Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into next
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>             /* for local_port_range[] */
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <asm/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>    /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>           /* for Unix socket types */
70 #include <net/af_unix.h>        /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82
83 #include "avc.h"
84 #include "objsec.h"
85 #include "netif.h"
86 #include "netnode.h"
87 #include "netport.h"
88 #include "xfrm.h"
89 #include "netlabel.h"
90 #include "audit.h"
91
92 #define NUM_SEL_MNT_OPTS 5
93
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern struct security_operations *security_ops;
96
97 /* SECMARK reference count */
98 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105         unsigned long enforcing;
106         if (!strict_strtoul(str, 0, &enforcing))
107                 selinux_enforcing = enforcing ? 1 : 0;
108         return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118         unsigned long enabled;
119         if (!strict_strtoul(str, 0, &enabled))
120                 selinux_enabled = enabled ? 1 : 0;
121         return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129
130 /**
131  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132  *
133  * Description:
134  * This function checks the SECMARK reference counter to see if any SECMARK
135  * targets are currently configured, if the reference counter is greater than
136  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
137  * enabled, false (0) if SECMARK is disabled.
138  *
139  */
140 static int selinux_secmark_enabled(void)
141 {
142         return (atomic_read(&selinux_secmark_refcount) > 0);
143 }
144
145 /*
146  * initialise the security for the init task
147  */
148 static void cred_init_security(void)
149 {
150         struct cred *cred = (struct cred *) current->real_cred;
151         struct task_security_struct *tsec;
152
153         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
154         if (!tsec)
155                 panic("SELinux:  Failed to initialize initial task.\n");
156
157         tsec->osid = tsec->sid = SECINITSID_KERNEL;
158         cred->security = tsec;
159 }
160
161 /*
162  * get the security ID of a set of credentials
163  */
164 static inline u32 cred_sid(const struct cred *cred)
165 {
166         const struct task_security_struct *tsec;
167
168         tsec = cred->security;
169         return tsec->sid;
170 }
171
172 /*
173  * get the objective security ID of a task
174  */
175 static inline u32 task_sid(const struct task_struct *task)
176 {
177         u32 sid;
178
179         rcu_read_lock();
180         sid = cred_sid(__task_cred(task));
181         rcu_read_unlock();
182         return sid;
183 }
184
185 /*
186  * get the subjective security ID of the current task
187  */
188 static inline u32 current_sid(void)
189 {
190         const struct task_security_struct *tsec = current_security();
191
192         return tsec->sid;
193 }
194
195 /* Allocate and free functions for each kind of security blob. */
196
197 static int inode_alloc_security(struct inode *inode)
198 {
199         struct inode_security_struct *isec;
200         u32 sid = current_sid();
201
202         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
203         if (!isec)
204                 return -ENOMEM;
205
206         mutex_init(&isec->lock);
207         INIT_LIST_HEAD(&isec->list);
208         isec->inode = inode;
209         isec->sid = SECINITSID_UNLABELED;
210         isec->sclass = SECCLASS_FILE;
211         isec->task_sid = sid;
212         inode->i_security = isec;
213
214         return 0;
215 }
216
217 static void inode_free_security(struct inode *inode)
218 {
219         struct inode_security_struct *isec = inode->i_security;
220         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
221
222         spin_lock(&sbsec->isec_lock);
223         if (!list_empty(&isec->list))
224                 list_del_init(&isec->list);
225         spin_unlock(&sbsec->isec_lock);
226
227         inode->i_security = NULL;
228         kmem_cache_free(sel_inode_cache, isec);
229 }
230
231 static int file_alloc_security(struct file *file)
232 {
233         struct file_security_struct *fsec;
234         u32 sid = current_sid();
235
236         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
237         if (!fsec)
238                 return -ENOMEM;
239
240         fsec->sid = sid;
241         fsec->fown_sid = sid;
242         file->f_security = fsec;
243
244         return 0;
245 }
246
247 static void file_free_security(struct file *file)
248 {
249         struct file_security_struct *fsec = file->f_security;
250         file->f_security = NULL;
251         kfree(fsec);
252 }
253
254 static int superblock_alloc_security(struct super_block *sb)
255 {
256         struct superblock_security_struct *sbsec;
257
258         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
259         if (!sbsec)
260                 return -ENOMEM;
261
262         mutex_init(&sbsec->lock);
263         INIT_LIST_HEAD(&sbsec->isec_head);
264         spin_lock_init(&sbsec->isec_lock);
265         sbsec->sb = sb;
266         sbsec->sid = SECINITSID_UNLABELED;
267         sbsec->def_sid = SECINITSID_FILE;
268         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
269         sb->s_security = sbsec;
270
271         return 0;
272 }
273
274 static void superblock_free_security(struct super_block *sb)
275 {
276         struct superblock_security_struct *sbsec = sb->s_security;
277         sb->s_security = NULL;
278         kfree(sbsec);
279 }
280
281 /* The security server must be initialized before
282    any labeling or access decisions can be provided. */
283 extern int ss_initialized;
284
285 /* The file system's label must be initialized prior to use. */
286
287 static const char *labeling_behaviors[6] = {
288         "uses xattr",
289         "uses transition SIDs",
290         "uses task SIDs",
291         "uses genfs_contexts",
292         "not configured for labeling",
293         "uses mountpoint labeling",
294 };
295
