCESS__SETSCHED);
3434 }
3435
3436 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3437                                 int sig, u32 secid)
3438 {
3439         u32 perm;
3440         int rc;
3441
3442         if (!sig)
3443                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3444         else
3445                 perm = signal_to_av(sig);
3446         if (secid)
3447                 rc = avc_has_perm(secid, task_sid(p),
3448                                   SECCLASS_PROCESS, perm, NULL);
3449         else
3450                 rc = current_has_perm(p, perm);
3451         return rc;
3452 }
3453
3454 static int selinux_task_wait(struct task_struct *p)
3455 {
3456         return task_has_perm(p, current, PROCESS__SIGCHLD);
3457 }
3458
3459 static void selinux_task_to_inode(struct task_struct *p,
3460                                   struct inode *inode)
3461 {
3462         struct inode_security_struct *isec = inode->i_security;
3463         u32 sid = task_sid(p);
3464
3465         isec->sid = sid;
3466         isec->initialized = 1;
3467 }
3468
3469 /* Returns error only if unable to parse addresses */
3470 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3471                         struct common_audit_data *ad, u8 *proto)
3472 {
3473         int offset, ihlen, ret = -EINVAL;
3474         struct iphdr _iph, *ih;
3475
3476         offset = skb_network_offset(skb);
3477         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3478         if (ih == NULL)
3479                 goto out;
3480
3481         ihlen = ih->ihl * 4;
3482         if (ihlen < sizeof(_iph))
3483                 goto out;
3484
3485         ad->u.net.v4info.saddr = ih->saddr;
3486         ad->u.net.v4info.daddr = ih->daddr;
3487         ret = 0;
3488
3489         if (proto)
3490                 *proto = ih->protocol;
3491
3492         switch (ih->protocol) {
3493         case IPPROTO_TCP: {
3494                 struct tcphdr _tcph, *th;
3495
3496                 if (ntohs(ih->frag_off) & IP_OFFSET)
3497                         break;
3498
3499                 offset += ihlen;
3500                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3501                 if (th == NULL)
3502                         break;
3503
3504                 ad->u.net.sport = th->source;
3505                 ad->u.net.dport = th->dest;
3506                 break;
3507         }
3508
3509         case IPPROTO_UDP: {
3510                 struct udphdr _udph, *uh;
3511
3512                 if (ntohs(ih->frag_off) & IP_OFFSET)
3513                         break;
3514
3515                 offset += ihlen;
3516                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3517                 if (uh == NULL)
3518                         break;
3519
3520                 ad->u.net.sport = uh->source;
3521                 ad->u.net.dport = uh->dest;
3522                 break;
3523         }
3524
3525         case IPPROTO_DCCP: {
3526                 struct dccp_hdr _dccph, *dh;
3527
3528                 if (ntohs(ih->frag_off) & IP_OFFSET)
3529                         break;
3530
3531                 offset += ihlen;
3532                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3533                 if (dh == NULL)
3534                         break;
3535
3536                 ad->u.net.sport = dh->dccph_sport;
3537                 ad->u.net.dport = dh->dccph_dport;
3538                 break;
3539         }
3540
3541         default:
3542                 break;
3543         }
3544 out:
3545         return ret;
3546 }
3547
3548 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3549
3550 /* Returns error only if unable to parse addresses */
3551 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3552                         struct common_audit_data *ad, u8 *proto)
3553 {
3554         u8 nexthdr;
3555         int ret = -EINVAL, offset;
3556         struct ipv6hdr _ipv6h, *ip6;
3557
3558         offset = skb_network_offset(skb);
3559         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3560         if (ip6 == NULL)
3561                 goto out;
3562
3563         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3564         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3565         ret = 0;
3566
3567         nexthdr = ip6->nexthdr;
3568         offset += sizeof(_ipv6h);
3569         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3570         if (offset < 0)
3571                 goto out;
3572
3573         if (proto)
3574                 *proto = nexthdr;
3575
3576         switch (nexthdr) {
3577         case IPPROTO_TCP: {
3578                 struct tcphdr _tcph, *th;
3579
3580                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3581                 if (th == NULL)
3582                         break;
3583
3584                 ad->u.net.sport = th->source;
3585                 ad->u.net.dport = th->dest;
3586                 break;
3587         }
3588
3589         case IPPROTO_UDP: {
3590                 struct udphdr _udph, *uh;
3591
3592                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3593                 if (uh == NULL)
3594                         break;
3595
3596                 ad->u.net.sport = uh->source;
3597                 ad->u.net.dport = uh->dest;
3598                 break;
3599         }
3600
3601         case IPPROTO_DCCP: {
3602                 struct dccp_hdr _dccph, *dh;
3603
3604                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3605                 if (dh == NULL)
3606                         break;
3607
3608                 ad->u.net.sport = dh->dccph_sport;
3609                 ad->u.net.dport = dh->dccph_dport;
3610                 break;
3611         }
3612
3613         /* includes fragments */
3614         default:
3615                 break;
3616         }
3617 out:
3618         return ret;
3619 }
3620
3621 #endif /* IPV6 */
3622
3623 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3624                              char **_addrp, int src, u8 *proto)
3625 {
3626         char *addrp;
3627         int ret;
3628
3629         switch (ad->u.net.family) {
3630         case PF_INET:
3631                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3632                 if (ret)
3633                         goto parse_error;
3634                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3635                                        &ad->u.net.v4info.daddr);
3636                 goto okay;
3637
3638 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3639         case PF_INET6:
3640                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3641                 if (ret)
3642                         goto parse_error;
3643                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3644                                        &ad->u.net.v6info.daddr);
3645                 goto okay;
3646 #endif  /* IPV6 */
3647         default:
3648                 addrp = NULL;
3649                 goto okay;
3650         }
3651
3652 parse_error:
3653         printk(KERN_WARNING
3654                "SELinux: failure in selinux_parse_skb(),"
3655                " unable to parse packet\n");
3656         return ret;
3657
3658 okay:
3659         if (_addrp)
3660                 *_addrp = addrp;
3661         return 0;
3662 }
3663
3664 /**
3665  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3666  * @skb: the packet
3667  * @family: protocol family
3668  * @sid: the packet's peer label SID
3669  *
3670  * Description:
3671  * Check the various different forms of network peer labeling and determine
3672  * the peer label/SID for the packet; most of the magic actually occurs in
3673  * the security server function security_net_peersid_cmp().  The function
3674  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3675  * or -EACCES if @sid is invalid due to inconsistencies with the different
3676  * peer labels.
3677  *
3678  */
3679 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3680 {
3681         int err;
3682         u32 xfrm_sid;
3683         u32 nlbl_sid;
3684         u32 nlbl_type;
3685
3686         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3687         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3688
3689         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3690         if (unlikely(err)) {
3691                 printk(KERN_WARNING
3692                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3693                        " unable to determine packet's peer label\n");
3694                 return -EACCES;
3695         }
3696
3697         return 0;
3698 }
3699
3700 /* socket security operations */
3701 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3702                            u32 perms)
3703 {
3704         struct inode_security_struct *isec;
3705         struct common_audit_data ad;
3706         u32 sid;
3707         int err = 0;
3708
3709         isec = SOCK_INODE(sock)->i_security;
3710
3711         if (isec->sid == SECINITSID_KERNEL)
3712                 goto out;
3713         sid = task_sid(task);
3714
3715         COMMON_AUDIT_DATA_INIT(&ad, NET);
3716         ad.u.net.sk = sock->sk;
3717         err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3718
3719 out:
3720         return err;
3721 }
3722
3723 static int selinux_socket_create(int family, int type,
3724                                  int protocol, int kern)
3725 {
3726         const struct cred *cred = current_cred();
3727         const struct task_security_struct *tsec = cred->security;
3728         u32 sid, newsid;
3729         u16 secclass;
3730         int err = 0;
3731
3732         if (kern)
3733                 goto out;
3734
3735         sid = tsec->sid;
3736         newsid = tsec->sockcreate_sid ?: sid;
3737
3738         secclass = socket_type_to_security_class(family, type, protocol);
3739         err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3740
3741 out:
3742         return err;
3743 }
3744
3745 static int selinux_socket_post_create(struct socket *sock, int family,
3746                                       int type, int protocol, int kern)
3747 {
3748         const struct cred *cred = current_cred();
3749         const struct task_security_struct *tsec = cred->security;
3750         struct inode_security_struct *isec;
3751         struct sk_security_struct *sksec;
3752         u32 sid, newsid;
3753         int err = 0;
3754
3755         sid = tsec->sid;
3756         newsid = tsec->sockcreate_sid;
3757
3758         isec = SOCK_INODE(sock)->i_security;
3759
3760         if (kern)
3761                 isec->sid = SECINITSID_KERNEL;
3762         else if (newsid)
3763                 isec->sid = newsid;
3764         else
3765                 isec->sid = sid;
3766
3767         isec->sclass = socket_type_to_security_class(family, type, protocol);
3768         isec->initialized = 1;
3769
3770         if (sock->sk) {
3771                 sksec = sock->sk->sk_security;
3772                 sksec->sid = isec->sid;
3773                 sksec->sclass = isec->sclass;
3774                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3775         }
3776
3777         return err;
3778 }
3779
3780 /* Range of port numbers used to automatically bind.
