d85b793c9321c5866a2f6bd2ce60cb5aaff42e17
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>             /* for local_port_range[] */
54 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
55 #include <net/net_namespace.h>
56 #include <net/netlabel.h>
57 #include <linux/uaccess.h>
58 #include <asm/ioctls.h>
59 #include <linux/atomic.h>
60 #include <linux/bitops.h>
61 #include <linux/interrupt.h>
62 #include <linux/netdevice.h>    /* for network interface checks */
63 #include <linux/netlink.h>
64 #include <linux/tcp.h>
65 #include <linux/udp.h>
66 #include <linux/dccp.h>
67 #include <linux/quota.h>
68 #include <linux/un.h>           /* for Unix socket types */
69 #include <net/af_unix.h>        /* for Unix socket types */
70 #include <linux/parser.h>
71 #include <linux/nfs_mount.h>
72 #include <net/ipv6.h>
73 #include <linux/hugetlb.h>
74 #include <linux/personality.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
79 #include <linux/posix-timers.h>
80 #include <linux/syslog.h>
81 #include <linux/user_namespace.h>
82 #include <linux/export.h>
83 #include <linux/msg.h>
84 #include <linux/shm.h>
85
86 #include "avc.h"
87 #include "objsec.h"
88 #include "netif.h"
89 #include "netnode.h"
90 #include "netport.h"
91 #include "xfrm.h"
92 #include "netlabel.h"
93 #include "audit.h"
94 #include "avc_ss.h"
95
96 #define NUM_SEL_MNT_OPTS 5
97
98 extern struct security_operations *security_ops;
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108         unsigned long enforcing;
109         if (!strict_strtoul(str, 0, &enforcing))
110                 selinux_enforcing = enforcing ? 1 : 0;
111         return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121         unsigned long enabled;
122         if (!strict_strtoul(str, 0, &enabled))
123                 selinux_enabled = enabled ? 1 : 0;
124         return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132
133 /**
134  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135  *
136  * Description:
137  * This function checks the SECMARK reference counter to see if any SECMARK
138  * targets are currently configured, if the reference counter is greater than
139  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
140  * enabled, false (0) if SECMARK is disabled.
141  *
142  */
143 static int selinux_secmark_enabled(void)
144 {
145         return (atomic_read(&selinux_secmark_refcount) > 0);
146 }
147
148 /*
149  * initialise the security for the init task
150  */
151 static void cred_init_security(void)
152 {
153         struct cred *cred = (struct cred *) current->real_cred;
154         struct task_security_struct *tsec;
155
156         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
157         if (!tsec)
158                 panic("SELinux:  Failed to initialize initial task.\n");
159
160         tsec->osid = tsec->sid = SECINITSID_KERNEL;
161         cred->security = tsec;
162 }
163
164 /*
165  * get the security ID of a set of credentials
166  */
167 static inline u32 cred_sid(const struct cred *cred)
168 {
169         const struct task_security_struct *tsec;
170
171         tsec = cred->security;
172         return tsec->sid;
173 }
174
175 /*
176  * get the objective security ID of a task
177  */
178 static inline u32 task_sid(const struct task_struct *task)
179 {
180         u32 sid;
181
182         rcu_read_lock();
183         sid = cred_sid(__task_cred(task));
184         rcu_read_unlock();
185         return sid;
186 }
187
188 /*
189  * get the subjective security ID of the current task
190  */
191 static inline u32 current_sid(void)
192 {
193         const struct task_security_struct *tsec = current_security();
194
195         return tsec->sid;
196 }
197
198 /* Allocate and free functions for each kind of security blob. */
199
200 static int inode_alloc_security(struct inode *inode)
201 {
202         struct inode_security_struct *isec;
203         u32 sid = current_sid();
204
205         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
206         if (!isec)
207                 return -ENOMEM;
208
209         mutex_init(&isec->lock);
210         INIT_LIST_HEAD(&isec->list);
211         isec->inode = inode;
212         isec->sid = SECINITSID_UNLABELED;
213         isec->sclass = SECCLASS_FILE;
214         isec->task_sid = sid;
215         inode->i_security = isec;
216
217         return 0;
218 }
219
220 static void inode_free_security(struct inode *inode)
221 {
222         struct inode_security_struct *isec = inode->i_security;
223         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
224
225         spin_lock(&sbsec->isec_lock);
226         if (!list_empty(&isec->list))
227                 list_del_init(&isec->list);
228         spin_unlock(&sbsec->isec_lock);
229
230         inode->i_security = NULL;
231         kmem_cache_free(sel_inode_cache, isec);
232 }
233
234 static int file_alloc_security(struct file *file)
235 {
236         struct file_security_struct *fsec;
237         u32 sid = current_sid();
238
239         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
240         if (!fsec)
241                 return -ENOMEM;
242
243         fsec->sid = sid;
244         fsec->fown_sid = sid;
245         file->f_security = fsec;
246
247         return 0;
248 }
249
250 static void file_free_security(struct file *file)
251 {
252         struct file_security_struct *fsec = file->f_security;
253         file->f_security = NULL;
254         kfree(fsec);
255 }
256
257 static int superblock_alloc_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec;
260
261         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
262         if (!sbsec)
263                 return -ENOMEM;
264
265         mutex_init(&sbsec->lock);
266         INIT_LIST_HEAD(&sbsec->isec_head);
267         spin_lock_init(&sbsec->isec_lock);
268         sbsec->sb = sb;
269         sbsec->sid = SECINITSID_UNLABELED;
270         sbsec->def_sid = SECINITSID_FILE;
271         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
272         sb->s_security = sbsec;
273
274         return 0;
275 }
276
277 static void superblock_free_security(struct super_block *sb)
278 {
279         struct superblock_security_struct *sbsec = sb->s_security;
280         sb->s_security = NULL;
281         kfree(sbsec);
282 }
283
284 /* The file system's label must be initialized prior to use. */
285
286 static const char *labeling_behaviors[6] = {
287         "uses xattr",
288         "uses transition SIDs",
289         "uses task SIDs",
290         "uses genfs_contexts",
291         "not configured for labeling",
292         "uses mountpoint labeling",
293 };
294
295 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
296
297 static inline int inode_doinit(struct inode *inode)
298 {
299         return inode_doinit_with_dentry(inode, NULL);
300 }
301
302 enum {
303         Opt_error = -1,
304         Opt_context = 1,
305         Opt_fscontext = 2,
306         Opt_defcontext = 3,
307         Opt_rootcontext = 4,
308         Opt_labelsupport = 5,
309 };
310
311 static const match_table_t tokens = {
312         {Opt_context, CONTEXT_STR "%s"},
313         {Opt_fscontext, FSCONTEXT_STR "%s"},
314         {Opt_defcontext, DEFCONTEXT_STR "%s"},
315         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
316         {Opt_labelsupport, LABELSUPP_STR},
317         {Opt_error, NULL},
318 };
319
320 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
321
322 static int may_context_mount_sb_relabel(u32 sid,
323                         struct superblock_security_struct *sbsec,
324                         const struct cred *cred)
325 {
326         const struct task_security_struct *tsec = cred->security;
327         int rc;
328
329         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
330                           FILESYSTEM__RELABELFROM, NULL);
331         if (rc)
332                 return rc;
333
334         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
335                           FILESYSTEM__RELABELTO, NULL);
336         return rc;
337 }
338
339 static int may_context_mount_inode_relabel(u32 sid,
340                         struct superblock_security_struct *sbsec,
341                         const struct cred *cred)
342 {
343         const struct task_security_struct *tsec = cred->security;
344         int rc;
345         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
346                           FILESYSTEM__RELABELFROM, NULL);
347         if (rc)
348                 return rc;
349
350         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
351                           FILESYSTEM__ASSOCIATE, NULL);
352         return rc;
353 }
354
355 static int sb_finish_set_opts(struct super_block *sb)
356 {
357         struct superblock_security_struct *sbsec = sb->s_security;
358         struct dentry *root = sb->s_root;
359         struct inode *root_inode = root->d_inode;
360         int rc = 0;
361
362         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
363                 /* Make sure that the xattr handler exists and that no
364                    error other than -ENODATA is returned by getxattr on
365                    the root directory.  -ENODATA is ok, as this may be
366                    the first boot of the SELinux kernel before we have
367                    assigned xattr values to the filesystem. */
368                 if (!root_inode->i_op->getxattr) {
369                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
370                                "xattr support\n", sb->s_id, sb->s_type->name);
371                         rc = -EOPNOTSUPP;
372                         goto out;
373                 }
374                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
375                 if (rc < 0 && rc != -ENODATA) {
376                         if (rc == -EOPNOTSUPP)
377                                 printk(KERN_WARNING "SELinux: (dev %s, type "
378                                        "%s) has no security xattr handler\n",
379                                        sb->s_id, sb->s_type->name);
380                         else
381                                 printk(KERN_WARNING "SELinux: (dev %s, type "
382                                        "%s) getxattr errno %d\n", sb->s_id,
383                                        sb->s_type->name, -rc);
384                         goto out;
385                 }
386         }
387
388         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
389
390         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
391                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
392                        sb->s_id, sb->s_type->name);
393         else
394                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
395                        sb->s_id, sb->s_type->name,
396                        labeling_behaviors[sbsec->behavior-1]);
397
398         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
399             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
400             sbsec->behavior == SECURITY_FS_USE_NONE ||
401             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
402                 sbsec->flags &= ~SE_SBLABELSUPP;
403
404         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
405         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
406                 sbsec->flags |= SE_SBLABELSUPP;
407
408         /* Initialize the root inode. */
409         rc = inode_doinit_with_dentry(root_inode, root);
410
411         /* Initialize any other inodes associated with the superblock, e.g.
412            inodes created prior to initial policy load or inodes created
413            during get_sb by a pseudo filesystem that directly
414            populates itself. */
415         spin_lock(&sbsec->isec_lock);
416 next_inode:
417         if (!list_empty(&sbsec->isec_head)) {
418                 struct inode_security_struct *isec =
419                                 list_entry(sbsec->isec_head.next,
420                                            struct inode_security_struct, list);
421                 struct inode *inode = isec->inode;
422                 spin_unlock(&sbsec->isec_lock);
423                 inode = igrab(inode);
424                 if (inode) {
425                         if (!IS_PRIVATE(inode))
426                                 inode_doinit(inode);
427                         iput(inode);
428                 }
429                 spin_lock(&sbsec->isec_lock);
430                 list_del_init(&isec->list);
431                 goto next_inode;
432         }
433         spin_unlock(&sbsec->isec_lock);
434 out:
435         return rc;
436 }
437
438 /*
439  * This function should allow an FS to ask what it's mount security
440  * options were so it can use those later for submounts, displaying
441  * mount options, or whatever.
442  */
443 static int selinux_get_mnt_opts(const struct super_block *sb,
444                                 struct security_mnt_opts *opts)
445 {
446         int rc = 0, i;
447         struct superblock_security_struct *sbsec = sb->s_security;
448         char *context = NULL;
449         u32 len;
450         char tmp;
451
452         security_init_mnt_opts(opts);
453
454         if (!(sbsec->flags & SE_SBINITIALIZED))
455                 return -EINVAL;
456
457         if (!ss_initialized)
458                 return -EINVAL;
459
460         tmp = sbsec->flags & SE_MNTMASK;
461         /* count the number of mount options for this sb */
462         for (i = 0; i < 8; i++) {
463                 if (tmp & 0x01)
464                         opts->num_mnt_opts++;
465                 tmp >>= 1;
466         }
467         /* Check if the Label support flag is set */
468         if (sbsec->flags & SE_SBLABELSUPP)
469                 opts->num_mnt_opts++;
470
471         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472         if (!opts->mnt_opts) {
473                 rc = -ENOMEM;
474                 goto out_free;
475         }
476
477         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478         if (!opts->mnt_opts_flags) {
479                 rc = -ENOMEM;
480                 goto out_free;
481         }
482
483         i = 0;
484         if (sbsec->flags & FSCONTEXT_MNT) {
485                 rc = security_sid_to_context(sbsec->sid, &context, &len);
486                 if (rc)
487                         goto out_free;
488                 opts->mnt_opts[i] = context;
489                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
490         }
491         if (sbsec->flags & CONTEXT_MNT) {
492                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493                 if (rc)
494                         goto out_free;
495                 opts->mnt_opts[i] = context;
496                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
497         }
498         if (sbsec->flags & DEFCONTEXT_MNT) {
499                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500                 if (rc)
501                         goto out_free;
502                 opts->mnt_opts[i] = context;
503                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
504         }
505         if (sbsec->flags & ROOTCONTEXT_MNT) {
506                 struct inode *root = sbsec->sb->s_root->d_inode;
507                 struct inode_security_struct *isec = root->i_security;
508
509                 rc = security_sid_to_context(isec->sid, &context, &len);
510                 if (rc)
511                         goto out_free;
512                 opts->mnt_opts[i] = context;
513                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
514         }
515         if (sbsec->flags & SE_SBLABELSUPP) {
516                 opts->mnt_opts[i] = NULL;
517                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
518         }
519
520         BUG_ON(i != opts->num_mnt_opts);
521
522         return 0;
523
524 out_free:
525         security_free_mnt_opts(opts);
526         return rc;
527 }
528
529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
530                       u32 old_sid, u32 new_sid)
531 {
532         char mnt_flags = sbsec->flags & SE_MNTMASK;
533
534         /* check if the old mount command had the same options */
535         if (sbsec->flags & SE_SBINITIALIZED)
536                 if (!(sbsec->flags & flag) ||
537                     (old_sid != new_sid))
538                         return 1;
539
540         /* check if we were passed the same options twice,
541          * aka someone passed context=a,context=b
542          */
543         if (!(sbsec->flags & SE_SBINITIALIZED))
544                 if (mnt_flags & flag)
545                         return 1;
546         return 0;
547 }
548
549 /*
550  * Allow filesystems with binary mount data to explicitly set mount point
551  * labeling information.
552  */
553 static int selinux_set_mnt_opts(struct super_block *sb,
554                                 struct security_mnt_opts *opts)
555 {
556         const struct cred *cred = current_cred();
557         int rc = 0, i;
558         struct superblock_security_struct *sbsec = sb->s_security;
559         const char *name = sb->s_type->name;
560         struct inode *inode = sbsec->sb->s_root->d_inode;
561         struct inode_security_struct *root_isec = inode->i_security;
562         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
563         u32 defcontext_sid = 0;
564         char **mount_options = opts->mnt_opts;
565         int *flags = opts->mnt_opts_flags;
566         int num_opts = opts->num_mnt_opts;
567
568         mutex_lock(&sbsec->lock);
569
570         if (!ss_initialized) {
571                 if (!num_opts) {
572                         /* Defer initialization until selinux_complete_init,
573                            after the initial policy is loaded and the security
574                            server is ready to handle calls. */
575                         goto out;
576                 }
577                 rc = -EINVAL;
578                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
579                         "before the security server is initialized\n");
580                 goto out;
581         }
582
583         /*
584          * Binary mount data FS will come through this function twice.  Once
585          * from an explicit call and once from the generic calls from the vfs.
586          * Since the generic VFS calls will not contain any security mount data
587          * we need to skip the double mount verification.
588          *
589          * This does open a hole in which we will not notice if the first
590          * mount using this sb set explict options and a second mount using
591          * this sb does not set any security options.  (The first options
592          * will be used for both mounts)
593          */
594         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
595             && (num_opts == 0))
596                 goto out;
597
598         /*
599          * parse the mount options, check if they are valid sids.
600          * also check if someone is trying to mount the same sb more
601          * than once with different security options.
602          */
603         for (i = 0; i < num_opts; i++) {
604                 u32 sid;
605
606                 if (flags[i] == SE_SBLABELSUPP)
607                         continue;
608                 rc = security_context_to_sid(mount_options[i],
609                                              strlen(mount_options[i]), &sid);
610                 if (rc) {
611                         printk(KERN_WARNING "SELinux: security_context_to_sid"
612                                "(%s) failed for (dev %s, type %s) errno=%d\n",
613                                mount_options[i], sb->s_id, name, rc);
614                         goto out;
615                 }
616                 switch (flags[i]) {
617                 case FSCONTEXT_MNT:
618                         fscontext_sid = sid;
619
620                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
621                                         fscontext_sid))
622                                 goto out_double_mount;
623
624                         sbsec->flags |= FSCONTEXT_MNT;
625                         break;
626                 case CONTEXT_MNT:
627                         context_sid = sid;
628
629                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
630                                         context_sid))
631                                 goto out_double_mount;
632
633                         sbsec->flags |= CONTEXT_MNT;
634                         break;
635                 case ROOTCONTEXT_MNT:
636                         rootcontext_sid = sid;
637
638                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
639                                         rootcontext_sid))
640                                 goto out_double_mount;
641
642                         sbsec->flags |= ROOTCONTEXT_MNT;
643
644                         break;
645                 case DEFCONTEXT_MNT:
646                         defcontext_sid = sid;
647
648                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
649                                         defcontext_sid))
650                                 goto out_double_mount;
651
652                         sbsec->flags |= DEFCONTEXT_MNT;
653
654                         break;
655                 default:
656                         rc = -EINVAL;
657                         goto out;
658                 }
659         }
660
661         if (sbsec->flags & SE_SBINITIALIZED) {
662                 /* previously mounted with options, but not on this attempt? */
663                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
664                         goto out_double_mount;
665                 rc = 0;
666                 goto out;
667         }
668
669         if (strcmp(sb->s_type->name, "proc") == 0)
670                 sbsec->flags |= SE_SBPROC;
671
672         /* Determine the labeling behavior to use for this filesystem type. */
673         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
674         if (rc) {
675                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
676                        __func__, sb->s_type->name, rc);
677                 goto out;
678         }
679
680         /* sets the context of the superblock for the fs being mounted. */
681         if (fscontext_sid) {
682                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
683                 if (rc)
684                         goto out;
685
686                 sbsec->sid = fscontext_sid;
687         }
688
689         /*
690          * Switch to using mount point labeling behavior.
691          * sets the label used on all file below the mountpoint, and will set
692          * the superblock context if not already set.