296 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
297
298 static inline int inode_doinit(struct inode *inode)
299 {
300         return inode_doinit_with_dentry(inode, NULL);
301 }
302
303 enum {
304         Opt_error = -1,
305         Opt_context = 1,
306         Opt_fscontext = 2,
307         Opt_defcontext = 3,
308         Opt_rootcontext = 4,
309         Opt_labelsupport = 5,
310 };
311
312 static const match_table_t tokens = {
313         {Opt_context, CONTEXT_STR "%s"},
314         {Opt_fscontext, FSCONTEXT_STR "%s"},
315         {Opt_defcontext, DEFCONTEXT_STR "%s"},
316         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
317         {Opt_labelsupport, LABELSUPP_STR},
318         {Opt_error, NULL},
319 };
320
321 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
322
323 static int may_context_mount_sb_relabel(u32 sid,
324                         struct superblock_security_struct *sbsec,
325                         const struct cred *cred)
326 {
327         const struct task_security_struct *tsec = cred->security;
328         int rc;
329
330         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
331                           FILESYSTEM__RELABELFROM, NULL);
332         if (rc)
333                 return rc;
334
335         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
336                           FILESYSTEM__RELABELTO, NULL);
337         return rc;
338 }
339
340 static int may_context_mount_inode_relabel(u32 sid,
341                         struct superblock_security_struct *sbsec,
342                         const struct cred *cred)
343 {
344         const struct task_security_struct *tsec = cred->security;
345         int rc;
346         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347                           FILESYSTEM__RELABELFROM, NULL);
348         if (rc)
349                 return rc;
350
351         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
352                           FILESYSTEM__ASSOCIATE, NULL);
353         return rc;
354 }
355
356 static int sb_finish_set_opts(struct super_block *sb)
357 {
358         struct superblock_security_struct *sbsec = sb->s_security;
359         struct dentry *root = sb->s_root;
360         struct inode *root_inode = root->d_inode;
361         int rc = 0;
362
363         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
364                 /* Make sure that the xattr handler exists and that no
365                    error other than -ENODATA is returned by getxattr on
366                    the root directory.  -ENODATA is ok, as this may be
367                    the first boot of the SELinux kernel before we have
368                    assigned xattr values to the filesystem. */
369                 if (!root_inode->i_op->getxattr) {
370                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
371                                "xattr support\n", sb->s_id, sb->s_type->name);
372                         rc = -EOPNOTSUPP;
373                         goto out;
374                 }
375                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
376                 if (rc < 0 && rc != -ENODATA) {
377                         if (rc == -EOPNOTSUPP)
378                                 printk(KERN_WARNING "SELinux: (dev %s, type "
379                                        "%s) has no security xattr handler\n",
380                                        sb->s_id, sb->s_type->name);
381                         else
382                                 printk(KERN_WARNING "SELinux: (dev %s, type "
383                                        "%s) getxattr errno %d\n", sb->s_id,
384                                        sb->s_type->name, -rc);
385                         goto out;
386                 }
387         }
388
389         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
390
391         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
392                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
393                        sb->s_id, sb->s_type->name);
394         else
395                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
396                        sb->s_id, sb->s_type->name,
397                        labeling_behaviors[sbsec->behavior-1]);
398
399         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
400             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
401             sbsec->behavior == SECURITY_FS_USE_NONE ||
402             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403                 sbsec->flags &= ~SE_SBLABELSUPP;
404
405         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
406         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
407                 sbsec->flags |= SE_SBLABELSUPP;
408
409         /* Initialize the root inode. */
410         rc = inode_doinit_with_dentry(root_inode, root);
411
412         /* Initialize any other inodes associated with the superblock, e.g.
413            inodes created prior to initial policy load or inodes created
414            during get_sb by a pseudo filesystem that directly
415            populates itself. */
416         spin_lock(&sbsec->isec_lock);
417 next_inode:
418         if (!list_empty(&sbsec->isec_head)) {
419                 struct inode_security_struct *isec =
420                                 list_entry(sbsec->isec_head.next,
421                                            struct inode_security_struct, list);
422                 struct inode *inode = isec->inode;
423                 spin_unlock(&sbsec->isec_lock);
424                 inode = igrab(inode);
425                 if (inode) {
426                         if (!IS_PRIVATE(inode))
427                                 inode_doinit(inode);
428                         iput(inode);
429                 }
430                 spin_lock(&sbsec->isec_lock);
431                 list_del_init(&isec->list);
432                 goto next_inode;
433         }
434         spin_unlock(&sbsec->isec_lock);
435 out:
436         return rc;
437 }
438
439 /*
440  * This function should allow an FS to ask what it's mount security
441  * options were so it can use those later for submounts, displaying
442  * mount options, or whatever.
