SELinux: pass last path component in may_create
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>             /* for local_port_range[] */
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <asm/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>    /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>           /* for Unix socket types */
70 #include <net/af_unix.h>        /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82
83 #include "avc.h"
84 #include "objsec.h"
85 #include "netif.h"
86 #include "netnode.h"
87 #include "netport.h"
88 #include "xfrm.h"
89 #include "netlabel.h"
90 #include "audit.h"
91
92 #define NUM_SEL_MNT_OPTS 5
93
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern struct security_operations *security_ops;
96
97 /* SECMARK reference count */
98 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105         unsigned long enforcing;
106         if (!strict_strtoul(str, 0, &enforcing))
107                 selinux_enforcing = enforcing ? 1 : 0;
108         return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118         unsigned long enabled;
119         if (!strict_strtoul(str, 0, &enabled))
120                 selinux_enabled = enabled ? 1 : 0;
121         return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129
130 /**
131  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132  *
133  * Description:
134  * This function checks the SECMARK reference counter to see if any SECMARK
135  * targets are currently configured, if the reference counter is greater than
136  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
137  * enabled, false (0) if SECMARK is disabled.
138  *
139  */
140 static int selinux_secmark_enabled(void)
141 {
142         return (atomic_read(&selinux_secmark_refcount) > 0);
143 }
144
145 /*
146  * initialise the security for the init task
147  */
148 static void cred_init_security(void)
149 {
150         struct cred *cred = (struct cred *) current->real_cred;
151         struct task_security_struct *tsec;
152
153         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
154         if (!tsec)
155                 panic("SELinux:  Failed to initialize initial task.\n");
156
157         tsec->osid = tsec->sid = SECINITSID_KERNEL;
158         cred->security = tsec;
159 }
160
161 /*
162  * get the security ID of a set of credentials
163  */
164 static inline u32 cred_sid(const struct cred *cred)
165 {
166         const struct task_security_struct *tsec;
167
168         tsec = cred->security;
169         return tsec->sid;
170 }
171
172 /*
173  * get the objective security ID of a task
174  */
175 static inline u32 task_sid(const struct task_struct *task)
176 {
177         u32 sid;
178
179         rcu_read_lock();
180         sid = cred_sid(__task_cred(task));
181         rcu_read_unlock();
182         return sid;
183 }
184
185 /*
186  * get the subjective security ID of the current task
187  */
188 static inline u32 current_sid(void)
189 {
190         const struct task_security_struct *tsec = current_security();
191
192         return tsec->sid;
193 }
194
195 /* Allocate and free functions for each kind of security blob. */
196
197 static int inode_alloc_security(struct inode *inode)
198 {
199         struct inode_security_struct *isec;
200         u32 sid = current_sid();
201
202         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
203         if (!isec)
204                 return -ENOMEM;
205
206         mutex_init(&isec->lock);
207         INIT_LIST_HEAD(&isec->list);
208         isec->inode = inode;
209         isec->sid = SECINITSID_UNLABELED;
210         isec->sclass = SECCLASS_FILE;
211         isec->task_sid = sid;
212         inode->i_security = isec;
213
214         return 0;
215 }
216
217 static void inode_free_security(struct inode *inode)
218 {
219         struct inode_security_struct *isec = inode->i_security;
220         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
221
222         spin_lock(&sbsec->isec_lock);
223         if (!list_empty(&isec->list))
224                 list_del_init(&isec->list);
225         spin_unlock(&sbsec->isec_lock);
226
227         inode->i_security = NULL;
228         kmem_cache_free(sel_inode_cache, isec);
229 }
230
231 static int file_alloc_security(struct file *file)
232 {
233         struct file_security_struct *fsec;
234         u32 sid = current_sid();
235
236         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
237         if (!fsec)
238                 return -ENOMEM;
239
240         fsec->sid = sid;
241         fsec->fown_sid = sid;
242         file->f_security = fsec;
243
244         return 0;
245 }
246
247 static void file_free_security(struct file *file)
248 {
249         struct file_security_struct *fsec = file->f_security;
250         file->f_security = NULL;
251         kfree(fsec);
252 }
253
254 static int superblock_alloc_security(struct super_block *sb)
255 {
256         struct superblock_security_struct *sbsec;
257
258         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
259         if (!sbsec)
260                 return -ENOMEM;
261
262         mutex_init(&sbsec->lock);
263         INIT_LIST_HEAD(&sbsec->isec_head);
264         spin_lock_init(&sbsec->isec_lock);
265         sbsec->sb = sb;
266         sbsec->sid = SECINITSID_UNLABELED;
267         sbsec->def_sid = SECINITSID_FILE;
268         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
269         sb->s_security = sbsec;
270
271         return 0;
272 }
273
274 static void superblock_free_security(struct super_block *sb)
275 {
276         struct superblock_security_struct *sbsec = sb->s_security;
277         sb->s_security = NULL;
278         kfree(sbsec);
279 }
280
281 /* The security server must be initialized before
282    any labeling or access decisions can be provided. */
283 extern int ss_initialized;
284
285 /* The file system's label must be initialized prior to use. */
286
287 static const char *labeling_behaviors[6] = {
288         "uses xattr",
289         "uses transition SIDs",
290         "uses task SIDs",
291         "uses genfs_contexts",
292         "not configured for labeling",
293         "uses mountpoint labeling",
294 };
295
296 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
297
298 static inline int inode_doinit(struct inode *inode)
299 {
300         return inode_doinit_with_dentry(inode, NULL);
301 }
302
303 enum {
304         Opt_error = -1,
305         Opt_context = 1,
306         Opt_fscontext = 2,
307         Opt_defcontext = 3,
308         Opt_rootcontext = 4,
309         Opt_labelsupport = 5,
310 };
311
312 static const match_table_t tokens = {
313         {Opt_context, CONTEXT_STR "%s"},
314         {Opt_fscontext, FSCONTEXT_STR "%s"},
315         {Opt_defcontext, DEFCONTEXT_STR "%s"},
316         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
317         {Opt_labelsupport, LABELSUPP_STR},
318         {Opt_error, NULL},
319 };
320
321 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
322
323 static int may_context_mount_sb_relabel(u32 sid,
324                         struct superblock_security_struct *sbsec,
325                         const struct cred *cred)
326 {
327         const struct task_security_struct *tsec = cred->security;
328         int rc;
329
330         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
331                           FILESYSTEM__RELABELFROM, NULL);
332         if (rc)
333                 return rc;
334
335         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
336                           FILESYSTEM__RELABELTO, NULL);
337         return rc;
338 }
339
340 static int may_context_mount_inode_relabel(u32 sid,
341                         struct superblock_security_struct *sbsec,
342                         const struct cred *cred)
343 {
344         const struct task_security_struct *tsec = cred->security;
345         int rc;
346         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347                           FILESYSTEM__RELABELFROM, NULL);
348         if (rc)
349                 return rc;
350
351         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
352                           FILESYSTEM__ASSOCIATE, NULL);
353         return rc;
354 }
355
356 static int sb_finish_set_opts(struct super_block *sb)
357 {
358         struct superblock_security_struct *sbsec = sb->s_security;
359         struct dentry *root = sb->s_root;
360         struct inode *root_inode = root->d_inode;
361         int rc = 0;
362
363         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
364                 /* Make sure that the xattr handler exists and that no
365                    error other than -ENODATA is returned by getxattr on
366                    the root directory.  -ENODATA is ok, as this may be
367                    the first boot of the SELinux kernel before we have
368                    assigned xattr values to the filesystem. */
369                 if (!root_inode->i_op->getxattr) {
370                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
371                                "xattr support\n", sb->s_id, sb->s_type->name);
372                         rc = -EOPNOTSUPP;
373                         goto out;
374                 }
375                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
376                 if (rc < 0 && rc != -ENODATA) {
377                         if (rc == -EOPNOTSUPP)
378                                 printk(KERN_WARNING "SELinux: (dev %s, type "
379                                        "%s) has no security xattr handler\n",
380                                        sb->s_id, sb->s_type->name);
381                         else
382                                 printk(KERN_WARNING "SELinux: (dev %s, type "
383                                        "%s) getxattr errno %d\n", sb->s_id,
384                                        sb->s_type->name, -rc);
385                         goto out;
386                 }
387         }
388
389         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
390
391         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
392                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
393                        sb->s_id, sb->s_type->name);
394         else
395                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
396                        sb->s_id, sb->s_type->name,
397                        labeling_behaviors[sbsec->behavior-1]);
398
399         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
400             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
401             sbsec->behavior == SECURITY_FS_USE_NONE ||
402             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403                 sbsec->flags &= ~SE_SBLABELSUPP;
404
405         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
406         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
407                 sbsec->flags |= SE_SBLABELSUPP;
408
409         /* Initialize the root inode. */
410         rc = inode_doinit_with_dentry(root_inode, root);
411
412         /* Initialize any other inodes associated with the superblock, e.g.
413            inodes created prior to initial policy load or inodes created
414            during get_sb by a pseudo filesystem that directly
415            populates itself. */
416         spin_lock(&sbsec->isec_lock);
417 next_inode:
418         if (!list_empty(&sbsec->isec_head)) {
419                 struct inode_security_struct *isec =
420                                 list_entry(sbsec->isec_head.next,
421                                            struct inode_security_struct, list);
422                 struct inode *inode = isec->inode;
423                 spin_unlock(&sbsec->isec_lock);
424                 inode = igrab(inode);
425                 if (inode) {
426                         if (!IS_PRIVATE(inode))
427                                 inode_doinit(inode);
428                         iput(inode);
429                 }
430                 spin_lock(&sbsec->isec_lock);
431                 list_del_init(&isec->list);
432                 goto next_inode;
433         }
434         spin_unlock(&sbsec->isec_lock);
435 out:
436         return rc;
437 }
438
439 /*
440  * This function should allow an FS to ask what it's mount security
441  * options were so it can use those later for submounts, displaying
442  * mount options, or whatever.
443  */
444 static int selinux_get_mnt_opts(const struct super_block *sb,
445                                 struct security_mnt_opts *opts)
446 {
447         int rc = 0, i;
448         struct superblock_security_struct *sbsec = sb->s_security;
449         char *context = NULL;
450         u32 len;
451         char tmp;
452
453         security_init_mnt_opts(opts);
454
455         if (!(sbsec->flags & SE_SBINITIALIZED))
456                 return -EINVAL;
457
458         if (!ss_initialized)
459                 return -EINVAL;
460
461         tmp = sbsec->flags & SE_MNTMASK;
462         /* count the number of mount options for this sb */
463         for (i = 0; i < 8; i++) {
464                 if (tmp & 0x01)
465                         opts->num_mnt_opts++;
466                 tmp >>= 1;
467         }
468         /* Check if the Label support flag is set */
469         if (sbsec->flags & SE_SBLABELSUPP)
470                 opts->num_mnt_opts++;
471
472         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473         if (!opts->mnt_opts) {
474                 rc = -ENOMEM;
475                 goto out_free;
476         }
477
478         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479         if (!opts->mnt_opts_flags) {
480                 rc = -ENOMEM;
481                 goto out_free;
482         }
483
484         i = 0;
485         if (sbsec->flags & FSCONTEXT_MNT) {
486                 rc = security_sid_to_context(sbsec->sid, &context, &len);
487                 if (rc)
488                         goto out_free;
489                 opts->mnt_opts[i] = context;
490                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
491         }
492         if (sbsec->flags & CONTEXT_MNT) {
493                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
494                 if (rc)
495                         goto out_free;
496                 opts->mnt_opts[i] = context;
497                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
498         }
499         if (sbsec->flags & DEFCONTEXT_MNT) {
500                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
501                 if (rc)
502                         goto out_free;
503                 opts->mnt_opts[i] = context;
504                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
505         }
506         if (sbsec->flags & ROOTCONTEXT_MNT) {
507                 struct inode *root = sbsec->sb->s_root->d_inode;
508                 struct inode_security_struct *isec = root->i_security;
509
510                 rc = security_sid_to_context(isec->sid, &context, &len);
511                 if (rc)
512                         goto out_free;
513                 opts->mnt_opts[i] = context;
514                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
515         }
516         if (sbsec->flags & SE_SBLABELSUPP) {
517                 opts->mnt_opts[i] = NULL;
518                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
519         }
520
521         BUG_ON(i != opts->num_mnt_opts);
522
523         return 0;
524
525 out_free:
526         security_free_mnt_opts(opts);
527         return rc;
528 }
529
530 static int bad_option(struct superblock_security_struct *sbsec, char flag,
531                       u32 old_sid, u32 new_sid)
532 {
533         char mnt_flags = sbsec->flags & SE_MNTMASK;
534
535         /* check if the old mount command had the same options */
536         if (sbsec->flags & SE_SBINITIALIZED)
537                 if (!(sbsec->flags & flag) ||
538                     (old_sid != new_sid))
539                         return 1;
540
541         /* check if we were passed the same options twice,
542          * aka someone passed context=a,context=b
543          */
544         if (!(sbsec->flags & SE_SBINITIALIZED))
545                 if (mnt_flags & flag)
546                         return 1;
547         return 0;
548 }
549
550 /*
551  * Allow filesystems with binary mount data to explicitly set mount point
552  * labeling information.
553  */
554 static int selinux_set_mnt_opts(struct super_block *sb,
555                                 struct security_mnt_opts *opts)
556 {
557         const struct cred *cred = current_cred();
558         int rc = 0, i;
559         struct superblock_security_struct *sbsec = sb->s_security;
560         const char *name = sb->s_type->name;
561         struct inode *inode = sbsec->sb->s_root->d_inode;
562         struct inode_security_struct *root_isec = inode->i_security;
563         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564         u32 defcontext_sid = 0;
565         char **mount_options = opts->mnt_opts;
566         int *flags = opts->mnt_opts_flags;
567         int num_opts = opts->num_mnt_opts;
568
569         mutex_lock(&sbsec->lock);
570
571         if (!ss_initialized) {
572                 if (!num_opts) {
573                         /* Defer initialization until selinux_complete_init,
574                            after the initial policy is loaded and the security
575                            server is ready to handle calls. */
576                         goto out;
577                 }
578                 rc = -EINVAL;
579                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
580                         "before the security server is initialized\n");
581                 goto out;
582         }
583
584         /*
585          * Binary mount data FS will come through this function twice.  Once
586          * from an explicit call and once from the generic calls from the vfs.
587          * Since the generic VFS calls will not contain any security mount data
588          * we need to skip the double mount verification.
589          *
590          * This does open a hole in which we will not notice if the first
591          * mount using this sb set explict options and a second mount using
592          * this sb does not set any security options.  (The first options
593          * will be used for both mounts)
594          */
595         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596             && (num_opts == 0))
597                 goto out;
598
599         /*
600          * parse the mount options, check if they are valid sids.
601          * also check if someone is trying to mount the same sb more
602          * than once with different security options.
603          */
604         for (i = 0; i < num_opts; i++) {
605                 u32 sid;
606
607                 if (flags[i] == SE_SBLABELSUPP)
608                         continue;
609                 rc = security_context_to_sid(mount_options[i],
610                                              strlen(mount_options[i]), &sid);
611                 if (rc) {
612                         printk(KERN_WARNING "SELinux: security_context_to_sid"
613                                "(%s) failed for (dev %s, type %s) errno=%d\n",
614                                mount_options[i], sb->s_id, name, rc);
615                         goto out;
616                 }
617                 switch (flags[i]) {
618                 case FSCONTEXT_MNT:
619                         fscontext_sid = sid;
620
621                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
622                                         fscontext_sid))
623                                 goto out_double_mount;
624
625                         sbsec->flags |= FSCONTEXT_MNT;
626                         break;
627                 case CONTEXT_MNT:
628                         context_sid = sid;
629
630                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
631                                         context_sid))
632                                 goto out_double_mount;
633
634                         sbsec->flags |= CONTEXT_MNT;
635                         break;
636                 case ROOTCONTEXT_MNT:
637                         rootcontext_sid = sid;
638
639                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
640                                         rootcontext_sid))
641                                 goto out_double_mount;
642
643                         sbsec->flags |= ROOTCONTEXT_MNT;
644
645                         break;
646                 case DEFCONTEXT_MNT:
647                         defcontext_sid = sid;
648
649                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
650                                         defcontext_sid))
651                                 goto out_double_mount;
652
653                         sbsec->flags |= DEFCONTEXT_MNT;
654
655                         break;
656                 default:
657                         rc = -EINVAL;
658                         goto out;
659                 }
660         }
661
662         if (sbsec->flags & SE_SBINITIALIZED) {
663                 /* previously mounted with options, but not on this attempt? */
664                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
665                         goto out_double_mount;
666                 rc = 0;
667                 goto out;
668         }
669
670         if (strcmp(sb->s_type->name, "proc") == 0)
671                 sbsec->flags |= SE_SBPROC;
672
673         /* Determine the labeling behavior to use for this filesystem type. */
674         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
675         if (rc) {
676                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
677                        __func__, sb->s_type->name, rc);
678                 goto out;
679         }
680
681         /* sets the context of the superblock for the fs being mounted. */
682         if (fscontext_sid) {
683                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
684                 if (rc)
685                         goto out;
686
687                 sbsec->sid = fscontext_sid;
688         }
689
690         /*
691          * Switch to using mount point labeling behavior.
692          * sets the label used on all file below the mountpoint, and will set
693          * the superblock context if not already set.
