Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>             /* for local_port_range[] */
54 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
55 #include <net/net_namespace.h>
56 #include <net/netlabel.h>
57 #include <linux/uaccess.h>
58 #include <asm/ioctls.h>
59 #include <linux/atomic.h>
60 #include <linux/bitops.h>
61 #include <linux/interrupt.h>
62 #include <linux/netdevice.h>    /* for network interface checks */
63 #include <linux/netlink.h>
64 #include <linux/tcp.h>
65 #include <linux/udp.h>
66 #include <linux/dccp.h>
67 #include <linux/quota.h>
68 #include <linux/un.h>           /* for Unix socket types */
69 #include <net/af_unix.h>        /* for Unix socket types */
70 #include <linux/parser.h>
71 #include <linux/nfs_mount.h>
72 #include <net/ipv6.h>
73 #include <linux/hugetlb.h>
74 #include <linux/personality.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
79 #include <linux/posix-timers.h>
80 #include <linux/syslog.h>
81 #include <linux/user_namespace.h>
82 #include <linux/export.h>
83 #include <linux/msg.h>
84 #include <linux/shm.h>
85
86 #include "avc.h"
87 #include "objsec.h"
88 #include "netif.h"
89 #include "netnode.h"
90 #include "netport.h"
91 #include "xfrm.h"
92 #include "netlabel.h"
93 #include "audit.h"
94 #include "avc_ss.h"
95
96 #define NUM_SEL_MNT_OPTS 5
97
98 extern struct security_operations *security_ops;
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108         unsigned long enforcing;
109         if (!strict_strtoul(str, 0, &enforcing))
110                 selinux_enforcing = enforcing ? 1 : 0;
111         return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121         unsigned long enabled;
122         if (!strict_strtoul(str, 0, &enabled))
123                 selinux_enabled = enabled ? 1 : 0;
124         return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132
133 /**
134  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135  *
136  * Description:
137  * This function checks the SECMARK reference counter to see if any SECMARK
138  * targets are currently configured, if the reference counter is greater than
139  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
140  * enabled, false (0) if SECMARK is disabled.
141  *
142  */
143 static int selinux_secmark_enabled(void)
144 {
145         return (atomic_read(&selinux_secmark_refcount) > 0);
146 }
147
148 /*
149  * initialise the security for the init task
150  */
151 static void cred_init_security(void)
152 {
153         struct cred *cred = (struct cred *) current->real_cred;
154         struct task_security_struct *tsec;
155
156         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
157         if (!tsec)
158                 panic("SELinux:  Failed to initialize initial task.\n");
159
160         tsec->osid = tsec->sid = SECINITSID_KERNEL;
161         cred->security = tsec;
162 }
163
164 /*
165  * get the security ID of a set of credentials
166  */
167 static inline u32 cred_sid(const struct cred *cred)
168 {
169         const struct task_security_struct *tsec;
170
171         tsec = cred->security;
172         return tsec->sid;
173 }
174
175 /*
176  * get the objective security ID of a task
177  */
178 static inline u32 task_sid(const struct task_struct *task)
179 {
180         u32 sid;
181
182         rcu_read_lock();
183         sid = cred_sid(__task_cred(task));
184         rcu_read_unlock();
185         return sid;
186 }
187
188 /*
189  * get the subjective security ID of the current task
190  */
191 static inline u32 current_sid(void)
192 {
193         const struct task_security_struct *tsec = current_security();
194
195         return tsec->sid;
196 }
197
198 /* Allocate and free functions for each kind of security blob. */
199
200 static int inode_alloc_security(struct inode *inode)
201 {
202         struct inode_security_struct *isec;
203         u32 sid = current_sid();
204
205         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
206         if (!isec)
207                 return -ENOMEM;
208
209         mutex_init(&isec->lock);
210         INIT_LIST_HEAD(&isec->list);
211         isec->inode = inode;
212         isec->sid = SECINITSID_UNLABELED;
213         isec->sclass = SECCLASS_FILE;
214         isec->task_sid = sid;
215         inode->i_security = isec;
216
217         return 0;
218 }
219
220 static void inode_free_security(struct inode *inode)
221 {
222         struct inode_security_struct *isec = inode->i_security;
223         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
224
225         spin_lock(&sbsec->isec_lock);
226         if (!list_empty(&isec->list))
227                 list_del_init(&isec->list);
228         spin_unlock(&sbsec->isec_lock);
229
230         inode->i_security = NULL;
231         kmem_cache_free(sel_inode_cache, isec);
232 }
233
234 static int file_alloc_security(struct file *file)
235 {
236         struct file_security_struct *fsec;
237         u32 sid = current_sid();
238
239         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
240         if (!fsec)
241                 return -ENOMEM;
242
243         fsec->sid = sid;
244         fsec->fown_sid = sid;
245         file->f_security = fsec;
246
247         return 0;
248 }
249
250 static void file_free_security(struct file *file)
251 {
252         struct file_security_struct *fsec = file->f_security;
253         file->f_security = NULL;
254         kfree(fsec);
255 }
256
257 static int superblock_alloc_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec;
260
261         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
262         if (!sbsec)
263                 return -ENOMEM;
264
265         mutex_init(&sbsec->lock);
266         INIT_LIST_HEAD(&sbsec->isec_head);
267         spin_lock_init(&sbsec->isec_lock);
268         sbsec->sb = sb;
269         sbsec->sid = SECINITSID_UNLABELED;
270         sbsec->def_sid = SECINITSID_FILE;
271         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
272         sb->s_security = sbsec;
273
274         return 0;
275 }
276
277 static void superblock_free_security(struct super_block *sb)
278 {
279         struct superblock_security_struct *sbsec = sb->s_security;
280         sb->s_security = NULL;
281         kfree(sbsec);
282 }
283
284 /* The file system's label must be initialized prior to use. */
285
286 static const char *labeling_behaviors[6] = {
287         "uses xattr",
288         "uses transition SIDs",
289         "uses task SIDs",
290         "uses genfs_contexts",
291         "not configured for labeling",
292         "uses mountpoint labeling",
293 };
294
295 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
296
297 static inline int inode_doinit(struct inode *inode)
298 {
299         return inode_doinit_with_dentry(inode, NULL);
300 }
301
302 enum {
303         Opt_error = -1,
304         Opt_context = 1,
305         Opt_fscontext = 2,
306         Opt_defcontext = 3,
307         Opt_rootcontext = 4,
308         Opt_labelsupport = 5,
309 };
310
311 static const match_table_t tokens = {
312         {Opt_context, CONTEXT_STR "%s"},
313         {Opt_fscontext, FSCONTEXT_STR "%s"},
314         {Opt_defcontext, DEFCONTEXT_STR "%s"},
315         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
316         {Opt_labelsupport, LABELSUPP_STR},
317         {Opt_error, NULL},
318 };
319
320 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
321
322 static int may_context_mount_sb_relabel(u32 sid,
323                         struct superblock_security_struct *sbsec,
324                         const struct cred *cred)
325 {
326         const struct task_security_struct *tsec = cred->security;
327         int rc;
328
329         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
330                           FILESYSTEM__RELABELFROM, NULL);
331         if (rc)
332                 return rc;
333
334         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
335                           FILESYSTEM__RELABELTO, NULL);
336         return rc;
337 }
338
339 static int may_context_mount_inode_relabel(u32 sid,
340                         struct superblock_security_struct *sbsec,
341                         const struct cred *cred)
342 {
343         const struct task_security_struct *tsec = cred->security;
344         int rc;
345         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
346                           FILESYSTEM__RELABELFROM, NULL);
347         if (rc)
348                 return rc;
349
350         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
351                           FILESYSTEM__ASSOCIATE, NULL);
352         return rc;
353 }
354
355 static int sb_finish_set_opts(struct super_block *sb)
356 {
357         struct superblock_security_struct *sbsec = sb->s_security;
358         struct dentry *root = sb->s_root;
359         struct inode *root_inode = root->d_inode;
360         int rc = 0;
361
362         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
363                 /* Make sure that the xattr handler exists and that no
364                    error other than -ENODATA is returned by getxattr on
365                    the root directory.  -ENODATA is ok, as this may be
366                    the first boot of the SELinux kernel before we have
367                    assigned xattr values to the filesystem. */
368                 if (!root_inode->i_op->getxattr) {
369                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
370                                "xattr support\n", sb->s_id, sb->s_type->name);
371                         rc = -EOPNOTSUPP;
372                         goto out;
373                 }
374                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
375                 if (rc < 0 && rc != -ENODATA) {
376                         if (rc == -EOPNOTSUPP)
377                                 printk(KERN_WARNING "SELinux: (dev %s, type "
378                                        "%s) has no security xattr handler\n",
379                                        sb->s_id, sb->s_type->name);
380                         else
381                                 printk(KERN_WARNING "SELinux: (dev %s, type "
382                                        "%s) getxattr errno %d\n", sb->s_id,
383                                        sb->s_type->name, -rc);
384                         goto out;
385                 }
386         }
387
388         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
389
390         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
391                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
392                        sb->s_id, sb->s_type->name);
393         else
394                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
395                        sb->s_id, sb->s_type->name,
396                        labeling_behaviors[sbsec->behavior-1]);
397
398         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
399             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
400             sbsec->behavior == SECURITY_FS_USE_NONE ||
401             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
402                 sbsec->flags &= ~SE_SBLABELSUPP;
403
404         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
405         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
406                 sbsec->flags |= SE_SBLABELSUPP;
407
408         /* Initialize the root inode. */
409         rc = inode_doinit_with_dentry(root_inode, root);
410
411         /* Initialize any other inodes associated with the superblock, e.g.
412            inodes created prior to initial policy load or inodes created
413            during get_sb by a pseudo filesystem that directly
414            populates itself. */
415         spin_lock(&sbsec->isec_lock);
416 next_inode:
417         if (!list_empty(&sbsec->isec_head)) {
418                 struct inode_security_struct *isec =
419                                 list_entry(sbsec->isec_head.next,
420                                            struct inode_security_struct, list);
421                 struct inode *inode = isec->inode;
422                 spin_unlock(&sbsec->isec_lock);
423                 inode = igrab(inode);
424                 if (inode) {
425                         if (!IS_PRIVATE(inode))
426                                 inode_doinit(inode);
427                         iput(inode);
428                 }
429                 spin_lock(&sbsec->isec_lock);
430                 list_del_init(&isec->list);
431                 goto next_inode;
432         }
433         spin_unlock(&sbsec->isec_lock);
434 out:
435         return rc;
436 }
437
438 /*
439  * This function should allow an FS to ask what it's mount security
440  * options were so it can use those later for submounts, displaying
441  * mount options, or whatever.
442  */
443 static int selinux_get_mnt_opts(const struct super_block *sb,
444                                 struct security_mnt_opts *opts)
445 {
446         int rc = 0, i;
447         struct superblock_security_struct *sbsec = sb->s_security;
448         char *context = NULL;
449         u32 len;
450         char tmp;
451
452         security_init_mnt_opts(opts);
453
454         if (!(sbsec->flags & SE_SBINITIALIZED))
455                 return -EINVAL;
456
457         if (!ss_initialized)
458                 return -EINVAL;
459
460         tmp = sbsec->flags & SE_MNTMASK;
461         /* count the number of mount options for this sb */
462         for (i = 0; i < 8; i++) {
463                 if (tmp & 0x01)
464                         opts->num_mnt_opts++;
465                 tmp >>= 1;
466         }
467         /* Check if the Label support flag is set */
468         if (sbsec->flags & SE_SBLABELSUPP)
469                 opts->num_mnt_opts++;
470
471         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472         if (!opts->mnt_opts) {
473                 rc = -ENOMEM;
474                 goto out_free;
475         }
476
477         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478         if (!opts->mnt_opts_flags) {
479                 rc = -ENOMEM;
480                 goto out_free;
481         }
482
483         i = 0;
484         if (sbsec->flags & FSCONTEXT_MNT) {
485                 rc = security_sid_to_context(sbsec->sid, &context, &len);
486                 if (rc)
487                         goto out_free;
488                 opts->mnt_opts[i] = context;
489                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
490         }
491         if (sbsec->flags & CONTEXT_MNT) {
492                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493                 if (rc)
494                         goto out_free;
495                 opts->mnt_opts[i] = context;
496                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
497         }
498         if (sbsec->flags & DEFCONTEXT_MNT) {
499                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500                 if (rc)
501                         goto out_free;
502                 opts->mnt_opts[i] = context;
503                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
504         }
505         if (sbsec->flags & ROOTCONTEXT_MNT) {
506                 struct inode *root = sbsec->sb->s_root->d_inode;
507                 struct inode_security_struct *isec = root->i_security;
508
509                 rc = security_sid_to_context(isec->sid, &context, &len);
510                 if (rc)
511                         goto out_free;
512                 opts->mnt_opts[i] = context;
513                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
514         }
515         if (sbsec->flags & SE_SBLABELSUPP) {
516                 opts->mnt_opts[i] = NULL;
517                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
518         }
519
520         BUG_ON(i != opts->num_mnt_opts);
521
522         return 0;
523
524 out_free:
525         security_free_mnt_opts(opts);
526         return rc;
527 }
528
529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
530                       u32 old_sid, u32 new_sid)
531 {
532         char mnt_flags = sbsec->flags & SE_MNTMASK;
533
534         /* check if the old mount command had the same options */
535         if (sbsec->flags & SE_SBINITIALIZED)
536                 if (!(sbsec->flags & flag) ||
537                     (old_sid != new_sid))
538                         return 1;
539
540         /* check if we were passed the same options twice,
541          * aka someone passed context=a,context=b
542          */
543         if (!(sbsec->flags & SE_SBINITIALIZED))
544                 if (mnt_flags & flag)
545                         return 1;
546         return 0;
547 }
548
549 /*
550  * Allow filesystems with binary mount data to explicitly set mount point
551  * labeling information.
552  */
553 static int selinux_set_mnt_opts(struct super_block *sb,
554                                 struct security_mnt_opts *opts)
555 {
556         const struct cred *cred = current_cred();
557         int rc = 0, i;
558         struct superblock_security_struct *sbsec = sb->s_security;
559         const char *name = sb->s_type->name;
560         struct inode *inode = sbsec->sb->s_root->d_inode;
561         struct inode_security_struct *root_isec = inode->i_security;
562         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
563         u32 defcontext_sid = 0;
564         char **mount_options = opts->mnt_opts;
565         int *flags = opts->mnt_opts_flags;
566         int num_opts = opts->num_mnt_opts;
567
568         mutex_lock(&sbsec->lock);
569
570         if (!ss_initialized) {
571                 if (!num_opts) {
572                         /* Defer initialization until selinux_complete_init,
573                            after the initial policy is loaded and the security
574                            server is ready to handle calls. */
575                         goto out;
576                 }
577                 rc = -EINVAL;
578                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
579                         "before the security server is initialized\n");
580                 goto out;
581         }
582
583         /*
584          * Binary mount data FS will come through this function twice.  Once
585          * from an explicit call and once from the generic calls from the vfs.
586          * Since the generic VFS calls will not contain any security mount data
587          * we need to skip the double mount verification.
588          *
589          * This does open a hole in which we will not notice if the first
590          * mount using this sb set explict options and a second mount using
591          * this sb does not set any security options.  (The first options
592          * will be used for both mounts)
593          */
594         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
595             && (num_opts == 0))
596                 goto out;
597
598         /*
599          * parse the mount options, check if they are valid sids.
600          * also check if someone is trying to mount the same sb more
601          * than once with different security options.
602          */
603         for (i = 0; i < num_opts; i++) {
604                 u32 sid;
605
606                 if (flags[i] == SE_SBLABELSUPP)
607                         continue;
608                 rc = security_context_to_sid(mount_options[i],
609                                              strlen(mount_options[i]), &sid);
610                 if (rc) {
611                         printk(KERN_WARNING "SELinux: security_context_to_sid"
612                                "(%s) failed for (dev %s, type %s) errno=%d\n",
613                                mount_options[i], sb->s_id, name, rc);
614                         goto out;
615                 }
616                 switch (flags[i]) {
617                 case FSCONTEXT_MNT:
618                         fscontext_sid = sid;
619
620                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
621                                         fscontext_sid))
622                                 goto out_double_mount;
623
624                         sbsec->flags |= FSCONTEXT_MNT;
625                         break;
626                 case CONTEXT_MNT:
627                         context_sid = sid;
628
629                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
630                                         context_sid))
631                                 goto out_double_mount;
632
633                         sbsec->flags |= CONTEXT_MNT;
634                         break;
635                 case ROOTCONTEXT_MNT:
636                         rootcontext_sid = sid;
637
638                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
639                                         rootcontext_sid))
640                                 goto out_double_mount;
641
642                         sbsec->flags |= ROOTCONTEXT_MNT;
643
644                         break;
645                 case DEFCONTEXT_MNT:
646                         defcontext_sid = sid;
647
648                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
649                                         defcontext_sid))
650                                 goto out_double_mount;
651
652                         sbsec->flags |= DEFCONTEXT_MNT;
653
654                         break;
655                 default:
656                         rc = -EINVAL;
657                         goto out;
658                 }
659         }
660
661         if (sbsec->flags & SE_SBINITIALIZED) {
662                 /* previously mounted with options, but not on this attempt? */
663                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
664                         goto out_double_mount;
665                 rc = 0;
666                 goto out;
667         }
668
669         if (strcmp(sb->s_type->name, "proc") == 0)
670                 sbsec->flags |= SE_SBPROC;
671
672         /* Determine the labeling behavior to use for this filesystem type. */
673         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
674         if (rc) {
675                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
676                        __func__, sb->s_type->name, rc);
677                 goto out;
678         }
679
680         /* sets the context of the superblock for the fs being mounted. */
681         if (fscontext_sid) {
682                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
683                 if (rc)
684                         goto out;
685
686                 sbsec->sid = fscontext_sid;
687         }
688
689         /*
690          * Switch to using mount point labeling behavior.
691          * sets the label used on all file below the mountpoint, and will set
692          * the superblock context if not already set.