693          */
694         if (context_sid) {
695                 if (!fscontext_sid) {
696                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
697                                                           cred);
698                         if (rc)
699                                 goto out;
700                         sbsec->sid = context_sid;
701                 } else {
702                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
703                                                              cred);
704                         if (rc)
705                                 goto out;
706                 }
707                 if (!rootcontext_sid)
708                         rootcontext_sid = context_sid;
709
710                 sbsec->mntpoint_sid = context_sid;
711                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
712         }
713
714         if (rootcontext_sid) {
715                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
716                                                      cred);
717                 if (rc)
718                         goto out;
719
720                 root_isec->sid = rootcontext_sid;
721                 root_isec->initialized = 1;
722         }
723
724         if (defcontext_sid) {
725                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
726                         rc = -EINVAL;
727                         printk(KERN_WARNING "SELinux: defcontext option is "
728                                "invalid for this filesystem type\n");
729                         goto out;
730                 }
731
732                 if (defcontext_sid != sbsec->def_sid) {
733                         rc = may_context_mount_inode_relabel(defcontext_sid,
734                                                              sbsec, cred);
735                         if (rc)
736                                 goto out;
737                 }
738
739                 sbsec->def_sid = defcontext_sid;
740         }
741
742         rc = sb_finish_set_opts(sb);
743 out:
744         mutex_unlock(&sbsec->lock);
745         return rc;
746 out_double_mount:
747         rc = -EINVAL;
748         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
749                "security settings for (dev %s, type %s)\n", sb->s_id, name);
750         goto out;
751 }
752
753 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754                                         struct super_block *newsb)
755 {
756         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757         struct superblock_security_struct *newsbsec = newsb->s_security;
758
759         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
760         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
761         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
762
763         /*
764          * if the parent was able to be mounted it clearly had no special lsm
765          * mount options.  thus we can safely deal with this superblock later
766          */
767         if (!ss_initialized)
768                 return;
769
770         /* how can we clone if the old one wasn't set up?? */
771         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
772
773         /* if fs is reusing a sb, just let its options stand... */
774         if (newsbsec->flags & SE_SBINITIALIZED)
775                 return;
776
777         mutex_lock(&newsbsec->lock);
778
779         newsbsec->flags = oldsbsec->flags;
780
781         newsbsec->sid = oldsbsec->sid;
782         newsbsec->def_sid = oldsbsec->def_sid;
783         newsbsec->behavior = oldsbsec->behavior;
784
785         if (set_context) {
786                 u32 sid = oldsbsec->mntpoint_sid;
787
788                 if (!set_fscontext)
789                         newsbsec->sid = sid;
790                 if (!set_rootcontext) {
791                         struct inode *newinode = newsb->s_root->d_inode;
792                         struct inode_security_struct *newisec = newinode->i_security;
793                         newisec->sid = sid;
794                 }
795                 newsbsec->mntpoint_sid = sid;
796         }
797         if (set_rootcontext) {
798                 const struct inode *oldinode = oldsb->s_root->d_inode;
799                 const struct inode_security_struct *oldisec = oldinode->i_security;
800                 struct inode *newinode = newsb->s_root->d_inode;
801                 struct inode_security_struct *newisec = newinode->i_security;
802
803                 newisec->sid = oldisec->sid;
804         }
805
806         sb_finish_set_opts(newsb);
807         mutex_unlock(&newsbsec->lock);
808 }
809
810 static int selinux_parse_opts_str(char *options,
811                                   struct security_mnt_opts *opts)
812 {
813         char *p;
814         char *context = NULL, *defcontext = NULL;
815         char *fscontext = NULL, *rootcontext = NULL;
816         int rc, num_mnt_opts = 0;
817
818         opts->num_mnt_opts = 0;
819
820         /* Standard string-based options. */
821         while ((p = strsep(&options, "|")) != NULL) {
822                 int token;
823                 substring_t args[MAX_OPT_ARGS];
824
825                 if (!*p)
826                         continue;
827
828                 token = match_token(p, tokens, args);
829
830                 switch (token) {
831                 case Opt_context:
832                         if (context || defcontext) {
833                                 rc = -EINVAL;
834                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
835                                 goto out_err;
836                         }
837                         context = match_strdup(&args[0]);
838                         if (!context) {
839                                 rc = -ENOMEM;
840                                 goto out_err;
841                         }
842                         break;
843
844                 case Opt_fscontext:
845                         if (fscontext) {
846                                 rc = -EINVAL;
847                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
848                                 goto out_err;
849                         }
850                         fscontext = match_strdup(&args[0]);
851                         if (!fscontext) {
852                                 rc = -ENOMEM;
853                                 goto out_err;
854                         }
855                         break;
856
857                 case Opt_rootcontext:
858                         if (rootcontext) {
859                                 rc = -EINVAL;
860                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
861                                 goto out_err;
862                         }
863                         rootcontext = match_strdup(&args[0]);
864                         if (!rootcontext) {
865                                 rc = -ENOMEM;
866                                 goto out_err;
867                         }
868                         break;
869
870                 case Opt_defcontext:
871                         if (context || defcontext) {
872                                 rc = -EINVAL;
873                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874                                 goto out_err;
875                         }
876                         defcontext = match_strdup(&args[0]);
877                         if (!defcontext) {
878                                 rc = -ENOMEM;
879                                 goto out_err;
880                         }
881                         break;
882                 case Opt_labelsupport:
883                         break;
884                 default:
885                         rc = -EINVAL;
886                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
887                         goto out_err;
888
889                 }
890         }
891
892         rc = -ENOMEM;
893         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
894         if (!opts->mnt_opts)
895                 goto out_err;
896
897         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
898         if (!opts->mnt_opts_flags) {
899                 kfree(opts->mnt_opts);
900                 goto out_err;
901         }
902
903         if (fscontext) {
904                 opts->mnt_opts[num_mnt_opts] = fscontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
906         }
907         if (context) {
908                 opts->mnt_opts[num_mnt_opts] = context;
909                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
910         }
911         if (rootcontext) {
912                 opts->mnt_opts[num_mnt_opts] = rootcontext;
913                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
914         }
915         if (defcontext) {
916                 opts->mnt_opts[num_mnt_opts] = defcontext;
917                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
918         }
919
920         opts->num_mnt_opts = num_mnt_opts;
921         return 0;
922
923 out_err:
924         kfree(context);
925         kfree(defcontext);
926         kfree(fscontext);
927         kfree(rootcontext);
928         return rc;
929 }
930 /*
931  * string mount options parsing and call set the sbsec
932  */
933 static int superblock_doinit(struct super_block *sb, void *data)
934 {
935         int rc = 0;
936         char *options = data;
937         struct security_mnt_opts opts;
938
939         security_init_mnt_opts(&opts);
940
941         if (!data)
942                 goto out;
943
944         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
945
946         rc = selinux_parse_opts_str(options, &opts);
947         if (rc)
948                 goto out_err;
949
950 out:
951         rc = selinux_set_mnt_opts(sb, &opts);
952
953 out_err:
954         security_free_mnt_opts(&opts);
955         return rc;
956 }
957
958 static void selinux_write_opts(struct seq_file *m,
959                                struct security_mnt_opts *opts)
960 {
961         int i;
962         char *prefix;
963
964         for (i = 0; i < opts->num_mnt_opts; i++) {
965                 char *has_comma;
966
967                 if (opts->mnt_opts[i])
968                         has_comma = strchr(opts->mnt_opts[i], ',');
969                 else
970                         has_comma = NULL;
971
972                 switch (opts->mnt_opts_flags[i]) {
973                 case CONTEXT_MNT:
974                         prefix = CONTEXT_STR;
975                         break;
976                 case FSCONTEXT_MNT:
977                         prefix = FSCONTEXT_STR;
978                         break;
979                 case ROOTCONTEXT_MNT:
980                         prefix = ROOTCONTEXT_STR;
981                         break;
982                 case DEFCONTEXT_MNT:
983                         prefix = DEFCONTEXT_STR;
984                         break;
985                 case SE_SBLABELSUPP:
986                         seq_putc(m, ',');
987                         seq_puts(m, LABELSUPP_STR);
988                         continue;
989                 default:
990                         BUG();
991                         return;
992                 };
993                 /* we need a comma before each option */
994                 seq_putc(m, ',');
995                 seq_puts(m, prefix);
996                 if (has_comma)
997                         seq_putc(m, '\"');
998                 seq_puts(m, opts->mnt_opts[i]);
999                 if (has_comma)
1000                         seq_putc(m, '\"');
1001         }
1002 }
1003
1004 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1005 {
1006         struct security_mnt_opts opts;
1007         int rc;
1008
1009         rc = selinux_get_mnt_opts(sb, &opts);
1010         if (rc) {
1011                 /* before policy load we may get EINVAL, don't show anything */
1012                 if (rc == -EINVAL)
1013                         rc = 0;
1014                 return rc;
1015         }
1016
1017         selinux_write_opts(m, &opts);
1018
1019         security_free_mnt_opts(&opts);
1020
1021         return rc;
1022 }
1023
1024 static inline u16 inode_mode_to_security_class(umode_t mode)
1025 {
1026         switch (mode & S_IFMT) {
1027         case S_IFSOCK:
1028                 return SECCLASS_SOCK_FILE;
1029         case S_IFLNK:
1030                 return SECCLASS_LNK_FILE;
1031         case S_IFREG:
1032                 return SECCLASS_FILE;
1033         case S_IFBLK:
1034                 return SECCLASS_BLK_FILE;
1035         case S_IFDIR:
1036                 return SECCLASS_DIR;
1037         case S_IFCHR:
1038                 return SECCLASS_CHR_FILE;
1039         case S_IFIFO:
1040                 return SECCLASS_FIFO_FILE;
1041
1042         }
1043
1044         return SECCLASS_FILE;
1045 }
1046
1047 static inline int default_protocol_stream(int protocol)
1048 {
1049         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050 }
1051
1052 static inline int default_protocol_dgram(int protocol)
1053 {
1054         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055 }
1056
1057 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1058 {
1059         switch (family) {
1060         case PF_UNIX:
1061                 switch (type) {
1062                 case SOCK_STREAM:
1063                 case SOCK_SEQPACKET:
1064                         return SECCLASS_UNIX_STREAM_SOCKET;
1065                 case SOCK_DGRAM:
1066                         return SECCLASS_UNIX_DGRAM_SOCKET;
1067                 }
1068                 break;
1069         case PF_INET:
1070         case PF_INET6:
1071                 switch (type) {
1072                 case SOCK_STREAM:
1073                         if (default_protocol_stream(protocol))
1074                                 return SECCLASS_TCP_SOCKET;
1075                         else
1076                                 return SECCLASS_RAWIP_SOCKET;
1077                 case SOCK_DGRAM:
1078                         if (default_protocol_dgram(protocol))
1079                                 return SECCLASS_UDP_SOCKET;
1080                         else
1081                                 return SECCLASS_RAWIP_SOCKET;
1082                 case SOCK_DCCP:
1083                         return SECCLASS_DCCP_SOCKET;
1084                 default:
1085                         return SECCLASS_RAWIP_SOCKET;
1086                 }
1087                 break;
1088         case PF_NETLINK:
1089                 switch (protocol) {
1090                 case NETLINK_ROUTE:
1091                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1092                 case NETLINK_FIREWALL:
1093                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1094                 case NETLINK_SOCK_DIAG:
1095                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1096                 case NETLINK_NFLOG:
1097                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1098                 case NETLINK_XFRM:
1099                         return SECCLASS_NETLINK_XFRM_SOCKET;
1100                 case NETLINK_SELINUX:
1101                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1102                 case NETLINK_AUDIT:
1103                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1104                 case NETLINK_IP6_FW:
1105                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1106                 case NETLINK_DNRTMSG:
1107                         return SECCLASS_NETLINK_DNRT_SOCKET;
1108                 case NETLINK_KOBJECT_UEVENT:
1109                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1110                 default:
1111                         return SECCLASS_NETLINK_SOCKET;
1112                 }
1113         case PF_PACKET:
1114                 return SECCLASS_PACKET_SOCKET;
1115         case PF_KEY:
1116                 return SECCLASS_KEY_SOCKET;
1117         case PF_APPLETALK:
1118                 return SECCLASS_APPLETALK_SOCKET;
1119         }
1120
1121         return SECCLASS_SOCKET;
1122 }
1123
1124 #ifdef CONFIG_PROC_FS
1125 static int selinux_proc_get_sid(struct dentry *dentry,
1126                                 u16 tclass,
1127                                 u32 *sid)
1128 {
1129         int rc;
1130         char *buffer, *path;
1131
1132         buffer = (char *)__get_free_page(GFP_KERNEL);
1133         if (!buffer)
1134                 return -ENOMEM;
1135
1136         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1137         if (IS_ERR(path))
1138                 rc = PTR_ERR(path);
1139         else {
1140                 /* each process gets a /proc/PID/ entry. Strip off the
1141                  * PID part to get a valid selinux labeling.
1142                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143                 while (path[1] >= '0' && path[1] <= '9') {
1144                         path[1] = '/';
1145                         path++;
1146                 }
1147                 rc = security_genfs_sid("proc", path, tclass, sid);
1148         }
1149         free_page((unsigned long)buffer);
1150         return rc;
1151 }
1152 #else
1153 static int selinux_proc_get_sid(struct dentry *dentry,
1154                                 u16 tclass,
1155                                 u32 *sid)
1156 {
1157         return -EINVAL;
1158 }
1159 #endif
1160
1161 /* The inode's security attributes must be initialized before first use. */
1162 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1163 {
1164         struct superblock_security_struct *sbsec = NULL;
1165         struct inode_security_struct *isec = inode->i_security;
1166         u32 sid;
1167         struct dentry *dentry;
1168 #define INITCONTEXTLEN 255
1169         char *context = NULL;
1170         unsigned len = 0;
1171         int rc = 0;
1172
1173         if (isec->initialized)
1174                 goto out;
1175
1176         mutex_lock(&isec->lock);
1177         if (isec->initialized)
1178                 goto out_unlock;
1179
1180         sbsec = inode->i_sb->s_security;
1181         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1182                 /* Defer initialization until selinux_complete_init,
1183                    after the initial policy is loaded and the security
1184                    server is ready to handle calls. */
1185                 spin_lock(&sbsec->isec_lock);
1186                 if (list_empty(&isec->list))
1187                         list_add(&isec->list, &sbsec->isec_head);
1188                 spin_unlock(&sbsec->isec_lock);
1189                 goto out_unlock;
1190         }
1191
1192         switch (sbsec->behavior) {
1193         case SECURITY_FS_USE_XATTR:
1194                 if (!inode->i_op->getxattr) {
1195                         isec->sid = sbsec->def_sid;
1196                         break;
1197                 }
1198
1199                 /* Need a dentry, since the xattr API requires one.
1200                    Life would be simpler if we could just pass the inode. */
1201                 if (opt_dentry) {
1202                         /* Called from d_instantiate or d_splice_alias. */
1203                         dentry = dget(opt_dentry);
1204                 } else {
1205                         /* Called from selinux_complete_init, try to find a dentry. */
1206                         dentry = d_find_alias(inode);
1207                 }
1208                 if (!dentry) {
1209                         /*
1210                          * this is can be hit on boot when a file is accessed
1211                          * before the policy is loaded.  When we load policy we
1212                          * may find inodes that have no dentry on the
1213                          * sbsec->isec_head list.  No reason to complain as these
1214                          * will get fixed up the next time we go through
1215                          * inode_doinit with a dentry, before these inodes could
1216                          * be used again by userspace.
1217                          */
1218                         goto out_unlock;
1219                 }
1220
1221                 len = INITCONTEXTLEN;
1222                 context = kmalloc(len+1, GFP_NOFS);
1223                 if (!context) {
1224                         rc = -ENOMEM;
1225                         dput(dentry);
1226                         goto out_unlock;
1227                 }
1228                 context[len] = '\0';
1229                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230                                            context, len);
1231                 if (rc == -ERANGE) {
1232                         kfree(context);
1233
1234                         /* Need a larger buffer.  Query for the right size. */
1235                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1236                                                    NULL, 0);
1237                         if (rc < 0) {
1238                                 dput(dentry);
1239                                 goto out_unlock;
1240                         }
1241                         len = rc;
1242                         context = kmalloc(len+1, GFP_NOFS);
1243                         if (!context) {
1244                                 rc = -ENOMEM;
1245                                 dput(dentry);
1246                                 goto out_unlock;
1247                         }
1248                         context[len] = '\0';
1249                         rc = inode->i_op->getxattr(dentry,
1250                                                    XATTR_NAME_SELINUX,
1251                                                    context, len);
1252                 }
1253                 dput(dentry);
1254                 if (rc < 0) {
1255                         if (rc != -ENODATA) {
1256                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1257                                        "%d for dev=%s ino=%ld\n", __func__,
1258                                        -rc, inode->i_sb->s_id, inode->i_ino);
1259                                 kfree(context);
1260                                 goto out_unlock;
1261                         }
1262                         /* Map ENODATA to the default file SID */
1263                         sid = sbsec->def_sid;
1264                         rc = 0;
1265                 } else {
1266                         rc = security_context_to_sid_default(context, rc, &sid,
1267                                                              sbsec->def_sid,
1268                                                              GFP_NOFS);
1269                         if (rc) {
1270                                 char *dev = inode->i_sb->s_id;
1271                                 unsigned long ino = inode->i_ino;
1272
1273                                 if (rc == -EINVAL) {
1274                                         if (printk_ratelimit())
1275                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1277                                                         "filesystem in question.\n", ino, dev, context);
1278                                 } else {
1279                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1280                                                "returned %d for dev=%s ino=%ld\n",
1281                                                __func__, context, -rc, dev, ino);
1282                                 }
1283                                 kfree(context);
1284                                 /* Leave with the unlabeled SID */
1285                                 rc = 0;
1286                                 break;
1287                         }
1288                 }
1289                 kfree(context);
1290                 isec->sid = sid;
1291                 break;
1292         case SECURITY_FS_USE_TASK:
1293                 isec->sid = isec->task_sid;
1294                 break;
1295         case SECURITY_FS_USE_TRANS:
1296                 /* Default to the fs SID. */
1297                 isec->sid = sbsec->sid;
1298
1299                 /* Try to obtain a transition SID. */
1300                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1301                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302                                              isec->sclass, NULL, &sid);
1303                 if (rc)
1304                         goto out_unlock;
1305                 isec->sid = sid;
1306                 break;
1307         case SECURITY_FS_USE_MNTPOINT:
1308                 isec->sid = sbsec->mntpoint_sid;
1309                 break;
1310         default:
1311                 /* Default to the fs superblock SID. */
1312                 isec->sid = sbsec->sid;
1313
1314                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1315                         if (opt_dentry) {
1316                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317                                 rc = selinux_proc_get_sid(opt_dentry,
1318                                                           isec->sclass,
1319                                                           &sid);
1320                                 if (rc)
1321                                         goto out_unlock;
1322                                 isec->sid = sid;
1323                         }
1324                 }
1325                 break;
1326         }
1327
1328         isec->initialized = 1;
1329
1330 out_unlock:
1331         mutex_unlock(&isec->lock);
1332 out:
1333         if (isec->sclass == SECCLASS_FILE)
1334                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1335         return rc;
1336 }
1337
1338 /* Convert a Linux signal to an access vector. */
1339 static inline u32 signal_to_av(int sig)
1340 {
1341         u32 perm = 0;
1342
1343         switch (sig) {
1344         case SIGCHLD:
1345                 /* Commonly granted from child to parent. */
1346                 perm = PROCESS__SIGCHLD;
1347                 break;
1348         case SIGKILL:
1349                 /* Cannot be caught or ignored */
1350                 perm = PROCESS__SIGKILL;
1351                 break;
1352         case SIGSTOP:
1353                 /* Cannot be caught or ignored */
1354                 perm = PROCESS__SIGSTOP;
1355                 break;
1356         default:
1357                 /* All other signals. */
1358                 perm = PROCESS__SIGNAL;
1359                 break;
1360         }
1361
1362         return perm;
1363 }
1364
1365 /*
1366  * Check permission between a pair of credentials
1367  * fork check, ptrace check, etc.
1368  */
1369 static int cred_has_perm(const struct cred *actor,
1370                          const struct cred *target,
1371                          u32 perms)
1372 {
1373         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1374
1375         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1376 }
1377
1378 /*
1379  * Check permission between a pair of tasks, e.g. signal checks,
1380  * fork check, ptrace check, etc.
1381  * tsk1 is the actor and tsk2 is the target
1382  * - this uses the default subjective creds of tsk1
1383  */
1384 static int task_has_perm(const struct task_struct *tsk1,
1385                          const struct task_struct *tsk2,
1386                          u32 perms)
1387 {
1388         const struct task_security_struct *__tsec1, *__tsec2;
1389         u32 sid1, sid2;
1390
1391         rcu_read_lock();
1392         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1393         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1394         rcu_read_unlock();
1395         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1396 }
1397
1398 /*
1399  * Check permission between current and another task, e.g. signal checks,
1400  * fork check, ptrace check, etc.
1401  * current is the actor and tsk2 is the target
1402  * - this uses current's subjective creds
1403  */
1404 static int current_has_perm(const struct task_struct *tsk,
1405                             u32 perms)
1406 {
1407         u32 sid, tsid;
1408
1409         sid = current_sid();
1410         tsid = task_sid(tsk);
1411         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 #if CAP_LAST_CAP > 63
1415 #error Fix SELinux to handle capabilities > 63.
1416 #endif
1417
1418 /* Check whether a task is allowed to use a capability. */
1419 static int cred_has_capability(const struct cred *cred,
1420                                int cap, int audit)
1421 {
1422         struct common_audit_data ad;
1423         struct selinux_audit_data sad = {0,};
1424         struct av_decision avd;
1425         u16 sclass;
1426         u32 sid = cred_sid(cred);
1427         u32 av = CAP_TO_MASK(cap);
1428         int rc;
1429
1430         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1431         ad.selinux_audit_data = &sad;
1432         ad.tsk = current;
1433         ad.u.cap = cap;
1434
1435         switch (CAP_TO_INDEX(cap)) {
1436         case 0:
1437                 sclass = SECCLASS_CAPABILITY;
1438                 break;
1439         case 1:
1440                 sclass = SECCLASS_CAPABILITY2;
1441                 break;
1442         default:
1443                 printk(KERN_ERR
1444                        "SELinux:  out of range capability %d\n", cap);
1445                 BUG();
1446                 return -EINVAL;
1447         }
1448
1449         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1450         if (audit == SECURITY_CAP_AUDIT) {
1451                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1452                 if (rc2)
1453                         return rc2;
1454         }
1455         return rc;
1456 }
1457
1458 /* Check whether a task is allowed to use a system operation. */
1459 static int task_has_system(struct task_struct *tsk,
1460                            u32 perms)
1461 {
1462         u32 sid = task_sid(tsk);
1463
1464         return avc_has_perm(sid, SECINITSID_KERNEL,
1465                             SECCLASS_SYSTEM, perms, NULL);
1466 }
1467
1468 /* Check whether a task has a particular permission to an inode.
1469    The 'adp' parameter is optional and allows other audit
1470    data to be passed (e.g. the dentry). */
1471 static int inode_has_perm(const struct cred *cred,
1472                           struct inode *inode,
1473                           u32 perms,
1474                           struct common_audit_data *adp,
1475                           unsigned flags)
1476 {
1477         struct inode_security_struct *isec;
1478         u32 sid;
1479
1480         validate_creds(cred);
1481
1482         if (unlikely(IS_PRIVATE(inode)))
1483                 return 0;
1484
1485         sid = cred_sid(cred);
1486         isec = inode->i_security;
1487
1488         return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1489 }
1490
1491 static int inode_has_perm_noadp(const struct cred *cred,
1492                                 struct inode *inode,
1493                                 u32 perms,
1494                                 unsigned flags)
1495 {
1496         struct common_audit_data ad;
1497         struct selinux_audit_data sad = {0,};
1498
1499         COMMON_AUDIT_DATA_INIT(&ad, INODE);
1500         ad.u.inode = inode;
1501         ad.selinux_audit_data = &sad;
1502         return inode_has_perm(cred, inode, perms, &ad, flags);
1503 }
1504
1505 /* Same as inode_has_perm, but pass explicit audit data containing
1506    the dentry to help the auditing code to more easily generate the
1507    pathname if needed. */
1508 static inline int dentry_has_perm(const struct cred *cred,
1509                                   struct dentry *dentry,
1510                                   u32 av)
1511 {
1512         struct inode *inode = dentry->d_inode;
1513         struct common_audit_data ad;
1514         struct selinux_audit_data sad = {0,};
1515
1516         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1517         ad.u.dentry = dentry;
1518         ad.selinux_audit_data = &sad;
1519         return inode_has_perm(cred, inode, av, &ad, 0);
1520 }
1521
1522 /* Same as inode_has_perm, but pass explicit audit data containing
1523    the path to help the auditing code to more easily generate the
1524    pathname if needed. */
1525 static inline int path_has_perm(const struct cred *cred,
1526                                 struct path *path,
1527                                 u32 av)
1528 {
1529         struct inode *inode = path->dentry->d_inode;
1530         struct common_audit_data ad;
1531         struct selinux_audit_data sad = {0,};
1532
1533         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1534         ad.u.path = *path;
1535         ad.selinux_audit_data = &sad;
1536         return inode_has_perm(cred, inode, av, &ad, 0);
1537 }
1538
1539 /* Check whether a task can use an open file descriptor to
1540    access an inode in a given way.  Check access to the
1541    descriptor itself, and then use dentry_has_perm to
1542    check a particular permission to the file.