3781    Need to determine whether we should perform a name_bind
3782    permission check between the socket and the port number. */
3783
3784 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3785 {
3786         u16 family;
3787         int err;
3788
3789         err = socket_has_perm(current, sock, SOCKET__BIND);
3790         if (err)
3791                 goto out;
3792
3793         /*
3794          * If PF_INET or PF_INET6, check name_bind permission for the port.
3795          * Multiple address binding for SCTP is not supported yet: we just
3796          * check the first address now.
3797          */
3798         family = sock->sk->sk_family;
3799         if (family == PF_INET || family == PF_INET6) {
3800                 char *addrp;
3801                 struct inode_security_struct *isec;
3802                 struct common_audit_data ad;
3803                 struct sockaddr_in *addr4 = NULL;
3804                 struct sockaddr_in6 *addr6 = NULL;
3805                 unsigned short snum;
3806                 struct sock *sk = sock->sk;
3807                 u32 sid, node_perm;
3808
3809                 isec = SOCK_INODE(sock)->i_security;
3810
3811                 if (family == PF_INET) {
3812                         addr4 = (struct sockaddr_in *)address;
3813                         snum = ntohs(addr4->sin_port);
3814                         addrp = (char *)&addr4->sin_addr.s_addr;
3815                 } else {
3816                         addr6 = (struct sockaddr_in6 *)address;
3817                         snum = ntohs(addr6->sin6_port);
3818                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3819                 }
3820
3821                 if (snum) {
3822                         int low, high;
3823
3824                         inet_get_local_port_range(&low, &high);
3825
3826                         if (snum < max(PROT_SOCK, low) || snum > high) {
3827                                 err = sel_netport_sid(sk->sk_protocol,
3828                                                       snum, &sid);
3829                                 if (err)
3830                                         goto out;
3831                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3832                                 ad.u.net.sport = htons(snum);
3833                                 ad.u.net.family = family;
3834                                 err = avc_has_perm(isec->sid, sid,
3835                                                    isec->sclass,
3836                                                    SOCKET__NAME_BIND, &ad);
3837                                 if (err)
3838                                         goto out;
3839                         }
3840                 }
3841
3842                 switch (isec->sclass) {
3843                 case SECCLASS_TCP_SOCKET:
3844                         node_perm = TCP_SOCKET__NODE_BIND;
3845                         break;
3846
3847                 case SECCLASS_UDP_SOCKET:
3848                         node_perm = UDP_SOCKET__NODE_BIND;
3849                         break;
3850
3851                 case SECCLASS_DCCP_SOCKET:
3852                         node_perm = DCCP_SOCKET__NODE_BIND;
3853                         break;
3854
3855                 default:
3856                         node_perm = RAWIP_SOCKET__NODE_BIND;
3857                         break;
3858                 }
3859
3860                 err = sel_netnode_sid(addrp, family, &sid);
3861                 if (err)
3862                         goto out;
3863
3864                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3865                 ad.u.net.sport = htons(snum);
3866                 ad.u.net.family = family;
3867
3868                 if (family == PF_INET)
3869                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3870                 else
3871                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3872
3873                 err = avc_has_perm(isec->sid, sid,
3874                                    isec->sclass, node_perm, &ad);
3875                 if (err)
3876                         goto out;
3877         }
3878 out:
3879         return err;
3880 }
3881
3882 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3883 {
3884         struct sock *sk = sock->sk;
3885         struct inode_security_struct *isec;
3886         int err;
3887
3888         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3889         if (err)
3890                 return err;
3891
3892         /*
3893          * If a TCP or DCCP socket, check name_connect permission for the port.
3894          */
3895         isec = SOCK_INODE(sock)->i_security;
3896         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3897             isec->sclass == SECCLASS_DCCP_SOCKET) {
3898                 struct common_audit_data ad;
3899                 struct sockaddr_in *addr4 = NULL;
3900                 struct sockaddr_in6 *addr6 = NULL;
3901                 unsigned short snum;
3902                 u32 sid, perm;
3903
3904                 if (sk->sk_family == PF_INET) {
3905                         addr4 = (struct sockaddr_in *)address;
3906                         if (addrlen < sizeof(struct sockaddr_in))
3907                                 return -EINVAL;
3908                         snum = ntohs(addr4->sin_port);
3909                 } else {
3910                         addr6 = (struct sockaddr_in6 *)address;
3911                         if (addrlen < SIN6_LEN_RFC2133)
3912                                 return -EINVAL;
3913                         snum = ntohs(addr6->sin6_port);
3914                 }
3915
3916                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3917                 if (err)
3918                         goto out;
3919
3920                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3921                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3922
3923                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3924                 ad.u.net.dport = htons(snum);
3925                 ad.u.net.family = sk->sk_family;
3926                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3927                 if (err)
3928                         goto out;
3929         }
3930
3931         err = selinux_netlbl_socket_connect(sk, address);
3932
3933 out:
3934         return err;
3935 }
3936
3937 static int selinux_socket_listen(struct socket *sock, int backlog)
3938 {
3939         return socket_has_perm(current, sock, SOCKET__LISTEN);
3940 }
3941
3942 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3943 {
3944         int err;
3945         struct inode_security_struct *isec;
3946         struct inode_security_struct *newisec;
3947
3948         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3949         if (err)
3950                 return err;
3951
3952         newisec = SOCK_INODE(newsock)->i_security;
3953
3954         isec = SOCK_INODE(sock)->i_security;
3955         newisec->sclass = isec->sclass;
3956         newisec->sid = isec->sid;
3957         newisec->initialized = 1;
3958
3959         return 0;
3960 }
3961
3962 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3963                                   int size)
3964 {
3965         return socket_has_perm(current, sock, SOCKET__WRITE);
3966 }
3967
3968 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3969                                   int size, int flags)
3970 {
3971         return socket_has_perm(current, sock, SOCKET__READ);
3972 }
3973
3974 static int selinux_socket_getsockname(struct socket *sock)
3975 {
3976         return socket_has_perm(current, sock, SOCKET__GETATTR);
3977 }
3978
3979 static int selinux_socket_getpeername(struct socket *sock)
3980 {
3981         return socket_has_perm(current, sock, SOCKET__GETATTR);
3982 }
3983
3984 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3985 {
3986         int err;
3987
3988         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3989         if (err)
3990                 return err;
3991
3992         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3993 }
3994
3995 static int selinux_socket_getsockopt(struct socket *sock, int level,
3996                                      int optname)
3997 {
3998         return socket_has_perm(current, sock, SOCKET__GETOPT);
3999 }
4000
4001 static int selinux_socket_shutdown(struct socket *sock, int how)
4002 {
4003         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
4004 }
4005
4006 static int selinux_socket_unix_stream_connect(struct socket *sock,
4007                                               struct socket *other,
4008                                               struct sock *newsk)
4009 {
4010         struct sk_security_struct *ssec;
4011         struct inode_security_struct *isec;
4012         struct inode_security_struct *other_isec;
4013         struct common_audit_data ad;
4014         int err;
4015
4016         isec = SOCK_INODE(sock)->i_security;
4017         other_isec = SOCK_INODE(other)->i_security;
4018
4019         COMMON_AUDIT_DATA_INIT(&ad, NET);
4020         ad.u.net.sk = other->sk;
4021
4022         err = avc_has_perm(isec->sid, other_isec->sid,
4023                            isec->sclass,
4024                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4025         if (err)
4026                 return err;
4027
4028         /* connecting socket */
4029         ssec = sock->sk->sk_security;
4030         ssec->peer_sid = other_isec->sid;
4031
4032         /* server child socket */
4033         ssec = newsk->sk_security;
4034         ssec->peer_sid = isec->sid;
4035         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4036
4037         return err;
4038 }
4039
4040 static int selinux_socket_unix_may_send(struct socket *sock,
4041                                         struct socket *other)
4042 {
4043         struct inode_security_struct *isec;
4044         struct inode_security_struct *other_isec;
4045         struct common_audit_data ad;
4046         int err;
4047
4048         isec = SOCK_INODE(sock)->i_security;
4049         other_isec = SOCK_INODE(other)->i_security;
4050
4051         COMMON_AUDIT_DATA_INIT(&ad, NET);
4052         ad.u.net.sk = other->sk;
4053