693          */
694         if (context_sid) {
695                 if (!fscontext_sid) {
696                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
697                                                           cred);
698                         if (rc)
699                                 goto out;
700                         sbsec->sid = context_sid;
701                 } else {
702                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
703                                                              cred);
704                         if (rc)
705                                 goto out;
706                 }
707                 if (!rootcontext_sid)
708                         rootcontext_sid = context_sid;
709
710                 sbsec->mntpoint_sid = context_sid;
711                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
712         }
713
714         if (rootcontext_sid) {
715                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
716                                                      cred);
717                 if (rc)
718                         goto out;
719
720                 root_isec->sid = rootcontext_sid;
721                 root_isec->initialized = 1;
722         }
723
724         if (defcontext_sid) {
725                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
726                         rc = -EINVAL;
727                         printk(KERN_WARNING "SELinux: defcontext option is "
728                                "invalid for this filesystem type\n");
729                         goto out;
730                 }
731
732                 if (defcontext_sid != sbsec->def_sid) {
733                         rc = may_context_mount_inode_relabel(defcontext_sid,
734                                                              sbsec, cred);
735                         if (rc)
736                                 goto out;
737                 }
738
739                 sbsec->def_sid = defcontext_sid;
740         }
741
742         rc = sb_finish_set_opts(sb);
743 out:
744         mutex_unlock(&sbsec->lock);
745         return rc;
746 out_double_mount:
747         rc = -EINVAL;
748         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
749                "security settings for (dev %s, type %s)\n", sb->s_id, name);
750         goto out;
751 }
752
753 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754                                         struct super_block *newsb)
755 {
756         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757         struct superblock_security_struct *newsbsec = newsb->s_security;
758
759         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
760         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
761         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
762
763         /*
764          * if the parent was able to be mounted it clearly had no special lsm
765          * mount options.  thus we can safely deal with this superblock later
766          */
767         if (!ss_initialized)
768                 return;
769
770         /* how can we clone if the old one wasn't set up?? */
771         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
772
773         /* if fs is reusing a sb, just let its options stand... */
774         if (newsbsec->flags & SE_SBINITIALIZED)
775                 return;
776
777         mutex_lock(&newsbsec->lock);
778
779         newsbsec->flags = oldsbsec->flags;
780
781         newsbsec->sid = oldsbsec->sid;
782         newsbsec->def_sid = oldsbsec->def_sid;
783         newsbsec->behavior = oldsbsec->behavior;
784
785         if (set_context) {
786                 u32 sid = oldsbsec->mntpoint_sid;
787
788                 if (!set_fscontext)
789                         newsbsec->sid = sid;
790                 if (!set_rootcontext) {
791                         struct inode *newinode = newsb->s_root->d_inode;
792                         struct inode_security_struct *newisec = newinode->i_security;
793                         newisec->sid = sid;
794                 }
795                 newsbsec->mntpoint_sid = sid;
796         }
797         if (set_rootcontext) {
798                 const struct inode *oldinode = oldsb->s_root->d_inode;
799                 const struct inode_security_struct *oldisec = oldinode->i_security;
800                 struct inode *newinode = newsb->s_root->d_inode;
801                 struct inode_security_struct *newisec = newinode->i_security;
802
803                 newisec->sid = oldisec->sid;
804         }
805
806         sb_finish_set_opts(newsb);
807         mutex_unlock(&newsbsec->lock);
808 }
809
810 static int selinux_parse_opts_str(char *options,
811                                   struct security_mnt_opts *opts)
812 {
813         char *p;
814         char *context = NULL, *defcontext = NULL;
815         char *fscontext = NULL, *rootcontext = NULL;
816         int rc, num_mnt_opts = 0;
817
818         opts->num_mnt_opts = 0;
819
820         /* Standard string-based options. */
821         while ((p = strsep(&options, "|")) != NULL) {
822                 int token;
823                 substring_t args[MAX_OPT_ARGS];
824
825                 if (!*p)
826                         continue;
827
828                 token = match_token(p, tokens, args);
829
830                 switch (token) {
831                 case Opt_context:
832                         if (context || defcontext) {
833                                 rc = -EINVAL;
834                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
835                                 goto out_err;
836                         }
837                         context = match_strdup(&args[0]);
838                         if (!context) {
839                                 rc = -ENOMEM;
840                                 goto out_err;
841                         }
842                         break;
843
844                 case Opt_fscontext:
845                         if (fscontext) {
846                                 rc = -EINVAL;
847                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
848                                 goto out_err;
849                         }
850                         fscontext = match_strdup(&args[0]);
851                         if (!fscontext) {
852                                 rc = -ENOMEM;
853                                 goto out_err;
854                         }
855                         break;
856
857                 case Opt_rootcontext:
858                         if (rootcontext) {
859                                 rc = -EINVAL;
860                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
861                                 goto out_err;
862                         }
863                         rootcontext = match_strdup(&args[0]);
864                         if (!rootcontext) {
865                                 rc = -ENOMEM;
866                                 goto out_err;
867                         }
868                         break;
869
870                 case Opt_defcontext:
871                         if (context || defcontext) {
872                                 rc = -EINVAL;
873                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874                                 goto out_err;
875                         }
876                         defcontext = match_strdup(&args[0]);
877                         if (!defcontext) {
878                                 rc = -ENOMEM;
879                                 goto out_err;
880                         }
881                         break;
882                 case Opt_labelsupport:
883                         break;
884                 default:
885                         rc = -EINVAL;
886                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
887                         goto out_err;
888
889                 }
890         }
891
892         rc = -ENOMEM;
893         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
894         if (!opts->mnt_opts)
895                 goto out_err;
896
897         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
898         if (!opts->mnt_opts_flags) {
899                 kfree(opts->mnt_opts);
900                 goto out_err;
901         }
902
903         if (fscontext) {
904                 opts->mnt_opts[num_mnt_opts] = fscontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
906         }
907         if (context) {
908                 opts->mnt_opts[num_mnt_opts] = context;
909                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
910         }
911         if (rootcontext) {
912                 opts->mnt_opts[num_mnt_opts] = rootcontext;
913                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
914         }
915         if (defcontext) {
916                 opts->mnt_opts[num_mnt_opts] = defcontext;
917                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
918         }
919
920         opts->num_mnt_opts = num_mnt_opts;
921         return 0;
922
923 out_err:
924         kfree(context);
925         kfree(defcontext);
926         kfree(fscontext);
927         kfree(rootcontext);
928         return rc;
929 }
930 /*
931  * string mount options parsing and call set the sbsec
932  */
933 static int superblock_doinit(struct super_block *sb, void *data)
934 {
935         int rc = 0;
936         char *options = data;
937         struct security_mnt_opts opts;
938
939         security_init_mnt_opts(&opts);
940
941         if (!data)
942                 goto out;
943
944         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
945
946         rc = selinux_parse_opts_str(options, &opts);
947         if (rc)
948                 goto out_err;
949
950 out:
951         rc = selinux_set_mnt_opts(sb, &opts);
952
953 out_err:
954         security_free_mnt_opts(&opts);
955         return rc;
956 }
957
958 static void selinux_write_opts(struct seq_file *m,
959                                struct security_mnt_opts *opts)
960 {
961         int i;
962         char *prefix;
963
964         for (i = 0; i < opts->num_mnt_opts; i++) {
965                 char *has_comma;
966
967                 if (opts->mnt_opts[i])
968                         has_comma = strchr(opts->mnt_opts[i], ',');
969                 else
970                         has_comma = NULL;
971
972                 switch (opts->mnt_opts_flags[i]) {
973                 case CONTEXT_MNT:
974                         prefix = CONTEXT_STR;
975                         break;
976                 case FSCONTEXT_MNT:
977                         prefix = FSCONTEXT_STR;
978                         break;
979                 case ROOTCONTEXT_MNT:
980                         prefix = ROOTCONTEXT_STR;
981                         break;
982                 case DEFCONTEXT_MNT:
983                         prefix = DEFCONTEXT_STR;
984                         break;
985                 case SE_SBLABELSUPP:
986                         seq_putc(m, ',');
987                         seq_puts(m, LABELSUPP_STR);
988                         continue;
989                 default:
990                         BUG();
991                         return;
992                 };
993                 /* we need a comma before each option */
994                 seq_putc(m, ',');
995                 seq_puts(m, prefix);
996                 if (has_comma)
997                         seq_putc(m, '\"');
998                 seq_puts(m, opts->mnt_opts[i]);
999                 if (has_comma)
1000                         seq_putc(m, '\"');
1001         }
1002 }
1003
1004 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1005 {
1006         struct security_mnt_opts opts;
1007         int rc;
1008
1009         rc = selinux_get_mnt_opts(sb, &opts);
1010         if (rc) {
1011                 /* before policy load we may get EINVAL, don't show anything */
1012                 if (rc == -EINVAL)
1013                         rc = 0;
1014                 return rc;
1015         }
1016
1017         selinux_write_opts(m, &opts);
1018
1019         security_free_mnt_opts(&opts);
1020
1021         return rc;
1022 }
1023
1024 static inline u16 inode_mode_to_security_class(umode_t mode)
1025 {
1026         switch (mode & S_IFMT) {
1027         case S_IFSOCK:
1028                 return SECCLASS_SOCK_FILE;
1029         case S_IFLNK:
1030                 return SECCLASS_LNK_FILE;
1031         case S_IFREG:
1032                 return SECCLASS_FILE;
1033         case S_IFBLK:
1034                 return SECCLASS_BLK_FILE;
1035         case S_IFDIR:
1036                 return SECCLASS_DIR;
1037         case S_IFCHR:
1038                 return SECCLASS_CHR_FILE;
1039         case S_IFIFO:
1040                 return SECCLASS_FIFO_FILE;
1041
1042         }
1043
1044         return SECCLASS_FILE;
1045 }
1046
1047 static inline int default_protocol_stream(int protocol)
1048 {
1049         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050 }
1051
1052 static inline int default_protocol_dgram(int protocol)
1053 {
1054         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055 }
1056
1057 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1058 {
1059         switch (family) {
1060         case PF_UNIX:
1061                 switch (type) {
1062                 case SOCK_STREAM:
1063                 case SOCK_SEQPACKET:
1064                         return SECCLASS_UNIX_STREAM_SOCKET;
1065                 case SOCK_DGRAM:
1066                         return SECCLASS_UNIX_DGRAM_SOCKET;
1067                 }
1068                 break;
1069         case PF_INET:
1070         case PF_INET6:
1071                 switch (type) {
1072                 case SOCK_STREAM:
1073                         if (default_protocol_stream(protocol))
1074                                 return SECCLASS_TCP_SOCKET;
1075                         else
1076                                 return SECCLASS_RAWIP_SOCKET;
1077                 case SOCK_DGRAM:
1078                         if (default_protocol_dgram(protocol))
1079                                 return SECCLASS_UDP_SOCKET;
1080                         else
1081                                 return SECCLASS_RAWIP_SOCKET;
1082                 case SOCK_DCCP:
1083                         return SECCLASS_DCCP_SOCKET;
1084                 default:
1085                         return SECCLASS_RAWIP_SOCKET;
1086                 }
1087                 break;
1088         case PF_NETLINK:
1089                 switch (protocol) {
1090                 case NETLINK_ROUTE:
1091                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1092                 case NETLINK_FIREWALL:
1093                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1094                 case NETLINK_SOCK_DIAG:
1095                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1096                 case NETLINK_NFLOG:
1097                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1098                 case NETLINK_XFRM:
1099                         return SECCLASS_NETLINK_XFRM_SOCKET;
1100                 case NETLINK_SELINUX:
1101                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1102                 case NETLINK_AUDIT:
1103                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1104                 case NETLINK_IP6_FW:
1105                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1106                 case NETLINK_DNRTMSG:
1107                         return SECCLASS_NETLINK_DNRT_SOCKET;
1108                 case NETLINK_KOBJECT_UEVENT:
1109                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1110                 default:
1111                         return SECCLASS_NETLINK_SOCKET;
1112                 }
1113         case PF_PACKET:
1114                 return SECCLASS_PACKET_SOCKET;
1115         case PF_KEY:
1116                 return SECCLASS_KEY_SOCKET;
1117         case PF_APPLETALK:
1118                 return SECCLASS_APPLETALK_SOCKET;
1119         }
1120
1121         return SECCLASS_SOCKET;
1122 }
1123
1124 #ifdef CONFIG_PROC_FS
1125 static int selinux_proc_get_sid(struct dentry *dentry,
1126                                 u16 tclass,
1127                                 u32 *sid)
1128 {
1129         int rc;
1130         char *buffer, *path;
1131
1132         buffer = (char *)__get_free_page(GFP_KERNEL);
1133         if (!buffer)
1134                 return -ENOMEM;
1135
1136         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1137         if (IS_ERR(path))
1138                 rc = PTR_ERR(path);
1139         else {
1140                 /* each process gets a /proc/PID/ entry. Strip off the
1141                  * PID part to get a valid selinux labeling.
1142                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143                 while (path[1] >= '0' && path[1] <= '9') {
1144                         path[1] = '/';
1145                         path++;
1146                 }
1147                 rc = security_genfs_sid("proc", path, tclass, sid);
1148         }
1149         free_page((unsigned long)buffer);
1150         return rc;
1151 }
1152 #else
1153 static int selinux_proc_get_sid(struct dentry *dentry,
1154                                 u16 tclass,
1155                                 u32 *sid)
1156 {
1157         return -EINVAL;
1158 }
1159 #endif
1160
1161 /* The inode's security attributes must be initialized before first use. */
1162 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1163 {
1164         struct superblock_security_struct *sbsec = NULL;
1165         struct inode_security_struct *isec = inode->i_security;
1166         u32 sid;
1167         struct dentry *dentry;
1168 #define INITCONTEXTLEN 255
1169         char *context = NULL;
1170         unsigned len = 0;
1171         int rc = 0;
1172
1173         if (isec->initialized)
1174                 goto out;
1175
1176         mutex_lock(&isec->lock);
1177         if (isec->initialized)
1178                 goto out_unlock;
1179
1180         sbsec = inode->i_sb->s_security;
1181         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1182                 /* Defer initialization until selinux_complete_init,
1183                    after the initial policy is loaded and the security
1184                    server is ready to handle calls. */
1185                 spin_lock(&sbsec->isec_lock);
1186                 if (list_empty(&isec->list))
1187                         list_add(&isec->list, &sbsec->isec_head);
1188                 spin_unlock(&sbsec->isec_lock);
1189                 goto out_unlock;
1190         }
1191
1192         switch (sbsec->behavior) {
1193         case SECURITY_FS_USE_XATTR:
1194                 if (!inode->i_op->getxattr) {
1195                         isec->sid = sbsec->def_sid;
1196                         break;
1197                 }
1198
1199                 /* Need a dentry, since the xattr API requires one.
1200                    Life would be simpler if we could just pass the inode. */
1201                 if (opt_dentry) {
1202                         /* Called from d_instantiate or d_splice_alias. */
1203                         dentry = dget(opt_dentry);
1204                 } else {
1205                         /* Called from selinux_complete_init, try to find a dentry. */
1206                         dentry = d_find_alias(inode);
1207                 }
1208                 if (!dentry) {
1209                         /*
1210                          * this is can be hit on boot when a file is accessed
1211                          * before the policy is loaded.  When we load policy we
1212                          * may find inodes that have no dentry on the
1213                          * sbsec->isec_head list.  No reason to complain as these
1214                          * will get fixed up the next time we go through
1215                          * inode_doinit with a dentry, before these inodes could
1216                          * be used again by userspace.
1217                          */
1218                         goto out_unlock;
1219                 }
1220
1221                 len = INITCONTEXTLEN;
1222                 context = kmalloc(len+1, GFP_NOFS);
1223                 if (!context) {
1224                         rc = -ENOMEM;
1225                         dput(dentry);
1226                         goto out_unlock;
1227                 }
1228                 context[len] = '\0';
1229                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230                                            context, len);
1231                 if (rc == -ERANGE) {
1232                         kfree(context);
1233
1234                         /* Need a larger buffer.  Query for the right size. */
1235                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1236                                                    NULL, 0);
1237                         if (rc < 0) {
1238                                 dput(dentry);
1239                                 goto out_unlock;
1240                         }
1241                         len = rc;
1242                         context = kmalloc(len+1, GFP_NOFS);
1243                         if (!context) {
1244                                 rc = -ENOMEM;
1245                                 dput(dentry);
1246                                 goto out_unlock;
1247                         }
1248                         context[len] = '\0';
1249                         rc = inode->i_op->getxattr(dentry,
1250                                                    XATTR_NAME_SELINUX,
1251                                                    context, len);
1252                 }
1253                 dput(dentry);
1254                 if (rc < 0) {
1255                         if (rc != -ENODATA) {
1256                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1257                                        "%d for dev=%s ino=%ld\n", __func__,
1258                                        -rc, inode->i_sb->s_id, inode->i_ino);
1259                                 kfree(context);
1260                                 goto out_unlock;
1261                         }
1262                         /* Map ENODATA to the default file SID */
1263                         sid = sbsec->def_sid;
1264                         rc = 0;
1265                 } else {
1266                         rc = security_context_to_sid_default(context, rc, &sid,
1267                                                              sbsec->def_sid,
1268                                                              GFP_NOFS);
1269                         if (rc) {
1270                                 char *dev = inode->i_sb->s_id;
1271                                 unsigned long ino = inode->i_ino;
1272
1273                                 if (rc == -EINVAL) {
1274                                         if (printk_ratelimit())
1275                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1277                                                         "filesystem in question.\n", ino, dev, context);
1278                                 } else {
1279                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1280                                                "returned %d for dev=%s ino=%ld\n",
1281                                                __func__, context, -rc, dev, ino);
1282                                 }
1283                                 kfree(context);
1284                                 /* Leave with the unlabeled SID */
1285                                 rc = 0;
1286                                 break;
1287                         }
1288                 }
1289                 kfree(context);
1290                 isec->sid = sid;
1291                 break;
1292         case SECURITY_FS_USE_TASK:
1293                 isec->sid = isec->task_sid;
1294                 break;
1295         case SECURITY_FS_USE_TRANS:
1296                 /* Default to the fs SID. */
1297                 isec->sid = sbsec->sid;
1298
1299                 /* Try to obtain a transition SID. */
1300                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1301                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302                                              isec->sclass, NULL, &sid);
1303                 if (rc)
1304                         goto out_unlock;
1305                 isec->sid = sid;
1306                 break;
1307         case SECURITY_FS_USE_MNTPOINT:
1308                 isec->sid = sbsec->mntpoint_sid;
1309                 break;
1310         default:
1311                 /* Default to the fs superblock SID. */
1312                 isec->sid = sbsec->sid;
1313
1314                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1315                         if (opt_dentry) {
1316                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317                                 rc = selinux_proc_get_sid(opt_dentry,
1318                                                           isec->sclass,
1319                                                           &sid);
1320                                 if (rc)
1321                                         goto out_unlock;
1322                                 isec->sid = sid;
1323                         }
1324                 }
1325                 break;
1326         }
1327
1328         isec->initialized = 1;
1329
1330 out_unlock:
1331         mutex_unlock(&isec->lock);
1332 out:
1333         if (isec->sclass == SECCLASS_FILE)
1334                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1335         return rc;
1336 }
1337
1338 /* Convert a Linux signal to an access vector. */
1339 static inline u32 signal_to_av(int sig)
1340 {
1341         u32 perm = 0;
1342
1343         switch (sig) {
1344         case SIGCHLD:
1345                 /* Commonly granted from child to parent. */
1346                 perm = PROCESS__SIGCHLD;
1347                 break;
1348         case SIGKILL:
1349                 /* Cannot be caught or ignored */
1350                 perm = PROCESS__SIGKILL;
1351                 break;
1352         case SIGSTOP:
1353                 /* Cannot be caught or ignored */
1354                 perm = PROCESS__SIGSTOP;
1355                 break;
1356         default:
1357                 /* All other signals. */
1358                 perm = PROCESS__SIGNAL;
1359                 break;
1360         }
1361
1362         return perm;
1363 }
1364
1365 /*
1366  * Check permission between a pair of credentials
1367  * fork check, ptrace check, etc.
1368  */
1369 static int cred_has_perm(const struct cred *actor,
1370                          const struct cred *target,
1371                          u32 perms)
1372 {
1373         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1374
1375         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1376 }
1377
1378 /*
1379  * Check permission between a pair of tasks, e.g. signal checks,
1380  * fork check, ptrace check, etc.
1381  * tsk1 is the actor and tsk2 is the target
1382  * - this uses the default subjective creds of tsk1
1383  */
1384 static int task_has_perm(const struct task_struct *tsk1,
1385                          const struct task_struct *tsk2,
1386                          u32 perms)
1387 {
1388         const struct task_security_struct *__tsec1, *__tsec2;
1389         u32 sid1, sid2;
1390
1391         rcu_read_lock();
1392         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1393         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1394         rcu_read_unlock();
1395         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1396 }
1397
1398 /*
1399  * Check permission between current and another task, e.g. signal checks,
1400  * fork check, ptrace check, etc.
1401  * current is the actor and tsk2 is the target
1402  * - this uses current's subjective creds
1403  */
1404 static int current_has_perm(const struct task_struct *tsk,
1405                             u32 perms)
1406 {
1407         u32 sid, tsid;
1408
1409         sid = current_sid();
1410         tsid = task_sid(tsk);
1411         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 #if CAP_LAST_CAP > 63
1415 #error Fix SELinux to handle capabilities > 63.
1416 #endif
1417
1418 /* Check whether a task is allowed to use a capability. */
1419 static int cred_has_capability(const struct cred *cred,
1420                                int cap, int audit)
1421 {
1422         struct common_audit_data ad;
1423         struct selinux_audit_data sad = {0,};
1424         struct av_decision avd;
1425         u16 sclass;
1426         u32 sid = cred_sid(cred);
1427         u32 av = CAP_TO_MASK(cap);
1428         int rc;
1429
1430         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1431         ad.selinux_audit_data = &sad;
1432         ad.tsk = current;
1433         ad.u.cap = cap;
1434
1435         switch (CAP_TO_INDEX(cap)) {
1436         case 0:
1437                 sclass = SECCLASS_CAPABILITY;
1438                 break;
1439         case 1:
1440                 sclass = SECCLASS_CAPABILITY2;
1441                 break;
1442         default:
1443                 printk(KERN_ERR
1444                        "SELinux:  out of range capability %d\n", cap);
1445                 BUG();
1446                 return -EINVAL;
1447         }
1448
1449         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1450         if (audit == SECURITY_CAP_AUDIT) {
1451                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1452                 if (rc2)
1453                         return rc2;
1454         }
1455         return rc;
1456 }
1457
1458 /* Check whether a task is allowed to use a system operation. */
1459 static int task_has_system(struct task_struct *tsk,
1460                            u32 perms)
1461 {
1462         u32 sid = task_sid(tsk);
1463
1464         return avc_has_perm(sid, SECINITSID_KERNEL,
1465                             SECCLASS_SYSTEM, perms, NULL);
1466 }
1467
1468 /* Check whether a task has a particular permission to an inode.
1469    The 'adp' parameter is optional and allows other audit
1470    data to be passed (e.g. the dentry). */
1471 static int inode_has_perm(const struct cred *cred,
1472                           struct inode *inode,
1473                           u32 perms,
1474                           struct common_audit_data *adp,
1475                           unsigned flags)
1476 {
1477         struct inode_security_struct *isec;
1478         u32 sid;
1479
1480         validate_creds(cred);
1481
1482         if (unlikely(IS_PRIVATE(inode)))
1483                 return 0;
1484
1485         sid = cred_sid(cred);
1486         isec = inode->i_security;
1487
1488         return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1489 }
1490
1491 static int inode_has_perm_noadp(const struct cred *cred,
1492                                 struct inode *inode,
1493                                 u32 perms,
1494                                 unsigned flags)
1495 {
1496         struct common_audit_data ad;
1497         struct selinux_audit_data sad = {0,};
1498
1499         COMMON_AUDIT_DATA_INIT(&ad, INODE);
1500         ad.u.inode = inode;
1501         ad.selinux_audit_data = &sad;
1502         return inode_has_perm(cred, inode, perms, &ad, flags);
1503 }
1504
1505 /* Same as inode_has_perm, but pass explicit audit data containing
1506    the dentry to help the auditing code to more easily generate the
1507    pathname if needed. */
1508 static inline int dentry_has_perm(const struct cred *cred,
1509                                   struct dentry *dentry,
1510                                   u32 av)
1511 {
1512         struct inode *inode = dentry->d_inode;
1513         struct common_audit_data ad;
1514         struct selinux_audit_data sad = {0,};
1515
1516         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1517         ad.u.dentry = dentry;
1518         ad.selinux_audit_data = &sad;
1519         return inode_has_perm(cred, inode, av, &ad, 0);
1520 }
1521
1522 /* Same as inode_has_perm, but pass explicit audit data containing
1523    the path to help the auditing code to more easily generate the
1524    pathname if needed. */
1525 static inline int path_has_perm(const struct cred *cred,
1526                                 struct path *path,
1527                                 u32 av)
1528 {
1529         struct inode *inode = path->dentry->d_inode;
1530         struct common_audit_data ad;
1531         struct selinux_audit_data sad = {0,};
1532
1533         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1534         ad.u.path = *path;
1535         ad.selinux_audit_data = &sad;
1536         return inode_has_perm(cred, inode, av, &ad, 0);
1537 }
1538
1539 /* Check whether a task can use an open file descriptor to
1540    access an inode in a given way.  Check access to the
1541    descriptor itself, and then use dentry_has_perm to
1542    check a particular permission to the file.
