1206cee31c791f7613d461a4770a16d11e40e0bd
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>             /* for local_port_range[] */
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>    /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>           /* for Unix socket types */
70 #include <net/af_unix.h>        /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83
84 #include "avc.h"
85 #include "objsec.h"
86 #include "netif.h"
87 #include "netnode.h"
88 #include "netport.h"
89 #include "xfrm.h"
90 #include "netlabel.h"
91 #include "audit.h"
92
93 #define NUM_SEL_MNT_OPTS 5
94
95 extern struct security_operations *security_ops;
96
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105         unsigned long enforcing;
106         if (!strict_strtoul(str, 0, &enforcing))
107                 selinux_enforcing = enforcing ? 1 : 0;
108         return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118         unsigned long enabled;
119         if (!strict_strtoul(str, 0, &enabled))
120                 selinux_enabled = enabled ? 1 : 0;
121         return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129
130 /**
131  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132  *
133  * Description:
134  * This function checks the SECMARK reference counter to see if any SECMARK
135  * targets are currently configured, if the reference counter is greater than
136  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
137  * enabled, false (0) if SECMARK is disabled.
138  *
139  */
140 static int selinux_secmark_enabled(void)
141 {
142         return (atomic_read(&selinux_secmark_refcount) > 0);
143 }
144
145 /*
146  * initialise the security for the init task
147  */
148 static void cred_init_security(void)
149 {
150         struct cred *cred = (struct cred *) current->real_cred;
151         struct task_security_struct *tsec;
152
153         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
154         if (!tsec)
155                 panic("SELinux:  Failed to initialize initial task.\n");
156
157         tsec->osid = tsec->sid = SECINITSID_KERNEL;
158         cred->security = tsec;
159 }
160
161 /*
162  * get the security ID of a set of credentials
163  */
164 static inline u32 cred_sid(const struct cred *cred)
165 {
166         const struct task_security_struct *tsec;
167
168         tsec = cred->security;
169         return tsec->sid;
170 }
171
172 /*
173  * get the objective security ID of a task
174  */
175 static inline u32 task_sid(const struct task_struct *task)
176 {
177         u32 sid;
178
179         rcu_read_lock();
180         sid = cred_sid(__task_cred(task));
181         rcu_read_unlock();
182         return sid;
183 }
184
185 /*
186  * get the subjective security ID of the current task
187  */
188 static inline u32 current_sid(void)
189 {
190         const struct task_security_struct *tsec = current_security();
191
192         return tsec->sid;
193 }
194
195 /* Allocate and free functions for each kind of security blob. */
196
197 static int inode_alloc_security(struct inode *inode)
198 {
199         struct inode_security_struct *isec;
200         u32 sid = current_sid();
201
202         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
203         if (!isec)
204                 return -ENOMEM;
205
206         mutex_init(&isec->lock);
207         INIT_LIST_HEAD(&isec->list);
208         isec->inode = inode;
209         isec->sid = SECINITSID_UNLABELED;
210         isec->sclass = SECCLASS_FILE;
211         isec->task_sid = sid;
212         inode->i_security = isec;
213
214         return 0;
215 }
216
217 static void inode_free_security(struct inode *inode)
218 {
219         struct inode_security_struct *isec = inode->i_security;
220         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
221
222         spin_lock(&sbsec->isec_lock);
223         if (!list_empty(&isec->list))
224                 list_del_init(&isec->list);
225         spin_unlock(&sbsec->isec_lock);
226
227         inode->i_security = NULL;
228         kmem_cache_free(sel_inode_cache, isec);
229 }
230
231 static int file_alloc_security(struct file *file)
232 {
233         struct file_security_struct *fsec;
234         u32 sid = current_sid();
235
236         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
237         if (!fsec)
238                 return -ENOMEM;
239
240         fsec->sid = sid;
241         fsec->fown_sid = sid;
242         file->f_security = fsec;
243
244         return 0;
245 }
246
247 static void file_free_security(struct file *file)
248 {
249         struct file_security_struct *fsec = file->f_security;
250         file->f_security = NULL;
251         kfree(fsec);
252 }
253
254 static int superblock_alloc_security(struct super_block *sb)
255 {
256         struct superblock_security_struct *sbsec;
257
258         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
259         if (!sbsec)
260                 return -ENOMEM;
261
262         mutex_init(&sbsec->lock);
263         INIT_LIST_HEAD(&sbsec->isec_head);
264         spin_lock_init(&sbsec->isec_lock);
265         sbsec->sb = sb;
266         sbsec->sid = SECINITSID_UNLABELED;
267         sbsec->def_sid = SECINITSID_FILE;
268         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
269         sb->s_security = sbsec;
270
271         return 0;
272 }
273
274 static void superblock_free_security(struct super_block *sb)
275 {
276         struct superblock_security_struct *sbsec = sb->s_security;
277         sb->s_security = NULL;
278         kfree(sbsec);
279 }
280
281 /* The security server must be initialized before
282    any labeling or access decisions can be provided. */
283 extern int ss_initialized;
284
285 /* The file system's label must be initialized prior to use. */
286
287 static const char *labeling_behaviors[6] = {
288         "uses xattr",
289         "uses transition SIDs",
290         "uses task SIDs",
291         "uses genfs_contexts",
292         "not configured for labeling",
293         "uses mountpoint labeling",
294 };
295
296 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
297
298 static inline int inode_doinit(struct inode *inode)
299 {
300         return inode_doinit_with_dentry(inode, NULL);
301 }
302
303 enum {
304         Opt_error = -1,
305         Opt_context = 1,
306         Opt_fscontext = 2,
307         Opt_defcontext = 3,
308         Opt_rootcontext = 4,
309         Opt_labelsupport = 5,
310 };
311
312 static const match_table_t tokens = {
313         {Opt_context, CONTEXT_STR "%s"},
314         {Opt_fscontext, FSCONTEXT_STR "%s"},
315         {Opt_defcontext, DEFCONTEXT_STR "%s"},
316         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
317         {Opt_labelsupport, LABELSUPP_STR},
318         {Opt_error, NULL},
319 };
320
321 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
322
323 static int may_context_mount_sb_relabel(u32 sid,
324                         struct superblock_security_struct *sbsec,
325                         const struct cred *cred)
326 {
327         const struct task_security_struct *tsec = cred->security;
328         int rc;
329
330         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
331                           FILESYSTEM__RELABELFROM, NULL);
332         if (rc)
333                 return rc;
334
335         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
336                           FILESYSTEM__RELABELTO, NULL);
337         return rc;
338 }
339
340 static int may_context_mount_inode_relabel(u32 sid,
341                         struct superblock_security_struct *sbsec,
342                         const struct cred *cred)
343 {
344         const struct task_security_struct *tsec = cred->security;
345         int rc;
346         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347                           FILESYSTEM__RELABELFROM, NULL);
348         if (rc)
349                 return rc;
350
351         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
352                           FILESYSTEM__ASSOCIATE, NULL);
353         return rc;
354 }
355
356 static int sb_finish_set_opts(struct super_block *sb)
357 {
358         struct superblock_security_struct *sbsec = sb->s_security;
359         struct dentry *root = sb->s_root;
360         struct inode *root_inode = root->d_inode;
361         int rc = 0;
362
363         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
364                 /* Make sure that the xattr handler exists and that no
365                    error other than -ENODATA is returned by getxattr on
366                    the root directory.  -ENODATA is ok, as this may be
367                    the first boot of the SELinux kernel before we have
368                    assigned xattr values to the filesystem. */
369                 if (!root_inode->i_op->getxattr) {
370                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
371                                "xattr support\n", sb->s_id, sb->s_type->name);
372                         rc = -EOPNOTSUPP;
373                         goto out;
374                 }
375                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
376                 if (rc < 0 && rc != -ENODATA) {
377                         if (rc == -EOPNOTSUPP)
378                                 printk(KERN_WARNING "SELinux: (dev %s, type "
379                                        "%s) has no security xattr handler\n",
380                                        sb->s_id, sb->s_type->name);
381                         else
382                                 printk(KERN_WARNING "SELinux: (dev %s, type "
383                                        "%s) getxattr errno %d\n", sb->s_id,
384                                        sb->s_type->name, -rc);
385                         goto out;
386                 }
387         }
388
389         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
390
391         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
392                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
393                        sb->s_id, sb->s_type->name);
394         else
395                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
396                        sb->s_id, sb->s_type->name,
397                        labeling_behaviors[sbsec->behavior-1]);
398
399         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
400             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
401             sbsec->behavior == SECURITY_FS_USE_NONE ||
402             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403                 sbsec->flags &= ~SE_SBLABELSUPP;
404
405         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
406         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
407                 sbsec->flags |= SE_SBLABELSUPP;
408
409         /* Initialize the root inode. */
410         rc = inode_doinit_with_dentry(root_inode, root);
411
412         /* Initialize any other inodes associated with the superblock, e.g.
413            inodes created prior to initial policy load or inodes created
414            during get_sb by a pseudo filesystem that directly
415            populates itself. */
416         spin_lock(&sbsec->isec_lock);
417 next_inode:
418         if (!list_empty(&sbsec->isec_head)) {
419                 struct inode_security_struct *isec =
420                                 list_entry(sbsec->isec_head.next,
421                                            struct inode_security_struct, list);
422                 struct inode *inode = isec->inode;
423                 spin_unlock(&sbsec->isec_lock);
424                 inode = igrab(inode);
425                 if (inode) {
426                         if (!IS_PRIVATE(inode))
427                                 inode_doinit(inode);
428                         iput(inode);
429                 }
430                 spin_lock(&sbsec->isec_lock);
431                 list_del_init(&isec->list);
432                 goto next_inode;
433         }
434         spin_unlock(&sbsec->isec_lock);
435 out:
436         return rc;
437 }
438
439 /*
440  * This function should allow an FS to ask what it's mount security
441  * options were so it can use those later for submounts, displaying
442  * mount options, or whatever.
443  */
444 static int selinux_get_mnt_opts(const struct super_block *sb,
445                                 struct security_mnt_opts *opts)
446 {
447         int rc = 0, i;
448         struct superblock_security_struct *sbsec = sb->s_security;
449         char *context = NULL;
450         u32 len;
451         char tmp;
452
453         security_init_mnt_opts(opts);
454
455         if (!(sbsec->flags & SE_SBINITIALIZED))
456                 return -EINVAL;
457
458         if (!ss_initialized)
459                 return -EINVAL;
460
461         tmp = sbsec->flags & SE_MNTMASK;
462         /* count the number of mount options for this sb */
463         for (i = 0; i < 8; i++) {
464                 if (tmp & 0x01)
465                         opts->num_mnt_opts++;
466                 tmp >>= 1;
467         }
468         /* Check if the Label support flag is set */
469         if (sbsec->flags & SE_SBLABELSUPP)
470                 opts->num_mnt_opts++;
471
472         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473         if (!opts->mnt_opts) {
474                 rc = -ENOMEM;
475                 goto out_free;
476         }
477
478         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479         if (!opts->mnt_opts_flags) {
480                 rc = -ENOMEM;
481                 goto out_free;
482         }
483
484         i = 0;
485         if (sbsec->flags & FSCONTEXT_MNT) {
486                 rc = security_sid_to_context(sbsec->sid, &context, &len);
487                 if (rc)
488                         goto out_free;
489                 opts->mnt_opts[i] = context;
490                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
491         }
492         if (sbsec->flags & CONTEXT_MNT) {
493                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
494                 if (rc)
495                         goto out_free;
496                 opts->mnt_opts[i] = context;
497                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
498         }
499         if (sbsec->flags & DEFCONTEXT_MNT) {
500                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
501                 if (rc)
502                         goto out_free;
503                 opts->mnt_opts[i] = context;
504                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
505         }
506         if (sbsec->flags & ROOTCONTEXT_MNT) {
507                 struct inode *root = sbsec->sb->s_root->d_inode;
508                 struct inode_security_struct *isec = root->i_security;
509
510                 rc = security_sid_to_context(isec->sid, &context, &len);
511                 if (rc)
512                         goto out_free;
513                 opts->mnt_opts[i] = context;
514                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
515         }
516         if (sbsec->flags & SE_SBLABELSUPP) {
517                 opts->mnt_opts[i] = NULL;
518                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
519         }
520
521         BUG_ON(i != opts->num_mnt_opts);
522
523         return 0;
524
525 out_free:
526         security_free_mnt_opts(opts);
527         return rc;
528 }
529
530 static int bad_option(struct superblock_security_struct *sbsec, char flag,
531                       u32 old_sid, u32 new_sid)
532 {
533         char mnt_flags = sbsec->flags & SE_MNTMASK;
534
535         /* check if the old mount command had the same options */
536         if (sbsec->flags & SE_SBINITIALIZED)
537                 if (!(sbsec->flags & flag) ||
538                     (old_sid != new_sid))
539                         return 1;
540
541         /* check if we were passed the same options twice,
542          * aka someone passed context=a,context=b
543          */
544         if (!(sbsec->flags & SE_SBINITIALIZED))
545                 if (mnt_flags & flag)
546                         return 1;
547         return 0;
548 }
549
550 /*
551  * Allow filesystems with binary mount data to explicitly set mount point
552  * labeling information.
553  */
554 static int selinux_set_mnt_opts(struct super_block *sb,
555                                 struct security_mnt_opts *opts)
556 {
557         const struct cred *cred = current_cred();
558         int rc = 0, i;
559         struct superblock_security_struct *sbsec = sb->s_security;
560         const char *name = sb->s_type->name;
561         struct inode *inode = sbsec->sb->s_root->d_inode;
562         struct inode_security_struct *root_isec = inode->i_security;
563         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564         u32 defcontext_sid = 0;
565         char **mount_options = opts->mnt_opts;
566         int *flags = opts->mnt_opts_flags;
567         int num_opts = opts->num_mnt_opts;
568
569         mutex_lock(&sbsec->lock);
570
571         if (!ss_initialized) {
572                 if (!num_opts) {
573                         /* Defer initialization until selinux_complete_init,
574                            after the initial policy is loaded and the security
575                            server is ready to handle calls. */
576                         goto out;
577                 }
578                 rc = -EINVAL;
579                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
580                         "before the security server is initialized\n");
581                 goto out;
582         }
583
584         /*
585          * Binary mount data FS will come through this function twice.  Once
586          * from an explicit call and once from the generic calls from the vfs.
587          * Since the generic VFS calls will not contain any security mount data
588          * we need to skip the double mount verification.
589          *
590          * This does open a hole in which we will not notice if the first
591          * mount using this sb set explict options and a second mount using
592          * this sb does not set any security options.  (The first options
593          * will be used for both mounts)
594          */
595         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596             && (num_opts == 0))
597                 goto out;
598
599         /*
600          * parse the mount options, check if they are valid sids.
601          * also check if someone is trying to mount the same sb more
602          * than once with different security options.
603          */
604         for (i = 0; i < num_opts; i++) {
605                 u32 sid;
606
607                 if (flags[i] == SE_SBLABELSUPP)
608                         continue;
609                 rc = security_context_to_sid(mount_options[i],
610                                              strlen(mount_options[i]), &sid);
611                 if (rc) {
612                         printk(KERN_WARNING "SELinux: security_context_to_sid"
613                                "(%s) failed for (dev %s, type %s) errno=%d\n",
614                                mount_options[i], sb->s_id, name, rc);
615                         goto out;
616                 }
617                 switch (flags[i]) {
618                 case FSCONTEXT_MNT:
619                         fscontext_sid = sid;
620
621                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
622                                         fscontext_sid))
623                                 goto out_double_mount;
624
625                         sbsec->flags |= FSCONTEXT_MNT;
626                         break;
627                 case CONTEXT_MNT:
628                         context_sid = sid;
629
630                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
631                                         context_sid))
632                                 goto out_double_mount;
633
634                         sbsec->flags |= CONTEXT_MNT;
635                         break;
636                 case ROOTCONTEXT_MNT:
637                         rootcontext_sid = sid;
638
639                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
640                                         rootcontext_sid))
641                                 goto out_double_mount;
642
643                         sbsec->flags |= ROOTCONTEXT_MNT;
644
645                         break;
646                 case DEFCONTEXT_MNT:
647                         defcontext_sid = sid;
648
649                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
650                                         defcontext_sid))
651                                 goto out_double_mount;
652
653                         sbsec->flags |= DEFCONTEXT_MNT;
654
655                         break;
656                 default:
657                         rc = -EINVAL;
658                         goto out;
659                 }
660         }
661
662         if (sbsec->flags & SE_SBINITIALIZED) {
663                 /* previously mounted with options, but not on this attempt? */
664                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
665                         goto out_double_mount;
666                 rc = 0;
667                 goto out;
668         }
669
670         if (strcmp(sb->s_type->name, "proc") == 0)
671                 sbsec->flags |= SE_SBPROC;
672
673         /* Determine the labeling behavior to use for this filesystem type. */
674         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
675         if (rc) {
676                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
677                        __func__, sb->s_type->name, rc);
678                 goto out;
679         }
680
681         /* sets the context of the superblock for the fs being mounted. */
682         if (fscontext_sid) {
683                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
684                 if (rc)
685                         goto out;
686
687                 sbsec->sid = fscontext_sid;
688         }
689
690         /*
691          * Switch to using mount point labeling behavior.
692          * sets the label used on all file below the mountpoint, and will set
693          * the superblock context if not already set.