1543    Access to the descriptor is implicitly granted if it
1544    has the same SID as the process.  If av is zero, then
1545    access to the file is not checked, e.g. for cases
1546    where only the descriptor is affected like seek. */
1547 static int file_has_perm(const struct cred *cred,
1548                          struct file *file,
1549                          u32 av)
1550 {
1551         struct file_security_struct *fsec = file->f_security;
1552         struct inode *inode = file->f_path.dentry->d_inode;
1553         struct common_audit_data ad;
1554         struct selinux_audit_data sad = {0,};
1555         u32 sid = cred_sid(cred);
1556         int rc;
1557
1558         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1559         ad.u.path = file->f_path;
1560         ad.selinux_audit_data = &sad;
1561
1562         if (sid != fsec->sid) {
1563                 rc = avc_has_perm(sid, fsec->sid,
1564                                   SECCLASS_FD,
1565                                   FD__USE,
1566                                   &ad);
1567                 if (rc)
1568                         goto out;
1569         }
1570
1571         /* av is zero if only checking access to the descriptor. */
1572         rc = 0;
1573         if (av)
1574                 rc = inode_has_perm(cred, inode, av, &ad, 0);
1575
1576 out:
1577         return rc;
1578 }
1579
1580 /* Check whether a task can create a file. */
1581 static int may_create(struct inode *dir,
1582                       struct dentry *dentry,
1583                       u16 tclass)
1584 {
1585         const struct task_security_struct *tsec = current_security();
1586         struct inode_security_struct *dsec;
1587         struct superblock_security_struct *sbsec;
1588         u32 sid, newsid;
1589         struct common_audit_data ad;
1590         struct selinux_audit_data sad = {0,};
1591         int rc;
1592
1593         dsec = dir->i_security;
1594         sbsec = dir->i_sb->s_security;
1595
1596         sid = tsec->sid;
1597         newsid = tsec->create_sid;
1598
1599         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1600         ad.u.dentry = dentry;
1601         ad.selinux_audit_data = &sad;
1602
1603         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1604                           DIR__ADD_NAME | DIR__SEARCH,
1605                           &ad);
1606         if (rc)
1607                 return rc;
1608
1609         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1610                 rc = security_transition_sid(sid, dsec->sid, tclass,
1611                                              &dentry->d_name, &newsid);
1612                 if (rc)
1613                         return rc;
1614         }
1615
1616         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1617         if (rc)
1618                 return rc;
1619
1620         return avc_has_perm(newsid, sbsec->sid,
1621                             SECCLASS_FILESYSTEM,
1622                             FILESYSTEM__ASSOCIATE, &ad);
1623 }
1624
1625 /* Check whether a task can create a key. */
1626 static int may_create_key(u32 ksid,
1627                           struct task_struct *ctx)
1628 {
1629         u32 sid = task_sid(ctx);
1630
1631         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1632 }
1633
1634 #define MAY_LINK        0
1635 #define MAY_UNLINK      1
1636 #define MAY_RMDIR       2
1637
1638 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1639 static int may_link(struct inode *dir,
1640                     struct dentry *dentry,
1641                     int kind)
1642
1643 {
1644         struct inode_security_struct *dsec, *isec;
1645         struct common_audit_data ad;
1646         struct selinux_audit_data sad = {0,};
1647         u32 sid = current_sid();
1648         u32 av;
1649         int rc;
1650
1651         dsec = dir->i_security;
1652         isec = dentry->d_inode->i_security;
1653
1654         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1655         ad.u.dentry = dentry;
1656         ad.selinux_audit_data = &sad;
1657
1658         av = DIR__SEARCH;
1659         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1660         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1661         if (rc)
1662                 return rc;
1663
1664         switch (kind) {
1665         case MAY_LINK:
1666                 av = FILE__LINK;
1667                 break;
1668         case MAY_UNLINK:
1669                 av = FILE__UNLINK;
1670                 break;
1671         case MAY_RMDIR:
1672                 av = DIR__RMDIR;
1673                 break;
1674         default:
1675                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1676                         __func__, kind);
1677                 return 0;
1678         }
1679
1680         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1681         return rc;
1682 }
1683
1684 static inline int may_rename(struct inode *old_dir,
1685                              struct dentry *old_dentry,
1686                              struct inode *new_dir,
1687                              struct dentry *new_dentry)
1688 {
1689         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1690         struct common_audit_data ad;
1691         struct selinux_audit_data sad = {0,};
1692         u32 sid = current_sid();
1693         u32 av;
1694         int old_is_dir, new_is_dir;
1695         int rc;
1696
1697         old_dsec = old_dir->i_security;
1698         old_isec = old_dentry->d_inode->i_security;
1699         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1700         new_dsec = new_dir->i_security;
1701
1702         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1703         ad.selinux_audit_data = &sad;
1704
1705         ad.u.dentry = old_dentry;
1706         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1707                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1708         if (rc)
1709                 return rc;
1710         rc = avc_has_perm(sid, old_isec->sid,
1711                           old_isec->sclass, FILE__RENAME, &ad);
1712         if (rc)
1713                 return rc;
1714         if (old_is_dir && new_dir != old_dir) {
1715                 rc = avc_has_perm(sid, old_isec->sid,
1716                                   old_isec->sclass, DIR__REPARENT, &ad);
1717                 if (rc)
1718                         return rc;
1719         }
1720
1721         ad.u.dentry = new_dentry;
1722         av = DIR__ADD_NAME | DIR__SEARCH;
1723         if (new_dentry->d_inode)
1724                 av |= DIR__REMOVE_NAME;
1725         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1726         if (rc)
1727                 return rc;
1728         if (new_dentry->d_inode) {
1729                 new_isec = new_dentry->d_inode->i_security;
1730                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1731                 rc = avc_has_perm(sid, new_isec->sid,
1732                                   new_isec->sclass,
1733                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1734                 if (rc)
1735                         return rc;
1736         }
1737
1738         return 0;
1739 }
1740
1741 /* Check whether a task can perform a filesystem operation. */
1742 static int superblock_has_perm(const struct cred *cred,
1743                                struct super_block *sb,
1744                                u32 perms,
1745                                struct common_audit_data *ad)
1746 {
1747         struct superblock_security_struct *sbsec;
1748         u32 sid = cred_sid(cred);
1749
1750         sbsec = sb->s_security;
1751         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1752 }
1753
1754 /* Convert a Linux mode and permission mask to an access vector. */
1755 static inline u32 file_mask_to_av(int mode, int mask)
1756 {
1757         u32 av = 0;
1758
1759         if (!S_ISDIR(mode)) {
1760                 if (mask & MAY_EXEC)
1761                         av |= FILE__EXECUTE;
1762                 if (mask & MAY_READ)
1763                         av |= FILE__READ;
1764
1765                 if (mask & MAY_APPEND)
1766                         av |= FILE__APPEND;
1767                 else if (mask & MAY_WRITE)
1768                         av |= FILE__WRITE;
1769
1770         } else {
1771                 if (mask & MAY_EXEC)
1772                         av |= DIR__SEARCH;
1773                 if (mask & MAY_WRITE)
1774                         av |= DIR__WRITE;
1775                 if (mask & MAY_READ)
1776                         av |= DIR__READ;
1777         }
1778
1779         return av;
1780 }
1781
1782 /* Convert a Linux file to an access vector. */
1783 static inline u32 file_to_av(struct file *file)
1784 {
1785         u32 av = 0;
1786
1787         if (file->f_mode & FMODE_READ)
1788                 av |= FILE__READ;
1789         if (file->f_mode & FMODE_WRITE) {
1790                 if (file->f_flags & O_APPEND)
1791                         av |= FILE__APPEND;
1792                 else
1793                         av |= FILE__WRITE;
1794         }
1795         if (!av) {
1796                 /*
1797                  * Special file opened with flags 3 for ioctl-only use.
1798                  */
1799                 av = FILE__IOCTL;
1800         }
1801
1802         return av;
1803 }
1804
1805 /*
1806  * Convert a file to an access vector and include the correct open
1807  * open permission.
1808  */
1809 static inline u32 open_file_to_av(struct file *file)
1810 {
1811         u32 av = file_to_av(file);
1812
1813         if (selinux_policycap_openperm)
1814                 av |= FILE__OPEN;
1815
1816         return av;
1817 }
1818
1819 /* Hook functions begin here. */
1820
1821 static int selinux_ptrace_access_check(struct task_struct *child,
1822                                      unsigned int mode)
1823 {
1824         int rc;
1825
1826         rc = cap_ptrace_access_check(child, mode);
1827         if (rc)
1828                 return rc;
1829
1830         if (mode & PTRACE_MODE_READ) {
1831                 u32 sid = current_sid();
1832                 u32 csid = task_sid(child);
1833                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1834         }
1835
1836         return current_has_perm(child, PROCESS__PTRACE);
1837 }
1838
1839 static int selinux_ptrace_traceme(struct task_struct *parent)
1840 {
1841         int rc;
1842
1843         rc = cap_ptrace_traceme(parent);
1844         if (rc)
1845                 return rc;
1846
1847         return task_has_perm(parent, current, PROCESS__PTRACE);
1848 }
1849
1850 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1851                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1852 {
1853         int error;
1854
1855         error = current_has_perm(target, PROCESS__GETCAP);
1856         if (error)
1857                 return error;
1858
1859         return cap_capget(target, effective, inheritable, permitted);
1860 }
1861
1862 static int selinux_capset(struct cred *new, const struct cred *old,
1863                           const kernel_cap_t *effective,
1864                           const kernel_cap_t *inheritable,
1865                           const kernel_cap_t *permitted)
1866 {
1867         int error;
1868
1869         error = cap_capset(new, old,
1870                                       effective, inheritable, permitted);
1871         if (error)
1872                 return error;
1873
1874         return cred_has_perm(old, new, PROCESS__SETCAP);
1875 }
1876
1877 /*
1878  * (This comment used to live with the selinux_task_setuid hook,
1879  * which was removed).
1880  *
1881  * Since setuid only affects the current process, and since the SELinux
1882  * controls are not based on the Linux identity attributes, SELinux does not
1883  * need to control this operation.  However, SELinux does control the use of
1884  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1885  */
1886
1887 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1888                            int cap, int audit)
1889 {
1890         int rc;
1891
1892         rc = cap_capable(cred, ns, cap, audit);
1893         if (rc)
1894                 return rc;
1895
1896         return cred_has_capability(cred, cap, audit);
1897 }
1898
1899 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1900 {
1901         const struct cred *cred = current_cred();
1902         int rc = 0;
1903
1904         if (!sb)
1905                 return 0;
1906
1907         switch (cmds) {
1908         case Q_SYNC:
1909         case Q_QUOTAON:
1910         case Q_QUOTAOFF:
1911         case Q_SETINFO:
1912         case Q_SETQUOTA:
1913                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1914                 break;
1915         case Q_GETFMT:
1916         case Q_GETINFO:
1917         case Q_GETQUOTA:
1918                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1919                 break;
1920         default:
1921                 rc = 0;  /* let the kernel handle invalid cmds */
1922                 break;
1923         }
1924         return rc;
1925 }
1926
1927 static int selinux_quota_on(struct dentry *dentry)
1928 {
1929         const struct cred *cred = current_cred();
1930
1931         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1932 }
1933
1934 static int selinux_syslog(int type)
1935 {
1936         int rc;
1937
1938         switch (type) {
1939         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1940         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1941                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1942                 break;
1943         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1944         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1945         /* Set level of messages printed to console */
1946         case SYSLOG_ACTION_CONSOLE_LEVEL:
1947                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1948                 break;
1949         case SYSLOG_ACTION_CLOSE:       /* Close log */
1950         case SYSLOG_ACTION_OPEN:        /* Open log */
1951         case SYSLOG_ACTION_READ:        /* Read from log */
1952         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1953         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1954         default:
1955                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1956                 break;
1957         }
1958         return rc;
1959 }
1960
1961 /*
1962  * Check that a process has enough memory to allocate a new virtual
1963  * mapping. 0 means there is enough memory for the allocation to
1964  * succeed and -ENOMEM implies there is not.
1965  *
1966  * Do not audit the selinux permission check, as this is applied to all
1967  * processes that allocate mappings.
1968  */
1969 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1970 {
1971         int rc, cap_sys_admin = 0;
1972
1973         rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1974                              SECURITY_CAP_NOAUDIT);
1975         if (rc == 0)
1976                 cap_sys_admin = 1;
1977
1978         return __vm_enough_memory(mm, pages, cap_sys_admin);
1979 }
1980
1981 /* binprm security operations */
1982
1983 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1984 {
1985         const struct task_security_struct *old_tsec;
1986         struct task_security_struct *new_tsec;
1987         struct inode_security_struct *isec;
1988         struct common_audit_data ad;
1989         struct selinux_audit_data sad = {0,};
1990         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1991         int rc;
1992
1993         rc = cap_bprm_set_creds(bprm);
1994         if (rc)
1995                 return rc;
1996
1997         /* SELinux context only depends on initial program or script and not
1998          * the script interpreter */
1999         if (bprm->cred_prepared)
2000                 return 0;
2001
2002         old_tsec = current_security();
2003         new_tsec = bprm->cred->security;
2004         isec = inode->i_security;
2005
2006         /* Default to the current task SID. */
2007         new_tsec->sid = old_tsec->sid;
2008         new_tsec->osid = old_tsec->sid;
2009
2010         /* Reset fs, key, and sock SIDs on execve. */
2011         new_tsec->create_sid = 0;
2012         new_tsec->keycreate_sid = 0;
2013         new_tsec->sockcreate_sid = 0;
2014
2015         if (old_tsec->exec_sid) {
2016                 new_tsec->sid = old_tsec->exec_sid;
2017                 /* Reset exec SID on execve. */
2018                 new_tsec->exec_sid = 0;
2019         } else {
2020                 /* Check for a default transition on this program. */
2021                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2022                                              SECCLASS_PROCESS, NULL,
2023                                              &new_tsec->sid);
2024                 if (rc)
2025                         return rc;
2026         }
2027
2028         COMMON_AUDIT_DATA_INIT(&ad, PATH);
2029         ad.selinux_audit_data = &sad;
2030         ad.u.path = bprm->file->f_path;
2031
2032         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2033                 new_tsec->sid = old_tsec->sid;
2034
2035         if (new_tsec->sid == old_tsec->sid) {
2036                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2037                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2038                 if (rc)
2039                         return rc;
2040         } else {
2041                 /* Check permissions for the transition. */
2042                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2043                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2044                 if (rc)
2045                         return rc;
2046
2047                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2048                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2049                 if (rc)
2050                         return rc;
2051
2052                 /* Check for shared state */
2053                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2054                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2055                                           SECCLASS_PROCESS, PROCESS__SHARE,
2056                                           NULL);
2057                         if (rc)
2058                                 return -EPERM;
2059                 }
2060
2061                 /* Make sure that anyone attempting to ptrace over a task that
2062                  * changes its SID has the appropriate permit */
2063                 if (bprm->unsafe &
2064                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2065                         struct task_struct *tracer;
2066                         struct task_security_struct *sec;
2067                         u32 ptsid = 0;
2068
2069                         rcu_read_lock();
2070                         tracer = ptrace_parent(current);
2071                         if (likely(tracer != NULL)) {
2072                                 sec = __task_cred(tracer)->security;
2073                                 ptsid = sec->sid;
2074                         }
2075                         rcu_read_unlock();
2076
2077                         if (ptsid != 0) {
2078                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2079                                                   SECCLASS_PROCESS,
2080                                                   PROCESS__PTRACE, NULL);
2081                                 if (rc)
2082                                         return -EPERM;
2083                         }
2084                 }
2085
2086                 /* Clear any possibly unsafe personality bits on exec: */
2087                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2088         }
2089
2090         return 0;
2091 }
2092
2093 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2094 {
2095         const struct task_security_struct *tsec = current_security();
2096         u32 sid, osid;
2097         int atsecure = 0;
2098
2099         sid = tsec->sid;
2100         osid = tsec->osid;
2101
2102         if (osid != sid) {
2103                 /* Enable secure mode for SIDs transitions unless
2104                    the noatsecure permission is granted between
2105                    the two SIDs, i.e. ahp returns 0. */
2106                 atsecure = avc_has_perm(osid, sid,
2107                                         SECCLASS_PROCESS,
2108                                         PROCESS__NOATSECURE, NULL);
2109         }
2110
2111         return (atsecure || cap_bprm_secureexec(bprm));
2112 }
2113
2114 /* Derived from fs/exec.c:flush_old_files. */
2115 static inline void flush_unauthorized_files(const struct cred *cred,
2116                                             struct files_struct *files)
2117 {
2118         struct common_audit_data ad;
2119         struct selinux_audit_data sad = {0,};
2120         struct file *file, *devnull = NULL;
2121         struct tty_struct *tty;
2122         struct fdtable *fdt;
2123         long j = -1;
2124         int drop_tty = 0;
2125
2126         tty = get_current_tty();
2127         if (tty) {
2128                 spin_lock(&tty_files_lock);
2129                 if (!list_empty(&tty->tty_files)) {
2130                         struct tty_file_private *file_priv;
2131                         struct inode *inode;
2132
2133                         /* Revalidate access to controlling tty.
2134                            Use inode_has_perm on the tty inode directly rather
2135                            than using file_has_perm, as this particular open
2136                            file may belong to another process and we are only
2137                            interested in the inode-based check here. */
2138                         file_priv = list_first_entry(&tty->tty_files,
2139                                                 struct tty_file_private, list);
2140                         file = file_priv->file;
2141                         inode = file->f_path.dentry->d_inode;
2142                         if (inode_has_perm_noadp(cred, inode,
2143                                            FILE__READ | FILE__WRITE, 0)) {
2144                                 drop_tty = 1;
2145                         }
2146                 }
2147                 spin_unlock(&tty_files_lock);
2148                 tty_kref_put(tty);
2149         }
2150         /* Reset controlling tty. */
2151         if (drop_tty)
2152                 no_tty();
2153
2154         /* Revalidate access to inherited open files. */
2155
2156         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2157         ad.selinux_audit_data = &sad;
2158
2159         spin_lock(&files->file_lock);
2160         for (;;) {
2161                 unsigned long set, i;
2162                 int fd;
2163
2164                 j++;
2165                 i = j * __NFDBITS;
2166                 fdt = files_fdtable(files);
2167                 if (i >= fdt->max_fds)
2168                         break;
2169                 set = fdt->open_fds[j];
2170                 if (!set)
2171                         continue;
2172                 spin_unlock(&files->file_lock);
2173                 for ( ; set ; i++, set >>= 1) {
2174                         if (set & 1) {
2175                                 file = fget(i);
2176                                 if (!file)
2177                                         continue;
2178                                 if (file_has_perm(cred,
2179                                                   file,
2180                                                   file_to_av(file))) {
2181                                         sys_close(i);
2182                                         fd = get_unused_fd();
2183                                         if (fd != i) {
2184                                                 if (fd >= 0)
2185                                                         put_unused_fd(fd);
2186                                                 fput(file);
2187                                                 continue;
2188                                         }
2189                                         if (devnull) {
2190                                                 get_file(devnull);
2191                                         } else {
2192                                                 devnull = dentry_open(
2193                                                         dget(selinux_null),
2194                                                         mntget(selinuxfs_mount),
2195                                                         O_RDWR, cred);
2196                                                 if (IS_ERR(devnull)) {
2197                                                         devnull = NULL;
2198                                                         put_unused_fd(fd);
2199                                                         fput(file);
2200                                                         continue;
2201                                                 }
2202                                         }
2203                                         fd_install(fd, devnull);
2204                                 }
2205                                 fput(file);
2206                         }
2207                 }
2208                 spin_lock(&files->file_lock);
2209
2210         }
2211         spin_unlock(&files->file_lock);
2212 }
2213
2214 /*
2215  * Prepare a process for imminent new credential changes due to exec
2216  */
2217 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2218 {
2219         struct task_security_struct *new_tsec;
2220         struct rlimit *rlim, *initrlim;
2221         int rc, i;
2222
2223         new_tsec = bprm->cred->security;
2224         if (new_tsec->sid == new_tsec->osid)
2225                 return;
2226
2227         /* Close files for which the new task SID is not authorized. */
2228         flush_unauthorized_files(bprm->cred, current->files);
2229
2230         /* Always clear parent death signal on SID transitions. */
2231         current->pdeath_signal = 0;
2232
2233         /* Check whether the new SID can inherit resource limits from the old
2234          * SID.  If not, reset all soft limits to the lower of the current
2235          * task's hard limit and the init task's soft limit.