1543    Access to the descriptor is implicitly granted if it
1544    has the same SID as the process.  If av is zero, then
1545    access to the file is not checked, e.g. for cases
1546    where only the descriptor is affected like seek. */
1547 static int file_has_perm(const struct cred *cred,
1548                          struct file *file,
1549                          u32 av)
1550 {
1551         struct file_security_struct *fsec = file->f_security;
1552         struct inode *inode = file->f_path.dentry->d_inode;
1553         struct common_audit_data ad;
1554         struct selinux_audit_data sad = {0,};
1555         u32 sid = cred_sid(cred);
1556         int rc;
1557
1558         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1559         ad.u.path = file->f_path;
1560         ad.selinux_audit_data = &sad;
1561
1562         if (sid != fsec->sid) {
1563                 rc = avc_has_perm(sid, fsec->sid,
1564                                   SECCLASS_FD,
1565                                   FD__USE,
1566                                   &ad);
1567                 if (rc)
1568                         goto out;
1569         }
1570
1571         /* av is zero if only checking access to the descriptor. */
1572         rc = 0;
1573         if (av)
1574                 rc = inode_has_perm(cred, inode, av, &ad, 0);
1575
1576 out:
1577         return rc;
1578 }
1579
1580 /* Check whether a task can create a file. */
1581 static int may_create(struct inode *dir,
1582                       struct dentry *dentry,
1583                       u16 tclass)
1584 {
1585         const struct task_security_struct *tsec = current_security();
1586         struct inode_security_struct *dsec;
1587         struct superblock_security_struct *sbsec;
1588         u32 sid, newsid;
1589         struct common_audit_data ad;
1590         struct selinux_audit_data sad = {0,};
1591         int rc;
1592
1593         dsec = dir->i_security;
1594         sbsec = dir->i_sb->s_security;
1595
1596         sid = tsec->sid;
1597         newsid = tsec->create_sid;
1598
1599         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1600         ad.u.dentry = dentry;
1601         ad.selinux_audit_data = &sad;
1602
1603         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1604                           DIR__ADD_NAME | DIR__SEARCH,
1605                           &ad);
1606         if (rc)
1607                 return rc;
1608
1609         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1610                 rc = security_transition_sid(sid, dsec->sid, tclass,
1611                                              &dentry->d_name, &newsid);
1612                 if (rc)
1613                         return rc;
1614         }
1615
1616         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1617         if (rc)
1618                 return rc;
1619
1620         return avc_has_perm(newsid, sbsec->sid,
1621                             SECCLASS_FILESYSTEM,
1622                             FILESYSTEM__ASSOCIATE, &ad);
1623 }
1624
1625 /* Check whether a task can create a key. */
1626 static int may_create_key(u32 ksid,
1627                           struct task_struct *ctx)
1628 {
1629         u32 sid = task_sid(ctx);
1630
1631         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1632 }
1633
1634 #define MAY_LINK        0
1635 #define MAY_UNLINK      1
1636 #define MAY_RMDIR       2
1637
1638 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1639 static int may_link(struct inode *dir,
1640                     struct dentry *dentry,
1641                     int kind)
1642
1643 {
1644         struct inode_security_struct *dsec, *isec;
1645         struct common_audit_data ad;
1646         struct selinux_audit_data sad = {0,};
1647         u32 sid = current_sid();
1648         u32 av;
1649         int rc;
1650
1651         dsec = dir->i_security;
1652         isec = dentry->d_inode->i_security;
1653
1654         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1655         ad.u.dentry = dentry;
1656         ad.selinux_audit_data = &sad;
1657
1658         av = DIR__SEARCH;
1659         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1660         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1661         if (rc)
1662                 return rc;
1663
1664         switch (kind) {
1665         case MAY_LINK:
1666                 av = FILE__LINK;
1667                 break;
1668         case MAY_UNLINK:
1669                 av = FILE__UNLINK;
1670                 break;
1671         case MAY_RMDIR:
1672                 av = DIR__RMDIR;
1673                 break;
1674         default:
1675                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1676                         __func__, kind);
1677                 return 0;
1678         }
1679
1680         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1681         return rc;
1682 }
1683
1684 static inline int may_rename(struct inode *old_dir,
1685                              struct dentry *old_dentry,
1686                              struct inode *new_dir,
1687                              struct dentry *new_dentry)
1688 {
1689         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1690         struct common_audit_data ad;
1691         struct selinux_audit_data sad = {0,};
1692         u32 sid = current_sid();
1693         u32 av;
1694         int old_is_dir, new_is_dir;
1695         int rc;
1696
1697         old_dsec = old_dir->i_security;
1698         old_isec = old_dentry->d_inode->i_security;
1699         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1700         new_dsec = new_dir->i_security;
1701
1702         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1703         ad.selinux_audit_data = &sad;
1704
1705         ad.u.dentry = old_dentry;
1706         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1707                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1708         if (rc)
1709                 return rc;
1710         rc = avc_has_perm(sid, old_isec->sid,
1711                           old_isec->sclass, FILE__RENAME, &ad);
1712         if (rc)
1713                 return rc;
1714         if (old_is_dir && new_dir != old_dir) {
1715                 rc = avc_has_perm(sid, old_isec->sid,
1716                                   old_isec->sclass, DIR__REPARENT, &ad);
1717                 if (rc)
1718                         return rc;
1719         }
1720
1721         ad.u.dentry = new_dentry;
1722         av = DIR__ADD_NAME | DIR__SEARCH;
1723         if (new_dentry->d_inode)
1724                 av |= DIR__REMOVE_NAME;
1725         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1726         if (rc)
1727                 return rc;
1728         if (new_dentry->d_inode) {
1729                 new_isec = new_dentry->d_inode->i_security;
1730                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1731                 rc = avc_has_perm(sid, new_isec->sid,
1732                                   new_isec->sclass,
1733                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1734                 if (rc)
1735                         return rc;
1736         }
1737
1738         return 0;
1739 }
1740
1741 /* Check whether a task can perform a filesystem operation. */
1742 static int superblock_has_perm(const struct cred *cred,
1743                                struct super_block *sb,
1744                                u32 perms,
1745                                struct common_audit_data *ad)
1746 {
1747         struct superblock_security_struct *sbsec;
1748         u32 sid = cred_sid(cred);
1749
1750         sbsec = sb->s_security;
1751         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1752 }
1753
1754 /* Convert a Linux mode and permission mask to an access vector. */
1755 static inline u32 file_mask_to_av(int mode, int mask)
1756 {
1757         u32 av = 0;
1758
1759         if (!S_ISDIR(mode)) {
1760                 if (mask & MAY_EXEC)
1761                         av |= FILE__EXECUTE;
1762                 if (mask & MAY_READ)
1763                         av |= FILE__READ;
1764
1765                 if (mask & MAY_APPEND)
1766                         av |= FILE__APPEND;
1767                 else if (mask & MAY_WRITE)
1768                         av |= FILE__WRITE;
1769
1770         } else {
1771                 if (mask & MAY_EXEC)
1772                         av |= DIR__SEARCH;
1773                 if (mask & MAY_WRITE)
1774                         av |= DIR__WRITE;
1775                 if (mask & MAY_READ)
1776                         av |= DIR__READ;
1777         }
1778
1779         return av;
1780 }
1781
1782 /* Convert a Linux file to an access vector. */
1783 static inline u32 file_to_av(struct file *file)
1784 {
1785         u32 av = 0;
1786
1787         if (file->f_mode & FMODE_READ)
1788                 av |= FILE__READ;
1789         if (file->f_mode & FMODE_WRITE) {
1790                 if (file->f_flags & O_APPEND)
1791                         av |= FILE__APPEND;
1792                 else
1793                         av |= FILE__WRITE;
1794         }
1795         if (!av) {
1796                 /*
1797                  * Special file opened with flags 3 for ioctl-only use.
1798                  */
1799                 av = FILE__IOCTL;
1800         }
1801
1802         return av;
1803 }
1804
1805 /*
1806  * Convert a file to an access vector and include the correct open
1807  * open permission.
1808  */
1809 static inline u32 open_file_to_av(struct file *file)
1810 {
1811         u32 av = file_to_av(file);
1812
1813         if (selinux_policycap_openperm)
1814                 av |= FILE__OPEN;
1815
1816         return av;
1817 }
1818
1819 /* Hook functions begin here. */
1820
1821 static int selinux_ptrace_access_check(struct task_struct *child,
1822                                      unsigned int mode)
1823 {
1824         int rc;
1825
1826         rc = cap_ptrace_access_check(child, mode);
1827         if (rc)
1828                 return rc;
1829
1830         if (mode & PTRACE_MODE_READ) {
1831                 u32 sid = current_sid();
1832                 u32 csid = task_sid(child);
1833                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1834         }
1835
1836         return current_has_perm(child, PROCESS__PTRACE);
1837 }
1838
1839 static int selinux_ptrace_traceme(struct task_struct *parent)
1840 {
1841         int rc;
1842
1843         rc = cap_ptrace_traceme(parent);
1844         if (rc)
1845                 return rc;
1846
1847         return task_has_perm(parent, current, PROCESS__PTRACE);
1848 }
1849
1850 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1851                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1852 {
1853         int error;
1854
1855         error = current_has_perm(target, PROCESS__GETCAP);
1856         if (error)
1857                 return error;
1858
1859         return cap_capget(target, effective, inheritable, permitted);
1860 }
1861
1862 static int selinux_capset(struct cred *new, const struct cred *old,
1863                           const kernel_cap_t *effective,
1864                           const kernel_cap_t *inheritable,
1865                           const kernel_cap_t *permitted)
1866 {
1867         int error;
1868
1869         error = cap_capset(new, old,
1870                                       effective, inheritable, permitted);
1871         if (error)
1872                 return error;
1873
1874         return cred_has_perm(old, new, PROCESS__SETCAP);
1875 }
1876
1877 /*
1878  * (This comment used to live with the selinux_task_setuid hook,
1879  * which was removed).
1880  *
1881  * Since setuid only affects the current process, and since the SELinux
1882  * controls are not based on the Linux identity attributes, SELinux does not
1883  * need to control this operation.  However, SELinux does control the use of
1884  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1885  */
1886
1887 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1888                            int cap, int audit)
1889 {
1890         int rc;
1891
1892         rc = cap_capable(cred, ns, cap, audit);
1893         if (rc)
1894                 return rc;
1895
1896         return cred_has_capability(cred, cap, audit);
1897 }
1898
1899 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1900 {
1901         const struct cred *cred = current_cred();
1902         int rc = 0;
1903
1904         if (!sb)
1905                 return 0;
1906
1907         switch (cmds) {
1908         case Q_SYNC:
1909         case Q_QUOTAON:
1910         case Q_QUOTAOFF:
1911         case Q_SETINFO:
1912         case Q_SETQUOTA:
1913                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1914                 break;
1915         case Q_GETFMT:
1916         case Q_GETINFO:
1917         case Q_GETQUOTA:
1918                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1919                 break;
1920         default:
1921                 rc = 0;  /* let the kernel handle invalid cmds */
1922                 break;
1923         }
1924         return rc;
1925 }
1926
1927 static int selinux_quota_on(struct dentry *dentry)
1928 {
1929         const struct cred *cred = current_cred();
1930
1931         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1932 }
1933
1934 static int selinux_syslog(int type)
1935 {
1936         int rc;
1937
1938         switch (type) {
1939         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1940         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1941                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1942                 break;
1943         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1944         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1945         /* Set level of messages printed to console */
1946         case SYSLOG_ACTION_CONSOLE_LEVEL:
1947                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1948                 break;
1949         case SYSLOG_ACTION_CLOSE:       /* Close log */
1950         case SYSLOG_ACTION_OPEN:        /* Open log */
1951         case SYSLOG_ACTION_READ:        /* Read from log */
1952         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1953         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1954         default:
1955                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1956                 break;
1957         }
1958         return rc;
1959 }
1960
1961 /*
1962  * Check that a process has enough memory to allocate a new virtual
1963  * mapping. 0 means there is enough memory for the allocation to
1964  * succeed and -ENOMEM implies there is not.
1965  *
1966  * Do not audit the selinux permission check, as this is applied to all
1967  * processes that allocate mappings.
1968  */
1969 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1970 {
1971         int rc, cap_sys_admin = 0;
1972
1973         rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1974                              SECURITY_CAP_NOAUDIT);
1975         if (rc == 0)
1976                 cap_sys_admin = 1;
1977
1978         return __vm_enough_memory(mm, pages, cap_sys_admin);
1979 }
1980
1981 /* binprm security operations */
1982
1983 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1984 {
1985         const struct task_security_struct *old_tsec;
1986         struct task_security_struct *new_tsec;
1987         struct inode_security_struct *isec;
1988         struct common_audit_data ad;
1989         struct selinux_audit_data sad = {0,};
1990         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1991         int rc;
1992
1993         rc = cap_bprm_set_creds(bprm);
1994         if (rc)
1995                 return rc;
1996
1997         /* SELinux context only depends on initial program or script and not
1998          * the script interpreter */
1999         if (bprm->cred_prepared)
2000                 return 0;
2001
2002         old_tsec = current_security();
2003         new_tsec = bprm->cred->security;
2004         isec = inode->i_security;
2005
2006         /* Default to the current task SID. */
2007         new_tsec->sid = old_tsec->sid;
2008         new_tsec->osid = old_tsec->sid;
2009
2010         /* Reset fs, key, and sock SIDs on execve. */
2011         new_tsec->create_sid = 0;
2012         new_tsec->keycreate_sid = 0;
2013         new_tsec->sockcreate_sid = 0;
2014
2015         if (old_tsec->exec_sid) {
2016                 new_tsec->sid = old_tsec->exec_sid;
2017                 /* Reset exec SID on execve. */
2018                 new_tsec->exec_sid = 0;
2019
2020                 /*
2021                  * Minimize confusion: if no_new_privs and a transition is
2022                  * explicitly requested, then fail the exec.
2023                  */
2024                 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2025                         return -EPERM;
2026         } else {
2027                 /* Check for a default transition on this program. */
2028                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2029                                              SECCLASS_PROCESS, NULL,
2030                                              &new_tsec->sid);
2031                 if (rc)
2032                         return rc;
2033         }
2034
2035         COMMON_AUDIT_DATA_INIT(&ad, PATH);
2036         ad.selinux_audit_data = &sad;
2037         ad.u.path = bprm->file->f_path;
2038
2039         if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2040             (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2041                 new_tsec->sid = old_tsec->sid;
2042
2043         if (new_tsec->sid == old_tsec->sid) {
2044                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2045                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2046                 if (rc)
2047                         return rc;
2048         } else {
2049                 /* Check permissions for the transition. */
2050                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2051                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2052                 if (rc)
2053                         return rc;
2054
2055                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2056                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2057                 if (rc)
2058                         return rc;
2059
2060                 /* Check for shared state */
2061                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2062                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2063                                           SECCLASS_PROCESS, PROCESS__SHARE,
2064                                           NULL);
2065                         if (rc)
2066                                 return -EPERM;
2067                 }
2068
2069                 /* Make sure that anyone attempting to ptrace over a task that
2070                  * changes its SID has the appropriate permit */
2071                 if (bprm->unsafe &
2072                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2073                         struct task_struct *tracer;
2074                         struct task_security_struct *sec;
2075                         u32 ptsid = 0;
2076
2077                         rcu_read_lock();
2078                         tracer = ptrace_parent(current);
2079                         if (likely(tracer != NULL)) {
2080                                 sec = __task_cred(tracer)->security;
2081                                 ptsid = sec->sid;
2082                         }
2083                         rcu_read_unlock();
2084
2085                         if (ptsid != 0) {
2086                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2087                                                   SECCLASS_PROCESS,
2088                                                   PROCESS__PTRACE, NULL);
2089                                 if (rc)
2090                                         return -EPERM;
2091                         }
2092                 }
2093
2094                 /* Clear any possibly unsafe personality bits on exec: */
2095                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2096         }
2097
2098         return 0;
2099 }
2100
2101 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2102 {
2103         const struct task_security_struct *tsec = current_security();
2104         u32 sid, osid;
2105         int atsecure = 0;
2106
2107         sid = tsec->sid;
2108         osid = tsec->osid;
2109
2110         if (osid != sid) {
2111                 /* Enable secure mode for SIDs transitions unless
2112                    the noatsecure permission is granted between
2113                    the two SIDs, i.e. ahp returns 0. */
2114                 atsecure = avc_has_perm(osid, sid,
2115                                         SECCLASS_PROCESS,
2116                                         PROCESS__NOATSECURE, NULL);
2117         }
2118
2119         return (atsecure || cap_bprm_secureexec(bprm));
2120 }
2121
2122 /* Derived from fs/exec.c:flush_old_files. */
2123 static inline void flush_unauthorized_files(const struct cred *cred,
2124                                             struct files_struct *files)
2125 {
2126         struct common_audit_data ad;
2127         struct selinux_audit_data sad = {0,};
2128         struct file *file, *devnull = NULL;
2129         struct tty_struct *tty;
2130         struct fdtable *fdt;
2131         long j = -1;
2132         int drop_tty = 0;
2133
2134         tty = get_current_tty();
2135         if (tty) {
2136                 spin_lock(&tty_files_lock);
2137                 if (!list_empty(&tty->tty_files)) {
2138                         struct tty_file_private *file_priv;
2139                         struct inode *inode;
2140
2141                         /* Revalidate access to controlling tty.
2142                            Use inode_has_perm on the tty inode directly rather
2143                            than using file_has_perm, as this particular open
2144                            file may belong to another process and we are only
2145                            interested in the inode-based check here. */
2146                         file_priv = list_first_entry(&tty->tty_files,
2147                                                 struct tty_file_private, list);
2148                         file = file_priv->file;
2149                         inode = file->f_path.dentry->d_inode;
2150                         if (inode_has_perm_noadp(cred, inode,
2151                                            FILE__READ | FILE__WRITE, 0)) {
2152                                 drop_tty = 1;
2153                         }
2154                 }
2155                 spin_unlock(&tty_files_lock);
2156                 tty_kref_put(tty);
2157         }
2158         /* Reset controlling tty. */
2159         if (drop_tty)
2160                 no_tty();
2161
2162         /* Revalidate access to inherited open files. */
2163
2164         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2165         ad.selinux_audit_data = &sad;
2166
2167         spin_lock(&files->file_lock);
2168         for (;;) {
2169                 unsigned long set, i;
2170                 int fd;
2171
2172                 j++;
2173                 i = j * __NFDBITS;
2174                 fdt = files_fdtable(files);
2175                 if (i >= fdt->max_fds)
2176                         break;
2177                 set = fdt->open_fds[j];
2178                 if (!set)
2179                         continue;
2180                 spin_unlock(&files->file_lock);
2181                 for ( ; set ; i++, set >>= 1) {
2182                         if (set & 1) {
2183                                 file = fget(i);
2184                                 if (!file)
2185                                         continue;
2186                                 if (file_has_perm(cred,
2187                                                   file,
2188                                                   file_to_av(file))) {
2189                                         sys_close(i);
2190                                         fd = get_unused_fd();
2191                                         if (fd != i) {
2192                                                 if (fd >= 0)
2193                                                         put_unused_fd(fd);
2194                                                 fput(file);
2195                                                 continue;
2196                                         }
2197                                         if (devnull) {
2198                                                 get_file(devnull);
2199                                         } else {
2200                                                 devnull = dentry_open(
2201                                                         dget(selinux_null),
2202                                                         mntget(selinuxfs_mount),
2203                                                         O_RDWR, cred);
2204                                                 if (IS_ERR(devnull)) {
2205                                                         devnull = NULL;
2206                                                         put_unused_fd(fd);
2207                                                         fput(file);
2208                                                         continue;
2209                                                 }
2210                                         }
2211                                         fd_install(fd, devnull);
2212                                 }
2213                                 fput(file);
2214                         }
2215                 }
2216                 spin_lock(&files->file_lock);
2217
2218         }
2219         spin_unlock(&files->file_lock);
2220 }
2221
2222 /*
2223  * Prepare a process for imminent new credential changes due to exec
2224  */
2225 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2226 {
2227         struct task_security_struct *new_tsec;
2228         struct rlimit *rlim, *initrlim;
2229         int rc, i;
2230
2231         new_tsec = bprm->cred->security;
2232         if (new_tsec->sid == new_tsec->osid)
2233                 return;
2234
2235         /* Close files for which the new task SID is not authorized. */
2236         flush_unauthorized_files(bprm->cred, current->files);
2237
2238         /* Always clear parent death signal on SID transitions. */
2239         current->pdeath_signal = 0;
2240
2241         /* Check whether the new SID can inherit resource limits from the old
2242          * SID.  If not, reset all soft limits to the lower of the current
2243          * task's hard limit and the init task's soft limit.