694          */
695         if (context_sid) {
696                 if (!fscontext_sid) {
697                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
698                                                           cred);
699                         if (rc)
700                                 goto out;
701                         sbsec->sid = context_sid;
702                 } else {
703                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
704                                                              cred);
705                         if (rc)
706                                 goto out;
707                 }
708                 if (!rootcontext_sid)
709                         rootcontext_sid = context_sid;
710
711                 sbsec->mntpoint_sid = context_sid;
712                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
713         }
714
715         if (rootcontext_sid) {
716                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
717                                                      cred);
718                 if (rc)
719                         goto out;
720
721                 root_isec->sid = rootcontext_sid;
722                 root_isec->initialized = 1;
723         }
724
725         if (defcontext_sid) {
726                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
727                         rc = -EINVAL;
728                         printk(KERN_WARNING "SELinux: defcontext option is "
729                                "invalid for this filesystem type\n");
730                         goto out;
731                 }
732
733                 if (defcontext_sid != sbsec->def_sid) {
734                         rc = may_context_mount_inode_relabel(defcontext_sid,
735                                                              sbsec, cred);
736                         if (rc)
737                                 goto out;
738                 }
739
740                 sbsec->def_sid = defcontext_sid;
741         }
742
743         rc = sb_finish_set_opts(sb);
744 out:
745         mutex_unlock(&sbsec->lock);
746         return rc;
747 out_double_mount:
748         rc = -EINVAL;
749         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
750                "security settings for (dev %s, type %s)\n", sb->s_id, name);
751         goto out;
752 }
753
754 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
755                                         struct super_block *newsb)
756 {
757         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
758         struct superblock_security_struct *newsbsec = newsb->s_security;
759
760         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
761         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
762         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
763
764         /*
765          * if the parent was able to be mounted it clearly had no special lsm
766          * mount options.  thus we can safely deal with this superblock later
767          */
768         if (!ss_initialized)
769                 return;
770
771         /* how can we clone if the old one wasn't set up?? */
772         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
773
774         /* if fs is reusing a sb, just let its options stand... */
775         if (newsbsec->flags & SE_SBINITIALIZED)
776                 return;
777
778         mutex_lock(&newsbsec->lock);
779
780         newsbsec->flags = oldsbsec->flags;
781
782         newsbsec->sid = oldsbsec->sid;
783         newsbsec->def_sid = oldsbsec->def_sid;
784         newsbsec->behavior = oldsbsec->behavior;
785
786         if (set_context) {
787                 u32 sid = oldsbsec->mntpoint_sid;
788
789                 if (!set_fscontext)
790                         newsbsec->sid = sid;
791                 if (!set_rootcontext) {
792                         struct inode *newinode = newsb->s_root->d_inode;
793                         struct inode_security_struct *newisec = newinode->i_security;
794                         newisec->sid = sid;
795                 }
796                 newsbsec->mntpoint_sid = sid;
797         }
798         if (set_rootcontext) {
799                 const struct inode *oldinode = oldsb->s_root->d_inode;
800                 const struct inode_security_struct *oldisec = oldinode->i_security;
801                 struct inode *newinode = newsb->s_root->d_inode;
802                 struct inode_security_struct *newisec = newinode->i_security;
803
804                 newisec->sid = oldisec->sid;
805         }
806
807         sb_finish_set_opts(newsb);
808         mutex_unlock(&newsbsec->lock);
809 }
810
811 static int selinux_parse_opts_str(char *options,
812                                   struct security_mnt_opts *opts)
813 {
814         char *p;
815         char *context = NULL, *defcontext = NULL;
816         char *fscontext = NULL, *rootcontext = NULL;
817         int rc, num_mnt_opts = 0;
818
819         opts->num_mnt_opts = 0;
820
821         /* Standard string-based options. */
822         while ((p = strsep(&options, "|")) != NULL) {
823                 int token;
824                 substring_t args[MAX_OPT_ARGS];
825
826                 if (!*p)
827                         continue;
828
829                 token = match_token(p, tokens, args);
830
831                 switch (token) {
832                 case Opt_context:
833                         if (context || defcontext) {
834                                 rc = -EINVAL;
835                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
836                                 goto out_err;
837                         }
838                         context = match_strdup(&args[0]);
839                         if (!context) {
840                                 rc = -ENOMEM;
841                                 goto out_err;
842                         }
843                         break;
844
845                 case Opt_fscontext:
846                         if (fscontext) {
847                                 rc = -EINVAL;
848                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
849                                 goto out_err;
850                         }
851                         fscontext = match_strdup(&args[0]);
852                         if (!fscontext) {
853                                 rc = -ENOMEM;
854                                 goto out_err;
855                         }
856                         break;
857
858                 case Opt_rootcontext:
859                         if (rootcontext) {
860                                 rc = -EINVAL;
861                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
862                                 goto out_err;
863                         }
864                         rootcontext = match_strdup(&args[0]);
865                         if (!rootcontext) {
866                                 rc = -ENOMEM;
867                                 goto out_err;
868                         }
869                         break;
870
871                 case Opt_defcontext:
872                         if (context || defcontext) {
873                                 rc = -EINVAL;
874                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875                                 goto out_err;
876                         }
877                         defcontext = match_strdup(&args[0]);
878                         if (!defcontext) {
879                                 rc = -ENOMEM;
880                                 goto out_err;
881                         }
882                         break;
883                 case Opt_labelsupport:
884                         break;
885                 default:
886                         rc = -EINVAL;
887                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
888                         goto out_err;
889
890                 }
891         }
892
893         rc = -ENOMEM;
894         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
895         if (!opts->mnt_opts)
896                 goto out_err;
897
898         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
899         if (!opts->mnt_opts_flags) {
900                 kfree(opts->mnt_opts);
901                 goto out_err;
902         }
903
904         if (fscontext) {
905                 opts->mnt_opts[num_mnt_opts] = fscontext;
906                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
907         }
908         if (context) {
909                 opts->mnt_opts[num_mnt_opts] = context;
910                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
911         }
912         if (rootcontext) {
913                 opts->mnt_opts[num_mnt_opts] = rootcontext;
914                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
915         }
916         if (defcontext) {
917                 opts->mnt_opts[num_mnt_opts] = defcontext;
918                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
919         }
920
921         opts->num_mnt_opts = num_mnt_opts;
922         return 0;
923
924 out_err:
925         kfree(context);
926         kfree(defcontext);
927         kfree(fscontext);
928         kfree(rootcontext);
929         return rc;
930 }
931 /*
932  * string mount options parsing and call set the sbsec
933  */
934 static int superblock_doinit(struct super_block *sb, void *data)
935 {
936         int rc = 0;
937         char *options = data;
938         struct security_mnt_opts opts;
939
940         security_init_mnt_opts(&opts);
941
942         if (!data)
943                 goto out;
944
945         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
946
947         rc = selinux_parse_opts_str(options, &opts);
948         if (rc)
949                 goto out_err;
950
951 out:
952         rc = selinux_set_mnt_opts(sb, &opts);
953
954 out_err:
955         security_free_mnt_opts(&opts);
956         return rc;
957 }
958
959 static void selinux_write_opts(struct seq_file *m,
960                                struct security_mnt_opts *opts)
961 {
962         int i;
963         char *prefix;
964
965         for (i = 0; i < opts->num_mnt_opts; i++) {
966                 char *has_comma;
967
968                 if (opts->mnt_opts[i])
969                         has_comma = strchr(opts->mnt_opts[i], ',');
970                 else
971                         has_comma = NULL;
972
973                 switch (opts->mnt_opts_flags[i]) {
974                 case CONTEXT_MNT:
975                         prefix = CONTEXT_STR;
976                         break;
977                 case FSCONTEXT_MNT:
978                         prefix = FSCONTEXT_STR;
979                         break;
980                 case ROOTCONTEXT_MNT:
981                         prefix = ROOTCONTEXT_STR;
982                         break;
983                 case DEFCONTEXT_MNT:
984                         prefix = DEFCONTEXT_STR;
985                         break;
986                 case SE_SBLABELSUPP:
987                         seq_putc(m, ',');
988                         seq_puts(m, LABELSUPP_STR);
989                         continue;
990                 default:
991                         BUG();
992                         return;
993                 };
994                 /* we need a comma before each option */
995                 seq_putc(m, ',');
996                 seq_puts(m, prefix);
997                 if (has_comma)
998                         seq_putc(m, '\"');
999                 seq_puts(m, opts->mnt_opts[i]);
1000                 if (has_comma)
1001                         seq_putc(m, '\"');
1002         }
1003 }
1004
1005 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1006 {
1007         struct security_mnt_opts opts;
1008         int rc;
1009
1010         rc = selinux_get_mnt_opts(sb, &opts);
1011         if (rc) {
1012                 /* before policy load we may get EINVAL, don't show anything */
1013                 if (rc == -EINVAL)
1014                         rc = 0;
1015                 return rc;
1016         }
1017
1018         selinux_write_opts(m, &opts);
1019
1020         security_free_mnt_opts(&opts);
1021
1022         return rc;
1023 }
1024
1025 static inline u16 inode_mode_to_security_class(umode_t mode)
1026 {
1027         switch (mode & S_IFMT) {
1028         case S_IFSOCK:
1029                 return SECCLASS_SOCK_FILE;
1030         case S_IFLNK:
1031                 return SECCLASS_LNK_FILE;
1032         case S_IFREG:
1033                 return SECCLASS_FILE;
1034         case S_IFBLK:
1035                 return SECCLASS_BLK_FILE;
1036         case S_IFDIR:
1037                 return SECCLASS_DIR;
1038         case S_IFCHR:
1039                 return SECCLASS_CHR_FILE;
1040         case S_IFIFO:
1041                 return SECCLASS_FIFO_FILE;
1042
1043         }
1044
1045         return SECCLASS_FILE;
1046 }
1047
1048 static inline int default_protocol_stream(int protocol)
1049 {
1050         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1051 }
1052
1053 static inline int default_protocol_dgram(int protocol)
1054 {
1055         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1056 }
1057
1058 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1059 {
1060         switch (family) {
1061         case PF_UNIX:
1062                 switch (type) {
1063                 case SOCK_STREAM:
1064                 case SOCK_SEQPACKET:
1065                         return SECCLASS_UNIX_STREAM_SOCKET;
1066                 case SOCK_DGRAM:
1067                         return SECCLASS_UNIX_DGRAM_SOCKET;
1068                 }
1069                 break;
1070         case PF_INET:
1071         case PF_INET6:
1072                 switch (type) {
1073                 case SOCK_STREAM:
1074                         if (default_protocol_stream(protocol))
1075                                 return SECCLASS_TCP_SOCKET;
1076                         else
1077                                 return SECCLASS_RAWIP_SOCKET;
1078                 case SOCK_DGRAM:
1079                         if (default_protocol_dgram(protocol))
1080                                 return SECCLASS_UDP_SOCKET;
1081                         else
1082                                 return SECCLASS_RAWIP_SOCKET;
1083                 case SOCK_DCCP:
1084                         return SECCLASS_DCCP_SOCKET;
1085                 default:
1086                         return SECCLASS_RAWIP_SOCKET;
1087                 }
1088                 break;
1089         case PF_NETLINK:
1090                 switch (protocol) {
1091                 case NETLINK_ROUTE:
1092                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1093                 case NETLINK_FIREWALL:
1094                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1095                 case NETLINK_INET_DIAG:
1096                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1097                 case NETLINK_NFLOG:
1098                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1099                 case NETLINK_XFRM:
1100                         return SECCLASS_NETLINK_XFRM_SOCKET;
1101                 case NETLINK_SELINUX:
1102                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1103                 case NETLINK_AUDIT:
1104                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1105                 case NETLINK_IP6_FW:
1106                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1107                 case NETLINK_DNRTMSG:
1108                         return SECCLASS_NETLINK_DNRT_SOCKET;
1109                 case NETLINK_KOBJECT_UEVENT:
1110                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1111                 default:
1112                         return SECCLASS_NETLINK_SOCKET;
1113                 }
1114         case PF_PACKET:
1115                 return SECCLASS_PACKET_SOCKET;
1116         case PF_KEY:
1117                 return SECCLASS_KEY_SOCKET;
1118         case PF_APPLETALK:
1119                 return SECCLASS_APPLETALK_SOCKET;
1120         }
1121
1122         return SECCLASS_SOCKET;
1123 }
1124
1125 #ifdef CONFIG_PROC_FS
1126 static int selinux_proc_get_sid(struct dentry *dentry,
1127                                 u16 tclass,
1128                                 u32 *sid)
1129 {
1130         int rc;
1131         char *buffer, *path;
1132
1133         buffer = (char *)__get_free_page(GFP_KERNEL);
1134         if (!buffer)
1135                 return -ENOMEM;
1136
1137         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1138         if (IS_ERR(path))
1139                 rc = PTR_ERR(path);
1140         else {
1141                 /* each process gets a /proc/PID/ entry. Strip off the
1142                  * PID part to get a valid selinux labeling.
1143                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1144                 while (path[1] >= '0' && path[1] <= '9') {
1145                         path[1] = '/';
1146                         path++;
1147                 }
1148                 rc = security_genfs_sid("proc", path, tclass, sid);
1149         }
1150         free_page((unsigned long)buffer);
1151         return rc;
1152 }
1153 #else
1154 static int selinux_proc_get_sid(struct dentry *dentry,
1155                                 u16 tclass,
1156                                 u32 *sid)
1157 {
1158         return -EINVAL;
1159 }
1160 #endif
1161
1162 /* The inode's security attributes must be initialized before first use. */
1163 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1164 {
1165         struct superblock_security_struct *sbsec = NULL;
1166         struct inode_security_struct *isec = inode->i_security;
1167         u32 sid;
1168         struct dentry *dentry;
1169 #define INITCONTEXTLEN 255
1170         char *context = NULL;
1171         unsigned len = 0;
1172         int rc = 0;
1173
1174         if (isec->initialized)
1175                 goto out;
1176
1177         mutex_lock(&isec->lock);
1178         if (isec->initialized)
1179                 goto out_unlock;
1180
1181         sbsec = inode->i_sb->s_security;
1182         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1183                 /* Defer initialization until selinux_complete_init,
1184                    after the initial policy is loaded and the security
1185                    server is ready to handle calls. */
1186                 spin_lock(&sbsec->isec_lock);
1187                 if (list_empty(&isec->list))
1188                         list_add(&isec->list, &sbsec->isec_head);
1189                 spin_unlock(&sbsec->isec_lock);
1190                 goto out_unlock;
1191         }
1192
1193         switch (sbsec->behavior) {
1194         case SECURITY_FS_USE_XATTR:
1195                 if (!inode->i_op->getxattr) {
1196                         isec->sid = sbsec->def_sid;
1197                         break;
1198                 }
1199
1200                 /* Need a dentry, since the xattr API requires one.
1201                    Life would be simpler if we could just pass the inode. */
1202                 if (opt_dentry) {
1203                         /* Called from d_instantiate or d_splice_alias. */
1204                         dentry = dget(opt_dentry);
1205                 } else {
1206                         /* Called from selinux_complete_init, try to find a dentry. */
1207                         dentry = d_find_alias(inode);
1208                 }
1209                 if (!dentry) {
1210                         /*
1211                          * this is can be hit on boot when a file is accessed
1212                          * before the policy is loaded.  When we load policy we
1213                          * may find inodes that have no dentry on the
1214                          * sbsec->isec_head list.  No reason to complain as these
1215                          * will get fixed up the next time we go through
1216                          * inode_doinit with a dentry, before these inodes could
1217                          * be used again by userspace.
1218                          */
1219                         goto out_unlock;
1220                 }
1221
1222                 len = INITCONTEXTLEN;
1223                 context = kmalloc(len+1, GFP_NOFS);
1224                 if (!context) {
1225                         rc = -ENOMEM;
1226                         dput(dentry);
1227                         goto out_unlock;
1228                 }
1229                 context[len] = '\0';
1230                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1231                                            context, len);
1232                 if (rc == -ERANGE) {
1233                         kfree(context);
1234
1235                         /* Need a larger buffer.  Query for the right size. */
1236                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1237                                                    NULL, 0);
1238                         if (rc < 0) {
1239                                 dput(dentry);
1240                                 goto out_unlock;
1241                         }
1242                         len = rc;
1243                         context = kmalloc(len+1, GFP_NOFS);
1244                         if (!context) {
1245                                 rc = -ENOMEM;
1246                                 dput(dentry);
1247                                 goto out_unlock;
1248                         }
1249                         context[len] = '\0';
1250                         rc = inode->i_op->getxattr(dentry,
1251                                                    XATTR_NAME_SELINUX,
1252                                                    context, len);
1253                 }
1254                 dput(dentry);
1255                 if (rc < 0) {
1256                         if (rc != -ENODATA) {
1257                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1258                                        "%d for dev=%s ino=%ld\n", __func__,
1259                                        -rc, inode->i_sb->s_id, inode->i_ino);
1260                                 kfree(context);
1261                                 goto out_unlock;
1262                         }
1263                         /* Map ENODATA to the default file SID */
1264                         sid = sbsec->def_sid;
1265                         rc = 0;
1266                 } else {
1267                         rc = security_context_to_sid_default(context, rc, &sid,
1268                                                              sbsec->def_sid,
1269                                                              GFP_NOFS);
1270                         if (rc) {
1271                                 char *dev = inode->i_sb->s_id;
1272                                 unsigned long ino = inode->i_ino;
1273
1274                                 if (rc == -EINVAL) {
1275                                         if (printk_ratelimit())
1276                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1277                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1278                                                         "filesystem in question.\n", ino, dev, context);
1279                                 } else {
1280                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1281                                                "returned %d for dev=%s ino=%ld\n",
1282                                                __func__, context, -rc, dev, ino);
1283                                 }
1284                                 kfree(context);
1285                                 /* Leave with the unlabeled SID */
1286                                 rc = 0;
1287                                 break;
1288                         }
1289                 }
1290                 kfree(context);
1291                 isec->sid = sid;
1292                 break;
1293         case SECURITY_FS_USE_TASK:
1294                 isec->sid = isec->task_sid;
1295                 break;
1296         case SECURITY_FS_USE_TRANS:
1297                 /* Default to the fs SID. */
1298                 isec->sid = sbsec->sid;
1299
1300                 /* Try to obtain a transition SID. */
1301                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1302                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1303                                              isec->sclass, NULL, &sid);
1304                 if (rc)
1305                         goto out_unlock;
1306                 isec->sid = sid;
1307                 break;
1308         case SECURITY_FS_USE_MNTPOINT:
1309                 isec->sid = sbsec->mntpoint_sid;
1310                 break;
1311         default:
1312                 /* Default to the fs superblock SID. */
1313                 isec->sid = sbsec->sid;
1314
1315                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1316                         if (opt_dentry) {
1317                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1318                                 rc = selinux_proc_get_sid(opt_dentry,
1319                                                           isec->sclass,
1320                                                           &sid);
1321                                 if (rc)
1322                                         goto out_unlock;
1323                                 isec->sid = sid;
1324                         }
1325                 }
1326                 break;
1327         }
1328
1329         isec->initialized = 1;
1330
1331 out_unlock:
1332         mutex_unlock(&isec->lock);
1333 out:
1334         if (isec->sclass == SECCLASS_FILE)
1335                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1336         return rc;
1337 }
1338
1339 /* Convert a Linux signal to an access vector. */
1340 static inline u32 signal_to_av(int sig)
1341 {
1342         u32 perm = 0;
1343
1344         switch (sig) {
1345         case SIGCHLD:
1346                 /* Commonly granted from child to parent. */
1347                 perm = PROCESS__SIGCHLD;
1348                 break;
1349         case SIGKILL:
1350                 /* Cannot be caught or ignored */
1351                 perm = PROCESS__SIGKILL;
1352                 break;
1353         case SIGSTOP:
1354                 /* Cannot be caught or ignored */
1355                 perm = PROCESS__SIGSTOP;
1356                 break;
1357         default:
1358                 /* All other signals. */
1359                 perm = PROCESS__SIGNAL;
1360                 break;
1361         }
1362
1363         return perm;
1364 }
1365
1366 /*
1367  * Check permission between a pair of credentials
1368  * fork check, ptrace check, etc.
1369  */
1370 static int cred_has_perm(const struct cred *actor,
1371                          const struct cred *target,
1372                          u32 perms)
1373 {
1374         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1375
1376         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1377 }
1378
1379 /*
1380  * Check permission between a pair of tasks, e.g. signal checks,
1381  * fork check, ptrace check, etc.
1382  * tsk1 is the actor and tsk2 is the target
1383  * - this uses the default subjective creds of tsk1
1384  */
1385 static int task_has_perm(const struct task_struct *tsk1,
1386                          const struct task_struct *tsk2,
1387                          u32 perms)
1388 {
1389         const struct task_security_struct *__tsec1, *__tsec2;
1390         u32 sid1, sid2;
1391
1392         rcu_read_lock();
1393         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1394         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1395         rcu_read_unlock();
1396         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1397 }
1398
1399 /*
1400  * Check permission between current and another task, e.g. signal checks,
1401  * fork check, ptrace check, etc.
1402  * current is the actor and tsk2 is the target
1403  * - this uses current's subjective creds
1404  */
1405 static int current_has_perm(const struct task_struct *tsk,
1406                             u32 perms)
1407 {
1408         u32 sid, tsid;
1409
1410         sid = current_sid();
1411         tsid = task_sid(tsk);
1412         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1413 }
1414
1415 #if CAP_LAST_CAP > 63
1416 #error Fix SELinux to handle capabilities > 63.
1417 #endif
1418
1419 /* Check whether a task is allowed to use a capability. */
1420 static int task_has_capability(struct task_struct *tsk,
1421                                const struct cred *cred,
1422                                int cap, int audit)
1423 {
1424         struct common_audit_data ad;
1425         struct av_decision avd;
1426         u16 sclass;
1427         u32 sid = cred_sid(cred);
1428         u32 av = CAP_TO_MASK(cap);
1429         int rc;
1430
1431         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1432         ad.tsk = tsk;
1433         ad.u.cap = cap;
1434
1435         switch (CAP_TO_INDEX(cap)) {
1436         case 0:
1437                 sclass = SECCLASS_CAPABILITY;
1438                 break;
1439         case 1:
1440                 sclass = SECCLASS_CAPABILITY2;
1441                 break;
1442         default:
1443                 printk(KERN_ERR
1444                        "SELinux:  out of range capability %d\n", cap);
1445                 BUG();
1446                 return -EINVAL;
1447         }
1448
1449         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1450         if (audit == SECURITY_CAP_AUDIT) {
1451                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1452                 if (rc2)
1453                         return rc2;
1454         }
1455         return rc;
1456 }
1457
1458 /* Check whether a task is allowed to use a system operation. */
1459 static int task_has_system(struct task_struct *tsk,
1460                            u32 perms)
1461 {
1462         u32 sid = task_sid(tsk);
1463
1464         return avc_has_perm(sid, SECINITSID_KERNEL,
1465                             SECCLASS_SYSTEM, perms, NULL);
1466 }
1467
1468 /* Check whether a task has a particular permission to an inode.