694          */
695         if (context_sid) {
696                 if (!fscontext_sid) {
697                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
698                                                           cred);
699                         if (rc)
700                                 goto out;
701                         sbsec->sid = context_sid;
702                 } else {
703                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
704                                                              cred);
705                         if (rc)
706                                 goto out;
707                 }
708                 if (!rootcontext_sid)
709                         rootcontext_sid = context_sid;
710
711                 sbsec->mntpoint_sid = context_sid;
712                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
713         }
714
715         if (rootcontext_sid) {
716                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
717                                                      cred);
718                 if (rc)
719                         goto out;
720
721                 root_isec->sid = rootcontext_sid;
722                 root_isec->initialized = 1;
723         }
724
725         if (defcontext_sid) {
726                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
727                         rc = -EINVAL;
728                         printk(KERN_WARNING "SELinux: defcontext option is "
729                                "invalid for this filesystem type\n");
730                         goto out;
731                 }
732
733                 if (defcontext_sid != sbsec->def_sid) {
734                         rc = may_context_mount_inode_relabel(defcontext_sid,
735                                                              sbsec, cred);
736                         if (rc)
737                                 goto out;
738                 }
739
740                 sbsec->def_sid = defcontext_sid;
741         }
742
743         rc = sb_finish_set_opts(sb);
744 out:
745         mutex_unlock(&sbsec->lock);
746         return rc;
747 out_double_mount:
748         rc = -EINVAL;
749         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
750                "security settings for (dev %s, type %s)\n", sb->s_id, name);
751         goto out;
752 }
753
754 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
755                                         struct super_block *newsb)
756 {
757         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
758         struct superblock_security_struct *newsbsec = newsb->s_security;
759
760         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
761         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
762         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
763
764         /*
765          * if the parent was able to be mounted it clearly had no special lsm
766          * mount options.  thus we can safely deal with this superblock later
767          */
768         if (!ss_initialized)
769                 return;
770
771         /* how can we clone if the old one wasn't set up?? */
772         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
773
774         /* if fs is reusing a sb, just let its options stand... */
775         if (newsbsec->flags & SE_SBINITIALIZED)
776                 return;
777
778         mutex_lock(&newsbsec->lock);
779
780         newsbsec->flags = oldsbsec->flags;
781
782         newsbsec->sid = oldsbsec->sid;
783         newsbsec->def_sid = oldsbsec->def_sid;
784         newsbsec->behavior = oldsbsec->behavior;
785
786         if (set_context) {
787                 u32 sid = oldsbsec->mntpoint_sid;
788
789                 if (!set_fscontext)
790                         newsbsec->sid = sid;
791                 if (!set_rootcontext) {
792                         struct inode *newinode = newsb->s_root->d_inode;
793                         struct inode_security_struct *newisec = newinode->i_security;
794                         newisec->sid = sid;
795                 }
796                 newsbsec->mntpoint_sid = sid;
797         }
798         if (set_rootcontext) {
799                 const struct inode *oldinode = oldsb->s_root->d_inode;
800                 const struct inode_security_struct *oldisec = oldinode->i_security;
801                 struct inode *newinode = newsb->s_root->d_inode;
802                 struct inode_security_struct *newisec = newinode->i_security;
803
804                 newisec->sid = oldisec->sid;
805         }
806
807         sb_finish_set_opts(newsb);
808         mutex_unlock(&newsbsec->lock);
809 }
810
811 static int selinux_parse_opts_str(char *options,
812                                   struct security_mnt_opts *opts)
813 {
814         char *p;
815         char *context = NULL, *defcontext = NULL;
816         char *fscontext = NULL, *rootcontext = NULL;
817         int rc, num_mnt_opts = 0;
818
819         opts->num_mnt_opts = 0;
820
821         /* Standard string-based options. */
822         while ((p = strsep(&options, "|")) != NULL) {
823                 int token;
824                 substring_t args[MAX_OPT_ARGS];
825
826                 if (!*p)
827                         continue;
828
829                 token = match_token(p, tokens, args);
830
831                 switch (token) {
832                 case Opt_context:
833                         if (context || defcontext) {
834                                 rc = -EINVAL;
835                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
836                                 goto out_err;
837                         }
838                         context = match_strdup(&args[0]);
839                         if (!context) {
840                                 rc = -ENOMEM;
841                                 goto out_err;
842                         }
843                         break;
844
845                 case Opt_fscontext:
846                         if (fscontext) {
847                                 rc = -EINVAL;
848                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
849                                 goto out_err;
850                         }
851                         fscontext = match_strdup(&args[0]);
852                         if (!fscontext) {
853                                 rc = -ENOMEM;
854                                 goto out_err;
855                         }
856                         break;
857
858                 case Opt_rootcontext:
859                         if (rootcontext) {
860                                 rc = -EINVAL;
861                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
862                                 goto out_err;
863                         }
864                         rootcontext = match_strdup(&args[0]);
865                         if (!rootcontext) {
866                                 rc = -ENOMEM;
867                                 goto out_err;
868                         }
869                         break;
870
871                 case Opt_defcontext:
872                         if (context || defcontext) {
873                                 rc = -EINVAL;
874                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875                                 goto out_err;
876                         }
877                         defcontext = match_strdup(&args[0]);
878                         if (!defcontext) {
879                                 rc = -ENOMEM;
880                                 goto out_err;
881                         }
882                         break;
883                 case Opt_labelsupport:
884                         break;
885                 default:
886                         rc = -EINVAL;
887                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
888                         goto out_err;
889
890                 }
891         }
892
893         rc = -ENOMEM;
894         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
895         if (!opts->mnt_opts)
896                 goto out_err;
897
898         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
899         if (!opts->mnt_opts_flags) {
900                 kfree(opts->mnt_opts);
901                 goto out_err;
902         }
903
904         if (fscontext) {
905                 opts->mnt_opts[num_mnt_opts] = fscontext;
906                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
907         }
908         if (context) {
909                 opts->mnt_opts[num_mnt_opts] = context;
910                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
911         }
912         if (rootcontext) {
913                 opts->mnt_opts[num_mnt_opts] = rootcontext;
914                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
915         }
916         if (defcontext) {
917                 opts->mnt_opts[num_mnt_opts] = defcontext;
918                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
919         }
920
921         opts->num_mnt_opts = num_mnt_opts;
922         return 0;
923
924 out_err:
925         kfree(context);
926         kfree(defcontext);
927         kfree(fscontext);
928         kfree(rootcontext);
929         return rc;
930 }
931 /*
932  * string mount options parsing and call set the sbsec
933  */
934 static int superblock_doinit(struct super_block *sb, void *data)
935 {
936         int rc = 0;
937         char *options = data;
938         struct security_mnt_opts opts;
939
940         security_init_mnt_opts(&opts);
941
942         if (!data)
943                 goto out;
944
945         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
946
947         rc = selinux_parse_opts_str(options, &opts);
948         if (rc)
949                 goto out_err;
950
951 out:
952         rc = selinux_set_mnt_opts(sb, &opts);
953
954 out_err:
955         security_free_mnt_opts(&opts);
956         return rc;
957 }
958
959 static void selinux_write_opts(struct seq_file *m,
960                                struct security_mnt_opts *opts)
961 {
962         int i;
963         char *prefix;
964
965         for (i = 0; i < opts->num_mnt_opts; i++) {
966                 char *has_comma;
967
968                 if (opts->mnt_opts[i])
969                         has_comma = strchr(opts->mnt_opts[i], ',');
970                 else
971                         has_comma = NULL;
972
973                 switch (opts->mnt_opts_flags[i]) {
974                 case CONTEXT_MNT:
975                         prefix = CONTEXT_STR;
976                         break;
977                 case FSCONTEXT_MNT:
978                         prefix = FSCONTEXT_STR;
979                         break;
980                 case ROOTCONTEXT_MNT:
981                         prefix = ROOTCONTEXT_STR;
982                         break;
983                 case DEFCONTEXT_MNT:
984                         prefix = DEFCONTEXT_STR;
985                         break;
986                 case SE_SBLABELSUPP:
987                         seq_putc(m, ',');
988                         seq_puts(m, LABELSUPP_STR);
989                         continue;
990                 default:
991                         BUG();
992                 };
993                 /* we need a comma before each option */
994                 seq_putc(m, ',');
995                 seq_puts(m, prefix);
996                 if (has_comma)
997                         seq_putc(m, '\"');
998                 seq_puts(m, opts->mnt_opts[i]);
999                 if (has_comma)
1000                         seq_putc(m, '\"');
1001         }
1002 }
1003
1004 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1005 {
1006         struct security_mnt_opts opts;
1007         int rc;
1008
1009         rc = selinux_get_mnt_opts(sb, &opts);
1010         if (rc) {
1011                 /* before policy load we may get EINVAL, don't show anything */
1012                 if (rc == -EINVAL)
1013                         rc = 0;
1014                 return rc;
1015         }
1016
1017         selinux_write_opts(m, &opts);
1018
1019         security_free_mnt_opts(&opts);
1020
1021         return rc;
1022 }
1023
1024 static inline u16 inode_mode_to_security_class(umode_t mode)
1025 {
1026         switch (mode & S_IFMT) {
1027         case S_IFSOCK:
1028                 return SECCLASS_SOCK_FILE;
1029         case S_IFLNK:
1030                 return SECCLASS_LNK_FILE;
1031         case S_IFREG:
1032                 return SECCLASS_FILE;
1033         case S_IFBLK:
1034                 return SECCLASS_BLK_FILE;
1035         case S_IFDIR:
1036                 return SECCLASS_DIR;
1037         case S_IFCHR:
1038                 return SECCLASS_CHR_FILE;
1039         case S_IFIFO:
1040                 return SECCLASS_FIFO_FILE;
1041
1042         }
1043
1044         return SECCLASS_FILE;
1045 }
1046
1047 static inline int default_protocol_stream(int protocol)
1048 {
1049         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050 }
1051
1052 static inline int default_protocol_dgram(int protocol)
1053 {
1054         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055 }
1056
1057 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1058 {
1059         switch (family) {
1060         case PF_UNIX:
1061                 switch (type) {
1062                 case SOCK_STREAM:
1063                 case SOCK_SEQPACKET:
1064                         return SECCLASS_UNIX_STREAM_SOCKET;
1065                 case SOCK_DGRAM:
1066                         return SECCLASS_UNIX_DGRAM_SOCKET;
1067                 }
1068                 break;
1069         case PF_INET:
1070         case PF_INET6:
1071                 switch (type) {
1072                 case SOCK_STREAM:
1073                         if (default_protocol_stream(protocol))
1074                                 return SECCLASS_TCP_SOCKET;
1075                         else
1076                                 return SECCLASS_RAWIP_SOCKET;
1077                 case SOCK_DGRAM:
1078                         if (default_protocol_dgram(protocol))
1079                                 return SECCLASS_UDP_SOCKET;
1080                         else
1081                                 return SECCLASS_RAWIP_SOCKET;
1082                 case SOCK_DCCP:
1083                         return SECCLASS_DCCP_SOCKET;
1084                 default:
1085                         return SECCLASS_RAWIP_SOCKET;
1086                 }
1087                 break;
1088         case PF_NETLINK:
1089                 switch (protocol) {
1090                 case NETLINK_ROUTE:
1091                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1092                 case NETLINK_FIREWALL:
1093                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1094                 case NETLINK_INET_DIAG:
1095                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1096                 case NETLINK_NFLOG:
1097                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1098                 case NETLINK_XFRM:
1099                         return SECCLASS_NETLINK_XFRM_SOCKET;
1100                 case NETLINK_SELINUX:
1101                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1102                 case NETLINK_AUDIT:
1103                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1104                 case NETLINK_IP6_FW:
1105                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1106                 case NETLINK_DNRTMSG:
1107                         return SECCLASS_NETLINK_DNRT_SOCKET;
1108                 case NETLINK_KOBJECT_UEVENT:
1109                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1110                 default:
1111                         return SECCLASS_NETLINK_SOCKET;
1112                 }
1113         case PF_PACKET:
1114                 return SECCLASS_PACKET_SOCKET;
1115         case PF_KEY:
1116                 return SECCLASS_KEY_SOCKET;
1117         case PF_APPLETALK:
1118                 return SECCLASS_APPLETALK_SOCKET;
1119         }
1120
1121         return SECCLASS_SOCKET;
1122 }
1123
1124 #ifdef CONFIG_PROC_FS
1125 static int selinux_proc_get_sid(struct dentry *dentry,
1126                                 u16 tclass,
1127                                 u32 *sid)
1128 {
1129         int rc;
1130         char *buffer, *path;
1131
1132         buffer = (char *)__get_free_page(GFP_KERNEL);
1133         if (!buffer)
1134                 return -ENOMEM;
1135
1136         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1137         if (IS_ERR(path))
1138                 rc = PTR_ERR(path);
1139         else {
1140                 /* each process gets a /proc/PID/ entry. Strip off the
1141                  * PID part to get a valid selinux labeling.
1142                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143                 while (path[1] >= '0' && path[1] <= '9') {
1144                         path[1] = '/';
1145                         path++;
1146                 }
1147                 rc = security_genfs_sid("proc", path, tclass, sid);
1148         }
1149         free_page((unsigned long)buffer);
1150         return rc;
1151 }
1152 #else
1153 static int selinux_proc_get_sid(struct dentry *dentry,
1154                                 u16 tclass,
1155                                 u32 *sid)
1156 {
1157         return -EINVAL;
1158 }
1159 #endif
1160
1161 /* The inode's security attributes must be initialized before first use. */
1162 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1163 {
1164         struct superblock_security_struct *sbsec = NULL;
1165         struct inode_security_struct *isec = inode->i_security;
1166         u32 sid;
1167         struct dentry *dentry;
1168 #define INITCONTEXTLEN 255
1169         char *context = NULL;
1170         unsigned len = 0;
1171         int rc = 0;
1172
1173         if (isec->initialized)
1174                 goto out;
1175
1176         mutex_lock(&isec->lock);
1177         if (isec->initialized)
1178                 goto out_unlock;
1179
1180         sbsec = inode->i_sb->s_security;
1181         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1182                 /* Defer initialization until selinux_complete_init,
1183                    after the initial policy is loaded and the security
1184                    server is ready to handle calls. */
1185                 spin_lock(&sbsec->isec_lock);
1186                 if (list_empty(&isec->list))
1187                         list_add(&isec->list, &sbsec->isec_head);
1188                 spin_unlock(&sbsec->isec_lock);
1189                 goto out_unlock;
1190         }
1191
1192         switch (sbsec->behavior) {
1193         case SECURITY_FS_USE_XATTR:
1194                 if (!inode->i_op->getxattr) {
1195                         isec->sid = sbsec->def_sid;
1196                         break;
1197                 }
1198
1199                 /* Need a dentry, since the xattr API requires one.
1200                    Life would be simpler if we could just pass the inode. */
1201                 if (opt_dentry) {
1202                         /* Called from d_instantiate or d_splice_alias. */
1203                         dentry = dget(opt_dentry);
1204                 } else {
1205                         /* Called from selinux_complete_init, try to find a dentry. */
1206                         dentry = d_find_alias(inode);
1207                 }
1208                 if (!dentry) {
1209                         /*
1210                          * this is can be hit on boot when a file is accessed
1211                          * before the policy is loaded.  When we load policy we
1212                          * may find inodes that have no dentry on the
1213                          * sbsec->isec_head list.  No reason to complain as these
1214                          * will get fixed up the next time we go through
1215                          * inode_doinit with a dentry, before these inodes could
1216                          * be used again by userspace.
1217                          */
1218                         goto out_unlock;
1219                 }
1220
1221                 len = INITCONTEXTLEN;
1222                 context = kmalloc(len+1, GFP_NOFS);
1223                 if (!context) {
1224                         rc = -ENOMEM;
1225                         dput(dentry);
1226                         goto out_unlock;
1227                 }
1228                 context[len] = '\0';
1229                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230                                            context, len);
1231                 if (rc == -ERANGE) {
1232                         kfree(context);
1233
1234                         /* Need a larger buffer.  Query for the right size. */
1235                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1236                                                    NULL, 0);
1237                         if (rc < 0) {
1238                                 dput(dentry);
1239                                 goto out_unlock;
1240                         }
1241                         len = rc;
1242                         context = kmalloc(len+1, GFP_NOFS);
1243                         if (!context) {
1244                                 rc = -ENOMEM;
1245                                 dput(dentry);
1246                                 goto out_unlock;
1247                         }
1248                         context[len] = '\0';
1249                         rc = inode->i_op->getxattr(dentry,
1250                                                    XATTR_NAME_SELINUX,
1251                                                    context, len);
1252                 }
1253                 dput(dentry);
1254                 if (rc < 0) {
1255                         if (rc != -ENODATA) {
1256                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1257                                        "%d for dev=%s ino=%ld\n", __func__,
1258                                        -rc, inode->i_sb->s_id, inode->i_ino);
1259                                 kfree(context);
1260                                 goto out_unlock;
1261                         }
1262                         /* Map ENODATA to the default file SID */
1263                         sid = sbsec->def_sid;
1264                         rc = 0;
1265                 } else {
1266                         rc = security_context_to_sid_default(context, rc, &sid,
1267                                                              sbsec->def_sid,
1268                                                              GFP_NOFS);
1269                         if (rc) {
1270                                 char *dev = inode->i_sb->s_id;
1271                                 unsigned long ino = inode->i_ino;
1272
1273                                 if (rc == -EINVAL) {
1274                                         if (printk_ratelimit())
1275                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1277                                                         "filesystem in question.\n", ino, dev, context);
1278                                 } else {
1279                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1280                                                "returned %d for dev=%s ino=%ld\n",
1281                                                __func__, context, -rc, dev, ino);
1282                                 }
1283                                 kfree(context);
1284                                 /* Leave with the unlabeled SID */
1285                                 rc = 0;
1286                                 break;
1287                         }
1288                 }
1289                 kfree(context);
1290                 isec->sid = sid;
1291                 break;
1292         case SECURITY_FS_USE_TASK:
1293                 isec->sid = isec->task_sid;
1294                 break;
1295         case SECURITY_FS_USE_TRANS:
1296                 /* Default to the fs SID. */
1297                 isec->sid = sbsec->sid;
1298
1299                 /* Try to obtain a transition SID. */
1300                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1301                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302                                              isec->sclass, NULL, &sid);
1303                 if (rc)
1304                         goto out_unlock;
1305                 isec->sid = sid;
1306                 break;
1307         case SECURITY_FS_USE_MNTPOINT:
1308                 isec->sid = sbsec->mntpoint_sid;
1309                 break;
1310         default:
1311                 /* Default to the fs superblock SID. */
1312                 isec->sid = sbsec->sid;
1313
1314                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1315                         if (opt_dentry) {
1316                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317                                 rc = selinux_proc_get_sid(opt_dentry,
1318                                                           isec->sclass,
1319                                                           &sid);
1320                                 if (rc)
1321                                         goto out_unlock;
1322                                 isec->sid = sid;
1323                         }
1324                 }
1325                 break;
1326         }
1327
1328         isec->initialized = 1;
1329
1330 out_unlock:
1331         mutex_unlock(&isec->lock);
1332 out:
1333         if (isec->sclass == SECCLASS_FILE)
1334                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1335         return rc;
1336 }
1337
1338 /* Convert a Linux signal to an access vector. */
1339 static inline u32 signal_to_av(int sig)
1340 {
1341         u32 perm = 0;
1342
1343         switch (sig) {
1344         case SIGCHLD:
1345                 /* Commonly granted from child to parent. */
1346                 perm = PROCESS__SIGCHLD;
1347                 break;
1348         case SIGKILL:
1349                 /* Cannot be caught or ignored */
1350                 perm = PROCESS__SIGKILL;
1351                 break;
1352         case SIGSTOP:
1353                 /* Cannot be caught or ignored */
1354                 perm = PROCESS__SIGSTOP;
1355                 break;
1356         default:
1357                 /* All other signals. */
1358                 perm = PROCESS__SIGNAL;
1359                 break;
1360         }
1361
1362         return perm;
1363 }
1364
1365 /*
1366  * Check permission between a pair of credentials
1367  * fork check, ptrace check, etc.
1368  */
1369 static int cred_has_perm(const struct cred *actor,
1370                          const struct cred *target,
1371                          u32 perms)
1372 {
1373         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1374
1375         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1376 }
1377
1378 /*
1379  * Check permission between a pair of tasks, e.g. signal checks,
1380  * fork check, ptrace check, etc.
1381  * tsk1 is the actor and tsk2 is the target
1382  * - this uses the default subjective creds of tsk1
1383  */
1384 static int task_has_perm(const struct task_struct *tsk1,
1385                          const struct task_struct *tsk2,
1386                          u32 perms)
1387 {
1388         const struct task_security_struct *__tsec1, *__tsec2;
1389         u32 sid1, sid2;
1390
1391         rcu_read_lock();
1392         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1393         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1394         rcu_read_unlock();
1395         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1396 }
1397
1398 /*
1399  * Check permission between current and another task, e.g. signal checks,
1400  * fork check, ptrace check, etc.
1401  * current is the actor and tsk2 is the target
1402  * - this uses current's subjective creds
1403  */
1404 static int current_has_perm(const struct task_struct *tsk,
1405                             u32 perms)
1406 {
1407         u32 sid, tsid;
1408
1409         sid = current_sid();
1410         tsid = task_sid(tsk);
1411         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 #if CAP_LAST_CAP > 63
1415 #error Fix SELinux to handle capabilities > 63.
1416 #endif
1417
1418 /* Check whether a task is allowed to use a capability. */
1419 static int task_has_capability(struct task_struct *tsk,
1420                                const struct cred *cred,
1421                                int cap, int audit)
1422 {
1423         struct common_audit_data ad;
1424         struct av_decision avd;
1425         u16 sclass;
1426         u32 sid = cred_sid(cred);
1427         u32 av = CAP_TO_MASK(cap);
1428         int rc;
1429
1430         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1431         ad.tsk = tsk;
1432         ad.u.cap = cap;
1433
1434         switch (CAP_TO_INDEX(cap)) {
1435         case 0:
1436                 sclass = SECCLASS_CAPABILITY;
1437                 break;
1438         case 1:
1439                 sclass = SECCLASS_CAPABILITY2;
1440                 break;
1441         default:
1442                 printk(KERN_ERR
1443                        "SELinux:  out of range capability %d\n", cap);
1444                 BUG();
1445         }
1446
1447         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1448         if (audit == SECURITY_CAP_AUDIT)
1449                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1450         return rc;
1451 }
1452
1453 /* Check whether a task is allowed to use a system operation. */
1454 static int task_has_system(struct task_struct *tsk,
1455                            u32 perms)
1456 {
1457         u32 sid = task_sid(tsk);
1458
1459         return avc_has_perm(sid, SECINITSID_KERNEL,
1460                             SECCLASS_SYSTEM, perms, NULL);
1461 }
1462
1463 /* Check whether a task has a particular permission to an inode.
1464    The 'adp' parameter is optional and allows other audit
1465    data to be passed (e.g. the dentry). */
1466 static int inode_has_perm(const struct cred *cred,
1467                           struct inode *inode,
1468                           u32 perms,
1469                           struct common_audit_data *adp)
1470 {
1471         struct inode_security_struct *isec;
1472         struct common_audit_data ad;
1473         u32 sid;
1474
1475         validate_creds(cred);
1476
1477         if (unlikely(IS_PRIVATE(inode)))
1478                 return 0;
1479
1480         sid = cred_sid(cred);
1481         isec = inode->i_security;
1482
1483         if (!adp) {
1484                 adp = &ad;
1485                 COMMON_AUDIT_DATA_INIT(&ad, FS);
1486                 ad.u.fs.inode = inode;
1487         }
1488
1489         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1490 }
1491
1492 /* Same as inode_has_perm, but pass explicit audit data containing
1493    the dentry to help the auditing code to more easily generate the
1494    pathname if needed. */
1495 static inline int dentry_has_perm(const struct cred *cred,
1496                                   struct vfsmount *mnt,
1497                                   struct dentry *dentry,
1498                                   u32 av)
1499 {
1500         struct inode *inode = dentry->d_inode;
1501         struct common_audit_data ad;
1502
1503         COMMON_AUDIT_DATA_INIT(&ad, FS);
1504         ad.u.fs.path.mnt = mnt;
1505         ad.u.fs.path.dentry = dentry;
1506         return inode_has_perm(cred, inode, av, &ad);
1507 }
1508
1509 /* Check whether a task can use an open file descriptor to
1510    access an inode in a given way.  Check access to the
1511    descriptor itself, and then use dentry_has_perm to
1512    check a particular permission to the file.