2236          *
2237          * Note that the setting of hard limits (even to lower them) can be
2238          * controlled by the setrlimit check.  The inclusion of the init task's
2239          * soft limit into the computation is to avoid resetting soft limits
2240          * higher than the default soft limit for cases where the default is
2241          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2242          */
2243         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2244                           PROCESS__RLIMITINH, NULL);
2245         if (rc) {
2246                 /* protect against do_prlimit() */
2247                 task_lock(current);
2248                 for (i = 0; i < RLIM_NLIMITS; i++) {
2249                         rlim = current->signal->rlim + i;
2250                         initrlim = init_task.signal->rlim + i;
2251                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2252                 }
2253                 task_unlock(current);
2254                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2255         }
2256 }
2257
2258 /*
2259  * Clean up the process immediately after the installation of new credentials
2260  * due to exec
2261  */
2262 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2263 {
2264         const struct task_security_struct *tsec = current_security();
2265         struct itimerval itimer;
2266         u32 osid, sid;
2267         int rc, i;
2268
2269         osid = tsec->osid;
2270         sid = tsec->sid;
2271
2272         if (sid == osid)
2273                 return;
2274
2275         /* Check whether the new SID can inherit signal state from the old SID.
2276          * If not, clear itimers to avoid subsequent signal generation and
2277          * flush and unblock signals.
2278          *
2279          * This must occur _after_ the task SID has been updated so that any
2280          * kill done after the flush will be checked against the new SID.
2281          */
2282         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2283         if (rc) {
2284                 memset(&itimer, 0, sizeof itimer);
2285                 for (i = 0; i < 3; i++)
2286                         do_setitimer(i, &itimer, NULL);
2287                 spin_lock_irq(&current->sighand->siglock);
2288                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2289                         __flush_signals(current);
2290                         flush_signal_handlers(current, 1);
2291                         sigemptyset(&current->blocked);
2292                 }
2293                 spin_unlock_irq(&current->sighand->siglock);
2294         }
2295
2296         /* Wake up the parent if it is waiting so that it can recheck
2297          * wait permission to the new task SID. */
2298         read_lock(&tasklist_lock);
2299         __wake_up_parent(current, current->real_parent);
2300         read_unlock(&tasklist_lock);
2301 }
2302
2303 /* superblock security operations */
2304
2305 static int selinux_sb_alloc_security(struct super_block *sb)
2306 {
2307         return superblock_alloc_security(sb);
2308 }
2309
2310 static void selinux_sb_free_security(struct super_block *sb)
2311 {
2312         superblock_free_security(sb);
2313 }
2314
2315 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2316 {
2317         if (plen > olen)
2318                 return 0;
2319
2320         return !memcmp(prefix, option, plen);
2321 }
2322
2323 static inline int selinux_option(char *option, int len)
2324 {
2325         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2326                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2327                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2328                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2329                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2330 }
2331
2332 static inline void take_option(char **to, char *from, int *first, int len)
2333 {
2334         if (!*first) {
2335                 **to = ',';
2336                 *to += 1;
2337         } else
2338                 *first = 0;
2339         memcpy(*to, from, len);
2340         *to += len;
2341 }
2342
2343 static inline void take_selinux_option(char **to, char *from, int *first,
2344                                        int len)
2345 {
2346         int current_size = 0;
2347
2348         if (!*first) {
2349                 **to = '|';
2350                 *to += 1;
2351         } else
2352                 *first = 0;
2353
2354         while (current_size < len) {
2355                 if (*from != '"') {
2356                         **to = *from;
2357                         *to += 1;
2358                 }
2359                 from += 1;
2360                 current_size += 1;
2361         }
2362 }
2363
2364 static int selinux_sb_copy_data(char *orig, char *copy)
2365 {
2366         int fnosec, fsec, rc = 0;
2367         char *in_save, *in_curr, *in_end;
2368         char *sec_curr, *nosec_save, *nosec;
2369         int open_quote = 0;
2370
2371         in_curr = orig;
2372         sec_curr = copy;
2373
2374         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2375         if (!nosec) {
2376                 rc = -ENOMEM;
2377                 goto out;
2378         }
2379
2380         nosec_save = nosec;
2381         fnosec = fsec = 1;
2382         in_save = in_end = orig;
2383
2384         do {
2385                 if (*in_end == '"')
2386                         open_quote = !open_quote;
2387                 if ((*in_end == ',' && open_quote == 0) ||
2388                                 *in_end == '\0') {
2389                         int len = in_end - in_curr;
2390
2391                         if (selinux_option(in_curr, len))
2392                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2393                         else
2394                                 take_option(&nosec, in_curr, &fnosec, len);
2395
2396                         in_curr = in_end + 1;
2397                 }
2398         } while (*in_end++);
2399
2400         strcpy(in_save, nosec_save);
2401         free_page((unsigned long)nosec_save);
2402 out:
2403         return rc;
2404 }
2405
2406 static int selinux_sb_remount(struct super_block *sb, void *data)
2407 {
2408         int rc, i, *flags;
2409         struct security_mnt_opts opts;
2410         char *secdata, **mount_options;
2411         struct superblock_security_struct *sbsec = sb->s_security;
2412
2413         if (!(sbsec->flags & SE_SBINITIALIZED))
2414                 return 0;
2415
2416         if (!data)
2417                 return 0;
2418
2419         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2420                 return 0;
2421
2422         security_init_mnt_opts(&opts);
2423         secdata = alloc_secdata();
2424         if (!secdata)
2425                 return -ENOMEM;
2426         rc = selinux_sb_copy_data(data, secdata);
2427         if (rc)
2428                 goto out_free_secdata;
2429
2430         rc = selinux_parse_opts_str(secdata, &opts);
2431         if (rc)
2432                 goto out_free_secdata;
2433
2434         mount_options = opts.mnt_opts;
2435         flags = opts.mnt_opts_flags;
2436
2437         for (i = 0; i < opts.num_mnt_opts; i++) {
2438                 u32 sid;
2439                 size_t len;
2440
2441                 if (flags[i] == SE_SBLABELSUPP)
2442                         continue;
2443                 len = strlen(mount_options[i]);
2444                 rc = security_context_to_sid(mount_options[i], len, &sid);
2445                 if (rc) {
2446                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2447                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2448                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2449                         goto out_free_opts;
2450                 }
2451                 rc = -EINVAL;
2452                 switch (flags[i]) {
2453                 case FSCONTEXT_MNT:
2454                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2455                                 goto out_bad_option;
2456                         break;
2457                 case CONTEXT_MNT:
2458                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2459                                 goto out_bad_option;
2460                         break;
2461                 case ROOTCONTEXT_MNT: {
2462                         struct inode_security_struct *root_isec;
2463                         root_isec = sb->s_root->d_inode->i_security;
2464
2465                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2466                                 goto out_bad_option;
2467                         break;
2468                 }
2469                 case DEFCONTEXT_MNT:
2470                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2471                                 goto out_bad_option;
2472                         break;
2473                 default:
2474                         goto out_free_opts;
2475                 }
2476         }
2477
2478         rc = 0;
2479 out_free_opts:
2480         security_free_mnt_opts(&opts);
2481 out_free_secdata:
2482         free_secdata(secdata);
2483         return rc;
2484 out_bad_option:
2485         printk(KERN_WARNING "SELinux: unable to change security options "
2486                "during remount (dev %s, type=%s)\n", sb->s_id,
2487                sb->s_type->name);
2488         goto out_free_opts;
2489 }
2490
2491 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2492 {
2493         const struct cred *cred = current_cred();
2494         struct common_audit_data ad;
2495         struct selinux_audit_data sad = {0,};
2496         int rc;
2497
2498         rc = superblock_doinit(sb, data);
2499         if (rc)
2500                 return rc;
2501
2502         /* Allow all mounts performed by the kernel */
2503         if (flags & MS_KERNMOUNT)
2504                 return 0;
2505
2506         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2507         ad.selinux_audit_data = &sad;
2508         ad.u.dentry = sb->s_root;
2509         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2510 }
2511
2512 static int selinux_sb_statfs(struct dentry *dentry)
2513 {
2514         const struct cred *cred = current_cred();
2515         struct common_audit_data ad;
2516         struct selinux_audit_data sad = {0,};
2517
2518         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2519         ad.selinux_audit_data = &sad;
2520         ad.u.dentry = dentry->d_sb->s_root;
2521         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2522 }
2523
2524 static int selinux_mount(char *dev_name,
2525                          struct path *path,
2526                          char *type,
2527                          unsigned long flags,
2528                          void *data)
2529 {
2530         const struct cred *cred = current_cred();
2531
2532         if (flags & MS_REMOUNT)
2533                 return superblock_has_perm(cred, path->dentry->d_sb,
2534                                            FILESYSTEM__REMOUNT, NULL);
2535         else
2536                 return path_has_perm(cred, path, FILE__MOUNTON);
2537 }
2538
2539 static int selinux_umount(struct vfsmount *mnt, int flags)
2540 {
2541         const struct cred *cred = current_cred();
2542
2543         return superblock_has_perm(cred, mnt->mnt_sb,
2544                                    FILESYSTEM__UNMOUNT, NULL);
2545 }
2546
2547 /* inode security operations */
2548
2549 static int selinux_inode_alloc_security(struct inode *inode)
2550 {
2551         return inode_alloc_security(inode);
2552 }
2553
2554 static void selinux_inode_free_security(struct inode *inode)
2555 {
2556         inode_free_security(inode);
2557 }
2558
2559 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2560                                        const struct qstr *qstr, char **name,
2561                                        void **value, size_t *len)
2562 {
2563         const struct task_security_struct *tsec = current_security();
2564         struct inode_security_struct *dsec;
2565         struct superblock_security_struct *sbsec;
2566         u32 sid, newsid, clen;
2567         int rc;
2568         char *namep = NULL, *context;
2569
2570         dsec = dir->i_security;
2571         sbsec = dir->i_sb->s_security;
2572
2573         sid = tsec->sid;
2574         newsid = tsec->create_sid;
2575
2576         if ((sbsec->flags & SE_SBINITIALIZED) &&
2577             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2578                 newsid = sbsec->mntpoint_sid;
2579         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2580                 rc = security_transition_sid(sid, dsec->sid,
2581                                              inode_mode_to_security_class(inode->i_mode),
2582                                              qstr, &newsid);
2583                 if (rc) {
2584                         printk(KERN_WARNING "%s:  "
2585                                "security_transition_sid failed, rc=%d (dev=%s "
2586                                "ino=%ld)\n",
2587                                __func__,
2588                                -rc, inode->i_sb->s_id, inode->i_ino);
2589                         return rc;
2590                 }
2591         }
2592
2593         /* Possibly defer initialization to selinux_complete_init. */
2594         if (sbsec->flags & SE_SBINITIALIZED) {
2595                 struct inode_security_struct *isec = inode->i_security;
2596                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2597                 isec->sid = newsid;
2598                 isec->initialized = 1;
2599         }
2600
2601         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2602                 return -EOPNOTSUPP;
2603
2604         if (name) {
2605                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2606                 if (!namep)
2607                         return -ENOMEM;
2608                 *name = namep;
2609         }
2610
2611         if (value && len) {
2612                 rc = security_sid_to_context_force(newsid, &context, &clen);
2613                 if (rc) {
2614                         kfree(namep);
2615                         return rc;
2616                 }
2617                 *value = context;
2618                 *len = clen;
2619         }
2620
2621         return 0;
2622 }
2623
2624 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2625 {
2626         return may_create(dir, dentry, SECCLASS_FILE);
2627 }
2628
2629 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2630 {
2631         return may_link(dir, old_dentry, MAY_LINK);
2632 }
2633
2634 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2635 {
2636         return may_link(dir, dentry, MAY_UNLINK);
2637 }
2638
2639 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2640 {
2641         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2642 }
2643
2644 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2645 {
2646         return may_create(dir, dentry, SECCLASS_DIR);
2647 }
2648
2649 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2650 {
2651         return may_link(dir, dentry, MAY_RMDIR);
2652 }
2653
2654 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2655 {
2656         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2657 }
2658
2659 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2660                                 struct inode *new_inode, struct dentry *new_dentry)
2661 {
2662         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2663 }
2664
2665 static int selinux_inode_readlink(struct dentry *dentry)
2666 {
2667         const struct cred *cred = current_cred();
2668
2669         return dentry_has_perm(cred, dentry, FILE__READ);
2670 }
2671
2672 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2673 {
2674         const struct cred *cred = current_cred();
2675
2676         return dentry_has_perm(cred, dentry, FILE__READ);
2677 }
2678
2679 static int selinux_inode_permission(struct inode *inode, int mask)
2680 {
2681         const struct cred *cred = current_cred();
2682         struct common_audit_data ad;
2683         struct selinux_audit_data sad = {0,};
2684         u32 perms;
2685         bool from_access;
2686         unsigned flags = mask & MAY_NOT_BLOCK;
2687
2688         from_access = mask & MAY_ACCESS;
2689         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2690
2691         /* No permission to check.  Existence test. */
2692         if (!mask)
2693                 return 0;
2694
2695         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2696         ad.selinux_audit_data = &sad;
2697         ad.u.inode = inode;
2698
2699         if (from_access)
2700                 ad.selinux_audit_data->auditdeny |= FILE__AUDIT_ACCESS;
2701
2702         perms = file_mask_to_av(inode->i_mode, mask);
2703
2704         return inode_has_perm(cred, inode, perms, &ad, flags);
2705 }
2706
2707 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2708 {
2709         const struct cred *cred = current_cred();
2710         unsigned int ia_valid = iattr->ia_valid;
2711
2712         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2713         if (ia_valid & ATTR_FORCE) {
2714                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2715                               ATTR_FORCE);
2716                 if (!ia_valid)
2717                         return 0;
2718         }
2719
2720         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2721                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2722                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2723
2724         return dentry_has_perm(cred, dentry, FILE__WRITE);
2725 }
2726
2727 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2728 {
2729         const struct cred *cred = current_cred();
2730         struct path path;
2731
2732         path.dentry = dentry;
2733         path.mnt = mnt;
2734
2735         return path_has_perm(cred, &path, FILE__GETATTR);
2736 }
2737
2738 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2739 {
2740         const struct cred *cred = current_cred();
2741
2742         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2743                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2744                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2745                         if (!capable(CAP_SETFCAP))
2746                                 return -EPERM;
2747                 } else if (!capable(CAP_SYS_ADMIN)) {
2748                         /* A different attribute in the security namespace.
2749                            Restrict to administrator. */
2750                         return -EPERM;
2751                 }
2752         }
2753
2754         /* Not an attribute we recognize, so just check the
2755            ordinary setattr permission. */
2756         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2757 }
2758
2759 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2760                                   const void *value, size_t size, int flags)
2761 {
2762         struct inode *inode = dentry->d_inode;
2763         struct inode_security_struct *isec = inode->i_security;
2764         struct superblock_security_struct *sbsec;
2765         struct common_audit_data ad;
2766         struct selinux_audit_data sad = {0,};
2767         u32 newsid, sid = current_sid();
2768         int rc = 0;
2769
2770         if (strcmp(name, XATTR_NAME_SELINUX))
2771                 return selinux_inode_setotherxattr(dentry, name);
2772
2773         sbsec = inode->i_sb->s_security;
2774         if (!(sbsec->flags & SE_SBLABELSUPP))
2775                 return -EOPNOTSUPP;
2776
2777         if (!inode_owner_or_capable(inode))
2778                 return -EPERM;
2779
2780         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2781         ad.selinux_audit_data = &sad;
2782         ad.u.dentry = dentry;
2783
2784         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2785                           FILE__RELABELFROM, &ad);
2786         if (rc)
2787                 return rc;
2788
2789         rc = security_context_to_sid(value, size, &newsid);
2790         if (rc == -EINVAL) {
2791                 if (!capable(CAP_MAC_ADMIN))
2792                         return rc;
2793                 rc = security_context_to_sid_force(value, size, &newsid);
2794         }
2795         if (rc)
2796                 return rc;
2797
2798         rc = avc_has_perm(sid, newsid, isec->sclass,
2799                           FILE__RELABELTO, &ad);
2800         if (rc)
2801                 return rc;
2802
2803         rc = security_validate_transition(isec->sid, newsid, sid,
2804                                           isec->sclass);
2805         if (rc)
2806                 return rc;
2807
2808         return avc_has_perm(newsid,
2809                             sbsec->sid,
2810                             SECCLASS_FILESYSTEM,
2811                             FILESYSTEM__ASSOCIATE,
2812                             &ad);
2813 }
2814
2815 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2816                                         const void *value, size_t size,
2817                                         int flags)
2818 {
2819         struct inode *inode = dentry->d_inode;
2820         struct inode_security_struct *isec = inode->i_security;
2821         u32 newsid;
2822         int rc;
2823
2824         if (strcmp(name, XATTR_NAME_SELINUX)) {
2825                 /* Not an attribute we recognize, so nothing to do. */
2826                 return;
2827         }
2828
2829         rc = security_context_to_sid_force(value, size, &newsid);
2830         if (rc) {
2831                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2832                        "for (%s, %lu), rc=%d\n",
2833                        inode->i_sb->s_id, inode->i_ino, -rc);
2834                 return;
2835         }
2836
2837         isec->sid = newsid;
2838         return;
2839 }
2840
2841 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2842 {
2843         const struct cred *cred = current_cred();
2844
2845         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2846 }
2847
2848 static int selinux_inode_listxattr(struct dentry *dentry)
2849 {
2850         const struct cred *cred = current_cred();
2851
2852         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2853 }
2854
2855 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2856 {
2857         if (strcmp(name, XATTR_NAME_SELINUX))
2858                 return selinux_inode_setotherxattr(dentry, name);
2859
2860         /* No one is allowed to remove a SELinux security label.
2861            You can change the label, but all data must be labeled. */
2862         return -EACCES;
2863 }
2864
2865 /*
2866  * Copy the inode security context value to the user.
2867  *
2868  * Permission check is handled by selinux_inode_getxattr hook.
2869  */
2870 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2871 {
2872         u32 size;
2873         int error;
2874         char *context = NULL;
2875         struct inode_security_struct *isec = inode->i_security;
2876
2877         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2878                 return -EOPNOTSUPP;
2879
2880         /*
2881          * If the caller has CAP_MAC_ADMIN, then get the raw context
2882          * value even if it is not defined by current policy; otherwise,
2883          * use the in-core value under current policy.
2884          * Use the non-auditing forms of the permission checks since
2885          * getxattr may be called by unprivileged processes commonly
2886          * and lack of permission just means that we fall back to the
2887          * in-core context value, not a denial.
2888          */
2889         error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2890                                 SECURITY_CAP_NOAUDIT);
2891         if (!error)
2892                 error = security_sid_to_context_force(isec->sid, &context,
2893                                                       &size);
2894         else
2895                 error = security_sid_to_context(isec->sid, &context, &size);
2896         if (error)
2897                 return error;
2898         error = size;
2899         if (alloc) {
2900                 *buffer = context;
2901                 goto out_nofree;
2902         }
2903         kfree(context);
2904 out_nofree:
2905         return error;
2906 }
2907
2908 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2909                                      const void *value, size_t size, int flags)
2910 {
2911         struct inode_security_struct *isec = inode->i_security;
2912         u32 newsid;
2913         int rc;
2914
2915         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2916                 return -EOPNOTSUPP;
2917
2918         if (!value || !size)
2919                 return -EACCES;
2920
2921         rc = security_context_to_sid((void *)value, size, &newsid);
2922         if (rc)
2923                 return rc;
2924
2925         isec->sid = newsid;
2926         isec->initialized = 1;
2927         return 0;
2928 }
2929
2930 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2931 {
2932         const int len = sizeof(XATTR_NAME_SELINUX);
2933         if (buffer && len <= buffer_size)
2934                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2935         return len;
2936 }
2937
2938 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2939 {
2940         struct inode_security_struct *isec = inode->i_security;
2941         *secid = isec->sid;
2942 }
2943
2944 /* file security operations */
2945
2946 static int selinux_revalidate_file_permission(struct file *file, int mask)
2947 {
2948         const struct cred *cred = current_cred();
2949         struct inode *inode = file->f_path.dentry->d_inode;
2950
2951         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2952         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2953                 mask |= MAY_APPEND;
2954
2955         return file_has_perm(cred, file,
2956                              file_mask_to_av(inode->i_mode, mask));
2957 }
2958
2959 static int selinux_file_permission(struct file *file, int mask)
2960 {
2961         struct inode *inode = file->f_path.dentry->d_inode;
2962         struct file_security_struct *fsec = file->f_security;
2963         struct inode_security_struct *isec = inode->i_security;
2964         u32 sid = current_sid();
2965
2966         if (!mask)
2967                 /* No permission to check.  Existence test. */
2968                 return 0;
2969
2970         if (sid == fsec->sid && fsec->isid == isec->sid &&
2971             fsec->pseqno == avc_policy_seqno())
2972                 /* No change since dentry_open check. */
2973                 return 0;
2974
2975         return selinux_revalidate_file_permission(file, mask);
2976 }
2977
2978 static int selinux_file_alloc_security(struct file *file)
2979 {
2980         return file_alloc_security(file);
2981 }
2982
2983 static void selinux_file_free_security(struct file *file)
2984 {
2985         file_free_security(file);
2986 }
2987
2988 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2989                               unsigned long arg)
2990 {
2991         const struct cred *cred = current_cred();
2992         int error = 0;
2993
2994         switch (cmd) {
2995         case FIONREAD:
2996         /* fall through */
2997         case FIBMAP:
2998         /* fall through */
2999         case FIGETBSZ:
3000         /* fall through */
3001         case FS_IOC_GETFLAGS:
3002         /* fall through */
3003         case FS_IOC_GETVERSION:
3004                 error = file_has_perm(cred, file, FILE__GETATTR);
3005                 break;
3006
3007         case FS_IOC_SETFLAGS:
3008         /* fall through */
3009         case FS_IOC_SETVERSION:
3010                 error = file_has_perm(cred, file, FILE__SETATTR);
3011                 break;
3012
3013         /* sys_ioctl() checks */
3014         case FIONBIO:
3015         /* fall through */
3016         case FIOASYNC:
3017                 error = file_has_perm(cred, file, 0);
3018                 break;
3019
3020         case KDSKBENT:
3021         case KDSKBSENT:
3022                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3023                                             SECURITY_CAP_AUDIT);
3024                 break;
3025
3026         /* default case assumes that the command will go
3027          * to the file's ioctl() function.