1469    The 'adp' parameter is optional and allows other audit
1470    data to be passed (e.g. the dentry). */
1471 static int inode_has_perm(const struct cred *cred,
1472                           struct inode *inode,
1473                           u32 perms,
1474                           struct common_audit_data *adp,
1475                           unsigned flags)
1476 {
1477         struct inode_security_struct *isec;
1478         u32 sid;
1479
1480         validate_creds(cred);
1481
1482         if (unlikely(IS_PRIVATE(inode)))
1483                 return 0;
1484
1485         sid = cred_sid(cred);
1486         isec = inode->i_security;
1487
1488         return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1489 }
1490
1491 static int inode_has_perm_noadp(const struct cred *cred,
1492                                 struct inode *inode,
1493                                 u32 perms,
1494                                 unsigned flags)
1495 {
1496         struct common_audit_data ad;
1497
1498         COMMON_AUDIT_DATA_INIT(&ad, INODE);
1499         ad.u.inode = inode;
1500         return inode_has_perm(cred, inode, perms, &ad, flags);
1501 }
1502
1503 /* Same as inode_has_perm, but pass explicit audit data containing
1504    the dentry to help the auditing code to more easily generate the
1505    pathname if needed. */
1506 static inline int dentry_has_perm(const struct cred *cred,
1507                                   struct dentry *dentry,
1508                                   u32 av)
1509 {
1510         struct inode *inode = dentry->d_inode;
1511         struct common_audit_data ad;
1512
1513         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1514         ad.u.dentry = dentry;
1515         return inode_has_perm(cred, inode, av, &ad, 0);
1516 }
1517
1518 /* Same as inode_has_perm, but pass explicit audit data containing
1519    the path to help the auditing code to more easily generate the
1520    pathname if needed. */
1521 static inline int path_has_perm(const struct cred *cred,
1522                                 struct path *path,
1523                                 u32 av)
1524 {
1525         struct inode *inode = path->dentry->d_inode;
1526         struct common_audit_data ad;
1527
1528         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1529         ad.u.path = *path;
1530         return inode_has_perm(cred, inode, av, &ad, 0);
1531 }
1532
1533 /* Check whether a task can use an open file descriptor to
1534    access an inode in a given way.  Check access to the
1535    descriptor itself, and then use dentry_has_perm to
1536    check a particular permission to the file.
1537    Access to the descriptor is implicitly granted if it
1538    has the same SID as the process.  If av is zero, then
1539    access to the file is not checked, e.g. for cases
1540    where only the descriptor is affected like seek. */
1541 static int file_has_perm(const struct cred *cred,
1542                          struct file *file,
1543                          u32 av)
1544 {
1545         struct file_security_struct *fsec = file->f_security;
1546         struct inode *inode = file->f_path.dentry->d_inode;
1547         struct common_audit_data ad;
1548         u32 sid = cred_sid(cred);
1549         int rc;
1550
1551         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1552         ad.u.path = file->f_path;
1553
1554         if (sid != fsec->sid) {
1555                 rc = avc_has_perm(sid, fsec->sid,
1556                                   SECCLASS_FD,
1557                                   FD__USE,
1558                                   &ad);
1559                 if (rc)
1560                         goto out;
1561         }
1562
1563         /* av is zero if only checking access to the descriptor. */
1564         rc = 0;
1565         if (av)
1566                 rc = inode_has_perm(cred, inode, av, &ad, 0);
1567
1568 out:
1569         return rc;
1570 }
1571
1572 /* Check whether a task can create a file. */
1573 static int may_create(struct inode *dir,
1574                       struct dentry *dentry,
1575                       u16 tclass)
1576 {
1577         const struct task_security_struct *tsec = current_security();
1578         struct inode_security_struct *dsec;
1579         struct superblock_security_struct *sbsec;
1580         u32 sid, newsid;
1581         struct common_audit_data ad;
1582         int rc;
1583
1584         dsec = dir->i_security;
1585         sbsec = dir->i_sb->s_security;
1586
1587         sid = tsec->sid;
1588         newsid = tsec->create_sid;
1589
1590         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1591         ad.u.dentry = dentry;
1592
1593         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1594                           DIR__ADD_NAME | DIR__SEARCH,
1595                           &ad);
1596         if (rc)
1597                 return rc;
1598
1599         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1600                 rc = security_transition_sid(sid, dsec->sid, tclass,
1601                                              &dentry->d_name, &newsid);
1602                 if (rc)
1603                         return rc;
1604         }
1605
1606         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1607         if (rc)
1608                 return rc;
1609
1610         return avc_has_perm(newsid, sbsec->sid,
1611                             SECCLASS_FILESYSTEM,
1612                             FILESYSTEM__ASSOCIATE, &ad);
1613 }
1614
1615 /* Check whether a task can create a key. */
1616 static int may_create_key(u32 ksid,
1617                           struct task_struct *ctx)
1618 {
1619         u32 sid = task_sid(ctx);
1620
1621         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1622 }
1623
1624 #define MAY_LINK        0
1625 #define MAY_UNLINK      1
1626 #define MAY_RMDIR       2
1627
1628 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1629 static int may_link(struct inode *dir,
1630                     struct dentry *dentry,
1631                     int kind)
1632
1633 {
1634         struct inode_security_struct *dsec, *isec;
1635         struct common_audit_data ad;
1636         u32 sid = current_sid();
1637         u32 av;
1638         int rc;
1639
1640         dsec = dir->i_security;
1641         isec = dentry->d_inode->i_security;
1642
1643         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1644         ad.u.dentry = dentry;
1645
1646         av = DIR__SEARCH;
1647         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1648         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1649         if (rc)
1650                 return rc;
1651
1652         switch (kind) {
1653         case MAY_LINK:
1654                 av = FILE__LINK;
1655                 break;
1656         case MAY_UNLINK:
1657                 av = FILE__UNLINK;
1658                 break;
1659         case MAY_RMDIR:
1660                 av = DIR__RMDIR;
1661                 break;
1662         default:
1663                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1664                         __func__, kind);
1665                 return 0;
1666         }
1667
1668         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1669         return rc;
1670 }
1671
1672 static inline int may_rename(struct inode *old_dir,
1673                              struct dentry *old_dentry,
1674                              struct inode *new_dir,
1675                              struct dentry *new_dentry)
1676 {
1677         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1678         struct common_audit_data ad;
1679         u32 sid = current_sid();
1680         u32 av;
1681         int old_is_dir, new_is_dir;
1682         int rc;
1683
1684         old_dsec = old_dir->i_security;
1685         old_isec = old_dentry->d_inode->i_security;
1686         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1687         new_dsec = new_dir->i_security;
1688
1689         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1690
1691         ad.u.dentry = old_dentry;
1692         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1693                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1694         if (rc)
1695                 return rc;
1696         rc = avc_has_perm(sid, old_isec->sid,
1697                           old_isec->sclass, FILE__RENAME, &ad);
1698         if (rc)
1699                 return rc;
1700         if (old_is_dir && new_dir != old_dir) {
1701                 rc = avc_has_perm(sid, old_isec->sid,
1702                                   old_isec->sclass, DIR__REPARENT, &ad);
1703                 if (rc)
1704                         return rc;
1705         }
1706
1707         ad.u.dentry = new_dentry;
1708         av = DIR__ADD_NAME | DIR__SEARCH;
1709         if (new_dentry->d_inode)
1710                 av |= DIR__REMOVE_NAME;
1711         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1712         if (rc)
1713                 return rc;
1714         if (new_dentry->d_inode) {
1715                 new_isec = new_dentry->d_inode->i_security;
1716                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1717                 rc = avc_has_perm(sid, new_isec->sid,
1718                                   new_isec->sclass,
1719                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1720                 if (rc)
1721                         return rc;
1722         }
1723
1724         return 0;
1725 }
1726
1727 /* Check whether a task can perform a filesystem operation. */
1728 static int superblock_has_perm(const struct cred *cred,
1729                                struct super_block *sb,
1730                                u32 perms,
1731                                struct common_audit_data *ad)
1732 {
1733         struct superblock_security_struct *sbsec;
1734         u32 sid = cred_sid(cred);
1735
1736         sbsec = sb->s_security;
1737         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1738 }
1739
1740 /* Convert a Linux mode and permission mask to an access vector. */
1741 static inline u32 file_mask_to_av(int mode, int mask)
1742 {
1743         u32 av = 0;
1744
1745         if ((mode & S_IFMT) != S_IFDIR) {
1746                 if (mask & MAY_EXEC)
1747                         av |= FILE__EXECUTE;
1748                 if (mask & MAY_READ)
1749                         av |= FILE__READ;
1750
1751                 if (mask & MAY_APPEND)
1752                         av |= FILE__APPEND;
1753                 else if (mask & MAY_WRITE)
1754                         av |= FILE__WRITE;
1755
1756         } else {
1757                 if (mask & MAY_EXEC)
1758                         av |= DIR__SEARCH;
1759                 if (mask & MAY_WRITE)
1760                         av |= DIR__WRITE;
1761                 if (mask & MAY_READ)
1762                         av |= DIR__READ;
1763         }
1764
1765         return av;
1766 }
1767
1768 /* Convert a Linux file to an access vector. */
1769 static inline u32 file_to_av(struct file *file)
1770 {
1771         u32 av = 0;
1772
1773         if (file->f_mode & FMODE_READ)
1774                 av |= FILE__READ;
1775         if (file->f_mode & FMODE_WRITE) {
1776                 if (file->f_flags & O_APPEND)
1777                         av |= FILE__APPEND;
1778                 else
1779                         av |= FILE__WRITE;
1780         }
1781         if (!av) {
1782                 /*
1783                  * Special file opened with flags 3 for ioctl-only use.
1784                  */
1785                 av = FILE__IOCTL;
1786         }
1787
1788         return av;
1789 }
1790
1791 /*
1792  * Convert a file to an access vector and include the correct open
1793  * open permission.
1794  */
1795 static inline u32 open_file_to_av(struct file *file)
1796 {
1797         u32 av = file_to_av(file);
1798
1799         if (selinux_policycap_openperm)
1800                 av |= FILE__OPEN;
1801
1802         return av;
1803 }
1804
1805 /* Hook functions begin here. */
1806
1807 static int selinux_ptrace_access_check(struct task_struct *child,
1808                                      unsigned int mode)
1809 {
1810         int rc;
1811
1812         rc = cap_ptrace_access_check(child, mode);
1813         if (rc)
1814                 return rc;
1815
1816         if (mode == PTRACE_MODE_READ) {
1817                 u32 sid = current_sid();
1818                 u32 csid = task_sid(child);
1819                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1820         }
1821
1822         return current_has_perm(child, PROCESS__PTRACE);
1823 }
1824
1825 static int selinux_ptrace_traceme(struct task_struct *parent)
1826 {
1827         int rc;
1828
1829         rc = cap_ptrace_traceme(parent);
1830         if (rc)
1831                 return rc;
1832
1833         return task_has_perm(parent, current, PROCESS__PTRACE);
1834 }
1835
1836 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1837                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1838 {
1839         int error;
1840
1841         error = current_has_perm(target, PROCESS__GETCAP);
1842         if (error)
1843                 return error;
1844
1845         return cap_capget(target, effective, inheritable, permitted);
1846 }
1847
1848 static int selinux_capset(struct cred *new, const struct cred *old,
1849                           const kernel_cap_t *effective,
1850                           const kernel_cap_t *inheritable,
1851                           const kernel_cap_t *permitted)
1852 {
1853         int error;
1854
1855         error = cap_capset(new, old,
1856                                       effective, inheritable, permitted);
1857         if (error)
1858                 return error;
1859
1860         return cred_has_perm(old, new, PROCESS__SETCAP);
1861 }
1862
1863 /*
1864  * (This comment used to live with the selinux_task_setuid hook,
1865  * which was removed).
1866  *
1867  * Since setuid only affects the current process, and since the SELinux
1868  * controls are not based on the Linux identity attributes, SELinux does not
1869  * need to control this operation.  However, SELinux does control the use of
1870  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1871  */
1872
1873 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1874                            struct user_namespace *ns, int cap, int audit)
1875 {
1876         int rc;
1877
1878         rc = cap_capable(tsk, cred, ns, cap, audit);
1879         if (rc)
1880                 return rc;
1881
1882         return task_has_capability(tsk, cred, cap, audit);
1883 }
1884
1885 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1886 {
1887         const struct cred *cred = current_cred();
1888         int rc = 0;
1889
1890         if (!sb)
1891                 return 0;
1892
1893         switch (cmds) {
1894         case Q_SYNC:
1895         case Q_QUOTAON:
1896         case Q_QUOTAOFF:
1897         case Q_SETINFO:
1898         case Q_SETQUOTA:
1899                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1900                 break;
1901         case Q_GETFMT:
1902         case Q_GETINFO:
1903         case Q_GETQUOTA:
1904                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1905                 break;
1906         default:
1907                 rc = 0;  /* let the kernel handle invalid cmds */
1908                 break;
1909         }
1910         return rc;
1911 }
1912
1913 static int selinux_quota_on(struct dentry *dentry)
1914 {
1915         const struct cred *cred = current_cred();
1916
1917         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1918 }
1919
1920 static int selinux_syslog(int type)
1921 {
1922         int rc;
1923
1924         switch (type) {
1925         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1926         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1927                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1928                 break;
1929         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1930         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1931         /* Set level of messages printed to console */
1932         case SYSLOG_ACTION_CONSOLE_LEVEL:
1933                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1934                 break;
1935         case SYSLOG_ACTION_CLOSE:       /* Close log */
1936         case SYSLOG_ACTION_OPEN:        /* Open log */
1937         case SYSLOG_ACTION_READ:        /* Read from log */
1938         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1939         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1940         default:
1941                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1942                 break;
1943         }
1944         return rc;
1945 }
1946
1947 /*
1948  * Check that a process has enough memory to allocate a new virtual
1949  * mapping. 0 means there is enough memory for the allocation to
1950  * succeed and -ENOMEM implies there is not.
1951  *
1952  * Do not audit the selinux permission check, as this is applied to all
1953  * processes that allocate mappings.
1954  */
1955 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1956 {
1957         int rc, cap_sys_admin = 0;
1958
1959         rc = selinux_capable(current, current_cred(),
1960                              &init_user_ns, CAP_SYS_ADMIN,
1961                              SECURITY_CAP_NOAUDIT);
1962         if (rc == 0)
1963                 cap_sys_admin = 1;
1964
1965         return __vm_enough_memory(mm, pages, cap_sys_admin);
1966 }
1967
1968 /* binprm security operations */
1969
1970 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1971 {
1972         const struct task_security_struct *old_tsec;
1973         struct task_security_struct *new_tsec;
1974         struct inode_security_struct *isec;
1975         struct common_audit_data ad;
1976         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1977         int rc;
1978
1979         rc = cap_bprm_set_creds(bprm);
1980         if (rc)
1981                 return rc;
1982
1983         /* SELinux context only depends on initial program or script and not
1984          * the script interpreter */
1985         if (bprm->cred_prepared)
1986                 return 0;
1987
1988         old_tsec = current_security();
1989         new_tsec = bprm->cred->security;
1990         isec = inode->i_security;
1991
1992         /* Default to the current task SID. */
1993         new_tsec->sid = old_tsec->sid;
1994         new_tsec->osid = old_tsec->sid;
1995
1996         /* Reset fs, key, and sock SIDs on execve. */
1997         new_tsec->create_sid = 0;
1998         new_tsec->keycreate_sid = 0;
1999         new_tsec->sockcreate_sid = 0;
2000
2001         if (old_tsec->exec_sid) {
2002                 new_tsec->sid = old_tsec->exec_sid;
2003                 /* Reset exec SID on execve. */
2004                 new_tsec->exec_sid = 0;
2005         } else {
2006                 /* Check for a default transition on this program. */
2007                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2008                                              SECCLASS_PROCESS, NULL,
2009                                              &new_tsec->sid);
2010                 if (rc)
2011                         return rc;
2012         }
2013
2014         COMMON_AUDIT_DATA_INIT(&ad, PATH);
2015         ad.u.path = bprm->file->f_path;
2016
2017         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2018                 new_tsec->sid = old_tsec->sid;
2019
2020         if (new_tsec->sid == old_tsec->sid) {
2021                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2022                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2023                 if (rc)
2024                         return rc;
2025         } else {
2026                 /* Check permissions for the transition. */
2027                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2028                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2029                 if (rc)
2030                         return rc;
2031
2032                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2033                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2034                 if (rc)
2035                         return rc;
2036
2037                 /* Check for shared state */
2038                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2039                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2040                                           SECCLASS_PROCESS, PROCESS__SHARE,
2041                                           NULL);
2042                         if (rc)
2043                                 return -EPERM;
2044                 }
2045
2046                 /* Make sure that anyone attempting to ptrace over a task that
2047                  * changes its SID has the appropriate permit */
2048                 if (bprm->unsafe &
2049                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2050                         struct task_struct *tracer;
2051                         struct task_security_struct *sec;
2052                         u32 ptsid = 0;
2053
2054                         rcu_read_lock();
2055                         tracer = ptrace_parent(current);
2056                         if (likely(tracer != NULL)) {
2057                                 sec = __task_cred(tracer)->security;
2058                                 ptsid = sec->sid;
2059                         }
2060                         rcu_read_unlock();
2061
2062                         if (ptsid != 0) {
2063                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2064                                                   SECCLASS_PROCESS,
2065                                                   PROCESS__PTRACE, NULL);
2066                                 if (rc)
2067                                         return -EPERM;
2068                         }
2069                 }
2070
2071                 /* Clear any possibly unsafe personality bits on exec: */
2072                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2073         }
2074
2075         return 0;
2076 }
2077
2078 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2079 {
2080         const struct task_security_struct *tsec = current_security();
2081         u32 sid, osid;
2082         int atsecure = 0;
2083
2084         sid = tsec->sid;
2085         osid = tsec->osid;
2086
2087         if (osid != sid) {
2088                 /* Enable secure mode for SIDs transitions unless
2089                    the noatsecure permission is granted between
2090                    the two SIDs, i.e. ahp returns 0. */
2091                 atsecure = avc_has_perm(osid, sid,
2092                                         SECCLASS_PROCESS,
2093                                         PROCESS__NOATSECURE, NULL);
2094         }
2095
2096         return (atsecure || cap_bprm_secureexec(bprm));
2097 }
2098
2099 /* Derived from fs/exec.c:flush_old_files. */
2100 static inline void flush_unauthorized_files(const struct cred *cred,
2101                                             struct files_struct *files)
2102 {
2103         struct common_audit_data ad;
2104         struct file *file, *devnull = NULL;
2105         struct tty_struct *tty;
2106         struct fdtable *fdt;
2107         long j = -1;
2108         int drop_tty = 0;
2109
2110         tty = get_current_tty();
2111         if (tty) {
2112                 spin_lock(&tty_files_lock);
2113                 if (!list_empty(&tty->tty_files)) {
2114                         struct tty_file_private *file_priv;
2115                         struct inode *inode;
2116
2117                         /* Revalidate access to controlling tty.
2118                            Use inode_has_perm on the tty inode directly rather
2119                            than using file_has_perm, as this particular open
2120                            file may belong to another process and we are only
2121                            interested in the inode-based check here. */
2122                         file_priv = list_first_entry(&tty->tty_files,
2123                                                 struct tty_file_private, list);
2124                         file = file_priv->file;
2125                         inode = file->f_path.dentry->d_inode;
2126                         if (inode_has_perm_noadp(cred, inode,
2127                                            FILE__READ | FILE__WRITE, 0)) {
2128                                 drop_tty = 1;
2129                         }
2130                 }
2131                 spin_unlock(&tty_files_lock);
2132                 tty_kref_put(tty);
2133         }
2134         /* Reset controlling tty. */
2135         if (drop_tty)
2136                 no_tty();
2137
2138         /* Revalidate access to inherited open files. */
2139
2140         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2141
2142         spin_lock(&files->file_lock);
2143         for (;;) {
2144                 unsigned long set, i;
2145                 int fd;
2146
2147                 j++;
2148                 i = j * __NFDBITS;
2149                 fdt = files_fdtable(files);
2150                 if (i >= fdt->max_fds)
2151                         break;
2152                 set = fdt->open_fds->fds_bits[j];
2153                 if (!set)
2154                         continue;
2155                 spin_unlock(&files->file_lock);
2156                 for ( ; set ; i++, set >>= 1) {
2157                         if (set & 1) {
2158                                 file = fget(i);
2159                                 if (!file)
2160                                         continue;
2161                                 if (file_has_perm(cred,
2162                                                   file,
2163                                                   file_to_av(file))) {
2164                                         sys_close(i);
2165                                         fd = get_unused_fd();
2166                                         if (fd != i) {
2167                                                 if (fd >= 0)
2168                                                         put_unused_fd(fd);
2169                                                 fput(file);
2170                                                 continue;
2171                                         }
2172                                         if (devnull) {
2173                                                 get_file(devnull);
2174                                         } else {
2175                                                 devnull = dentry_open(
2176                                                         dget(selinux_null),
2177                                                         mntget(selinuxfs_mount),
2178                                                         O_RDWR, cred);
2179                                                 if (IS_ERR(devnull)) {
2180                                                         devnull = NULL;
2181                                                         put_unused_fd(fd);
2182                                                         fput(file);
2183                                                         continue;
2184                                                 }
2185                                         }
2186                                         fd_install(fd, devnull);
2187                                 }
2188                                 fput(file);
2189                         }
2190                 }
2191                 spin_lock(&files->file_lock);
2192
2193         }
2194         spin_unlock(&files->file_lock);
2195 }
2196
2197 /*
2198  * Prepare a process for imminent new credential changes due to exec
2199  */
2200 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2201 {
2202         struct task_security_struct *new_tsec;
2203         struct rlimit *rlim, *initrlim;
2204         int rc, i;
2205
2206         new_tsec = bprm->cred->security;
2207         if (new_tsec->sid == new_tsec->osid)
2208                 return;
2209
2210         /* Close files for which the new task SID is not authorized. */
2211         flush_unauthorized_files(bprm->cred, current->files);
2212
2213         /* Always clear parent death signal on SID transitions. */
2214         current->pdeath_signal = 0;
2215
2216         /* Check whether the new SID can inherit resource limits from the old
2217          * SID.  If not, reset all soft limits to the lower of the current
2218          * task's hard limit and the init task's soft limit.