4054         err = avc_has_perm(isec->sid, other_isec->sid,
4055                            isec->sclass, SOCKET__SENDTO, &ad);
4056         if (err)
4057                 return err;
4058
4059         return 0;
4060 }
4061
4062 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4063                                     u32 peer_sid,
4064                                     struct common_audit_data *ad)
4065 {
4066         int err;
4067         u32 if_sid;
4068         u32 node_sid;
4069
4070         err = sel_netif_sid(ifindex, &if_sid);
4071         if (err)
4072                 return err;
4073         err = avc_has_perm(peer_sid, if_sid,
4074                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4075         if (err)
4076                 return err;
4077
4078         err = sel_netnode_sid(addrp, family, &node_sid);
4079         if (err)
4080                 return err;
4081         return avc_has_perm(peer_sid, node_sid,
4082                             SECCLASS_NODE, NODE__RECVFROM, ad);
4083 }
4084
4085 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4086                                        u16 family)
4087 {
4088         int err = 0;
4089         struct sk_security_struct *sksec = sk->sk_security;
4090         u32 peer_sid;
4091         u32 sk_sid = sksec->sid;
4092         struct common_audit_data ad;
4093         char *addrp;
4094
4095         COMMON_AUDIT_DATA_INIT(&ad, NET);
4096         ad.u.net.netif = skb->iif;
4097         ad.u.net.family = family;
4098         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4099         if (err)
4100                 return err;
4101
4102         if (selinux_secmark_enabled()) {
4103                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4104                                    PACKET__RECV, &ad);
4105                 if (err)
4106                         return err;
4107         }
4108
4109         if (selinux_policycap_netpeer) {
4110                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4111                 if (err)
4112                         return err;
4113                 err = avc_has_perm(sk_sid, peer_sid,
4114                                    SECCLASS_PEER, PEER__RECV, &ad);
4115                 if (err)
4116                         selinux_netlbl_err(skb, err, 0);
4117         } else {
4118                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4119                 if (err)
4120                         return err;
4121                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4122         }
4123
4124         return err;
4125 }
4126
4127 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4128 {
4129         int err;
4130         struct sk_security_struct *sksec = sk->sk_security;
4131         u16 family = sk->sk_family;
4132         u32 sk_sid = sksec->sid;
4133         struct common_audit_data ad;
4134         char *addrp;
4135         u8 secmark_active;
4136         u8 peerlbl_active;
4137
4138         if (family != PF_INET && family != PF_INET6)
4139                 return 0;
4140
4141         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4142         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4143                 family = PF_INET;
4144
4145         /* If any sort of compatibility mode is enabled then handoff processing
4146          * to the selinux_sock_rcv_skb_compat() function to deal with the
4147          * special handling.  We do this in an attempt to keep this function
4148          * as fast and as clean as possible. */
4149         if (!selinux_policycap_netpeer)
4150                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4151
4152         secmark_active = selinux_secmark_enabled();
4153         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4154         if (!secmark_active && !peerlbl_active)
4155                 return 0;
4156
4157         COMMON_AUDIT_DATA_INIT(&ad, NET);
4158         ad.u.net.netif = skb->iif;
4159         ad.u.net.family = family;
4160         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4161         if (err)
4162                 return err;
4163
4164         if (peerlbl_active) {
4165                 u32 peer_sid;
4166
4167                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4168                 if (err)
4169                         return err;
4170                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4171                                                peer_sid, &ad);
4172                 if (err) {
4173                         selinux_netlbl_err(skb, err, 0);
4174                         return err;
4175                 }
4176                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4177                                    PEER__RECV, &ad);
4178                 if (err)
4179                         selinux_netlbl_err(skb, err, 0);
4180         }
4181
4182         if (secmark_active) {
4183                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4184                                    PACKET__RECV, &ad);
4185                 if (err)
4186                         return err;
4187         }
4188
4189         return err;
4190 }
4191
4192 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4193                                             int __user *optlen, unsigned len)
4194 {
4195         int err = 0;
4196         char *scontext;
4197         u32 scontext_len;
4198         struct sk_security_struct *ssec;
4199         struct inode_security_struct *isec;
4200         u32 peer_sid = SECSID_NULL;
4201
4202         isec = SOCK_INODE(sock)->i_security;
4203
4204         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4205             isec->sclass == SECCLASS_TCP_SOCKET) {
4206                 ssec = sock->sk->sk_security;
4207                 peer_sid = ssec->peer_sid;
4208         }
4209         if (peer_sid == SECSID_NULL) {
4210                 err = -ENOPROTOOPT;
4211                 goto out;
4212         }
4213
4214         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4215
4216         if (err)
4217                 goto out;
4218
4219         if (scontext_len > len) {
4220                 err = -ERANGE;
4221                 goto out_len;
4222         }
4223
4224         if (copy_to_user(optval, scontext, scontext_len))
4225                 err = -EFAULT;
4226
4227 out_len:
4228         if (put_user(scontext_len, optlen))
4229                 err = -EFAULT;
4230
4231         kfree(scontext);
4232 out:
4233         return err;
4234 }
4235
4236 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4237 {
4238         u32 peer_secid = SECSID_NULL;
4239         u16 family;
4240
4241         if (skb && skb->protocol == htons(ETH_P_IP))
4242                 family = PF_INET;
4243         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4244                 family = PF_INET6;
4245         else if (sock)
4246                 family = sock->sk->sk_family;
4247         else
4248                 goto out;
4249
4250         if (sock && family == PF_UNIX)
4251                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4252         else if (skb)
4253                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4254
4255 out:
4256         *secid = peer_secid;
4257         if (peer_secid == SECSID_NULL)
4258                 return -EINVAL;
4259         return 0;
4260 }
4261
4262 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4263 {
4264         return sk_alloc_security(sk, family, priority);
4265 }
4266
4267 static void selinux_sk_free_security(struct sock *sk)
4268 {
4269         sk_free_security(sk);
4270 }
4271
4272 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4273 {
4274         struct sk_security_struct *ssec = sk->sk_security;
4275         struct sk_security_struct *newssec = newsk->sk_security;
4276
4277         newssec->sid = ssec->sid;
4278         newssec->peer_sid = ssec->peer_sid;
4279         newssec->sclass = ssec->sclass;
4280
4281         selinux_netlbl_sk_security_reset(newssec);
4282 }
4283
4284 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4285 {
4286         if (!sk)
4287                 *secid = SECINITSID_ANY_SOCKET;
4288         else {
4289                 struct sk_security_struct *sksec = sk->sk_security;
4290
4291                 *secid = sksec->sid;
4292         }
4293 }
4294
4295 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4296 {
4297         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4298         struct sk_security_struct *sksec = sk->sk_security;
4299
4300         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4301             sk->sk_family == PF_UNIX)
4302                 isec->sid = sksec->sid;
4303         sksec->sclass = isec->sclass;
4304 }
4305
4306 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4307                                      struct request_sock *req)
4308 {
4309         struct sk_security_struct *sksec = sk->sk_security;
4310         int err;
4311         u16 family = sk->sk_family;
4312         u32 newsid;
4313         u32 peersid;
4314
4315         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4316         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4317                 family = PF_INET;
4318
4319         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4320         if (err)
4321                 return err;
4322         if (peersid == SECSID_NULL) {
4323                 req->secid = sksec->sid;
4324                 req->peer_secid = SECSID_NULL;
4325         } else {
4326                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4327                 if (err)
4328                         return err;
4329                 req->secid = newsid;
4330                 req->peer_secid = peersid;
4331         }
4332
4333         return selinux_netlbl_inet_conn_request(req, family);
4334 }
4335
4336 static void selinux_inet_csk_clone(struct sock *newsk,
4337                                    const struct request_sock *req)
4338 {
4339         struct sk_security_struct *newsksec = newsk->sk_security;
4340
4341         newsksec->sid = req->secid;
4342         newsksec->peer_sid = req->peer_secid;
4343         /* NOTE: Ideally, we should also get the isec->sid for the
4344            new socket in sync, but we don't have the isec available yet.