443  */
444 static int selinux_get_mnt_opts(const struct super_block *sb,
445                                 struct security_mnt_opts *opts)
446 {
447         int rc = 0, i;
448         struct superblock_security_struct *sbsec = sb->s_security;
449         char *context = NULL;
450         u32 len;
451         char tmp;
452
453         security_init_mnt_opts(opts);
454
455         if (!(sbsec->flags & SE_SBINITIALIZED))
456                 return -EINVAL;
457
458         if (!ss_initialized)
459                 return -EINVAL;
460
461         tmp = sbsec->flags & SE_MNTMASK;
462         /* count the number of mount options for this sb */
463         for (i = 0; i < 8; i++) {
464                 if (tmp & 0x01)
465                         opts->num_mnt_opts++;
466                 tmp >>= 1;
467         }
468         /* Check if the Label support flag is set */
469         if (sbsec->flags & SE_SBLABELSUPP)
470                 opts->num_mnt_opts++;
471
472         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473         if (!opts->mnt_opts) {
474                 rc = -ENOMEM;
475                 goto out_free;
476         }
477
478         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479         if (!opts->mnt_opts_flags) {
480                 rc = -ENOMEM;
481                 goto out_free;
482         }
483
484         i = 0;
485         if (sbsec->flags & FSCONTEXT_MNT) {
486                 rc = security_sid_to_context(sbsec->sid, &context, &len);
487                 if (rc)
488                         goto out_free;
489                 opts->mnt_opts[i] = context;
490                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
491         }
492         if (sbsec->flags & CONTEXT_MNT) {
493                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
494                 if (rc)
495                         goto out_free;
496                 opts->mnt_opts[i] = context;
497                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
498         }
499         if (sbsec->flags & DEFCONTEXT_MNT) {
500                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
501                 if (rc)
502                         goto out_free;
503                 opts->mnt_opts[i] = context;
504                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
505         }
506         if (sbsec->flags & ROOTCONTEXT_MNT) {
507                 struct inode *root = sbsec->sb->s_root->d_inode;
508                 struct inode_security_struct *isec = root->i_security;
509
510                 rc = security_sid_to_context(isec->sid, &context, &len);
511                 if (rc)
512                         goto out_free;
513                 opts->mnt_opts[i] = context;
514                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
515         }
516         if (sbsec->flags & SE_SBLABELSUPP) {
517                 opts->mnt_opts[i] = NULL;
518                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
519         }
520
521         BUG_ON(i != opts->num_mnt_opts);
522
523         return 0;
524
525 out_free:
526         security_free_mnt_opts(opts);
527         return rc;
528 }
529
530 static int bad_option(struct superblock_security_struct *sbsec, char flag,
531                       u32 old_sid, u32 new_sid)
532 {
533         char mnt_flags = sbsec->flags & SE_MNTMASK;
534
535         /* check if the old mount command had the same options */
536         if (sbsec->flags & SE_SBINITIALIZED)
537                 if (!(sbsec->flags & flag) ||
538                     (old_sid != new_sid))
539                         return 1;
540
541         /* check if we were passed the same options twice,
542          * aka someone passed context=a,context=b
543          */
544         if (!(sbsec->flags & SE_SBINITIALIZED))
545                 if (mnt_flags & flag)
546                         return 1;
547         return 0;
548 }
549
550 /*
551  * Allow filesystems with binary mount data to explicitly set mount point
552  * labeling information.
553  */
554 static int selinux_set_mnt_opts(struct super_block *sb,
555                                 struct security_mnt_opts *opts)
556 {
557         const struct cred *cred = current_cred();
558         int rc = 0, i;
559         struct superblock_security_struct *sbsec = sb->s_security;
560         const char *name = sb->s_type->name;
561         struct inode *inode = sbsec->sb->s_root->d_inode;
562         struct inode_security_struct *root_isec = inode->i_security;
563         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564         u32 defcontext_sid = 0;
565         char **mount_options = opts->mnt_opts;
566         int *flags = opts->mnt_opts_flags;
567         int num_opts = opts->num_mnt_opts;
568
569         mutex_lock(&sbsec->lock);
570
571         if (!ss_initialized) {
572                 if (!num_opts) {
573                         /* Defer initialization until selinux_complete_init,
574                            after the initial policy is loaded and the security
575                            server is ready to handle calls. */
576                         goto out;
577                 }
578                 rc = -EINVAL;
579                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
580                         "before the security server is initialized\n");
581                 goto out;
582         }
583
584         /*
585          * Binary mount data FS will come through this function twice.  Once
586          * from an explicit call and once from the generic calls from the vfs.