1513    Access to the descriptor is implicitly granted if it
1514    has the same SID as the process.  If av is zero, then
1515    access to the file is not checked, e.g. for cases
1516    where only the descriptor is affected like seek. */
1517 static int file_has_perm(const struct cred *cred,
1518                          struct file *file,
1519                          u32 av)
1520 {
1521         struct file_security_struct *fsec = file->f_security;
1522         struct inode *inode = file->f_path.dentry->d_inode;
1523         struct common_audit_data ad;
1524         u32 sid = cred_sid(cred);
1525         int rc;
1526
1527         COMMON_AUDIT_DATA_INIT(&ad, FS);
1528         ad.u.fs.path = file->f_path;
1529
1530         if (sid != fsec->sid) {
1531                 rc = avc_has_perm(sid, fsec->sid,
1532                                   SECCLASS_FD,
1533                                   FD__USE,
1534                                   &ad);
1535                 if (rc)
1536                         goto out;
1537         }
1538
1539         /* av is zero if only checking access to the descriptor. */
1540         rc = 0;
1541         if (av)
1542                 rc = inode_has_perm(cred, inode, av, &ad);
1543
1544 out:
1545         return rc;
1546 }
1547
1548 /* Check whether a task can create a file. */
1549 static int may_create(struct inode *dir,
1550                       struct dentry *dentry,
1551                       u16 tclass)
1552 {
1553         const struct task_security_struct *tsec = current_security();
1554         struct inode_security_struct *dsec;
1555         struct superblock_security_struct *sbsec;
1556         u32 sid, newsid;
1557         struct common_audit_data ad;
1558         int rc;
1559
1560         dsec = dir->i_security;
1561         sbsec = dir->i_sb->s_security;
1562
1563         sid = tsec->sid;
1564         newsid = tsec->create_sid;
1565
1566         COMMON_AUDIT_DATA_INIT(&ad, FS);
1567         ad.u.fs.path.dentry = dentry;
1568
1569         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1570                           DIR__ADD_NAME | DIR__SEARCH,
1571                           &ad);
1572         if (rc)
1573                 return rc;
1574
1575         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1576                 rc = security_transition_sid(sid, dsec->sid, tclass,
1577                                              &dentry->d_name, &newsid);
1578                 if (rc)
1579                         return rc;
1580         }
1581
1582         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1583         if (rc)
1584                 return rc;
1585
1586         return avc_has_perm(newsid, sbsec->sid,
1587                             SECCLASS_FILESYSTEM,
1588                             FILESYSTEM__ASSOCIATE, &ad);
1589 }
1590
1591 /* Check whether a task can create a key. */
1592 static int may_create_key(u32 ksid,
1593                           struct task_struct *ctx)
1594 {
1595         u32 sid = task_sid(ctx);
1596
1597         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1598 }
1599
1600 #define MAY_LINK        0
1601 #define MAY_UNLINK      1
1602 #define MAY_RMDIR       2
1603
1604 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1605 static int may_link(struct inode *dir,
1606                     struct dentry *dentry,
1607                     int kind)
1608
1609 {
1610         struct inode_security_struct *dsec, *isec;
1611         struct common_audit_data ad;
1612         u32 sid = current_sid();
1613         u32 av;
1614         int rc;
1615
1616         dsec = dir->i_security;
1617         isec = dentry->d_inode->i_security;
1618
1619         COMMON_AUDIT_DATA_INIT(&ad, FS);
1620         ad.u.fs.path.dentry = dentry;
1621
1622         av = DIR__SEARCH;
1623         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1624         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1625         if (rc)
1626                 return rc;
1627
1628         switch (kind) {
1629         case MAY_LINK:
1630                 av = FILE__LINK;
1631                 break;
1632         case MAY_UNLINK:
1633                 av = FILE__UNLINK;
1634                 break;
1635         case MAY_RMDIR:
1636                 av = DIR__RMDIR;
1637                 break;
1638         default:
1639                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1640                         __func__, kind);
1641                 return 0;
1642         }
1643
1644         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1645         return rc;
1646 }
1647
1648 static inline int may_rename(struct inode *old_dir,
1649                              struct dentry *old_dentry,
1650                              struct inode *new_dir,
1651                              struct dentry *new_dentry)
1652 {
1653         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1654         struct common_audit_data ad;
1655         u32 sid = current_sid();
1656         u32 av;
1657         int old_is_dir, new_is_dir;
1658         int rc;
1659
1660         old_dsec = old_dir->i_security;
1661         old_isec = old_dentry->d_inode->i_security;
1662         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1663         new_dsec = new_dir->i_security;
1664
1665         COMMON_AUDIT_DATA_INIT(&ad, FS);
1666
1667         ad.u.fs.path.dentry = old_dentry;
1668         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1669                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1670         if (rc)
1671                 return rc;
1672         rc = avc_has_perm(sid, old_isec->sid,
1673                           old_isec->sclass, FILE__RENAME, &ad);
1674         if (rc)
1675                 return rc;
1676         if (old_is_dir && new_dir != old_dir) {
1677                 rc = avc_has_perm(sid, old_isec->sid,
1678                                   old_isec->sclass, DIR__REPARENT, &ad);
1679                 if (rc)
1680                         return rc;
1681         }
1682
1683         ad.u.fs.path.dentry = new_dentry;
1684         av = DIR__ADD_NAME | DIR__SEARCH;
1685         if (new_dentry->d_inode)
1686                 av |= DIR__REMOVE_NAME;
1687         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1688         if (rc)
1689                 return rc;
1690         if (new_dentry->d_inode) {
1691                 new_isec = new_dentry->d_inode->i_security;
1692                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1693                 rc = avc_has_perm(sid, new_isec->sid,
1694                                   new_isec->sclass,
1695                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1696                 if (rc)
1697                         return rc;
1698         }
1699
1700         return 0;
1701 }
1702
1703 /* Check whether a task can perform a filesystem operation. */
1704 static int superblock_has_perm(const struct cred *cred,
1705                                struct super_block *sb,
1706                                u32 perms,
1707                                struct common_audit_data *ad)
1708 {
1709         struct superblock_security_struct *sbsec;
1710         u32 sid = cred_sid(cred);
1711
1712         sbsec = sb->s_security;
1713         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1714 }
1715
1716 /* Convert a Linux mode and permission mask to an access vector. */
1717 static inline u32 file_mask_to_av(int mode, int mask)
1718 {
1719         u32 av = 0;
1720
1721         if ((mode & S_IFMT) != S_IFDIR) {
1722                 if (mask & MAY_EXEC)
1723                         av |= FILE__EXECUTE;
1724                 if (mask & MAY_READ)
1725                         av |= FILE__READ;
1726
1727                 if (mask & MAY_APPEND)
1728                         av |= FILE__APPEND;
1729                 else if (mask & MAY_WRITE)
1730                         av |= FILE__WRITE;
1731
1732         } else {
1733                 if (mask & MAY_EXEC)
1734                         av |= DIR__SEARCH;
1735                 if (mask & MAY_WRITE)
1736                         av |= DIR__WRITE;
1737                 if (mask & MAY_READ)
1738                         av |= DIR__READ;
1739         }
1740
1741         return av;
1742 }
1743
1744 /* Convert a Linux file to an access vector. */
1745 static inline u32 file_to_av(struct file *file)
1746 {
1747         u32 av = 0;
1748
1749         if (file->f_mode & FMODE_READ)
1750                 av |= FILE__READ;
1751         if (file->f_mode & FMODE_WRITE) {
1752                 if (file->f_flags & O_APPEND)
1753                         av |= FILE__APPEND;
1754                 else
1755                         av |= FILE__WRITE;
1756         }
1757         if (!av) {
1758                 /*
1759                  * Special file opened with flags 3 for ioctl-only use.
1760                  */
1761                 av = FILE__IOCTL;
1762         }
1763
1764         return av;
1765 }
1766
1767 /*
1768  * Convert a file to an access vector and include the correct open
1769  * open permission.
1770  */
1771 static inline u32 open_file_to_av(struct file *file)
1772 {
1773         u32 av = file_to_av(file);
1774
1775         if (selinux_policycap_openperm)
1776                 av |= FILE__OPEN;
1777
1778         return av;
1779 }
1780
1781 /* Hook functions begin here. */
1782
1783 static int selinux_ptrace_access_check(struct task_struct *child,
1784                                      unsigned int mode)
1785 {
1786         int rc;
1787
1788         rc = cap_ptrace_access_check(child, mode);
1789         if (rc)
1790                 return rc;
1791
1792         if (mode == PTRACE_MODE_READ) {
1793                 u32 sid = current_sid();
1794                 u32 csid = task_sid(child);
1795                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1796         }
1797
1798         return current_has_perm(child, PROCESS__PTRACE);
1799 }
1800
1801 static int selinux_ptrace_traceme(struct task_struct *parent)
1802 {
1803         int rc;
1804
1805         rc = cap_ptrace_traceme(parent);
1806         if (rc)
1807                 return rc;
1808
1809         return task_has_perm(parent, current, PROCESS__PTRACE);
1810 }
1811
1812 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1813                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1814 {
1815         int error;
1816
1817         error = current_has_perm(target, PROCESS__GETCAP);
1818         if (error)
1819                 return error;
1820
1821         return cap_capget(target, effective, inheritable, permitted);
1822 }
1823
1824 static int selinux_capset(struct cred *new, const struct cred *old,
1825                           const kernel_cap_t *effective,
1826                           const kernel_cap_t *inheritable,
1827                           const kernel_cap_t *permitted)
1828 {
1829         int error;
1830
1831         error = cap_capset(new, old,
1832                                       effective, inheritable, permitted);
1833         if (error)
1834                 return error;
1835
1836         return cred_has_perm(old, new, PROCESS__SETCAP);
1837 }
1838
1839 /*
1840  * (This comment used to live with the selinux_task_setuid hook,
1841  * which was removed).
1842  *
1843  * Since setuid only affects the current process, and since the SELinux
1844  * controls are not based on the Linux identity attributes, SELinux does not
1845  * need to control this operation.  However, SELinux does control the use of
1846  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1847  */
1848
1849 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1850                            int cap, int audit)
1851 {
1852         int rc;
1853
1854         rc = cap_capable(tsk, cred, cap, audit);
1855         if (rc)
1856                 return rc;
1857
1858         return task_has_capability(tsk, cred, cap, audit);
1859 }
1860
1861 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1862 {
1863         const struct cred *cred = current_cred();
1864         int rc = 0;
1865
1866         if (!sb)
1867                 return 0;
1868
1869         switch (cmds) {
1870         case Q_SYNC:
1871         case Q_QUOTAON:
1872         case Q_QUOTAOFF:
1873         case Q_SETINFO:
1874         case Q_SETQUOTA:
1875                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1876                 break;
1877         case Q_GETFMT:
1878         case Q_GETINFO:
1879         case Q_GETQUOTA:
1880                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1881                 break;
1882         default:
1883                 rc = 0;  /* let the kernel handle invalid cmds */
1884                 break;
1885         }
1886         return rc;
1887 }
1888
1889 static int selinux_quota_on(struct dentry *dentry)
1890 {
1891         const struct cred *cred = current_cred();
1892
1893         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1894 }
1895
1896 static int selinux_syslog(int type)
1897 {
1898         int rc;
1899
1900         switch (type) {
1901         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1902         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1903                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1904                 break;
1905         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1906         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1907         /* Set level of messages printed to console */
1908         case SYSLOG_ACTION_CONSOLE_LEVEL:
1909                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1910                 break;
1911         case SYSLOG_ACTION_CLOSE:       /* Close log */
1912         case SYSLOG_ACTION_OPEN:        /* Open log */
1913         case SYSLOG_ACTION_READ:        /* Read from log */
1914         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1915         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1916         default:
1917                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1918                 break;
1919         }
1920         return rc;
1921 }
1922
1923 /*
1924  * Check that a process has enough memory to allocate a new virtual
1925  * mapping. 0 means there is enough memory for the allocation to
1926  * succeed and -ENOMEM implies there is not.
1927  *
1928  * Do not audit the selinux permission check, as this is applied to all
1929  * processes that allocate mappings.
1930  */
1931 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1932 {
1933         int rc, cap_sys_admin = 0;
1934
1935         rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
1936                              SECURITY_CAP_NOAUDIT);
1937         if (rc == 0)
1938                 cap_sys_admin = 1;
1939
1940         return __vm_enough_memory(mm, pages, cap_sys_admin);
1941 }
1942
1943 /* binprm security operations */
1944
1945 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1946 {
1947         const struct task_security_struct *old_tsec;
1948         struct task_security_struct *new_tsec;
1949         struct inode_security_struct *isec;
1950         struct common_audit_data ad;
1951         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1952         int rc;
1953
1954         rc = cap_bprm_set_creds(bprm);
1955         if (rc)
1956                 return rc;
1957
1958         /* SELinux context only depends on initial program or script and not
1959          * the script interpreter */
1960         if (bprm->cred_prepared)
1961                 return 0;
1962
1963         old_tsec = current_security();
1964         new_tsec = bprm->cred->security;
1965         isec = inode->i_security;
1966
1967         /* Default to the current task SID. */
1968         new_tsec->sid = old_tsec->sid;
1969         new_tsec->osid = old_tsec->sid;
1970
1971         /* Reset fs, key, and sock SIDs on execve. */
1972         new_tsec->create_sid = 0;
1973         new_tsec->keycreate_sid = 0;
1974         new_tsec->sockcreate_sid = 0;
1975
1976         if (old_tsec->exec_sid) {
1977                 new_tsec->sid = old_tsec->exec_sid;
1978                 /* Reset exec SID on execve. */
1979                 new_tsec->exec_sid = 0;
1980         } else {
1981                 /* Check for a default transition on this program. */
1982                 rc = security_transition_sid(old_tsec->sid, isec->sid,
1983                                              SECCLASS_PROCESS, NULL,
1984                                              &new_tsec->sid);
1985                 if (rc)
1986                         return rc;
1987         }
1988
1989         COMMON_AUDIT_DATA_INIT(&ad, FS);
1990         ad.u.fs.path = bprm->file->f_path;
1991
1992         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1993                 new_tsec->sid = old_tsec->sid;
1994
1995         if (new_tsec->sid == old_tsec->sid) {
1996                 rc = avc_has_perm(old_tsec->sid, isec->sid,
1997                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1998                 if (rc)
1999                         return rc;
2000         } else {
2001                 /* Check permissions for the transition. */
2002                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2003                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2004                 if (rc)
2005                         return rc;
2006
2007                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2008                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2009                 if (rc)
2010                         return rc;
2011
2012                 /* Check for shared state */
2013                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2014                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2015                                           SECCLASS_PROCESS, PROCESS__SHARE,
2016                                           NULL);
2017                         if (rc)
2018                                 return -EPERM;
2019                 }
2020
2021                 /* Make sure that anyone attempting to ptrace over a task that
2022                  * changes its SID has the appropriate permit */
2023                 if (bprm->unsafe &
2024                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2025                         struct task_struct *tracer;
2026                         struct task_security_struct *sec;
2027                         u32 ptsid = 0;
2028
2029                         rcu_read_lock();
2030                         tracer = tracehook_tracer_task(current);
2031                         if (likely(tracer != NULL)) {
2032                                 sec = __task_cred(tracer)->security;
2033                                 ptsid = sec->sid;
2034                         }
2035                         rcu_read_unlock();
2036
2037                         if (ptsid != 0) {
2038                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2039                                                   SECCLASS_PROCESS,
2040                                                   PROCESS__PTRACE, NULL);
2041                                 if (rc)
2042                                         return -EPERM;
2043                         }
2044                 }
2045
2046                 /* Clear any possibly unsafe personality bits on exec: */
2047                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2048         }
2049
2050         return 0;
2051 }
2052
2053 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2054 {
2055         const struct task_security_struct *tsec = current_security();
2056         u32 sid, osid;
2057         int atsecure = 0;
2058
2059         sid = tsec->sid;
2060         osid = tsec->osid;
2061
2062         if (osid != sid) {
2063                 /* Enable secure mode for SIDs transitions unless
2064                    the noatsecure permission is granted between
2065                    the two SIDs, i.e. ahp returns 0. */
2066                 atsecure = avc_has_perm(osid, sid,
2067                                         SECCLASS_PROCESS,
2068                                         PROCESS__NOATSECURE, NULL);
2069         }
2070
2071         return (atsecure || cap_bprm_secureexec(bprm));
2072 }
2073
2074 extern struct vfsmount *selinuxfs_mount;
2075 extern struct dentry *selinux_null;
2076
2077 /* Derived from fs/exec.c:flush_old_files. */
2078 static inline void flush_unauthorized_files(const struct cred *cred,
2079                                             struct files_struct *files)
2080 {
2081         struct common_audit_data ad;
2082         struct file *file, *devnull = NULL;
2083         struct tty_struct *tty;
2084         struct fdtable *fdt;
2085         long j = -1;
2086         int drop_tty = 0;
2087
2088         tty = get_current_tty();
2089         if (tty) {
2090                 spin_lock(&tty_files_lock);
2091                 if (!list_empty(&tty->tty_files)) {
2092                         struct tty_file_private *file_priv;
2093                         struct inode *inode;
2094
2095                         /* Revalidate access to controlling tty.
2096                            Use inode_has_perm on the tty inode directly rather
2097                            than using file_has_perm, as this particular open
2098                            file may belong to another process and we are only
2099                            interested in the inode-based check here. */
2100                         file_priv = list_first_entry(&tty->tty_files,
2101                                                 struct tty_file_private, list);
2102                         file = file_priv->file;
2103                         inode = file->f_path.dentry->d_inode;
2104                         if (inode_has_perm(cred, inode,
2105                                            FILE__READ | FILE__WRITE, NULL)) {
2106                                 drop_tty = 1;
2107                         }
2108                 }
2109                 spin_unlock(&tty_files_lock);
2110                 tty_kref_put(tty);
2111         }
2112         /* Reset controlling tty. */
2113         if (drop_tty)
2114                 no_tty();
2115
2116         /* Revalidate access to inherited open files. */
2117
2118         COMMON_AUDIT_DATA_INIT(&ad, FS);
2119
2120         spin_lock(&files->file_lock);
2121         for (;;) {
2122                 unsigned long set, i;
2123                 int fd;
2124
2125                 j++;
2126                 i = j * __NFDBITS;
2127                 fdt = files_fdtable(files);
2128                 if (i >= fdt->max_fds)
2129                         break;
2130                 set = fdt->open_fds->fds_bits[j];
2131                 if (!set)
2132                         continue;
2133                 spin_unlock(&files->file_lock);
2134                 for ( ; set ; i++, set >>= 1) {
2135                         if (set & 1) {
2136                                 file = fget(i);
2137                                 if (!file)
2138                                         continue;
2139                                 if (file_has_perm(cred,
2140                                                   file,
2141                                                   file_to_av(file))) {
2142                                         sys_close(i);
2143                                         fd = get_unused_fd();
2144                                         if (fd != i) {
2145                                                 if (fd >= 0)
2146                                                         put_unused_fd(fd);
2147                                                 fput(file);
2148                                                 continue;
2149                                         }
2150                                         if (devnull) {
2151                                                 get_file(devnull);
2152                                         } else {
2153                                                 devnull = dentry_open(
2154                                                         dget(selinux_null),
2155                                                         mntget(selinuxfs_mount),
2156                                                         O_RDWR, cred);
2157                                                 if (IS_ERR(devnull)) {
2158                                                         devnull = NULL;
2159                                                         put_unused_fd(fd);
2160                                                         fput(file);
2161                                                         continue;
2162                                                 }
2163                                         }
2164                                         fd_install(fd, devnull);
2165                                 }
2166                                 fput(file);
2167                         }
2168                 }
2169                 spin_lock(&files->file_lock);
2170
2171         }
2172         spin_unlock(&files->file_lock);
2173 }
2174
2175 /*
2176  * Prepare a process for imminent new credential changes due to exec
2177  */
2178 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2179 {
2180         struct task_security_struct *new_tsec;
2181         struct rlimit *rlim, *initrlim;
2182         int rc, i;
2183
2184         new_tsec = bprm->cred->security;
2185         if (new_tsec->sid == new_tsec->osid)
2186                 return;
2187
2188         /* Close files for which the new task SID is not authorized. */
2189         flush_unauthorized_files(bprm->cred, current->files);
2190
2191         /* Always clear parent death signal on SID transitions. */
2192         current->pdeath_signal = 0;
2193
2194         /* Check whether the new SID can inherit resource limits from the old
2195          * SID.  If not, reset all soft limits to the lower of the current
2196          * task's hard limit and the init task's soft limit.