3028          */
3029         default:
3030                 error = file_has_perm(cred, file, FILE__IOCTL);
3031         }
3032         return error;
3033 }
3034
3035 static int default_noexec;
3036
3037 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3038 {
3039         const struct cred *cred = current_cred();
3040         int rc = 0;
3041
3042         if (default_noexec &&
3043             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3044                 /*
3045                  * We are making executable an anonymous mapping or a
3046                  * private file mapping that will also be writable.
3047                  * This has an additional check.
3048                  */
3049                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3050                 if (rc)
3051                         goto error;
3052         }
3053
3054         if (file) {
3055                 /* read access is always possible with a mapping */
3056                 u32 av = FILE__READ;
3057
3058                 /* write access only matters if the mapping is shared */
3059                 if (shared && (prot & PROT_WRITE))
3060                         av |= FILE__WRITE;
3061
3062                 if (prot & PROT_EXEC)
3063                         av |= FILE__EXECUTE;
3064
3065                 return file_has_perm(cred, file, av);
3066         }
3067
3068 error:
3069         return rc;
3070 }
3071
3072 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3073                              unsigned long prot, unsigned long flags,
3074                              unsigned long addr, unsigned long addr_only)
3075 {
3076         int rc = 0;
3077         u32 sid = current_sid();
3078
3079         /*
3080          * notice that we are intentionally putting the SELinux check before
3081          * the secondary cap_file_mmap check.  This is such a likely attempt
3082          * at bad behaviour/exploit that we always want to get the AVC, even
3083          * if DAC would have also denied the operation.
3084          */
3085         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3086                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3087                                   MEMPROTECT__MMAP_ZERO, NULL);
3088                 if (rc)
3089                         return rc;
3090         }
3091
3092         /* do DAC check on address space usage */
3093         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3094         if (rc || addr_only)
3095                 return rc;
3096
3097         if (selinux_checkreqprot)
3098                 prot = reqprot;
3099
3100         return file_map_prot_check(file, prot,
3101                                    (flags & MAP_TYPE) == MAP_SHARED);
3102 }
3103
3104 static int selinux_file_mprotect(struct vm_area_struct *vma,
3105                                  unsigned long reqprot,
3106                                  unsigned long prot)
3107 {
3108         const struct cred *cred = current_cred();
3109
3110         if (selinux_checkreqprot)
3111                 prot = reqprot;
3112
3113         if (default_noexec &&
3114             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3115                 int rc = 0;
3116                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3117                     vma->vm_end <= vma->vm_mm->brk) {
3118                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3119                 } else if (!vma->vm_file &&
3120                            vma->vm_start <= vma->vm_mm->start_stack &&
3121                            vma->vm_end >= vma->vm_mm->start_stack) {
3122                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3123                 } else if (vma->vm_file && vma->anon_vma) {
3124                         /*
3125                          * We are making executable a file mapping that has
3126                          * had some COW done. Since pages might have been
3127                          * written, check ability to execute the possibly
3128                          * modified content.  This typically should only
3129                          * occur for text relocations.
3130                          */
3131                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3132                 }
3133                 if (rc)
3134                         return rc;
3135         }
3136
3137         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3138 }
3139
3140 static int selinux_file_lock(struct file *file, unsigned int cmd)
3141 {
3142         const struct cred *cred = current_cred();
3143
3144         return file_has_perm(cred, file, FILE__LOCK);
3145 }
3146
3147 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3148                               unsigned long arg)
3149 {
3150         const struct cred *cred = current_cred();
3151         int err = 0;
3152
3153         switch (cmd) {
3154         case F_SETFL:
3155                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3156                         err = -EINVAL;
3157                         break;
3158                 }
3159
3160                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3161                         err = file_has_perm(cred, file, FILE__WRITE);
3162                         break;
3163                 }
3164                 /* fall through */
3165         case F_SETOWN:
3166         case F_SETSIG:
3167         case F_GETFL:
3168         case F_GETOWN:
3169         case F_GETSIG:
3170                 /* Just check FD__USE permission */
3171                 err = file_has_perm(cred, file, 0);
3172                 break;
3173         case F_GETLK:
3174         case F_SETLK:
3175         case F_SETLKW:
3176 #if BITS_PER_LONG == 32
3177         case F_GETLK64:
3178         case F_SETLK64:
3179         case F_SETLKW64:
3180 #endif
3181                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3182                         err = -EINVAL;
3183                         break;
3184                 }
3185                 err = file_has_perm(cred, file, FILE__LOCK);
3186                 break;
3187         }
3188
3189         return err;
3190 }
3191
3192 static int selinux_file_set_fowner(struct file *file)
3193 {
3194         struct file_security_struct *fsec;
3195
3196         fsec = file->f_security;
3197         fsec->fown_sid = current_sid();
3198
3199         return 0;
3200 }
3201
3202 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3203                                        struct fown_struct *fown, int signum)
3204 {
3205         struct file *file;
3206         u32 sid = task_sid(tsk);
3207         u32 perm;
3208         struct file_security_struct *fsec;
3209
3210         /* struct fown_struct is never outside the context of a struct file */
3211         file = container_of(fown, struct file, f_owner);
3212
3213         fsec = file->f_security;
3214
3215         if (!signum)
3216                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3217         else
3218                 perm = signal_to_av(signum);
3219
3220         return avc_has_perm(fsec->fown_sid, sid,
3221                             SECCLASS_PROCESS, perm, NULL);
3222 }
3223
3224 static int selinux_file_receive(struct file *file)
3225 {
3226         const struct cred *cred = current_cred();
3227
3228         return file_has_perm(cred, file, file_to_av(file));
3229 }
3230
3231 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3232 {
3233         struct file_security_struct *fsec;
3234         struct inode *inode;
3235         struct inode_security_struct *isec;
3236
3237         inode = file->f_path.dentry->d_inode;
3238         fsec = file->f_security;
3239         isec = inode->i_security;
3240         /*
3241          * Save inode label and policy sequence number
3242          * at open-time so that selinux_file_permission
3243          * can determine whether revalidation is necessary.
3244          * Task label is already saved in the file security
3245          * struct as its SID.
3246          */
3247         fsec->isid = isec->sid;
3248         fsec->pseqno = avc_policy_seqno();
3249         /*
3250          * Since the inode label or policy seqno may have changed
3251          * between the selinux_inode_permission check and the saving
3252          * of state above, recheck that access is still permitted.
3253          * Otherwise, access might never be revalidated against the
3254          * new inode label or new policy.
3255          * This check is not redundant - do not remove.
3256          */
3257         return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3258 }
3259
3260 /* task security operations */
3261
3262 static int selinux_task_create(unsigned long clone_flags)
3263 {
3264         return current_has_perm(current, PROCESS__FORK);
3265 }
3266
3267 /*
3268  * allocate the SELinux part of blank credentials
3269  */
3270 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3271 {
3272         struct task_security_struct *tsec;
3273
3274         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3275         if (!tsec)
3276                 return -ENOMEM;
3277
3278         cred->security = tsec;
3279         return 0;
3280 }
3281
3282 /*
3283  * detach and free the LSM part of a set of credentials
3284  */
3285 static void selinux_cred_free(struct cred *cred)
3286 {
3287         struct task_security_struct *tsec = cred->security;
3288
3289         /*
3290          * cred->security == NULL if security_cred_alloc_blank() or
3291          * security_prepare_creds() returned an error.
3292          */
3293         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3294         cred->security = (void *) 0x7UL;
3295         kfree(tsec);
3296 }
3297
3298 /*
3299  * prepare a new set of credentials for modification
3300  */
3301 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3302                                 gfp_t gfp)
3303 {
3304         const struct task_security_struct *old_tsec;
3305         struct task_security_struct *tsec;
3306
3307         old_tsec = old->security;
3308
3309         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3310         if (!tsec)
3311                 return -ENOMEM;
3312
3313         new->security = tsec;
3314         return 0;
3315 }
3316
3317 /*
3318  * transfer the SELinux data to a blank set of creds
3319  */
3320 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3321 {
3322         const struct task_security_struct *old_tsec = old->security;
3323         struct task_security_struct *tsec = new->security;
3324
3325         *tsec = *old_tsec;
3326 }
3327
3328 /*
3329  * set the security data for a kernel service
3330  * - all the creation contexts are set to unlabelled
3331  */
3332 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3333 {
3334         struct task_security_struct *tsec = new->security;
3335         u32 sid = current_sid();
3336         int ret;
3337
3338         ret = avc_has_perm(sid, secid,
3339                            SECCLASS_KERNEL_SERVICE,
3340                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3341                            NULL);
3342         if (ret == 0) {
3343                 tsec->sid = secid;
3344                 tsec->create_sid = 0;
3345                 tsec->keycreate_sid = 0;
3346                 tsec->sockcreate_sid = 0;
3347         }
3348         return ret;
3349 }
3350
3351 /*
3352  * set the file creation context in a security record to the same as the
3353  * objective context of the specified inode
3354  */
3355 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3356 {
3357         struct inode_security_struct *isec = inode->i_security;
3358         struct task_security_struct *tsec = new->security;
3359         u32 sid = current_sid();
3360         int ret;
3361
3362         ret = avc_has_perm(sid, isec->sid,
3363                            SECCLASS_KERNEL_SERVICE,
3364                            KERNEL_SERVICE__CREATE_FILES_AS,
3365                            NULL);
3366
3367         if (ret == 0)
3368                 tsec->create_sid = isec->sid;
3369         return ret;
3370 }
3371
3372 static int selinux_kernel_module_request(char *kmod_name)
3373 {
3374         u32 sid;
3375         struct common_audit_data ad;
3376         struct selinux_audit_data sad = {0,};
3377
3378         sid = task_sid(current);
3379
3380         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3381         ad.selinux_audit_data = &sad;
3382         ad.u.kmod_name = kmod_name;
3383
3384         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3385                             SYSTEM__MODULE_REQUEST, &ad);
3386 }
3387
3388 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3389 {
3390         return current_has_perm(p, PROCESS__SETPGID);
3391 }
3392
3393 static int selinux_task_getpgid(struct task_struct *p)
3394 {
3395         return current_has_perm(p, PROCESS__GETPGID);
3396 }
3397
3398 static int selinux_task_getsid(struct task_struct *p)
3399 {
3400         return current_has_perm(p, PROCESS__GETSESSION);
3401 }
3402
3403 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3404 {
3405         *secid = task_sid(p);
3406 }
3407
3408 static int selinux_task_setnice(struct task_struct *p, int nice)
3409 {
3410         int rc;
3411
3412         rc = cap_task_setnice(p, nice);
3413         if (rc)
3414                 return rc;
3415
3416         return current_has_perm(p, PROCESS__SETSCHED);
3417 }
3418
3419 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3420 {
3421         int rc;
3422
3423         rc = cap_task_setioprio(p, ioprio);
3424         if (rc)
3425                 return rc;
3426
3427         return current_has_perm(p, PROCESS__SETSCHED);
3428 }
3429
3430 static int selinux_task_getioprio(struct task_struct *p)
3431 {
3432         return current_has_perm(p, PROCESS__GETSCHED);
3433 }
3434
3435 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3436                 struct rlimit *new_rlim)
3437 {
3438         struct rlimit *old_rlim = p->signal->rlim + resource;
3439
3440         /* Control the ability to change the hard limit (whether
3441            lowering or raising it), so that the hard limit can
3442            later be used as a safe reset point for the soft limit
3443            upon context transitions.  See selinux_bprm_committing_creds. */
3444         if (old_rlim->rlim_max != new_rlim->rlim_max)
3445                 return current_has_perm(p, PROCESS__SETRLIMIT);
3446
3447         return 0;
3448 }
3449
3450 static int selinux_task_setscheduler(struct task_struct *p)
3451 {
3452         int rc;
3453
3454         rc = cap_task_setscheduler(p);
3455         if (rc)
3456                 return rc;
3457
3458         return current_has_perm(p, PROCESS__SETSCHED);
3459 }
3460
3461 static int selinux_task_getscheduler(struct task_struct *p)
3462 {
3463         return current_has_perm(p, PROCESS__GETSCHED);
3464 }
3465
3466 static int selinux_task_movememory(struct task_struct *p)
3467 {
3468         return current_has_perm(p, PROCESS__SETSCHED);
3469 }
3470
3471 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3472                                 int sig, u32 secid)
3473 {
3474         u32 perm;
3475         int rc;
3476
3477         if (!sig)
3478                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3479         else
3480                 perm = signal_to_av(sig);
3481         if (secid)
3482                 rc = avc_has_perm(secid, task_sid(p),
3483                                   SECCLASS_PROCESS, perm, NULL);
3484         else
3485                 rc = current_has_perm(p, perm);
3486         return rc;
3487 }
3488
3489 static int selinux_task_wait(struct task_struct *p)
3490 {
3491         return task_has_perm(p, current, PROCESS__SIGCHLD);
3492 }
3493
3494 static void selinux_task_to_inode(struct task_struct *p,
3495                                   struct inode *inode)
3496 {
3497         struct inode_security_struct *isec = inode->i_security;
3498         u32 sid = task_sid(p);
3499
3500         isec->sid = sid;
3501         isec->initialized = 1;
3502 }
3503
3504 /* Returns error only if unable to parse addresses */
3505 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3506                         struct common_audit_data *ad, u8 *proto)
3507 {
3508         int offset, ihlen, ret = -EINVAL;
3509         struct iphdr _iph, *ih;
3510
3511         offset = skb_network_offset(skb);
3512         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3513         if (ih == NULL)
3514                 goto out;
3515
3516         ihlen = ih->ihl * 4;
3517         if (ihlen < sizeof(_iph))
3518                 goto out;
3519
3520         ad->u.net->v4info.saddr = ih->saddr;
3521         ad->u.net->v4info.daddr = ih->daddr;
3522         ret = 0;
3523
3524         if (proto)
3525                 *proto = ih->protocol;
3526
3527         switch (ih->protocol) {
3528         case IPPROTO_TCP: {
3529                 struct tcphdr _tcph, *th;
3530
3531                 if (ntohs(ih->frag_off) & IP_OFFSET)
3532                         break;
3533
3534                 offset += ihlen;
3535                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3536                 if (th == NULL)
3537                         break;
3538
3539                 ad->u.net->sport = th->source;
3540                 ad->u.net->dport = th->dest;
3541                 break;
3542         }
3543
3544         case IPPROTO_UDP: {
3545                 struct udphdr _udph, *uh;
3546
3547                 if (ntohs(ih->frag_off) & IP_OFFSET)
3548                         break;
3549
3550                 offset += ihlen;
3551                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3552                 if (uh == NULL)
3553                         break;
3554
3555                 ad->u.net->sport = uh->source;
3556                 ad->u.net->dport = uh->dest;
3557                 break;
3558         }
3559
3560         case IPPROTO_DCCP: {
3561                 struct dccp_hdr _dccph, *dh;
3562
3563                 if (ntohs(ih->frag_off) & IP_OFFSET)
3564                         break;
3565
3566                 offset += ihlen;
3567                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3568                 if (dh == NULL)
3569                         break;
3570
3571                 ad->u.net->sport = dh->dccph_sport;
3572                 ad->u.net->dport = dh->dccph_dport;
3573                 break;
3574         }
3575
3576         default:
3577                 break;
3578         }
3579 out:
3580         return ret;
3581 }
3582
3583 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3584
3585 /* Returns error only if unable to parse addresses */
3586 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3587                         struct common_audit_data *ad, u8 *proto)
3588 {
3589         u8 nexthdr;
3590         int ret = -EINVAL, offset;
3591         struct ipv6hdr _ipv6h, *ip6;
3592         __be16 frag_off;
3593
3594         offset = skb_network_offset(skb);
3595         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3596         if (ip6 == NULL)
3597                 goto out;
3598
3599         ad->u.net->v6info.saddr = ip6->saddr;
3600         ad->u.net->v6info.daddr = ip6->daddr;
3601         ret = 0;
3602
3603         nexthdr = ip6->nexthdr;
3604         offset += sizeof(_ipv6h);
3605         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3606         if (offset < 0)
3607                 goto out;
3608
3609         if (proto)
3610                 *proto = nexthdr;
3611
3612         switch (nexthdr) {
3613         case IPPROTO_TCP: {
3614                 struct tcphdr _tcph, *th;
3615
3616                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3617                 if (th == NULL)
3618                         break;
3619
3620                 ad->u.net->sport = th->source;
3621                 ad->u.net->dport = th->dest;
3622                 break;
3623         }
3624
3625         case IPPROTO_UDP: {
3626                 struct udphdr _udph, *uh;
3627
3628                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3629                 if (uh == NULL)
3630                         break;
3631
3632                 ad->u.net->sport = uh->source;
3633                 ad->u.net->dport = uh->dest;
3634                 break;
3635         }
3636
3637         case IPPROTO_DCCP: {
3638                 struct dccp_hdr _dccph, *dh;
3639
3640                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3641                 if (dh == NULL)
3642                         break;
3643
3644                 ad->u.net->sport = dh->dccph_sport;
3645                 ad->u.net->dport = dh->dccph_dport;
3646                 break;
3647         }
3648
3649         /* includes fragments */
3650         default:
3651                 break;
3652         }
3653 out:
3654         return ret;
3655 }
3656
3657 #endif /* IPV6 */
3658
3659 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3660                              char **_addrp, int src, u8 *proto)
3661 {
3662         char *addrp;
3663         int ret;
3664
3665         switch (ad->u.net->family) {
3666         case PF_INET:
3667                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3668                 if (ret)
3669                         goto parse_error;
3670                 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3671                                        &ad->u.net->v4info.daddr);
3672                 goto okay;
3673
3674 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3675         case PF_INET6:
3676                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3677                 if (ret)
3678                         goto parse_error;
3679                 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3680                                        &ad->u.net->v6info.daddr);
3681                 goto okay;
3682 #endif  /* IPV6 */
3683         default:
3684                 addrp = NULL;
3685                 goto okay;
3686         }
3687
3688 parse_error:
3689         printk(KERN_WARNING
3690                "SELinux: failure in selinux_parse_skb(),"
3691                " unable to parse packet\n");
3692         return ret;
3693
3694 okay:
3695         if (_addrp)
3696                 *_addrp = addrp;
3697         return 0;
3698 }
3699
3700 /**
3701  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3702  * @skb: the packet
3703  * @family: protocol family
3704  * @sid: the packet's peer label SID
3705  *
3706  * Description:
3707  * Check the various different forms of network peer labeling and determine
3708  * the peer label/SID for the packet; most of the magic actually occurs in
3709  * the security server function security_net_peersid_cmp().  The function
3710  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3711  * or -EACCES if @sid is invalid due to inconsistencies with the different
3712  * peer labels.