2219          *
2220          * Note that the setting of hard limits (even to lower them) can be
2221          * controlled by the setrlimit check.  The inclusion of the init task's
2222          * soft limit into the computation is to avoid resetting soft limits
2223          * higher than the default soft limit for cases where the default is
2224          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2225          */
2226         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2227                           PROCESS__RLIMITINH, NULL);
2228         if (rc) {
2229                 /* protect against do_prlimit() */
2230                 task_lock(current);
2231                 for (i = 0; i < RLIM_NLIMITS; i++) {
2232                         rlim = current->signal->rlim + i;
2233                         initrlim = init_task.signal->rlim + i;
2234                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2235                 }
2236                 task_unlock(current);
2237                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2238         }
2239 }
2240
2241 /*
2242  * Clean up the process immediately after the installation of new credentials
2243  * due to exec
2244  */
2245 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2246 {
2247         const struct task_security_struct *tsec = current_security();
2248         struct itimerval itimer;
2249         u32 osid, sid;
2250         int rc, i;
2251
2252         osid = tsec->osid;
2253         sid = tsec->sid;
2254
2255         if (sid == osid)
2256                 return;
2257
2258         /* Check whether the new SID can inherit signal state from the old SID.
2259          * If not, clear itimers to avoid subsequent signal generation and
2260          * flush and unblock signals.
2261          *
2262          * This must occur _after_ the task SID has been updated so that any
2263          * kill done after the flush will be checked against the new SID.
2264          */
2265         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2266         if (rc) {
2267                 memset(&itimer, 0, sizeof itimer);
2268                 for (i = 0; i < 3; i++)
2269                         do_setitimer(i, &itimer, NULL);
2270                 spin_lock_irq(&current->sighand->siglock);
2271                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2272                         __flush_signals(current);
2273                         flush_signal_handlers(current, 1);
2274                         sigemptyset(&current->blocked);
2275                 }
2276                 spin_unlock_irq(&current->sighand->siglock);
2277         }
2278
2279         /* Wake up the parent if it is waiting so that it can recheck
2280          * wait permission to the new task SID. */
2281         read_lock(&tasklist_lock);
2282         __wake_up_parent(current, current->real_parent);
2283         read_unlock(&tasklist_lock);
2284 }
2285
2286 /* superblock security operations */
2287
2288 static int selinux_sb_alloc_security(struct super_block *sb)
2289 {
2290         return superblock_alloc_security(sb);
2291 }
2292
2293 static void selinux_sb_free_security(struct super_block *sb)
2294 {
2295         superblock_free_security(sb);
2296 }
2297
2298 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2299 {
2300         if (plen > olen)
2301                 return 0;
2302
2303         return !memcmp(prefix, option, plen);
2304 }
2305
2306 static inline int selinux_option(char *option, int len)
2307 {
2308         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2309                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2310                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2311                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2312                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2313 }
2314
2315 static inline void take_option(char **to, char *from, int *first, int len)
2316 {
2317         if (!*first) {
2318                 **to = ',';
2319                 *to += 1;
2320         } else
2321                 *first = 0;
2322         memcpy(*to, from, len);
2323         *to += len;
2324 }
2325
2326 static inline void take_selinux_option(char **to, char *from, int *first,
2327                                        int len)
2328 {
2329         int current_size = 0;
2330
2331         if (!*first) {
2332                 **to = '|';
2333                 *to += 1;
2334         } else
2335                 *first = 0;
2336
2337         while (current_size < len) {
2338                 if (*from != '"') {
2339                         **to = *from;
2340                         *to += 1;
2341                 }
2342                 from += 1;
2343                 current_size += 1;
2344         }
2345 }
2346
2347 static int selinux_sb_copy_data(char *orig, char *copy)
2348 {
2349         int fnosec, fsec, rc = 0;
2350         char *in_save, *in_curr, *in_end;
2351         char *sec_curr, *nosec_save, *nosec;
2352         int open_quote = 0;
2353
2354         in_curr = orig;
2355         sec_curr = copy;
2356
2357         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2358         if (!nosec) {
2359                 rc = -ENOMEM;
2360                 goto out;
2361         }
2362
2363         nosec_save = nosec;
2364         fnosec = fsec = 1;
2365         in_save = in_end = orig;
2366
2367         do {
2368                 if (*in_end == '"')
2369                         open_quote = !open_quote;
2370                 if ((*in_end == ',' && open_quote == 0) ||
2371                                 *in_end == '\0') {
2372                         int len = in_end - in_curr;
2373
2374                         if (selinux_option(in_curr, len))
2375                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2376                         else
2377                                 take_option(&nosec, in_curr, &fnosec, len);
2378
2379                         in_curr = in_end + 1;
2380                 }
2381         } while (*in_end++);
2382
2383         strcpy(in_save, nosec_save);
2384         free_page((unsigned long)nosec_save);
2385 out:
2386         return rc;
2387 }
2388
2389 static int selinux_sb_remount(struct super_block *sb, void *data)
2390 {
2391         int rc, i, *flags;
2392         struct security_mnt_opts opts;
2393         char *secdata, **mount_options;
2394         struct superblock_security_struct *sbsec = sb->s_security;
2395
2396         if (!(sbsec->flags & SE_SBINITIALIZED))
2397                 return 0;
2398
2399         if (!data)
2400                 return 0;
2401
2402         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2403                 return 0;
2404
2405         security_init_mnt_opts(&opts);
2406         secdata = alloc_secdata();
2407         if (!secdata)
2408                 return -ENOMEM;
2409         rc = selinux_sb_copy_data(data, secdata);
2410         if (rc)
2411                 goto out_free_secdata;
2412
2413         rc = selinux_parse_opts_str(secdata, &opts);
2414         if (rc)
2415                 goto out_free_secdata;
2416
2417         mount_options = opts.mnt_opts;
2418         flags = opts.mnt_opts_flags;
2419
2420         for (i = 0; i < opts.num_mnt_opts; i++) {
2421                 u32 sid;
2422                 size_t len;
2423
2424                 if (flags[i] == SE_SBLABELSUPP)
2425                         continue;
2426                 len = strlen(mount_options[i]);
2427                 rc = security_context_to_sid(mount_options[i], len, &sid);
2428                 if (rc) {
2429                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2430                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2431                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2432                         goto out_free_opts;
2433                 }
2434                 rc = -EINVAL;
2435                 switch (flags[i]) {
2436                 case FSCONTEXT_MNT:
2437                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2438                                 goto out_bad_option;
2439                         break;
2440                 case CONTEXT_MNT:
2441                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2442                                 goto out_bad_option;
2443                         break;
2444                 case ROOTCONTEXT_MNT: {
2445                         struct inode_security_struct *root_isec;
2446                         root_isec = sb->s_root->d_inode->i_security;
2447
2448                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2449                                 goto out_bad_option;
2450                         break;
2451                 }
2452                 case DEFCONTEXT_MNT:
2453                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2454                                 goto out_bad_option;
2455                         break;
2456                 default:
2457                         goto out_free_opts;
2458                 }
2459         }
2460
2461         rc = 0;
2462 out_free_opts:
2463         security_free_mnt_opts(&opts);
2464 out_free_secdata:
2465         free_secdata(secdata);
2466         return rc;
2467 out_bad_option:
2468         printk(KERN_WARNING "SELinux: unable to change security options "
2469                "during remount (dev %s, type=%s)\n", sb->s_id,
2470                sb->s_type->name);
2471         goto out_free_opts;
2472 }
2473
2474 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2475 {
2476         const struct cred *cred = current_cred();
2477         struct common_audit_data ad;
2478         int rc;
2479
2480         rc = superblock_doinit(sb, data);
2481         if (rc)
2482                 return rc;
2483
2484         /* Allow all mounts performed by the kernel */
2485         if (flags & MS_KERNMOUNT)
2486                 return 0;
2487
2488         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2489         ad.u.dentry = sb->s_root;
2490         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2491 }
2492
2493 static int selinux_sb_statfs(struct dentry *dentry)
2494 {
2495         const struct cred *cred = current_cred();
2496         struct common_audit_data ad;
2497
2498         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2499         ad.u.dentry = dentry->d_sb->s_root;
2500         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2501 }
2502
2503 static int selinux_mount(char *dev_name,
2504                          struct path *path,
2505                          char *type,
2506                          unsigned long flags,
2507                          void *data)
2508 {
2509         const struct cred *cred = current_cred();
2510
2511         if (flags & MS_REMOUNT)
2512                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2513                                            FILESYSTEM__REMOUNT, NULL);
2514         else
2515                 return path_has_perm(cred, path, FILE__MOUNTON);
2516 }
2517
2518 static int selinux_umount(struct vfsmount *mnt, int flags)
2519 {
2520         const struct cred *cred = current_cred();
2521
2522         return superblock_has_perm(cred, mnt->mnt_sb,
2523                                    FILESYSTEM__UNMOUNT, NULL);
2524 }
2525
2526 /* inode security operations */
2527
2528 static int selinux_inode_alloc_security(struct inode *inode)
2529 {
2530         return inode_alloc_security(inode);
2531 }
2532
2533 static void selinux_inode_free_security(struct inode *inode)
2534 {
2535         inode_free_security(inode);
2536 }
2537
2538 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2539                                        const struct qstr *qstr, char **name,
2540                                        void **value, size_t *len)
2541 {
2542         const struct task_security_struct *tsec = current_security();
2543         struct inode_security_struct *dsec;
2544         struct superblock_security_struct *sbsec;
2545         u32 sid, newsid, clen;
2546         int rc;
2547         char *namep = NULL, *context;
2548
2549         dsec = dir->i_security;
2550         sbsec = dir->i_sb->s_security;
2551
2552         sid = tsec->sid;
2553         newsid = tsec->create_sid;
2554
2555         if ((sbsec->flags & SE_SBINITIALIZED) &&
2556             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2557                 newsid = sbsec->mntpoint_sid;
2558         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2559                 rc = security_transition_sid(sid, dsec->sid,
2560                                              inode_mode_to_security_class(inode->i_mode),
2561                                              qstr, &newsid);
2562                 if (rc) {
2563                         printk(KERN_WARNING "%s:  "
2564                                "security_transition_sid failed, rc=%d (dev=%s "
2565                                "ino=%ld)\n",
2566                                __func__,
2567                                -rc, inode->i_sb->s_id, inode->i_ino);
2568                         return rc;
2569                 }
2570         }
2571
2572         /* Possibly defer initialization to selinux_complete_init. */
2573         if (sbsec->flags & SE_SBINITIALIZED) {
2574                 struct inode_security_struct *isec = inode->i_security;
2575                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2576                 isec->sid = newsid;
2577                 isec->initialized = 1;
2578         }
2579
2580         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2581                 return -EOPNOTSUPP;
2582
2583         if (name) {
2584                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2585                 if (!namep)
2586                         return -ENOMEM;
2587                 *name = namep;
2588         }
2589
2590         if (value && len) {
2591                 rc = security_sid_to_context_force(newsid, &context, &clen);
2592                 if (rc) {
2593                         kfree(namep);
2594                         return rc;
2595                 }
2596                 *value = context;
2597                 *len = clen;
2598         }
2599
2600         return 0;
2601 }
2602
2603 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2604 {
2605         return may_create(dir, dentry, SECCLASS_FILE);
2606 }
2607
2608 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2609 {
2610         return may_link(dir, old_dentry, MAY_LINK);
2611 }
2612
2613 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2614 {
2615         return may_link(dir, dentry, MAY_UNLINK);
2616 }
2617
2618 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2619 {
2620         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2621 }
2622
2623 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2624 {
2625         return may_create(dir, dentry, SECCLASS_DIR);
2626 }
2627
2628 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2629 {
2630         return may_link(dir, dentry, MAY_RMDIR);
2631 }
2632
2633 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2634 {
2635         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2636 }
2637
2638 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2639                                 struct inode *new_inode, struct dentry *new_dentry)
2640 {
2641         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2642 }
2643
2644 static int selinux_inode_readlink(struct dentry *dentry)
2645 {
2646         const struct cred *cred = current_cred();
2647
2648         return dentry_has_perm(cred, dentry, FILE__READ);
2649 }
2650
2651 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2652 {
2653         const struct cred *cred = current_cred();
2654
2655         return dentry_has_perm(cred, dentry, FILE__READ);
2656 }
2657
2658 static int selinux_inode_permission(struct inode *inode, int mask)
2659 {
2660         const struct cred *cred = current_cred();
2661         struct common_audit_data ad;
2662         u32 perms;
2663         bool from_access;
2664         unsigned flags = mask & MAY_NOT_BLOCK;
2665
2666         from_access = mask & MAY_ACCESS;
2667         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2668
2669         /* No permission to check.  Existence test. */
2670         if (!mask)
2671                 return 0;
2672
2673         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2674         ad.u.inode = inode;
2675
2676         if (from_access)
2677                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2678
2679         perms = file_mask_to_av(inode->i_mode, mask);
2680
2681         return inode_has_perm(cred, inode, perms, &ad, flags);
2682 }
2683
2684 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2685 {
2686         const struct cred *cred = current_cred();
2687         unsigned int ia_valid = iattr->ia_valid;
2688
2689         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2690         if (ia_valid & ATTR_FORCE) {
2691                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2692                               ATTR_FORCE);
2693                 if (!ia_valid)
2694                         return 0;
2695         }
2696
2697         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2698                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2699                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2700
2701         return dentry_has_perm(cred, dentry, FILE__WRITE);
2702 }
2703
2704 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2705 {
2706         const struct cred *cred = current_cred();
2707         struct path path;
2708
2709         path.dentry = dentry;
2710         path.mnt = mnt;
2711
2712         return path_has_perm(cred, &path, FILE__GETATTR);
2713 }
2714
2715 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2716 {
2717         const struct cred *cred = current_cred();
2718
2719         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2720                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2721                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2722                         if (!capable(CAP_SETFCAP))
2723                                 return -EPERM;
2724                 } else if (!capable(CAP_SYS_ADMIN)) {
2725                         /* A different attribute in the security namespace.
2726                            Restrict to administrator. */
2727                         return -EPERM;
2728                 }
2729         }
2730
2731         /* Not an attribute we recognize, so just check the
2732            ordinary setattr permission. */
2733         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2734 }
2735
2736 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2737                                   const void *value, size_t size, int flags)
2738 {
2739         struct inode *inode = dentry->d_inode;
2740         struct inode_security_struct *isec = inode->i_security;
2741         struct superblock_security_struct *sbsec;
2742         struct common_audit_data ad;
2743         u32 newsid, sid = current_sid();
2744         int rc = 0;
2745
2746         if (strcmp(name, XATTR_NAME_SELINUX))
2747                 return selinux_inode_setotherxattr(dentry, name);
2748
2749         sbsec = inode->i_sb->s_security;
2750         if (!(sbsec->flags & SE_SBLABELSUPP))
2751                 return -EOPNOTSUPP;
2752
2753         if (!inode_owner_or_capable(inode))
2754                 return -EPERM;
2755
2756         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2757         ad.u.dentry = dentry;
2758
2759         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2760                           FILE__RELABELFROM, &ad);
2761         if (rc)
2762                 return rc;
2763
2764         rc = security_context_to_sid(value, size, &newsid);
2765         if (rc == -EINVAL) {
2766                 if (!capable(CAP_MAC_ADMIN))
2767                         return rc;
2768                 rc = security_context_to_sid_force(value, size, &newsid);
2769         }
2770         if (rc)
2771                 return rc;
2772
2773         rc = avc_has_perm(sid, newsid, isec->sclass,
2774                           FILE__RELABELTO, &ad);
2775         if (rc)
2776                 return rc;
2777
2778         rc = security_validate_transition(isec->sid, newsid, sid,
2779                                           isec->sclass);
2780         if (rc)
2781                 return rc;
2782
2783         return avc_has_perm(newsid,
2784                             sbsec->sid,
2785                             SECCLASS_FILESYSTEM,
2786                             FILESYSTEM__ASSOCIATE,
2787                             &ad);
2788 }
2789
2790 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2791                                         const void *value, size_t size,
2792                                         int flags)
2793 {
2794         struct inode *inode = dentry->d_inode;
2795         struct inode_security_struct *isec = inode->i_security;
2796         u32 newsid;
2797         int rc;
2798
2799         if (strcmp(name, XATTR_NAME_SELINUX)) {
2800                 /* Not an attribute we recognize, so nothing to do. */
2801                 return;
2802         }
2803
2804         rc = security_context_to_sid_force(value, size, &newsid);
2805         if (rc) {
2806                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2807                        "for (%s, %lu), rc=%d\n",
2808                        inode->i_sb->s_id, inode->i_ino, -rc);
2809                 return;
2810         }
2811
2812         isec->sid = newsid;
2813         return;
2814 }
2815
2816 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2817 {
2818         const struct cred *cred = current_cred();
2819
2820         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2821 }
2822
2823 static int selinux_inode_listxattr(struct dentry *dentry)
2824 {
2825         const struct cred *cred = current_cred();
2826
2827         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2828 }
2829
2830 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2831 {
2832         if (strcmp(name, XATTR_NAME_SELINUX))
2833                 return selinux_inode_setotherxattr(dentry, name);
2834
2835         /* No one is allowed to remove a SELinux security label.
2836            You can change the label, but all data must be labeled. */
2837         return -EACCES;
2838 }
2839
2840 /*
2841  * Copy the inode security context value to the user.
2842  *
2843  * Permission check is handled by selinux_inode_getxattr hook.
2844  */
2845 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2846 {
2847         u32 size;
2848         int error;
2849         char *context = NULL;
2850         struct inode_security_struct *isec = inode->i_security;
2851
2852         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2853                 return -EOPNOTSUPP;
2854
2855         /*
2856          * If the caller has CAP_MAC_ADMIN, then get the raw context
2857          * value even if it is not defined by current policy; otherwise,
2858          * use the in-core value under current policy.
2859          * Use the non-auditing forms of the permission checks since
2860          * getxattr may be called by unprivileged processes commonly
2861          * and lack of permission just means that we fall back to the
2862          * in-core context value, not a denial.
2863          */
2864         error = selinux_capable(current, current_cred(),
2865                                 &init_user_ns, CAP_MAC_ADMIN,
2866                                 SECURITY_CAP_NOAUDIT);
2867         if (!error)
2868                 error = security_sid_to_context_force(isec->sid, &context,
2869                                                       &size);
2870         else
2871                 error = security_sid_to_context(isec->sid, &context, &size);
2872         if (error)
2873                 return error;
2874         error = size;
2875         if (alloc) {
2876                 *buffer = context;
2877                 goto out_nofree;
2878         }
2879         kfree(context);
2880 out_nofree:
2881         return error;
2882 }
2883
2884 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2885                                      const void *value, size_t size, int flags)
2886 {
2887         struct inode_security_struct *isec = inode->i_security;
2888         u32 newsid;
2889         int rc;
2890
2891         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2892                 return -EOPNOTSUPP;
2893
2894         if (!value || !size)
2895                 return -EACCES;
2896
2897         rc = security_context_to_sid((void *)value, size, &newsid);
2898         if (rc)
2899                 return rc;
2900
2901         isec->sid = newsid;
2902         isec->initialized = 1;
2903         return 0;
2904 }
2905
2906 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2907 {
2908         const int len = sizeof(XATTR_NAME_SELINUX);
2909         if (buffer && len <= buffer_size)
2910                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2911         return len;
2912 }
2913
2914 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2915 {
2916         struct inode_security_struct *isec = inode->i_security;
2917         *secid = isec->sid;
2918 }
2919
2920 /* file security operations */
2921
2922 static int selinux_revalidate_file_permission(struct file *file, int mask)
2923 {
2924         const struct cred *cred = current_cred();
2925         struct inode *inode = file->f_path.dentry->d_inode;
2926
2927         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2928         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2929                 mask |= MAY_APPEND;
2930
2931         return file_has_perm(cred, file,
2932                              file_mask_to_av(inode->i_mode, mask));
2933 }
2934
2935 static int selinux_file_permission(struct file *file, int mask)
2936 {
2937         struct inode *inode = file->f_path.dentry->d_inode;
2938         struct file_security_struct *fsec = file->f_security;
2939         struct inode_security_struct *isec = inode->i_security;
2940         u32 sid = current_sid();
2941
2942         if (!mask)
2943                 /* No permission to check.  Existence test. */
2944                 return 0;
2945
2946         if (sid == fsec->sid && fsec->isid == isec->sid &&
2947             fsec->pseqno == avc_policy_seqno())
2948                 /* No change since dentry_open check. */
2949                 return 0;
2950
2951         return selinux_revalidate_file_permission(file, mask);
2952 }
2953
2954 static int selinux_file_alloc_security(struct file *file)
2955 {
2956         return file_alloc_security(file);
2957 }
2958
2959 static void selinux_file_free_security(struct file *file)
2960 {
2961         file_free_security(file);
2962 }
2963
2964 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2965                               unsigned long arg)
2966 {
2967         const struct cred *cred = current_cred();
2968         int error = 0;
2969
2970         switch (cmd) {
2971         case FIONREAD:
2972         /* fall through */
2973         case FIBMAP:
2974         /* fall through */
2975         case FIGETBSZ:
2976         /* fall through */
2977         case EXT2_IOC_GETFLAGS:
2978         /* fall through */
2979         case EXT2_IOC_GETVERSION:
2980                 error = file_has_perm(cred, file, FILE__GETATTR);
2981                 break;
2982
2983         case EXT2_IOC_SETFLAGS:
2984         /* fall through */
2985         case EXT2_IOC_SETVERSION:
2986                 error = file_has_perm(cred, file, FILE__SETATTR);
2987                 break;
2988
2989         /* sys_ioctl() checks */
2990         case FIONBIO:
2991         /* fall through */
2992         case FIOASYNC:
2993                 error = file_has_perm(cred, file, 0);
2994                 break;
2995
2996         case KDSKBENT:
2997         case KDSKBSENT:
2998                 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2999                                         SECURITY_CAP_AUDIT);
3000                 break;
3001
3002         /* default case assumes that the command will go
3003          * to the file's ioctl() function.