2244          *
2245          * Note that the setting of hard limits (even to lower them) can be
2246          * controlled by the setrlimit check.  The inclusion of the init task's
2247          * soft limit into the computation is to avoid resetting soft limits
2248          * higher than the default soft limit for cases where the default is
2249          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2250          */
2251         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2252                           PROCESS__RLIMITINH, NULL);
2253         if (rc) {
2254                 /* protect against do_prlimit() */
2255                 task_lock(current);
2256                 for (i = 0; i < RLIM_NLIMITS; i++) {
2257                         rlim = current->signal->rlim + i;
2258                         initrlim = init_task.signal->rlim + i;
2259                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2260                 }
2261                 task_unlock(current);
2262                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2263         }
2264 }
2265
2266 /*
2267  * Clean up the process immediately after the installation of new credentials
2268  * due to exec
2269  */
2270 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2271 {
2272         const struct task_security_struct *tsec = current_security();
2273         struct itimerval itimer;
2274         u32 osid, sid;
2275         int rc, i;
2276
2277         osid = tsec->osid;
2278         sid = tsec->sid;
2279
2280         if (sid == osid)
2281                 return;
2282
2283         /* Check whether the new SID can inherit signal state from the old SID.
2284          * If not, clear itimers to avoid subsequent signal generation and
2285          * flush and unblock signals.
2286          *
2287          * This must occur _after_ the task SID has been updated so that any
2288          * kill done after the flush will be checked against the new SID.
2289          */
2290         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2291         if (rc) {
2292                 memset(&itimer, 0, sizeof itimer);
2293                 for (i = 0; i < 3; i++)
2294                         do_setitimer(i, &itimer, NULL);
2295                 spin_lock_irq(&current->sighand->siglock);
2296                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2297                         __flush_signals(current);
2298                         flush_signal_handlers(current, 1);
2299                         sigemptyset(&current->blocked);
2300                 }
2301                 spin_unlock_irq(&current->sighand->siglock);
2302         }
2303
2304         /* Wake up the parent if it is waiting so that it can recheck
2305          * wait permission to the new task SID. */
2306         read_lock(&tasklist_lock);
2307         __wake_up_parent(current, current->real_parent);
2308         read_unlock(&tasklist_lock);
2309 }
2310
2311 /* superblock security operations */
2312
2313 static int selinux_sb_alloc_security(struct super_block *sb)
2314 {
2315         return superblock_alloc_security(sb);
2316 }
2317
2318 static void selinux_sb_free_security(struct super_block *sb)
2319 {
2320         superblock_free_security(sb);
2321 }
2322
2323 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2324 {
2325         if (plen > olen)
2326                 return 0;
2327
2328         return !memcmp(prefix, option, plen);
2329 }
2330
2331 static inline int selinux_option(char *option, int len)
2332 {
2333         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2334                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2335                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2336                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2337                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2338 }
2339
2340 static inline void take_option(char **to, char *from, int *first, int len)
2341 {
2342         if (!*first) {
2343                 **to = ',';
2344                 *to += 1;
2345         } else
2346                 *first = 0;
2347         memcpy(*to, from, len);
2348         *to += len;
2349 }
2350
2351 static inline void take_selinux_option(char **to, char *from, int *first,
2352                                        int len)
2353 {
2354         int current_size = 0;
2355
2356         if (!*first) {
2357                 **to = '|';
2358                 *to += 1;
2359         } else
2360                 *first = 0;
2361
2362         while (current_size < len) {
2363                 if (*from != '"') {
2364                         **to = *from;
2365                         *to += 1;
2366                 }
2367                 from += 1;
2368                 current_size += 1;
2369         }
2370 }
2371
2372 static int selinux_sb_copy_data(char *orig, char *copy)
2373 {
2374         int fnosec, fsec, rc = 0;
2375         char *in_save, *in_curr, *in_end;
2376         char *sec_curr, *nosec_save, *nosec;
2377         int open_quote = 0;
2378
2379         in_curr = orig;
2380         sec_curr = copy;
2381
2382         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2383         if (!nosec) {
2384                 rc = -ENOMEM;
2385                 goto out;
2386         }
2387
2388         nosec_save = nosec;
2389         fnosec = fsec = 1;
2390         in_save = in_end = orig;
2391
2392         do {
2393                 if (*in_end == '"')
2394                         open_quote = !open_quote;
2395                 if ((*in_end == ',' && open_quote == 0) ||
2396                                 *in_end == '\0') {
2397                         int len = in_end - in_curr;
2398
2399                         if (selinux_option(in_curr, len))
2400                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2401                         else
2402                                 take_option(&nosec, in_curr, &fnosec, len);
2403
2404                         in_curr = in_end + 1;
2405                 }
2406         } while (*in_end++);
2407
2408         strcpy(in_save, nosec_save);
2409         free_page((unsigned long)nosec_save);
2410 out:
2411         return rc;
2412 }
2413
2414 static int selinux_sb_remount(struct super_block *sb, void *data)
2415 {
2416         int rc, i, *flags;
2417         struct security_mnt_opts opts;
2418         char *secdata, **mount_options;
2419         struct superblock_security_struct *sbsec = sb->s_security;
2420
2421         if (!(sbsec->flags & SE_SBINITIALIZED))
2422                 return 0;
2423
2424         if (!data)
2425                 return 0;
2426
2427         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2428                 return 0;
2429
2430         security_init_mnt_opts(&opts);
2431         secdata = alloc_secdata();
2432         if (!secdata)
2433                 return -ENOMEM;
2434         rc = selinux_sb_copy_data(data, secdata);
2435         if (rc)
2436                 goto out_free_secdata;
2437
2438         rc = selinux_parse_opts_str(secdata, &opts);
2439         if (rc)
2440                 goto out_free_secdata;
2441
2442         mount_options = opts.mnt_opts;
2443         flags = opts.mnt_opts_flags;
2444
2445         for (i = 0; i < opts.num_mnt_opts; i++) {
2446                 u32 sid;
2447                 size_t len;
2448
2449                 if (flags[i] == SE_SBLABELSUPP)
2450                         continue;
2451                 len = strlen(mount_options[i]);
2452                 rc = security_context_to_sid(mount_options[i], len, &sid);
2453                 if (rc) {
2454                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2455                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2456                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2457                         goto out_free_opts;
2458                 }
2459                 rc = -EINVAL;
2460                 switch (flags[i]) {
2461                 case FSCONTEXT_MNT:
2462                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2463                                 goto out_bad_option;
2464                         break;
2465                 case CONTEXT_MNT:
2466                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2467                                 goto out_bad_option;
2468                         break;
2469                 case ROOTCONTEXT_MNT: {
2470                         struct inode_security_struct *root_isec;
2471                         root_isec = sb->s_root->d_inode->i_security;
2472
2473                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2474                                 goto out_bad_option;
2475                         break;
2476                 }
2477                 case DEFCONTEXT_MNT:
2478                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2479                                 goto out_bad_option;
2480                         break;
2481                 default:
2482                         goto out_free_opts;
2483                 }
2484         }
2485
2486         rc = 0;
2487 out_free_opts:
2488         security_free_mnt_opts(&opts);
2489 out_free_secdata:
2490         free_secdata(secdata);
2491         return rc;
2492 out_bad_option:
2493         printk(KERN_WARNING "SELinux: unable to change security options "
2494                "during remount (dev %s, type=%s)\n", sb->s_id,
2495                sb->s_type->name);
2496         goto out_free_opts;
2497 }
2498
2499 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2500 {
2501         const struct cred *cred = current_cred();
2502         struct common_audit_data ad;
2503         struct selinux_audit_data sad = {0,};
2504         int rc;
2505
2506         rc = superblock_doinit(sb, data);
2507         if (rc)
2508                 return rc;
2509
2510         /* Allow all mounts performed by the kernel */
2511         if (flags & MS_KERNMOUNT)
2512                 return 0;
2513
2514         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2515         ad.selinux_audit_data = &sad;
2516         ad.u.dentry = sb->s_root;
2517         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2518 }
2519
2520 static int selinux_sb_statfs(struct dentry *dentry)
2521 {
2522         const struct cred *cred = current_cred();
2523         struct common_audit_data ad;
2524         struct selinux_audit_data sad = {0,};
2525
2526         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2527         ad.selinux_audit_data = &sad;
2528         ad.u.dentry = dentry->d_sb->s_root;
2529         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2530 }
2531
2532 static int selinux_mount(char *dev_name,
2533                          struct path *path,
2534                          char *type,
2535                          unsigned long flags,
2536                          void *data)
2537 {
2538         const struct cred *cred = current_cred();
2539
2540         if (flags & MS_REMOUNT)
2541                 return superblock_has_perm(cred, path->dentry->d_sb,
2542                                            FILESYSTEM__REMOUNT, NULL);
2543         else
2544                 return path_has_perm(cred, path, FILE__MOUNTON);
2545 }
2546
2547 static int selinux_umount(struct vfsmount *mnt, int flags)
2548 {
2549         const struct cred *cred = current_cred();
2550
2551         return superblock_has_perm(cred, mnt->mnt_sb,
2552                                    FILESYSTEM__UNMOUNT, NULL);
2553 }
2554
2555 /* inode security operations */
2556
2557 static int selinux_inode_alloc_security(struct inode *inode)
2558 {
2559         return inode_alloc_security(inode);
2560 }
2561
2562 static void selinux_inode_free_security(struct inode *inode)
2563 {
2564         inode_free_security(inode);
2565 }
2566
2567 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2568                                        const struct qstr *qstr, char **name,
2569                                        void **value, size_t *len)
2570 {
2571         const struct task_security_struct *tsec = current_security();
2572         struct inode_security_struct *dsec;
2573         struct superblock_security_struct *sbsec;
2574         u32 sid, newsid, clen;
2575         int rc;
2576         char *namep = NULL, *context;
2577
2578         dsec = dir->i_security;
2579         sbsec = dir->i_sb->s_security;
2580
2581         sid = tsec->sid;
2582         newsid = tsec->create_sid;
2583
2584         if ((sbsec->flags & SE_SBINITIALIZED) &&
2585             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2586                 newsid = sbsec->mntpoint_sid;
2587         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2588                 rc = security_transition_sid(sid, dsec->sid,
2589                                              inode_mode_to_security_class(inode->i_mode),
2590                                              qstr, &newsid);
2591                 if (rc) {
2592                         printk(KERN_WARNING "%s:  "
2593                                "security_transition_sid failed, rc=%d (dev=%s "
2594                                "ino=%ld)\n",
2595                                __func__,
2596                                -rc, inode->i_sb->s_id, inode->i_ino);
2597                         return rc;
2598                 }
2599         }
2600
2601         /* Possibly defer initialization to selinux_complete_init. */
2602         if (sbsec->flags & SE_SBINITIALIZED) {
2603                 struct inode_security_struct *isec = inode->i_security;
2604                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2605                 isec->sid = newsid;
2606                 isec->initialized = 1;
2607         }
2608
2609         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2610                 return -EOPNOTSUPP;
2611
2612         if (name) {
2613                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2614                 if (!namep)
2615                         return -ENOMEM;
2616                 *name = namep;
2617         }
2618
2619         if (value && len) {
2620                 rc = security_sid_to_context_force(newsid, &context, &clen);
2621                 if (rc) {
2622                         kfree(namep);
2623                         return rc;
2624                 }
2625                 *value = context;
2626                 *len = clen;
2627         }
2628
2629         return 0;
2630 }
2631
2632 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2633 {
2634         return may_create(dir, dentry, SECCLASS_FILE);
2635 }
2636
2637 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2638 {
2639         return may_link(dir, old_dentry, MAY_LINK);
2640 }
2641
2642 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2643 {
2644         return may_link(dir, dentry, MAY_UNLINK);
2645 }
2646
2647 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2648 {
2649         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2650 }
2651
2652 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2653 {
2654         return may_create(dir, dentry, SECCLASS_DIR);
2655 }
2656
2657 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2658 {
2659         return may_link(dir, dentry, MAY_RMDIR);
2660 }
2661
2662 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2663 {
2664         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2665 }
2666
2667 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2668                                 struct inode *new_inode, struct dentry *new_dentry)
2669 {
2670         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2671 }
2672
2673 static int selinux_inode_readlink(struct dentry *dentry)
2674 {
2675         const struct cred *cred = current_cred();
2676
2677         return dentry_has_perm(cred, dentry, FILE__READ);
2678 }
2679
2680 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2681 {
2682         const struct cred *cred = current_cred();
2683
2684         return dentry_has_perm(cred, dentry, FILE__READ);
2685 }
2686
2687 static int selinux_inode_permission(struct inode *inode, int mask)
2688 {
2689         const struct cred *cred = current_cred();
2690         struct common_audit_data ad;
2691         struct selinux_audit_data sad = {0,};
2692         u32 perms;
2693         bool from_access;
2694         unsigned flags = mask & MAY_NOT_BLOCK;
2695
2696         from_access = mask & MAY_ACCESS;
2697         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2698
2699         /* No permission to check.  Existence test. */
2700         if (!mask)
2701                 return 0;
2702
2703         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2704         ad.selinux_audit_data = &sad;
2705         ad.u.inode = inode;
2706
2707         if (from_access)
2708                 ad.selinux_audit_data->auditdeny |= FILE__AUDIT_ACCESS;
2709
2710         perms = file_mask_to_av(inode->i_mode, mask);
2711
2712         return inode_has_perm(cred, inode, perms, &ad, flags);
2713 }
2714
2715 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2716 {
2717         const struct cred *cred = current_cred();
2718         unsigned int ia_valid = iattr->ia_valid;
2719
2720         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2721         if (ia_valid & ATTR_FORCE) {
2722                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2723                               ATTR_FORCE);
2724                 if (!ia_valid)
2725                         return 0;
2726         }
2727
2728         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2729                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2730                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2731
2732         return dentry_has_perm(cred, dentry, FILE__WRITE);
2733 }
2734
2735 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2736 {
2737         const struct cred *cred = current_cred();
2738         struct path path;
2739
2740         path.dentry = dentry;
2741         path.mnt = mnt;
2742
2743         return path_has_perm(cred, &path, FILE__GETATTR);
2744 }
2745
2746 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2747 {
2748         const struct cred *cred = current_cred();
2749
2750         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2751                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2752                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2753                         if (!capable(CAP_SETFCAP))
2754                                 return -EPERM;
2755                 } else if (!capable(CAP_SYS_ADMIN)) {
2756                         /* A different attribute in the security namespace.
2757                            Restrict to administrator. */
2758                         return -EPERM;
2759                 }
2760         }
2761
2762         /* Not an attribute we recognize, so just check the
2763            ordinary setattr permission. */
2764         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2765 }
2766
2767 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2768                                   const void *value, size_t size, int flags)
2769 {
2770         struct inode *inode = dentry->d_inode;
2771         struct inode_security_struct *isec = inode->i_security;
2772         struct superblock_security_struct *sbsec;
2773         struct common_audit_data ad;
2774         struct selinux_audit_data sad = {0,};
2775         u32 newsid, sid = current_sid();
2776         int rc = 0;
2777
2778         if (strcmp(name, XATTR_NAME_SELINUX))
2779                 return selinux_inode_setotherxattr(dentry, name);
2780
2781         sbsec = inode->i_sb->s_security;
2782         if (!(sbsec->flags & SE_SBLABELSUPP))
2783                 return -EOPNOTSUPP;
2784
2785         if (!inode_owner_or_capable(inode))
2786                 return -EPERM;
2787
2788         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2789         ad.selinux_audit_data = &sad;
2790         ad.u.dentry = dentry;
2791
2792         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2793                           FILE__RELABELFROM, &ad);
2794         if (rc)
2795                 return rc;
2796
2797         rc = security_context_to_sid(value, size, &newsid);
2798         if (rc == -EINVAL) {
2799                 if (!capable(CAP_MAC_ADMIN))
2800                         return rc;
2801                 rc = security_context_to_sid_force(value, size, &newsid);
2802         }
2803         if (rc)
2804                 return rc;
2805
2806         rc = avc_has_perm(sid, newsid, isec->sclass,
2807                           FILE__RELABELTO, &ad);
2808         if (rc)
2809                 return rc;
2810
2811         rc = security_validate_transition(isec->sid, newsid, sid,
2812                                           isec->sclass);
2813         if (rc)
2814                 return rc;
2815
2816         return avc_has_perm(newsid,
2817                             sbsec->sid,
2818                             SECCLASS_FILESYSTEM,
2819                             FILESYSTEM__ASSOCIATE,
2820                             &ad);
2821 }
2822
2823 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2824                                         const void *value, size_t size,
2825                                         int flags)
2826 {
2827         struct inode *inode = dentry->d_inode;
2828         struct inode_security_struct *isec = inode->i_security;
2829         u32 newsid;
2830         int rc;
2831
2832         if (strcmp(name, XATTR_NAME_SELINUX)) {
2833                 /* Not an attribute we recognize, so nothing to do. */
2834                 return;
2835         }
2836
2837         rc = security_context_to_sid_force(value, size, &newsid);
2838         if (rc) {
2839                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2840                        "for (%s, %lu), rc=%d\n",
2841                        inode->i_sb->s_id, inode->i_ino, -rc);
2842                 return;
2843         }
2844
2845         isec->sid = newsid;
2846         return;
2847 }
2848
2849 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2850 {
2851         const struct cred *cred = current_cred();
2852
2853         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2854 }
2855
2856 static int selinux_inode_listxattr(struct dentry *dentry)
2857 {
2858         const struct cred *cred = current_cred();
2859
2860         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2861 }
2862
2863 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2864 {
2865         if (strcmp(name, XATTR_NAME_SELINUX))
2866                 return selinux_inode_setotherxattr(dentry, name);
2867
2868         /* No one is allowed to remove a SELinux security label.
2869            You can change the label, but all data must be labeled. */
2870         return -EACCES;
2871 }
2872
2873 /*
2874  * Copy the inode security context value to the user.
2875  *
2876  * Permission check is handled by selinux_inode_getxattr hook.
2877  */
2878 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2879 {
2880         u32 size;
2881         int error;
2882         char *context = NULL;
2883         struct inode_security_struct *isec = inode->i_security;
2884
2885         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2886                 return -EOPNOTSUPP;
2887
2888         /*
2889          * If the caller has CAP_MAC_ADMIN, then get the raw context
2890          * value even if it is not defined by current policy; otherwise,
2891          * use the in-core value under current policy.
2892          * Use the non-auditing forms of the permission checks since
2893          * getxattr may be called by unprivileged processes commonly
2894          * and lack of permission just means that we fall back to the
2895          * in-core context value, not a denial.
2896          */
2897         error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2898                                 SECURITY_CAP_NOAUDIT);
2899         if (!error)
2900                 error = security_sid_to_context_force(isec->sid, &context,
2901                                                       &size);
2902         else
2903                 error = security_sid_to_context(isec->sid, &context, &size);
2904         if (error)
2905                 return error;
2906         error = size;
2907         if (alloc) {
2908                 *buffer = context;
2909                 goto out_nofree;
2910         }
2911         kfree(context);
2912 out_nofree:
2913         return error;
2914 }
2915
2916 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2917                                      const void *value, size_t size, int flags)
2918 {
2919         struct inode_security_struct *isec = inode->i_security;
2920         u32 newsid;
2921         int rc;
2922
2923         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2924                 return -EOPNOTSUPP;
2925
2926         if (!value || !size)
2927                 return -EACCES;
2928
2929         rc = security_context_to_sid((void *)value, size, &newsid);
2930         if (rc)
2931                 return rc;
2932
2933         isec->sid = newsid;
2934         isec->initialized = 1;
2935         return 0;
2936 }
2937
2938 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2939 {
2940         const int len = sizeof(XATTR_NAME_SELINUX);
2941         if (buffer && len <= buffer_size)
2942                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2943         return len;
2944 }
2945
2946 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2947 {
2948         struct inode_security_struct *isec = inode->i_security;
2949         *secid = isec->sid;
2950 }
2951
2952 /* file security operations */
2953
2954 static int selinux_revalidate_file_permission(struct file *file, int mask)
2955 {
2956         const struct cred *cred = current_cred();
2957         struct inode *inode = file->f_path.dentry->d_inode;
2958
2959         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2960         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2961                 mask |= MAY_APPEND;
2962
2963         return file_has_perm(cred, file,
2964                              file_mask_to_av(inode->i_mode, mask));
2965 }
2966
2967 static int selinux_file_permission(struct file *file, int mask)
2968 {
2969         struct inode *inode = file->f_path.dentry->d_inode;
2970         struct file_security_struct *fsec = file->f_security;
2971         struct inode_security_struct *isec = inode->i_security;
2972         u32 sid = current_sid();
2973
2974         if (!mask)
2975                 /* No permission to check.  Existence test. */
2976                 return 0;
2977
2978         if (sid == fsec->sid && fsec->isid == isec->sid &&
2979             fsec->pseqno == avc_policy_seqno())
2980                 /* No change since dentry_open check. */
2981                 return 0;
2982
2983         return selinux_revalidate_file_permission(file, mask);
2984 }
2985
2986 static int selinux_file_alloc_security(struct file *file)
2987 {
2988         return file_alloc_security(file);
2989 }
2990
2991 static void selinux_file_free_security(struct file *file)
2992 {
2993         file_free_security(file);
2994 }
2995
2996 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2997                               unsigned long arg)
2998 {
2999         const struct cred *cred = current_cred();
3000         int error = 0;
3001
3002         switch (cmd) {
3003         case FIONREAD:
3004         /* fall through */
3005         case FIBMAP:
3006         /* fall through */
3007         case FIGETBSZ:
3008         /* fall through */
3009         case FS_IOC_GETFLAGS:
3010         /* fall through */
3011         case FS_IOC_GETVERSION:
3012                 error = file_has_perm(cred, file, FILE__GETATTR);
3013                 break;
3014
3015         case FS_IOC_SETFLAGS:
3016         /* fall through */
3017         case FS_IOC_SETVERSION:
3018                 error = file_has_perm(cred, file, FILE__SETATTR);
3019                 break;
3020
3021         /* sys_ioctl() checks */
3022         case FIONBIO:
3023         /* fall through */
3024         case FIOASYNC:
3025                 error = file_has_perm(cred, file, 0);
3026                 break;
3027
3028         case KDSKBENT:
3029         case KDSKBSENT:
3030                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3031                                             SECURITY_CAP_AUDIT);
3032                 break;
3033
3034         /* default case assumes that the command will go
3035          * to the file's ioctl() function.