4345            So we will wait until sock_graft to do it, by which
4346            time it will have been created and available. */
4347
4348         /* We don't need to take any sort of lock here as we are the only
4349          * thread with access to newsksec */
4350         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4351 }
4352
4353 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4354 {
4355         u16 family = sk->sk_family;
4356         struct sk_security_struct *sksec = sk->sk_security;
4357
4358         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4359         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4360                 family = PF_INET;
4361
4362         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4363 }
4364
4365 static void selinux_req_classify_flow(const struct request_sock *req,
4366                                       struct flowi *fl)
4367 {
4368         fl->secid = req->secid;
4369 }
4370
4371 static int selinux_tun_dev_create(void)
4372 {
4373         u32 sid = current_sid();
4374
4375         /* we aren't taking into account the "sockcreate" SID since the socket
4376          * that is being created here is not a socket in the traditional sense,
4377          * instead it is a private sock, accessible only to the kernel, and
4378          * representing a wide range of network traffic spanning multiple
4379          * connections unlike traditional sockets - check the TUN driver to
4380          * get a better understanding of why this socket is special */
4381
4382         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4383                             NULL);
4384 }
4385
4386 static void selinux_tun_dev_post_create(struct sock *sk)
4387 {
4388         struct sk_security_struct *sksec = sk->sk_security;
4389
4390         /* we don't currently perform any NetLabel based labeling here and it
4391          * isn't clear that we would want to do so anyway; while we could apply
4392          * labeling without the support of the TUN user the resulting labeled
4393          * traffic from the other end of the connection would almost certainly
4394          * cause confusion to the TUN user that had no idea network labeling
4395          * protocols were being used */
4396
4397         /* see the comments in selinux_tun_dev_create() about why we don't use
4398          * the sockcreate SID here */
4399
4400         sksec->sid = current_sid();
4401         sksec->sclass = SECCLASS_TUN_SOCKET;
4402 }
4403
4404 static int selinux_tun_dev_attach(struct sock *sk)
4405 {
4406         struct sk_security_struct *sksec = sk->sk_security;
4407         u32 sid = current_sid();
4408         int err;
4409
4410         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4411                            TUN_SOCKET__RELABELFROM, NULL);
4412         if (err)
4413                 return err;
4414         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4415                            TUN_SOCKET__RELABELTO, NULL);
4416         if (err)
4417                 return err;
4418
4419         sksec->sid = sid;
4420
4421         return 0;
4422 }
4423
4424 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4425 {
4426         int err = 0;
4427         u32 perm;
4428         struct nlmsghdr *nlh;
4429         struct socket *sock = sk->sk_socket;
4430         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4431
4432         if (skb->len < NLMSG_SPACE(0)) {
4433                 err = -EINVAL;
4434                 goto out;
4435         }
4436         nlh = nlmsg_hdr(skb);
4437
4438         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4439         if (err) {
4440                 if (err == -EINVAL) {
4441                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4442                                   "SELinux:  unrecognized netlink message"
4443                                   " type=%hu for sclass=%hu\n",
4444                                   nlh->nlmsg_type, isec->sclass);
4445                         if (!selinux_enforcing || security_get_allow_unknown())
4446                                 err = 0;
4447                 }
4448
4449                 /* Ignore */
4450                 if (err == -ENOENT)
4451                         err = 0;
4452                 goto out;
4453         }
4454
4455         err = socket_has_perm(current, sock, perm);
4456 out:
4457         return err;
4458 }
4459
4460 #ifdef CONFIG_NETFILTER
4461
4462 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4463                                        u16 family)
4464 {
4465         int err;
4466         char *addrp;
4467         u32 peer_sid;
4468         struct common_audit_data ad;
4469         u8 secmark_active;
4470         u8 netlbl_active;
4471         u8 peerlbl_active;
4472
4473         if (!selinux_policycap_netpeer)
4474                 return NF_ACCEPT;
4475
4476         secmark_active = selinux_secmark_enabled();
4477         netlbl_active = netlbl_enabled();
4478         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4479         if (!secmark_active && !peerlbl_active)
4480                 return NF_ACCEPT;
4481
4482         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4483                 return NF_DROP;
4484
4485         COMMON_AUDIT_DATA_INIT(&ad, NET);
4486         ad.u.net.netif = ifindex;
4487         ad.u.net.family = family;
4488         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4489                 return NF_DROP;
4490
4491         if (peerlbl_active) {
4492                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4493                                                peer_sid, &ad);
4494                 if (err) {
4495                         selinux_netlbl_err(skb, err, 1);
4496                         return NF_DROP;
4497                 }
4498         }
4499
4500         if (secmark_active)
4501                 if (avc_has_perm(peer_sid, skb->secmark,
4502                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4503                         return NF_DROP;
4504
4505         if (netlbl_active)
4506                 /* we do this in the FORWARD path and not the POST_ROUTING
4507                  * path because we want to make sure we apply the necessary
4508                  * labeling before IPsec is applied so we can leverage AH
4509                  * protection */
4510                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4511                         return NF_DROP;
4512
4513         return NF_ACCEPT;
4514 }
4515
4516 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4517                                          struct sk_buff *skb,
4518                                          const struct net_device *in,
4519                                          const struct net_device *out,
4520                                          int (*okfn)(struct sk_buff *))
4521 {
4522         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4523 }
4524
4525 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4526 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4527                                          struct sk_buff *skb,
4528                                          const struct net_device *in,
4529                                          const struct net_device *out,
4530                                          int (*okfn)(struct sk_buff *))
4531 {
4532         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4533 }
4534 #endif  /* IPV6 */
4535
4536 static unsigned int selinux_ip_output(struct sk_buff *skb,
4537                                       u16 family)
4538 {
4539         u32 sid;
4540
4541         if (!netlbl_enabled())
4542                 return NF_ACCEPT;
4543
4544         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4545          * because we want to make sure we apply the necessary labeling
4546          * before IPsec is applied so we can leverage AH protection */
4547         if (skb->sk) {
4548                 struct sk_security_struct *sksec = skb->sk->sk_security;
4549                 sid = sksec->sid;
4550         } else
4551                 sid = SECINITSID_KERNEL;
4552         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4553                 return NF_DROP;
4554
4555         return NF_ACCEPT;
4556 }
4557
4558 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4559                                         struct sk_buff *skb,
4560                                         const struct net_device *in,
4561                                         const struct net_device *out,
4562                                         int (*okfn)(struct sk_buff *))
4563 {
4564         return selinux_ip_output(skb, PF_INET);
4565 }
4566
4567 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4568                                                 int ifindex,
4569                                                 u16 family)
4570 {
4571         struct sock *sk = skb->sk;
4572         struct sk_security_struct *sksec;
4573         struct common_audit_data ad;
4574         char *addrp;
4575         u8 proto;
4576
4577         if (sk == NULL)
4578                 return NF_ACCEPT;
4579         sksec = sk->sk_security;
4580
4581         COMMON_AUDIT_DATA_INIT(&ad, NET);
4582         ad.u.net.netif = ifindex;
4583         ad.u.net.family = family;
4584         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4585                 return NF_DROP;
4586
4587         if (selinux_secmark_enabled())
4588                 if (avc_has_perm(sksec->sid, skb->secmark,
4589                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4590                         return NF_DROP;
4591
4592         if (selinux_policycap_netpeer)
4593                 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4594                         return NF_DROP;
4595
4596         return NF_ACCEPT;
4597 }
4598
4599 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4600                                          u16 family)
4601 {
4602         u32 secmark_perm;
4603         u32 peer_sid;
4604         struct sock *sk;
4605         struct common_audit_data ad;
4606         char *addrp;
4607         u8 secmark_active;
4608         u8 peerlbl_active;
4609
4610         /* If any sort of compatibility mode is enabled then handoff processing
4611          * to the selinux_ip_postroute_compat() function to deal with the
4612          * special handling.  We do this in an attempt to keep this function
4613          * as fast and as clean as possible. */
4614         if (!selinux_policycap_netpeer)
4615                 return selinux_ip_postroute_compat(skb, ifindex, family);
4616 #ifdef CONFIG_XFRM
4617         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4618          * packet transformation so allow the packet to pass without any checks
4619          * since we'll have another chance to perform access control checks
4620          * when the packet is on it's final way out.