3004          */
3005         default:
3006                 error = file_has_perm(cred, file, FILE__IOCTL);
3007         }
3008         return error;
3009 }
3010
3011 static int default_noexec;
3012
3013 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3014 {
3015         const struct cred *cred = current_cred();
3016         int rc = 0;
3017
3018         if (default_noexec &&
3019             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3020                 /*
3021                  * We are making executable an anonymous mapping or a
3022                  * private file mapping that will also be writable.
3023                  * This has an additional check.
3024                  */
3025                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3026                 if (rc)
3027                         goto error;
3028         }
3029
3030         if (file) {
3031                 /* read access is always possible with a mapping */
3032                 u32 av = FILE__READ;
3033
3034                 /* write access only matters if the mapping is shared */
3035                 if (shared && (prot & PROT_WRITE))
3036                         av |= FILE__WRITE;
3037
3038                 if (prot & PROT_EXEC)
3039                         av |= FILE__EXECUTE;
3040
3041                 return file_has_perm(cred, file, av);
3042         }
3043
3044 error:
3045         return rc;
3046 }
3047
3048 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3049                              unsigned long prot, unsigned long flags,
3050                              unsigned long addr, unsigned long addr_only)
3051 {
3052         int rc = 0;
3053         u32 sid = current_sid();
3054
3055         /*
3056          * notice that we are intentionally putting the SELinux check before
3057          * the secondary cap_file_mmap check.  This is such a likely attempt
3058          * at bad behaviour/exploit that we always want to get the AVC, even
3059          * if DAC would have also denied the operation.
3060          */
3061         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3062                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3063                                   MEMPROTECT__MMAP_ZERO, NULL);
3064                 if (rc)
3065                         return rc;
3066         }
3067
3068         /* do DAC check on address space usage */
3069         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3070         if (rc || addr_only)
3071                 return rc;
3072
3073         if (selinux_checkreqprot)
3074                 prot = reqprot;
3075
3076         return file_map_prot_check(file, prot,
3077                                    (flags & MAP_TYPE) == MAP_SHARED);
3078 }
3079
3080 static int selinux_file_mprotect(struct vm_area_struct *vma,
3081                                  unsigned long reqprot,
3082                                  unsigned long prot)
3083 {
3084         const struct cred *cred = current_cred();
3085
3086         if (selinux_checkreqprot)
3087                 prot = reqprot;
3088
3089         if (default_noexec &&
3090             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3091                 int rc = 0;
3092                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3093                     vma->vm_end <= vma->vm_mm->brk) {
3094                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3095                 } else if (!vma->vm_file &&
3096                            vma->vm_start <= vma->vm_mm->start_stack &&
3097                            vma->vm_end >= vma->vm_mm->start_stack) {
3098                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3099                 } else if (vma->vm_file && vma->anon_vma) {
3100                         /*
3101                          * We are making executable a file mapping that has
3102                          * had some COW done. Since pages might have been
3103                          * written, check ability to execute the possibly
3104                          * modified content.  This typically should only
3105                          * occur for text relocations.
3106                          */
3107                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3108                 }
3109                 if (rc)
3110                         return rc;
3111         }
3112
3113         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3114 }
3115
3116 static int selinux_file_lock(struct file *file, unsigned int cmd)
3117 {
3118         const struct cred *cred = current_cred();
3119
3120         return file_has_perm(cred, file, FILE__LOCK);
3121 }
3122
3123 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3124                               unsigned long arg)
3125 {
3126         const struct cred *cred = current_cred();
3127         int err = 0;
3128
3129         switch (cmd) {
3130         case F_SETFL:
3131                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3132                         err = -EINVAL;
3133                         break;
3134                 }
3135
3136                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3137                         err = file_has_perm(cred, file, FILE__WRITE);
3138                         break;
3139                 }
3140                 /* fall through */
3141         case F_SETOWN:
3142         case F_SETSIG:
3143         case F_GETFL:
3144         case F_GETOWN:
3145         case F_GETSIG:
3146                 /* Just check FD__USE permission */
3147                 err = file_has_perm(cred, file, 0);
3148                 break;
3149         case F_GETLK:
3150         case F_SETLK:
3151         case F_SETLKW:
3152 #if BITS_PER_LONG == 32
3153         case F_GETLK64:
3154         case F_SETLK64:
3155         case F_SETLKW64:
3156 #endif
3157                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3158                         err = -EINVAL;
3159                         break;
3160                 }
3161                 err = file_has_perm(cred, file, FILE__LOCK);
3162                 break;
3163         }
3164
3165         return err;
3166 }
3167
3168 static int selinux_file_set_fowner(struct file *file)
3169 {
3170         struct file_security_struct *fsec;
3171
3172         fsec = file->f_security;
3173         fsec->fown_sid = current_sid();
3174
3175         return 0;
3176 }
3177
3178 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3179                                        struct fown_struct *fown, int signum)
3180 {
3181         struct file *file;
3182         u32 sid = task_sid(tsk);
3183         u32 perm;
3184         struct file_security_struct *fsec;
3185
3186         /* struct fown_struct is never outside the context of a struct file */
3187         file = container_of(fown, struct file, f_owner);
3188
3189         fsec = file->f_security;
3190
3191         if (!signum)
3192                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3193         else
3194                 perm = signal_to_av(signum);
3195
3196         return avc_has_perm(fsec->fown_sid, sid,
3197                             SECCLASS_PROCESS, perm, NULL);
3198 }
3199
3200 static int selinux_file_receive(struct file *file)
3201 {
3202         const struct cred *cred = current_cred();
3203
3204         return file_has_perm(cred, file, file_to_av(file));
3205 }
3206
3207 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3208 {
3209         struct file_security_struct *fsec;
3210         struct inode *inode;
3211         struct inode_security_struct *isec;
3212
3213         inode = file->f_path.dentry->d_inode;
3214         fsec = file->f_security;
3215         isec = inode->i_security;
3216         /*
3217          * Save inode label and policy sequence number
3218          * at open-time so that selinux_file_permission
3219          * can determine whether revalidation is necessary.
3220          * Task label is already saved in the file security
3221          * struct as its SID.
3222          */
3223         fsec->isid = isec->sid;
3224         fsec->pseqno = avc_policy_seqno();
3225         /*
3226          * Since the inode label or policy seqno may have changed
3227          * between the selinux_inode_permission check and the saving
3228          * of state above, recheck that access is still permitted.
3229          * Otherwise, access might never be revalidated against the
3230          * new inode label or new policy.
3231          * This check is not redundant - do not remove.
3232          */
3233         return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3234 }
3235
3236 /* task security operations */
3237
3238 static int selinux_task_create(unsigned long clone_flags)
3239 {
3240         return current_has_perm(current, PROCESS__FORK);
3241 }
3242
3243 /*
3244  * allocate the SELinux part of blank credentials
3245  */
3246 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3247 {
3248         struct task_security_struct *tsec;
3249
3250         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3251         if (!tsec)
3252                 return -ENOMEM;
3253
3254         cred->security = tsec;
3255         return 0;
3256 }
3257
3258 /*
3259  * detach and free the LSM part of a set of credentials
3260  */
3261 static void selinux_cred_free(struct cred *cred)
3262 {
3263         struct task_security_struct *tsec = cred->security;
3264
3265         /*
3266          * cred->security == NULL if security_cred_alloc_blank() or
3267          * security_prepare_creds() returned an error.
3268          */
3269         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3270         cred->security = (void *) 0x7UL;
3271         kfree(tsec);
3272 }
3273
3274 /*
3275  * prepare a new set of credentials for modification
3276  */
3277 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3278                                 gfp_t gfp)
3279 {
3280         const struct task_security_struct *old_tsec;
3281         struct task_security_struct *tsec;
3282
3283         old_tsec = old->security;
3284
3285         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3286         if (!tsec)
3287                 return -ENOMEM;
3288
3289         new->security = tsec;
3290         return 0;
3291 }
3292
3293 /*
3294  * transfer the SELinux data to a blank set of creds
3295  */
3296 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3297 {
3298         const struct task_security_struct *old_tsec = old->security;
3299         struct task_security_struct *tsec = new->security;
3300
3301         *tsec = *old_tsec;
3302 }
3303
3304 /*
3305  * set the security data for a kernel service
3306  * - all the creation contexts are set to unlabelled
3307  */
3308 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3309 {
3310         struct task_security_struct *tsec = new->security;
3311         u32 sid = current_sid();
3312         int ret;
3313
3314         ret = avc_has_perm(sid, secid,
3315                            SECCLASS_KERNEL_SERVICE,
3316                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3317                            NULL);
3318         if (ret == 0) {
3319                 tsec->sid = secid;
3320                 tsec->create_sid = 0;
3321                 tsec->keycreate_sid = 0;
3322                 tsec->sockcreate_sid = 0;
3323         }
3324         return ret;
3325 }
3326
3327 /*
3328  * set the file creation context in a security record to the same as the
3329  * objective context of the specified inode
3330  */
3331 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3332 {
3333         struct inode_security_struct *isec = inode->i_security;
3334         struct task_security_struct *tsec = new->security;
3335         u32 sid = current_sid();
3336         int ret;
3337
3338         ret = avc_has_perm(sid, isec->sid,
3339                            SECCLASS_KERNEL_SERVICE,
3340                            KERNEL_SERVICE__CREATE_FILES_AS,
3341                            NULL);
3342
3343         if (ret == 0)
3344                 tsec->create_sid = isec->sid;
3345         return ret;
3346 }
3347
3348 static int selinux_kernel_module_request(char *kmod_name)
3349 {
3350         u32 sid;
3351         struct common_audit_data ad;
3352
3353         sid = task_sid(current);
3354
3355         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3356         ad.u.kmod_name = kmod_name;
3357
3358         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3359                             SYSTEM__MODULE_REQUEST, &ad);
3360 }
3361
3362 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3363 {
3364         return current_has_perm(p, PROCESS__SETPGID);
3365 }
3366
3367 static int selinux_task_getpgid(struct task_struct *p)
3368 {
3369         return current_has_perm(p, PROCESS__GETPGID);
3370 }
3371
3372 static int selinux_task_getsid(struct task_struct *p)
3373 {
3374         return current_has_perm(p, PROCESS__GETSESSION);
3375 }
3376
3377 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3378 {
3379         *secid = task_sid(p);
3380 }
3381
3382 static int selinux_task_setnice(struct task_struct *p, int nice)
3383 {
3384         int rc;
3385
3386         rc = cap_task_setnice(p, nice);
3387         if (rc)
3388                 return rc;
3389
3390         return current_has_perm(p, PROCESS__SETSCHED);
3391 }
3392
3393 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3394 {
3395         int rc;
3396
3397         rc = cap_task_setioprio(p, ioprio);
3398         if (rc)
3399                 return rc;
3400
3401         return current_has_perm(p, PROCESS__SETSCHED);
3402 }
3403
3404 static int selinux_task_getioprio(struct task_struct *p)
3405 {
3406         return current_has_perm(p, PROCESS__GETSCHED);
3407 }
3408
3409 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3410                 struct rlimit *new_rlim)
3411 {
3412         struct rlimit *old_rlim = p->signal->rlim + resource;
3413
3414         /* Control the ability to change the hard limit (whether
3415            lowering or raising it), so that the hard limit can
3416            later be used as a safe reset point for the soft limit
3417            upon context transitions.  See selinux_bprm_committing_creds. */
3418         if (old_rlim->rlim_max != new_rlim->rlim_max)
3419                 return current_has_perm(p, PROCESS__SETRLIMIT);
3420
3421         return 0;
3422 }
3423
3424 static int selinux_task_setscheduler(struct task_struct *p)
3425 {
3426         int rc;
3427
3428         rc = cap_task_setscheduler(p);
3429         if (rc)
3430                 return rc;
3431
3432         return current_has_perm(p, PROCESS__SETSCHED);
3433 }
3434
3435 static int selinux_task_getscheduler(struct task_struct *p)
3436 {
3437         return current_has_perm(p, PROCESS__GETSCHED);
3438 }
3439
3440 static int selinux_task_movememory(struct task_struct *p)
3441 {
3442         return current_has_perm(p, PROCESS__SETSCHED);
3443 }
3444
3445 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3446                                 int sig, u32 secid)
3447 {
3448         u32 perm;
3449         int rc;
3450
3451         if (!sig)
3452                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3453         else
3454                 perm = signal_to_av(sig);
3455         if (secid)
3456                 rc = avc_has_perm(secid, task_sid(p),
3457                                   SECCLASS_PROCESS, perm, NULL);
3458         else
3459                 rc = current_has_perm(p, perm);
3460         return rc;
3461 }
3462
3463 static int selinux_task_wait(struct task_struct *p)
3464 {
3465         return task_has_perm(p, current, PROCESS__SIGCHLD);
3466 }
3467
3468 static void selinux_task_to_inode(struct task_struct *p,
3469                                   struct inode *inode)
3470 {
3471         struct inode_security_struct *isec = inode->i_security;
3472         u32 sid = task_sid(p);
3473
3474         isec->sid = sid;
3475         isec->initialized = 1;
3476 }
3477
3478 /* Returns error only if unable to parse addresses */
3479 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3480                         struct common_audit_data *ad, u8 *proto)
3481 {
3482         int offset, ihlen, ret = -EINVAL;
3483         struct iphdr _iph, *ih;
3484
3485         offset = skb_network_offset(skb);
3486         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3487         if (ih == NULL)
3488                 goto out;
3489
3490         ihlen = ih->ihl * 4;
3491         if (ihlen < sizeof(_iph))
3492                 goto out;
3493
3494         ad->u.net.v4info.saddr = ih->saddr;
3495         ad->u.net.v4info.daddr = ih->daddr;
3496         ret = 0;
3497
3498         if (proto)
3499                 *proto = ih->protocol;
3500
3501         switch (ih->protocol) {
3502         case IPPROTO_TCP: {
3503                 struct tcphdr _tcph, *th;
3504
3505                 if (ntohs(ih->frag_off) & IP_OFFSET)
3506                         break;
3507
3508                 offset += ihlen;
3509                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3510                 if (th == NULL)
3511                         break;
3512
3513                 ad->u.net.sport = th->source;
3514                 ad->u.net.dport = th->dest;
3515                 break;
3516         }
3517
3518         case IPPROTO_UDP: {
3519                 struct udphdr _udph, *uh;
3520
3521                 if (ntohs(ih->frag_off) & IP_OFFSET)
3522                         break;
3523
3524                 offset += ihlen;
3525                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3526                 if (uh == NULL)
3527                         break;
3528
3529                 ad->u.net.sport = uh->source;
3530                 ad->u.net.dport = uh->dest;
3531                 break;
3532         }
3533
3534         case IPPROTO_DCCP: {
3535                 struct dccp_hdr _dccph, *dh;
3536
3537                 if (ntohs(ih->frag_off) & IP_OFFSET)
3538                         break;
3539
3540                 offset += ihlen;
3541                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3542                 if (dh == NULL)
3543                         break;
3544
3545                 ad->u.net.sport = dh->dccph_sport;
3546                 ad->u.net.dport = dh->dccph_dport;
3547                 break;
3548         }
3549
3550         default:
3551                 break;
3552         }
3553 out:
3554         return ret;
3555 }
3556
3557 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3558
3559 /* Returns error only if unable to parse addresses */
3560 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3561                         struct common_audit_data *ad, u8 *proto)
3562 {
3563         u8 nexthdr;
3564         int ret = -EINVAL, offset;
3565         struct ipv6hdr _ipv6h, *ip6;
3566
3567         offset = skb_network_offset(skb);
3568         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3569         if (ip6 == NULL)
3570                 goto out;
3571
3572         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3573         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3574         ret = 0;
3575
3576         nexthdr = ip6->nexthdr;
3577         offset += sizeof(_ipv6h);
3578         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3579         if (offset < 0)
3580                 goto out;
3581
3582         if (proto)
3583                 *proto = nexthdr;
3584
3585         switch (nexthdr) {
3586         case IPPROTO_TCP: {
3587                 struct tcphdr _tcph, *th;
3588
3589                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3590                 if (th == NULL)
3591                         break;
3592
3593                 ad->u.net.sport = th->source;
3594                 ad->u.net.dport = th->dest;
3595                 break;
3596         }
3597
3598         case IPPROTO_UDP: {
3599                 struct udphdr _udph, *uh;
3600
3601                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3602                 if (uh == NULL)
3603                         break;
3604
3605                 ad->u.net.sport = uh->source;
3606                 ad->u.net.dport = uh->dest;
3607                 break;
3608         }
3609
3610         case IPPROTO_DCCP: {
3611                 struct dccp_hdr _dccph, *dh;
3612
3613                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3614                 if (dh == NULL)
3615                         break;
3616
3617                 ad->u.net.sport = dh->dccph_sport;
3618                 ad->u.net.dport = dh->dccph_dport;
3619                 break;
3620         }
3621
3622         /* includes fragments */
3623         default:
3624                 break;
3625         }
3626 out:
3627         return ret;
3628 }
3629
3630 #endif /* IPV6 */
3631
3632 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3633                              char **_addrp, int src, u8 *proto)
3634 {
3635         char *addrp;
3636         int ret;
3637
3638         switch (ad->u.net.family) {
3639         case PF_INET:
3640                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3641                 if (ret)
3642                         goto parse_error;
3643                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3644                                        &ad->u.net.v4info.daddr);
3645                 goto okay;
3646
3647 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3648         case PF_INET6:
3649                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3650                 if (ret)
3651                         goto parse_error;
3652                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3653                                        &ad->u.net.v6info.daddr);
3654                 goto okay;
3655 #endif  /* IPV6 */
3656         default:
3657                 addrp = NULL;
3658                 goto okay;
3659         }
3660
3661 parse_error:
3662         printk(KERN_WARNING
3663                "SELinux: failure in selinux_parse_skb(),"
3664                " unable to parse packet\n");
3665         return ret;
3666
3667 okay:
3668         if (_addrp)
3669                 *_addrp = addrp;
3670         return 0;
3671 }
3672
3673 /**
3674  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3675  * @skb: the packet
3676  * @family: protocol family
3677  * @sid: the packet's peer label SID
3678  *
3679  * Description:
3680  * Check the various different forms of network peer labeling and determine
3681  * the peer label/SID for the packet; most of the magic actually occurs in
3682  * the security server function security_net_peersid_cmp().  The function
3683  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3684  * or -EACCES if @sid is invalid due to inconsistencies with the different
3685  * peer labels.