2197          *
2198          * Note that the setting of hard limits (even to lower them) can be
2199          * controlled by the setrlimit check.  The inclusion of the init task's
2200          * soft limit into the computation is to avoid resetting soft limits
2201          * higher than the default soft limit for cases where the default is
2202          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2203          */
2204         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2205                           PROCESS__RLIMITINH, NULL);
2206         if (rc) {
2207                 /* protect against do_prlimit() */
2208                 task_lock(current);
2209                 for (i = 0; i < RLIM_NLIMITS; i++) {
2210                         rlim = current->signal->rlim + i;
2211                         initrlim = init_task.signal->rlim + i;
2212                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2213                 }
2214                 task_unlock(current);
2215                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2216         }
2217 }
2218
2219 /*
2220  * Clean up the process immediately after the installation of new credentials
2221  * due to exec
2222  */
2223 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2224 {
2225         const struct task_security_struct *tsec = current_security();
2226         struct itimerval itimer;
2227         u32 osid, sid;
2228         int rc, i;
2229
2230         osid = tsec->osid;
2231         sid = tsec->sid;
2232
2233         if (sid == osid)
2234                 return;
2235
2236         /* Check whether the new SID can inherit signal state from the old SID.
2237          * If not, clear itimers to avoid subsequent signal generation and
2238          * flush and unblock signals.
2239          *
2240          * This must occur _after_ the task SID has been updated so that any
2241          * kill done after the flush will be checked against the new SID.
2242          */
2243         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2244         if (rc) {
2245                 memset(&itimer, 0, sizeof itimer);
2246                 for (i = 0; i < 3; i++)
2247                         do_setitimer(i, &itimer, NULL);
2248                 spin_lock_irq(&current->sighand->siglock);
2249                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2250                         __flush_signals(current);
2251                         flush_signal_handlers(current, 1);
2252                         sigemptyset(&current->blocked);
2253                 }
2254                 spin_unlock_irq(&current->sighand->siglock);
2255         }
2256
2257         /* Wake up the parent if it is waiting so that it can recheck
2258          * wait permission to the new task SID. */
2259         read_lock(&tasklist_lock);
2260         __wake_up_parent(current, current->real_parent);
2261         read_unlock(&tasklist_lock);
2262 }
2263
2264 /* superblock security operations */
2265
2266 static int selinux_sb_alloc_security(struct super_block *sb)
2267 {
2268         return superblock_alloc_security(sb);
2269 }
2270
2271 static void selinux_sb_free_security(struct super_block *sb)
2272 {
2273         superblock_free_security(sb);
2274 }
2275
2276 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2277 {
2278         if (plen > olen)
2279                 return 0;
2280
2281         return !memcmp(prefix, option, plen);
2282 }
2283
2284 static inline int selinux_option(char *option, int len)
2285 {
2286         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2287                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2288                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2289                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2290                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2291 }
2292
2293 static inline void take_option(char **to, char *from, int *first, int len)
2294 {
2295         if (!*first) {
2296                 **to = ',';
2297                 *to += 1;
2298         } else
2299                 *first = 0;
2300         memcpy(*to, from, len);
2301         *to += len;
2302 }
2303
2304 static inline void take_selinux_option(char **to, char *from, int *first,
2305                                        int len)
2306 {
2307         int current_size = 0;
2308
2309         if (!*first) {
2310                 **to = '|';
2311                 *to += 1;
2312         } else
2313                 *first = 0;
2314
2315         while (current_size < len) {
2316                 if (*from != '"') {
2317                         **to = *from;
2318                         *to += 1;
2319                 }
2320                 from += 1;
2321                 current_size += 1;
2322         }
2323 }
2324
2325 static int selinux_sb_copy_data(char *orig, char *copy)
2326 {
2327         int fnosec, fsec, rc = 0;
2328         char *in_save, *in_curr, *in_end;
2329         char *sec_curr, *nosec_save, *nosec;
2330         int open_quote = 0;
2331
2332         in_curr = orig;
2333         sec_curr = copy;
2334
2335         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2336         if (!nosec) {
2337                 rc = -ENOMEM;
2338                 goto out;
2339         }
2340
2341         nosec_save = nosec;
2342         fnosec = fsec = 1;
2343         in_save = in_end = orig;
2344
2345         do {
2346                 if (*in_end == '"')
2347                         open_quote = !open_quote;
2348                 if ((*in_end == ',' && open_quote == 0) ||
2349                                 *in_end == '\0') {
2350                         int len = in_end - in_curr;
2351
2352                         if (selinux_option(in_curr, len))
2353                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2354                         else
2355                                 take_option(&nosec, in_curr, &fnosec, len);
2356
2357                         in_curr = in_end + 1;
2358                 }
2359         } while (*in_end++);
2360
2361         strcpy(in_save, nosec_save);
2362         free_page((unsigned long)nosec_save);
2363 out:
2364         return rc;
2365 }
2366
2367 static int selinux_sb_remount(struct super_block *sb, void *data)
2368 {
2369         int rc, i, *flags;
2370         struct security_mnt_opts opts;
2371         char *secdata, **mount_options;
2372         struct superblock_security_struct *sbsec = sb->s_security;
2373
2374         if (!(sbsec->flags & SE_SBINITIALIZED))
2375                 return 0;
2376
2377         if (!data)
2378                 return 0;
2379
2380         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2381                 return 0;
2382
2383         security_init_mnt_opts(&opts);
2384         secdata = alloc_secdata();
2385         if (!secdata)
2386                 return -ENOMEM;
2387         rc = selinux_sb_copy_data(data, secdata);
2388         if (rc)
2389                 goto out_free_secdata;
2390
2391         rc = selinux_parse_opts_str(secdata, &opts);
2392         if (rc)
2393                 goto out_free_secdata;
2394
2395         mount_options = opts.mnt_opts;
2396         flags = opts.mnt_opts_flags;
2397
2398         for (i = 0; i < opts.num_mnt_opts; i++) {
2399                 u32 sid;
2400                 size_t len;
2401
2402                 if (flags[i] == SE_SBLABELSUPP)
2403                         continue;
2404                 len = strlen(mount_options[i]);
2405                 rc = security_context_to_sid(mount_options[i], len, &sid);
2406                 if (rc) {
2407                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2408                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2409                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2410                         goto out_free_opts;
2411                 }
2412                 rc = -EINVAL;
2413                 switch (flags[i]) {
2414                 case FSCONTEXT_MNT:
2415                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2416                                 goto out_bad_option;
2417                         break;
2418                 case CONTEXT_MNT:
2419                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2420                                 goto out_bad_option;
2421                         break;
2422                 case ROOTCONTEXT_MNT: {
2423                         struct inode_security_struct *root_isec;
2424                         root_isec = sb->s_root->d_inode->i_security;
2425
2426                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2427                                 goto out_bad_option;
2428                         break;
2429                 }
2430                 case DEFCONTEXT_MNT:
2431                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2432                                 goto out_bad_option;
2433                         break;
2434                 default:
2435                         goto out_free_opts;
2436                 }
2437         }
2438
2439         rc = 0;
2440 out_free_opts:
2441         security_free_mnt_opts(&opts);
2442 out_free_secdata:
2443         free_secdata(secdata);
2444         return rc;
2445 out_bad_option:
2446         printk(KERN_WARNING "SELinux: unable to change security options "
2447                "during remount (dev %s, type=%s)\n", sb->s_id,
2448                sb->s_type->name);
2449         goto out_free_opts;
2450 }
2451
2452 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2453 {
2454         const struct cred *cred = current_cred();
2455         struct common_audit_data ad;
2456         int rc;
2457
2458         rc = superblock_doinit(sb, data);
2459         if (rc)
2460                 return rc;
2461
2462         /* Allow all mounts performed by the kernel */
2463         if (flags & MS_KERNMOUNT)
2464                 return 0;
2465
2466         COMMON_AUDIT_DATA_INIT(&ad, FS);
2467         ad.u.fs.path.dentry = sb->s_root;
2468         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2469 }
2470
2471 static int selinux_sb_statfs(struct dentry *dentry)
2472 {
2473         const struct cred *cred = current_cred();
2474         struct common_audit_data ad;
2475
2476         COMMON_AUDIT_DATA_INIT(&ad, FS);
2477         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2478         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2479 }
2480
2481 static int selinux_mount(char *dev_name,
2482                          struct path *path,
2483                          char *type,
2484                          unsigned long flags,
2485                          void *data)
2486 {
2487         const struct cred *cred = current_cred();
2488
2489         if (flags & MS_REMOUNT)
2490                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2491                                            FILESYSTEM__REMOUNT, NULL);
2492         else
2493                 return dentry_has_perm(cred, path->mnt, path->dentry,
2494                                        FILE__MOUNTON);
2495 }
2496
2497 static int selinux_umount(struct vfsmount *mnt, int flags)
2498 {
2499         const struct cred *cred = current_cred();
2500
2501         return superblock_has_perm(cred, mnt->mnt_sb,
2502                                    FILESYSTEM__UNMOUNT, NULL);
2503 }
2504
2505 /* inode security operations */
2506
2507 static int selinux_inode_alloc_security(struct inode *inode)
2508 {
2509         return inode_alloc_security(inode);
2510 }
2511
2512 static void selinux_inode_free_security(struct inode *inode)
2513 {
2514         inode_free_security(inode);
2515 }
2516
2517 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2518                                        const struct qstr *qstr, char **name,
2519                                        void **value, size_t *len)
2520 {
2521         const struct task_security_struct *tsec = current_security();
2522         struct inode_security_struct *dsec;
2523         struct superblock_security_struct *sbsec;
2524         u32 sid, newsid, clen;
2525         int rc;
2526         char *namep = NULL, *context;
2527
2528         dsec = dir->i_security;
2529         sbsec = dir->i_sb->s_security;
2530
2531         sid = tsec->sid;
2532         newsid = tsec->create_sid;
2533
2534         if ((sbsec->flags & SE_SBINITIALIZED) &&
2535             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2536                 newsid = sbsec->mntpoint_sid;
2537         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2538                 rc = security_transition_sid(sid, dsec->sid,
2539                                              inode_mode_to_security_class(inode->i_mode),
2540                                              qstr, &newsid);
2541                 if (rc) {
2542                         printk(KERN_WARNING "%s:  "
2543                                "security_transition_sid failed, rc=%d (dev=%s "
2544                                "ino=%ld)\n",
2545                                __func__,
2546                                -rc, inode->i_sb->s_id, inode->i_ino);
2547                         return rc;
2548                 }
2549         }
2550
2551         /* Possibly defer initialization to selinux_complete_init. */
2552         if (sbsec->flags & SE_SBINITIALIZED) {
2553                 struct inode_security_struct *isec = inode->i_security;
2554                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2555                 isec->sid = newsid;
2556                 isec->initialized = 1;
2557         }
2558
2559         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2560                 return -EOPNOTSUPP;
2561
2562         if (name) {
2563                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2564                 if (!namep)
2565                         return -ENOMEM;
2566                 *name = namep;
2567         }
2568
2569         if (value && len) {
2570                 rc = security_sid_to_context_force(newsid, &context, &clen);
2571                 if (rc) {
2572                         kfree(namep);
2573                         return rc;
2574                 }
2575                 *value = context;
2576                 *len = clen;
2577         }
2578
2579         return 0;
2580 }
2581
2582 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2583 {
2584         return may_create(dir, dentry, SECCLASS_FILE);
2585 }
2586
2587 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2588 {
2589         return may_link(dir, old_dentry, MAY_LINK);
2590 }
2591
2592 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2593 {
2594         return may_link(dir, dentry, MAY_UNLINK);
2595 }
2596
2597 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2598 {
2599         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2600 }
2601
2602 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2603 {
2604         return may_create(dir, dentry, SECCLASS_DIR);
2605 }
2606
2607 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2608 {
2609         return may_link(dir, dentry, MAY_RMDIR);
2610 }
2611
2612 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2613 {
2614         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2615 }
2616
2617 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2618                                 struct inode *new_inode, struct dentry *new_dentry)
2619 {
2620         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2621 }
2622
2623 static int selinux_inode_readlink(struct dentry *dentry)
2624 {
2625         const struct cred *cred = current_cred();
2626
2627         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2628 }
2629
2630 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2631 {
2632         const struct cred *cred = current_cred();
2633
2634         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2635 }
2636
2637 static int selinux_inode_permission(struct inode *inode, int mask)
2638 {
2639         const struct cred *cred = current_cred();
2640         struct common_audit_data ad;
2641         u32 perms;
2642         bool from_access;
2643
2644         from_access = mask & MAY_ACCESS;
2645         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2646
2647         /* No permission to check.  Existence test. */
2648         if (!mask)
2649                 return 0;
2650
2651         COMMON_AUDIT_DATA_INIT(&ad, FS);
2652         ad.u.fs.inode = inode;
2653
2654         if (from_access)
2655                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2656
2657         perms = file_mask_to_av(inode->i_mode, mask);
2658
2659         return inode_has_perm(cred, inode, perms, &ad);
2660 }
2661
2662 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2663 {
2664         const struct cred *cred = current_cred();
2665         unsigned int ia_valid = iattr->ia_valid;
2666
2667         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2668         if (ia_valid & ATTR_FORCE) {
2669                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2670                               ATTR_FORCE);
2671                 if (!ia_valid)
2672                         return 0;
2673         }
2674
2675         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2676                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2677                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2678
2679         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2680 }
2681
2682 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2683 {
2684         const struct cred *cred = current_cred();
2685
2686         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2687 }
2688
2689 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2690 {
2691         const struct cred *cred = current_cred();
2692
2693         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2694                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2695                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2696                         if (!capable(CAP_SETFCAP))
2697                                 return -EPERM;
2698                 } else if (!capable(CAP_SYS_ADMIN)) {
2699                         /* A different attribute in the security namespace.
2700                            Restrict to administrator. */
2701                         return -EPERM;
2702                 }
2703         }
2704
2705         /* Not an attribute we recognize, so just check the
2706            ordinary setattr permission. */
2707         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2708 }
2709
2710 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2711                                   const void *value, size_t size, int flags)
2712 {
2713         struct inode *inode = dentry->d_inode;
2714         struct inode_security_struct *isec = inode->i_security;
2715         struct superblock_security_struct *sbsec;
2716         struct common_audit_data ad;
2717         u32 newsid, sid = current_sid();
2718         int rc = 0;
2719
2720         if (strcmp(name, XATTR_NAME_SELINUX))
2721                 return selinux_inode_setotherxattr(dentry, name);
2722
2723         sbsec = inode->i_sb->s_security;
2724         if (!(sbsec->flags & SE_SBLABELSUPP))
2725                 return -EOPNOTSUPP;
2726
2727         if (!is_owner_or_cap(inode))
2728                 return -EPERM;
2729
2730         COMMON_AUDIT_DATA_INIT(&ad, FS);
2731         ad.u.fs.path.dentry = dentry;
2732
2733         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2734                           FILE__RELABELFROM, &ad);
2735         if (rc)
2736                 return rc;
2737
2738         rc = security_context_to_sid(value, size, &newsid);
2739         if (rc == -EINVAL) {
2740                 if (!capable(CAP_MAC_ADMIN))
2741                         return rc;
2742                 rc = security_context_to_sid_force(value, size, &newsid);
2743         }
2744         if (rc)
2745                 return rc;
2746
2747         rc = avc_has_perm(sid, newsid, isec->sclass,
2748                           FILE__RELABELTO, &ad);
2749         if (rc)
2750                 return rc;
2751
2752         rc = security_validate_transition(isec->sid, newsid, sid,
2753                                           isec->sclass);
2754         if (rc)
2755                 return rc;
2756
2757         return avc_has_perm(newsid,
2758                             sbsec->sid,
2759                             SECCLASS_FILESYSTEM,
2760                             FILESYSTEM__ASSOCIATE,
2761                             &ad);
2762 }
2763
2764 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2765                                         const void *value, size_t size,
2766                                         int flags)
2767 {
2768         struct inode *inode = dentry->d_inode;
2769         struct inode_security_struct *isec = inode->i_security;
2770         u32 newsid;
2771         int rc;
2772
2773         if (strcmp(name, XATTR_NAME_SELINUX)) {
2774                 /* Not an attribute we recognize, so nothing to do. */
2775                 return;
2776         }
2777
2778         rc = security_context_to_sid_force(value, size, &newsid);
2779         if (rc) {
2780                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2781                        "for (%s, %lu), rc=%d\n",
2782                        inode->i_sb->s_id, inode->i_ino, -rc);
2783                 return;
2784         }
2785
2786         isec->sid = newsid;
2787         return;
2788 }
2789
2790 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2791 {
2792         const struct cred *cred = current_cred();
2793
2794         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2795 }
2796
2797 static int selinux_inode_listxattr(struct dentry *dentry)
2798 {
2799         const struct cred *cred = current_cred();
2800
2801         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2802 }
2803
2804 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2805 {
2806         if (strcmp(name, XATTR_NAME_SELINUX))
2807                 return selinux_inode_setotherxattr(dentry, name);
2808
2809         /* No one is allowed to remove a SELinux security label.
2810            You can change the label, but all data must be labeled. */
2811         return -EACCES;
2812 }
2813
2814 /*
2815  * Copy the inode security context value to the user.
2816  *
2817  * Permission check is handled by selinux_inode_getxattr hook.
2818  */
2819 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2820 {
2821         u32 size;
2822         int error;
2823         char *context = NULL;
2824         struct inode_security_struct *isec = inode->i_security;
2825
2826         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2827                 return -EOPNOTSUPP;
2828
2829         /*
2830          * If the caller has CAP_MAC_ADMIN, then get the raw context
2831          * value even if it is not defined by current policy; otherwise,
2832          * use the in-core value under current policy.
2833          * Use the non-auditing forms of the permission checks since
2834          * getxattr may be called by unprivileged processes commonly
2835          * and lack of permission just means that we fall back to the
2836          * in-core context value, not a denial.
2837          */
2838         error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2839                                 SECURITY_CAP_NOAUDIT);
2840         if (!error)
2841                 error = security_sid_to_context_force(isec->sid, &context,
2842                                                       &size);
2843         else
2844                 error = security_sid_to_context(isec->sid, &context, &size);
2845         if (error)
2846                 return error;
2847         error = size;
2848         if (alloc) {
2849                 *buffer = context;
2850                 goto out_nofree;
2851         }
2852         kfree(context);
2853 out_nofree:
2854         return error;
2855 }
2856
2857 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2858                                      const void *value, size_t size, int flags)
2859 {
2860         struct inode_security_struct *isec = inode->i_security;
2861         u32 newsid;
2862         int rc;
2863
2864         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2865                 return -EOPNOTSUPP;
2866
2867         if (!value || !size)
2868                 return -EACCES;
2869
2870         rc = security_context_to_sid((void *)value, size, &newsid);
2871         if (rc)
2872                 return rc;
2873
2874         isec->sid = newsid;
2875         isec->initialized = 1;
2876         return 0;
2877 }
2878
2879 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2880 {
2881         const int len = sizeof(XATTR_NAME_SELINUX);
2882         if (buffer && len <= buffer_size)
2883                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2884         return len;
2885 }
2886
2887 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2888 {
2889         struct inode_security_struct *isec = inode->i_security;
2890         *secid = isec->sid;
2891 }
2892
2893 /* file security operations */
2894
2895 static int selinux_revalidate_file_permission(struct file *file, int mask)
2896 {
2897         const struct cred *cred = current_cred();
2898         struct inode *inode = file->f_path.dentry->d_inode;
2899
2900         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2901         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2902                 mask |= MAY_APPEND;
2903
2904         return file_has_perm(cred, file,
2905                              file_mask_to_av(inode->i_mode, mask));
2906 }
2907
2908 static int selinux_file_permission(struct file *file, int mask)
2909 {
2910         struct inode *inode = file->f_path.dentry->d_inode;
2911         struct file_security_struct *fsec = file->f_security;
2912         struct inode_security_struct *isec = inode->i_security;
2913         u32 sid = current_sid();
2914
2915         if (!mask)
2916                 /* No permission to check.  Existence test. */
2917                 return 0;
2918
2919         if (sid == fsec->sid && fsec->isid == isec->sid &&
2920             fsec->pseqno == avc_policy_seqno())
2921                 /* No change since dentry_open check. */
2922                 return 0;
2923
2924         return selinux_revalidate_file_permission(file, mask);
2925 }
2926
2927 static int selinux_file_alloc_security(struct file *file)
2928 {
2929         return file_alloc_security(file);
2930 }
2931
2932 static void selinux_file_free_security(struct file *file)
2933 {
2934         file_free_security(file);
2935 }
2936
2937 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2938                               unsigned long arg)
2939 {
2940         const struct cred *cred = current_cred();
2941         int error = 0;
2942
2943         switch (cmd) {
2944         case FIONREAD:
2945         /* fall through */
2946         case FIBMAP:
2947         /* fall through */
2948         case FIGETBSZ:
2949         /* fall through */
2950         case EXT2_IOC_GETFLAGS:
2951         /* fall through */
2952         case EXT2_IOC_GETVERSION:
2953                 error = file_has_perm(cred, file, FILE__GETATTR);
2954                 break;
2955
2956         case EXT2_IOC_SETFLAGS:
2957         /* fall through */
2958         case EXT2_IOC_SETVERSION:
2959                 error = file_has_perm(cred, file, FILE__SETATTR);
2960                 break;
2961
2962         /* sys_ioctl() checks */
2963         case FIONBIO:
2964         /* fall through */
2965         case FIOASYNC:
2966                 error = file_has_perm(cred, file, 0);
2967                 break;
2968
2969         case KDSKBENT:
2970         case KDSKBSENT:
2971                 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2972                                             SECURITY_CAP_AUDIT);
2973                 break;
2974
2975         /* default case assumes that the command will go
2976          * to the file's ioctl() function.