4621          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4622          *       is NULL, in this case go ahead and apply access control. */
4623         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4624                 return NF_ACCEPT;
4625 #endif
4626         secmark_active = selinux_secmark_enabled();
4627         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4628         if (!secmark_active && !peerlbl_active)
4629                 return NF_ACCEPT;
4630
4631         /* if the packet is being forwarded then get the peer label from the
4632          * packet itself; otherwise check to see if it is from a local
4633          * application or the kernel, if from an application get the peer label
4634          * from the sending socket, otherwise use the kernel's sid */
4635         sk = skb->sk;
4636         if (sk == NULL) {
4637                 switch (family) {
4638                 case PF_INET:
4639                         if (IPCB(skb)->flags & IPSKB_FORWARDED)
4640                                 secmark_perm = PACKET__FORWARD_OUT;
4641                         else
4642                                 secmark_perm = PACKET__SEND;
4643                         break;
4644                 case PF_INET6:
4645                         if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4646                                 secmark_perm = PACKET__FORWARD_OUT;
4647                         else
4648                                 secmark_perm = PACKET__SEND;
4649                         break;
4650                 default:
4651                         return NF_DROP;
4652                 }
4653                 if (secmark_perm == PACKET__FORWARD_OUT) {
4654                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4655                                 return NF_DROP;
4656                 } else
4657                         peer_sid = SECINITSID_KERNEL;
4658         } else {
4659                 struct sk_security_struct *sksec = sk->sk_security;
4660                 peer_sid = sksec->sid;
4661                 secmark_perm = PACKET__SEND;
4662         }
4663
4664         COMMON_AUDIT_DATA_INIT(&ad, NET);
4665         ad.u.net.netif = ifindex;
4666         ad.u.net.family = family;
4667         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4668                 return NF_DROP;
4669
4670         if (secmark_active)
4671                 if (avc_has_perm(peer_sid, skb->secmark,
4672                                  SECCLASS_PACKET, secmark_perm, &ad))
4673                         return NF_DROP;
4674
4675         if (peerlbl_active) {
4676                 u32 if_sid;
4677                 u32 node_sid;
4678
4679                 if (sel_netif_sid(ifindex, &if_sid))
4680                         return NF_DROP;
4681                 if (avc_has_perm(peer_sid, if_sid,
4682                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4683                         return NF_DROP;
4684
4685                 if (sel_netnode_sid(addrp, family, &node_sid))
4686                         return NF_DROP;
4687                 if (avc_has_perm(peer_sid, node_sid,
4688                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4689                         return NF_DROP;
4690         }
4691
4692         return NF_ACCEPT;
4693 }
4694
4695 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4696                                            struct sk_buff *skb,
4697                                            const struct net_device *in,
4698                                            const struct net_device *out,
4699                                            int (*okfn)(struct sk_buff *))
4700 {
4701         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4702 }
4703
4704 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4705 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4706                                            struct sk_buff *skb,
4707                                            const struct net_device *in,
4708                                            const struct net_device *out,
4709                                            int (*okfn)(struct sk_buff *))
4710 {
4711         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4712 }
4713 #endif  /* IPV6 */
4714
4715 #endif  /* CONFIG_NETFILTER */
4716
4717 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4718 {
4719         int err;
4720
4721         err = cap_netlink_send(sk, skb);
4722         if (err)
4723                 return err;
4724
4725         return selinux_nlmsg_perm(sk, skb);
4726 }
4727
4728 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4729 {
4730         int err;
4731         struct common_audit_data ad;
4732
4733         err = cap_netlink_recv(skb, capability);
4734         if (err)
4735                 return err;
4736
4737         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4738         ad.u.cap = capability;
4739
4740         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4741                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4742 }
4743
4744 static int ipc_alloc_security(struct task_struct *task,
4745                               struct kern_ipc_perm *perm,
4746                               u16 sclass)
4747 {
4748         struct ipc_security_struct *isec;
4749         u32 sid;
4750
4751         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4752         if (!isec)
4753                 return -ENOMEM;
4754
4755         sid = task_sid(task);
4756         isec->sclass = sclass;
4757         isec->sid = sid;
4758         perm->security = isec;
4759
4760         return 0;
4761 }
4762
4763 static void ipc_free_security(struct kern_ipc_perm *perm)
4764 {
4765         struct ipc_security_struct *isec = perm->security;
4766         perm->security = NULL;
4767         kfree(isec);
4768 }
4769
4770 static int msg_msg_alloc_security(struct msg_msg *msg)
4771 {
4772         struct msg_security_struct *msec;
4773
4774         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4775         if (!msec)
4776                 return -ENOMEM;
4777
4778         msec->sid = SECINITSID_UNLABELED;
4779         msg->security = msec;
4780
4781         return 0;
4782 }
4783
4784 static void msg_msg_free_security(struct msg_msg *msg)
4785 {
4786         struct msg_security_struct *msec = msg->security;
4787
4788         msg->security = NULL;
4789         kfree(msec);
4790 }
4791
4792 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4793                         u32 perms)
4794 {
4795         struct ipc_security_struct *isec;
4796         struct common_audit_data ad;
4797         u32 sid = current_sid();
4798
4799         isec = ipc_perms->security;
4800
4801         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4802         ad.u.ipc_id = ipc_perms->key;
4803
4804         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4805 }
4806
4807 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4808 {
4809         return msg_msg_alloc_security(msg);
4810 }
4811
4812 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4813 {
4814         msg_msg_free_security(msg);
4815 }
4816
4817 /* message queue security operations */
4818 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4819 {
4820         struct ipc_security_struct *isec;
4821         struct common_audit_data ad;
4822         u32 sid = current_sid();
4823         int rc;
4824
4825         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4826         if (rc)
4827                 return rc;
4828
4829         isec = msq->q_perm.security;
4830
4831         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4832         ad.u.ipc_id = msq->q_perm.key;
4833
4834         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4835                           MSGQ__CREATE, &ad);
4836         if (rc) {
4837                 ipc_free_security(&msq->q_perm);
4838                 return rc;
4839         }
4840         return 0;
4841 }
4842
4843 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4844 {
4845         ipc_free_security(&msq->q_perm);
4846 }
4847
4848 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4849 {
4850         struct ipc_security_struct *isec;
4851         struct common_audit_data ad;
4852         u32 sid = current_sid();
4853
4854         isec = msq->q_perm.security;
4855
4856         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4857         ad.u.ipc_id = msq->q_perm.key;
4858
4859         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4860                             MSGQ__ASSOCIATE, &ad);
4861 }
4862
4863 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4864 {
4865         int err;
4866         int perms;
4867
4868         switch (cmd) {
4869         case IPC_INFO:
4870         case MSG_INFO:
4871                 /* No specific object, just general system-wide information. */
4872                 return task_has_system(current, SYSTEM__IPC_INFO);
4873         case IPC_STAT:
4874         case MSG_STAT:
4875                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4876                 break;
4877         case IPC_SET:
4878                 perms = MSGQ__SETATTR;
4879                 break;
4880         case IPC_RMID:
4881                 perms = MSGQ__DESTROY;
4882                 break;
4883         default:
4884                 return 0;
4885         }
4886
4887         err = ipc_has_perm(&msq->q_perm, perms);
4888         return err;
4889 }
4890
4891 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4892 {
4893         struct ipc_security_struct *isec;
4894         struct msg_security_struct *msec;
4895         struct common_audit_data ad;
4896         u32 sid = current_sid();
4897         int rc;
4898
4899         isec = msq->q_perm.security;
4900         msec = msg->security;
4901
4902         /*
4903          * First time through, need to assign label to the message
4904          */
4905         if (msec->sid == SECINITSID_UNLABELED) {
4906                 /*
4907                  * Compute new sid based on current process and
4908                  * message queue this message will be stored in
4909                  */
4910                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4911                                              &msec->sid);
4912                 if (rc)
4913                         return rc;
4914         }
4915
4916         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4917         ad.u.ipc_id = msq->q_perm.key;
4918
4919         /* Can this process write to the queue? */
4920         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4921                           MSGQ__WRITE, &ad);
4922         if (!rc)
4923                 /* Can this process send the message */
4924                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4925                                   MSG__SEND, &ad);
4926         if (!rc)
4927                 /* Can the message be put in the queue? */
4928                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4929                                   MSGQ__ENQUEUE, &ad);
4930
4931         return rc;
4932 }
4933
4934 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4935                                     struct task_struct *target,
4936                                     long type, int mode)
4937 {
4938         struct ipc_security_struct *isec;
4939         struct msg_security_struct *msec;
4940         struct common_audit_data ad;
4941         u32 sid = task_sid(target);
4942         int rc;
4943
4944         isec = msq->q_perm.security;
4945         msec = msg->security;
4946
4947         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4948         ad.u.ipc_id = msq->q_perm.key;
4949
4950         rc = avc_has_perm(sid, isec->sid,
4951                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4952         if (!rc)
4953                 rc = avc_has_perm(sid, msec->sid,
4954                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4955         return rc;
4956 }
4957
4958 /* Shared Memory security operations */
4959 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4960 {
4961         struct ipc_security_struct *isec;
4962         struct common_audit_data ad;
4963         u32 sid = current_sid();
4964         int rc;
4965