3686  *
3687  */
3688 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3689 {
3690         int err;
3691         u32 xfrm_sid;
3692         u32 nlbl_sid;
3693         u32 nlbl_type;
3694
3695         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3696         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3697
3698         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3699         if (unlikely(err)) {
3700                 printk(KERN_WARNING
3701                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3702                        " unable to determine packet's peer label\n");
3703                 return -EACCES;
3704         }
3705
3706         return 0;
3707 }
3708
3709 /* socket security operations */
3710
3711 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3712                                  u16 secclass, u32 *socksid)
3713 {
3714         if (tsec->sockcreate_sid > SECSID_NULL) {
3715                 *socksid = tsec->sockcreate_sid;
3716                 return 0;
3717         }
3718
3719         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3720                                        socksid);
3721 }
3722
3723 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3724 {
3725         struct sk_security_struct *sksec = sk->sk_security;
3726         struct common_audit_data ad;
3727         u32 tsid = task_sid(task);
3728
3729         if (sksec->sid == SECINITSID_KERNEL)
3730                 return 0;
3731
3732         COMMON_AUDIT_DATA_INIT(&ad, NET);
3733         ad.u.net.sk = sk;
3734
3735         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3736 }
3737
3738 static int selinux_socket_create(int family, int type,
3739                                  int protocol, int kern)
3740 {
3741         const struct task_security_struct *tsec = current_security();
3742         u32 newsid;
3743         u16 secclass;
3744         int rc;
3745
3746         if (kern)
3747                 return 0;
3748
3749         secclass = socket_type_to_security_class(family, type, protocol);
3750         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3751         if (rc)
3752                 return rc;
3753
3754         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3755 }
3756
3757 static int selinux_socket_post_create(struct socket *sock, int family,
3758                                       int type, int protocol, int kern)
3759 {
3760         const struct task_security_struct *tsec = current_security();
3761         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3762         struct sk_security_struct *sksec;
3763         int err = 0;
3764
3765         isec->sclass = socket_type_to_security_class(family, type, protocol);
3766
3767         if (kern)
3768                 isec->sid = SECINITSID_KERNEL;
3769         else {
3770                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3771                 if (err)
3772                         return err;
3773         }
3774
3775         isec->initialized = 1;
3776
3777         if (sock->sk) {
3778                 sksec = sock->sk->sk_security;
3779                 sksec->sid = isec->sid;
3780                 sksec->sclass = isec->sclass;
3781                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3782         }
3783
3784         return err;
3785 }
3786
3787 /* Range of port numbers used to automatically bind.
3788    Need to determine whether we should perform a name_bind
3789    permission check between the socket and the port number. */
3790
3791 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3792 {
3793         struct sock *sk = sock->sk;
3794         u16 family;
3795         int err;
3796
3797         err = sock_has_perm(current, sk, SOCKET__BIND);
3798         if (err)
3799                 goto out;
3800
3801         /*
3802          * If PF_INET or PF_INET6, check name_bind permission for the port.
3803          * Multiple address binding for SCTP is not supported yet: we just
3804          * check the first address now.
3805          */
3806         family = sk->sk_family;
3807         if (family == PF_INET || family == PF_INET6) {
3808                 char *addrp;
3809                 struct sk_security_struct *sksec = sk->sk_security;
3810                 struct common_audit_data ad;
3811                 struct sockaddr_in *addr4 = NULL;
3812                 struct sockaddr_in6 *addr6 = NULL;
3813                 unsigned short snum;
3814                 u32 sid, node_perm;
3815
3816                 if (family == PF_INET) {
3817                         addr4 = (struct sockaddr_in *)address;
3818                         snum = ntohs(addr4->sin_port);
3819                         addrp = (char *)&addr4->sin_addr.s_addr;
3820                 } else {
3821                         addr6 = (struct sockaddr_in6 *)address;
3822                         snum = ntohs(addr6->sin6_port);
3823                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3824                 }
3825
3826                 if (snum) {
3827                         int low, high;
3828
3829                         inet_get_local_port_range(&low, &high);
3830
3831                         if (snum < max(PROT_SOCK, low) || snum > high) {
3832                                 err = sel_netport_sid(sk->sk_protocol,
3833                                                       snum, &sid);
3834                                 if (err)
3835                                         goto out;
3836                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3837                                 ad.u.net.sport = htons(snum);
3838                                 ad.u.net.family = family;
3839                                 err = avc_has_perm(sksec->sid, sid,
3840                                                    sksec->sclass,
3841                                                    SOCKET__NAME_BIND, &ad);
3842                                 if (err)
3843                                         goto out;
3844                         }
3845                 }
3846
3847                 switch (sksec->sclass) {
3848                 case SECCLASS_TCP_SOCKET:
3849                         node_perm = TCP_SOCKET__NODE_BIND;
3850                         break;
3851
3852                 case SECCLASS_UDP_SOCKET:
3853                         node_perm = UDP_SOCKET__NODE_BIND;
3854                         break;
3855
3856                 case SECCLASS_DCCP_SOCKET:
3857                         node_perm = DCCP_SOCKET__NODE_BIND;
3858                         break;
3859
3860                 default:
3861                         node_perm = RAWIP_SOCKET__NODE_BIND;
3862                         break;
3863                 }
3864
3865                 err = sel_netnode_sid(addrp, family, &sid);
3866                 if (err)
3867                         goto out;
3868
3869                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3870                 ad.u.net.sport = htons(snum);
3871                 ad.u.net.family = family;
3872
3873                 if (family == PF_INET)
3874                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3875                 else
3876                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3877
3878                 err = avc_has_perm(sksec->sid, sid,
3879                                    sksec->sclass, node_perm, &ad);
3880                 if (err)
3881                         goto out;
3882         }
3883 out:
3884         return err;
3885 }
3886
3887 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3888 {
3889         struct sock *sk = sock->sk;
3890         struct sk_security_struct *sksec = sk->sk_security;
3891         int err;
3892
3893         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3894         if (err)
3895                 return err;
3896
3897         /*
3898          * If a TCP or DCCP socket, check name_connect permission for the port.
3899          */
3900         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3901             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3902                 struct common_audit_data ad;
3903                 struct sockaddr_in *addr4 = NULL;
3904                 struct sockaddr_in6 *addr6 = NULL;
3905                 unsigned short snum;
3906                 u32 sid, perm;
3907
3908                 if (sk->sk_family == PF_INET) {
3909                         addr4 = (struct sockaddr_in *)address;
3910                         if (addrlen < sizeof(struct sockaddr_in))
3911                                 return -EINVAL;
3912                         snum = ntohs(addr4->sin_port);
3913                 } else {
3914                         addr6 = (struct sockaddr_in6 *)address;
3915                         if (addrlen < SIN6_LEN_RFC2133)
3916                                 return -EINVAL;
3917                         snum = ntohs(addr6->sin6_port);
3918                 }
3919
3920                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3921                 if (err)
3922                         goto out;
3923
3924                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3925                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3926
3927                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3928                 ad.u.net.dport = htons(snum);
3929                 ad.u.net.family = sk->sk_family;
3930                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3931                 if (err)
3932                         goto out;
3933         }
3934
3935         err = selinux_netlbl_socket_connect(sk, address);
3936
3937 out:
3938         return err;
3939 }
3940
3941 static int selinux_socket_listen(struct socket *sock, int backlog)
3942 {
3943         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3944 }
3945
3946 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3947 {
3948         int err;
3949         struct inode_security_struct *isec;
3950         struct inode_security_struct *newisec;
3951
3952         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3953         if (err)
3954                 return err;
3955
3956         newisec = SOCK_INODE(newsock)->i_security;
3957
3958         isec = SOCK_INODE(sock)->i_security;
3959         newisec->sclass = isec->sclass;
3960         newisec->sid = isec->sid;
3961         newisec->initialized = 1;
3962
3963         return 0;
3964 }
3965
3966 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3967                                   int size)
3968 {
3969         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3970 }
3971
3972 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3973                                   int size, int flags)
3974 {
3975         return sock_has_perm(current, sock->sk, SOCKET__READ);
3976 }
3977
3978 static int selinux_socket_getsockname(struct socket *sock)
3979 {
3980         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3981 }
3982
3983 static int selinux_socket_getpeername(struct socket *sock)
3984 {
3985         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3986 }
3987
3988 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3989 {
3990         int err;
3991
3992         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3993         if (err)
3994                 return err;
3995
3996         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3997 }
3998
3999 static int selinux_socket_getsockopt(struct socket *sock, int level,
4000                                      int optname)
4001 {
4002         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4003 }
4004
4005 static int selinux_socket_shutdown(struct socket *sock, int how)
4006 {
4007         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4008 }
4009
4010 static int selinux_socket_unix_stream_connect(struct sock *sock,
4011                                               struct sock *other,
4012                                               struct sock *newsk)
4013 {
4014         struct sk_security_struct *sksec_sock = sock->sk_security;
4015         struct sk_security_struct *sksec_other = other->sk_security;
4016         struct sk_security_struct *sksec_new = newsk->sk_security;
4017         struct common_audit_data ad;
4018         int err;
4019
4020         COMMON_AUDIT_DATA_INIT(&ad, NET);
4021         ad.u.net.sk = other;
4022
4023         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4024                            sksec_other->sclass,
4025                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4026         if (err)
4027                 return err;
4028
4029         /* server child socket */
4030         sksec_new->peer_sid = sksec_sock->sid;
4031         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4032                                     &sksec_new->sid);
4033         if (err)
4034                 return err;
4035
4036         /* connecting socket */
4037         sksec_sock->peer_sid = sksec_new->sid;
4038
4039         return 0;
4040 }
4041
4042 static int selinux_socket_unix_may_send(struct socket *sock,
4043                                         struct socket *other)
4044 {
4045         struct sk_security_struct *ssec = sock->sk->sk_security;
4046         struct sk_security_struct *osec = other->sk->sk_security;
4047         struct common_audit_data ad;
4048
4049         COMMON_AUDIT_DATA_INIT(&ad, NET);
4050         ad.u.net.sk = other->sk;
4051
4052         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4053                             &ad);
4054 }
4055
4056 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4057                                     u32 peer_sid,
4058                                     struct common_audit_data *ad)
4059 {
4060         int err;
4061         u32 if_sid;
4062         u32 node_sid;
4063
4064         err = sel_netif_sid(ifindex, &if_sid);
4065         if (err)
4066                 return err;
4067         err = avc_has_perm(peer_sid, if_sid,
4068                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4069         if (err)
4070                 return err;
4071
4072         err = sel_netnode_sid(addrp, family, &node_sid);
4073         if (err)
4074                 return err;
4075         return avc_has_perm(peer_sid, node_sid,
4076                             SECCLASS_NODE, NODE__RECVFROM, ad);
4077 }
4078
4079 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4080                                        u16 family)
4081 {
4082         int err = 0;
4083         struct sk_security_struct *sksec = sk->sk_security;
4084         u32 sk_sid = sksec->sid;
4085         struct common_audit_data ad;
4086         char *addrp;
4087
4088         COMMON_AUDIT_DATA_INIT(&ad, NET);
4089         ad.u.net.netif = skb->skb_iif;
4090         ad.u.net.family = family;
4091         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4092         if (err)
4093                 return err;
4094
4095         if (selinux_secmark_enabled()) {
4096                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4097                                    PACKET__RECV, &ad);
4098                 if (err)
4099                         return err;
4100         }
4101
4102         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4103         if (err)
4104                 return err;
4105         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4106
4107         return err;
4108 }
4109
4110 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4111 {
4112         int err;
4113         struct sk_security_struct *sksec = sk->sk_security;
4114         u16 family = sk->sk_family;
4115         u32 sk_sid = sksec->sid;
4116         struct common_audit_data ad;
4117         char *addrp;
4118         u8 secmark_active;
4119         u8 peerlbl_active;
4120
4121         if (family != PF_INET && family != PF_INET6)
4122                 return 0;
4123
4124         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4125         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4126                 family = PF_INET;
4127
4128         /* If any sort of compatibility mode is enabled then handoff processing
4129          * to the selinux_sock_rcv_skb_compat() function to deal with the
4130          * special handling.  We do this in an attempt to keep this function
4131          * as fast and as clean as possible. */
4132         if (!selinux_policycap_netpeer)
4133                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4134
4135         secmark_active = selinux_secmark_enabled();
4136         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4137         if (!secmark_active && !peerlbl_active)
4138                 return 0;
4139
4140         COMMON_AUDIT_DATA_INIT(&ad, NET);
4141         ad.u.net.netif = skb->skb_iif;
4142         ad.u.net.family = family;
4143         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4144         if (err)
4145                 return err;
4146
4147         if (peerlbl_active) {
4148                 u32 peer_sid;
4149
4150                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4151                 if (err)
4152                         return err;
4153                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4154                                                peer_sid, &ad);
4155                 if (err) {
4156                         selinux_netlbl_err(skb, err, 0);
4157                         return err;
4158                 }
4159                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4160                                    PEER__RECV, &ad);
4161                 if (err)
4162                         selinux_netlbl_err(skb, err, 0);
4163         }
4164
4165         if (secmark_active) {
4166                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4167                                    PACKET__RECV, &ad);
4168                 if (err)
4169                         return err;
4170         }
4171
4172         return err;
4173 }
4174
4175 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4176                                             int __user *optlen, unsigned len)
4177 {
4178         int err = 0;
4179         char *scontext;
4180         u32 scontext_len;
4181         struct sk_security_struct *sksec = sock->sk->sk_security;
4182         u32 peer_sid = SECSID_NULL;
4183
4184         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4185             sksec->sclass == SECCLASS_TCP_SOCKET)
4186                 peer_sid = sksec->peer_sid;
4187         if (peer_sid == SECSID_NULL)
4188                 return -ENOPROTOOPT;
4189
4190         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4191         if (err)
4192                 return err;
4193
4194         if (scontext_len > len) {
4195                 err = -ERANGE;
4196                 goto out_len;
4197         }
4198
4199         if (copy_to_user(optval, scontext, scontext_len))
4200                 err = -EFAULT;
4201
4202 out_len:
4203         if (put_user(scontext_len, optlen))
4204                 err = -EFAULT;
4205         kfree(scontext);
4206         return err;
4207 }
4208
4209 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4210 {
4211         u32 peer_secid = SECSID_NULL;
4212         u16 family;
4213
4214         if (skb && skb->protocol == htons(ETH_P_IP))
4215                 family = PF_INET;
4216         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4217                 family = PF_INET6;
4218         else if (sock)
4219                 family = sock->sk->sk_family;
4220         else
4221                 goto out;
4222
4223         if (sock && family == PF_UNIX)
4224                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4225         else if (skb)
4226                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4227
4228 out:
4229         *secid = peer_secid;
4230         if (peer_secid == SECSID_NULL)
4231                 return -EINVAL;
4232         return 0;
4233 }
4234
4235 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4236 {
4237         struct sk_security_struct *sksec;
4238
4239         sksec = kzalloc(sizeof(*sksec), priority);
4240         if (!sksec)
4241                 return -ENOMEM;
4242
4243         sksec->peer_sid = SECINITSID_UNLABELED;
4244         sksec->sid = SECINITSID_UNLABELED;
4245         selinux_netlbl_sk_security_reset(sksec);
4246         sk->sk_security = sksec;
4247
4248         return 0;
4249 }
4250
4251 static void selinux_sk_free_security(struct sock *sk)
4252 {
4253         struct sk_security_struct *sksec = sk->sk_security;
4254
4255         sk->sk_security = NULL;
4256         selinux_netlbl_sk_security_free(sksec);
4257         kfree(sksec);
4258 }
4259
4260 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4261 {
4262         struct sk_security_struct *sksec = sk->sk_security;
4263         struct sk_security_struct *newsksec = newsk->sk_security;
4264
4265         newsksec->sid = sksec->sid;
4266         newsksec->peer_sid = sksec->peer_sid;
4267         newsksec->sclass = sksec->sclass;
4268
4269         selinux_netlbl_sk_security_reset(newsksec);
4270 }
4271
4272 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4273 {
4274         if (!sk)
4275                 *secid = SECINITSID_ANY_SOCKET;
4276         else {
4277                 struct sk_security_struct *sksec = sk->sk_security;
4278
4279                 *secid = sksec->sid;
4280         }
4281 }
4282
4283 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4284 {
4285         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4286         struct sk_security_struct *sksec = sk->sk_security;
4287
4288         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4289             sk->sk_family == PF_UNIX)
4290                 isec->sid = sksec->sid;
4291         sksec->sclass = isec->sclass;
4292 }
4293
4294 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4295                                      struct request_sock *req)
4296 {
4297         struct sk_security_struct *sksec = sk->sk_security;
4298         int err;
4299         u16 family = sk->sk_family;
4300         u32 newsid;
4301         u32 peersid;
4302
4303         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4304         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4305                 family = PF_INET;
4306
4307         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4308         if (err)
4309                 return err;
4310         if (peersid == SECSID_NULL) {
4311                 req->secid = sksec->sid;
4312                 req->peer_secid = SECSID_NULL;
4313         } else {
4314                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4315                 if (err)
4316                         return err;
4317                 req->secid = newsid;
4318                 req->peer_secid = peersid;
4319         }
4320
4321         return selinux_netlbl_inet_conn_request(req, family);
4322 }
4323
4324 static void selinux_inet_csk_clone(struct sock *newsk,
4325                                    const struct request_sock *req)
4326 {
4327         struct sk_security_struct *newsksec = newsk->sk_security;
4328
4329         newsksec->sid = req->secid;
4330         newsksec->peer_sid = req->peer_secid;
4331         /* NOTE: Ideally, we should also get the isec->sid for the
4332            new socket in sync, but we don't have the isec available yet.