2977          */
2978         default:
2979                 error = file_has_perm(cred, file, FILE__IOCTL);
2980         }
2981         return error;
2982 }
2983
2984 static int default_noexec;
2985
2986 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2987 {
2988         const struct cred *cred = current_cred();
2989         int rc = 0;
2990
2991         if (default_noexec &&
2992             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2993                 /*
2994                  * We are making executable an anonymous mapping or a
2995                  * private file mapping that will also be writable.
2996                  * This has an additional check.
2997                  */
2998                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
2999                 if (rc)
3000                         goto error;
3001         }
3002
3003         if (file) {
3004                 /* read access is always possible with a mapping */
3005                 u32 av = FILE__READ;
3006
3007                 /* write access only matters if the mapping is shared */
3008                 if (shared && (prot & PROT_WRITE))
3009                         av |= FILE__WRITE;
3010
3011                 if (prot & PROT_EXEC)
3012                         av |= FILE__EXECUTE;
3013
3014                 return file_has_perm(cred, file, av);
3015         }
3016
3017 error:
3018         return rc;
3019 }
3020
3021 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3022                              unsigned long prot, unsigned long flags,
3023                              unsigned long addr, unsigned long addr_only)
3024 {
3025         int rc = 0;
3026         u32 sid = current_sid();
3027
3028         /*
3029          * notice that we are intentionally putting the SELinux check before
3030          * the secondary cap_file_mmap check.  This is such a likely attempt
3031          * at bad behaviour/exploit that we always want to get the AVC, even
3032          * if DAC would have also denied the operation.
3033          */
3034         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3035                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3036                                   MEMPROTECT__MMAP_ZERO, NULL);
3037                 if (rc)
3038                         return rc;
3039         }
3040
3041         /* do DAC check on address space usage */
3042         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3043         if (rc || addr_only)
3044                 return rc;
3045
3046         if (selinux_checkreqprot)
3047                 prot = reqprot;
3048
3049         return file_map_prot_check(file, prot,
3050                                    (flags & MAP_TYPE) == MAP_SHARED);
3051 }
3052
3053 static int selinux_file_mprotect(struct vm_area_struct *vma,
3054                                  unsigned long reqprot,
3055                                  unsigned long prot)
3056 {
3057         const struct cred *cred = current_cred();
3058
3059         if (selinux_checkreqprot)
3060                 prot = reqprot;
3061
3062         if (default_noexec &&
3063             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3064                 int rc = 0;
3065                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3066                     vma->vm_end <= vma->vm_mm->brk) {
3067                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3068                 } else if (!vma->vm_file &&
3069                            vma->vm_start <= vma->vm_mm->start_stack &&
3070                            vma->vm_end >= vma->vm_mm->start_stack) {
3071                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3072                 } else if (vma->vm_file && vma->anon_vma) {
3073                         /*
3074                          * We are making executable a file mapping that has
3075                          * had some COW done. Since pages might have been
3076                          * written, check ability to execute the possibly
3077                          * modified content.  This typically should only
3078                          * occur for text relocations.
3079                          */
3080                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3081                 }
3082                 if (rc)
3083                         return rc;
3084         }
3085
3086         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3087 }
3088
3089 static int selinux_file_lock(struct file *file, unsigned int cmd)
3090 {
3091         const struct cred *cred = current_cred();
3092
3093         return file_has_perm(cred, file, FILE__LOCK);
3094 }
3095
3096 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3097                               unsigned long arg)
3098 {
3099         const struct cred *cred = current_cred();
3100         int err = 0;
3101
3102         switch (cmd) {
3103         case F_SETFL:
3104                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3105                         err = -EINVAL;
3106                         break;
3107                 }
3108
3109                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3110                         err = file_has_perm(cred, file, FILE__WRITE);
3111                         break;
3112                 }
3113                 /* fall through */
3114         case F_SETOWN:
3115         case F_SETSIG:
3116         case F_GETFL:
3117         case F_GETOWN:
3118         case F_GETSIG:
3119                 /* Just check FD__USE permission */
3120                 err = file_has_perm(cred, file, 0);
3121                 break;
3122         case F_GETLK:
3123         case F_SETLK:
3124         case F_SETLKW:
3125 #if BITS_PER_LONG == 32
3126         case F_GETLK64:
3127         case F_SETLK64:
3128         case F_SETLKW64:
3129 #endif
3130                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3131                         err = -EINVAL;
3132                         break;
3133                 }
3134                 err = file_has_perm(cred, file, FILE__LOCK);
3135                 break;
3136         }
3137
3138         return err;
3139 }
3140
3141 static int selinux_file_set_fowner(struct file *file)
3142 {
3143         struct file_security_struct *fsec;
3144
3145         fsec = file->f_security;
3146         fsec->fown_sid = current_sid();
3147
3148         return 0;
3149 }
3150
3151 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3152                                        struct fown_struct *fown, int signum)
3153 {
3154         struct file *file;
3155         u32 sid = task_sid(tsk);
3156         u32 perm;
3157         struct file_security_struct *fsec;
3158
3159         /* struct fown_struct is never outside the context of a struct file */
3160         file = container_of(fown, struct file, f_owner);
3161
3162         fsec = file->f_security;
3163
3164         if (!signum)
3165                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3166         else
3167                 perm = signal_to_av(signum);
3168
3169         return avc_has_perm(fsec->fown_sid, sid,
3170                             SECCLASS_PROCESS, perm, NULL);
3171 }
3172
3173 static int selinux_file_receive(struct file *file)
3174 {
3175         const struct cred *cred = current_cred();
3176
3177         return file_has_perm(cred, file, file_to_av(file));
3178 }
3179
3180 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3181 {
3182         struct file_security_struct *fsec;
3183         struct inode *inode;
3184         struct inode_security_struct *isec;
3185
3186         inode = file->f_path.dentry->d_inode;
3187         fsec = file->f_security;
3188         isec = inode->i_security;
3189         /*
3190          * Save inode label and policy sequence number
3191          * at open-time so that selinux_file_permission
3192          * can determine whether revalidation is necessary.
3193          * Task label is already saved in the file security
3194          * struct as its SID.
3195          */
3196         fsec->isid = isec->sid;
3197         fsec->pseqno = avc_policy_seqno();
3198         /*
3199          * Since the inode label or policy seqno may have changed
3200          * between the selinux_inode_permission check and the saving
3201          * of state above, recheck that access is still permitted.
3202          * Otherwise, access might never be revalidated against the
3203          * new inode label or new policy.
3204          * This check is not redundant - do not remove.
3205          */
3206         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3207 }
3208
3209 /* task security operations */
3210
3211 static int selinux_task_create(unsigned long clone_flags)
3212 {
3213         return current_has_perm(current, PROCESS__FORK);
3214 }
3215
3216 /*
3217  * allocate the SELinux part of blank credentials
3218  */
3219 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3220 {
3221         struct task_security_struct *tsec;
3222
3223         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3224         if (!tsec)
3225                 return -ENOMEM;
3226
3227         cred->security = tsec;
3228         return 0;
3229 }
3230
3231 /*
3232  * detach and free the LSM part of a set of credentials
3233  */
3234 static void selinux_cred_free(struct cred *cred)
3235 {
3236         struct task_security_struct *tsec = cred->security;
3237
3238         /*
3239          * cred->security == NULL if security_cred_alloc_blank() or
3240          * security_prepare_creds() returned an error.
3241          */
3242         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3243         cred->security = (void *) 0x7UL;
3244         kfree(tsec);
3245 }
3246
3247 /*
3248  * prepare a new set of credentials for modification
3249  */
3250 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3251                                 gfp_t gfp)
3252 {
3253         const struct task_security_struct *old_tsec;
3254         struct task_security_struct *tsec;
3255
3256         old_tsec = old->security;
3257
3258         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3259         if (!tsec)
3260                 return -ENOMEM;
3261
3262         new->security = tsec;
3263         return 0;
3264 }
3265
3266 /*
3267  * transfer the SELinux data to a blank set of creds
3268  */
3269 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3270 {
3271         const struct task_security_struct *old_tsec = old->security;
3272         struct task_security_struct *tsec = new->security;
3273
3274         *tsec = *old_tsec;
3275 }
3276
3277 /*
3278  * set the security data for a kernel service
3279  * - all the creation contexts are set to unlabelled
3280  */
3281 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3282 {
3283         struct task_security_struct *tsec = new->security;
3284         u32 sid = current_sid();
3285         int ret;
3286
3287         ret = avc_has_perm(sid, secid,
3288                            SECCLASS_KERNEL_SERVICE,
3289                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3290                            NULL);
3291         if (ret == 0) {
3292                 tsec->sid = secid;
3293                 tsec->create_sid = 0;
3294                 tsec->keycreate_sid = 0;
3295                 tsec->sockcreate_sid = 0;
3296         }
3297         return ret;
3298 }
3299
3300 /*
3301  * set the file creation context in a security record to the same as the
3302  * objective context of the specified inode
3303  */
3304 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3305 {
3306         struct inode_security_struct *isec = inode->i_security;
3307         struct task_security_struct *tsec = new->security;
3308         u32 sid = current_sid();
3309         int ret;
3310
3311         ret = avc_has_perm(sid, isec->sid,
3312                            SECCLASS_KERNEL_SERVICE,
3313                            KERNEL_SERVICE__CREATE_FILES_AS,
3314                            NULL);
3315
3316         if (ret == 0)
3317                 tsec->create_sid = isec->sid;
3318         return ret;
3319 }
3320
3321 static int selinux_kernel_module_request(char *kmod_name)
3322 {
3323         u32 sid;
3324         struct common_audit_data ad;
3325
3326         sid = task_sid(current);
3327
3328         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3329         ad.u.kmod_name = kmod_name;
3330
3331         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3332                             SYSTEM__MODULE_REQUEST, &ad);
3333 }
3334
3335 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3336 {
3337         return current_has_perm(p, PROCESS__SETPGID);
3338 }
3339
3340 static int selinux_task_getpgid(struct task_struct *p)
3341 {
3342         return current_has_perm(p, PROCESS__GETPGID);
3343 }
3344
3345 static int selinux_task_getsid(struct task_struct *p)
3346 {
3347         return current_has_perm(p, PROCESS__GETSESSION);
3348 }
3349
3350 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3351 {
3352         *secid = task_sid(p);
3353 }
3354
3355 static int selinux_task_setnice(struct task_struct *p, int nice)
3356 {
3357         int rc;
3358
3359         rc = cap_task_setnice(p, nice);
3360         if (rc)
3361                 return rc;
3362
3363         return current_has_perm(p, PROCESS__SETSCHED);
3364 }
3365
3366 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3367 {
3368         int rc;
3369
3370         rc = cap_task_setioprio(p, ioprio);
3371         if (rc)
3372                 return rc;
3373
3374         return current_has_perm(p, PROCESS__SETSCHED);
3375 }
3376
3377 static int selinux_task_getioprio(struct task_struct *p)
3378 {
3379         return current_has_perm(p, PROCESS__GETSCHED);
3380 }
3381
3382 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3383                 struct rlimit *new_rlim)
3384 {
3385         struct rlimit *old_rlim = p->signal->rlim + resource;
3386
3387         /* Control the ability to change the hard limit (whether
3388            lowering or raising it), so that the hard limit can
3389            later be used as a safe reset point for the soft limit
3390            upon context transitions.  See selinux_bprm_committing_creds. */
3391         if (old_rlim->rlim_max != new_rlim->rlim_max)
3392                 return current_has_perm(p, PROCESS__SETRLIMIT);
3393
3394         return 0;
3395 }
3396
3397 static int selinux_task_setscheduler(struct task_struct *p)
3398 {
3399         int rc;
3400
3401         rc = cap_task_setscheduler(p);
3402         if (rc)
3403                 return rc;
3404
3405         return current_has_perm(p, PROCESS__SETSCHED);
3406 }
3407
3408 static int selinux_task_getscheduler(struct task_struct *p)
3409 {
3410         return current_has_perm(p, PROCESS__GETSCHED);
3411 }
3412
3413 static int selinux_task_movememory(struct task_struct *p)
3414 {
3415         return current_has_perm(p, PROCESS__SETSCHED);
3416 }
3417
3418 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3419                                 int sig, u32 secid)
3420 {
3421         u32 perm;
3422         int rc;
3423
3424         if (!sig)
3425                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3426         else
3427                 perm = signal_to_av(sig);
3428         if (secid)
3429                 rc = avc_has_perm(secid, task_sid(p),
3430                                   SECCLASS_PROCESS, perm, NULL);
3431         else
3432                 rc = current_has_perm(p, perm);
3433         return rc;
3434 }
3435
3436 static int selinux_task_wait(struct task_struct *p)
3437 {
3438         return task_has_perm(p, current, PROCESS__SIGCHLD);
3439 }
3440
3441 static void selinux_task_to_inode(struct task_struct *p,
3442                                   struct inode *inode)
3443 {
3444         struct inode_security_struct *isec = inode->i_security;
3445         u32 sid = task_sid(p);
3446
3447         isec->sid = sid;
3448         isec->initialized = 1;
3449 }
3450
3451 /* Returns error only if unable to parse addresses */
3452 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3453                         struct common_audit_data *ad, u8 *proto)
3454 {
3455         int offset, ihlen, ret = -EINVAL;
3456         struct iphdr _iph, *ih;
3457
3458         offset = skb_network_offset(skb);
3459         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3460         if (ih == NULL)
3461                 goto out;
3462
3463         ihlen = ih->ihl * 4;
3464         if (ihlen < sizeof(_iph))
3465                 goto out;
3466
3467         ad->u.net.v4info.saddr = ih->saddr;
3468         ad->u.net.v4info.daddr = ih->daddr;
3469         ret = 0;
3470
3471         if (proto)
3472                 *proto = ih->protocol;
3473
3474         switch (ih->protocol) {
3475         case IPPROTO_TCP: {
3476                 struct tcphdr _tcph, *th;
3477
3478                 if (ntohs(ih->frag_off) & IP_OFFSET)
3479                         break;
3480
3481                 offset += ihlen;
3482                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3483                 if (th == NULL)
3484                         break;
3485
3486                 ad->u.net.sport = th->source;
3487                 ad->u.net.dport = th->dest;
3488                 break;
3489         }
3490
3491         case IPPROTO_UDP: {
3492                 struct udphdr _udph, *uh;
3493
3494                 if (ntohs(ih->frag_off) & IP_OFFSET)
3495                         break;
3496
3497                 offset += ihlen;
3498                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3499                 if (uh == NULL)
3500                         break;
3501
3502                 ad->u.net.sport = uh->source;
3503                 ad->u.net.dport = uh->dest;
3504                 break;
3505         }
3506
3507         case IPPROTO_DCCP: {
3508                 struct dccp_hdr _dccph, *dh;
3509
3510                 if (ntohs(ih->frag_off) & IP_OFFSET)
3511                         break;
3512
3513                 offset += ihlen;
3514                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3515                 if (dh == NULL)
3516                         break;
3517
3518                 ad->u.net.sport = dh->dccph_sport;
3519                 ad->u.net.dport = dh->dccph_dport;
3520                 break;
3521         }
3522
3523         default:
3524                 break;
3525         }
3526 out:
3527         return ret;
3528 }
3529
3530 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3531
3532 /* Returns error only if unable to parse addresses */
3533 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3534                         struct common_audit_data *ad, u8 *proto)
3535 {
3536         u8 nexthdr;
3537         int ret = -EINVAL, offset;
3538         struct ipv6hdr _ipv6h, *ip6;
3539
3540         offset = skb_network_offset(skb);
3541         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3542         if (ip6 == NULL)
3543                 goto out;
3544
3545         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3546         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3547         ret = 0;
3548
3549         nexthdr = ip6->nexthdr;
3550         offset += sizeof(_ipv6h);
3551         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3552         if (offset < 0)
3553                 goto out;
3554
3555         if (proto)
3556                 *proto = nexthdr;
3557
3558         switch (nexthdr) {
3559         case IPPROTO_TCP: {
3560                 struct tcphdr _tcph, *th;
3561
3562                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3563                 if (th == NULL)
3564                         break;
3565
3566                 ad->u.net.sport = th->source;
3567                 ad->u.net.dport = th->dest;
3568                 break;
3569         }
3570
3571         case IPPROTO_UDP: {
3572                 struct udphdr _udph, *uh;
3573
3574                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3575                 if (uh == NULL)
3576                         break;
3577
3578                 ad->u.net.sport = uh->source;
3579                 ad->u.net.dport = uh->dest;
3580                 break;
3581         }
3582
3583         case IPPROTO_DCCP: {
3584                 struct dccp_hdr _dccph, *dh;
3585
3586                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3587                 if (dh == NULL)
3588                         break;
3589
3590                 ad->u.net.sport = dh->dccph_sport;
3591                 ad->u.net.dport = dh->dccph_dport;
3592                 break;
3593         }
3594
3595         /* includes fragments */
3596         default:
3597                 break;
3598         }
3599 out:
3600         return ret;
3601 }
3602
3603 #endif /* IPV6 */
3604
3605 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3606                              char **_addrp, int src, u8 *proto)
3607 {
3608         char *addrp;
3609         int ret;
3610
3611         switch (ad->u.net.family) {
3612         case PF_INET:
3613                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3614                 if (ret)
3615                         goto parse_error;
3616                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3617                                        &ad->u.net.v4info.daddr);
3618                 goto okay;
3619
3620 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3621         case PF_INET6:
3622                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3623                 if (ret)
3624                         goto parse_error;
3625                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3626                                        &ad->u.net.v6info.daddr);
3627                 goto okay;
3628 #endif  /* IPV6 */
3629         default:
3630                 addrp = NULL;
3631                 goto okay;
3632         }
3633
3634 parse_error:
3635         printk(KERN_WARNING
3636                "SELinux: failure in selinux_parse_skb(),"
3637                " unable to parse packet\n");
3638         return ret;
3639
3640 okay:
3641         if (_addrp)
3642                 *_addrp = addrp;
3643         return 0;
3644 }
3645
3646 /**
3647  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3648  * @skb: the packet
3649  * @family: protocol family
3650  * @sid: the packet's peer label SID
3651  *
3652  * Description:
3653  * Check the various different forms of network peer labeling and determine
3654  * the peer label/SID for the packet; most of the magic actually occurs in
3655  * the security server function security_net_peersid_cmp().  The function
3656  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3657  * or -EACCES if @sid is invalid due to inconsistencies with the different
3658  * peer labels.