3036          */
3037         default:
3038                 error = file_has_perm(cred, file, FILE__IOCTL);
3039         }
3040         return error;
3041 }
3042
3043 static int default_noexec;
3044
3045 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3046 {
3047         const struct cred *cred = current_cred();
3048         int rc = 0;
3049
3050         if (default_noexec &&
3051             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3052                 /*
3053                  * We are making executable an anonymous mapping or a
3054                  * private file mapping that will also be writable.
3055                  * This has an additional check.
3056                  */
3057                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3058                 if (rc)
3059                         goto error;
3060         }
3061
3062         if (file) {
3063                 /* read access is always possible with a mapping */
3064                 u32 av = FILE__READ;
3065
3066                 /* write access only matters if the mapping is shared */
3067                 if (shared && (prot & PROT_WRITE))
3068                         av |= FILE__WRITE;
3069
3070                 if (prot & PROT_EXEC)
3071                         av |= FILE__EXECUTE;
3072
3073                 return file_has_perm(cred, file, av);
3074         }
3075
3076 error:
3077         return rc;
3078 }
3079
3080 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3081                              unsigned long prot, unsigned long flags,
3082                              unsigned long addr, unsigned long addr_only)
3083 {
3084         int rc = 0;
3085         u32 sid = current_sid();
3086
3087         /*
3088          * notice that we are intentionally putting the SELinux check before
3089          * the secondary cap_file_mmap check.  This is such a likely attempt
3090          * at bad behaviour/exploit that we always want to get the AVC, even
3091          * if DAC would have also denied the operation.
3092          */
3093         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3094                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3095                                   MEMPROTECT__MMAP_ZERO, NULL);
3096                 if (rc)
3097                         return rc;
3098         }
3099
3100         /* do DAC check on address space usage */
3101         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3102         if (rc || addr_only)
3103                 return rc;
3104
3105         if (selinux_checkreqprot)
3106                 prot = reqprot;
3107
3108         return file_map_prot_check(file, prot,
3109                                    (flags & MAP_TYPE) == MAP_SHARED);
3110 }
3111
3112 static int selinux_file_mprotect(struct vm_area_struct *vma,
3113                                  unsigned long reqprot,
3114                                  unsigned long prot)
3115 {
3116         const struct cred *cred = current_cred();
3117
3118         if (selinux_checkreqprot)
3119                 prot = reqprot;
3120
3121         if (default_noexec &&
3122             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3123                 int rc = 0;
3124                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3125                     vma->vm_end <= vma->vm_mm->brk) {
3126                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3127                 } else if (!vma->vm_file &&
3128                            vma->vm_start <= vma->vm_mm->start_stack &&
3129                            vma->vm_end >= vma->vm_mm->start_stack) {
3130                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3131                 } else if (vma->vm_file && vma->anon_vma) {
3132                         /*
3133                          * We are making executable a file mapping that has
3134                          * had some COW done. Since pages might have been
3135                          * written, check ability to execute the possibly
3136                          * modified content.  This typically should only
3137                          * occur for text relocations.
3138                          */
3139                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3140                 }
3141                 if (rc)
3142                         return rc;
3143         }
3144
3145         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3146 }
3147
3148 static int selinux_file_lock(struct file *file, unsigned int cmd)
3149 {
3150         const struct cred *cred = current_cred();
3151
3152         return file_has_perm(cred, file, FILE__LOCK);
3153 }
3154
3155 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3156                               unsigned long arg)
3157 {
3158         const struct cred *cred = current_cred();
3159         int err = 0;
3160
3161         switch (cmd) {
3162         case F_SETFL:
3163                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3164                         err = -EINVAL;
3165                         break;
3166                 }
3167
3168                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3169                         err = file_has_perm(cred, file, FILE__WRITE);
3170                         break;
3171                 }
3172                 /* fall through */
3173         case F_SETOWN:
3174         case F_SETSIG:
3175         case F_GETFL:
3176         case F_GETOWN:
3177         case F_GETSIG:
3178                 /* Just check FD__USE permission */
3179                 err = file_has_perm(cred, file, 0);
3180                 break;
3181         case F_GETLK:
3182         case F_SETLK:
3183         case F_SETLKW:
3184 #if BITS_PER_LONG == 32
3185         case F_GETLK64:
3186         case F_SETLK64:
3187         case F_SETLKW64:
3188 #endif
3189                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3190                         err = -EINVAL;
3191                         break;
3192                 }
3193                 err = file_has_perm(cred, file, FILE__LOCK);
3194                 break;
3195         }
3196
3197         return err;
3198 }
3199
3200 static int selinux_file_set_fowner(struct file *file)
3201 {
3202         struct file_security_struct *fsec;
3203
3204         fsec = file->f_security;
3205         fsec->fown_sid = current_sid();
3206
3207         return 0;
3208 }
3209
3210 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3211                                        struct fown_struct *fown, int signum)
3212 {
3213         struct file *file;
3214         u32 sid = task_sid(tsk);
3215         u32 perm;
3216         struct file_security_struct *fsec;
3217
3218         /* struct fown_struct is never outside the context of a struct file */
3219         file = container_of(fown, struct file, f_owner);
3220
3221         fsec = file->f_security;
3222
3223         if (!signum)
3224                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3225         else
3226                 perm = signal_to_av(signum);
3227
3228         return avc_has_perm(fsec->fown_sid, sid,
3229                             SECCLASS_PROCESS, perm, NULL);
3230 }
3231
3232 static int selinux_file_receive(struct file *file)
3233 {
3234         const struct cred *cred = current_cred();
3235
3236         return file_has_perm(cred, file, file_to_av(file));
3237 }
3238
3239 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3240 {
3241         struct file_security_struct *fsec;
3242         struct inode *inode;
3243         struct inode_security_struct *isec;
3244
3245         inode = file->f_path.dentry->d_inode;
3246         fsec = file->f_security;
3247         isec = inode->i_security;
3248         /*
3249          * Save inode label and policy sequence number
3250          * at open-time so that selinux_file_permission
3251          * can determine whether revalidation is necessary.
3252          * Task label is already saved in the file security
3253          * struct as its SID.
3254          */
3255         fsec->isid = isec->sid;
3256         fsec->pseqno = avc_policy_seqno();
3257         /*
3258          * Since the inode label or policy seqno may have changed
3259          * between the selinux_inode_permission check and the saving
3260          * of state above, recheck that access is still permitted.
3261          * Otherwise, access might never be revalidated against the
3262          * new inode label or new policy.
3263          * This check is not redundant - do not remove.
3264          */
3265         return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3266 }
3267
3268 /* task security operations */
3269
3270 static int selinux_task_create(unsigned long clone_flags)
3271 {
3272         return current_has_perm(current, PROCESS__FORK);
3273 }
3274
3275 /*
3276  * allocate the SELinux part of blank credentials
3277  */
3278 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3279 {
3280         struct task_security_struct *tsec;
3281
3282         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3283         if (!tsec)
3284                 return -ENOMEM;
3285
3286         cred->security = tsec;
3287         return 0;
3288 }
3289
3290 /*
3291  * detach and free the LSM part of a set of credentials
3292  */
3293 static void selinux_cred_free(struct cred *cred)
3294 {
3295         struct task_security_struct *tsec = cred->security;
3296
3297         /*
3298          * cred->security == NULL if security_cred_alloc_blank() or
3299          * security_prepare_creds() returned an error.
3300          */
3301         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3302         cred->security = (void *) 0x7UL;
3303         kfree(tsec);
3304 }
3305
3306 /*
3307  * prepare a new set of credentials for modification
3308  */
3309 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3310                                 gfp_t gfp)
3311 {
3312         const struct task_security_struct *old_tsec;
3313         struct task_security_struct *tsec;
3314
3315         old_tsec = old->security;
3316
3317         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3318         if (!tsec)
3319                 return -ENOMEM;
3320
3321         new->security = tsec;
3322         return 0;
3323 }
3324
3325 /*
3326  * transfer the SELinux data to a blank set of creds
3327  */
3328 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3329 {
3330         const struct task_security_struct *old_tsec = old->security;
3331         struct task_security_struct *tsec = new->security;
3332
3333         *tsec = *old_tsec;
3334 }
3335
3336 /*
3337  * set the security data for a kernel service
3338  * - all the creation contexts are set to unlabelled
3339  */
3340 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3341 {
3342         struct task_security_struct *tsec = new->security;
3343         u32 sid = current_sid();
3344         int ret;
3345
3346         ret = avc_has_perm(sid, secid,
3347                            SECCLASS_KERNEL_SERVICE,
3348                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3349                            NULL);
3350         if (ret == 0) {
3351                 tsec->sid = secid;
3352                 tsec->create_sid = 0;
3353                 tsec->keycreate_sid = 0;
3354                 tsec->sockcreate_sid = 0;
3355         }
3356         return ret;
3357 }
3358
3359 /*
3360  * set the file creation context in a security record to the same as the
3361  * objective context of the specified inode
3362  */
3363 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3364 {
3365         struct inode_security_struct *isec = inode->i_security;
3366         struct task_security_struct *tsec = new->security;
3367         u32 sid = current_sid();
3368         int ret;
3369
3370         ret = avc_has_perm(sid, isec->sid,
3371                            SECCLASS_KERNEL_SERVICE,
3372                            KERNEL_SERVICE__CREATE_FILES_AS,
3373                            NULL);
3374
3375         if (ret == 0)
3376                 tsec->create_sid = isec->sid;
3377         return ret;
3378 }
3379
3380 static int selinux_kernel_module_request(char *kmod_name)
3381 {
3382         u32 sid;
3383         struct common_audit_data ad;
3384         struct selinux_audit_data sad = {0,};
3385
3386         sid = task_sid(current);
3387
3388         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3389         ad.selinux_audit_data = &sad;
3390         ad.u.kmod_name = kmod_name;
3391
3392         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3393                             SYSTEM__MODULE_REQUEST, &ad);
3394 }
3395
3396 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3397 {
3398         return current_has_perm(p, PROCESS__SETPGID);
3399 }
3400
3401 static int selinux_task_getpgid(struct task_struct *p)
3402 {
3403         return current_has_perm(p, PROCESS__GETPGID);
3404 }
3405
3406 static int selinux_task_getsid(struct task_struct *p)
3407 {
3408         return current_has_perm(p, PROCESS__GETSESSION);
3409 }
3410
3411 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3412 {
3413         *secid = task_sid(p);
3414 }
3415
3416 static int selinux_task_setnice(struct task_struct *p, int nice)
3417 {
3418         int rc;
3419
3420         rc = cap_task_setnice(p, nice);
3421         if (rc)
3422                 return rc;
3423
3424         return current_has_perm(p, PROCESS__SETSCHED);
3425 }
3426
3427 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3428 {
3429         int rc;
3430
3431         rc = cap_task_setioprio(p, ioprio);
3432         if (rc)
3433                 return rc;
3434
3435         return current_has_perm(p, PROCESS__SETSCHED);
3436 }
3437
3438 static int selinux_task_getioprio(struct task_struct *p)
3439 {
3440         return current_has_perm(p, PROCESS__GETSCHED);
3441 }
3442
3443 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3444                 struct rlimit *new_rlim)
3445 {
3446         struct rlimit *old_rlim = p->signal->rlim + resource;
3447
3448         /* Control the ability to change the hard limit (whether
3449            lowering or raising it), so that the hard limit can
3450            later be used as a safe reset point for the soft limit
3451            upon context transitions.  See selinux_bprm_committing_creds. */
3452         if (old_rlim->rlim_max != new_rlim->rlim_max)
3453                 return current_has_perm(p, PROCESS__SETRLIMIT);
3454
3455         return 0;
3456 }
3457
3458 static int selinux_task_setscheduler(struct task_struct *p)
3459 {
3460         int rc;
3461
3462         rc = cap_task_setscheduler(p);
3463         if (rc)
3464                 return rc;
3465
3466         return current_has_perm(p, PROCESS__SETSCHED);
3467 }
3468
3469 static int selinux_task_getscheduler(struct task_struct *p)
3470 {
3471         return current_has_perm(p, PROCESS__GETSCHED);
3472 }
3473
3474 static int selinux_task_movememory(struct task_struct *p)
3475 {
3476         return current_has_perm(p, PROCESS__SETSCHED);
3477 }
3478
3479 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3480                                 int sig, u32 secid)
3481 {
3482         u32 perm;
3483         int rc;
3484
3485         if (!sig)
3486                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3487         else
3488                 perm = signal_to_av(sig);
3489         if (secid)
3490                 rc = avc_has_perm(secid, task_sid(p),
3491                                   SECCLASS_PROCESS, perm, NULL);
3492         else
3493                 rc = current_has_perm(p, perm);
3494         return rc;
3495 }
3496
3497 static int selinux_task_wait(struct task_struct *p)
3498 {
3499         return task_has_perm(p, current, PROCESS__SIGCHLD);
3500 }
3501
3502 static void selinux_task_to_inode(struct task_struct *p,
3503                                   struct inode *inode)
3504 {
3505         struct inode_security_struct *isec = inode->i_security;
3506         u32 sid = task_sid(p);
3507
3508         isec->sid = sid;
3509         isec->initialized = 1;
3510 }
3511
3512 /* Returns error only if unable to parse addresses */
3513 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3514                         struct common_audit_data *ad, u8 *proto)
3515 {
3516         int offset, ihlen, ret = -EINVAL;
3517         struct iphdr _iph, *ih;
3518
3519         offset = skb_network_offset(skb);
3520         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3521         if (ih == NULL)
3522                 goto out;
3523
3524         ihlen = ih->ihl * 4;
3525         if (ihlen < sizeof(_iph))
3526                 goto out;
3527
3528         ad->u.net->v4info.saddr = ih->saddr;
3529         ad->u.net->v4info.daddr = ih->daddr;
3530         ret = 0;
3531
3532         if (proto)
3533                 *proto = ih->protocol;
3534
3535         switch (ih->protocol) {
3536         case IPPROTO_TCP: {
3537                 struct tcphdr _tcph, *th;
3538
3539                 if (ntohs(ih->frag_off) & IP_OFFSET)
3540                         break;
3541
3542                 offset += ihlen;
3543                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3544                 if (th == NULL)
3545                         break;
3546
3547                 ad->u.net->sport = th->source;
3548                 ad->u.net->dport = th->dest;
3549                 break;
3550         }
3551
3552         case IPPROTO_UDP: {
3553                 struct udphdr _udph, *uh;
3554
3555                 if (ntohs(ih->frag_off) & IP_OFFSET)
3556                         break;
3557
3558                 offset += ihlen;
3559                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3560                 if (uh == NULL)
3561                         break;
3562
3563                 ad->u.net->sport = uh->source;
3564                 ad->u.net->dport = uh->dest;
3565                 break;
3566         }
3567
3568         case IPPROTO_DCCP: {
3569                 struct dccp_hdr _dccph, *dh;
3570
3571                 if (ntohs(ih->frag_off) & IP_OFFSET)
3572                         break;
3573
3574                 offset += ihlen;
3575                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3576                 if (dh == NULL)
3577                         break;
3578
3579                 ad->u.net->sport = dh->dccph_sport;
3580                 ad->u.net->dport = dh->dccph_dport;
3581                 break;
3582         }
3583
3584         default:
3585                 break;
3586         }
3587 out:
3588         return ret;
3589 }
3590
3591 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3592
3593 /* Returns error only if unable to parse addresses */
3594 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3595                         struct common_audit_data *ad, u8 *proto)
3596 {
3597         u8 nexthdr;
3598         int ret = -EINVAL, offset;
3599         struct ipv6hdr _ipv6h, *ip6;
3600         __be16 frag_off;
3601
3602         offset = skb_network_offset(skb);
3603         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3604         if (ip6 == NULL)
3605                 goto out;
3606
3607         ad->u.net->v6info.saddr = ip6->saddr;
3608         ad->u.net->v6info.daddr = ip6->daddr;
3609         ret = 0;
3610
3611         nexthdr = ip6->nexthdr;
3612         offset += sizeof(_ipv6h);
3613         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3614         if (offset < 0)
3615                 goto out;
3616
3617         if (proto)
3618                 *proto = nexthdr;
3619
3620         switch (nexthdr) {
3621         case IPPROTO_TCP: {
3622                 struct tcphdr _tcph, *th;
3623
3624                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3625                 if (th == NULL)
3626                         break;
3627
3628                 ad->u.net->sport = th->source;
3629                 ad->u.net->dport = th->dest;
3630                 break;
3631         }
3632
3633         case IPPROTO_UDP: {
3634                 struct udphdr _udph, *uh;
3635
3636                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3637                 if (uh == NULL)
3638                         break;
3639
3640                 ad->u.net->sport = uh->source;
3641                 ad->u.net->dport = uh->dest;
3642                 break;
3643         }
3644
3645         case IPPROTO_DCCP: {
3646                 struct dccp_hdr _dccph, *dh;
3647
3648                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3649                 if (dh == NULL)
3650                         break;
3651
3652                 ad->u.net->sport = dh->dccph_sport;
3653                 ad->u.net->dport = dh->dccph_dport;
3654                 break;
3655         }
3656
3657         /* includes fragments */
3658         default:
3659                 break;
3660         }
3661 out:
3662         return ret;
3663 }
3664
3665 #endif /* IPV6 */
3666
3667 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3668                              char **_addrp, int src, u8 *proto)
3669 {
3670         char *addrp;
3671         int ret;
3672
3673         switch (ad->u.net->family) {
3674         case PF_INET:
3675                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3676                 if (ret)
3677                         goto parse_error;
3678                 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3679                                        &ad->u.net->v4info.daddr);
3680                 goto okay;
3681
3682 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3683         case PF_INET6:
3684                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3685                 if (ret)
3686                         goto parse_error;
3687                 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3688                                        &ad->u.net->v6info.daddr);
3689                 goto okay;
3690 #endif  /* IPV6 */
3691         default:
3692                 addrp = NULL;
3693                 goto okay;
3694         }
3695
3696 parse_error:
3697         printk(KERN_WARNING
3698                "SELinux: failure in selinux_parse_skb(),"
3699                " unable to parse packet\n");
3700         return ret;
3701
3702 okay:
3703         if (_addrp)
3704                 *_addrp = addrp;
3705         return 0;
3706 }
3707
3708 /**
3709  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3710  * @skb: the packet
3711  * @family: protocol family
3712  * @sid: the packet's peer label SID
3713  *
3714  * Description:
3715  * Check the various different forms of network peer labeling and determine
3716  * the peer label/SID for the packet; most of the magic actually occurs in
3717  * the security server function security_net_peersid_cmp().  The function
3718  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3719  * or -EACCES if @sid is invalid due to inconsistencies with the different
3720  * peer labels.