3713  *
3714  */
3715 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3716 {
3717         int err;
3718         u32 xfrm_sid;
3719         u32 nlbl_sid;
3720         u32 nlbl_type;
3721
3722         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3723         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3724
3725         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3726         if (unlikely(err)) {
3727                 printk(KERN_WARNING
3728                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3729                        " unable to determine packet's peer label\n");
3730                 return -EACCES;
3731         }
3732
3733         return 0;
3734 }
3735
3736 /* socket security operations */
3737
3738 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3739                                  u16 secclass, u32 *socksid)
3740 {
3741         if (tsec->sockcreate_sid > SECSID_NULL) {
3742                 *socksid = tsec->sockcreate_sid;
3743                 return 0;
3744         }
3745
3746         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3747                                        socksid);
3748 }
3749
3750 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3751 {
3752         struct sk_security_struct *sksec = sk->sk_security;
3753         struct common_audit_data ad;
3754         struct selinux_audit_data sad = {0,};
3755         struct lsm_network_audit net = {0,};
3756         u32 tsid = task_sid(task);
3757
3758         if (sksec->sid == SECINITSID_KERNEL)
3759                 return 0;
3760
3761         COMMON_AUDIT_DATA_INIT(&ad, NET);
3762         ad.selinux_audit_data = &sad;
3763         ad.u.net = &net;
3764         ad.u.net->sk = sk;
3765
3766         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3767 }
3768
3769 static int selinux_socket_create(int family, int type,
3770                                  int protocol, int kern)
3771 {
3772         const struct task_security_struct *tsec = current_security();
3773         u32 newsid;
3774         u16 secclass;
3775         int rc;
3776
3777         if (kern)
3778                 return 0;
3779
3780         secclass = socket_type_to_security_class(family, type, protocol);
3781         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3782         if (rc)
3783                 return rc;
3784
3785         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3786 }
3787
3788 static int selinux_socket_post_create(struct socket *sock, int family,
3789                                       int type, int protocol, int kern)
3790 {
3791         const struct task_security_struct *tsec = current_security();
3792         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3793         struct sk_security_struct *sksec;
3794         int err = 0;
3795
3796         isec->sclass = socket_type_to_security_class(family, type, protocol);
3797
3798         if (kern)
3799                 isec->sid = SECINITSID_KERNEL;
3800         else {
3801                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3802                 if (err)
3803                         return err;
3804         }
3805
3806         isec->initialized = 1;
3807
3808         if (sock->sk) {
3809                 sksec = sock->sk->sk_security;
3810                 sksec->sid = isec->sid;
3811                 sksec->sclass = isec->sclass;
3812                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3813         }
3814
3815         return err;
3816 }
3817
3818 /* Range of port numbers used to automatically bind.
3819    Need to determine whether we should perform a name_bind
3820    permission check between the socket and the port number. */
3821
3822 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3823 {
3824         struct sock *sk = sock->sk;
3825         u16 family;
3826         int err;
3827
3828         err = sock_has_perm(current, sk, SOCKET__BIND);
3829         if (err)
3830                 goto out;
3831
3832         /*
3833          * If PF_INET or PF_INET6, check name_bind permission for the port.
3834          * Multiple address binding for SCTP is not supported yet: we just
3835          * check the first address now.
3836          */
3837         family = sk->sk_family;
3838         if (family == PF_INET || family == PF_INET6) {
3839                 char *addrp;
3840                 struct sk_security_struct *sksec = sk->sk_security;
3841                 struct common_audit_data ad;
3842                 struct selinux_audit_data sad = {0,};
3843                 struct lsm_network_audit net = {0,};
3844                 struct sockaddr_in *addr4 = NULL;
3845                 struct sockaddr_in6 *addr6 = NULL;
3846                 unsigned short snum;
3847                 u32 sid, node_perm;
3848
3849                 if (family == PF_INET) {
3850                         addr4 = (struct sockaddr_in *)address;
3851                         snum = ntohs(addr4->sin_port);
3852                         addrp = (char *)&addr4->sin_addr.s_addr;
3853                 } else {
3854                         addr6 = (struct sockaddr_in6 *)address;
3855                         snum = ntohs(addr6->sin6_port);
3856                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3857                 }
3858
3859                 if (snum) {
3860                         int low, high;
3861
3862                         inet_get_local_port_range(&low, &high);
3863
3864                         if (snum < max(PROT_SOCK, low) || snum > high) {
3865                                 err = sel_netport_sid(sk->sk_protocol,
3866                                                       snum, &sid);
3867                                 if (err)
3868                                         goto out;
3869                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3870                                 ad.selinux_audit_data = &sad;
3871                                 ad.u.net = &net;
3872                                 ad.u.net->sport = htons(snum);
3873                                 ad.u.net->family = family;
3874                                 err = avc_has_perm(sksec->sid, sid,
3875                                                    sksec->sclass,
3876                                                    SOCKET__NAME_BIND, &ad);
3877                                 if (err)
3878                                         goto out;
3879                         }
3880                 }
3881
3882                 switch (sksec->sclass) {
3883                 case SECCLASS_TCP_SOCKET:
3884                         node_perm = TCP_SOCKET__NODE_BIND;
3885                         break;
3886
3887                 case SECCLASS_UDP_SOCKET:
3888                         node_perm = UDP_SOCKET__NODE_BIND;
3889                         break;
3890
3891                 case SECCLASS_DCCP_SOCKET:
3892                         node_perm = DCCP_SOCKET__NODE_BIND;
3893                         break;
3894
3895                 default:
3896                         node_perm = RAWIP_SOCKET__NODE_BIND;
3897                         break;
3898                 }
3899
3900                 err = sel_netnode_sid(addrp, family, &sid);
3901                 if (err)
3902                         goto out;
3903
3904                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3905                 ad.selinux_audit_data = &sad;
3906                 ad.u.net = &net;
3907                 ad.u.net->sport = htons(snum);
3908                 ad.u.net->family = family;
3909
3910                 if (family == PF_INET)
3911                         ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3912                 else
3913                         ad.u.net->v6info.saddr = addr6->sin6_addr;
3914
3915                 err = avc_has_perm(sksec->sid, sid,
3916                                    sksec->sclass, node_perm, &ad);
3917                 if (err)
3918                         goto out;
3919         }
3920 out:
3921         return err;
3922 }
3923
3924 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3925 {
3926         struct sock *sk = sock->sk;
3927         struct sk_security_struct *sksec = sk->sk_security;
3928         int err;
3929
3930         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3931         if (err)
3932                 return err;
3933
3934         /*
3935          * If a TCP or DCCP socket, check name_connect permission for the port.
3936          */
3937         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3938             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3939                 struct common_audit_data ad;
3940                 struct selinux_audit_data sad = {0,};
3941                 struct lsm_network_audit net = {0,};
3942                 struct sockaddr_in *addr4 = NULL;
3943                 struct sockaddr_in6 *addr6 = NULL;
3944                 unsigned short snum;
3945                 u32 sid, perm;
3946
3947                 if (sk->sk_family == PF_INET) {
3948                         addr4 = (struct sockaddr_in *)address;
3949                         if (addrlen < sizeof(struct sockaddr_in))
3950                                 return -EINVAL;
3951                         snum = ntohs(addr4->sin_port);
3952                 } else {
3953                         addr6 = (struct sockaddr_in6 *)address;
3954                         if (addrlen < SIN6_LEN_RFC2133)
3955                                 return -EINVAL;
3956                         snum = ntohs(addr6->sin6_port);
3957                 }
3958
3959                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3960                 if (err)
3961                         goto out;
3962
3963                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3964                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3965
3966                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3967                 ad.selinux_audit_data = &sad;
3968                 ad.u.net = &net;
3969                 ad.u.net->dport = htons(snum);
3970                 ad.u.net->family = sk->sk_family;
3971                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3972                 if (err)
3973                         goto out;
3974         }
3975
3976         err = selinux_netlbl_socket_connect(sk, address);
3977
3978 out:
3979         return err;
3980 }
3981
3982 static int selinux_socket_listen(struct socket *sock, int backlog)
3983 {
3984         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3985 }
3986
3987 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3988 {
3989         int err;
3990         struct inode_security_struct *isec;
3991         struct inode_security_struct *newisec;
3992
3993         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3994         if (err)
3995                 return err;
3996
3997         newisec = SOCK_INODE(newsock)->i_security;
3998
3999         isec = SOCK_INODE(sock)->i_security;
4000         newisec->sclass = isec->sclass;
4001         newisec->sid = isec->sid;
4002         newisec->initialized = 1;
4003
4004         return 0;
4005 }
4006
4007 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4008                                   int size)
4009 {
4010         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4011 }
4012
4013 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4014                                   int size, int flags)
4015 {
4016         return sock_has_perm(current, sock->sk, SOCKET__READ);
4017 }
4018
4019 static int selinux_socket_getsockname(struct socket *sock)
4020 {
4021         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4022 }
4023
4024 static int selinux_socket_getpeername(struct socket *sock)
4025 {
4026         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4027 }
4028
4029 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4030 {
4031         int err;
4032
4033         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4034         if (err)
4035                 return err;
4036
4037         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4038 }
4039
4040 static int selinux_socket_getsockopt(struct socket *sock, int level,
4041                                      int optname)
4042 {
4043         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4044 }
4045
4046 static int selinux_socket_shutdown(struct socket *sock, int how)
4047 {
4048         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4049 }
4050
4051 static int selinux_socket_unix_stream_connect(struct sock *sock,
4052                                               struct sock *other,
4053                                               struct sock *newsk)
4054 {
4055         struct sk_security_struct *sksec_sock = sock->sk_security;
4056         struct sk_security_struct *sksec_other = other->sk_security;
4057         struct sk_security_struct *sksec_new = newsk->sk_security;
4058         struct common_audit_data ad;
4059         struct selinux_audit_data sad = {0,};
4060         struct lsm_network_audit net = {0,};
4061         int err;
4062
4063         COMMON_AUDIT_DATA_INIT(&ad, NET);
4064         ad.selinux_audit_data = &sad;
4065         ad.u.net = &net;
4066         ad.u.net->sk = other;
4067
4068         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4069                            sksec_other->sclass,
4070                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4071         if (err)
4072                 return err;
4073
4074         /* server child socket */
4075         sksec_new->peer_sid = sksec_sock->sid;
4076         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4077                                     &sksec_new->sid);
4078         if (err)
4079                 return err;
4080
4081         /* connecting socket */
4082         sksec_sock->peer_sid = sksec_new->sid;
4083
4084         return 0;
4085 }
4086
4087 static int selinux_socket_unix_may_send(struct socket *sock,
4088                                         struct socket *other)
4089 {
4090         struct sk_security_struct *ssec = sock->sk->sk_security;
4091         struct sk_security_struct *osec = other->sk->sk_security;
4092         struct common_audit_data ad;
4093         struct selinux_audit_data sad = {0,};
4094         struct lsm_network_audit net = {0,};
4095
4096         COMMON_AUDIT_DATA_INIT(&ad, NET);
4097         ad.selinux_audit_data = &sad;
4098         ad.u.net = &net;
4099         ad.u.net->sk = other->sk;
4100
4101         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4102                             &ad);
4103 }
4104
4105 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4106                                     u32 peer_sid,
4107                                     struct common_audit_data *ad)
4108 {
4109         int err;
4110         u32 if_sid;
4111         u32 node_sid;
4112
4113         err = sel_netif_sid(ifindex, &if_sid);
4114         if (err)
4115                 return err;
4116         err = avc_has_perm(peer_sid, if_sid,
4117                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4118         if (err)
4119                 return err;
4120
4121         err = sel_netnode_sid(addrp, family, &node_sid);
4122         if (err)
4123                 return err;
4124         return avc_has_perm(peer_sid, node_sid,
4125                             SECCLASS_NODE, NODE__RECVFROM, ad);
4126 }
4127
4128 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4129                                        u16 family)
4130 {
4131         int err = 0;
4132         struct sk_security_struct *sksec = sk->sk_security;
4133         u32 sk_sid = sksec->sid;
4134         struct common_audit_data ad;
4135         struct selinux_audit_data sad = {0,};
4136         struct lsm_network_audit net = {0,};
4137         char *addrp;
4138
4139         COMMON_AUDIT_DATA_INIT(&ad, NET);
4140         ad.selinux_audit_data = &sad;
4141         ad.u.net = &net;
4142         ad.u.net->netif = skb->skb_iif;
4143         ad.u.net->family = family;
4144         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4145         if (err)
4146                 return err;
4147
4148         if (selinux_secmark_enabled()) {
4149                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4150                                    PACKET__RECV, &ad);
4151                 if (err)
4152                         return err;
4153         }
4154
4155         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4156         if (err)
4157                 return err;
4158         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4159
4160         return err;
4161 }
4162
4163 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4164 {
4165         int err;
4166         struct sk_security_struct *sksec = sk->sk_security;
4167         u16 family = sk->sk_family;
4168         u32 sk_sid = sksec->sid;
4169         struct common_audit_data ad;
4170         struct selinux_audit_data sad = {0,};
4171         struct lsm_network_audit net = {0,};
4172         char *addrp;
4173         u8 secmark_active;
4174         u8 peerlbl_active;
4175
4176         if (family != PF_INET && family != PF_INET6)
4177                 return 0;
4178
4179         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4180         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4181                 family = PF_INET;
4182
4183         /* If any sort of compatibility mode is enabled then handoff processing
4184          * to the selinux_sock_rcv_skb_compat() function to deal with the
4185          * special handling.  We do this in an attempt to keep this function
4186          * as fast and as clean as possible. */
4187         if (!selinux_policycap_netpeer)
4188                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4189
4190         secmark_active = selinux_secmark_enabled();
4191         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4192         if (!secmark_active && !peerlbl_active)
4193                 return 0;
4194
4195         COMMON_AUDIT_DATA_INIT(&ad, NET);
4196         ad.selinux_audit_data = &sad;
4197         ad.u.net = &net;
4198         ad.u.net->netif = skb->skb_iif;
4199         ad.u.net->family = family;
4200         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4201         if (err)
4202                 return err;
4203
4204         if (peerlbl_active) {
4205                 u32 peer_sid;
4206
4207                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4208                 if (err)
4209                         return err;
4210                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4211                                                peer_sid, &ad);
4212                 if (err) {
4213                         selinux_netlbl_err(skb, err, 0);
4214                         return err;
4215                 }
4216                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4217                                    PEER__RECV, &ad);
4218                 if (err)
4219                         selinux_netlbl_err(skb, err, 0);
4220         }
4221
4222         if (secmark_active) {
4223                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4224                                    PACKET__RECV, &ad);
4225                 if (err)
4226                         return err;
4227         }
4228
4229         return err;
4230 }
4231
4232 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4233                                             int __user *optlen, unsigned len)
4234 {
4235         int err = 0;
4236         char *scontext;
4237         u32 scontext_len;
4238         struct sk_security_struct *sksec = sock->sk->sk_security;
4239         u32 peer_sid = SECSID_NULL;
4240
4241         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4242             sksec->sclass == SECCLASS_TCP_SOCKET)
4243                 peer_sid = sksec->peer_sid;
4244         if (peer_sid == SECSID_NULL)
4245                 return -ENOPROTOOPT;
4246
4247         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4248         if (err)
4249                 return err;
4250
4251         if (scontext_len > len) {
4252                 err = -ERANGE;
4253                 goto out_len;
4254         }
4255
4256         if (copy_to_user(optval, scontext, scontext_len))
4257                 err = -EFAULT;
4258
4259 out_len:
4260         if (put_user(scontext_len, optlen))
4261                 err = -EFAULT;
4262         kfree(scontext);
4263         return err;
4264 }
4265
4266 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4267 {
4268         u32 peer_secid = SECSID_NULL;
4269         u16 family;
4270
4271         if (skb && skb->protocol == htons(ETH_P_IP))
4272                 family = PF_INET;
4273         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4274                 family = PF_INET6;
4275         else if (sock)
4276                 family = sock->sk->sk_family;
4277         else
4278                 goto out;
4279
4280         if (sock && family == PF_UNIX)
4281                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4282         else if (skb)
4283                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4284
4285 out:
4286         *secid = peer_secid;
4287         if (peer_secid == SECSID_NULL)
4288                 return -EINVAL;
4289         return 0;
4290 }
4291
4292 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4293 {
4294         struct sk_security_struct *sksec;
4295
4296         sksec = kzalloc(sizeof(*sksec), priority);
4297         if (!sksec)
4298                 return -ENOMEM;
4299
4300         sksec->peer_sid = SECINITSID_UNLABELED;
4301         sksec->sid = SECINITSID_UNLABELED;
4302         selinux_netlbl_sk_security_reset(sksec);
4303         sk->sk_security = sksec;
4304
4305         return 0;
4306 }
4307
4308 static void selinux_sk_free_security(struct sock *sk)
4309 {
4310         struct sk_security_struct *sksec = sk->sk_security;
4311
4312         sk->sk_security = NULL;
4313         selinux_netlbl_sk_security_free(sksec);
4314         kfree(sksec);
4315 }
4316
4317 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4318 {
4319         struct sk_security_struct *sksec = sk->sk_security;
4320         struct sk_security_struct *newsksec = newsk->sk_security;
4321
4322         newsksec->sid = sksec->sid;
4323         newsksec->peer_sid = sksec->peer_sid;
4324         newsksec->sclass = sksec->sclass;
4325
4326         selinux_netlbl_sk_security_reset(newsksec);
4327 }
4328
4329 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4330 {
4331         if (!sk)
4332                 *secid = SECINITSID_ANY_SOCKET;
4333         else {
4334                 struct sk_security_struct *sksec = sk->sk_security;
4335
4336                 *secid = sksec->sid;
4337         }
4338 }
4339
4340 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4341 {
4342         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4343         struct sk_security_struct *sksec = sk->sk_security;
4344
4345         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4346             sk->sk_family == PF_UNIX)
4347                 isec->sid = sksec->sid;
4348         sksec->sclass = isec->sclass;
4349 }
4350
4351 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4352                                      struct request_sock *req)
4353 {
4354         struct sk_security_struct *sksec = sk->sk_security;
4355         int err;
4356         u16 family = sk->sk_family;
4357         u32 newsid;
4358         u32 peersid;
4359
4360         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4361         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4362                 family = PF_INET;
4363
4364         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4365         if (err)
4366                 return err;
4367         if (peersid == SECSID_NULL) {
4368                 req->secid = sksec->sid;
4369                 req->peer_secid = SECSID_NULL;
4370         } else {
4371                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4372                 if (err)
4373                         return err;
4374                 req->secid = newsid;
4375                 req->peer_secid = peersid;
4376         }
4377
4378         return selinux_netlbl_inet_conn_request(req, family);
4379 }
4380
4381 static void selinux_inet_csk_clone(struct sock *newsk,
4382                                    const struct request_sock *req)
4383 {
4384         struct sk_security_struct *newsksec = newsk->sk_security;
4385
4386         newsksec->sid = req->secid;
4387         newsksec->peer_sid = req->peer_secid;
4388         /* NOTE: Ideally, we should also get the isec->sid for the
4389            new socket in sync, but we don't have the isec available yet.