587          * Since the generic VFS calls will not contain any security mount data
588          * we need to skip the double mount verification.
589          *
590          * This does open a hole in which we will not notice if the first
591          * mount using this sb set explict options and a second mount using
592          * this sb does not set any security options.  (The first options
593          * will be used for both mounts)
594          */
595         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596             && (num_opts == 0))
597                 goto out;
598
599         /*
600          * parse the mount options, check if they are valid sids.
601          * also check if someone is trying to mount the same sb more
602          * than once with different security options.
603          */
604         for (i = 0; i < num_opts; i++) {
605                 u32 sid;
606
607                 if (flags[i] == SE_SBLABELSUPP)
608                         continue;
609                 rc = security_context_to_sid(mount_options[i],
610                                              strlen(mount_options[i]), &sid);
611                 if (rc) {
612                         printk(KERN_WARNING "SELinux: security_context_to_sid"
613                                "(%s) failed for (dev %s, type %s) errno=%d\n",
614                                mount_options[i], sb->s_id, name, rc);
615                         goto out;
616                 }
617                 switch (flags[i]) {
618                 case FSCONTEXT_MNT:
619                         fscontext_sid = sid;
620
621                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
622                                         fscontext_sid))
623                                 goto out_double_mount;
624
625                         sbsec->flags |= FSCONTEXT_MNT;
626                         break;
627                 case CONTEXT_MNT:
628                         context_sid = sid;
629
630                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
631                                         context_sid))
632                                 goto out_double_mount;
633
634                         sbsec->flags |= CONTEXT_MNT;
635                         break;
636                 case ROOTCONTEXT_MNT:
637                         rootcontext_sid = sid;
638
639                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
640                                         rootcontext_sid))
641                                 goto out_double_mount;
642
643                         sbsec->flags |= ROOTCONTEXT_MNT;
644
645                         break;
646                 case DEFCONTEXT_MNT:
647                         defcontext_sid = sid;
648
649                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
650                                         defcontext_sid))
651                                 goto out_double_mount;
652
653                         sbsec->flags |= DEFCONTEXT_MNT;
654
655                         break;
656                 default:
657                         rc = -EINVAL;
658                         goto out;
659                 }
660         }
661
662         if (sbsec->flags & SE_SBINITIALIZED) {
663                 /* previously mounted with options, but not on this attempt? */
664                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
665                         goto out_double_mount;
666                 rc = 0;
667                 goto out;
668         }
669
670         if (strcmp(sb->s_type->name, "proc") == 0)
671                 sbsec->flags |= SE_SBPROC;
672
673         /* Determine the labeling behavior to use for this filesystem type. */
674         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
675         if (rc) {
676                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
677                        __func__, sb->s_type->name, rc);
678                 goto out;
679         }
680
681         /* sets the context of the superblock for the fs being mounted. */
682         if (fscontext_sid) {
683                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
684                 if (rc)
685                         goto out;
686
687                 sbsec->sid = fscontext_sid;
688         }
689
690         /*
691          * Switch to using mount point labeling behavior.
692          * sets the label used on all file below the mountpoint, and will set
693          * the superblock context if not already set.