3721  *
3722  */
3723 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3724 {
3725         int err;
3726         u32 xfrm_sid;
3727         u32 nlbl_sid;
3728         u32 nlbl_type;
3729
3730         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3731         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3732
3733         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3734         if (unlikely(err)) {
3735                 printk(KERN_WARNING
3736                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3737                        " unable to determine packet's peer label\n");
3738                 return -EACCES;
3739         }
3740
3741         return 0;
3742 }
3743
3744 /* socket security operations */
3745
3746 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3747                                  u16 secclass, u32 *socksid)
3748 {
3749         if (tsec->sockcreate_sid > SECSID_NULL) {
3750                 *socksid = tsec->sockcreate_sid;
3751                 return 0;
3752         }
3753
3754         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3755                                        socksid);
3756 }
3757
3758 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3759 {
3760         struct sk_security_struct *sksec = sk->sk_security;
3761         struct common_audit_data ad;
3762         struct selinux_audit_data sad = {0,};
3763         struct lsm_network_audit net = {0,};
3764         u32 tsid = task_sid(task);
3765
3766         if (sksec->sid == SECINITSID_KERNEL)
3767                 return 0;
3768
3769         COMMON_AUDIT_DATA_INIT(&ad, NET);
3770         ad.selinux_audit_data = &sad;
3771         ad.u.net = &net;
3772         ad.u.net->sk = sk;
3773
3774         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3775 }
3776
3777 static int selinux_socket_create(int family, int type,
3778                                  int protocol, int kern)
3779 {
3780         const struct task_security_struct *tsec = current_security();
3781         u32 newsid;
3782         u16 secclass;
3783         int rc;
3784
3785         if (kern)
3786                 return 0;
3787
3788         secclass = socket_type_to_security_class(family, type, protocol);
3789         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3790         if (rc)
3791                 return rc;
3792
3793         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3794 }
3795
3796 static int selinux_socket_post_create(struct socket *sock, int family,
3797                                       int type, int protocol, int kern)
3798 {
3799         const struct task_security_struct *tsec = current_security();
3800         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3801         struct sk_security_struct *sksec;
3802         int err = 0;
3803
3804         isec->sclass = socket_type_to_security_class(family, type, protocol);
3805
3806         if (kern)
3807                 isec->sid = SECINITSID_KERNEL;
3808         else {
3809                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3810                 if (err)
3811                         return err;
3812         }
3813
3814         isec->initialized = 1;
3815
3816         if (sock->sk) {
3817                 sksec = sock->sk->sk_security;
3818                 sksec->sid = isec->sid;
3819                 sksec->sclass = isec->sclass;
3820                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3821         }
3822
3823         return err;
3824 }
3825
3826 /* Range of port numbers used to automatically bind.
3827    Need to determine whether we should perform a name_bind
3828    permission check between the socket and the port number. */
3829
3830 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3831 {
3832         struct sock *sk = sock->sk;
3833         u16 family;
3834         int err;
3835
3836         err = sock_has_perm(current, sk, SOCKET__BIND);
3837         if (err)
3838                 goto out;
3839
3840         /*
3841          * If PF_INET or PF_INET6, check name_bind permission for the port.
3842          * Multiple address binding for SCTP is not supported yet: we just
3843          * check the first address now.
3844          */
3845         family = sk->sk_family;
3846         if (family == PF_INET || family == PF_INET6) {
3847                 char *addrp;
3848                 struct sk_security_struct *sksec = sk->sk_security;
3849                 struct common_audit_data ad;
3850                 struct selinux_audit_data sad = {0,};
3851                 struct lsm_network_audit net = {0,};
3852                 struct sockaddr_in *addr4 = NULL;
3853                 struct sockaddr_in6 *addr6 = NULL;
3854                 unsigned short snum;
3855                 u32 sid, node_perm;
3856
3857                 if (family == PF_INET) {
3858                         addr4 = (struct sockaddr_in *)address;
3859                         snum = ntohs(addr4->sin_port);
3860                         addrp = (char *)&addr4->sin_addr.s_addr;
3861                 } else {
3862                         addr6 = (struct sockaddr_in6 *)address;
3863                         snum = ntohs(addr6->sin6_port);
3864                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3865                 }
3866
3867                 if (snum) {
3868                         int low, high;
3869
3870                         inet_get_local_port_range(&low, &high);
3871
3872                         if (snum < max(PROT_SOCK, low) || snum > high) {
3873                                 err = sel_netport_sid(sk->sk_protocol,
3874                                                       snum, &sid);
3875                                 if (err)
3876                                         goto out;
3877                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3878                                 ad.selinux_audit_data = &sad;
3879                                 ad.u.net = &net;
3880                                 ad.u.net->sport = htons(snum);
3881                                 ad.u.net->family = family;
3882                                 err = avc_has_perm(sksec->sid, sid,
3883                                                    sksec->sclass,
3884                                                    SOCKET__NAME_BIND, &ad);
3885                                 if (err)
3886                                         goto out;
3887                         }
3888                 }
3889
3890                 switch (sksec->sclass) {
3891                 case SECCLASS_TCP_SOCKET:
3892                         node_perm = TCP_SOCKET__NODE_BIND;
3893                         break;
3894
3895                 case SECCLASS_UDP_SOCKET:
3896                         node_perm = UDP_SOCKET__NODE_BIND;
3897                         break;
3898
3899                 case SECCLASS_DCCP_SOCKET:
3900                         node_perm = DCCP_SOCKET__NODE_BIND;
3901                         break;
3902
3903                 default:
3904                         node_perm = RAWIP_SOCKET__NODE_BIND;
3905                         break;
3906                 }
3907
3908                 err = sel_netnode_sid(addrp, family, &sid);
3909                 if (err)
3910                         goto out;
3911
3912                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3913                 ad.selinux_audit_data = &sad;
3914                 ad.u.net = &net;
3915                 ad.u.net->sport = htons(snum);
3916                 ad.u.net->family = family;
3917
3918                 if (family == PF_INET)
3919                         ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3920                 else
3921                         ad.u.net->v6info.saddr = addr6->sin6_addr;
3922
3923                 err = avc_has_perm(sksec->sid, sid,
3924                                    sksec->sclass, node_perm, &ad);
3925                 if (err)
3926                         goto out;
3927         }
3928 out:
3929         return err;
3930 }
3931
3932 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3933 {
3934         struct sock *sk = sock->sk;
3935         struct sk_security_struct *sksec = sk->sk_security;
3936         int err;
3937
3938         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3939         if (err)
3940                 return err;
3941
3942         /*
3943          * If a TCP or DCCP socket, check name_connect permission for the port.
3944          */
3945         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3946             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3947                 struct common_audit_data ad;
3948                 struct selinux_audit_data sad = {0,};
3949                 struct lsm_network_audit net = {0,};
3950                 struct sockaddr_in *addr4 = NULL;
3951                 struct sockaddr_in6 *addr6 = NULL;
3952                 unsigned short snum;
3953                 u32 sid, perm;
3954
3955                 if (sk->sk_family == PF_INET) {
3956                         addr4 = (struct sockaddr_in *)address;
3957                         if (addrlen < sizeof(struct sockaddr_in))
3958                                 return -EINVAL;
3959                         snum = ntohs(addr4->sin_port);
3960                 } else {
3961                         addr6 = (struct sockaddr_in6 *)address;
3962                         if (addrlen < SIN6_LEN_RFC2133)
3963                                 return -EINVAL;
3964                         snum = ntohs(addr6->sin6_port);
3965                 }
3966
3967                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3968                 if (err)
3969                         goto out;
3970
3971                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3972                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3973
3974                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3975                 ad.selinux_audit_data = &sad;
3976                 ad.u.net = &net;
3977                 ad.u.net->dport = htons(snum);
3978                 ad.u.net->family = sk->sk_family;
3979                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3980                 if (err)
3981                         goto out;
3982         }
3983
3984         err = selinux_netlbl_socket_connect(sk, address);
3985
3986 out:
3987         return err;
3988 }
3989
3990 static int selinux_socket_listen(struct socket *sock, int backlog)
3991 {
3992         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3993 }
3994
3995 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3996 {
3997         int err;
3998         struct inode_security_struct *isec;
3999         struct inode_security_struct *newisec;
4000
4001         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4002         if (err)
4003                 return err;
4004
4005         newisec = SOCK_INODE(newsock)->i_security;
4006
4007         isec = SOCK_INODE(sock)->i_security;
4008         newisec->sclass = isec->sclass;
4009         newisec->sid = isec->sid;
4010         newisec->initialized = 1;
4011
4012         return 0;
4013 }
4014
4015 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4016                                   int size)
4017 {
4018         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4019 }
4020
4021 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4022                                   int size, int flags)
4023 {
4024         return sock_has_perm(current, sock->sk, SOCKET__READ);
4025 }
4026
4027 static int selinux_socket_getsockname(struct socket *sock)
4028 {
4029         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4030 }
4031
4032 static int selinux_socket_getpeername(struct socket *sock)
4033 {
4034         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4035 }
4036
4037 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4038 {
4039         int err;
4040
4041         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4042         if (err)
4043                 return err;
4044
4045         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4046 }
4047
4048 static int selinux_socket_getsockopt(struct socket *sock, int level,
4049                                      int optname)
4050 {
4051         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4052 }
4053
4054 static int selinux_socket_shutdown(struct socket *sock, int how)
4055 {
4056         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4057 }
4058
4059 static int selinux_socket_unix_stream_connect(struct sock *sock,
4060                                               struct sock *other,
4061                                               struct sock *newsk)
4062 {
4063         struct sk_security_struct *sksec_sock = sock->sk_security;
4064         struct sk_security_struct *sksec_other = other->sk_security;
4065         struct sk_security_struct *sksec_new = newsk->sk_security;
4066         struct common_audit_data ad;
4067         struct selinux_audit_data sad = {0,};
4068         struct lsm_network_audit net = {0,};
4069         int err;
4070
4071         COMMON_AUDIT_DATA_INIT(&ad, NET);
4072         ad.selinux_audit_data = &sad;
4073         ad.u.net = &net;
4074         ad.u.net->sk = other;
4075
4076         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4077                            sksec_other->sclass,
4078                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4079         if (err)
4080                 return err;
4081
4082         /* server child socket */
4083         sksec_new->peer_sid = sksec_sock->sid;
4084         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4085                                     &sksec_new->sid);
4086         if (err)
4087                 return err;
4088
4089         /* connecting socket */
4090         sksec_sock->peer_sid = sksec_new->sid;
4091
4092         return 0;
4093 }
4094
4095 static int selinux_socket_unix_may_send(struct socket *sock,
4096                                         struct socket *other)
4097 {
4098         struct sk_security_struct *ssec = sock->sk->sk_security;
4099         struct sk_security_struct *osec = other->sk->sk_security;
4100         struct common_audit_data ad;
4101         struct selinux_audit_data sad = {0,};
4102         struct lsm_network_audit net = {0,};
4103
4104         COMMON_AUDIT_DATA_INIT(&ad, NET);
4105         ad.selinux_audit_data = &sad;
4106         ad.u.net = &net;
4107         ad.u.net->sk = other->sk;
4108
4109         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4110                             &ad);
4111 }
4112
4113 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4114                                     u32 peer_sid,
4115                                     struct common_audit_data *ad)
4116 {
4117         int err;
4118         u32 if_sid;
4119         u32 node_sid;
4120
4121         err = sel_netif_sid(ifindex, &if_sid);
4122         if (err)
4123                 return err;
4124         err = avc_has_perm(peer_sid, if_sid,
4125                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4126         if (err)
4127                 return err;
4128
4129         err = sel_netnode_sid(addrp, family, &node_sid);
4130         if (err)
4131                 return err;
4132         return avc_has_perm(peer_sid, node_sid,
4133                             SECCLASS_NODE, NODE__RECVFROM, ad);
4134 }
4135
4136 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4137                                        u16 family)
4138 {
4139         int err = 0;
4140         struct sk_security_struct *sksec = sk->sk_security;
4141         u32 sk_sid = sksec->sid;
4142         struct common_audit_data ad;
4143         struct selinux_audit_data sad = {0,};
4144         struct lsm_network_audit net = {0,};
4145         char *addrp;
4146
4147         COMMON_AUDIT_DATA_INIT(&ad, NET);
4148         ad.selinux_audit_data = &sad;
4149         ad.u.net = &net;
4150         ad.u.net->netif = skb->skb_iif;
4151         ad.u.net->family = family;
4152         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4153         if (err)
4154                 return err;
4155
4156         if (selinux_secmark_enabled()) {
4157                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4158                                    PACKET__RECV, &ad);
4159                 if (err)
4160                         return err;
4161         }
4162
4163         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4164         if (err)
4165                 return err;
4166         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4167
4168         return err;
4169 }
4170
4171 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4172 {
4173         int err;
4174         struct sk_security_struct *sksec = sk->sk_security;
4175         u16 family = sk->sk_family;
4176         u32 sk_sid = sksec->sid;
4177         struct common_audit_data ad;
4178         struct selinux_audit_data sad = {0,};
4179         struct lsm_network_audit net = {0,};
4180         char *addrp;
4181         u8 secmark_active;
4182         u8 peerlbl_active;
4183
4184         if (family != PF_INET && family != PF_INET6)
4185                 return 0;
4186
4187         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4188         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4189                 family = PF_INET;
4190
4191         /* If any sort of compatibility mode is enabled then handoff processing
4192          * to the selinux_sock_rcv_skb_compat() function to deal with the
4193          * special handling.  We do this in an attempt to keep this function
4194          * as fast and as clean as possible. */
4195         if (!selinux_policycap_netpeer)
4196                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4197
4198         secmark_active = selinux_secmark_enabled();
4199         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4200         if (!secmark_active && !peerlbl_active)
4201                 return 0;
4202
4203         COMMON_AUDIT_DATA_INIT(&ad, NET);
4204         ad.selinux_audit_data = &sad;
4205         ad.u.net = &net;
4206         ad.u.net->netif = skb->skb_iif;
4207         ad.u.net->family = family;
4208         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4209         if (err)
4210                 return err;
4211
4212         if (peerlbl_active) {
4213                 u32 peer_sid;
4214
4215                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4216                 if (err)
4217                         return err;
4218                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4219                                                peer_sid, &ad);
4220                 if (err) {
4221                         selinux_netlbl_err(skb, err, 0);
4222                         return err;
4223                 }
4224                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4225                                    PEER__RECV, &ad);
4226                 if (err)
4227                         selinux_netlbl_err(skb, err, 0);
4228         }
4229
4230         if (secmark_active) {
4231                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4232                                    PACKET__RECV, &ad);
4233                 if (err)
4234                         return err;
4235         }
4236
4237         return err;
4238 }
4239
4240 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4241                                             int __user *optlen, unsigned len)
4242 {
4243         int err = 0;
4244         char *scontext;
4245         u32 scontext_len;
4246         struct sk_security_struct *sksec = sock->sk->sk_security;
4247         u32 peer_sid = SECSID_NULL;
4248
4249         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4250             sksec->sclass == SECCLASS_TCP_SOCKET)
4251                 peer_sid = sksec->peer_sid;
4252         if (peer_sid == SECSID_NULL)
4253                 return -ENOPROTOOPT;
4254
4255         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4256         if (err)
4257                 return err;
4258
4259         if (scontext_len > len) {
4260                 err = -ERANGE;
4261                 goto out_len;
4262         }
4263
4264         if (copy_to_user(optval, scontext, scontext_len))
4265                 err = -EFAULT;
4266
4267 out_len:
4268         if (put_user(scontext_len, optlen))
4269                 err = -EFAULT;
4270         kfree(scontext);
4271         return err;
4272 }
4273
4274 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4275 {
4276         u32 peer_secid = SECSID_NULL;
4277         u16 family;
4278
4279         if (skb && skb->protocol == htons(ETH_P_IP))
4280                 family = PF_INET;
4281         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4282                 family = PF_INET6;
4283         else if (sock)
4284                 family = sock->sk->sk_family;
4285         else
4286                 goto out;
4287
4288         if (sock && family == PF_UNIX)
4289                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4290         else if (skb)
4291                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4292
4293 out:
4294         *secid = peer_secid;
4295         if (peer_secid == SECSID_NULL)
4296                 return -EINVAL;
4297         return 0;
4298 }
4299
4300 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4301 {
4302         struct sk_security_struct *sksec;
4303
4304         sksec = kzalloc(sizeof(*sksec), priority);
4305         if (!sksec)
4306                 return -ENOMEM;
4307
4308         sksec->peer_sid = SECINITSID_UNLABELED;
4309         sksec->sid = SECINITSID_UNLABELED;
4310         selinux_netlbl_sk_security_reset(sksec);
4311         sk->sk_security = sksec;
4312
4313         return 0;
4314 }
4315
4316 static void selinux_sk_free_security(struct sock *sk)
4317 {
4318         struct sk_security_struct *sksec = sk->sk_security;
4319
4320         sk->sk_security = NULL;
4321         selinux_netlbl_sk_security_free(sksec);
4322         kfree(sksec);
4323 }
4324
4325 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4326 {
4327         struct sk_security_struct *sksec = sk->sk_security;
4328         struct sk_security_struct *newsksec = newsk->sk_security;
4329
4330         newsksec->sid = sksec->sid;
4331         newsksec->peer_sid = sksec->peer_sid;
4332         newsksec->sclass = sksec->sclass;
4333
4334         selinux_netlbl_sk_security_reset(newsksec);
4335 }
4336
4337 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4338 {
4339         if (!sk)
4340                 *secid = SECINITSID_ANY_SOCKET;
4341         else {
4342                 struct sk_security_struct *sksec = sk->sk_security;
4343
4344                 *secid = sksec->sid;
4345         }
4346 }
4347
4348 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4349 {
4350         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4351         struct sk_security_struct *sksec = sk->sk_security;
4352
4353         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4354             sk->sk_family == PF_UNIX)
4355                 isec->sid = sksec->sid;
4356         sksec->sclass = isec->sclass;
4357 }
4358
4359 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4360                                      struct request_sock *req)
4361 {
4362         struct sk_security_struct *sksec = sk->sk_security;
4363         int err;
4364         u16 family = sk->sk_family;
4365         u32 newsid;
4366         u32 peersid;
4367
4368         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4369         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4370                 family = PF_INET;
4371
4372         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4373         if (err)
4374                 return err;
4375         if (peersid == SECSID_NULL) {
4376                 req->secid = sksec->sid;
4377                 req->peer_secid = SECSID_NULL;
4378         } else {
4379                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4380                 if (err)
4381                         return err;
4382                 req->secid = newsid;
4383                 req->peer_secid = peersid;
4384         }
4385
4386         return selinux_netlbl_inet_conn_request(req, family);
4387 }
4388
4389 static void selinux_inet_csk_clone(struct sock *newsk,
4390                                    const struct request_sock *req)
4391 {
4392         struct sk_security_struct *newsksec = newsk->sk_security;
4393
4394         newsksec->sid = req->secid;
4395         newsksec->peer_sid = req->peer_secid;
4396         /* NOTE: Ideally, we should also get the isec->sid for the
4397            new socket in sync, but we don't have the isec available yet.