4390            So we will wait until sock_graft to do it, by which
4391            time it will have been created and available. */
4392
4393         /* We don't need to take any sort of lock here as we are the only
4394          * thread with access to newsksec */
4395         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4396 }
4397
4398 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4399 {
4400         u16 family = sk->sk_family;
4401         struct sk_security_struct *sksec = sk->sk_security;
4402
4403         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4404         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4405                 family = PF_INET;
4406
4407         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4408 }
4409
4410 static int selinux_secmark_relabel_packet(u32 sid)
4411 {
4412         const struct task_security_struct *__tsec;
4413         u32 tsid;
4414
4415         __tsec = current_security();
4416         tsid = __tsec->sid;
4417
4418         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4419 }
4420
4421 static void selinux_secmark_refcount_inc(void)
4422 {
4423         atomic_inc(&selinux_secmark_refcount);
4424 }
4425
4426 static void selinux_secmark_refcount_dec(void)
4427 {
4428         atomic_dec(&selinux_secmark_refcount);
4429 }
4430
4431 static void selinux_req_classify_flow(const struct request_sock *req,
4432                                       struct flowi *fl)
4433 {
4434         fl->flowi_secid = req->secid;
4435 }
4436
4437 static int selinux_tun_dev_create(void)
4438 {
4439         u32 sid = current_sid();
4440
4441         /* we aren't taking into account the "sockcreate" SID since the socket
4442          * that is being created here is not a socket in the traditional sense,
4443          * instead it is a private sock, accessible only to the kernel, and
4444          * representing a wide range of network traffic spanning multiple
4445          * connections unlike traditional sockets - check the TUN driver to
4446          * get a better understanding of why this socket is special */
4447
4448         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4449                             NULL);
4450 }
4451
4452 static void selinux_tun_dev_post_create(struct sock *sk)
4453 {
4454         struct sk_security_struct *sksec = sk->sk_security;
4455
4456         /* we don't currently perform any NetLabel based labeling here and it
4457          * isn't clear that we would want to do so anyway; while we could apply
4458          * labeling without the support of the TUN user the resulting labeled
4459          * traffic from the other end of the connection would almost certainly
4460          * cause confusion to the TUN user that had no idea network labeling
4461          * protocols were being used */
4462
4463         /* see the comments in selinux_tun_dev_create() about why we don't use
4464          * the sockcreate SID here */
4465
4466         sksec->sid = current_sid();
4467         sksec->sclass = SECCLASS_TUN_SOCKET;
4468 }
4469
4470 static int selinux_tun_dev_attach(struct sock *sk)
4471 {
4472         struct sk_security_struct *sksec = sk->sk_security;
4473         u32 sid = current_sid();
4474         int err;
4475
4476         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4477                            TUN_SOCKET__RELABELFROM, NULL);
4478         if (err)
4479                 return err;
4480         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4481                            TUN_SOCKET__RELABELTO, NULL);
4482         if (err)
4483                 return err;
4484
4485         sksec->sid = sid;
4486
4487         return 0;
4488 }
4489
4490 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4491 {
4492         int err = 0;
4493         u32 perm;
4494         struct nlmsghdr *nlh;
4495         struct sk_security_struct *sksec = sk->sk_security;
4496
4497         if (skb->len < NLMSG_SPACE(0)) {
4498                 err = -EINVAL;
4499                 goto out;
4500         }
4501         nlh = nlmsg_hdr(skb);
4502
4503         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4504         if (err) {
4505                 if (err == -EINVAL) {
4506                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4507                                   "SELinux:  unrecognized netlink message"
4508                                   " type=%hu for sclass=%hu\n",
4509                                   nlh->nlmsg_type, sksec->sclass);
4510                         if (!selinux_enforcing || security_get_allow_unknown())
4511                                 err = 0;
4512                 }
4513
4514                 /* Ignore */
4515                 if (err == -ENOENT)
4516                         err = 0;
4517                 goto out;
4518         }
4519
4520         err = sock_has_perm(current, sk, perm);
4521 out:
4522         return err;
4523 }
4524
4525 #ifdef CONFIG_NETFILTER
4526
4527 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4528                                        u16 family)
4529 {
4530         int err;
4531         char *addrp;
4532         u32 peer_sid;
4533         struct common_audit_data ad;
4534         struct selinux_audit_data sad = {0,};
4535         struct lsm_network_audit net = {0,};
4536         u8 secmark_active;
4537         u8 netlbl_active;
4538         u8 peerlbl_active;
4539
4540         if (!selinux_policycap_netpeer)
4541                 return NF_ACCEPT;
4542
4543         secmark_active = selinux_secmark_enabled();
4544         netlbl_active = netlbl_enabled();
4545         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4546         if (!secmark_active && !peerlbl_active)
4547                 return NF_ACCEPT;
4548
4549         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4550                 return NF_DROP;
4551
4552         COMMON_AUDIT_DATA_INIT(&ad, NET);
4553         ad.selinux_audit_data = &sad;
4554         ad.u.net = &net;
4555         ad.u.net->netif = ifindex;
4556         ad.u.net->family = family;
4557         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4558                 return NF_DROP;
4559
4560         if (peerlbl_active) {
4561                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4562                                                peer_sid, &ad);
4563                 if (err) {
4564                         selinux_netlbl_err(skb, err, 1);
4565                         return NF_DROP;
4566                 }
4567         }
4568
4569         if (secmark_active)
4570                 if (avc_has_perm(peer_sid, skb->secmark,
4571                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4572                         return NF_DROP;
4573
4574         if (netlbl_active)
4575                 /* we do this in the FORWARD path and not the POST_ROUTING
4576                  * path because we want to make sure we apply the necessary
4577                  * labeling before IPsec is applied so we can leverage AH
4578                  * protection */
4579                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4580                         return NF_DROP;
4581
4582         return NF_ACCEPT;
4583 }
4584
4585 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4586                                          struct sk_buff *skb,
4587                                          const struct net_device *in,
4588                                          const struct net_device *out,
4589                                          int (*okfn)(struct sk_buff *))
4590 {
4591         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4592 }
4593
4594 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4595 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4596                                          struct sk_buff *skb,
4597                                          const struct net_device *in,
4598                                          const struct net_device *out,
4599                                          int (*okfn)(struct sk_buff *))
4600 {
4601         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4602 }
4603 #endif  /* IPV6 */
4604
4605 static unsigned int selinux_ip_output(struct sk_buff *skb,
4606                                       u16 family)
4607 {
4608         u32 sid;
4609
4610         if (!netlbl_enabled())
4611                 return NF_ACCEPT;
4612
4613         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4614          * because we want to make sure we apply the necessary labeling
4615          * before IPsec is applied so we can leverage AH protection */
4616         if (skb->sk) {
4617                 struct sk_security_struct *sksec = skb->sk->sk_security;
4618                 sid = sksec->sid;
4619         } else
4620                 sid = SECINITSID_KERNEL;
4621         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4622                 return NF_DROP;
4623
4624         return NF_ACCEPT;
4625 }
4626
4627 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4628                                         struct sk_buff *skb,
4629                                         const struct net_device *in,
4630                                         const struct net_device *out,
4631                                         int (*okfn)(struct sk_buff *))
4632 {
4633         return selinux_ip_output(skb, PF_INET);
4634 }
4635
4636 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4637                                                 int ifindex,
4638                                                 u16 family)
4639 {
4640         struct sock *sk = skb->sk;
4641         struct sk_security_struct *sksec;
4642         struct common_audit_data ad;
4643         struct selinux_audit_data sad = {0,};
4644         struct lsm_network_audit net = {0,};
4645         char *addrp;
4646         u8 proto;
4647
4648         if (sk == NULL)
4649                 return NF_ACCEPT;
4650         sksec = sk->sk_security;
4651
4652         COMMON_AUDIT_DATA_INIT(&ad, NET);
4653         ad.selinux_audit_data = &sad;
4654         ad.u.net = &net;
4655         ad.u.net->netif = ifindex;
4656         ad.u.net->family = family;
4657         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4658                 return NF_DROP;
4659
4660         if (selinux_secmark_enabled())
4661                 if (avc_has_perm(sksec->sid, skb->secmark,
4662                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4663                         return NF_DROP_ERR(-ECONNREFUSED);
4664
4665         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4666                 return NF_DROP_ERR(-ECONNREFUSED);
4667
4668         return NF_ACCEPT;
4669 }
4670
4671 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4672                                          u16 family)
4673 {
4674         u32 secmark_perm;
4675         u32 peer_sid;
4676         struct sock *sk;
4677         struct common_audit_data ad;
4678         struct selinux_audit_data sad = {0,};
4679         struct lsm_network_audit net = {0,};
4680         char *addrp;
4681         u8 secmark_active;
4682         u8 peerlbl_active;
4683
4684         /* If any sort of compatibility mode is enabled then handoff processing
4685          * to the selinux_ip_postroute_compat() function to deal with the
4686          * special handling.  We do this in an attempt to keep this function
4687          * as fast and as clean as possible. */
4688         if (!selinux_policycap_netpeer)
4689                 return selinux_ip_postroute_compat(skb, ifindex, family);
4690 #ifdef CONFIG_XFRM
4691         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4692          * packet transformation so allow the packet to pass without any checks
4693          * since we'll have another chance to perform access control checks
4694          * when the packet is on it's final way out.
4695          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4696          *       is NULL, in this case go ahead and apply access control. */
4697         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4698                 return NF_ACCEPT;
4699 #endif
4700         secmark_active = selinux_secmark_enabled();
4701         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4702         if (!secmark_active && !peerlbl_active)
4703                 return NF_ACCEPT;
4704
4705         /* if the packet is being forwarded then get the peer label from the
4706          * packet itself; otherwise check to see if it is from a local
4707          * application or the kernel, if from an application get the peer label
4708          * from the sending socket, otherwise use the kernel's sid */
4709         sk = skb->sk;
4710         if (sk == NULL) {
4711                 if (skb->skb_iif) {
4712                         secmark_perm = PACKET__FORWARD_OUT;
4713                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4714                                 return NF_DROP;
4715                 } else {
4716                         secmark_perm = PACKET__SEND;
4717                         peer_sid = SECINITSID_KERNEL;
4718                 }
4719         } else {
4720                 struct sk_security_struct *sksec = sk->sk_security;
4721                 peer_sid = sksec->sid;
4722                 secmark_perm = PACKET__SEND;
4723         }
4724
4725         COMMON_AUDIT_DATA_INIT(&ad, NET);
4726         ad.selinux_audit_data = &sad;
4727         ad.u.net = &net;
4728         ad.u.net->netif = ifindex;
4729         ad.u.net->family = family;
4730         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4731                 return NF_DROP;
4732
4733         if (secmark_active)
4734                 if (avc_has_perm(peer_sid, skb->secmark,
4735                                  SECCLASS_PACKET, secmark_perm, &ad))
4736                         return NF_DROP_ERR(-ECONNREFUSED);
4737
4738         if (peerlbl_active) {
4739                 u32 if_sid;
4740                 u32 node_sid;
4741
4742                 if (sel_netif_sid(ifindex, &if_sid))
4743                         return NF_DROP;
4744                 if (avc_has_perm(peer_sid, if_sid,
4745                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4746                         return NF_DROP_ERR(-ECONNREFUSED);
4747
4748                 if (sel_netnode_sid(addrp, family, &node_sid))
4749                         return NF_DROP;
4750                 if (avc_has_perm(peer_sid, node_sid,
4751                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4752                         return NF_DROP_ERR(-ECONNREFUSED);
4753         }
4754
4755         return NF_ACCEPT;
4756 }
4757
4758 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4759                                            struct sk_buff *skb,
4760                                            const struct net_device *in,
4761                                            const struct net_device *out,
4762                                            int (*okfn)(struct sk_buff *))
4763 {
4764         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4765 }
4766
4767 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4768 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4769                                            struct sk_buff *skb,
4770                                            const struct net_device *in,
4771                                            const struct net_device *out,
4772                                            int (*okfn)(struct sk_buff *))
4773 {
4774         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4775 }
4776 #endif  /* IPV6 */
4777
4778 #endif  /* CONFIG_NETFILTER */
4779
4780 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4781 {
4782         int err;
4783
4784         err = cap_netlink_send(sk, skb);
4785         if (err)
4786                 return err;
4787
4788         return selinux_nlmsg_perm(sk, skb);
4789 }
4790
4791 static int ipc_alloc_security(struct task_struct *task,
4792                               struct kern_ipc_perm *perm,
4793                               u16 sclass)
4794 {
4795         struct ipc_security_struct *isec;
4796         u32 sid;
4797
4798         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4799         if (!isec)
4800                 return -ENOMEM;
4801
4802         sid = task_sid(task);
4803         isec->sclass = sclass;
4804         isec->sid = sid;
4805         perm->security = isec;
4806
4807         return 0;
4808 }
4809
4810 static void ipc_free_security(struct kern_ipc_perm *perm)
4811 {
4812         struct ipc_security_struct *isec = perm->security;
4813         perm->security = NULL;
4814         kfree(isec);
4815 }
4816
4817 static int msg_msg_alloc_security(struct msg_msg *msg)
4818 {
4819         struct msg_security_struct *msec;
4820
4821         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4822         if (!msec)
4823                 return -ENOMEM;
4824
4825         msec->sid = SECINITSID_UNLABELED;
4826         msg->security = msec;
4827
4828         return 0;
4829 }
4830
4831 static void msg_msg_free_security(struct msg_msg *msg)
4832 {
4833         struct msg_security_struct *msec = msg->security;
4834
4835         msg->security = NULL;
4836         kfree(msec);
4837 }
4838
4839 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4840                         u32 perms)
4841 {
4842         struct ipc_security_struct *isec;
4843         struct common_audit_data ad;
4844         struct selinux_audit_data sad = {0,};
4845         u32 sid = current_sid();
4846
4847         isec = ipc_perms->security;
4848
4849         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4850         ad.selinux_audit_data = &sad;
4851         ad.u.ipc_id = ipc_perms->key;
4852
4853         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4854 }
4855
4856 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4857 {
4858         return msg_msg_alloc_security(msg);
4859 }
4860
4861 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4862 {
4863         msg_msg_free_security(msg);
4864 }
4865
4866 /* message queue security operations */
4867 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4868 {
4869         struct ipc_security_struct *isec;
4870         struct common_audit_data ad;
4871         struct selinux_audit_data sad = {0,};
4872         u32 sid = current_sid();
4873         int rc;
4874
4875         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4876         if (rc)
4877                 return rc;
4878
4879         isec = msq->q_perm.security;
4880
4881         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4882         ad.selinux_audit_data = &sad;
4883         ad.u.ipc_id = msq->q_perm.key;
4884
4885         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4886                           MSGQ__CREATE, &ad);
4887         if (rc) {
4888                 ipc_free_security(&msq->q_perm);
4889                 return rc;
4890         }
4891         return 0;
4892 }
4893
4894 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4895 {
4896         ipc_free_security(&msq->q_perm);
4897 }
4898
4899 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4900 {
4901         struct ipc_security_struct *isec;
4902         struct common_audit_data ad;
4903         struct selinux_audit_data sad = {0,};
4904         u32 sid = current_sid();
4905
4906         isec = msq->q_perm.security;
4907
4908         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4909         ad.selinux_audit_data = &sad;
4910         ad.u.ipc_id = msq->q_perm.key;
4911
4912         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4913                             MSGQ__ASSOCIATE, &ad);
4914 }
4915
4916 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4917 {
4918         int err;
4919         int perms;
4920
4921         switch (cmd) {
4922         case IPC_INFO:
4923         case MSG_INFO:
4924                 /* No specific object, just general system-wide information. */
4925                 return task_has_system(current, SYSTEM__IPC_INFO);
4926         case IPC_STAT:
4927         case MSG_STAT:
4928                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4929                 break;
4930         case IPC_SET:
4931                 perms = MSGQ__SETATTR;
4932                 break;
4933         case IPC_RMID:
4934                 perms = MSGQ__DESTROY;
4935                 break;
4936         default:
4937                 return 0;
4938         }
4939
4940         err = ipc_has_perm(&msq->q_perm, perms);
4941         return err;
4942 }
4943
4944 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4945 {
4946         struct ipc_security_struct *isec;
4947         struct msg_security_struct *msec;
4948         struct common_audit_data ad;
4949         struct selinux_audit_data sad = {0,};
4950         u32 sid = current_sid();
4951         int rc;
4952
4953         isec = msq->q_perm.security;
4954         msec = msg->security;
4955
4956         /*
4957          * First time through, need to assign label to the message
4958          */
4959         if (msec->sid == SECINITSID_UNLABELED) {
4960                 /*
4961                  * Compute new sid based on current process and
4962                  * message queue this message will be stored in
4963                  */
4964                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4965                                              NULL, &msec->sid);
4966                 if (rc)
4967                         return rc;
4968         }
4969
4970         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4971         ad.selinux_audit_data = &sad;
4972         ad.u.ipc_id = msq->q_perm.key;
4973
4974         /* Can this process write to the queue? */
4975         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4976                           MSGQ__WRITE, &ad);
4977         if (!rc)
4978                 /* Can this process send the message */
4979                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4980                                   MSG__SEND, &ad);
4981         if (!rc)
4982                 /* Can the message be put in the queue? */
4983                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4984                                   MSGQ__ENQUEUE, &ad);
4985
4986         return rc;
4987 }
4988
4989 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4990                                     struct task_struct *target,
4991                                     long type, int mode)
4992 {
4993         struct ipc_security_struct *isec;
4994         struct msg_security_struct *msec;
4995         struct common_audit_data ad;
4996         struct selinux_audit_data sad = {0,};
4997         u32 sid = task_sid(target);
4998         int rc;
4999
5000         isec = msq->q_perm.security;
5001         msec = msg->security;
5002
5003         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5004         ad.selinux_audit_data = &sad;
5005         ad.u.ipc_id = msq->q_perm.key;
5006
5007         rc = avc_has_perm(sid, isec->sid,
5008                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5009         if (!rc)
5010                 rc = avc_has_perm(sid, msec->sid,
5011                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5012         return rc;
5013 }
5014
5015 /* Shared Memory security operations */
5016 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5017 {
5018         struct ipc_security_struct *isec;
5019         struct common_audit_data ad;
5020         struct selinux_audit_data sad = {0,};
5021         u32 sid = current_sid();
5022         int rc;
5023
5024         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5025         if (rc)
5026                 return rc;
5027
5028         isec = shp->shm_perm.security;
5029
5030         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5031         ad.selinux_audit_data = &sad;
5032         ad.u.ipc_id = shp->shm_perm.key;
5033
5034         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5035                           SHM__CREATE, &ad);
5036         if (rc) {
5037                 ipc_free_security(&shp->shm_perm);
5038                 return rc;
5039         }
5040         return 0;
5041 }
5042
5043 static void selinux_shm_free_security(struct shmid_kernel *shp)
5044 {
5045         ipc_free_security(&shp->shm_perm);
5046 }
5047
5048 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5049 {
5050         struct ipc_security_struct *isec;
5051         struct common_audit_data ad;
5052         struct selinux_audit_data sad = {0,};
5053         u32 sid = current_sid();
5054
5055         isec = shp->shm_perm.security;
5056
5057         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5058         ad.selinux_audit_data = &sad;
5059         ad.u.ipc_id = shp->shm_perm.key;
5060
5061         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5062                             SHM__ASSOCIATE, &ad);
5063 }
5064
5065 /* Note, at this point, shp is locked down */
5066 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5067 {
5068         int perms;
5069         int err;
5070
5071         switch (cmd) {
5072         case IPC_INFO:
5073         case SHM_INFO:
5074                 /* No specific object, just general system-wide information. */
5075                 return task_has_system(current, SYSTEM__IPC_INFO);
5076         case IPC_STAT:
5077         case SHM_STAT:
5078                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5079                 break;
5080         case IPC_SET:
5081                 perms = SHM__SETATTR;
5082                 break;
5083         case SHM_LOCK:
5084         case SHM_UNLOCK:
5085                 perms = SHM__LOCK;
5086                 break;
5087         case IPC_RMID:
5088                 perms = SHM__DESTROY;
5089                 break;
5090         default:
5091                 return 0;
5092         }
5093
5094         err = ipc_has_perm(&shp->shm_perm, perms);
5095         return err;
5096 }
5097
5098 static int selinux_shm_shmat(struct shmid_kernel *shp,
5099                              char __user *shmaddr, int shmflg)
5100 {
5101         u32 perms;
5102
5103         if (shmflg & SHM_RDONLY)
5104                 perms = SHM__READ;
5105         else
5106                 perms = SHM__READ | SHM__WRITE;
5107
5108         return ipc_has_perm(&shp->shm_perm, perms);
5109 }
5110
5111 /* Semaphore security operations */
5112 static int selinux_sem_alloc_security(struct sem_array *sma)
5113 {
5114         struct ipc_security_struct *isec;
5115         struct common_audit_data ad;
5116         struct selinux_audit_data sad = {0,};
5117         u32 sid = current_sid();
5118         int rc;
5119
5120         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5121         if (rc)
5122                 return rc;
5123
5124         isec = sma->sem_perm.security;
5125
5126         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5127         ad.selinux_audit_data = &sad;
5128         ad.u.ipc_id = sma->sem_perm.key;
5129
5130         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5131                           SEM__CREATE, &ad);
5132         if (rc) {
5133                 ipc_free_security(&sma->sem_perm);
5134                 return rc;
5135         }
5136         return 0;
5137 }
5138
5139 static void selinux_sem_free_security(struct sem_array *sma)
5140 {
5141         ipc_free_security(&sma->sem_perm);
5142 }
5143
5144 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5145 {
5146         struct ipc_security_struct *isec;
5147         struct common_audit_data ad;
5148         struct selinux_audit_data sad = {0,};
5149         u32 sid = current_sid();
5150
5151         isec = sma->sem_perm.security;
5152
5153         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5154         ad.selinux_audit_data = &sad;
5155         ad.u.ipc_id = sma->sem_perm.key;
5156
5157         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5158                             SEM__ASSOCIATE, &ad);
5159 }
5160
5161 /* Note, at this point, sma is locked down */
5162 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5163 {
5164         int err;
5165         u32 perms;
5166
5167         switch (cmd) {
5168         case IPC_INFO:
5169         case SEM_INFO:
5170                 /* No specific object, just general system-wide information. */
5171                 return task_has_system(current, SYSTEM__IPC_INFO);
5172         case GETPID:
5173         case GETNCNT:
5174         case GETZCNT:
5175                 perms = SEM__GETATTR;
5176                 break;
5177         case GETVAL:
5178         case GETALL:
5179                 perms = SEM__READ;
5180                 break;
5181         case SETVAL:
5182         case SETALL:
5183                 perms = SEM__WRITE;
5184                 break;
5185         case IPC_RMID:
5186                 perms = SEM__DESTROY;
5187                 break;
5188         case IPC_SET:
5189                 perms = SEM__SETATTR;
5190                 break;
5191         case IPC_STAT:
5192         case SEM_STAT:
5193                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5194                 break;
5195         default:
5196                 return 0;
5197         }
5198
5199         err = ipc_has_perm(&sma->sem_perm, perms);
5200         return err;
5201 }
5202
5203 static int selinux_sem_semop(struct sem_array *sma,
5204                              struct sembuf *sops, unsigned nsops, int alter)
5205 {
5206         u32 perms;
5207
5208         if (alter)
5209                 perms = SEM__READ | SEM__WRITE;
5210         else
5211                 perms = SEM__READ;
5212
5213         return ipc_has_perm(&sma->sem_perm, perms);
5214 }
5215
5216 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5217 {
5218         u32 av = 0;
5219
5220         av = 0;
5221         if (flag & S_IRUGO)
5222                 av |= IPC__UNIX_READ;
5223         if (flag & S_IWUGO)
5224                 av |= IPC__UNIX_WRITE;
5225
5226         if (av == 0)
5227                 return 0;
5228
5229         return ipc_has_perm(ipcp, av);
5230 }
5231
5232 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5233 {
5234         struct ipc_security_struct *isec = ipcp->security;
5235         *secid = isec->sid;
5236 }
5237
5238 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5239 {
5240         if (inode)
5241                 inode_doinit_with_dentry(inode, dentry);
5242 }
5243
5244 static int selinux_getprocattr(struct task_struct *p,
5245                                char *name, char **value)
5246 {
5247         const struct task_security_struct *__tsec;
5248         u32 sid;
5249         int error;
5250         unsigned len;
5251
5252         if (current != p) {
5253                 error = current_has_perm(p, PROCESS__GETATTR);
5254                 if (error)
5255                         return error;
5256         }
5257
5258         rcu_read_lock();
5259         __tsec = __task_cred(p)->security;
5260
5261         if (!strcmp(name, "current"))
5262                 sid = __tsec->sid;
5263         else if (!strcmp(name, "prev"))
5264                 sid = __tsec->osid;
5265         else if (!strcmp(name, "exec"))
5266                 sid = __tsec->exec_sid;
5267         else if (!strcmp(name, "fscreate"))
5268                 sid = __tsec->create_sid;
5269         else if (!strcmp(name, "keycreate"))
5270                 sid = __tsec->keycreate_sid;
5271         else if (!strcmp(name, "sockcreate"))
5272                 sid = __tsec->sockcreate_sid;
5273         else
5274                 goto invalid;
5275         rcu_read_unlock();
5276
5277         if (!sid)
5278                 return 0;
5279
5280         error = security_sid_to_context(sid, value, &len);
5281         if (error)
5282                 return error;
5283         return len;
5284
5285 invalid:
5286         rcu_read_unlock();
5287         return -EINVAL;
5288 }
5289
5290 static int selinux_setprocattr(struct task_struct *p,
5291                                char *name, void *value, size_t size)
5292 {
5293         struct task_security_struct *tsec;
5294         struct task_struct *tracer;
5295         struct cred *new;
5296         u32 sid = 0, ptsid;
5297         int error;
5298         char *str = value;
5299
5300         if (current != p) {
5301                 /* SELinux only allows a process to change its own
5302                    security attributes. */
5303                 return -EACCES;
5304         }
5305
5306         /*
5307          * Basic control over ability to set these attributes at all.