4966         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4967         if (rc)
4968                 return rc;
4969
4970         isec = shp->shm_perm.security;
4971
4972         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4973         ad.u.ipc_id = shp->shm_perm.key;
4974
4975         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4976                           SHM__CREATE, &ad);
4977         if (rc) {
4978                 ipc_free_security(&shp->shm_perm);
4979                 return rc;
4980         }
4981         return 0;
4982 }
4983
4984 static void selinux_shm_free_security(struct shmid_kernel *shp)
4985 {
4986         ipc_free_security(&shp->shm_perm);
4987 }
4988
4989 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4990 {
4991         struct ipc_security_struct *isec;
4992         struct common_audit_data ad;
4993         u32 sid = current_sid();
4994
4995         isec = shp->shm_perm.security;
4996
4997         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4998         ad.u.ipc_id = shp->shm_perm.key;
4999
5000         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5001                             SHM__ASSOCIATE, &ad);
5002 }
5003
5004 /* Note, at this point, shp is locked down */
5005 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5006 {
5007         int perms;
5008         int err;
5009
5010         switch (cmd) {
5011         case IPC_INFO:
5012         case SHM_INFO:
5013                 /* No specific object, just general system-wide information. */
5014                 return task_has_system(current, SYSTEM__IPC_INFO);
5015         case IPC_STAT:
5016         case SHM_STAT:
5017                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5018                 break;
5019         case IPC_SET:
5020                 perms = SHM__SETATTR;
5021                 break;
5022         case SHM_LOCK:
5023         case SHM_UNLOCK:
5024                 perms = SHM__LOCK;
5025                 break;
5026         case IPC_RMID:
5027                 perms = SHM__DESTROY;
5028                 break;
5029         default:
5030                 return 0;
5031         }
5032
5033         err = ipc_has_perm(&shp->shm_perm, perms);
5034         return err;
5035 }
5036
5037 static int selinux_shm_shmat(struct shmid_kernel *shp,
5038                              char __user *shmaddr, int shmflg)
5039 {
5040         u32 perms;
5041
5042         if (shmflg & SHM_RDONLY)
5043                 perms = SHM__READ;
5044         else
5045                 perms = SHM__READ | SHM__WRITE;
5046
5047         return ipc_has_perm(&shp->shm_perm, perms);
5048 }
5049
5050 /* Semaphore security operations */
5051 static int selinux_sem_alloc_security(struct sem_array *sma)
5052 {
5053         struct ipc_security_struct *isec;
5054         struct common_audit_data ad;
5055         u32 sid = current_sid();
5056         int rc;
5057
5058         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5059         if (rc)
5060                 return rc;
5061
5062         isec = sma->sem_perm.security;
5063
5064         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5065         ad.u.ipc_id = sma->sem_perm.key;
5066
5067         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5068                           SEM__CREATE, &ad);
5069         if (rc) {
5070                 ipc_free_security(&sma->sem_perm);
5071                 return rc;
5072         }
5073         return 0;
5074 }
5075
5076 static void selinux_sem_free_security(struct sem_array *sma)
5077 {
5078         ipc_free_security(&sma->sem_perm);
5079 }
5080
5081 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5082 {
5083         struct ipc_security_struct *isec;
5084         struct common_audit_data ad;
5085         u32 sid = current_sid();
5086
5087         isec = sma->sem_perm.security;
5088
5089         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5090         ad.u.ipc_id = sma->sem_perm.key;
5091
5092         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5093                             SEM__ASSOCIATE, &ad);
5094 }
5095
5096 /* Note, at this point, sma is locked down */
5097 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5098 {
5099         int err;
5100         u32 perms;
5101
5102         switch (cmd) {
5103         case IPC_INFO:
5104         case SEM_INFO:
5105                 /* No specific object, just general system-wide information. */
5106                 return task_has_system(current, SYSTEM__IPC_INFO);
5107         case GETPID:
5108         case GETNCNT:
5109         case GETZCNT:
5110                 perms = SEM__GETATTR;
5111                 break;
5112         case GETVAL:
5113         case GETALL:
5114                 perms = SEM__READ;
5115                 break;
5116         case SETVAL:
5117         case SETALL:
5118                 perms = SEM__WRITE;
5119                 break;
5120         case IPC_RMID:
5121                 perms = SEM__DESTROY;
5122                 break;
5123         case IPC_SET:
5124                 perms = SEM__SETATTR;
5125                 break;
5126         case IPC_STAT:
5127         case SEM_STAT:
5128                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5129                 break;
5130         default:
5131                 return 0;
5132         }
5133
5134         err = ipc_has_perm(&sma->sem_perm, perms);
5135         return err;
5136 }
5137
5138 static int selinux_sem_semop(struct sem_array *sma,
5139                              struct sembuf *sops, unsigned nsops, int alter)
5140 {
5141         u32 perms;
5142
5143         if (alter)
5144                 perms = SEM__READ | SEM__WRITE;
5145         else
5146                 perms = SEM__READ;
5147
5148         return ipc_has_perm(&sma->sem_perm, perms);
5149 }
5150
5151 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5152 {
5153         u32 av = 0;
5154
5155         av = 0;
5156         if (flag & S_IRUGO)
5157                 av |= IPC__UNIX_READ;
5158         if (flag & S_IWUGO)
5159                 av |= IPC__UNIX_WRITE;
5160
5161         if (av == 0)
5162                 return 0;
5163
5164         return ipc_has_perm(ipcp, av);
5165 }
5166
5167 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5168 {
5169         struct ipc_security_struct *isec = ipcp->security;
5170         *secid = isec->sid;
5171 }
5172
5173 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5174 {
5175         if (inode)
5176                 inode_doinit_with_dentry(inode, dentry);
5177 }
5178
5179 static int selinux_getprocattr(struct task_struct *p,
5180                                char *name, char **value)
5181 {
5182         const struct task_security_struct *__tsec;
5183         u32 sid;
5184         int error;
5185         unsigned len;
5186
5187         if (current != p) {
5188                 error = current_has_perm(p, PROCESS__GETATTR);
5189                 if (error)
5190                         return error;
5191         }
5192
5193         rcu_read_lock();
5194         __tsec = __task_cred(p)->security;
5195
5196         if (!strcmp(name, "current"))
5197                 sid = __tsec->sid;
5198         else if (!strcmp(name, "prev"))
5199                 sid = __tsec->osid;
5200         else if (!strcmp(name, "exec"))
5201                 sid = __tsec->exec_sid;
5202         else if (!strcmp(name, "fscreate"))
5203                 sid = __tsec->create_sid;
5204         else if (!strcmp(name, "keycreate"))
5205                 sid = __tsec->keycreate_sid;
5206         else if (!strcmp(name, "sockcreate"))
5207                 sid = __tsec->sockcreate_sid;
5208         else
5209                 goto invalid;
5210         rcu_read_unlock();
5211
5212         if (!sid)
5213                 return 0;
5214
5215         error = security_sid_to_context(sid, value, &len);
5216         if (error)
5217                 return error;
5218         return len;
5219
5220 invalid:
5221         rcu_read_unlock();
5222         return -EINVAL;
5223 }
5224
5225 static int selinux_setprocattr(struct task_struct *p,
5226                                char *name, void *value, size_t size)
5227 {
5228         struct task_security_struct *tsec;
5229         struct task_struct *tracer;
5230         struct cred *new;
5231         u32 sid = 0, ptsid;
5232         int error;
5233         char *str = value;
5234
5235         if (current != p) {
5236                 /* SELinux only allows a process to change its own
5237                    security attributes. */
5238                 return -EACCES;
5239         }
5240
5241         /*
5242          * Basic control over ability to set these attributes at all.
5243          * current == p, but we'll pass them separately in case the
5244          * above restriction is ever removed.
5245          */
5246         if (!strcmp(name, "exec"))
5247                 error = current_has_perm(p, PROCESS__SETEXEC);
5248         else if (!strcmp(name, "fscreate"))
5249                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5250         else if (!strcmp(name, "keycreate"))
5251                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5252         else if (!strcmp(name, "sockcreate"))
5253                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5254         else if (!strcmp(name, "current"))
5255                 error = current_has_perm(p, PROCESS__SETCURRENT);
5256         else
5257                 error = -EINVAL;
5258         if (error)
5259                 return error;
5260
5261         /* Obtain a SID for the context, if one was specified. */
5262         if (size && str[1] && str[1] != '\n') {
5263                 if (str[size-1] == '\n') {
5264                         str[size-1] = 0;
5265                         size--;
5266                 }
5267                 error = security_context_to_sid(value, size, &sid);
5268                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5269                         if (!capable(CAP_MAC_ADMIN))
5270                                 return error;
5271                         error = security_context_to_sid_force(value, size,
5272                                                               &sid);
5273                 }
5274                 if (error)
5275                         return error;
5276         }
5277
5278         new = prepare_creds();
5279         if (!new)
5280                 return -ENOMEM;
5281
5282         /* Permission checking based on the specified context is
5283            performed during the actual operation (execve,
5284            open/mkdir/...), when we know the full context of the
5285            operation.  See selinux_bprm_set_creds for the execve
5286            checks and may_create for the file creation checks. The
5287            operation will then fail if the context is not permitted. */
5288         tsec = new->security;
5289         if (!strcmp(name, "exec")) {
5290                 tsec->exec_sid = sid;
5291         } else if (!strcmp(name, "fscreate")) {
5292                 tsec->create_sid = sid;
5293         } else if (!strcmp(name, "keycreate")) {
5294                 error = may_create_key(sid, p);
5295                 if (error)
5296                         goto abort_change;
5297                 tsec->keycreate_sid = sid;
5298         } else if (!strcmp(name, "sockcreate")) {
5299                 tsec->sockcreate_sid = sid;
5300         } else if (!strcmp(name, "current")) {
5301                 error = -EINVAL;
5302                 if (sid == 0)
5303                         goto abort_change;
5304
5305                 /* Only allow single threaded processes to change context */
5306                 error = -EPERM;
5307                 if (!current_is_single_threaded()) {
5308                         error = security_bounded_transition(tsec->sid, sid);
5309                         if (error)
5310                                 goto abort_change;
5311                 }
5312
5313                 /* Check permissions for the transition. */
5314                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5315                                      PROCESS__DYNTRANSITION, NULL);
5316                 if (error)
5317                         goto abort_change;
5318
5319                 /* Check for ptracing, and update the task SID if ok.