694          */
695         if (context_sid) {
696                 if (!fscontext_sid) {
697                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
698                                                           cred);
699                         if (rc)
700                                 goto out;
701                         sbsec->sid = context_sid;
702                 } else {
703                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
704                                                              cred);
705                         if (rc)
706                                 goto out;
707                 }
708                 if (!rootcontext_sid)
709                         rootcontext_sid = context_sid;
710
711                 sbsec->mntpoint_sid = context_sid;
712                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
713         }
714
715         if (rootcontext_sid) {
716                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
717                                                      cred);
718                 if (rc)
719                         goto out;
720
721                 root_isec->sid = rootcontext_sid;
722                 root_isec->initialized = 1;
723         }
724
725         if (defcontext_sid) {
726                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
727                         rc = -EINVAL;
728                         printk(KERN_WARNING "SELinux: defcontext option is "
729                                "invalid for this filesystem type\n");
730                         goto out;
731                 }
732
733                 if (defcontext_sid != sbsec->def_sid) {
734                         rc = may_context_mount_inode_relabel(defcontext_sid,
735                                                              sbsec, cred);
736                         if (rc)
737                                 goto out;
738                 }
739
740                 sbsec->def_sid = defcontext_sid;
741         }
742
743         rc = sb_finish_set_opts(sb);
744 out:
745         mutex_unlock(&sbsec->lock);
746         return rc;
747 out_double_mount:
748         rc = -EINVAL;
749         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
750                "security settings for (dev %s, type %s)\n", sb->s_id, name);
751         goto out;
752 }
753
754 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
755                                         struct super_block *newsb)
756 {
757         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
758         struct superblock_security_struct *newsbsec = newsb->s_security;
759
760         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
761         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
762         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
763
764         /*
765          * if the parent was able to be mounted it clearly had no special lsm
766          * mount options.  thus we can safely deal with this superblock later
767          */
768         if (!ss_initialized)
769                 return;
770
771         /* how can we clone if the old one wasn't set up?? */
772         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
773
774         /* if fs is reusing a sb, just let its options stand... */
775         if (newsbsec->flags & SE_SBINITIALIZED)
776                 return;
777
778         mutex_lock(&newsbsec->lock);
779
780         newsbsec->flags = oldsbsec->flags;
781
782         newsbsec->sid = oldsbsec->sid;
783         newsbsec->def_sid = oldsbsec->def_sid;
784         newsbsec->behavior = oldsbsec->behavior;
785
786         if (set_context) {
787                 u32 sid = oldsbsec->mntpoint_sid;
788
789                 if (!set_fscontext)
790                         newsbsec->sid = sid;
791                 if (!set_rootcontext) {
792                         struct inode *newinode = newsb->s_root->d_inode;
793                         struct inode_security_struct *newisec = newinode->i_security;
794                         newisec->sid = sid;
795                 }
796                 newsbsec->mntpoint_sid = sid;
797         }
798         if (set_rootcontext) {
799                 const struct inode *oldinode = oldsb->s_root->d_inode;
800                 const struct inode_security_struct *oldisec = oldinode->i_security;
801                 struct inode *newinode = newsb->s_root->d_inode;
802                 struct inode_security_struct *newisec = newinode->i_security;
803
804                 newisec->sid = oldisec->sid;
805         }
806
807         sb_finish_set_opts(newsb);
808         mutex_unlock(&newsbsec->lock);
809 }
810
811 static int selinux_parse_opts_str(char *options,
812                                   struct security_mnt_opts *opts)
813 {
814         char *p;
815         char *context = NULL, *defcontext = NULL;
816         char *fscontext = NULL, *rootcontext = NULL;
817         int rc, num_mnt_opts = 0;
818
819         opts->num_mnt_opts = 0;
820
821         /* Standard string-based options. */
822         while ((p = strsep(&options, "|")) != NULL) {
823                 int token;
824                 substring_t args[MAX_OPT_ARGS];
825
826                 if (!*p)
827                         continue;
828
829                 token = match_token(p, tokens, args);
830
831                 switch (token) {
832                 case Opt_context:
833                         if (context || defcontext) {
834                                 rc = -EINVAL;
835                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
836                                 goto out_err;
837                         }
838                         context = match_strdup(&args[0]);
839                         if (!context) {
840                                 rc = -ENOMEM;
841                                 goto out_err;
842                         }
843                         break;
844
845                 case Opt_fscontext:
846                         if (fscontext) {
847                                 rc = -EINVAL;
848                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
849                                 goto out_err;
850                         }
851                         fscontext = match_strdup(&args[0]);
852                         if (!fscontext) {
853                                 rc = -ENOMEM;
854                                 goto out_err;
855                         }
856                         break;
857
858                 case Opt_rootcontext:
859                         if (rootcontext) {
860                                 rc = -EINVAL;
861                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