4398            So we will wait until sock_graft to do it, by which
4399            time it will have been created and available. */
4400
4401         /* We don't need to take any sort of lock here as we are the only
4402          * thread with access to newsksec */
4403         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4404 }
4405
4406 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4407 {
4408         u16 family = sk->sk_family;
4409         struct sk_security_struct *sksec = sk->sk_security;
4410
4411         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4412         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4413                 family = PF_INET;
4414
4415         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4416 }
4417
4418 static int selinux_secmark_relabel_packet(u32 sid)
4419 {
4420         const struct task_security_struct *__tsec;
4421         u32 tsid;
4422
4423         __tsec = current_security();
4424         tsid = __tsec->sid;
4425
4426         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4427 }
4428
4429 static void selinux_secmark_refcount_inc(void)
4430 {
4431         atomic_inc(&selinux_secmark_refcount);
4432 }
4433
4434 static void selinux_secmark_refcount_dec(void)
4435 {
4436         atomic_dec(&selinux_secmark_refcount);
4437 }
4438
4439 static void selinux_req_classify_flow(const struct request_sock *req,
4440                                       struct flowi *fl)
4441 {
4442         fl->flowi_secid = req->secid;
4443 }
4444
4445 static int selinux_tun_dev_create(void)
4446 {
4447         u32 sid = current_sid();
4448
4449         /* we aren't taking into account the "sockcreate" SID since the socket
4450          * that is being created here is not a socket in the traditional sense,
4451          * instead it is a private sock, accessible only to the kernel, and
4452          * representing a wide range of network traffic spanning multiple
4453          * connections unlike traditional sockets - check the TUN driver to
4454          * get a better understanding of why this socket is special */
4455
4456         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4457                             NULL);
4458 }
4459
4460 static void selinux_tun_dev_post_create(struct sock *sk)
4461 {
4462         struct sk_security_struct *sksec = sk->sk_security;
4463
4464         /* we don't currently perform any NetLabel based labeling here and it
4465          * isn't clear that we would want to do so anyway; while we could apply
4466          * labeling without the support of the TUN user the resulting labeled
4467          * traffic from the other end of the connection would almost certainly
4468          * cause confusion to the TUN user that had no idea network labeling
4469          * protocols were being used */
4470
4471         /* see the comments in selinux_tun_dev_create() about why we don't use
4472          * the sockcreate SID here */
4473
4474         sksec->sid = current_sid();
4475         sksec->sclass = SECCLASS_TUN_SOCKET;
4476 }
4477
4478 static int selinux_tun_dev_attach(struct sock *sk)
4479 {
4480         struct sk_security_struct *sksec = sk->sk_security;
4481         u32 sid = current_sid();
4482         int err;
4483
4484         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4485                            TUN_SOCKET__RELABELFROM, NULL);
4486         if (err)
4487                 return err;
4488         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4489                            TUN_SOCKET__RELABELTO, NULL);
4490         if (err)
4491                 return err;
4492
4493         sksec->sid = sid;
4494
4495         return 0;
4496 }
4497
4498 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4499 {
4500         int err = 0;
4501         u32 perm;
4502         struct nlmsghdr *nlh;
4503         struct sk_security_struct *sksec = sk->sk_security;
4504
4505         if (skb->len < NLMSG_SPACE(0)) {
4506                 err = -EINVAL;
4507                 goto out;
4508         }
4509         nlh = nlmsg_hdr(skb);
4510
4511         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4512         if (err) {
4513                 if (err == -EINVAL) {
4514                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4515                                   "SELinux:  unrecognized netlink message"
4516                                   " type=%hu for sclass=%hu\n",
4517                                   nlh->nlmsg_type, sksec->sclass);
4518                         if (!selinux_enforcing || security_get_allow_unknown())
4519                                 err = 0;
4520                 }
4521
4522                 /* Ignore */
4523                 if (err == -ENOENT)
4524                         err = 0;
4525                 goto out;
4526         }
4527
4528         err = sock_has_perm(current, sk, perm);
4529 out:
4530         return err;
4531 }
4532
4533 #ifdef CONFIG_NETFILTER
4534
4535 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4536                                        u16 family)
4537 {
4538         int err;
4539         char *addrp;
4540         u32 peer_sid;
4541         struct common_audit_data ad;
4542         struct selinux_audit_data sad = {0,};
4543         struct lsm_network_audit net = {0,};
4544         u8 secmark_active;
4545         u8 netlbl_active;
4546         u8 peerlbl_active;
4547
4548         if (!selinux_policycap_netpeer)
4549                 return NF_ACCEPT;
4550
4551         secmark_active = selinux_secmark_enabled();
4552         netlbl_active = netlbl_enabled();
4553         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4554         if (!secmark_active && !peerlbl_active)
4555                 return NF_ACCEPT;
4556
4557         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4558                 return NF_DROP;
4559
4560         COMMON_AUDIT_DATA_INIT(&ad, NET);
4561         ad.selinux_audit_data = &sad;
4562         ad.u.net = &net;
4563         ad.u.net->netif = ifindex;
4564         ad.u.net->family = family;
4565         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4566                 return NF_DROP;
4567
4568         if (peerlbl_active) {
4569                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4570                                                peer_sid, &ad);
4571                 if (err) {
4572                         selinux_netlbl_err(skb, err, 1);
4573                         return NF_DROP;
4574                 }
4575         }
4576
4577         if (secmark_active)
4578                 if (avc_has_perm(peer_sid, skb->secmark,
4579                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4580                         return NF_DROP;
4581
4582         if (netlbl_active)
4583                 /* we do this in the FORWARD path and not the POST_ROUTING
4584                  * path because we want to make sure we apply the necessary
4585                  * labeling before IPsec is applied so we can leverage AH
4586                  * protection */
4587                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4588                         return NF_DROP;
4589
4590         return NF_ACCEPT;
4591 }
4592
4593 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4594                                          struct sk_buff *skb,
4595                                          const struct net_device *in,
4596                                          const struct net_device *out,
4597                                          int (*okfn)(struct sk_buff *))
4598 {
4599         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4600 }
4601
4602 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4603 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4604                                          struct sk_buff *skb,
4605                                          const struct net_device *in,
4606                                          const struct net_device *out,
4607                                          int (*okfn)(struct sk_buff *))
4608 {
4609         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4610 }
4611 #endif  /* IPV6 */
4612
4613 static unsigned int selinux_ip_output(struct sk_buff *skb,
4614                                       u16 family)
4615 {
4616         u32 sid;
4617
4618         if (!netlbl_enabled())
4619                 return NF_ACCEPT;
4620
4621         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4622          * because we want to make sure we apply the necessary labeling
4623          * before IPsec is applied so we can leverage AH protection */
4624         if (skb->sk) {
4625                 struct sk_security_struct *sksec = skb->sk->sk_security;
4626                 sid = sksec->sid;
4627         } else
4628                 sid = SECINITSID_KERNEL;
4629         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4630                 return NF_DROP;
4631
4632         return NF_ACCEPT;
4633 }
4634
4635 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4636                                         struct sk_buff *skb,
4637                                         const struct net_device *in,
4638                                         const struct net_device *out,
4639                                         int (*okfn)(struct sk_buff *))
4640 {
4641         return selinux_ip_output(skb, PF_INET);
4642 }
4643
4644 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4645                                                 int ifindex,
4646                                                 u16 family)
4647 {
4648         struct sock *sk = skb->sk;
4649         struct sk_security_struct *sksec;
4650         struct common_audit_data ad;
4651         struct selinux_audit_data sad = {0,};
4652         struct lsm_network_audit net = {0,};
4653         char *addrp;
4654         u8 proto;
4655
4656         if (sk == NULL)
4657                 return NF_ACCEPT;
4658         sksec = sk->sk_security;
4659
4660         COMMON_AUDIT_DATA_INIT(&ad, NET);
4661         ad.selinux_audit_data = &sad;
4662         ad.u.net = &net;
4663         ad.u.net->netif = ifindex;
4664         ad.u.net->family = family;
4665         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4666                 return NF_DROP;
4667
4668         if (selinux_secmark_enabled())
4669                 if (avc_has_perm(sksec->sid, skb->secmark,
4670                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4671                         return NF_DROP_ERR(-ECONNREFUSED);
4672
4673         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4674                 return NF_DROP_ERR(-ECONNREFUSED);
4675
4676         return NF_ACCEPT;
4677 }
4678
4679 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4680                                          u16 family)
4681 {
4682         u32 secmark_perm;
4683         u32 peer_sid;
4684         struct sock *sk;
4685         struct common_audit_data ad;
4686         struct selinux_audit_data sad = {0,};
4687         struct lsm_network_audit net = {0,};
4688         char *addrp;
4689         u8 secmark_active;
4690         u8 peerlbl_active;
4691
4692         /* If any sort of compatibility mode is enabled then handoff processing
4693          * to the selinux_ip_postroute_compat() function to deal with the
4694          * special handling.  We do this in an attempt to keep this function
4695          * as fast and as clean as possible. */
4696         if (!selinux_policycap_netpeer)
4697                 return selinux_ip_postroute_compat(skb, ifindex, family);
4698 #ifdef CONFIG_XFRM
4699         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4700          * packet transformation so allow the packet to pass without any checks
4701          * since we'll have another chance to perform access control checks
4702          * when the packet is on it's final way out.
4703          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4704          *       is NULL, in this case go ahead and apply access control. */
4705         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4706                 return NF_ACCEPT;
4707 #endif
4708         secmark_active = selinux_secmark_enabled();
4709         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4710         if (!secmark_active && !peerlbl_active)
4711                 return NF_ACCEPT;
4712
4713         /* if the packet is being forwarded then get the peer label from the
4714          * packet itself; otherwise check to see if it is from a local
4715          * application or the kernel, if from an application get the peer label
4716          * from the sending socket, otherwise use the kernel's sid */
4717         sk = skb->sk;
4718         if (sk == NULL) {
4719                 if (skb->skb_iif) {
4720                         secmark_perm = PACKET__FORWARD_OUT;
4721                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4722                                 return NF_DROP;
4723                 } else {
4724                         secmark_perm = PACKET__SEND;
4725                         peer_sid = SECINITSID_KERNEL;
4726                 }
4727         } else {
4728                 struct sk_security_struct *sksec = sk->sk_security;
4729                 peer_sid = sksec->sid;
4730                 secmark_perm = PACKET__SEND;
4731         }
4732
4733         COMMON_AUDIT_DATA_INIT(&ad, NET);
4734         ad.selinux_audit_data = &sad;
4735         ad.u.net = &net;
4736         ad.u.net->netif = ifindex;
4737         ad.u.net->family = family;
4738         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4739                 return NF_DROP;
4740
4741         if (secmark_active)
4742                 if (avc_has_perm(peer_sid, skb->secmark,
4743                                  SECCLASS_PACKET, secmark_perm, &ad))
4744                         return NF_DROP_ERR(-ECONNREFUSED);
4745
4746         if (peerlbl_active) {
4747                 u32 if_sid;
4748                 u32 node_sid;
4749
4750                 if (sel_netif_sid(ifindex, &if_sid))
4751                         return NF_DROP;
4752                 if (avc_has_perm(peer_sid, if_sid,
4753                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4754                         return NF_DROP_ERR(-ECONNREFUSED);
4755
4756                 if (sel_netnode_sid(addrp, family, &node_sid))
4757                         return NF_DROP;
4758                 if (avc_has_perm(peer_sid, node_sid,
4759                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4760                         return NF_DROP_ERR(-ECONNREFUSED);
4761         }
4762
4763         return NF_ACCEPT;
4764 }
4765
4766 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4767                                            struct sk_buff *skb,
4768                                            const struct net_device *in,
4769                                            const struct net_device *out,
4770                                            int (*okfn)(struct sk_buff *))
4771 {
4772         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4773 }
4774
4775 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4776 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4777                                            struct sk_buff *skb,
4778                                            const struct net_device *in,
4779                                            const struct net_device *out,
4780                                            int (*okfn)(struct sk_buff *))
4781 {
4782         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4783 }
4784 #endif  /* IPV6 */
4785
4786 #endif  /* CONFIG_NETFILTER */
4787
4788 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4789 {
4790         int err;
4791
4792         err = cap_netlink_send(sk, skb);
4793         if (err)
4794                 return err;
4795
4796         return selinux_nlmsg_perm(sk, skb);
4797 }
4798
4799 static int ipc_alloc_security(struct task_struct *task,
4800                               struct kern_ipc_perm *perm,
4801                               u16 sclass)
4802 {
4803         struct ipc_security_struct *isec;
4804         u32 sid;
4805
4806         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4807         if (!isec)
4808                 return -ENOMEM;
4809
4810         sid = task_sid(task);
4811         isec->sclass = sclass;
4812         isec->sid = sid;
4813         perm->security = isec;
4814
4815         return 0;
4816 }
4817
4818 static void ipc_free_security(struct kern_ipc_perm *perm)
4819 {
4820         struct ipc_security_struct *isec = perm->security;
4821         perm->security = NULL;
4822         kfree(isec);
4823 }
4824
4825 static int msg_msg_alloc_security(struct msg_msg *msg)
4826 {
4827         struct msg_security_struct *msec;
4828
4829         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4830         if (!msec)
4831                 return -ENOMEM;
4832
4833         msec->sid = SECINITSID_UNLABELED;
4834         msg->security = msec;
4835
4836         return 0;
4837 }
4838
4839 static void msg_msg_free_security(struct msg_msg *msg)
4840 {
4841         struct msg_security_struct *msec = msg->security;
4842
4843         msg->security = NULL;
4844         kfree(msec);
4845 }
4846
4847 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4848                         u32 perms)
4849 {
4850         struct ipc_security_struct *isec;
4851         struct common_audit_data ad;
4852         struct selinux_audit_data sad = {0,};
4853         u32 sid = current_sid();
4854
4855         isec = ipc_perms->security;
4856
4857         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4858         ad.selinux_audit_data = &sad;
4859         ad.u.ipc_id = ipc_perms->key;
4860
4861         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4862 }
4863
4864 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4865 {
4866         return msg_msg_alloc_security(msg);
4867 }
4868
4869 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4870 {
4871         msg_msg_free_security(msg);
4872 }
4873
4874 /* message queue security operations */
4875 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4876 {
4877         struct ipc_security_struct *isec;
4878         struct common_audit_data ad;
4879         struct selinux_audit_data sad = {0,};
4880         u32 sid = current_sid();
4881         int rc;
4882
4883         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4884         if (rc)
4885                 return rc;
4886
4887         isec = msq->q_perm.security;
4888
4889         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4890         ad.selinux_audit_data = &sad;
4891         ad.u.ipc_id = msq->q_perm.key;
4892
4893         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4894                           MSGQ__CREATE, &ad);
4895         if (rc) {
4896                 ipc_free_security(&msq->q_perm);
4897                 return rc;
4898         }
4899         return 0;
4900 }
4901
4902 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4903 {
4904         ipc_free_security(&msq->q_perm);
4905 }
4906
4907 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4908 {
4909         struct ipc_security_struct *isec;
4910         struct common_audit_data ad;
4911         struct selinux_audit_data sad = {0,};
4912         u32 sid = current_sid();
4913
4914         isec = msq->q_perm.security;
4915
4916         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4917         ad.selinux_audit_data = &sad;
4918         ad.u.ipc_id = msq->q_perm.key;
4919
4920         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4921                             MSGQ__ASSOCIATE, &ad);
4922 }
4923
4924 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4925 {
4926         int err;
4927         int perms;
4928
4929         switch (cmd) {
4930         case IPC_INFO:
4931         case MSG_INFO:
4932                 /* No specific object, just general system-wide information. */
4933                 return task_has_system(current, SYSTEM__IPC_INFO);
4934         case IPC_STAT:
4935         case MSG_STAT:
4936                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4937                 break;
4938         case IPC_SET:
4939                 perms = MSGQ__SETATTR;
4940                 break;
4941         case IPC_RMID:
4942                 perms = MSGQ__DESTROY;
4943                 break;
4944         default:
4945                 return 0;
4946         }
4947
4948         err = ipc_has_perm(&msq->q_perm, perms);
4949         return err;
4950 }
4951
4952 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4953 {
4954         struct ipc_security_struct *isec;
4955         struct msg_security_struct *msec;
4956         struct common_audit_data ad;
4957         struct selinux_audit_data sad = {0,};
4958         u32 sid = current_sid();
4959         int rc;
4960
4961         isec = msq->q_perm.security;
4962         msec = msg->security;
4963
4964         /*
4965          * First time through, need to assign label to the message
4966          */
4967         if (msec->sid == SECINITSID_UNLABELED) {
4968                 /*
4969                  * Compute new sid based on current process and
4970                  * message queue this message will be stored in
4971                  */
4972                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4973                                              NULL, &msec->sid);
4974                 if (rc)
4975                         return rc;
4976         }
4977
4978         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4979         ad.selinux_audit_data = &sad;
4980         ad.u.ipc_id = msq->q_perm.key;
4981
4982         /* Can this process write to the queue? */
4983         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4984                           MSGQ__WRITE, &ad);
4985         if (!rc)
4986                 /* Can this process send the message */
4987                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4988                                   MSG__SEND, &ad);
4989         if (!rc)
4990                 /* Can the message be put in the queue? */
4991                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4992                                   MSGQ__ENQUEUE, &ad);
4993
4994         return rc;
4995 }
4996
4997 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4998                                     struct task_struct *target,
4999                                     long type, int mode)
5000 {
5001         struct ipc_security_struct *isec;
5002         struct msg_security_struct *msec;
5003         struct common_audit_data ad;
5004         struct selinux_audit_data sad = {0,};
5005         u32 sid = task_sid(target);
5006         int rc;
5007
5008         isec = msq->q_perm.security;
5009         msec = msg->security;
5010
5011         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5012         ad.selinux_audit_data = &sad;
5013         ad.u.ipc_id = msq->q_perm.key;
5014
5015         rc = avc_has_perm(sid, isec->sid,
5016                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5017         if (!rc)
5018                 rc = avc_has_perm(sid, msec->sid,
5019                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5020         return rc;
5021 }
5022
5023 /* Shared Memory security operations */
5024 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5025 {
5026         struct ipc_security_struct *isec;
5027         struct common_audit_data ad;
5028         struct selinux_audit_data sad = {0,};
5029         u32 sid = current_sid();
5030         int rc;
5031
5032         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5033         if (rc)
5034                 return rc;
5035
5036         isec = shp->shm_perm.security;
5037
5038         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5039         ad.selinux_audit_data = &sad;
5040         ad.u.ipc_id = shp->shm_perm.key;
5041
5042         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5043                           SHM__CREATE, &ad);
5044         if (rc) {
5045                 ipc_free_security(&shp->shm_perm);
5046                 return rc;
5047         }
5048         return 0;
5049 }
5050
5051 static void selinux_shm_free_security(struct shmid_kernel *shp)
5052 {
5053         ipc_free_security(&shp->shm_perm);
5054 }
5055
5056 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5057 {
5058         struct ipc_security_struct *isec;
5059         struct common_audit_data ad;
5060         struct selinux_audit_data sad = {0,};
5061         u32 sid = current_sid();
5062
5063         isec = shp->shm_perm.security;
5064
5065         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5066         ad.selinux_audit_data = &sad;
5067         ad.u.ipc_id = shp->shm_perm.key;
5068
5069         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5070                             SHM__ASSOCIATE, &ad);
5071 }
5072
5073 /* Note, at this point, shp is locked down */
5074 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5075 {
5076         int perms;
5077         int err;
5078
5079         switch (cmd) {
5080         case IPC_INFO:
5081         case SHM_INFO:
5082                 /* No specific object, just general system-wide information. */
5083                 return task_has_system(current, SYSTEM__IPC_INFO);
5084         case IPC_STAT:
5085         case SHM_STAT:
5086                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5087                 break;
5088         case IPC_SET:
5089                 perms = SHM__SETATTR;
5090                 break;
5091         case SHM_LOCK:
5092         case SHM_UNLOCK:
5093                 perms = SHM__LOCK;
5094                 break;
5095         case IPC_RMID:
5096                 perms = SHM__DESTROY;
5097                 break;
5098         default:
5099                 return 0;
5100         }
5101
5102         err = ipc_has_perm(&shp->shm_perm, perms);
5103         return err;
5104 }
5105
5106 static int selinux_shm_shmat(struct shmid_kernel *shp,
5107                              char __user *shmaddr, int shmflg)
5108 {
5109         u32 perms;
5110
5111         if (shmflg & SHM_RDONLY)
5112                 perms = SHM__READ;
5113         else
5114                 perms = SHM__READ | SHM__WRITE;
5115
5116         return ipc_has_perm(&shp->shm_perm, perms);
5117 }
5118
5119 /* Semaphore security operations */
5120 static int selinux_sem_alloc_security(struct sem_array *sma)
5121 {
5122         struct ipc_security_struct *isec;
5123         struct common_audit_data ad;
5124         struct selinux_audit_data sad = {0,};
5125         u32 sid = current_sid();
5126         int rc;
5127
5128         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5129         if (rc)
5130                 return rc;
5131
5132         isec = sma->sem_perm.security;
5133
5134         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5135         ad.selinux_audit_data = &sad;
5136         ad.u.ipc_id = sma->sem_perm.key;
5137
5138         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5139                           SEM__CREATE, &ad);
5140         if (rc) {
5141                 ipc_free_security(&sma->sem_perm);
5142                 return rc;
5143         }
5144         return 0;
5145 }
5146
5147 static void selinux_sem_free_security(struct sem_array *sma)
5148 {
5149         ipc_free_security(&sma->sem_perm);
5150 }
5151
5152 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5153 {
5154         struct ipc_security_struct *isec;
5155         struct common_audit_data ad;
5156         struct selinux_audit_data sad = {0,};
5157         u32 sid = current_sid();
5158
5159         isec = sma->sem_perm.security;
5160
5161         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5162         ad.selinux_audit_data = &sad;
5163         ad.u.ipc_id = sma->sem_perm.key;
5164
5165         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5166                             SEM__ASSOCIATE, &ad);
5167 }
5168
5169 /* Note, at this point, sma is locked down */
5170 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5171 {
5172         int err;
5173         u32 perms;
5174
5175         switch (cmd) {
5176         case IPC_INFO:
5177         case SEM_INFO:
5178                 /* No specific object, just general system-wide information. */
5179                 return task_has_system(current, SYSTEM__IPC_INFO);
5180         case GETPID:
5181         case GETNCNT:
5182         case GETZCNT:
5183                 perms = SEM__GETATTR;
5184                 break;
5185         case GETVAL:
5186         case GETALL:
5187                 perms = SEM__READ;
5188                 break;
5189         case SETVAL:
5190         case SETALL:
5191                 perms = SEM__WRITE;
5192                 break;
5193         case IPC_RMID:
5194                 perms = SEM__DESTROY;
5195                 break;
5196         case IPC_SET:
5197                 perms = SEM__SETATTR;
5198                 break;
5199         case IPC_STAT:
5200         case SEM_STAT:
5201                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5202                 break;
5203         default:
5204                 return 0;
5205         }
5206
5207         err = ipc_has_perm(&sma->sem_perm, perms);
5208         return err;
5209 }
5210
5211 static int selinux_sem_semop(struct sem_array *sma,
5212                              struct sembuf *sops, unsigned nsops, int alter)
5213 {
5214         u32 perms;
5215
5216         if (alter)
5217                 perms = SEM__READ | SEM__WRITE;
5218         else
5219                 perms = SEM__READ;
5220
5221         return ipc_has_perm(&sma->sem_perm, perms);
5222 }
5223
5224 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5225 {
5226         u32 av = 0;
5227
5228         av = 0;
5229         if (flag & S_IRUGO)
5230                 av |= IPC__UNIX_READ;
5231         if (flag & S_IWUGO)
5232                 av |= IPC__UNIX_WRITE;
5233
5234         if (av == 0)
5235                 return 0;
5236
5237         return ipc_has_perm(ipcp, av);
5238 }
5239
5240 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5241 {
5242         struct ipc_security_struct *isec = ipcp->security;
5243         *secid = isec->sid;
5244 }
5245
5246 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5247 {
5248         if (inode)
5249                 inode_doinit_with_dentry(inode, dentry);
5250 }
5251
5252 static int selinux_getprocattr(struct task_struct *p,
5253                                char *name, char **value)
5254 {
5255         const struct task_security_struct *__tsec;
5256         u32 sid;
5257         int error;
5258         unsigned len;
5259
5260         if (current != p) {
5261                 error = current_has_perm(p, PROCESS__GETATTR);
5262                 if (error)
5263                         return error;
5264         }
5265
5266         rcu_read_lock();
5267         __tsec = __task_cred(p)->security;
5268
5269         if (!strcmp(name, "current"))
5270                 sid = __tsec->sid;
5271         else if (!strcmp(name, "prev"))
5272                 sid = __tsec->osid;
5273         else if (!strcmp(name, "exec"))
5274                 sid = __tsec->exec_sid;
5275         else if (!strcmp(name, "fscreate"))
5276                 sid = __tsec->create_sid;
5277         else if (!strcmp(name, "keycreate"))
5278                 sid = __tsec->keycreate_sid;
5279         else if (!strcmp(name, "sockcreate"))
5280                 sid = __tsec->sockcreate_sid;
5281         else
5282                 goto invalid;
5283         rcu_read_unlock();
5284
5285         if (!sid)
5286                 return 0;
5287
5288         error = security_sid_to_context(sid, value, &len);
5289         if (error)
5290                 return error;
5291         return len;
5292
5293 invalid:
5294         rcu_read_unlock();
5295         return -EINVAL;
5296 }
5297
5298 static int selinux_setprocattr(struct task_struct *p,
5299                                char *name, void *value, size_t size)
5300 {
5301         struct task_security_struct *tsec;
5302         struct task_struct *tracer;
5303         struct cred *new;
5304         u32 sid = 0, ptsid;
5305         int error;
5306         char *str = value;
5307
5308         if (current != p) {
5309                 /* SELinux only allows a process to change its own
5310                    security attributes. */
5311                 return -EACCES;
5312         }
5313
5314         /*
5315          * Basic control over ability to set these attributes at all.