5320                    Otherwise, leave SID unchanged and fail. */
5321                 ptsid = 0;
5322                 task_lock(p);
5323                 tracer = tracehook_tracer_task(p);
5324                 if (tracer)
5325                         ptsid = task_sid(tracer);
5326                 task_unlock(p);
5327
5328                 if (tracer) {
5329                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5330                                              PROCESS__PTRACE, NULL);
5331                         if (error)
5332                                 goto abort_change;
5333                 }
5334
5335                 tsec->sid = sid;
5336         } else {
5337                 error = -EINVAL;
5338                 goto abort_change;
5339         }
5340
5341         commit_creds(new);
5342         return size;
5343
5344 abort_change:
5345         abort_creds(new);
5346         return error;
5347 }
5348
5349 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5350 {
5351         return security_sid_to_context(secid, secdata, seclen);
5352 }
5353
5354 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5355 {
5356         return security_context_to_sid(secdata, seclen, secid);
5357 }
5358
5359 static void selinux_release_secctx(char *secdata, u32 seclen)
5360 {
5361         kfree(secdata);
5362 }
5363
5364 /*
5365  *      called with inode->i_mutex locked
5366  */
5367 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5368 {
5369         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5370 }
5371
5372 /*
5373  *      called with inode->i_mutex locked
5374  */
5375 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5376 {
5377         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5378 }
5379
5380 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5381 {
5382         int len = 0;
5383         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5384                                                 ctx, true);
5385         if (len < 0)
5386                 return len;
5387         *ctxlen = len;
5388         return 0;
5389 }
5390 #ifdef CONFIG_KEYS
5391
5392 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5393                              unsigned long flags)
5394 {
5395         const struct task_security_struct *tsec;
5396         struct key_security_struct *ksec;
5397
5398         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5399         if (!ksec)
5400                 return -ENOMEM;
5401
5402         tsec = cred->security;
5403         if (tsec->keycreate_sid)
5404                 ksec->sid = tsec->keycreate_sid;
5405         else
5406                 ksec->sid = tsec->sid;
5407
5408         k->security = ksec;
5409         return 0;
5410 }
5411
5412 static void selinux_key_free(struct key *k)
5413 {
5414         struct key_security_struct *ksec = k->security;
5415
5416         k->security = NULL;
5417         kfree(ksec);
5418 }
5419
5420 static int selinux_key_permission(key_ref_t key_ref,
5421                                   const struct cred *cred,
5422                                   key_perm_t perm)
5423 {
5424         struct key *key;
5425         struct key_security_struct *ksec;
5426         u32 sid;
5427
5428         /* if no specific permissions are requested, we skip the
5429            permission check. No serious, additional covert channels
5430            appear to be created. */
5431         if (perm == 0)
5432                 return 0;
5433
5434         sid = cred_sid(cred);
5435
5436         key = key_ref_to_ptr(key_ref);
5437         ksec = key->security;
5438
5439         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5440 }
5441
5442 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5443 {
5444         struct key_security_struct *ksec = key->security;
5445         char *context = NULL;
5446         unsigned len;
5447         int rc;
5448
5449         rc = security_sid_to_context(ksec->sid, &context, &len);
5450         if (!rc)
5451                 rc = len;
5452         *_buffer = context;
5453         return rc;
5454 }
5455
5456 #endif
5457
5458 static struct security_operations selinux_ops = {
5459         .name =                         "selinux",
5460
5461         .ptrace_access_check =          selinux_ptrace_access_check,
5462         .ptrace_traceme =               selinux_ptrace_traceme,
5463         .capget =                       selinux_capget,
5464         .capset =                       selinux_capset,
5465         .sysctl =                       selinux_sysctl,
5466         .capable =                      selinux_capable,
5467         .quotactl =                     selinux_quotactl,
5468         .quota_on =                     selinux_quota_on,
5469         .syslog =                       selinux_syslog,
5470         .vm_enough_memory =             selinux_vm_enough_memory,
5471
5472         .netlink_send =                 selinux_netlink_send,
5473         .netlink_recv =                 selinux_netlink_recv,
5474
5475         .bprm_set_creds =               selinux_bprm_set_creds,
5476         .bprm_committing_creds =        selinux_bprm_committing_creds,
5477         .bprm_committed_creds =         selinux_bprm_committed_creds,
5478         .bprm_secureexec =              selinux_bprm_secureexec,
5479
5480         .sb_alloc_security =            selinux_sb_alloc_security,
5481         .sb_free_security =             selinux_sb_free_security,
5482         .sb_copy_data =                 selinux_sb_copy_data,
5483         .sb_kern_mount =                selinux_sb_kern_mount,
5484         .sb_show_options =              selinux_sb_show_options,
5485         .sb_statfs =                    selinux_sb_statfs,
5486         .sb_mount =                     selinux_mount,
5487         .sb_umount =                    selinux_umount,
5488         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5489         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5490         .sb_parse_opts_str =            selinux_parse_opts_str,
5491
5492
5493         .inode_alloc_security =         selinux_inode_alloc_security,
5494         .inode_free_security =          selinux_inode_free_security,
5495         .inode_init_security =          selinux_inode_init_security,
5496         .inode_create =                 selinux_inode_create,
5497         .inode_link =                   selinux_inode_link,
5498         .inode_unlink =                 selinux_inode_unlink,
5499         .inode_symlink =                selinux_inode_symlink,
5500         .inode_mkdir =                  selinux_inode_mkdir,
5501         .inode_rmdir =                  selinux_inode_rmdir,
5502         .inode_mknod =                  selinux_inode_mknod,
5503         .inode_rename =                 selinux_inode_rename,
5504         .inode_readlink =               selinux_inode_readlink,
5505         .inode_follow_link =            selinux_inode_follow_link,
5506         .inode_permission =             selinux_inode_permission,
5507         .inode_setattr =                selinux_inode_setattr,
5508         .inode_getattr =                selinux_inode_getattr,
5509         .inode_setxattr =               selinux_inode_setxattr,
5510         .inode_post_setxattr =          selinux_inode_post_setxattr,
5511         .inode_getxattr =               selinux_inode_getxattr,
5512         .inode_listxattr =              selinux_inode_listxattr,
5513         .inode_removexattr =            selinux_inode_removexattr,
5514         .inode_getsecurity =            selinux_inode_getsecurity,
5515         .inode_setsecurity =            selinux_inode_setsecurity,
5516         .inode_listsecurity =           selinux_inode_listsecurity,
5517         .inode_getsecid =               selinux_inode_getsecid,
5518
5519         .file_permission =              selinux_file_permission,
5520         .file_alloc_security =          selinux_file_alloc_security,
5521         .file_free_security =           selinux_file_free_security,
5522         .file_ioctl =                   selinux_file_ioctl,
5523         .file_mmap =                    selinux_file_mmap,
5524         .file_mprotect =                selinux_file_mprotect,
5525         .file_lock =                    selinux_file_lock,
5526         .file_fcntl =                   selinux_file_fcntl,
5527         .file_set_fowner =              selinux_file_set_fowner,
5528         .file_send_sigiotask =          selinux_file_send_sigiotask,
5529         .file_receive =                 selinux_file_receive,
5530
5531         .dentry_open =                  selinux_dentry_open,
5532
5533         .task_create =                  selinux_task_create,
5534         .cred_alloc_blank =             selinux_cred_alloc_blank,
5535         .cred_free =                    selinux_cred_free,
5536         .cred_prepare =                 selinux_cred_prepare,
5537         .cred_transfer =                selinux_cred_transfer,
5538         .kernel_act_as =                selinux_kernel_act_as,
5539         .kernel_create_files_as =       selinux_kernel_create_files_as,
5540         .kernel_module_request =        selinux_kernel_module_request,
5541         .task_setpgid =                 selinux_task_setpgid,
5542         .task_getpgid =                 selinux_task_getpgid,
5543         .task_getsid =                  selinux_task_getsid,
5544         .task_getsecid =                selinux_task_getsecid,
5545         .task_setnice =                 selinux_task_setnice,
5546         .task_setioprio =               selinux_task_setioprio,
5547         .task_getioprio =               selinux_task_getioprio,
5548         .task_setrlimit =               selinux_task_setrlimit,
5549         .task_setscheduler =            selinux_task_setscheduler,
5550         .task_getscheduler =            selinux_task_getscheduler,
5551         .task_movememory =              selinux_task_movememory,
5552         .task_kill =                    selinux_task_kill,
5553         .task_wait =                    selinux_task_wait,
5554         .task_to_inode =                selinux_task_to_inode,
5555
5556         .ipc_permission =               selinux_ipc_permission,
5557         .ipc_getsecid =                 selinux_ipc_getsecid,
5558
5559         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5560         .msg_msg_free_security =        selinux_msg_msg_free_security,
5561
5562         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5563         .msg_queue_free_security =      selinux_msg_queue_free_security,
5564         .msg_queue_associate =          selinux_msg_queue_associate,
5565         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5566         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5567         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5568
5569         .shm_alloc_security =           selinux_shm_alloc_security,
5570         .shm_free_security =            selinux_shm_free_security,
5571         .shm_associate =                selinux_shm_associate,
5572         .shm_shmctl =                   selinux_shm_shmctl,
5573         .shm_shmat =                    selinux_shm_shmat,
5574
5575         .sem_alloc_security =           selinux_sem_alloc_security,
5576         .sem_free_security =            selinux_sem_free_security,