862                                 goto out_err;
863                         }
864                         rootcontext = match_strdup(&args[0]);
865                         if (!rootcontext) {
866                                 rc = -ENOMEM;
867                                 goto out_err;
868                         }
869                         break;
870
871                 case Opt_defcontext:
872                         if (context || defcontext) {
873                                 rc = -EINVAL;
874                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875                                 goto out_err;
876                         }
877                         defcontext = match_strdup(&args[0]);
878                         if (!defcontext) {
879                                 rc = -ENOMEM;
880                                 goto out_err;
881                         }
882                         break;
883                 case Opt_labelsupport:
884                         break;
885                 default:
886                         rc = -EINVAL;
887                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
888                         goto out_err;
889
890                 }
891         }
892
893         rc = -ENOMEM;
894         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
895         if (!opts->mnt_opts)
896                 goto out_err;
897
898         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
899         if (!opts->mnt_opts_flags) {
900                 kfree(opts->mnt_opts);
901                 goto out_err;
902         }
903
904         if (fscontext) {
905                 opts->mnt_opts[num_mnt_opts] = fscontext;
906                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
907         }
908         if (context) {
909                 opts->mnt_opts[num_mnt_opts] = context;
910                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
911         }
912         if (rootcontext) {
913                 opts->mnt_opts[num_mnt_opts] = rootcontext;
914                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
915         }
916         if (defcontext) {
917                 opts->mnt_opts[num_mnt_opts] = defcontext;
918                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
919         }
920
921         opts->num_mnt_opts = num_mnt_opts;
922         return 0;
923
924 out_err:
925         kfree(context);
926         kfree(defcontext);
927         kfree(fscontext);
928         kfree(rootcontext);
929         return rc;
930 }
931 /*
932  * string mount options parsing and call set the sbsec
933  */
934 static int superblock_doinit(struct super_block *sb, void *data)
935 {
936         int rc = 0;
937         char *options = data;
938         struct security_mnt_opts opts;
939
940         security_init_mnt_opts(&opts);
941
942         if (!data)
943                 goto out;
944
945         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
946
947         rc = selinux_parse_opts_str(options, &opts);
948         if (rc)
949                 goto out_err;
950
951 out:
952         rc = selinux_set_mnt_opts(sb, &opts);
953
954 out_err:
955         security_free_mnt_opts(&opts);
956         return rc;
957 }
958
959 static void selinux_write_opts(struct seq_file *m,
960                                struct security_mnt_opts *opts)
961 {
962         int i;
963         char *prefix;
964
965         for (i = 0; i < opts->num_mnt_opts; i++) {
966                 char *has_comma;
967
968                 if (opts->mnt_opts[i])
969                         has_comma = strchr(opts->mnt_opts[i], ',');
970                 else
971                         has_comma = NULL;
972
973                 switch (opts->mnt_opts_flags[i]) {
974                 case CONTEXT_MNT:
975                         prefix = CONTEXT_STR;
976                         break;
977                 case FSCONTEXT_MNT:
978                         prefix = FSCONTEXT_STR;
979                         break;
980                 case ROOTCONTEXT_MNT:
981                         prefix = ROOTCONTEXT_STR;
982                         break;
983                 case DEFCONTEXT_MNT:
984                         prefix = DEFCONTEXT_STR;
985                         break;
986                 case SE_SBLABELSUPP:
987                         seq_putc(m, ',');
988                         seq_puts(m, LABELSUPP_STR);
989                         continue;
990                 default:
991                         BUG();
992                 };
993                 /* we need a comma before each option */
994                 seq_putc(m, ',');
995                 seq_puts(m, prefix);
996                 if (has_comma)
997                         seq_putc(m, '\"');
998                 seq_puts(m, opts->mnt_opts[i]);
999                 if (has_comma)
1000                         seq_putc(m, '\"');
1001         }
1002 }
1003
1004 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1005 {
1006         struct security_mnt_opts opts;
1007         int rc;
1008
1009         rc = selinux_get_mnt_opts(sb, &opts);
1010         if (rc) {
1011                 /* before policy load we may get EINVAL, don't show anything */
1012                 if (rc == -EINVAL)
1013                         rc = 0;
1014                 return rc;
1015         }
1016
1017         selinux_write_opts(m, &opts);
1018
1019         security_free_mnt_opts(&opts);
1020
1021         return rc;
1022 }
1023
1024 static inline u16 inode_mode_to_security_class(umode_t mode)
1025 {
1026         switch (mode & S_IFMT) {
1027         case S_IFSOCK:
1028                 return SECCLASS_SOCK_FILE;
1029         case S_IFLNK:
1030                 return SECCLASS_LNK_FILE;
1031         case S_IFREG:
1032                 return SECCLASS_FILE;
1033         case S_IFBLK:
1034                 return SECCLASS_BLK_FILE;
1035         case S_IFDIR:
1036                 return SECCLASS_DIR;
1037         case S_IFCHR:
1038                 return SECCLASS_CHR_FILE;
1039         case S_IFIFO:
1040                 return SECCLASS_FIFO_FILE;
1041
1042         }
1043
1044         return SECCLASS_FILE;
1045 }
1046
1047 static inline int default_protocol_stream(int protocol)
1048 {
1049         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050 }
1051
1052 static inline int default_protocol_dgram(int protocol)
1053 {
1054         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055 }
1056
1057 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1058 {
1059         switch (family) {
1060         case PF_UNIX:
1061                 switch (type) {
1062                 case SOCK_STREAM:
1063                 case SOCK_SEQPACKET:
1064                         return SECCLASS_UNIX_STREAM_SOCKET;
1065                 case SOCK_DGRAM:
1066                         return SECCLASS_UNIX_DGRAM_SOCKET;
1067                 }
1068                 break;
1069         case PF_INET:
1070         case PF_INET6:
1071                 switch (type) {
1072                 case SOCK_STREAM:
1073                         if (default_protocol_stream(protocol))
1074                                 return SECCLASS_TCP_SOCKET;
1075                         else
1076                                 return SECCLASS_RAWIP_SOCKET;
1077                 case SOCK_DGRAM:
1078                         if (default_protocol_dgram(protocol))
1079                                 return SECCLASS_UDP_SOCKET;
1080                         else
1081                                 return SECCLASS_RAWIP_SOCKET;
1082                 case SOCK_DCCP:
1083                         return SECCLASS_DCCP_SOCKET;
1084                 default:
1085                         return SECCLASS_RAWIP_SOCKET;
1086                 }
1087                 break;
1088         case PF_NETLINK:
1089                 switch (protocol) {
1090                 case NETLINK_ROUTE:
1091                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1092                 case NETLINK_FIREWALL:
1093                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1094                 case NETLINK_INET_DIAG:
1095                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1096                 case NETLINK_NFLOG:
1097                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1098                 case NETLINK_XFRM:
1099                         return SECCLASS_NETLINK_XFRM_SOCKET;
1100                 case NETLINK_SELINUX:
1101                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1102                 case NETLINK_AUDIT:
1103                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1104                 case NETLINK_IP6_FW:
1105                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1106                 case NETLINK_DNRTMSG:
1107                         return SECCLASS_NETLINK_DNRT_SOCKET;
1108                 case NETLINK_KOBJECT_UEVENT:
1109                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1110                 default:
1111                         return SECCLASS_NETLINK_SOCKET;
1112                 }
1113         case PF_PACKET:
1114                 return SECCLASS_PACKET_SOCKET;
1115         case PF_KEY:
1116                 return SECCLASS_KEY_SOCKET;
1117         case PF_APPLETALK:
1118                 return SECCLASS_APPLETALK_SOCKET;
1119         }
1120
1121         return SECCLASS_SOCKET;
1122 }
1123
1124 #ifdef CONFIG_PROC_FS
1125 static int selinux_proc_get_sid(struct dentry *dentry,
1126                                 u16 tclass,
1127                                 u32 *sid)
1128 {
1129         int rc;
1130         char *buffer, *path;
1131
1132         buffer = (char *)__get_free_page(GFP_KERNEL);
1133         if (!buffer)
1134                 return -ENOMEM;
1135
1136         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1137         if (IS_ERR(path))
1138                 rc = PTR_ERR(path);
1139         else {
1140                 /* each process gets a /proc/PID/ entry. Strip off the
1141                  * PID part to get a valid selinux labeling.
1142                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143                 while (path[1] >= '0' && path[1] <= '9') {
1144                         path[1] = '/';
1145                         path++;
1146                 }
1147                 rc = security_genfs_sid("proc", path, tclass, sid);
1148         }
1149         free_page((unsigned long)buffer);
1150         return rc;
1151 }
1152 #else
1153 static int selinux_proc_get_sid(struct dentry *dentry,
1154                                 u16 tclass,
1155                                 u32 *sid)
1156 {
1157         return -EINVAL;
1158 }
1159 #endif
1160
1161 /* The inode's security attributes must be initialized before first use. */
1162 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1163 {
1164         struct superblock_security_struct *sbsec = NULL;
1165         struct inode_security_struct *isec = inode->i_security;
1166         u32 sid;
1167         struct dentry *dentry;
1168 #define INITCONTEXTLEN 255
1169         char *context = NULL;
1170         unsigned len = 0;
1171         int rc = 0;
1172
1173         if (isec->initialized)
1174                 goto out;
1175
1176         mutex_lock(&isec->lock);
1177         if (isec->initialized)
1178                 goto out_unlock;
1179
1180         sbsec = inode->i_sb->s_security;
1181         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1182                 /* Defer initialization until selinux_complete_init,
1183                    after the initial policy is loaded and the security
1184                    server is ready to handle calls. */
1185                 spin_lock(&sbsec->isec_lock);
1186                 if (list_empty(&isec->list))
1187                         list_add(&isec->list, &sbsec->isec_head);
1188                 spin_unlock(&sbsec->isec_lock);
1189                 goto out_unlock;
1190         }
1191
1192         switch (sbsec->behavior) {
1193         case SECURITY_FS_USE_XATTR:
1194                 if (!inode->i_op->getxattr) {
1195                         isec->sid = sbsec->def_sid;
1196                         break;
1197                 }
1198
1199                 /* Need a dentry, since the xattr API requires one.
1200                    Life would be simpler if we could just pass the inode. */
1201                 if (opt_dentry) {
1202                         /* Called from d_instantiate or d_splice_alias. */
1203                         dentry = dget(opt_dentry);
1204                 } else {
1205                         /* Called from selinux_complete_init, try to find a dentry. */
1206                         dentry = d_find_alias(inode);
1207                 }
1208                 if (!dentry) {
1209                         /*
1210                          * this is can be hit on boot when a file is accessed
1211                          * before the policy is loaded.  When we load policy we
1212                          * may find inodes that have no dentry on the
1213                          * sbsec->isec_head list.  No reason to complain as these
1214                          * will get fixed up the next time we go through
1215                          * inode_doinit with a dentry, before these inodes could
1216                          * be used again by userspace.