3659  *
3660  */
3661 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3662 {
3663         int err;
3664         u32 xfrm_sid;
3665         u32 nlbl_sid;
3666         u32 nlbl_type;
3667
3668         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3669         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3670
3671         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3672         if (unlikely(err)) {
3673                 printk(KERN_WARNING
3674                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3675                        " unable to determine packet's peer label\n");
3676                 return -EACCES;
3677         }
3678
3679         return 0;
3680 }
3681
3682 /* socket security operations */
3683
3684 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3685                                  u16 secclass, u32 *socksid)
3686 {
3687         if (tsec->sockcreate_sid > SECSID_NULL) {
3688                 *socksid = tsec->sockcreate_sid;
3689                 return 0;
3690         }
3691
3692         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3693                                        socksid);
3694 }
3695
3696 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3697 {
3698         struct sk_security_struct *sksec = sk->sk_security;
3699         struct common_audit_data ad;
3700         u32 tsid = task_sid(task);
3701
3702         if (sksec->sid == SECINITSID_KERNEL)
3703                 return 0;
3704
3705         COMMON_AUDIT_DATA_INIT(&ad, NET);
3706         ad.u.net.sk = sk;
3707
3708         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3709 }
3710
3711 static int selinux_socket_create(int family, int type,
3712                                  int protocol, int kern)
3713 {
3714         const struct task_security_struct *tsec = current_security();
3715         u32 newsid;
3716         u16 secclass;
3717         int rc;
3718
3719         if (kern)
3720                 return 0;
3721
3722         secclass = socket_type_to_security_class(family, type, protocol);
3723         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3724         if (rc)
3725                 return rc;
3726
3727         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3728 }
3729
3730 static int selinux_socket_post_create(struct socket *sock, int family,
3731                                       int type, int protocol, int kern)
3732 {
3733         const struct task_security_struct *tsec = current_security();
3734         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3735         struct sk_security_struct *sksec;
3736         int err = 0;
3737
3738         isec->sclass = socket_type_to_security_class(family, type, protocol);
3739
3740         if (kern)
3741                 isec->sid = SECINITSID_KERNEL;
3742         else {
3743                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3744                 if (err)
3745                         return err;
3746         }
3747
3748         isec->initialized = 1;
3749
3750         if (sock->sk) {
3751                 sksec = sock->sk->sk_security;
3752                 sksec->sid = isec->sid;
3753                 sksec->sclass = isec->sclass;
3754                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3755         }
3756
3757         return err;
3758 }
3759
3760 /* Range of port numbers used to automatically bind.
3761    Need to determine whether we should perform a name_bind
3762    permission check between the socket and the port number. */
3763
3764 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3765 {
3766         struct sock *sk = sock->sk;
3767         u16 family;
3768         int err;
3769
3770         err = sock_has_perm(current, sk, SOCKET__BIND);
3771         if (err)
3772                 goto out;
3773
3774         /*
3775          * If PF_INET or PF_INET6, check name_bind permission for the port.
3776          * Multiple address binding for SCTP is not supported yet: we just
3777          * check the first address now.
3778          */
3779         family = sk->sk_family;
3780         if (family == PF_INET || family == PF_INET6) {
3781                 char *addrp;
3782                 struct sk_security_struct *sksec = sk->sk_security;
3783                 struct common_audit_data ad;
3784                 struct sockaddr_in *addr4 = NULL;
3785                 struct sockaddr_in6 *addr6 = NULL;
3786                 unsigned short snum;
3787                 u32 sid, node_perm;
3788
3789                 if (family == PF_INET) {
3790                         addr4 = (struct sockaddr_in *)address;
3791                         snum = ntohs(addr4->sin_port);
3792                         addrp = (char *)&addr4->sin_addr.s_addr;
3793                 } else {
3794                         addr6 = (struct sockaddr_in6 *)address;
3795                         snum = ntohs(addr6->sin6_port);
3796                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3797                 }
3798
3799                 if (snum) {
3800                         int low, high;
3801
3802                         inet_get_local_port_range(&low, &high);
3803
3804                         if (snum < max(PROT_SOCK, low) || snum > high) {
3805                                 err = sel_netport_sid(sk->sk_protocol,
3806                                                       snum, &sid);
3807                                 if (err)
3808                                         goto out;
3809                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3810                                 ad.u.net.sport = htons(snum);
3811                                 ad.u.net.family = family;
3812                                 err = avc_has_perm(sksec->sid, sid,
3813                                                    sksec->sclass,
3814                                                    SOCKET__NAME_BIND, &ad);
3815                                 if (err)
3816                                         goto out;
3817                         }
3818                 }
3819
3820                 switch (sksec->sclass) {
3821                 case SECCLASS_TCP_SOCKET:
3822                         node_perm = TCP_SOCKET__NODE_BIND;
3823                         break;
3824
3825                 case SECCLASS_UDP_SOCKET:
3826                         node_perm = UDP_SOCKET__NODE_BIND;
3827                         break;
3828
3829                 case SECCLASS_DCCP_SOCKET:
3830                         node_perm = DCCP_SOCKET__NODE_BIND;
3831                         break;
3832
3833                 default:
3834                         node_perm = RAWIP_SOCKET__NODE_BIND;
3835                         break;
3836                 }
3837
3838                 err = sel_netnode_sid(addrp, family, &sid);
3839                 if (err)
3840                         goto out;
3841
3842                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3843                 ad.u.net.sport = htons(snum);
3844                 ad.u.net.family = family;
3845
3846                 if (family == PF_INET)
3847                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3848                 else
3849                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3850
3851                 err = avc_has_perm(sksec->sid, sid,
3852                                    sksec->sclass, node_perm, &ad);
3853                 if (err)
3854                         goto out;
3855         }
3856 out:
3857         return err;
3858 }
3859
3860 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3861 {
3862         struct sock *sk = sock->sk;
3863         struct sk_security_struct *sksec = sk->sk_security;
3864         int err;
3865
3866         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3867         if (err)
3868                 return err;
3869
3870         /*
3871          * If a TCP or DCCP socket, check name_connect permission for the port.
3872          */
3873         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3874             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3875                 struct common_audit_data ad;
3876                 struct sockaddr_in *addr4 = NULL;
3877                 struct sockaddr_in6 *addr6 = NULL;
3878                 unsigned short snum;
3879                 u32 sid, perm;
3880
3881                 if (sk->sk_family == PF_INET) {
3882                         addr4 = (struct sockaddr_in *)address;
3883                         if (addrlen < sizeof(struct sockaddr_in))
3884                                 return -EINVAL;
3885                         snum = ntohs(addr4->sin_port);
3886                 } else {
3887                         addr6 = (struct sockaddr_in6 *)address;
3888                         if (addrlen < SIN6_LEN_RFC2133)
3889                                 return -EINVAL;
3890                         snum = ntohs(addr6->sin6_port);
3891                 }
3892
3893                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3894                 if (err)
3895                         goto out;
3896
3897                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3898                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3899
3900                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3901                 ad.u.net.dport = htons(snum);
3902                 ad.u.net.family = sk->sk_family;
3903                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3904                 if (err)
3905                         goto out;
3906         }
3907
3908         err = selinux_netlbl_socket_connect(sk, address);
3909
3910 out:
3911         return err;
3912 }
3913
3914 static int selinux_socket_listen(struct socket *sock, int backlog)
3915 {
3916         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3917 }
3918
3919 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3920 {
3921         int err;
3922         struct inode_security_struct *isec;
3923         struct inode_security_struct *newisec;
3924
3925         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3926         if (err)
3927                 return err;
3928
3929         newisec = SOCK_INODE(newsock)->i_security;
3930
3931         isec = SOCK_INODE(sock)->i_security;
3932         newisec->sclass = isec->sclass;
3933         newisec->sid = isec->sid;
3934         newisec->initialized = 1;
3935
3936         return 0;
3937 }
3938
3939 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3940                                   int size)
3941 {
3942         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3943 }
3944
3945 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3946                                   int size, int flags)
3947 {
3948         return sock_has_perm(current, sock->sk, SOCKET__READ);
3949 }
3950
3951 static int selinux_socket_getsockname(struct socket *sock)
3952 {
3953         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3954 }
3955
3956 static int selinux_socket_getpeername(struct socket *sock)
3957 {
3958         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3959 }
3960
3961 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3962 {
3963         int err;
3964
3965         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3966         if (err)
3967                 return err;
3968
3969         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3970 }
3971
3972 static int selinux_socket_getsockopt(struct socket *sock, int level,
3973                                      int optname)
3974 {
3975         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3976 }
3977
3978 static int selinux_socket_shutdown(struct socket *sock, int how)
3979 {
3980         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
3981 }
3982
3983 static int selinux_socket_unix_stream_connect(struct sock *sock,
3984                                               struct sock *other,
3985                                               struct sock *newsk)
3986 {
3987         struct sk_security_struct *sksec_sock = sock->sk_security;
3988         struct sk_security_struct *sksec_other = other->sk_security;
3989         struct sk_security_struct *sksec_new = newsk->sk_security;
3990         struct common_audit_data ad;
3991         int err;
3992
3993         COMMON_AUDIT_DATA_INIT(&ad, NET);
3994         ad.u.net.sk = other;
3995
3996         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
3997                            sksec_other->sclass,
3998                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3999         if (err)
4000                 return err;
4001
4002         /* server child socket */
4003         sksec_new->peer_sid = sksec_sock->sid;
4004         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4005                                     &sksec_new->sid);
4006         if (err)
4007                 return err;
4008
4009         /* connecting socket */
4010         sksec_sock->peer_sid = sksec_new->sid;
4011
4012         return 0;
4013 }
4014
4015 static int selinux_socket_unix_may_send(struct socket *sock,
4016                                         struct socket *other)
4017 {
4018         struct sk_security_struct *ssec = sock->sk->sk_security;
4019         struct sk_security_struct *osec = other->sk->sk_security;
4020         struct common_audit_data ad;
4021
4022         COMMON_AUDIT_DATA_INIT(&ad, NET);
4023         ad.u.net.sk = other->sk;
4024
4025         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4026                             &ad);
4027 }
4028
4029 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4030                                     u32 peer_sid,
4031                                     struct common_audit_data *ad)
4032 {
4033         int err;
4034         u32 if_sid;
4035         u32 node_sid;
4036
4037         err = sel_netif_sid(ifindex, &if_sid);
4038         if (err)
4039                 return err;
4040         err = avc_has_perm(peer_sid, if_sid,
4041                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4042         if (err)
4043                 return err;
4044
4045         err = sel_netnode_sid(addrp, family, &node_sid);
4046         if (err)
4047                 return err;
4048         return avc_has_perm(peer_sid, node_sid,
4049                             SECCLASS_NODE, NODE__RECVFROM, ad);
4050 }
4051
4052 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4053                                        u16 family)
4054 {
4055         int err = 0;
4056         struct sk_security_struct *sksec = sk->sk_security;
4057         u32 sk_sid = sksec->sid;
4058         struct common_audit_data ad;
4059         char *addrp;
4060
4061         COMMON_AUDIT_DATA_INIT(&ad, NET);
4062         ad.u.net.netif = skb->skb_iif;
4063         ad.u.net.family = family;
4064         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4065         if (err)
4066                 return err;
4067
4068         if (selinux_secmark_enabled()) {
4069                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4070                                    PACKET__RECV, &ad);
4071                 if (err)
4072                         return err;
4073         }
4074
4075         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4076         if (err)
4077                 return err;
4078         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4079
4080         return err;
4081 }
4082
4083 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4084 {
4085         int err;
4086         struct sk_security_struct *sksec = sk->sk_security;
4087         u16 family = sk->sk_family;
4088         u32 sk_sid = sksec->sid;
4089         struct common_audit_data ad;
4090         char *addrp;
4091         u8 secmark_active;
4092         u8 peerlbl_active;
4093
4094         if (family != PF_INET && family != PF_INET6)
4095                 return 0;
4096
4097         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4098         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4099                 family = PF_INET;
4100
4101         /* If any sort of compatibility mode is enabled then handoff processing
4102          * to the selinux_sock_rcv_skb_compat() function to deal with the
4103          * special handling.  We do this in an attempt to keep this function
4104          * as fast and as clean as possible. */
4105         if (!selinux_policycap_netpeer)
4106                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4107
4108         secmark_active = selinux_secmark_enabled();
4109         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4110         if (!secmark_active && !peerlbl_active)
4111                 return 0;
4112
4113         COMMON_AUDIT_DATA_INIT(&ad, NET);
4114         ad.u.net.netif = skb->skb_iif;
4115         ad.u.net.family = family;
4116         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4117         if (err)
4118                 return err;
4119
4120         if (peerlbl_active) {
4121                 u32 peer_sid;
4122
4123                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4124                 if (err)
4125                         return err;
4126                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4127                                                peer_sid, &ad);
4128                 if (err) {
4129                         selinux_netlbl_err(skb, err, 0);
4130                         return err;
4131                 }
4132                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4133                                    PEER__RECV, &ad);
4134                 if (err)
4135                         selinux_netlbl_err(skb, err, 0);
4136         }
4137
4138         if (secmark_active) {
4139                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4140                                    PACKET__RECV, &ad);
4141                 if (err)
4142                         return err;
4143         }
4144
4145         return err;
4146 }
4147
4148 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4149                                             int __user *optlen, unsigned len)
4150 {
4151         int err = 0;
4152         char *scontext;
4153         u32 scontext_len;
4154         struct sk_security_struct *sksec = sock->sk->sk_security;
4155         u32 peer_sid = SECSID_NULL;
4156
4157         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4158             sksec->sclass == SECCLASS_TCP_SOCKET)
4159                 peer_sid = sksec->peer_sid;
4160         if (peer_sid == SECSID_NULL)
4161                 return -ENOPROTOOPT;
4162
4163         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4164         if (err)
4165                 return err;
4166
4167         if (scontext_len > len) {
4168                 err = -ERANGE;
4169                 goto out_len;
4170         }
4171
4172         if (copy_to_user(optval, scontext, scontext_len))
4173                 err = -EFAULT;
4174
4175 out_len:
4176         if (put_user(scontext_len, optlen))
4177                 err = -EFAULT;
4178         kfree(scontext);
4179         return err;
4180 }
4181
4182 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4183 {
4184         u32 peer_secid = SECSID_NULL;
4185         u16 family;
4186
4187         if (skb && skb->protocol == htons(ETH_P_IP))
4188                 family = PF_INET;
4189         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4190                 family = PF_INET6;
4191         else if (sock)
4192                 family = sock->sk->sk_family;
4193         else
4194                 goto out;
4195
4196         if (sock && family == PF_UNIX)
4197                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4198         else if (skb)
4199                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4200
4201 out:
4202         *secid = peer_secid;
4203         if (peer_secid == SECSID_NULL)
4204                 return -EINVAL;
4205         return 0;
4206 }
4207
4208 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4209 {
4210         struct sk_security_struct *sksec;
4211
4212         sksec = kzalloc(sizeof(*sksec), priority);
4213         if (!sksec)
4214                 return -ENOMEM;
4215
4216         sksec->peer_sid = SECINITSID_UNLABELED;
4217         sksec->sid = SECINITSID_UNLABELED;
4218         selinux_netlbl_sk_security_reset(sksec);
4219         sk->sk_security = sksec;
4220
4221         return 0;
4222 }
4223
4224 static void selinux_sk_free_security(struct sock *sk)
4225 {
4226         struct sk_security_struct *sksec = sk->sk_security;
4227
4228         sk->sk_security = NULL;
4229         selinux_netlbl_sk_security_free(sksec);
4230         kfree(sksec);
4231 }
4232
4233 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4234 {
4235         struct sk_security_struct *sksec = sk->sk_security;
4236         struct sk_security_struct *newsksec = newsk->sk_security;
4237
4238         newsksec->sid = sksec->sid;
4239         newsksec->peer_sid = sksec->peer_sid;
4240         newsksec->sclass = sksec->sclass;
4241
4242         selinux_netlbl_sk_security_reset(newsksec);
4243 }
4244
4245 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4246 {
4247         if (!sk)
4248                 *secid = SECINITSID_ANY_SOCKET;
4249         else {
4250                 struct sk_security_struct *sksec = sk->sk_security;
4251
4252                 *secid = sksec->sid;
4253         }
4254 }
4255
4256 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4257 {
4258         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4259         struct sk_security_struct *sksec = sk->sk_security;
4260
4261         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4262             sk->sk_family == PF_UNIX)
4263                 isec->sid = sksec->sid;
4264         sksec->sclass = isec->sclass;
4265 }
4266
4267 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4268                                      struct request_sock *req)
4269 {
4270         struct sk_security_struct *sksec = sk->sk_security;
4271         int err;
4272         u16 family = sk->sk_family;
4273         u32 newsid;
4274         u32 peersid;
4275
4276         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4277         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4278                 family = PF_INET;
4279
4280         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4281         if (err)
4282                 return err;
4283         if (peersid == SECSID_NULL) {
4284                 req->secid = sksec->sid;
4285                 req->peer_secid = SECSID_NULL;
4286         } else {
4287                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4288                 if (err)
4289                         return err;
4290                 req->secid = newsid;
4291                 req->peer_secid = peersid;
4292         }
4293
4294         return selinux_netlbl_inet_conn_request(req, family);
4295 }
4296
4297 static void selinux_inet_csk_clone(struct sock *newsk,
4298                                    const struct request_sock *req)
4299 {
4300         struct sk_security_struct *newsksec = newsk->sk_security;
4301
4302         newsksec->sid = req->secid;
4303         newsksec->peer_sid = req->peer_secid;
4304         /* NOTE: Ideally, we should also get the isec->sid for the
4305            new socket in sync, but we don't have the isec available yet.