5577         .sem_associate =                selinux_sem_associate,
5578         .sem_semctl =                   selinux_sem_semctl,
5579         .sem_semop =                    selinux_sem_semop,
5580
5581         .d_instantiate =                selinux_d_instantiate,
5582
5583         .getprocattr =                  selinux_getprocattr,
5584         .setprocattr =                  selinux_setprocattr,
5585
5586         .secid_to_secctx =              selinux_secid_to_secctx,
5587         .secctx_to_secid =              selinux_secctx_to_secid,
5588         .release_secctx =               selinux_release_secctx,
5589         .inode_notifysecctx =           selinux_inode_notifysecctx,
5590         .inode_setsecctx =              selinux_inode_setsecctx,
5591         .inode_getsecctx =              selinux_inode_getsecctx,
5592
5593         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5594         .unix_may_send =                selinux_socket_unix_may_send,
5595
5596         .socket_create =                selinux_socket_create,
5597         .socket_post_create =           selinux_socket_post_create,
5598         .socket_bind =                  selinux_socket_bind,
5599         .socket_connect =               selinux_socket_connect,
5600         .socket_listen =                selinux_socket_listen,
5601         .socket_accept =                selinux_socket_accept,
5602         .socket_sendmsg =               selinux_socket_sendmsg,
5603         .socket_recvmsg =               selinux_socket_recvmsg,
5604         .socket_getsockname =           selinux_socket_getsockname,
5605         .socket_getpeername =           selinux_socket_getpeername,
5606         .socket_getsockopt =            selinux_socket_getsockopt,
5607         .socket_setsockopt =            selinux_socket_setsockopt,
5608         .socket_shutdown =              selinux_socket_shutdown,
5609         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5610         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5611         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5612         .sk_alloc_security =            selinux_sk_alloc_security,
5613         .sk_free_security =             selinux_sk_free_security,
5614         .sk_clone_security =            selinux_sk_clone_security,
5615         .sk_getsecid =                  selinux_sk_getsecid,
5616         .sock_graft =                   selinux_sock_graft,
5617         .inet_conn_request =            selinux_inet_conn_request,
5618         .inet_csk_clone =               selinux_inet_csk_clone,
5619         .inet_conn_established =        selinux_inet_conn_established,
5620         .req_classify_flow =            selinux_req_classify_flow,
5621         .tun_dev_create =               selinux_tun_dev_create,
5622         .tun_dev_post_create =          selinux_tun_dev_post_create,
5623         .tun_dev_attach =               selinux_tun_dev_attach,
5624
5625 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5626         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5627         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5628         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5629         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5630         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5631         .xfrm_state_free_security =     selinux_xfrm_state_free,
5632         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5633         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5634         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5635         .xfrm_decode_session =          selinux_xfrm_decode_session,
5636 #endif
5637
5638 #ifdef CONFIG_KEYS
5639         .key_alloc =                    selinux_key_alloc,
5640         .key_free =                     selinux_key_free,
5641         .key_permission =               selinux_key_permission,
5642         .key_getsecurity =              selinux_key_getsecurity,
5643 #endif
5644
5645 #ifdef CONFIG_AUDIT
5646         .audit_rule_init =              selinux_audit_rule_init,
5647         .audit_rule_known =             selinux_audit_rule_known,
5648         .audit_rule_match =             selinux_audit_rule_match,
5649         .audit_rule_free =              selinux_audit_rule_free,
5650 #endif
5651 };
5652
5653 static __init int selinux_init(void)
5654 {
5655         if (!security_module_enable(&selinux_ops)) {
5656                 selinux_enabled = 0;
5657                 return 0;
5658         }
5659
5660         if (!selinux_enabled) {
5661                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5662                 return 0;
5663         }
5664
5665         printk(KERN_INFO "SELinux:  Initializing.\n");
5666
5667         /* Set the security state for the initial task. */
5668         cred_init_security();
5669
5670         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5671                                             sizeof(struct inode_security_struct),
5672                                             0, SLAB_PANIC, NULL);
5673         avc_init();
5674
5675         secondary_ops = security_ops;
5676         if (!secondary_ops)
5677                 panic("SELinux: No initial security operations\n");
5678         if (register_security(&selinux_ops))
5679                 panic("SELinux: Unable to register with kernel.\n");
5680
5681         if (selinux_enforcing)
5682                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5683         else
5684                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5685
5686         return 0;
5687 }
5688
5689 void selinux_complete_init(void)
5690 {
5691         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5692
5693         /* Set up any superblocks initialized prior to the policy load. */
5694         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5695         spin_lock(&sb_lock);
5696         spin_lock(&sb_security_lock);
5697 next_sb:
5698         if (!list_empty(&superblock_security_head)) {
5699                 struct superblock_security_struct *sbsec =
5700                                 list_entry(superblock_security_head.next,
5701                                            struct superblock_security_struct,
5702                                            list);
5703                 struct super_block *sb = sbsec->sb;
5704                 sb->s_count++;
5705                 spin_unlock(&sb_security_lock);
5706                 spin_unlock(&sb_lock);
5707                 down_read(&sb->s_umount);
5708                 if (sb->s_root)
5709                         superblock_doinit(sb, NULL);
5710                 drop_super(sb);
5711                 spin_lock(&sb_lock);
5712                 spin_lock(&sb_security_lock);
5713                 list_del_init(&sbsec->list);
5714                 goto next_sb;
5715         }
5716         spin_unlock(&sb_security_lock);
5717         spin_unlock(&sb_lock);
5718 }
5719
5720 /* SELinux requires early initialization in order to label
5721    all processes and objects when they are created. */
5722 security_initcall(selinux_init);
5723
5724 #if defined(CONFIG_NETFILTER)
5725
5726 static struct nf_hook_ops selinux_ipv4_ops[] = {
5727         {
5728                 .hook =         selinux_ipv4_postroute,
5729                 .owner =        THIS_MODULE,
5730                 .pf =           PF_INET,
5731                 .hooknum =      NF_INET_POST_ROUTING,
5732                 .priority =     NF_IP_PRI_SELINUX_LAST,
5733         },
5734         {
5735                 .hook =         selinux_ipv4_forward,
5736                 .owner =        THIS_MODULE,
5737                 .pf =           PF_INET,
5738                 .hooknum =      NF_INET_FORWARD,
5739                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5740         },
5741         {
5742                 .hook =         selinux_ipv4_output,
5743                 .owner =        THIS_MODULE,
5744                 .pf =           PF_INET,
5745                 .hooknum =      NF_INET_LOCAL_OUT,
5746                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5747         }
5748 };
5749
5750 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5751
5752 static struct nf_hook_ops selinux_ipv6_ops[] = {
5753         {
5754                 .hook =         selinux_ipv6_postroute,
5755                 .owner =        THIS_MODULE,
5756                 .pf =           PF_INET6,
5757                 .hooknum =      NF_INET_POST_ROUTING,
5758                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5759         },
5760         {
5761                 .hook =         selinux_ipv6_forward,
5762                 .owner =        THIS_MODULE,
5763                 .pf =           PF_INET6,
5764                 .hooknum =      NF_INET_FORWARD,
5765                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5766         }
5767 };
5768
5769 #endif  /* IPV6 */
5770
5771 static int __init selinux_nf_ip_init(void)
5772 {
5773         int err = 0;
5774
5775         if (!selinux_enabled)
5776                 goto out;
5777
5778         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5779
5780         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5781         if (err)
5782                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5783
5784 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5785         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5786         if (err)
5787                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5788 #endif  /* IPV6 */
5789
5790 out:
5791         return err;
5792 }
5793
5794 __initcall(selinux_nf_ip_init);
5795
5796 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5797 static void selinux_nf_ip_exit(void)
5798 {
5799         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5800
5801         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5802 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5803         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5804 #endif  /* IPV6 */
5805 }
5806 #endif
5807
5808 #else /* CONFIG_NETFILTER */
5809
5810 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5811 #define selinux_nf_ip_exit()
5812 #endif
5813
5814 #endif /* CONFIG_NETFILTER */
5815
5816 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5817 static int selinux_disabled;
5818
5819 int selinux_disable(void)
5820 {
5821         extern void exit_sel_fs(void);
5822
5823         if (ss_initialized) {
5824                 /* Not permitted after initial policy load. */
5825                 return -EINVAL;
5826         }
5827
5828         if (selinux_disabled) {
5829                 /* Only do this once. */
5830                 return -EINVAL;
5831         }
5832
5833         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5834
5835         selinux_disabled = 1;
5836         selinux_enabled = 0;
5837
5838         /* Reset security_ops to the secondary module, dummy or capability. */
5839         security_ops = secondary_ops;
5840
5841         /* Try to destroy the avc node cache */
5842         avc_disable();
5843
5844         /* Unregister netfilter hooks. */
5845         selinux_nf_ip_exit();
5846
5847         /* Unregister selinuxfs. */
5848         exit_sel_fs();
5849
5850         return 0;
5851 }
5852 #endif