5308          * current == p, but we'll pass them separately in case the
5309          * above restriction is ever removed.
5310          */
5311         if (!strcmp(name, "exec"))
5312                 error = current_has_perm(p, PROCESS__SETEXEC);
5313         else if (!strcmp(name, "fscreate"))
5314                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5315         else if (!strcmp(name, "keycreate"))
5316                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5317         else if (!strcmp(name, "sockcreate"))
5318                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5319         else if (!strcmp(name, "current"))
5320                 error = current_has_perm(p, PROCESS__SETCURRENT);
5321         else
5322                 error = -EINVAL;
5323         if (error)
5324                 return error;
5325
5326         /* Obtain a SID for the context, if one was specified. */
5327         if (size && str[1] && str[1] != '\n') {
5328                 if (str[size-1] == '\n') {
5329                         str[size-1] = 0;
5330                         size--;
5331                 }
5332                 error = security_context_to_sid(value, size, &sid);
5333                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5334                         if (!capable(CAP_MAC_ADMIN))
5335                                 return error;
5336                         error = security_context_to_sid_force(value, size,
5337                                                               &sid);
5338                 }
5339                 if (error)
5340                         return error;
5341         }
5342
5343         new = prepare_creds();
5344         if (!new)
5345                 return -ENOMEM;
5346
5347         /* Permission checking based on the specified context is
5348            performed during the actual operation (execve,
5349            open/mkdir/...), when we know the full context of the
5350            operation.  See selinux_bprm_set_creds for the execve
5351            checks and may_create for the file creation checks. The
5352            operation will then fail if the context is not permitted. */
5353         tsec = new->security;
5354         if (!strcmp(name, "exec")) {
5355                 tsec->exec_sid = sid;
5356         } else if (!strcmp(name, "fscreate")) {
5357                 tsec->create_sid = sid;
5358         } else if (!strcmp(name, "keycreate")) {
5359                 error = may_create_key(sid, p);
5360                 if (error)
5361                         goto abort_change;
5362                 tsec->keycreate_sid = sid;
5363         } else if (!strcmp(name, "sockcreate")) {
5364                 tsec->sockcreate_sid = sid;
5365         } else if (!strcmp(name, "current")) {
5366                 error = -EINVAL;
5367                 if (sid == 0)
5368                         goto abort_change;
5369
5370                 /* Only allow single threaded processes to change context */
5371                 error = -EPERM;
5372                 if (!current_is_single_threaded()) {
5373                         error = security_bounded_transition(tsec->sid, sid);
5374                         if (error)
5375                                 goto abort_change;
5376                 }
5377
5378                 /* Check permissions for the transition. */
5379                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5380                                      PROCESS__DYNTRANSITION, NULL);
5381                 if (error)
5382                         goto abort_change;
5383
5384                 /* Check for ptracing, and update the task SID if ok.
5385                    Otherwise, leave SID unchanged and fail. */
5386                 ptsid = 0;
5387                 task_lock(p);
5388                 tracer = ptrace_parent(p);
5389                 if (tracer)
5390                         ptsid = task_sid(tracer);
5391                 task_unlock(p);
5392
5393                 if (tracer) {
5394                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5395                                              PROCESS__PTRACE, NULL);
5396                         if (error)
5397                                 goto abort_change;
5398                 }
5399
5400                 tsec->sid = sid;
5401         } else {
5402                 error = -EINVAL;
5403                 goto abort_change;
5404         }
5405
5406         commit_creds(new);
5407         return size;
5408
5409 abort_change:
5410         abort_creds(new);
5411         return error;
5412 }
5413
5414 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5415 {
5416         return security_sid_to_context(secid, secdata, seclen);
5417 }
5418
5419 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5420 {
5421         return security_context_to_sid(secdata, seclen, secid);
5422 }
5423
5424 static void selinux_release_secctx(char *secdata, u32 seclen)
5425 {
5426         kfree(secdata);
5427 }
5428
5429 /*
5430  *      called with inode->i_mutex locked
5431  */
5432 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5433 {
5434         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5435 }
5436
5437 /*
5438  *      called with inode->i_mutex locked
5439  */
5440 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5441 {
5442         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5443 }
5444
5445 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5446 {
5447         int len = 0;
5448         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5449                                                 ctx, true);
5450         if (len < 0)
5451                 return len;
5452         *ctxlen = len;
5453         return 0;
5454 }
5455 #ifdef CONFIG_KEYS
5456
5457 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5458                              unsigned long flags)
5459 {
5460         const struct task_security_struct *tsec;
5461         struct key_security_struct *ksec;
5462
5463         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5464         if (!ksec)
5465                 return -ENOMEM;
5466
5467         tsec = cred->security;
5468         if (tsec->keycreate_sid)
5469                 ksec->sid = tsec->keycreate_sid;
5470         else
5471                 ksec->sid = tsec->sid;
5472
5473         k->security = ksec;
5474         return 0;
5475 }
5476
5477 static void selinux_key_free(struct key *k)
5478 {
5479         struct key_security_struct *ksec = k->security;
5480
5481         k->security = NULL;
5482         kfree(ksec);
5483 }
5484
5485 static int selinux_key_permission(key_ref_t key_ref,
5486                                   const struct cred *cred,
5487                                   key_perm_t perm)
5488 {
5489         struct key *key;
5490         struct key_security_struct *ksec;
5491         u32 sid;
5492
5493         /* if no specific permissions are requested, we skip the
5494            permission check. No serious, additional covert channels
5495            appear to be created. */
5496         if (perm == 0)
5497                 return 0;
5498
5499         sid = cred_sid(cred);
5500
5501         key = key_ref_to_ptr(key_ref);
5502         ksec = key->security;
5503
5504         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5505 }
5506
5507 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5508 {
5509         struct key_security_struct *ksec = key->security;
5510         char *context = NULL;
5511         unsigned len;
5512         int rc;
5513
5514         rc = security_sid_to_context(ksec->sid, &context, &len);
5515         if (!rc)
5516                 rc = len;
5517         *_buffer = context;
5518         return rc;
5519 }
5520
5521 #endif
5522
5523 static struct security_operations selinux_ops = {
5524         .name =                         "selinux",
5525
5526         .ptrace_access_check =          selinux_ptrace_access_check,
5527         .ptrace_traceme =               selinux_ptrace_traceme,
5528         .capget =                       selinux_capget,
5529         .capset =                       selinux_capset,
5530         .capable =                      selinux_capable,
5531         .quotactl =                     selinux_quotactl,
5532         .quota_on =                     selinux_quota_on,
5533         .syslog =                       selinux_syslog,
5534         .vm_enough_memory =             selinux_vm_enough_memory,
5535
5536         .netlink_send =                 selinux_netlink_send,
5537
5538         .bprm_set_creds =               selinux_bprm_set_creds,
5539         .bprm_committing_creds =        selinux_bprm_committing_creds,
5540         .bprm_committed_creds =         selinux_bprm_committed_creds,
5541         .bprm_secureexec =              selinux_bprm_secureexec,
5542
5543         .sb_alloc_security =            selinux_sb_alloc_security,
5544         .sb_free_security =             selinux_sb_free_security,
5545         .sb_copy_data =                 selinux_sb_copy_data,
5546         .sb_remount =                   selinux_sb_remount,
5547         .sb_kern_mount =                selinux_sb_kern_mount,
5548         .sb_show_options =              selinux_sb_show_options,
5549         .sb_statfs =                    selinux_sb_statfs,
5550         .sb_mount =                     selinux_mount,
5551         .sb_umount =                    selinux_umount,
5552         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5553         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5554         .sb_parse_opts_str =            selinux_parse_opts_str,
5555
5556
5557         .inode_alloc_security =         selinux_inode_alloc_security,
5558         .inode_free_security =          selinux_inode_free_security,
5559         .inode_init_security =          selinux_inode_init_security,
5560         .inode_create =                 selinux_inode_create,
5561         .inode_link =                   selinux_inode_link,
5562         .inode_unlink =                 selinux_inode_unlink,
5563         .inode_symlink =                selinux_inode_symlink,
5564         .inode_mkdir =                  selinux_inode_mkdir,
5565         .inode_rmdir =                  selinux_inode_rmdir,
5566         .inode_mknod =                  selinux_inode_mknod,
5567         .inode_rename =                 selinux_inode_rename,
5568         .inode_readlink =               selinux_inode_readlink,
5569         .inode_follow_link =            selinux_inode_follow_link,
5570         .inode_permission =             selinux_inode_permission,
5571         .inode_setattr =                selinux_inode_setattr,
5572         .inode_getattr =                selinux_inode_getattr,
5573         .inode_setxattr =               selinux_inode_setxattr,
5574         .inode_post_setxattr =          selinux_inode_post_setxattr,
5575         .inode_getxattr =               selinux_inode_getxattr,
5576         .inode_listxattr =              selinux_inode_listxattr,
5577         .inode_removexattr =            selinux_inode_removexattr,
5578         .inode_getsecurity =            selinux_inode_getsecurity,
5579         .inode_setsecurity =            selinux_inode_setsecurity,
5580         .inode_listsecurity =           selinux_inode_listsecurity,
5581         .inode_getsecid =               selinux_inode_getsecid,
5582
5583         .file_permission =              selinux_file_permission,
5584         .file_alloc_security =          selinux_file_alloc_security,
5585         .file_free_security =           selinux_file_free_security,
5586         .file_ioctl =                   selinux_file_ioctl,
5587         .file_mmap =                    selinux_file_mmap,
5588         .file_mprotect =                selinux_file_mprotect,
5589         .file_lock =                    selinux_file_lock,
5590         .file_fcntl =                   selinux_file_fcntl,
5591         .file_set_fowner =              selinux_file_set_fowner,
5592         .file_send_sigiotask =          selinux_file_send_sigiotask,
5593         .file_receive =                 selinux_file_receive,
5594
5595         .dentry_open =                  selinux_dentry_open,
5596
5597         .task_create =                  selinux_task_create,
5598         .cred_alloc_blank =             selinux_cred_alloc_blank,
5599         .cred_free =                    selinux_cred_free,
5600         .cred_prepare =                 selinux_cred_prepare,
5601         .cred_transfer =                selinux_cred_transfer,
5602         .kernel_act_as =                selinux_kernel_act_as,
5603         .kernel_create_files_as =       selinux_kernel_create_files_as,
5604         .kernel_module_request =        selinux_kernel_module_request,
5605         .task_setpgid =                 selinux_task_setpgid,
5606         .task_getpgid =                 selinux_task_getpgid,
5607         .task_getsid =                  selinux_task_getsid,
5608         .task_getsecid =                selinux_task_getsecid,
5609         .task_setnice =                 selinux_task_setnice,
5610         .task_setioprio =               selinux_task_setioprio,
5611         .task_getioprio =               selinux_task_getioprio,
5612         .task_setrlimit =               selinux_task_setrlimit,
5613         .task_setscheduler =            selinux_task_setscheduler,
5614         .task_getscheduler =            selinux_task_getscheduler,
5615         .task_movememory =              selinux_task_movememory,
5616         .task_kill =                    selinux_task_kill,
5617         .task_wait =                    selinux_task_wait,
5618         .task_to_inode =                selinux_task_to_inode,
5619
5620         .ipc_permission =               selinux_ipc_permission,
5621         .ipc_getsecid =                 selinux_ipc_getsecid,
5622
5623         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5624         .msg_msg_free_security =        selinux_msg_msg_free_security,
5625
5626         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5627         .msg_queue_free_security =      selinux_msg_queue_free_security,
5628         .msg_queue_associate =          selinux_msg_queue_associate,
5629         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5630         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5631         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5632
5633         .shm_alloc_security =           selinux_shm_alloc_security,
5634         .shm_free_security =            selinux_shm_free_security,
5635         .shm_associate =                selinux_shm_associate,
5636         .shm_shmctl =                   selinux_shm_shmctl,
5637         .shm_shmat =                    selinux_shm_shmat,
5638
5639         .sem_alloc_security =           selinux_sem_alloc_security,
5640         .sem_free_security =            selinux_sem_free_security,
5641         .sem_associate =                selinux_sem_associate,
5642         .sem_semctl =                   selinux_sem_semctl,
5643         .sem_semop =                    selinux_sem_semop,
5644
5645         .d_instantiate =                selinux_d_instantiate,
5646
5647         .getprocattr =                  selinux_getprocattr,
5648         .setprocattr =                  selinux_setprocattr,
5649
5650         .secid_to_secctx =              selinux_secid_to_secctx,
5651         .secctx_to_secid =              selinux_secctx_to_secid,
5652         .release_secctx =               selinux_release_secctx,
5653         .inode_notifysecctx =           selinux_inode_notifysecctx,
5654         .inode_setsecctx =              selinux_inode_setsecctx,
5655         .inode_getsecctx =              selinux_inode_getsecctx,
5656
5657         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5658         .unix_may_send =                selinux_socket_unix_may_send,
5659
5660         .socket_create =                selinux_socket_create,
5661         .socket_post_create =           selinux_socket_post_create,
5662         .socket_bind =                  selinux_socket_bind,
5663         .socket_connect =               selinux_socket_connect,
5664         .socket_listen =                selinux_socket_listen,
5665         .socket_accept =                selinux_socket_accept,
5666         .socket_sendmsg =               selinux_socket_sendmsg,
5667         .socket_recvmsg =               selinux_socket_recvmsg,
5668         .socket_getsockname =           selinux_socket_getsockname,
5669         .socket_getpeername =           selinux_socket_getpeername,
5670         .socket_getsockopt =            selinux_socket_getsockopt,
5671         .socket_setsockopt =            selinux_socket_setsockopt,
5672         .socket_shutdown =              selinux_socket_shutdown,
5673         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5674         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5675         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5676         .sk_alloc_security =            selinux_sk_alloc_security,
5677         .sk_free_security =             selinux_sk_free_security,
5678         .sk_clone_security =            selinux_sk_clone_security,
5679         .sk_getsecid =                  selinux_sk_getsecid,
5680         .sock_graft =                   selinux_sock_graft,
5681         .inet_conn_request =            selinux_inet_conn_request,
5682         .inet_csk_clone =               selinux_inet_csk_clone,
5683         .inet_conn_established =        selinux_inet_conn_established,
5684         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5685         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5686         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5687         .req_classify_flow =            selinux_req_classify_flow,
5688         .tun_dev_create =               selinux_tun_dev_create,
5689         .tun_dev_post_create =          selinux_tun_dev_post_create,
5690         .tun_dev_attach =               selinux_tun_dev_attach,
5691
5692 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5693         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5694         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5695         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5696         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5697         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5698         .xfrm_state_free_security =     selinux_xfrm_state_free,
5699         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5700         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5701         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5702         .xfrm_decode_session =          selinux_xfrm_decode_session,
5703 #endif
5704
5705 #ifdef CONFIG_KEYS
5706         .key_alloc =                    selinux_key_alloc,
5707         .key_free =                     selinux_key_free,
5708         .key_permission =               selinux_key_permission,
5709         .key_getsecurity =              selinux_key_getsecurity,
5710 #endif
5711
5712 #ifdef CONFIG_AUDIT
5713         .audit_rule_init =              selinux_audit_rule_init,
5714         .audit_rule_known =             selinux_audit_rule_known,
5715         .audit_rule_match =             selinux_audit_rule_match,
5716         .audit_rule_free =              selinux_audit_rule_free,
5717 #endif
5718 };
5719
5720 static __init int selinux_init(void)
5721 {
5722         if (!security_module_enable(&selinux_ops)) {
5723                 selinux_enabled = 0;
5724                 return 0;
5725         }
5726
5727         if (!selinux_enabled) {
5728                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5729                 return 0;
5730         }
5731
5732         printk(KERN_INFO "SELinux:  Initializing.\n");
5733
5734         /* Set the security state for the initial task. */
5735         cred_init_security();
5736
5737         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5738
5739         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5740                                             sizeof(struct inode_security_struct),
5741                                             0, SLAB_PANIC, NULL);
5742         avc_init();
5743
5744         if (register_security(&selinux_ops))
5745                 panic("SELinux: Unable to register with kernel.\n");
5746
5747         if (selinux_enforcing)
5748                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5749         else
5750                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5751
5752         return 0;
5753 }
5754
5755 static void delayed_superblock_init(struct super_block *sb, void *unused)
5756 {
5757         superblock_doinit(sb, NULL);
5758 }
5759
5760 void selinux_complete_init(void)
5761 {
5762         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5763
5764         /* Set up any superblocks initialized prior to the policy load. */
5765         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5766         iterate_supers(delayed_superblock_init, NULL);
5767 }
5768
5769 /* SELinux requires early initialization in order to label
5770    all processes and objects when they are created. */
5771 security_initcall(selinux_init);
5772
5773 #if defined(CONFIG_NETFILTER)
5774
5775 static struct nf_hook_ops selinux_ipv4_ops[] = {
5776         {
5777                 .hook =         selinux_ipv4_postroute,
5778                 .owner =        THIS_MODULE,
5779                 .pf =           PF_INET,
5780                 .hooknum =      NF_INET_POST_ROUTING,
5781                 .priority =     NF_IP_PRI_SELINUX_LAST,
5782         },
5783         {
5784                 .hook =         selinux_ipv4_forward,
5785                 .owner =        THIS_MODULE,
5786                 .pf =           PF_INET,
5787                 .hooknum =      NF_INET_FORWARD,
5788                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5789         },
5790         {
5791                 .hook =         selinux_ipv4_output,
5792                 .owner =        THIS_MODULE,
5793                 .pf =           PF_INET,
5794                 .hooknum =      NF_INET_LOCAL_OUT,
5795                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5796         }
5797 };
5798
5799 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5800
5801 static struct nf_hook_ops selinux_ipv6_ops[] = {
5802         {
5803                 .hook =         selinux_ipv6_postroute,
5804                 .owner =        THIS_MODULE,
5805                 .pf =           PF_INET6,
5806                 .hooknum =      NF_INET_POST_ROUTING,
5807                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5808         },
5809         {
5810                 .hook =         selinux_ipv6_forward,
5811                 .owner =        THIS_MODULE,
5812                 .pf =           PF_INET6,
5813                 .hooknum =      NF_INET_FORWARD,
5814                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5815         }
5816 };
5817
5818 #endif  /* IPV6 */
5819
5820 static int __init selinux_nf_ip_init(void)
5821 {
5822         int err = 0;
5823
5824         if (!selinux_enabled)
5825                 goto out;
5826
5827         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5828
5829         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5830         if (err)
5831                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5832
5833 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5834         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5835         if (err)
5836                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5837 #endif  /* IPV6 */
5838
5839 out:
5840         return err;
5841 }
5842
5843 __initcall(selinux_nf_ip_init);
5844
5845 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5846 static void selinux_nf_ip_exit(void)
5847 {
5848         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5849
5850         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5851 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5852         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5853 #endif  /* IPV6 */
5854 }
5855 #endif
5856
5857 #else /* CONFIG_NETFILTER */
5858
5859 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5860 #define selinux_nf_ip_exit()
5861 #endif
5862
5863 #endif /* CONFIG_NETFILTER */
5864
5865 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5866 static int selinux_disabled;
5867
5868 int selinux_disable(void)
5869 {
5870         if (ss_initialized) {
5871                 /* Not permitted after initial policy load. */
5872                 return -EINVAL;
5873         }
5874
5875         if (selinux_disabled) {
5876                 /* Only do this once. */
5877                 return -EINVAL;
5878         }
5879
5880         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5881
5882         selinux_disabled = 1;
5883         selinux_enabled = 0;
5884
5885         reset_security_ops();
5886
5887         /* Try to destroy the avc node cache */
5888         avc_disable();
5889
5890         /* Unregister netfilter hooks. */
5891         selinux_nf_ip_exit();
5892
5893         /* Unregister selinuxfs. */
5894         exit_sel_fs();
5895
5896         return 0;
5897 }
5898 #endif