4333            So we will wait until sock_graft to do it, by which
4334            time it will have been created and available. */
4335
4336         /* We don't need to take any sort of lock here as we are the only
4337          * thread with access to newsksec */
4338         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4339 }
4340
4341 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4342 {
4343         u16 family = sk->sk_family;
4344         struct sk_security_struct *sksec = sk->sk_security;
4345
4346         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4347         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4348                 family = PF_INET;
4349
4350         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4351 }
4352
4353 static int selinux_secmark_relabel_packet(u32 sid)
4354 {
4355         const struct task_security_struct *__tsec;
4356         u32 tsid;
4357
4358         __tsec = current_security();
4359         tsid = __tsec->sid;
4360
4361         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4362 }
4363
4364 static void selinux_secmark_refcount_inc(void)
4365 {
4366         atomic_inc(&selinux_secmark_refcount);
4367 }
4368
4369 static void selinux_secmark_refcount_dec(void)
4370 {
4371         atomic_dec(&selinux_secmark_refcount);
4372 }
4373
4374 static void selinux_req_classify_flow(const struct request_sock *req,
4375                                       struct flowi *fl)
4376 {
4377         fl->flowi_secid = req->secid;
4378 }
4379
4380 static int selinux_tun_dev_create(void)
4381 {
4382         u32 sid = current_sid();
4383
4384         /* we aren't taking into account the "sockcreate" SID since the socket
4385          * that is being created here is not a socket in the traditional sense,
4386          * instead it is a private sock, accessible only to the kernel, and
4387          * representing a wide range of network traffic spanning multiple
4388          * connections unlike traditional sockets - check the TUN driver to
4389          * get a better understanding of why this socket is special */
4390
4391         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4392                             NULL);
4393 }
4394
4395 static void selinux_tun_dev_post_create(struct sock *sk)
4396 {
4397         struct sk_security_struct *sksec = sk->sk_security;
4398
4399         /* we don't currently perform any NetLabel based labeling here and it
4400          * isn't clear that we would want to do so anyway; while we could apply
4401          * labeling without the support of the TUN user the resulting labeled
4402          * traffic from the other end of the connection would almost certainly
4403          * cause confusion to the TUN user that had no idea network labeling
4404          * protocols were being used */
4405
4406         /* see the comments in selinux_tun_dev_create() about why we don't use
4407          * the sockcreate SID here */
4408
4409         sksec->sid = current_sid();
4410         sksec->sclass = SECCLASS_TUN_SOCKET;
4411 }
4412
4413 static int selinux_tun_dev_attach(struct sock *sk)
4414 {
4415         struct sk_security_struct *sksec = sk->sk_security;
4416         u32 sid = current_sid();
4417         int err;
4418
4419         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4420                            TUN_SOCKET__RELABELFROM, NULL);
4421         if (err)
4422                 return err;
4423         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4424                            TUN_SOCKET__RELABELTO, NULL);
4425         if (err)
4426                 return err;
4427
4428         sksec->sid = sid;
4429
4430         return 0;
4431 }
4432
4433 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4434 {
4435         int err = 0;
4436         u32 perm;
4437         struct nlmsghdr *nlh;
4438         struct sk_security_struct *sksec = sk->sk_security;
4439
4440         if (skb->len < NLMSG_SPACE(0)) {
4441                 err = -EINVAL;
4442                 goto out;
4443         }
4444         nlh = nlmsg_hdr(skb);
4445
4446         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4447         if (err) {
4448                 if (err == -EINVAL) {
4449                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4450                                   "SELinux:  unrecognized netlink message"
4451                                   " type=%hu for sclass=%hu\n",
4452                                   nlh->nlmsg_type, sksec->sclass);
4453                         if (!selinux_enforcing || security_get_allow_unknown())
4454                                 err = 0;
4455                 }
4456
4457                 /* Ignore */
4458                 if (err == -ENOENT)
4459                         err = 0;
4460                 goto out;
4461         }
4462
4463         err = sock_has_perm(current, sk, perm);
4464 out:
4465         return err;
4466 }
4467
4468 #ifdef CONFIG_NETFILTER
4469
4470 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4471                                        u16 family)
4472 {
4473         int err;
4474         char *addrp;
4475         u32 peer_sid;
4476         struct common_audit_data ad;
4477         u8 secmark_active;
4478         u8 netlbl_active;
4479         u8 peerlbl_active;
4480
4481         if (!selinux_policycap_netpeer)
4482                 return NF_ACCEPT;
4483
4484         secmark_active = selinux_secmark_enabled();
4485         netlbl_active = netlbl_enabled();
4486         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4487         if (!secmark_active && !peerlbl_active)
4488                 return NF_ACCEPT;
4489
4490         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4491                 return NF_DROP;
4492
4493         COMMON_AUDIT_DATA_INIT(&ad, NET);
4494         ad.u.net.netif = ifindex;
4495         ad.u.net.family = family;
4496         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4497                 return NF_DROP;
4498
4499         if (peerlbl_active) {
4500                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4501                                                peer_sid, &ad);
4502                 if (err) {
4503                         selinux_netlbl_err(skb, err, 1);
4504                         return NF_DROP;
4505                 }
4506         }
4507
4508         if (secmark_active)
4509                 if (avc_has_perm(peer_sid, skb->secmark,
4510                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4511                         return NF_DROP;
4512
4513         if (netlbl_active)
4514                 /* we do this in the FORWARD path and not the POST_ROUTING
4515                  * path because we want to make sure we apply the necessary
4516                  * labeling before IPsec is applied so we can leverage AH
4517                  * protection */
4518                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4519                         return NF_DROP;
4520
4521         return NF_ACCEPT;
4522 }
4523
4524 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4525                                          struct sk_buff *skb,
4526                                          const struct net_device *in,
4527                                          const struct net_device *out,
4528                                          int (*okfn)(struct sk_buff *))
4529 {
4530         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4531 }
4532
4533 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4534 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4535                                          struct sk_buff *skb,
4536                                          const struct net_device *in,
4537                                          const struct net_device *out,
4538                                          int (*okfn)(struct sk_buff *))
4539 {
4540         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4541 }
4542 #endif  /* IPV6 */
4543
4544 static unsigned int selinux_ip_output(struct sk_buff *skb,
4545                                       u16 family)
4546 {
4547         u32 sid;
4548
4549         if (!netlbl_enabled())
4550                 return NF_ACCEPT;
4551
4552         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4553          * because we want to make sure we apply the necessary labeling
4554          * before IPsec is applied so we can leverage AH protection */
4555         if (skb->sk) {
4556                 struct sk_security_struct *sksec = skb->sk->sk_security;
4557                 sid = sksec->sid;
4558         } else
4559                 sid = SECINITSID_KERNEL;
4560         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4561                 return NF_DROP;
4562
4563         return NF_ACCEPT;
4564 }
4565
4566 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4567                                         struct sk_buff *skb,
4568                                         const struct net_device *in,
4569                                         const struct net_device *out,
4570                                         int (*okfn)(struct sk_buff *))
4571 {
4572         return selinux_ip_output(skb, PF_INET);
4573 }
4574
4575 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4576                                                 int ifindex,
4577                                                 u16 family)
4578 {
4579         struct sock *sk = skb->sk;
4580         struct sk_security_struct *sksec;
4581         struct common_audit_data ad;
4582         char *addrp;
4583         u8 proto;
4584
4585         if (sk == NULL)
4586                 return NF_ACCEPT;
4587         sksec = sk->sk_security;
4588
4589         COMMON_AUDIT_DATA_INIT(&ad, NET);
4590         ad.u.net.netif = ifindex;
4591         ad.u.net.family = family;
4592         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4593                 return NF_DROP;
4594
4595         if (selinux_secmark_enabled())
4596                 if (avc_has_perm(sksec->sid, skb->secmark,
4597                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4598                         return NF_DROP_ERR(-ECONNREFUSED);
4599
4600         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4601                 return NF_DROP_ERR(-ECONNREFUSED);
4602
4603         return NF_ACCEPT;
4604 }
4605
4606 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4607                                          u16 family)
4608 {
4609         u32 secmark_perm;
4610         u32 peer_sid;
4611         struct sock *sk;
4612         struct common_audit_data ad;
4613         char *addrp;
4614         u8 secmark_active;
4615         u8 peerlbl_active;
4616
4617         /* If any sort of compatibility mode is enabled then handoff processing
4618          * to the selinux_ip_postroute_compat() function to deal with the
4619          * special handling.  We do this in an attempt to keep this function
4620          * as fast and as clean as possible. */
4621         if (!selinux_policycap_netpeer)
4622                 return selinux_ip_postroute_compat(skb, ifindex, family);
4623 #ifdef CONFIG_XFRM
4624         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4625          * packet transformation so allow the packet to pass without any checks
4626          * since we'll have another chance to perform access control checks
4627          * when the packet is on it's final way out.
4628          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4629          *       is NULL, in this case go ahead and apply access control. */
4630         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4631                 return NF_ACCEPT;
4632 #endif
4633         secmark_active = selinux_secmark_enabled();
4634         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4635         if (!secmark_active && !peerlbl_active)
4636                 return NF_ACCEPT;
4637
4638         /* if the packet is being forwarded then get the peer label from the
4639          * packet itself; otherwise check to see if it is from a local
4640          * application or the kernel, if from an application get the peer label
4641          * from the sending socket, otherwise use the kernel's sid */
4642         sk = skb->sk;
4643         if (sk == NULL) {
4644                 if (skb->skb_iif) {
4645                         secmark_perm = PACKET__FORWARD_OUT;
4646                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4647                                 return NF_DROP;
4648                 } else {
4649                         secmark_perm = PACKET__SEND;
4650                         peer_sid = SECINITSID_KERNEL;
4651                 }
4652         } else {
4653                 struct sk_security_struct *sksec = sk->sk_security;
4654                 peer_sid = sksec->sid;
4655                 secmark_perm = PACKET__SEND;
4656         }
4657
4658         COMMON_AUDIT_DATA_INIT(&ad, NET);
4659         ad.u.net.netif = ifindex;
4660         ad.u.net.family = family;
4661         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4662                 return NF_DROP;
4663
4664         if (secmark_active)
4665                 if (avc_has_perm(peer_sid, skb->secmark,
4666                                  SECCLASS_PACKET, secmark_perm, &ad))
4667                         return NF_DROP_ERR(-ECONNREFUSED);
4668
4669         if (peerlbl_active) {
4670                 u32 if_sid;
4671                 u32 node_sid;
4672
4673                 if (sel_netif_sid(ifindex, &if_sid))
4674                         return NF_DROP;
4675                 if (avc_has_perm(peer_sid, if_sid,
4676                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4677                         return NF_DROP_ERR(-ECONNREFUSED);
4678
4679                 if (sel_netnode_sid(addrp, family, &node_sid))
4680                         return NF_DROP;
4681                 if (avc_has_perm(peer_sid, node_sid,
4682                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4683                         return NF_DROP_ERR(-ECONNREFUSED);
4684         }
4685
4686         return NF_ACCEPT;
4687 }
4688
4689 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4690                                            struct sk_buff *skb,
4691                                            const struct net_device *in,
4692                                            const struct net_device *out,
4693                                            int (*okfn)(struct sk_buff *))
4694 {
4695         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4696 }
4697
4698 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4699 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4700                                            struct sk_buff *skb,
4701                                            const struct net_device *in,
4702                                            const struct net_device *out,
4703                                            int (*okfn)(struct sk_buff *))
4704 {
4705         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4706 }
4707 #endif  /* IPV6 */
4708
4709 #endif  /* CONFIG_NETFILTER */
4710
4711 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4712 {
4713         int err;
4714
4715         err = cap_netlink_send(sk, skb);
4716         if (err)
4717                 return err;
4718
4719         return selinux_nlmsg_perm(sk, skb);
4720 }
4721
4722 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4723 {
4724         int err;
4725         struct common_audit_data ad;
4726         u32 sid;
4727
4728         err = cap_netlink_recv(skb, capability);
4729         if (err)
4730                 return err;
4731
4732         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4733         ad.u.cap = capability;
4734
4735         security_task_getsecid(current, &sid);
4736         return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4737                             CAP_TO_MASK(capability), &ad);
4738 }
4739
4740 static int ipc_alloc_security(struct task_struct *task,
4741                               struct kern_ipc_perm *perm,
4742                               u16 sclass)
4743 {
4744         struct ipc_security_struct *isec;
4745         u32 sid;
4746
4747         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4748         if (!isec)
4749                 return -ENOMEM;
4750
4751         sid = task_sid(task);
4752         isec->sclass = sclass;
4753         isec->sid = sid;
4754         perm->security = isec;
4755
4756         return 0;
4757 }
4758
4759 static void ipc_free_security(struct kern_ipc_perm *perm)
4760 {
4761         struct ipc_security_struct *isec = perm->security;
4762         perm->security = NULL;
4763         kfree(isec);
4764 }
4765
4766 static int msg_msg_alloc_security(struct msg_msg *msg)
4767 {
4768         struct msg_security_struct *msec;
4769
4770         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4771         if (!msec)
4772                 return -ENOMEM;
4773
4774         msec->sid = SECINITSID_UNLABELED;
4775         msg->security = msec;
4776
4777         return 0;
4778 }
4779
4780 static void msg_msg_free_security(struct msg_msg *msg)
4781 {
4782         struct msg_security_struct *msec = msg->security;
4783
4784         msg->security = NULL;
4785         kfree(msec);
4786 }
4787
4788 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4789                         u32 perms)
4790 {
4791         struct ipc_security_struct *isec;
4792         struct common_audit_data ad;
4793         u32 sid = current_sid();
4794
4795         isec = ipc_perms->security;
4796
4797         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4798         ad.u.ipc_id = ipc_perms->key;
4799
4800         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4801 }
4802
4803 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4804 {
4805         return msg_msg_alloc_security(msg);
4806 }
4807
4808 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4809 {
4810         msg_msg_free_security(msg);
4811 }
4812
4813 /* message queue security operations */
4814 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4815 {
4816         struct ipc_security_struct *isec;
4817         struct common_audit_data ad;
4818         u32 sid = current_sid();
4819         int rc;
4820
4821         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4822         if (rc)
4823                 return rc;
4824
4825         isec = msq->q_perm.security;
4826
4827         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4828         ad.u.ipc_id = msq->q_perm.key;
4829
4830         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4831                           MSGQ__CREATE, &ad);
4832         if (rc) {
4833                 ipc_free_security(&msq->q_perm);
4834                 return rc;
4835         }
4836         return 0;
4837 }
4838
4839 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4840 {
4841         ipc_free_security(&msq->q_perm);
4842 }
4843
4844 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4845 {
4846         struct ipc_security_struct *isec;
4847         struct common_audit_data ad;
4848         u32 sid = current_sid();
4849
4850         isec = msq->q_perm.security;
4851
4852         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4853         ad.u.ipc_id = msq->q_perm.key;
4854
4855         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4856                             MSGQ__ASSOCIATE, &ad);
4857 }
4858
4859 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4860 {
4861         int err;
4862         int perms;
4863
4864         switch (cmd) {
4865         case IPC_INFO:
4866         case MSG_INFO:
4867                 /* No specific object, just general system-wide information. */
4868                 return task_has_system(current, SYSTEM__IPC_INFO);
4869         case IPC_STAT:
4870         case MSG_STAT:
4871                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4872                 break;
4873         case IPC_SET:
4874                 perms = MSGQ__SETATTR;
4875                 break;
4876         case IPC_RMID:
4877                 perms = MSGQ__DESTROY;
4878                 break;
4879         default:
4880                 return 0;
4881         }
4882
4883         err = ipc_has_perm(&msq->q_perm, perms);
4884         return err;
4885 }
4886
4887 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4888 {
4889         struct ipc_security_struct *isec;
4890         struct msg_security_struct *msec;
4891         struct common_audit_data ad;
4892         u32 sid = current_sid();
4893         int rc;
4894
4895         isec = msq->q_perm.security;
4896         msec = msg->security;
4897
4898         /*
4899          * First time through, need to assign label to the message
4900          */
4901         if (msec->sid == SECINITSID_UNLABELED) {
4902                 /*
4903                  * Compute new sid based on current process and
4904                  * message queue this message will be stored in
4905                  */
4906                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4907                                              NULL, &msec->sid);
4908                 if (rc)
4909                         return rc;
4910         }
4911
4912         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4913         ad.u.ipc_id = msq->q_perm.key;
4914
4915         /* Can this process write to the queue? */
4916         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4917                           MSGQ__WRITE, &ad);
4918         if (!rc)
4919                 /* Can this process send the message */
4920                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4921                                   MSG__SEND, &ad);
4922         if (!rc)
4923                 /* Can the message be put in the queue? */
4924                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4925                                   MSGQ__ENQUEUE, &ad);
4926
4927         return rc;
4928 }
4929
4930 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4931                                     struct task_struct *target,
4932                                     long type, int mode)
4933 {
4934         struct ipc_security_struct *isec;
4935         struct msg_security_struct *msec;
4936         struct common_audit_data ad;
4937         u32 sid = task_sid(target);
4938         int rc;
4939
4940         isec = msq->q_perm.security;
4941         msec = msg->security;
4942
4943         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4944         ad.u.ipc_id = msq->q_perm.key;
4945
4946         rc = avc_has_perm(sid, isec->sid,
4947                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4948         if (!rc)
4949                 rc = avc_has_perm(sid, msec->sid,
4950                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4951         return rc;
4952 }
4953
4954 /* Shared Memory security operations */
4955 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4956 {
4957         struct ipc_security_struct *isec;
4958         struct common_audit_data ad;
4959         u32 sid = current_sid();
4960         int rc;
4961
4962         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4963         if (rc)
4964                 return rc;
4965
4966         isec = shp->shm_perm.security;
4967
4968         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4969         ad.u.ipc_id = shp->shm_perm.key;
4970
4971         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4972                           SHM__CREATE, &ad);
4973         if (rc) {
4974                 ipc_free_security(&shp->shm_perm);
4975                 return rc;
4976         }
4977         return 0;
4978 }
4979
4980 static void selinux_shm_free_security(struct shmid_kernel *shp)
4981 {
4982         ipc_free_security(&shp->shm_perm);
4983 }
4984
4985 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4986 {
4987         struct ipc_security_struct *isec;
4988         struct common_audit_data ad;
4989         u32 sid = current_sid();
4990
4991         isec = shp->shm_perm.security;
4992
4993         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4994         ad.u.ipc_id = shp->shm_perm.key;
4995
4996         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4997                             SHM__ASSOCIATE, &ad);
4998 }
4999
5000 /* Note, at this point, shp is locked down */
5001 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5002 {
5003         int perms;
5004         int err;
5005
5006         switch (cmd) {
5007         case IPC_INFO:
5008         case SHM_INFO:
5009                 /* No specific object, just general system-wide information. */
5010                 return task_has_system(current, SYSTEM__IPC_INFO);
5011         case IPC_STAT:
5012         case SHM_STAT:
5013                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5014                 break;
5015         case IPC_SET:
5016                 perms = SHM__SETATTR;
5017                 break;
5018         case SHM_LOCK:
5019         case SHM_UNLOCK:
5020                 perms = SHM__LOCK;
5021                 break;
5022         case IPC_RMID:
5023                 perms = SHM__DESTROY;
5024                 break;
5025         default:
5026                 return 0;
5027         }
5028
5029         err = ipc_has_perm(&shp->shm_perm, perms);
5030         return err;
5031 }
5032
5033 static int selinux_shm_shmat(struct shmid_kernel *shp,
5034                              char __user *shmaddr, int shmflg)
5035 {
5036         u32 perms;
5037
5038         if (shmflg & SHM_RDONLY)
5039                 perms = SHM__READ;
5040         else
5041                 perms = SHM__READ | SHM__WRITE;
5042
5043         return ipc_has_perm(&shp->shm_perm, perms);
5044 }
5045
5046 /* Semaphore security operations */
5047 static int selinux_sem_alloc_security(struct sem_array *sma)
5048 {
5049         struct ipc_security_struct *isec;
5050         struct common_audit_data ad;
5051         u32 sid = current_sid();
5052         int rc;
5053
5054         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5055         if (rc)
5056                 return rc;
5057
5058         isec = sma->sem_perm.security;
5059
5060         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5061         ad.u.ipc_id = sma->sem_perm.key;
5062
5063         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5064                           SEM__CREATE, &ad);
5065         if (rc) {
5066                 ipc_free_security(&sma->sem_perm);
5067                 return rc;
5068         }
5069         return 0;
5070 }
5071
5072 static void selinux_sem_free_security(struct sem_array *sma)
5073 {
5074         ipc_free_security(&sma->sem_perm);
5075 }
5076
5077 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5078 {
5079         struct ipc_security_struct *isec;
5080         struct common_audit_data ad;
5081         u32 sid = current_sid();
5082
5083         isec = sma->sem_perm.security;
5084
5085         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5086         ad.u.ipc_id = sma->sem_perm.key;
5087
5088         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5089                             SEM__ASSOCIATE, &ad);
5090 }
5091
5092 /* Note, at this point, sma is locked down */
5093 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5094 {
5095         int err;
5096         u32 perms;
5097
5098         switch (cmd) {
5099         case IPC_INFO:
5100         case SEM_INFO:
5101                 /* No specific object, just general system-wide information. */
5102                 return task_has_system(current, SYSTEM__IPC_INFO);
5103         case GETPID:
5104         case GETNCNT:
5105         case GETZCNT:
5106                 perms = SEM__GETATTR;
5107                 break;
5108         case GETVAL:
5109         case GETALL:
5110                 perms = SEM__READ;
5111                 break;
5112         case SETVAL:
5113         case SETALL:
5114                 perms = SEM__WRITE;
5115                 break;
5116         case IPC_RMID:
5117                 perms = SEM__DESTROY;
5118                 break;
5119         case IPC_SET:
5120                 perms = SEM__SETATTR;
5121                 break;
5122         case IPC_STAT:
5123         case SEM_STAT:
5124                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5125                 break;
5126         default:
5127                 return 0;
5128         }
5129
5130         err = ipc_has_perm(&sma->sem_perm, perms);
5131         return err;
5132 }
5133
5134 static int selinux_sem_semop(struct sem_array *sma,
5135                              struct sembuf *sops, unsigned nsops, int alter)
5136 {
5137         u32 perms;
5138
5139         if (alter)
5140                 perms = SEM__READ | SEM__WRITE;
5141         else
5142                 perms = SEM__READ;
5143
5144         return ipc_has_perm(&sma->sem_perm, perms);
5145 }
5146
5147 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5148 {
5149         u32 av = 0;
5150
5151         av = 0;
5152         if (flag & S_IRUGO)
5153                 av |= IPC__UNIX_READ;
5154         if (flag & S_IWUGO)
5155                 av |= IPC__UNIX_WRITE;
5156
5157         if (av == 0)
5158                 return 0;
5159
5160         return ipc_has_perm(ipcp, av);
5161 }
5162
5163 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5164 {
5165         struct ipc_security_struct *isec = ipcp->security;
5166         *secid = isec->sid;
5167 }
5168
5169 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5170 {
5171         if (inode)
5172                 inode_doinit_with_dentry(inode, dentry);
5173 }
5174
5175 static int selinux_getprocattr(struct task_struct *p,
5176                                char *name, char **value)
5177 {
5178         const struct task_security_struct *__tsec;
5179         u32 sid;
5180         int error;
5181         unsigned len;
5182
5183         if (current != p) {
5184                 error = current_has_perm(p, PROCESS__GETATTR);
5185                 if (error)
5186                         return error;
5187         }
5188
5189         rcu_read_lock();
5190         __tsec = __task_cred(p)->security;
5191
5192         if (!strcmp(name, "current"))
5193                 sid = __tsec->sid;
5194         else if (!strcmp(name, "prev"))
5195                 sid = __tsec->osid;
5196         else if (!strcmp(name, "exec"))
5197                 sid = __tsec->exec_sid;
5198         else if (!strcmp(name, "fscreate"))
5199                 sid = __tsec->create_sid;
5200         else if (!strcmp(name, "keycreate"))
5201                 sid = __tsec->keycreate_sid;
5202         else if (!strcmp(name, "sockcreate"))
5203                 sid = __tsec->sockcreate_sid;
5204         else
5205                 goto invalid;
5206         rcu_read_unlock();
5207
5208         if (!sid)
5209                 return 0;
5210
5211         error = security_sid_to_context(sid, value, &len);
5212         if (error)
5213                 return error;
5214         return len;
5215
5216 invalid:
5217         rcu_read_unlock();
5218         return -EINVAL;
5219 }
5220
5221 static int selinux_setprocattr(struct task_struct *p,
5222                                char *name, void *value, size_t size)
5223 {
5224         struct task_security_struct *tsec;
5225         struct task_struct *tracer;
5226         struct cred *new;
5227         u32 sid = 0, ptsid;
5228         int error;
5229         char *str = value;
5230
5231         if (current != p) {
5232                 /* SELinux only allows a process to change its own
5233                    security attributes. */
5234                 return -EACCES;
5235         }
5236
5237         /*
5238          * Basic control over ability to set these attributes at all.