4306            So we will wait until sock_graft to do it, by which
4307            time it will have been created and available. */
4308
4309         /* We don't need to take any sort of lock here as we are the only
4310          * thread with access to newsksec */
4311         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4312 }
4313
4314 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4315 {
4316         u16 family = sk->sk_family;
4317         struct sk_security_struct *sksec = sk->sk_security;
4318
4319         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4320         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4321                 family = PF_INET;
4322
4323         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4324 }
4325
4326 static int selinux_secmark_relabel_packet(u32 sid)
4327 {
4328         const struct task_security_struct *__tsec;
4329         u32 tsid;
4330
4331         __tsec = current_security();
4332         tsid = __tsec->sid;
4333
4334         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4335 }
4336
4337 static void selinux_secmark_refcount_inc(void)
4338 {
4339         atomic_inc(&selinux_secmark_refcount);
4340 }
4341
4342 static void selinux_secmark_refcount_dec(void)
4343 {
4344         atomic_dec(&selinux_secmark_refcount);
4345 }
4346
4347 static void selinux_req_classify_flow(const struct request_sock *req,
4348                                       struct flowi *fl)
4349 {
4350         fl->secid = req->secid;
4351 }
4352
4353 static int selinux_tun_dev_create(void)
4354 {
4355         u32 sid = current_sid();
4356
4357         /* we aren't taking into account the "sockcreate" SID since the socket
4358          * that is being created here is not a socket in the traditional sense,
4359          * instead it is a private sock, accessible only to the kernel, and
4360          * representing a wide range of network traffic spanning multiple
4361          * connections unlike traditional sockets - check the TUN driver to
4362          * get a better understanding of why this socket is special */
4363
4364         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4365                             NULL);
4366 }
4367
4368 static void selinux_tun_dev_post_create(struct sock *sk)
4369 {
4370         struct sk_security_struct *sksec = sk->sk_security;
4371
4372         /* we don't currently perform any NetLabel based labeling here and it
4373          * isn't clear that we would want to do so anyway; while we could apply
4374          * labeling without the support of the TUN user the resulting labeled
4375          * traffic from the other end of the connection would almost certainly
4376          * cause confusion to the TUN user that had no idea network labeling
4377          * protocols were being used */
4378
4379         /* see the comments in selinux_tun_dev_create() about why we don't use
4380          * the sockcreate SID here */
4381
4382         sksec->sid = current_sid();
4383         sksec->sclass = SECCLASS_TUN_SOCKET;
4384 }
4385
4386 static int selinux_tun_dev_attach(struct sock *sk)
4387 {
4388         struct sk_security_struct *sksec = sk->sk_security;
4389         u32 sid = current_sid();
4390         int err;
4391
4392         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4393                            TUN_SOCKET__RELABELFROM, NULL);
4394         if (err)
4395                 return err;
4396         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4397                            TUN_SOCKET__RELABELTO, NULL);
4398         if (err)
4399                 return err;
4400
4401         sksec->sid = sid;
4402
4403         return 0;
4404 }
4405
4406 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4407 {
4408         int err = 0;
4409         u32 perm;
4410         struct nlmsghdr *nlh;
4411         struct sk_security_struct *sksec = sk->sk_security;
4412
4413         if (skb->len < NLMSG_SPACE(0)) {
4414                 err = -EINVAL;
4415                 goto out;
4416         }
4417         nlh = nlmsg_hdr(skb);
4418
4419         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4420         if (err) {
4421                 if (err == -EINVAL) {
4422                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4423                                   "SELinux:  unrecognized netlink message"
4424                                   " type=%hu for sclass=%hu\n",
4425                                   nlh->nlmsg_type, sksec->sclass);
4426                         if (!selinux_enforcing || security_get_allow_unknown())
4427                                 err = 0;
4428                 }
4429
4430                 /* Ignore */
4431                 if (err == -ENOENT)
4432                         err = 0;
4433                 goto out;
4434         }
4435
4436         err = sock_has_perm(current, sk, perm);
4437 out:
4438         return err;
4439 }
4440
4441 #ifdef CONFIG_NETFILTER
4442
4443 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4444                                        u16 family)
4445 {
4446         int err;
4447         char *addrp;
4448         u32 peer_sid;
4449         struct common_audit_data ad;
4450         u8 secmark_active;
4451         u8 netlbl_active;
4452         u8 peerlbl_active;
4453
4454         if (!selinux_policycap_netpeer)
4455                 return NF_ACCEPT;
4456
4457         secmark_active = selinux_secmark_enabled();
4458         netlbl_active = netlbl_enabled();
4459         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4460         if (!secmark_active && !peerlbl_active)
4461                 return NF_ACCEPT;
4462
4463         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4464                 return NF_DROP;
4465
4466         COMMON_AUDIT_DATA_INIT(&ad, NET);
4467         ad.u.net.netif = ifindex;
4468         ad.u.net.family = family;
4469         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4470                 return NF_DROP;
4471
4472         if (peerlbl_active) {
4473                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4474                                                peer_sid, &ad);
4475                 if (err) {
4476                         selinux_netlbl_err(skb, err, 1);
4477                         return NF_DROP;
4478                 }
4479         }
4480
4481         if (secmark_active)
4482                 if (avc_has_perm(peer_sid, skb->secmark,
4483                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4484                         return NF_DROP;
4485
4486         if (netlbl_active)
4487                 /* we do this in the FORWARD path and not the POST_ROUTING
4488                  * path because we want to make sure we apply the necessary
4489                  * labeling before IPsec is applied so we can leverage AH
4490                  * protection */
4491                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4492                         return NF_DROP;
4493
4494         return NF_ACCEPT;
4495 }
4496
4497 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4498                                          struct sk_buff *skb,
4499                                          const struct net_device *in,
4500                                          const struct net_device *out,
4501                                          int (*okfn)(struct sk_buff *))
4502 {
4503         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4504 }
4505
4506 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4507 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4508                                          struct sk_buff *skb,
4509                                          const struct net_device *in,
4510                                          const struct net_device *out,
4511                                          int (*okfn)(struct sk_buff *))
4512 {
4513         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4514 }
4515 #endif  /* IPV6 */
4516
4517 static unsigned int selinux_ip_output(struct sk_buff *skb,
4518                                       u16 family)
4519 {
4520         u32 sid;
4521
4522         if (!netlbl_enabled())
4523                 return NF_ACCEPT;
4524
4525         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4526          * because we want to make sure we apply the necessary labeling
4527          * before IPsec is applied so we can leverage AH protection */
4528         if (skb->sk) {
4529                 struct sk_security_struct *sksec = skb->sk->sk_security;
4530                 sid = sksec->sid;
4531         } else
4532                 sid = SECINITSID_KERNEL;
4533         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4534                 return NF_DROP;
4535
4536         return NF_ACCEPT;
4537 }
4538
4539 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4540                                         struct sk_buff *skb,
4541                                         const struct net_device *in,
4542                                         const struct net_device *out,
4543                                         int (*okfn)(struct sk_buff *))
4544 {
4545         return selinux_ip_output(skb, PF_INET);
4546 }
4547
4548 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4549                                                 int ifindex,
4550                                                 u16 family)
4551 {
4552         struct sock *sk = skb->sk;
4553         struct sk_security_struct *sksec;
4554         struct common_audit_data ad;
4555         char *addrp;
4556         u8 proto;
4557
4558         if (sk == NULL)
4559                 return NF_ACCEPT;
4560         sksec = sk->sk_security;
4561
4562         COMMON_AUDIT_DATA_INIT(&ad, NET);
4563         ad.u.net.netif = ifindex;
4564         ad.u.net.family = family;
4565         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4566                 return NF_DROP;
4567
4568         if (selinux_secmark_enabled())
4569                 if (avc_has_perm(sksec->sid, skb->secmark,
4570                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4571                         return NF_DROP_ERR(-ECONNREFUSED);
4572
4573         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4574                 return NF_DROP_ERR(-ECONNREFUSED);
4575
4576         return NF_ACCEPT;
4577 }
4578
4579 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4580                                          u16 family)
4581 {
4582         u32 secmark_perm;
4583         u32 peer_sid;
4584         struct sock *sk;
4585         struct common_audit_data ad;
4586         char *addrp;
4587         u8 secmark_active;
4588         u8 peerlbl_active;
4589
4590         /* If any sort of compatibility mode is enabled then handoff processing
4591          * to the selinux_ip_postroute_compat() function to deal with the
4592          * special handling.  We do this in an attempt to keep this function
4593          * as fast and as clean as possible. */
4594         if (!selinux_policycap_netpeer)
4595                 return selinux_ip_postroute_compat(skb, ifindex, family);
4596 #ifdef CONFIG_XFRM
4597         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4598          * packet transformation so allow the packet to pass without any checks
4599          * since we'll have another chance to perform access control checks
4600          * when the packet is on it's final way out.
4601          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4602          *       is NULL, in this case go ahead and apply access control. */
4603         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4604                 return NF_ACCEPT;
4605 #endif
4606         secmark_active = selinux_secmark_enabled();
4607         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4608         if (!secmark_active && !peerlbl_active)
4609                 return NF_ACCEPT;
4610
4611         /* if the packet is being forwarded then get the peer label from the
4612          * packet itself; otherwise check to see if it is from a local
4613          * application or the kernel, if from an application get the peer label
4614          * from the sending socket, otherwise use the kernel's sid */
4615         sk = skb->sk;
4616         if (sk == NULL) {
4617                 if (skb->skb_iif) {
4618                         secmark_perm = PACKET__FORWARD_OUT;
4619                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4620                                 return NF_DROP;
4621                 } else {
4622                         secmark_perm = PACKET__SEND;
4623                         peer_sid = SECINITSID_KERNEL;
4624                 }
4625         } else {
4626                 struct sk_security_struct *sksec = sk->sk_security;
4627                 peer_sid = sksec->sid;
4628                 secmark_perm = PACKET__SEND;
4629         }
4630
4631         COMMON_AUDIT_DATA_INIT(&ad, NET);
4632         ad.u.net.netif = ifindex;
4633         ad.u.net.family = family;
4634         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4635                 return NF_DROP;
4636
4637         if (secmark_active)
4638                 if (avc_has_perm(peer_sid, skb->secmark,
4639                                  SECCLASS_PACKET, secmark_perm, &ad))
4640                         return NF_DROP_ERR(-ECONNREFUSED);
4641
4642         if (peerlbl_active) {
4643                 u32 if_sid;
4644                 u32 node_sid;
4645
4646                 if (sel_netif_sid(ifindex, &if_sid))
4647                         return NF_DROP;
4648                 if (avc_has_perm(peer_sid, if_sid,
4649                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4650                         return NF_DROP_ERR(-ECONNREFUSED);
4651
4652                 if (sel_netnode_sid(addrp, family, &node_sid))
4653                         return NF_DROP;
4654                 if (avc_has_perm(peer_sid, node_sid,
4655                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4656                         return NF_DROP_ERR(-ECONNREFUSED);
4657         }
4658
4659         return NF_ACCEPT;
4660 }
4661
4662 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4663                                            struct sk_buff *skb,
4664                                            const struct net_device *in,
4665                                            const struct net_device *out,
4666                                            int (*okfn)(struct sk_buff *))
4667 {
4668         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4669 }
4670
4671 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4672 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4673                                            struct sk_buff *skb,
4674                                            const struct net_device *in,
4675                                            const struct net_device *out,
4676                                            int (*okfn)(struct sk_buff *))
4677 {
4678         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4679 }
4680 #endif  /* IPV6 */
4681
4682 #endif  /* CONFIG_NETFILTER */
4683
4684 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4685 {
4686         int err;
4687
4688         err = cap_netlink_send(sk, skb);
4689         if (err)
4690                 return err;
4691
4692         return selinux_nlmsg_perm(sk, skb);
4693 }
4694
4695 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4696 {
4697         int err;
4698         struct common_audit_data ad;
4699
4700         err = cap_netlink_recv(skb, capability);
4701         if (err)
4702                 return err;
4703
4704         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4705         ad.u.cap = capability;
4706
4707         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4708                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4709 }
4710
4711 static int ipc_alloc_security(struct task_struct *task,
4712                               struct kern_ipc_perm *perm,
4713                               u16 sclass)
4714 {
4715         struct ipc_security_struct *isec;
4716         u32 sid;
4717
4718         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4719         if (!isec)
4720                 return -ENOMEM;
4721
4722         sid = task_sid(task);
4723         isec->sclass = sclass;
4724         isec->sid = sid;
4725         perm->security = isec;
4726
4727         return 0;
4728 }
4729
4730 static void ipc_free_security(struct kern_ipc_perm *perm)
4731 {
4732         struct ipc_security_struct *isec = perm->security;
4733         perm->security = NULL;
4734         kfree(isec);
4735 }
4736
4737 static int msg_msg_alloc_security(struct msg_msg *msg)
4738 {
4739         struct msg_security_struct *msec;
4740
4741         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4742         if (!msec)
4743                 return -ENOMEM;
4744
4745         msec->sid = SECINITSID_UNLABELED;
4746         msg->security = msec;
4747
4748         return 0;
4749 }
4750
4751 static void msg_msg_free_security(struct msg_msg *msg)
4752 {
4753         struct msg_security_struct *msec = msg->security;
4754
4755         msg->security = NULL;
4756         kfree(msec);
4757 }
4758
4759 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4760                         u32 perms)
4761 {
4762         struct ipc_security_struct *isec;
4763         struct common_audit_data ad;
4764         u32 sid = current_sid();
4765
4766         isec = ipc_perms->security;
4767
4768         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4769         ad.u.ipc_id = ipc_perms->key;
4770
4771         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4772 }
4773
4774 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4775 {
4776         return msg_msg_alloc_security(msg);
4777 }
4778
4779 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4780 {
4781         msg_msg_free_security(msg);
4782 }
4783
4784 /* message queue security operations */
4785 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4786 {
4787         struct ipc_security_struct *isec;
4788         struct common_audit_data ad;
4789         u32 sid = current_sid();
4790         int rc;
4791
4792         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4793         if (rc)
4794                 return rc;
4795
4796         isec = msq->q_perm.security;
4797
4798         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4799         ad.u.ipc_id = msq->q_perm.key;
4800
4801         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4802                           MSGQ__CREATE, &ad);
4803         if (rc) {
4804                 ipc_free_security(&msq->q_perm);
4805                 return rc;
4806         }
4807         return 0;
4808 }
4809
4810 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4811 {
4812         ipc_free_security(&msq->q_perm);
4813 }
4814
4815 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4816 {
4817         struct ipc_security_struct *isec;
4818         struct common_audit_data ad;
4819         u32 sid = current_sid();
4820
4821         isec = msq->q_perm.security;
4822
4823         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4824         ad.u.ipc_id = msq->q_perm.key;
4825
4826         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4827                             MSGQ__ASSOCIATE, &ad);
4828 }
4829
4830 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4831 {
4832         int err;
4833         int perms;
4834
4835         switch (cmd) {
4836         case IPC_INFO:
4837         case MSG_INFO:
4838                 /* No specific object, just general system-wide information. */
4839                 return task_has_system(current, SYSTEM__IPC_INFO);
4840         case IPC_STAT:
4841         case MSG_STAT:
4842                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4843                 break;
4844         case IPC_SET:
4845                 perms = MSGQ__SETATTR;
4846                 break;
4847         case IPC_RMID:
4848                 perms = MSGQ__DESTROY;
4849                 break;
4850         default:
4851                 return 0;
4852         }
4853
4854         err = ipc_has_perm(&msq->q_perm, perms);
4855         return err;
4856 }
4857
4858 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4859 {
4860         struct ipc_security_struct *isec;
4861         struct msg_security_struct *msec;
4862         struct common_audit_data ad;
4863         u32 sid = current_sid();
4864         int rc;
4865
4866         isec = msq->q_perm.security;
4867         msec = msg->security;
4868
4869         /*
4870          * First time through, need to assign label to the message
4871          */
4872         if (msec->sid == SECINITSID_UNLABELED) {
4873                 /*
4874                  * Compute new sid based on current process and
4875                  * message queue this message will be stored in
4876                  */
4877                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4878                                              NULL, &msec->sid);
4879                 if (rc)
4880                         return rc;
4881         }
4882
4883         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4884         ad.u.ipc_id = msq->q_perm.key;
4885
4886         /* Can this process write to the queue? */
4887         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4888                           MSGQ__WRITE, &ad);
4889         if (!rc)
4890                 /* Can this process send the message */
4891                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4892                                   MSG__SEND, &ad);
4893         if (!rc)
4894                 /* Can the message be put in the queue? */
4895                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4896                                   MSGQ__ENQUEUE, &ad);
4897
4898         return rc;
4899 }
4900
4901 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4902                                     struct task_struct *target,
4903                                     long type, int mode)
4904 {
4905         struct ipc_security_struct *isec;
4906         struct msg_security_struct *msec;
4907         struct common_audit_data ad;
4908         u32 sid = task_sid(target);
4909         int rc;
4910
4911         isec = msq->q_perm.security;
4912         msec = msg->security;
4913
4914         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4915         ad.u.ipc_id = msq->q_perm.key;
4916
4917         rc = avc_has_perm(sid, isec->sid,
4918                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4919         if (!rc)
4920                 rc = avc_has_perm(sid, msec->sid,
4921                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4922         return rc;
4923 }
4924
4925 /* Shared Memory security operations */
4926 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4927 {
4928         struct ipc_security_struct *isec;
4929         struct common_audit_data ad;
4930         u32 sid = current_sid();
4931         int rc;
4932
4933         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4934         if (rc)
4935                 return rc;
4936
4937         isec = shp->shm_perm.security;
4938
4939         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4940         ad.u.ipc_id = shp->shm_perm.key;
4941
4942         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4943                           SHM__CREATE, &ad);
4944         if (rc) {
4945                 ipc_free_security(&shp->shm_perm);
4946                 return rc;
4947         }
4948         return 0;
4949 }
4950
4951 static void selinux_shm_free_security(struct shmid_kernel *shp)
4952 {
4953         ipc_free_security(&shp->shm_perm);
4954 }
4955
4956 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4957 {
4958         struct ipc_security_struct *isec;
4959         struct common_audit_data ad;
4960         u32 sid = current_sid();
4961
4962         isec = shp->shm_perm.security;
4963
4964         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4965         ad.u.ipc_id = shp->shm_perm.key;
4966
4967         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4968                             SHM__ASSOCIATE, &ad);
4969 }
4970
4971 /* Note, at this point, shp is locked down */
4972 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4973 {
4974         int perms;
4975         int err;
4976
4977         switch (cmd) {
4978         case IPC_INFO:
4979         case SHM_INFO:
4980                 /* No specific object, just general system-wide information. */
4981                 return task_has_system(current, SYSTEM__IPC_INFO);
4982         case IPC_STAT:
4983         case SHM_STAT:
4984                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4985                 break;
4986         case IPC_SET:
4987                 perms = SHM__SETATTR;
4988                 break;
4989         case SHM_LOCK:
4990         case SHM_UNLOCK:
4991                 perms = SHM__LOCK;
4992                 break;
4993         case IPC_RMID:
4994                 perms = SHM__DESTROY;
4995                 break;
4996         default:
4997                 return 0;
4998         }
4999
5000         err = ipc_has_perm(&shp->shm_perm, perms);
5001         return err;
5002 }
5003
5004 static int selinux_shm_shmat(struct shmid_kernel *shp,
5005                              char __user *shmaddr, int shmflg)
5006 {
5007         u32 perms;
5008
5009         if (shmflg & SHM_RDONLY)
5010                 perms = SHM__READ;
5011         else
5012                 perms = SHM__READ | SHM__WRITE;
5013
5014         return ipc_has_perm(&shp->shm_perm, perms);
5015 }
5016
5017 /* Semaphore security operations */
5018 static int selinux_sem_alloc_security(struct sem_array *sma)
5019 {
5020         struct ipc_security_struct *isec;
5021         struct common_audit_data ad;
5022         u32 sid = current_sid();
5023         int rc;
5024
5025         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5026         if (rc)
5027                 return rc;
5028
5029         isec = sma->sem_perm.security;
5030
5031         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5032         ad.u.ipc_id = sma->sem_perm.key;
5033
5034         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5035                           SEM__CREATE, &ad);
5036         if (rc) {
5037                 ipc_free_security(&sma->sem_perm);
5038                 return rc;
5039         }
5040         return 0;
5041 }
5042
5043 static void selinux_sem_free_security(struct sem_array *sma)
5044 {
5045         ipc_free_security(&sma->sem_perm);
5046 }
5047
5048 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5049 {
5050         struct ipc_security_struct *isec;
5051         struct common_audit_data ad;
5052         u32 sid = current_sid();
5053
5054         isec = sma->sem_perm.security;
5055
5056         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5057         ad.u.ipc_id = sma->sem_perm.key;
5058
5059         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5060                             SEM__ASSOCIATE, &ad);
5061 }
5062
5063 /* Note, at this point, sma is locked down */
5064 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5065 {
5066         int err;
5067         u32 perms;
5068
5069         switch (cmd) {
5070         case IPC_INFO:
5071         case SEM_INFO:
5072                 /* No specific object, just general system-wide information. */
5073                 return task_has_system(current, SYSTEM__IPC_INFO);
5074         case GETPID:
5075         case GETNCNT:
5076         case GETZCNT:
5077                 perms = SEM__GETATTR;
5078                 break;
5079         case GETVAL:
5080         case GETALL:
5081                 perms = SEM__READ;
5082                 break;
5083         case SETVAL:
5084         case SETALL:
5085                 perms = SEM__WRITE;
5086                 break;
5087         case IPC_RMID:
5088                 perms = SEM__DESTROY;
5089                 break;
5090         case IPC_SET:
5091                 perms = SEM__SETATTR;
5092                 break;
5093         case IPC_STAT:
5094         case SEM_STAT:
5095                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5096                 break;
5097         default:
5098                 return 0;
5099         }
5100
5101         err = ipc_has_perm(&sma->sem_perm, perms);
5102         return err;
5103 }
5104
5105 static int selinux_sem_semop(struct sem_array *sma,
5106                              struct sembuf *sops, unsigned nsops, int alter)
5107 {
5108         u32 perms;
5109
5110         if (alter)
5111                 perms = SEM__READ | SEM__WRITE;
5112         else
5113                 perms = SEM__READ;
5114
5115         return ipc_has_perm(&sma->sem_perm, perms);
5116 }
5117
5118 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5119 {
5120         u32 av = 0;
5121
5122         av = 0;
5123         if (flag & S_IRUGO)
5124                 av |= IPC__UNIX_READ;
5125         if (flag & S_IWUGO)
5126                 av |= IPC__UNIX_WRITE;
5127
5128         if (av == 0)
5129                 return 0;
5130
5131         return ipc_has_perm(ipcp, av);
5132 }
5133
5134 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5135 {
5136         struct ipc_security_struct *isec = ipcp->security;
5137         *secid = isec->sid;
5138 }
5139
5140 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5141 {
5142         if (inode)
5143                 inode_doinit_with_dentry(inode, dentry);
5144 }
5145
5146 static int selinux_getprocattr(struct task_struct *p,
5147                                char *name, char **value)
5148 {
5149         const struct task_security_struct *__tsec;
5150         u32 sid;
5151         int error;
5152         unsigned len;
5153
5154         if (current != p) {
5155                 error = current_has_perm(p, PROCESS__GETATTR);
5156                 if (error)
5157                         return error;
5158         }
5159
5160         rcu_read_lock();
5161         __tsec = __task_cred(p)->security;
5162
5163         if (!strcmp(name, "current"))
5164                 sid = __tsec->sid;
5165         else if (!strcmp(name, "prev"))
5166                 sid = __tsec->osid;
5167         else if (!strcmp(name, "exec"))
5168                 sid = __tsec->exec_sid;
5169         else if (!strcmp(name, "fscreate"))
5170                 sid = __tsec->create_sid;
5171         else if (!strcmp(name, "keycreate"))
5172                 sid = __tsec->keycreate_sid;
5173         else if (!strcmp(name, "sockcreate"))
5174                 sid = __tsec->sockcreate_sid;
5175         else
5176                 goto invalid;
5177         rcu_read_unlock();
5178
5179         if (!sid)
5180                 return 0;
5181
5182         error = security_sid_to_context(sid, value, &len);
5183         if (error)
5184                 return error;
5185         return len;
5186
5187 invalid:
5188         rcu_read_unlock();
5189         return -EINVAL;
5190 }
5191
5192 static int selinux_setprocattr(struct task_struct *p,
5193                                char *name, void *value, size_t size)
5194 {
5195         struct task_security_struct *tsec;
5196         struct task_struct *tracer;
5197         struct cred *new;
5198         u32 sid = 0, ptsid;
5199         int error;
5200         char *str = value;
5201
5202         if (current != p) {
5203                 /* SELinux only allows a process to change its own
5204                    security attributes. */
5205                 return -EACCES;
5206         }
5207
5208         /*
5209          * Basic control over ability to set these attributes at all.