5316          * current == p, but we'll pass them separately in case the
5317          * above restriction is ever removed.
5318          */
5319         if (!strcmp(name, "exec"))
5320                 error = current_has_perm(p, PROCESS__SETEXEC);
5321         else if (!strcmp(name, "fscreate"))
5322                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5323         else if (!strcmp(name, "keycreate"))
5324                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5325         else if (!strcmp(name, "sockcreate"))
5326                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5327         else if (!strcmp(name, "current"))
5328                 error = current_has_perm(p, PROCESS__SETCURRENT);
5329         else
5330                 error = -EINVAL;
5331         if (error)
5332                 return error;
5333
5334         /* Obtain a SID for the context, if one was specified. */
5335         if (size && str[1] && str[1] != '\n') {
5336                 if (str[size-1] == '\n') {
5337                         str[size-1] = 0;
5338                         size--;
5339                 }
5340                 error = security_context_to_sid(value, size, &sid);
5341                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5342                         if (!capable(CAP_MAC_ADMIN))
5343                                 return error;
5344                         error = security_context_to_sid_force(value, size,
5345                                                               &sid);
5346                 }
5347                 if (error)
5348                         return error;
5349         }
5350
5351         new = prepare_creds();
5352         if (!new)
5353                 return -ENOMEM;
5354
5355         /* Permission checking based on the specified context is
5356            performed during the actual operation (execve,
5357            open/mkdir/...), when we know the full context of the
5358            operation.  See selinux_bprm_set_creds for the execve
5359            checks and may_create for the file creation checks. The
5360            operation will then fail if the context is not permitted. */
5361         tsec = new->security;
5362         if (!strcmp(name, "exec")) {
5363                 tsec->exec_sid = sid;
5364         } else if (!strcmp(name, "fscreate")) {
5365                 tsec->create_sid = sid;
5366         } else if (!strcmp(name, "keycreate")) {
5367                 error = may_create_key(sid, p);
5368                 if (error)
5369                         goto abort_change;
5370                 tsec->keycreate_sid = sid;
5371         } else if (!strcmp(name, "sockcreate")) {
5372                 tsec->sockcreate_sid = sid;
5373         } else if (!strcmp(name, "current")) {
5374                 error = -EINVAL;
5375                 if (sid == 0)
5376                         goto abort_change;
5377
5378                 /* Only allow single threaded processes to change context */
5379                 error = -EPERM;
5380                 if (!current_is_single_threaded()) {
5381                         error = security_bounded_transition(tsec->sid, sid);
5382                         if (error)
5383                                 goto abort_change;
5384                 }
5385
5386                 /* Check permissions for the transition. */
5387                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5388                                      PROCESS__DYNTRANSITION, NULL);
5389                 if (error)
5390                         goto abort_change;
5391
5392                 /* Check for ptracing, and update the task SID if ok.
5393                    Otherwise, leave SID unchanged and fail. */
5394                 ptsid = 0;
5395                 task_lock(p);
5396                 tracer = ptrace_parent(p);
5397                 if (tracer)
5398                         ptsid = task_sid(tracer);
5399                 task_unlock(p);
5400
5401                 if (tracer) {
5402                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5403                                              PROCESS__PTRACE, NULL);
5404                         if (error)
5405                                 goto abort_change;
5406                 }
5407
5408                 tsec->sid = sid;
5409         } else {
5410                 error = -EINVAL;
5411                 goto abort_change;
5412         }
5413
5414         commit_creds(new);
5415         return size;
5416
5417 abort_change:
5418         abort_creds(new);
5419         return error;
5420 }
5421
5422 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5423 {
5424         return security_sid_to_context(secid, secdata, seclen);
5425 }
5426
5427 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5428 {
5429         return security_context_to_sid(secdata, seclen, secid);
5430 }
5431
5432 static void selinux_release_secctx(char *secdata, u32 seclen)
5433 {
5434         kfree(secdata);
5435 }
5436
5437 /*
5438  *      called with inode->i_mutex locked
5439  */
5440 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5441 {
5442         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5443 }
5444
5445 /*
5446  *      called with inode->i_mutex locked
5447  */
5448 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5449 {
5450         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5451 }
5452
5453 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5454 {
5455         int len = 0;
5456         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5457                                                 ctx, true);
5458         if (len < 0)
5459                 return len;
5460         *ctxlen = len;
5461         return 0;
5462 }
5463 #ifdef CONFIG_KEYS
5464
5465 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5466                              unsigned long flags)
5467 {
5468         const struct task_security_struct *tsec;
5469         struct key_security_struct *ksec;
5470
5471         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5472         if (!ksec)
5473                 return -ENOMEM;
5474
5475         tsec = cred->security;
5476         if (tsec->keycreate_sid)
5477                 ksec->sid = tsec->keycreate_sid;
5478         else
5479                 ksec->sid = tsec->sid;
5480
5481         k->security = ksec;
5482         return 0;
5483 }
5484
5485 static void selinux_key_free(struct key *k)
5486 {
5487         struct key_security_struct *ksec = k->security;
5488
5489         k->security = NULL;
5490         kfree(ksec);
5491 }
5492
5493 static int selinux_key_permission(key_ref_t key_ref,
5494                                   const struct cred *cred,
5495                                   key_perm_t perm)
5496 {
5497         struct key *key;
5498         struct key_security_struct *ksec;
5499         u32 sid;
5500
5501         /* if no specific permissions are requested, we skip the
5502            permission check. No serious, additional covert channels
5503            appear to be created. */
5504         if (perm == 0)
5505                 return 0;
5506
5507         sid = cred_sid(cred);
5508
5509         key = key_ref_to_ptr(key_ref);
5510         ksec = key->security;
5511
5512         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5513 }
5514
5515 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5516 {
5517         struct key_security_struct *ksec = key->security;
5518         char *context = NULL;
5519         unsigned len;
5520         int rc;
5521
5522         rc = security_sid_to_context(ksec->sid, &context, &len);
5523         if (!rc)
5524                 rc = len;
5525         *_buffer = context;
5526         return rc;
5527 }
5528
5529 #endif
5530
5531 static struct security_operations selinux_ops = {
5532         .name =                         "selinux",
5533
5534         .ptrace_access_check =          selinux_ptrace_access_check,
5535         .ptrace_traceme =               selinux_ptrace_traceme,
5536         .capget =                       selinux_capget,
5537         .capset =                       selinux_capset,
5538         .capable =                      selinux_capable,
5539         .quotactl =                     selinux_quotactl,
5540         .quota_on =                     selinux_quota_on,
5541         .syslog =                       selinux_syslog,
5542         .vm_enough_memory =             selinux_vm_enough_memory,
5543
5544         .netlink_send =                 selinux_netlink_send,
5545
5546         .bprm_set_creds =               selinux_bprm_set_creds,
5547         .bprm_committing_creds =        selinux_bprm_committing_creds,
5548         .bprm_committed_creds =         selinux_bprm_committed_creds,
5549         .bprm_secureexec =              selinux_bprm_secureexec,
5550
5551         .sb_alloc_security =            selinux_sb_alloc_security,
5552         .sb_free_security =             selinux_sb_free_security,
5553         .sb_copy_data =                 selinux_sb_copy_data,
5554         .sb_remount =                   selinux_sb_remount,
5555         .sb_kern_mount =                selinux_sb_kern_mount,
5556         .sb_show_options =              selinux_sb_show_options,
5557         .sb_statfs =                    selinux_sb_statfs,
5558         .sb_mount =                     selinux_mount,
5559         .sb_umount =                    selinux_umount,
5560         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5561         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5562         .sb_parse_opts_str =            selinux_parse_opts_str,
5563
5564
5565         .inode_alloc_security =         selinux_inode_alloc_security,
5566         .inode_free_security =          selinux_inode_free_security,
5567         .inode_init_security =          selinux_inode_init_security,
5568         .inode_create =                 selinux_inode_create,
5569         .inode_link =                   selinux_inode_link,
5570         .inode_unlink =                 selinux_inode_unlink,
5571         .inode_symlink =                selinux_inode_symlink,
5572         .inode_mkdir =                  selinux_inode_mkdir,
5573         .inode_rmdir =                  selinux_inode_rmdir,
5574         .inode_mknod =                  selinux_inode_mknod,
5575         .inode_rename =                 selinux_inode_rename,
5576         .inode_readlink =               selinux_inode_readlink,
5577         .inode_follow_link =            selinux_inode_follow_link,
5578         .inode_permission =             selinux_inode_permission,
5579         .inode_setattr =                selinux_inode_setattr,
5580         .inode_getattr =                selinux_inode_getattr,
5581         .inode_setxattr =               selinux_inode_setxattr,
5582         .inode_post_setxattr =          selinux_inode_post_setxattr,
5583         .inode_getxattr =               selinux_inode_getxattr,
5584         .inode_listxattr =              selinux_inode_listxattr,
5585         .inode_removexattr =            selinux_inode_removexattr,
5586         .inode_getsecurity =            selinux_inode_getsecurity,
5587         .inode_setsecurity =            selinux_inode_setsecurity,
5588         .inode_listsecurity =           selinux_inode_listsecurity,
5589         .inode_getsecid =               selinux_inode_getsecid,
5590
5591         .file_permission =              selinux_file_permission,
5592         .file_alloc_security =          selinux_file_alloc_security,
5593         .file_free_security =           selinux_file_free_security,
5594         .file_ioctl =                   selinux_file_ioctl,
5595         .file_mmap =                    selinux_file_mmap,
5596         .file_mprotect =                selinux_file_mprotect,
5597         .file_lock =                    selinux_file_lock,
5598         .file_fcntl =                   selinux_file_fcntl,
5599         .file_set_fowner =              selinux_file_set_fowner,
5600         .file_send_sigiotask =          selinux_file_send_sigiotask,
5601         .file_receive =                 selinux_file_receive,
5602
5603         .dentry_open =                  selinux_dentry_open,
5604
5605         .task_create =                  selinux_task_create,
5606         .cred_alloc_blank =             selinux_cred_alloc_blank,
5607         .cred_free =                    selinux_cred_free,
5608         .cred_prepare =                 selinux_cred_prepare,
5609         .cred_transfer =                selinux_cred_transfer,
5610         .kernel_act_as =                selinux_kernel_act_as,
5611         .kernel_create_files_as =       selinux_kernel_create_files_as,
5612         .kernel_module_request =        selinux_kernel_module_request,
5613         .task_setpgid =                 selinux_task_setpgid,
5614         .task_getpgid =                 selinux_task_getpgid,
5615         .task_getsid =                  selinux_task_getsid,
5616         .task_getsecid =                selinux_task_getsecid,
5617         .task_setnice =                 selinux_task_setnice,
5618         .task_setioprio =               selinux_task_setioprio,
5619         .task_getioprio =               selinux_task_getioprio,
5620         .task_setrlimit =               selinux_task_setrlimit,
5621         .task_setscheduler =            selinux_task_setscheduler,
5622         .task_getscheduler =            selinux_task_getscheduler,
5623         .task_movememory =              selinux_task_movememory,
5624         .task_kill =                    selinux_task_kill,
5625         .task_wait =                    selinux_task_wait,
5626         .task_to_inode =                selinux_task_to_inode,
5627
5628         .ipc_permission =               selinux_ipc_permission,
5629         .ipc_getsecid =                 selinux_ipc_getsecid,
5630
5631         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5632         .msg_msg_free_security =        selinux_msg_msg_free_security,
5633
5634         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5635         .msg_queue_free_security =      selinux_msg_queue_free_security,
5636         .msg_queue_associate =          selinux_msg_queue_associate,
5637         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5638         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5639         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5640
5641         .shm_alloc_security =           selinux_shm_alloc_security,
5642         .shm_free_security =            selinux_shm_free_security,
5643         .shm_associate =                selinux_shm_associate,
5644         .shm_shmctl =                   selinux_shm_shmctl,
5645         .shm_shmat =                    selinux_shm_shmat,
5646
5647         .sem_alloc_security =           selinux_sem_alloc_security,
5648         .sem_free_security =            selinux_sem_free_security,
5649         .sem_associate =                selinux_sem_associate,
5650         .sem_semctl =                   selinux_sem_semctl,
5651         .sem_semop =                    selinux_sem_semop,
5652
5653         .d_instantiate =                selinux_d_instantiate,
5654
5655         .getprocattr =                  selinux_getprocattr,
5656         .setprocattr =                  selinux_setprocattr,
5657
5658         .secid_to_secctx =              selinux_secid_to_secctx,
5659         .secctx_to_secid =              selinux_secctx_to_secid,
5660         .release_secctx =               selinux_release_secctx,
5661         .inode_notifysecctx =           selinux_inode_notifysecctx,
5662         .inode_setsecctx =              selinux_inode_setsecctx,
5663         .inode_getsecctx =              selinux_inode_getsecctx,
5664
5665         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5666         .unix_may_send =                selinux_socket_unix_may_send,
5667
5668         .socket_create =                selinux_socket_create,
5669         .socket_post_create =           selinux_socket_post_create,
5670         .socket_bind =                  selinux_socket_bind,
5671         .socket_connect =               selinux_socket_connect,
5672         .socket_listen =                selinux_socket_listen,
5673         .socket_accept =                selinux_socket_accept,
5674         .socket_sendmsg =               selinux_socket_sendmsg,
5675         .socket_recvmsg =               selinux_socket_recvmsg,
5676         .socket_getsockname =           selinux_socket_getsockname,
5677         .socket_getpeername =           selinux_socket_getpeername,
5678         .socket_getsockopt =            selinux_socket_getsockopt,
5679         .socket_setsockopt =            selinux_socket_setsockopt,
5680         .socket_shutdown =              selinux_socket_shutdown,
5681         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5682         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5683         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5684         .sk_alloc_security =            selinux_sk_alloc_security,
5685         .sk_free_security =             selinux_sk_free_security,
5686         .sk_clone_security =            selinux_sk_clone_security,
5687         .sk_getsecid =                  selinux_sk_getsecid,
5688         .sock_graft =                   selinux_sock_graft,
5689         .inet_conn_request =            selinux_inet_conn_request,
5690         .inet_csk_clone =               selinux_inet_csk_clone,
5691         .inet_conn_established =        selinux_inet_conn_established,
5692         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5693         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5694         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5695         .req_classify_flow =            selinux_req_classify_flow,
5696         .tun_dev_create =               selinux_tun_dev_create,
5697         .tun_dev_post_create =          selinux_tun_dev_post_create,
5698         .tun_dev_attach =               selinux_tun_dev_attach,
5699
5700 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5701         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5702         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5703         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5704         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5705         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5706         .xfrm_state_free_security =     selinux_xfrm_state_free,
5707         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5708         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5709         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5710         .xfrm_decode_session =          selinux_xfrm_decode_session,
5711 #endif
5712
5713 #ifdef CONFIG_KEYS
5714         .key_alloc =                    selinux_key_alloc,
5715         .key_free =                     selinux_key_free,
5716         .key_permission =               selinux_key_permission,
5717         .key_getsecurity =              selinux_key_getsecurity,
5718 #endif
5719
5720 #ifdef CONFIG_AUDIT
5721         .audit_rule_init =              selinux_audit_rule_init,
5722         .audit_rule_known =             selinux_audit_rule_known,
5723         .audit_rule_match =             selinux_audit_rule_match,
5724         .audit_rule_free =              selinux_audit_rule_free,
5725 #endif
5726 };
5727
5728 static __init int selinux_init(void)
5729 {
5730         if (!security_module_enable(&selinux_ops)) {
5731                 selinux_enabled = 0;
5732                 return 0;
5733         }
5734
5735         if (!selinux_enabled) {
5736                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5737                 return 0;
5738         }
5739
5740         printk(KERN_INFO "SELinux:  Initializing.\n");
5741
5742         /* Set the security state for the initial task. */
5743         cred_init_security();
5744
5745         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5746
5747         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5748                                             sizeof(struct inode_security_struct),
5749                                             0, SLAB_PANIC, NULL);
5750         avc_init();
5751
5752         if (register_security(&selinux_ops))
5753                 panic("SELinux: Unable to register with kernel.\n");
5754
5755         if (selinux_enforcing)
5756                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5757         else
5758                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5759
5760         return 0;
5761 }
5762
5763 static void delayed_superblock_init(struct super_block *sb, void *unused)
5764 {
5765         superblock_doinit(sb, NULL);
5766 }
5767
5768 void selinux_complete_init(void)
5769 {
5770         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5771
5772         /* Set up any superblocks initialized prior to the policy load. */
5773         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5774         iterate_supers(delayed_superblock_init, NULL);
5775 }
5776
5777 /* SELinux requires early initialization in order to label
5778    all processes and objects when they are created. */
5779 security_initcall(selinux_init);
5780
5781 #if defined(CONFIG_NETFILTER)
5782
5783 static struct nf_hook_ops selinux_ipv4_ops[] = {
5784         {
5785                 .hook =         selinux_ipv4_postroute,
5786                 .owner =        THIS_MODULE,
5787                 .pf =           PF_INET,
5788                 .hooknum =      NF_INET_POST_ROUTING,
5789                 .priority =     NF_IP_PRI_SELINUX_LAST,
5790         },
5791         {
5792                 .hook =         selinux_ipv4_forward,
5793                 .owner =        THIS_MODULE,
5794                 .pf =           PF_INET,
5795                 .hooknum =      NF_INET_FORWARD,
5796                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5797         },
5798         {
5799                 .hook =         selinux_ipv4_output,
5800                 .owner =        THIS_MODULE,
5801                 .pf =           PF_INET,
5802                 .hooknum =      NF_INET_LOCAL_OUT,
5803                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5804         }
5805 };
5806
5807 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5808
5809 static struct nf_hook_ops selinux_ipv6_ops[] = {
5810         {
5811                 .hook =         selinux_ipv6_postroute,
5812                 .owner =        THIS_MODULE,
5813                 .pf =           PF_INET6,
5814                 .hooknum =      NF_INET_POST_ROUTING,
5815                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5816         },
5817         {
5818                 .hook =         selinux_ipv6_forward,
5819                 .owner =        THIS_MODULE,
5820                 .pf =           PF_INET6,
5821                 .hooknum =      NF_INET_FORWARD,
5822                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5823         }
5824 };
5825
5826 #endif  /* IPV6 */
5827
5828 static int __init selinux_nf_ip_init(void)
5829 {
5830         int err = 0;
5831
5832         if (!selinux_enabled)
5833                 goto out;
5834
5835         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5836
5837         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5838         if (err)
5839                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5840
5841 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5842         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5843         if (err)
5844                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5845 #endif  /* IPV6 */
5846
5847 out:
5848         return err;
5849 }
5850
5851 __initcall(selinux_nf_ip_init);
5852
5853 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5854 static void selinux_nf_ip_exit(void)
5855 {
5856         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5857
5858         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5859 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5860         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5861 #endif  /* IPV6 */
5862 }
5863 #endif
5864
5865 #else /* CONFIG_NETFILTER */
5866
5867 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5868 #define selinux_nf_ip_exit()
5869 #endif
5870
5871 #endif /* CONFIG_NETFILTER */
5872
5873 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5874 static int selinux_disabled;
5875
5876 int selinux_disable(void)
5877 {
5878         if (ss_initialized) {
5879                 /* Not permitted after initial policy load. */
5880                 return -EINVAL;
5881         }
5882
5883         if (selinux_disabled) {
5884                 /* Only do this once. */
5885                 return -EINVAL;
5886         }
5887
5888         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5889
5890         selinux_disabled = 1;
5891         selinux_enabled = 0;
5892
5893         reset_security_ops();
5894
5895         /* Try to destroy the avc node cache */
5896         avc_disable();
5897
5898         /* Unregister netfilter hooks. */
5899         selinux_nf_ip_exit();
5900
5901         /* Unregister selinuxfs. */
5902         exit_sel_fs();
5903
5904         return 0;
5905 }
5906 #endif