5239          * current == p, but we'll pass them separately in case the
5240          * above restriction is ever removed.
5241          */
5242         if (!strcmp(name, "exec"))
5243                 error = current_has_perm(p, PROCESS__SETEXEC);
5244         else if (!strcmp(name, "fscreate"))
5245                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5246         else if (!strcmp(name, "keycreate"))
5247                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5248         else if (!strcmp(name, "sockcreate"))
5249                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5250         else if (!strcmp(name, "current"))
5251                 error = current_has_perm(p, PROCESS__SETCURRENT);
5252         else
5253                 error = -EINVAL;
5254         if (error)
5255                 return error;
5256
5257         /* Obtain a SID for the context, if one was specified. */
5258         if (size && str[1] && str[1] != '\n') {
5259                 if (str[size-1] == '\n') {
5260                         str[size-1] = 0;
5261                         size--;
5262                 }
5263                 error = security_context_to_sid(value, size, &sid);
5264                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5265                         if (!capable(CAP_MAC_ADMIN))
5266                                 return error;
5267                         error = security_context_to_sid_force(value, size,
5268                                                               &sid);
5269                 }
5270                 if (error)
5271                         return error;
5272         }
5273
5274         new = prepare_creds();
5275         if (!new)
5276                 return -ENOMEM;
5277
5278         /* Permission checking based on the specified context is
5279            performed during the actual operation (execve,
5280            open/mkdir/...), when we know the full context of the
5281            operation.  See selinux_bprm_set_creds for the execve
5282            checks and may_create for the file creation checks. The
5283            operation will then fail if the context is not permitted. */
5284         tsec = new->security;
5285         if (!strcmp(name, "exec")) {
5286                 tsec->exec_sid = sid;
5287         } else if (!strcmp(name, "fscreate")) {
5288                 tsec->create_sid = sid;
5289         } else if (!strcmp(name, "keycreate")) {
5290                 error = may_create_key(sid, p);
5291                 if (error)
5292                         goto abort_change;
5293                 tsec->keycreate_sid = sid;
5294         } else if (!strcmp(name, "sockcreate")) {
5295                 tsec->sockcreate_sid = sid;
5296         } else if (!strcmp(name, "current")) {
5297                 error = -EINVAL;
5298                 if (sid == 0)
5299                         goto abort_change;
5300
5301                 /* Only allow single threaded processes to change context */
5302                 error = -EPERM;
5303                 if (!current_is_single_threaded()) {
5304                         error = security_bounded_transition(tsec->sid, sid);
5305                         if (error)
5306                                 goto abort_change;
5307                 }
5308
5309                 /* Check permissions for the transition. */
5310                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5311                                      PROCESS__DYNTRANSITION, NULL);
5312                 if (error)
5313                         goto abort_change;
5314
5315                 /* Check for ptracing, and update the task SID if ok.
5316                    Otherwise, leave SID unchanged and fail. */
5317                 ptsid = 0;
5318                 task_lock(p);
5319                 tracer = ptrace_parent(p);
5320                 if (tracer)
5321                         ptsid = task_sid(tracer);
5322                 task_unlock(p);
5323
5324                 if (tracer) {
5325                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5326                                              PROCESS__PTRACE, NULL);
5327                         if (error)
5328                                 goto abort_change;
5329                 }
5330
5331                 tsec->sid = sid;
5332         } else {
5333                 error = -EINVAL;
5334                 goto abort_change;
5335         }
5336
5337         commit_creds(new);
5338         return size;
5339
5340 abort_change:
5341         abort_creds(new);
5342         return error;
5343 }
5344
5345 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5346 {
5347         return security_sid_to_context(secid, secdata, seclen);
5348 }
5349
5350 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5351 {
5352         return security_context_to_sid(secdata, seclen, secid);
5353 }
5354
5355 static void selinux_release_secctx(char *secdata, u32 seclen)
5356 {
5357         kfree(secdata);
5358 }
5359
5360 /*
5361  *      called with inode->i_mutex locked
5362  */
5363 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5364 {
5365         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5366 }
5367
5368 /*
5369  *      called with inode->i_mutex locked
5370  */
5371 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5372 {
5373         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5374 }
5375
5376 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5377 {
5378         int len = 0;
5379         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5380                                                 ctx, true);
5381         if (len < 0)
5382                 return len;
5383         *ctxlen = len;
5384         return 0;
5385 }
5386 #ifdef CONFIG_KEYS
5387
5388 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5389                              unsigned long flags)
5390 {
5391         const struct task_security_struct *tsec;
5392         struct key_security_struct *ksec;
5393
5394         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5395         if (!ksec)
5396                 return -ENOMEM;
5397
5398         tsec = cred->security;
5399         if (tsec->keycreate_sid)
5400                 ksec->sid = tsec->keycreate_sid;
5401         else
5402                 ksec->sid = tsec->sid;
5403
5404         k->security = ksec;
5405         return 0;
5406 }
5407
5408 static void selinux_key_free(struct key *k)
5409 {
5410         struct key_security_struct *ksec = k->security;
5411
5412         k->security = NULL;
5413         kfree(ksec);
5414 }
5415
5416 static int selinux_key_permission(key_ref_t key_ref,
5417                                   const struct cred *cred,
5418                                   key_perm_t perm)
5419 {
5420         struct key *key;
5421         struct key_security_struct *ksec;
5422         u32 sid;
5423
5424         /* if no specific permissions are requested, we skip the
5425            permission check. No serious, additional covert channels
5426            appear to be created. */
5427         if (perm == 0)
5428                 return 0;
5429
5430         sid = cred_sid(cred);
5431
5432         key = key_ref_to_ptr(key_ref);
5433         ksec = key->security;
5434
5435         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5436 }
5437
5438 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5439 {
5440         struct key_security_struct *ksec = key->security;
5441         char *context = NULL;
5442         unsigned len;
5443         int rc;
5444
5445         rc = security_sid_to_context(ksec->sid, &context, &len);
5446         if (!rc)
5447                 rc = len;
5448         *_buffer = context;
5449         return rc;
5450 }
5451
5452 #endif
5453
5454 static struct security_operations selinux_ops = {
5455         .name =                         "selinux",
5456
5457         .ptrace_access_check =          selinux_ptrace_access_check,
5458         .ptrace_traceme =               selinux_ptrace_traceme,
5459         .capget =                       selinux_capget,
5460         .capset =                       selinux_capset,
5461         .capable =                      selinux_capable,
5462         .quotactl =                     selinux_quotactl,
5463         .quota_on =                     selinux_quota_on,
5464         .syslog =                       selinux_syslog,
5465         .vm_enough_memory =             selinux_vm_enough_memory,
5466
5467         .netlink_send =                 selinux_netlink_send,
5468         .netlink_recv =                 selinux_netlink_recv,
5469
5470         .bprm_set_creds =               selinux_bprm_set_creds,
5471         .bprm_committing_creds =        selinux_bprm_committing_creds,
5472         .bprm_committed_creds =         selinux_bprm_committed_creds,
5473         .bprm_secureexec =              selinux_bprm_secureexec,
5474
5475         .sb_alloc_security =            selinux_sb_alloc_security,
5476         .sb_free_security =             selinux_sb_free_security,
5477         .sb_copy_data =                 selinux_sb_copy_data,
5478         .sb_remount =                   selinux_sb_remount,
5479         .sb_kern_mount =                selinux_sb_kern_mount,
5480         .sb_show_options =              selinux_sb_show_options,
5481         .sb_statfs =                    selinux_sb_statfs,
5482         .sb_mount =                     selinux_mount,
5483         .sb_umount =                    selinux_umount,
5484         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5485         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5486         .sb_parse_opts_str =            selinux_parse_opts_str,
5487
5488
5489         .inode_alloc_security =         selinux_inode_alloc_security,
5490         .inode_free_security =          selinux_inode_free_security,
5491         .inode_init_security =          selinux_inode_init_security,
5492         .inode_create =                 selinux_inode_create,
5493         .inode_link =                   selinux_inode_link,
5494         .inode_unlink =                 selinux_inode_unlink,
5495         .inode_symlink =                selinux_inode_symlink,
5496         .inode_mkdir =                  selinux_inode_mkdir,
5497         .inode_rmdir =                  selinux_inode_rmdir,
5498         .inode_mknod =                  selinux_inode_mknod,
5499         .inode_rename =                 selinux_inode_rename,
5500         .inode_readlink =               selinux_inode_readlink,
5501         .inode_follow_link =            selinux_inode_follow_link,
5502         .inode_permission =             selinux_inode_permission,
5503         .inode_setattr =                selinux_inode_setattr,
5504         .inode_getattr =                selinux_inode_getattr,
5505         .inode_setxattr =               selinux_inode_setxattr,
5506         .inode_post_setxattr =          selinux_inode_post_setxattr,
5507         .inode_getxattr =               selinux_inode_getxattr,
5508         .inode_listxattr =              selinux_inode_listxattr,
5509         .inode_removexattr =            selinux_inode_removexattr,
5510         .inode_getsecurity =            selinux_inode_getsecurity,
5511         .inode_setsecurity =            selinux_inode_setsecurity,
5512         .inode_listsecurity =           selinux_inode_listsecurity,
5513         .inode_getsecid =               selinux_inode_getsecid,
5514
5515         .file_permission =              selinux_file_permission,
5516         .file_alloc_security =          selinux_file_alloc_security,
5517         .file_free_security =           selinux_file_free_security,
5518         .file_ioctl =                   selinux_file_ioctl,
5519         .file_mmap =                    selinux_file_mmap,
5520         .file_mprotect =                selinux_file_mprotect,
5521         .file_lock =                    selinux_file_lock,
5522         .file_fcntl =                   selinux_file_fcntl,
5523         .file_set_fowner =              selinux_file_set_fowner,
5524         .file_send_sigiotask =          selinux_file_send_sigiotask,
5525         .file_receive =                 selinux_file_receive,
5526
5527         .dentry_open =                  selinux_dentry_open,
5528
5529         .task_create =                  selinux_task_create,
5530         .cred_alloc_blank =             selinux_cred_alloc_blank,
5531         .cred_free =                    selinux_cred_free,
5532         .cred_prepare =                 selinux_cred_prepare,
5533         .cred_transfer =                selinux_cred_transfer,
5534         .kernel_act_as =                selinux_kernel_act_as,
5535         .kernel_create_files_as =       selinux_kernel_create_files_as,
5536         .kernel_module_request =        selinux_kernel_module_request,
5537         .task_setpgid =                 selinux_task_setpgid,
5538         .task_getpgid =                 selinux_task_getpgid,
5539         .task_getsid =                  selinux_task_getsid,
5540         .task_getsecid =                selinux_task_getsecid,
5541         .task_setnice =                 selinux_task_setnice,
5542         .task_setioprio =               selinux_task_setioprio,
5543         .task_getioprio =               selinux_task_getioprio,
5544         .task_setrlimit =               selinux_task_setrlimit,
5545         .task_setscheduler =            selinux_task_setscheduler,
5546         .task_getscheduler =            selinux_task_getscheduler,
5547         .task_movememory =              selinux_task_movememory,
5548         .task_kill =                    selinux_task_kill,
5549         .task_wait =                    selinux_task_wait,
5550         .task_to_inode =                selinux_task_to_inode,
5551
5552         .ipc_permission =               selinux_ipc_permission,
5553         .ipc_getsecid =                 selinux_ipc_getsecid,
5554
5555         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5556         .msg_msg_free_security =        selinux_msg_msg_free_security,
5557
5558         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5559         .msg_queue_free_security =      selinux_msg_queue_free_security,
5560         .msg_queue_associate =          selinux_msg_queue_associate,
5561         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5562         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5563         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5564
5565         .shm_alloc_security =           selinux_shm_alloc_security,
5566         .shm_free_security =            selinux_shm_free_security,
5567         .shm_associate =                selinux_shm_associate,
5568         .shm_shmctl =                   selinux_shm_shmctl,
5569         .shm_shmat =                    selinux_shm_shmat,
5570
5571         .sem_alloc_security =           selinux_sem_alloc_security,
5572         .sem_free_security =            selinux_sem_free_security,
5573         .sem_associate =                selinux_sem_associate,
5574         .sem_semctl =                   selinux_sem_semctl,
5575         .sem_semop =                    selinux_sem_semop,
5576
5577         .d_instantiate =                selinux_d_instantiate,
5578
5579         .getprocattr =                  selinux_getprocattr,
5580         .setprocattr =                  selinux_setprocattr,
5581
5582         .secid_to_secctx =              selinux_secid_to_secctx,
5583         .secctx_to_secid =              selinux_secctx_to_secid,
5584         .release_secctx =               selinux_release_secctx,
5585         .inode_notifysecctx =           selinux_inode_notifysecctx,
5586         .inode_setsecctx =              selinux_inode_setsecctx,
5587         .inode_getsecctx =              selinux_inode_getsecctx,
5588
5589         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5590         .unix_may_send =                selinux_socket_unix_may_send,
5591
5592         .socket_create =                selinux_socket_create,
5593         .socket_post_create =           selinux_socket_post_create,
5594         .socket_bind =                  selinux_socket_bind,
5595         .socket_connect =               selinux_socket_connect,
5596         .socket_listen =                selinux_socket_listen,
5597         .socket_accept =                selinux_socket_accept,
5598         .socket_sendmsg =               selinux_socket_sendmsg,
5599         .socket_recvmsg =               selinux_socket_recvmsg,
5600         .socket_getsockname =           selinux_socket_getsockname,
5601         .socket_getpeername =           selinux_socket_getpeername,
5602         .socket_getsockopt =            selinux_socket_getsockopt,
5603         .socket_setsockopt =            selinux_socket_setsockopt,
5604         .socket_shutdown =              selinux_socket_shutdown,
5605         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5606         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5607         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5608         .sk_alloc_security =            selinux_sk_alloc_security,
5609         .sk_free_security =             selinux_sk_free_security,
5610         .sk_clone_security =            selinux_sk_clone_security,
5611         .sk_getsecid =                  selinux_sk_getsecid,
5612         .sock_graft =                   selinux_sock_graft,
5613         .inet_conn_request =            selinux_inet_conn_request,
5614         .inet_csk_clone =               selinux_inet_csk_clone,
5615         .inet_conn_established =        selinux_inet_conn_established,
5616         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5617         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5618         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5619         .req_classify_flow =            selinux_req_classify_flow,
5620         .tun_dev_create =               selinux_tun_dev_create,
5621         .tun_dev_post_create =          selinux_tun_dev_post_create,
5622         .tun_dev_attach =               selinux_tun_dev_attach,
5623
5624 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5625         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5626         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5627         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5628         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5629         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5630         .xfrm_state_free_security =     selinux_xfrm_state_free,
5631         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5632         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5633         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5634         .xfrm_decode_session =          selinux_xfrm_decode_session,
5635 #endif
5636
5637 #ifdef CONFIG_KEYS
5638         .key_alloc =                    selinux_key_alloc,
5639         .key_free =                     selinux_key_free,
5640         .key_permission =               selinux_key_permission,
5641         .key_getsecurity =              selinux_key_getsecurity,
5642 #endif
5643
5644 #ifdef CONFIG_AUDIT
5645         .audit_rule_init =              selinux_audit_rule_init,
5646         .audit_rule_known =             selinux_audit_rule_known,
5647         .audit_rule_match =             selinux_audit_rule_match,
5648         .audit_rule_free =              selinux_audit_rule_free,
5649 #endif
5650 };
5651
5652 static __init int selinux_init(void)
5653 {
5654         if (!security_module_enable(&selinux_ops)) {
5655                 selinux_enabled = 0;
5656                 return 0;
5657         }
5658
5659         if (!selinux_enabled) {
5660                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5661                 return 0;
5662         }
5663
5664         printk(KERN_INFO "SELinux:  Initializing.\n");
5665
5666         /* Set the security state for the initial task. */
5667         cred_init_security();
5668
5669         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5670
5671         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5672                                             sizeof(struct inode_security_struct),
5673                                             0, SLAB_PANIC, NULL);
5674         avc_init();
5675
5676         if (register_security(&selinux_ops))
5677                 panic("SELinux: Unable to register with kernel.\n");
5678
5679         if (selinux_enforcing)
5680                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5681         else
5682                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5683
5684         return 0;
5685 }
5686
5687 static void delayed_superblock_init(struct super_block *sb, void *unused)
5688 {
5689         superblock_doinit(sb, NULL);
5690 }
5691
5692 void selinux_complete_init(void)
5693 {
5694         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5695
5696         /* Set up any superblocks initialized prior to the policy load. */
5697         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5698         iterate_supers(delayed_superblock_init, NULL);
5699 }
5700
5701 /* SELinux requires early initialization in order to label
5702    all processes and objects when they are created. */
5703 security_initcall(selinux_init);
5704
5705 #if defined(CONFIG_NETFILTER)
5706
5707 static struct nf_hook_ops selinux_ipv4_ops[] = {
5708         {
5709                 .hook =         selinux_ipv4_postroute,
5710                 .owner =        THIS_MODULE,
5711                 .pf =           PF_INET,
5712                 .hooknum =      NF_INET_POST_ROUTING,
5713                 .priority =     NF_IP_PRI_SELINUX_LAST,
5714         },
5715         {
5716                 .hook =         selinux_ipv4_forward,
5717                 .owner =        THIS_MODULE,
5718                 .pf =           PF_INET,
5719                 .hooknum =      NF_INET_FORWARD,
5720                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5721         },
5722         {
5723                 .hook =         selinux_ipv4_output,
5724                 .owner =        THIS_MODULE,
5725                 .pf =           PF_INET,
5726                 .hooknum =      NF_INET_LOCAL_OUT,
5727                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5728         }
5729 };
5730
5731 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5732
5733 static struct nf_hook_ops selinux_ipv6_ops[] = {
5734         {
5735                 .hook =         selinux_ipv6_postroute,
5736                 .owner =        THIS_MODULE,
5737                 .pf =           PF_INET6,
5738                 .hooknum =      NF_INET_POST_ROUTING,
5739                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5740         },
5741         {
5742                 .hook =         selinux_ipv6_forward,
5743                 .owner =        THIS_MODULE,
5744                 .pf =           PF_INET6,
5745                 .hooknum =      NF_INET_FORWARD,
5746                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5747         }
5748 };
5749
5750 #endif  /* IPV6 */
5751
5752 static int __init selinux_nf_ip_init(void)
5753 {
5754         int err = 0;
5755
5756         if (!selinux_enabled)
5757                 goto out;
5758
5759         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5760
5761         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5762         if (err)
5763                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5764
5765 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5766         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5767         if (err)
5768                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5769 #endif  /* IPV6 */
5770
5771 out:
5772         return err;
5773 }
5774
5775 __initcall(selinux_nf_ip_init);
5776
5777 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5778 static void selinux_nf_ip_exit(void)
5779 {
5780         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5781
5782         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5783 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5784         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5785 #endif  /* IPV6 */
5786 }
5787 #endif
5788
5789 #else /* CONFIG_NETFILTER */
5790
5791 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5792 #define selinux_nf_ip_exit()
5793 #endif
5794
5795 #endif /* CONFIG_NETFILTER */
5796
5797 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5798 static int selinux_disabled;
5799
5800 int selinux_disable(void)
5801 {
5802         if (ss_initialized) {
5803                 /* Not permitted after initial policy load. */
5804                 return -EINVAL;
5805         }
5806
5807         if (selinux_disabled) {
5808                 /* Only do this once. */
5809                 return -EINVAL;
5810         }
5811
5812         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5813
5814         selinux_disabled = 1;
5815         selinux_enabled = 0;
5816
5817         reset_security_ops();
5818
5819         /* Try to destroy the avc node cache */
5820         avc_disable();
5821
5822         /* Unregister netfilter hooks. */
5823         selinux_nf_ip_exit();
5824
5825         /* Unregister selinuxfs. */
5826         exit_sel_fs();
5827
5828         return 0;
5829 }
5830 #endif