5210          * current == p, but we'll pass them separately in case the
5211          * above restriction is ever removed.
5212          */
5213         if (!strcmp(name, "exec"))
5214                 error = current_has_perm(p, PROCESS__SETEXEC);
5215         else if (!strcmp(name, "fscreate"))
5216                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5217         else if (!strcmp(name, "keycreate"))
5218                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5219         else if (!strcmp(name, "sockcreate"))
5220                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5221         else if (!strcmp(name, "current"))
5222                 error = current_has_perm(p, PROCESS__SETCURRENT);
5223         else
5224                 error = -EINVAL;
5225         if (error)
5226                 return error;
5227
5228         /* Obtain a SID for the context, if one was specified. */
5229         if (size && str[1] && str[1] != '\n') {
5230                 if (str[size-1] == '\n') {
5231                         str[size-1] = 0;
5232                         size--;
5233                 }
5234                 error = security_context_to_sid(value, size, &sid);
5235                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5236                         if (!capable(CAP_MAC_ADMIN))
5237                                 return error;
5238                         error = security_context_to_sid_force(value, size,
5239                                                               &sid);
5240                 }
5241                 if (error)
5242                         return error;
5243         }
5244
5245         new = prepare_creds();
5246         if (!new)
5247                 return -ENOMEM;
5248
5249         /* Permission checking based on the specified context is
5250            performed during the actual operation (execve,
5251            open/mkdir/...), when we know the full context of the
5252            operation.  See selinux_bprm_set_creds for the execve
5253            checks and may_create for the file creation checks. The
5254            operation will then fail if the context is not permitted. */
5255         tsec = new->security;
5256         if (!strcmp(name, "exec")) {
5257                 tsec->exec_sid = sid;
5258         } else if (!strcmp(name, "fscreate")) {
5259                 tsec->create_sid = sid;
5260         } else if (!strcmp(name, "keycreate")) {
5261                 error = may_create_key(sid, p);
5262                 if (error)
5263                         goto abort_change;
5264                 tsec->keycreate_sid = sid;
5265         } else if (!strcmp(name, "sockcreate")) {
5266                 tsec->sockcreate_sid = sid;
5267         } else if (!strcmp(name, "current")) {
5268                 error = -EINVAL;
5269                 if (sid == 0)
5270                         goto abort_change;
5271
5272                 /* Only allow single threaded processes to change context */
5273                 error = -EPERM;
5274                 if (!current_is_single_threaded()) {
5275                         error = security_bounded_transition(tsec->sid, sid);
5276                         if (error)
5277                                 goto abort_change;
5278                 }
5279
5280                 /* Check permissions for the transition. */
5281                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5282                                      PROCESS__DYNTRANSITION, NULL);
5283                 if (error)
5284                         goto abort_change;
5285
5286                 /* Check for ptracing, and update the task SID if ok.
5287                    Otherwise, leave SID unchanged and fail. */
5288                 ptsid = 0;
5289                 task_lock(p);
5290                 tracer = tracehook_tracer_task(p);
5291                 if (tracer)
5292                         ptsid = task_sid(tracer);
5293                 task_unlock(p);
5294
5295                 if (tracer) {
5296                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5297                                              PROCESS__PTRACE, NULL);
5298                         if (error)
5299                                 goto abort_change;
5300                 }
5301
5302                 tsec->sid = sid;
5303         } else {
5304                 error = -EINVAL;
5305                 goto abort_change;
5306         }
5307
5308         commit_creds(new);
5309         return size;
5310
5311 abort_change:
5312         abort_creds(new);
5313         return error;
5314 }
5315
5316 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5317 {
5318         return security_sid_to_context(secid, secdata, seclen);
5319 }
5320
5321 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5322 {
5323         return security_context_to_sid(secdata, seclen, secid);
5324 }
5325
5326 static void selinux_release_secctx(char *secdata, u32 seclen)
5327 {
5328         kfree(secdata);
5329 }
5330
5331 /*
5332  *      called with inode->i_mutex locked
5333  */
5334 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5335 {
5336         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5337 }
5338
5339 /*
5340  *      called with inode->i_mutex locked
5341  */
5342 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5343 {
5344         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5345 }
5346
5347 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5348 {
5349         int len = 0;
5350         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5351                                                 ctx, true);
5352         if (len < 0)
5353                 return len;
5354         *ctxlen = len;
5355         return 0;
5356 }
5357 #ifdef CONFIG_KEYS
5358
5359 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5360                              unsigned long flags)
5361 {
5362         const struct task_security_struct *tsec;
5363         struct key_security_struct *ksec;
5364
5365         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5366         if (!ksec)
5367                 return -ENOMEM;
5368
5369         tsec = cred->security;
5370         if (tsec->keycreate_sid)
5371                 ksec->sid = tsec->keycreate_sid;
5372         else
5373                 ksec->sid = tsec->sid;
5374
5375         k->security = ksec;
5376         return 0;
5377 }
5378
5379 static void selinux_key_free(struct key *k)
5380 {
5381         struct key_security_struct *ksec = k->security;
5382
5383         k->security = NULL;
5384         kfree(ksec);
5385 }
5386
5387 static int selinux_key_permission(key_ref_t key_ref,
5388                                   const struct cred *cred,
5389                                   key_perm_t perm)
5390 {
5391         struct key *key;
5392         struct key_security_struct *ksec;
5393         u32 sid;
5394
5395         /* if no specific permissions are requested, we skip the
5396            permission check. No serious, additional covert channels
5397            appear to be created. */
5398         if (perm == 0)
5399                 return 0;
5400
5401         sid = cred_sid(cred);
5402
5403         key = key_ref_to_ptr(key_ref);
5404         ksec = key->security;
5405
5406         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5407 }
5408
5409 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5410 {
5411         struct key_security_struct *ksec = key->security;
5412         char *context = NULL;
5413         unsigned len;
5414         int rc;
5415
5416         rc = security_sid_to_context(ksec->sid, &context, &len);
5417         if (!rc)
5418                 rc = len;
5419         *_buffer = context;
5420         return rc;
5421 }
5422
5423 #endif
5424
5425 static struct security_operations selinux_ops = {
5426         .name =                         "selinux",
5427
5428         .ptrace_access_check =          selinux_ptrace_access_check,
5429         .ptrace_traceme =               selinux_ptrace_traceme,
5430         .capget =                       selinux_capget,
5431         .capset =                       selinux_capset,
5432         .capable =                      selinux_capable,
5433         .quotactl =                     selinux_quotactl,
5434         .quota_on =                     selinux_quota_on,
5435         .syslog =                       selinux_syslog,
5436         .vm_enough_memory =             selinux_vm_enough_memory,
5437
5438         .netlink_send =                 selinux_netlink_send,
5439         .netlink_recv =                 selinux_netlink_recv,
5440
5441         .bprm_set_creds =               selinux_bprm_set_creds,
5442         .bprm_committing_creds =        selinux_bprm_committing_creds,
5443         .bprm_committed_creds =         selinux_bprm_committed_creds,
5444         .bprm_secureexec =              selinux_bprm_secureexec,
5445
5446         .sb_alloc_security =            selinux_sb_alloc_security,
5447         .sb_free_security =             selinux_sb_free_security,
5448         .sb_copy_data =                 selinux_sb_copy_data,
5449         .sb_remount =                   selinux_sb_remount,
5450         .sb_kern_mount =                selinux_sb_kern_mount,
5451         .sb_show_options =              selinux_sb_show_options,
5452         .sb_statfs =                    selinux_sb_statfs,
5453         .sb_mount =                     selinux_mount,
5454         .sb_umount =                    selinux_umount,
5455         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5456         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5457         .sb_parse_opts_str =            selinux_parse_opts_str,
5458
5459
5460         .inode_alloc_security =         selinux_inode_alloc_security,
5461         .inode_free_security =          selinux_inode_free_security,
5462         .inode_init_security =          selinux_inode_init_security,
5463         .inode_create =                 selinux_inode_create,
5464         .inode_link =                   selinux_inode_link,
5465         .inode_unlink =                 selinux_inode_unlink,
5466         .inode_symlink =                selinux_inode_symlink,
5467         .inode_mkdir =                  selinux_inode_mkdir,
5468         .inode_rmdir =                  selinux_inode_rmdir,
5469         .inode_mknod =                  selinux_inode_mknod,
5470         .inode_rename =                 selinux_inode_rename,
5471         .inode_readlink =               selinux_inode_readlink,
5472         .inode_follow_link =            selinux_inode_follow_link,
5473         .inode_permission =             selinux_inode_permission,
5474         .inode_setattr =                selinux_inode_setattr,
5475         .inode_getattr =                selinux_inode_getattr,
5476         .inode_setxattr =               selinux_inode_setxattr,
5477         .inode_post_setxattr =          selinux_inode_post_setxattr,
5478         .inode_getxattr =               selinux_inode_getxattr,
5479         .inode_listxattr =              selinux_inode_listxattr,
5480         .inode_removexattr =            selinux_inode_removexattr,
5481         .inode_getsecurity =            selinux_inode_getsecurity,
5482         .inode_setsecurity =            selinux_inode_setsecurity,
5483         .inode_listsecurity =           selinux_inode_listsecurity,
5484         .inode_getsecid =               selinux_inode_getsecid,
5485
5486         .file_permission =              selinux_file_permission,
5487         .file_alloc_security =          selinux_file_alloc_security,
5488         .file_free_security =           selinux_file_free_security,
5489         .file_ioctl =                   selinux_file_ioctl,
5490         .file_mmap =                    selinux_file_mmap,
5491         .file_mprotect =                selinux_file_mprotect,
5492         .file_lock =                    selinux_file_lock,
5493         .file_fcntl =                   selinux_file_fcntl,
5494         .file_set_fowner =              selinux_file_set_fowner,
5495         .file_send_sigiotask =          selinux_file_send_sigiotask,
5496         .file_receive =                 selinux_file_receive,
5497
5498         .dentry_open =                  selinux_dentry_open,
5499
5500         .task_create =                  selinux_task_create,
5501         .cred_alloc_blank =             selinux_cred_alloc_blank,
5502         .cred_free =                    selinux_cred_free,
5503         .cred_prepare =                 selinux_cred_prepare,
5504         .cred_transfer =                selinux_cred_transfer,
5505         .kernel_act_as =                selinux_kernel_act_as,
5506         .kernel_create_files_as =       selinux_kernel_create_files_as,
5507         .kernel_module_request =        selinux_kernel_module_request,
5508         .task_setpgid =                 selinux_task_setpgid,
5509         .task_getpgid =                 selinux_task_getpgid,
5510         .task_getsid =                  selinux_task_getsid,
5511         .task_getsecid =                selinux_task_getsecid,
5512         .task_setnice =                 selinux_task_setnice,
5513         .task_setioprio =               selinux_task_setioprio,
5514         .task_getioprio =               selinux_task_getioprio,
5515         .task_setrlimit =               selinux_task_setrlimit,
5516         .task_setscheduler =            selinux_task_setscheduler,
5517         .task_getscheduler =            selinux_task_getscheduler,
5518         .task_movememory =              selinux_task_movememory,
5519         .task_kill =                    selinux_task_kill,
5520         .task_wait =                    selinux_task_wait,
5521         .task_to_inode =                selinux_task_to_inode,
5522
5523         .ipc_permission =               selinux_ipc_permission,
5524         .ipc_getsecid =                 selinux_ipc_getsecid,
5525
5526         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5527         .msg_msg_free_security =        selinux_msg_msg_free_security,
5528
5529         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5530         .msg_queue_free_security =      selinux_msg_queue_free_security,
5531         .msg_queue_associate =          selinux_msg_queue_associate,
5532         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5533         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5534         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5535
5536         .shm_alloc_security =           selinux_shm_alloc_security,
5537         .shm_free_security =            selinux_shm_free_security,
5538         .shm_associate =                selinux_shm_associate,
5539         .shm_shmctl =                   selinux_shm_shmctl,
5540         .shm_shmat =                    selinux_shm_shmat,
5541
5542         .sem_alloc_security =           selinux_sem_alloc_security,
5543         .sem_free_security =            selinux_sem_free_security,
5544         .sem_associate =                selinux_sem_associate,
5545         .sem_semctl =                   selinux_sem_semctl,
5546         .sem_semop =                    selinux_sem_semop,
5547
5548         .d_instantiate =                selinux_d_instantiate,
5549
5550         .getprocattr =                  selinux_getprocattr,
5551         .setprocattr =                  selinux_setprocattr,
5552
5553         .secid_to_secctx =              selinux_secid_to_secctx,
5554         .secctx_to_secid =              selinux_secctx_to_secid,
5555         .release_secctx =               selinux_release_secctx,
5556         .inode_notifysecctx =           selinux_inode_notifysecctx,
5557         .inode_setsecctx =              selinux_inode_setsecctx,
5558         .inode_getsecctx =              selinux_inode_getsecctx,
5559
5560         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5561         .unix_may_send =                selinux_socket_unix_may_send,
5562
5563         .socket_create =                selinux_socket_create,
5564         .socket_post_create =           selinux_socket_post_create,
5565         .socket_bind =                  selinux_socket_bind,
5566         .socket_connect =               selinux_socket_connect,
5567         .socket_listen =                selinux_socket_listen,
5568         .socket_accept =                selinux_socket_accept,
5569         .socket_sendmsg =               selinux_socket_sendmsg,
5570         .socket_recvmsg =               selinux_socket_recvmsg,
5571         .socket_getsockname =           selinux_socket_getsockname,
5572         .socket_getpeername =           selinux_socket_getpeername,
5573         .socket_getsockopt =            selinux_socket_getsockopt,
5574         .socket_setsockopt =            selinux_socket_setsockopt,
5575         .socket_shutdown =              selinux_socket_shutdown,
5576         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5577         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5578         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5579         .sk_alloc_security =            selinux_sk_alloc_security,
5580         .sk_free_security =             selinux_sk_free_security,
5581         .sk_clone_security =            selinux_sk_clone_security,
5582         .sk_getsecid =                  selinux_sk_getsecid,
5583         .sock_graft =                   selinux_sock_graft,
5584         .inet_conn_request =            selinux_inet_conn_request,
5585         .inet_csk_clone =               selinux_inet_csk_clone,
5586         .inet_conn_established =        selinux_inet_conn_established,
5587         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5588         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5589         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5590         .req_classify_flow =            selinux_req_classify_flow,
5591         .tun_dev_create =               selinux_tun_dev_create,
5592         .tun_dev_post_create =          selinux_tun_dev_post_create,
5593         .tun_dev_attach =               selinux_tun_dev_attach,
5594
5595 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5596         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5597         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5598         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5599         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5600         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5601         .xfrm_state_free_security =     selinux_xfrm_state_free,
5602         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5603         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5604         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5605         .xfrm_decode_session =          selinux_xfrm_decode_session,
5606 #endif
5607
5608 #ifdef CONFIG_KEYS
5609         .key_alloc =                    selinux_key_alloc,
5610         .key_free =                     selinux_key_free,
5611         .key_permission =               selinux_key_permission,
5612         .key_getsecurity =              selinux_key_getsecurity,
5613 #endif
5614
5615 #ifdef CONFIG_AUDIT
5616         .audit_rule_init =              selinux_audit_rule_init,
5617         .audit_rule_known =             selinux_audit_rule_known,
5618         .audit_rule_match =             selinux_audit_rule_match,
5619         .audit_rule_free =              selinux_audit_rule_free,
5620 #endif
5621 };
5622
5623 static __init int selinux_init(void)
5624 {
5625         if (!security_module_enable(&selinux_ops)) {
5626                 selinux_enabled = 0;
5627                 return 0;
5628         }
5629
5630         if (!selinux_enabled) {
5631                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5632                 return 0;
5633         }
5634
5635         printk(KERN_INFO "SELinux:  Initializing.\n");
5636
5637         /* Set the security state for the initial task. */
5638         cred_init_security();
5639
5640         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5641
5642         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5643                                             sizeof(struct inode_security_struct),
5644                                             0, SLAB_PANIC, NULL);
5645         avc_init();
5646
5647         if (register_security(&selinux_ops))
5648                 panic("SELinux: Unable to register with kernel.\n");
5649
5650         if (selinux_enforcing)
5651                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5652         else
5653                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5654
5655         return 0;
5656 }
5657
5658 static void delayed_superblock_init(struct super_block *sb, void *unused)
5659 {
5660         superblock_doinit(sb, NULL);
5661 }
5662
5663 void selinux_complete_init(void)
5664 {
5665         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5666
5667         /* Set up any superblocks initialized prior to the policy load. */
5668         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5669         iterate_supers(delayed_superblock_init, NULL);
5670 }
5671
5672 /* SELinux requires early initialization in order to label
5673    all processes and objects when they are created. */
5674 security_initcall(selinux_init);
5675
5676 #if defined(CONFIG_NETFILTER)
5677
5678 static struct nf_hook_ops selinux_ipv4_ops[] = {
5679         {
5680                 .hook =         selinux_ipv4_postroute,
5681                 .owner =        THIS_MODULE,
5682                 .pf =           PF_INET,
5683                 .hooknum =      NF_INET_POST_ROUTING,
5684                 .priority =     NF_IP_PRI_SELINUX_LAST,
5685         },
5686         {
5687                 .hook =         selinux_ipv4_forward,
5688                 .owner =        THIS_MODULE,
5689                 .pf =           PF_INET,
5690                 .hooknum =      NF_INET_FORWARD,
5691                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5692         },
5693         {
5694                 .hook =         selinux_ipv4_output,
5695                 .owner =        THIS_MODULE,
5696                 .pf =           PF_INET,
5697                 .hooknum =      NF_INET_LOCAL_OUT,
5698                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5699         }
5700 };
5701
5702 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5703
5704 static struct nf_hook_ops selinux_ipv6_ops[] = {
5705         {
5706                 .hook =         selinux_ipv6_postroute,
5707                 .owner =        THIS_MODULE,
5708                 .pf =           PF_INET6,
5709                 .hooknum =      NF_INET_POST_ROUTING,
5710                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5711         },
5712         {
5713                 .hook =         selinux_ipv6_forward,
5714                 .owner =        THIS_MODULE,
5715                 .pf =           PF_INET6,
5716                 .hooknum =      NF_INET_FORWARD,
5717                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5718         }
5719 };
5720
5721 #endif  /* IPV6 */
5722
5723 static int __init selinux_nf_ip_init(void)
5724 {
5725         int err = 0;
5726
5727         if (!selinux_enabled)
5728                 goto out;
5729
5730         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5731
5732         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5733         if (err)
5734                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5735
5736 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5737         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5738         if (err)
5739                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5740 #endif  /* IPV6 */
5741
5742 out:
5743         return err;
5744 }
5745
5746 __initcall(selinux_nf_ip_init);
5747
5748 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5749 static void selinux_nf_ip_exit(void)
5750 {
5751         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5752
5753         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5754 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5755         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5756 #endif  /* IPV6 */
5757 }
5758 #endif
5759
5760 #else /* CONFIG_NETFILTER */
5761
5762 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5763 #define selinux_nf_ip_exit()
5764 #endif
5765
5766 #endif /* CONFIG_NETFILTER */
5767
5768 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5769 static int selinux_disabled;
5770
5771 int selinux_disable(void)
5772 {
5773         extern void exit_sel_fs(void);
5774
5775         if (ss_initialized) {
5776                 /* Not permitted after initial policy load. */
5777                 return -EINVAL;
5778         }
5779
5780         if (selinux_disabled) {
5781                 /* Only do this once. */
5782                 return -EINVAL;
5783         }
5784
5785         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5786
5787         selinux_disabled = 1;
5788         selinux_enabled = 0;
5789
5790         reset_security_ops();
5791
5792         /* Try to destroy the avc node cache */
5793         avc_disable();
5794
5795         /* Unregister netfilter hooks. */
5796         selinux_nf_ip_exit();
5797
5798         /* Unregister selinuxfs. */
5799         exit_sel_fs();
5800
5801         return 0;
5802 }
5803 #endif