1217                          */
1218                         goto out_unlock;
1219                 }
1220
1221                 len = INITCONTEXTLEN;
1222                 context = kmalloc(len+1, GFP_NOFS);
1223                 if (!context) {
1224                         rc = -ENOMEM;
1225                         dput(dentry);
1226                         goto out_unlock;
1227                 }
1228                 context[len] = '\0';
1229                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230                                            context, len);
1231                 if (rc == -ERANGE) {
1232                         kfree(context);
1233
1234                         /* Need a larger buffer.  Query for the right size. */
1235                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1236                                                    NULL, 0);
1237                         if (rc < 0) {
1238                                 dput(dentry);
1239                                 goto out_unlock;
1240                         }
1241                         len = rc;
1242                         context = kmalloc(len+1, GFP_NOFS);
1243                         if (!context) {
1244                                 rc = -ENOMEM;
1245                                 dput(dentry);
1246                                 goto out_unlock;
1247                         }
1248                         context[len] = '\0';
1249                         rc = inode->i_op->getxattr(dentry,
1250                                                    XATTR_NAME_SELINUX,
1251                                                    context, len);
1252                 }
1253                 dput(dentry);
1254                 if (rc < 0) {
1255                         if (rc != -ENODATA) {
1256                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1257                                        "%d for dev=%s ino=%ld\n", __func__,
1258                                        -rc, inode->i_sb->s_id, inode->i_ino);
1259                                 kfree(context);
1260                                 goto out_unlock;
1261                         }
1262                         /* Map ENODATA to the default file SID */
1263                         sid = sbsec->def_sid;
1264                         rc = 0;
1265                 } else {
1266                         rc = security_context_to_sid_default(context, rc, &sid,
1267                                                              sbsec->def_sid,
1268                                                              GFP_NOFS);
1269                         if (rc) {
1270                                 char *dev = inode->i_sb->s_id;
1271                                 unsigned long ino = inode->i_ino;
1272
1273                                 if (rc == -EINVAL) {
1274                                         if (printk_ratelimit())
1275                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1277                                                         "filesystem in question.\n", ino, dev, context);
1278                                 } else {
1279                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1280                                                "returned %d for dev=%s ino=%ld\n",
1281                                                __func__, context, -rc, dev, ino);
1282                                 }
1283                                 kfree(context);
1284                                 /* Leave with the unlabeled SID */
1285                                 rc = 0;
1286                                 break;
1287                         }
1288                 }
1289                 kfree(context);
1290                 isec->sid = sid;
1291                 break;
1292         case SECURITY_FS_USE_TASK:
1293                 isec->sid = isec->task_sid;
1294                 break;
1295         case SECURITY_FS_USE_TRANS:
1296                 /* Default to the fs SID. */
1297                 isec->sid = sbsec->sid;
1298
1299                 /* Try to obtain a transition SID. */
1300                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1301                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302                                              isec->sclass, NULL, &sid);
1303                 if (rc)
1304                         goto out_unlock;
1305                 isec->sid = sid;
1306                 break;
1307         case SECURITY_FS_USE_MNTPOINT:
1308                 isec->sid = sbsec->mntpoint_sid;
1309                 break;
1310         default:
1311                 /* Default to the fs superblock SID. */
1312                 isec->sid = sbsec->sid;
1313
1314                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1315                         if (opt_dentry) {
1316                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317                                 rc = selinux_proc_get_sid(opt_dentry,
1318                                                           isec->sclass,
1319                                                           &sid);
1320                                 if (rc)
1321                                         goto out_unlock;
1322                                 isec->sid = sid;
1323                         }
1324                 }
1325                 break;
1326         }
1327
1328         isec->initialized = 1;
1329
1330 out_unlock:
1331         mutex_unlock(&isec->lock);
1332 out:
1333         if (isec->sclass == SECCLASS_FILE)
1334                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1335         return rc;
1336 }
1337
1338 /* Convert a Linux signal to an access vector. */
1339 static inline u32 signal_to_av(int sig)
1340 {
1341         u32 perm = 0;
1342
1343         switch (sig) {
1344         case SIGCHLD:
1345                 /* Commonly granted from child to parent. */
1346                 perm = PROCESS__SIGCHLD;
1347                 break;
1348         case SIGKILL:
1349                 /* Cannot be caught or ignored */
1350                 perm = PROCESS__SIGKILL;
1351                 break;
1352         case SIGSTOP:
1353                 /* Cannot be caught or ignored */
1354                 perm = PROCESS__SIGSTOP;
1355                 break;
1356         default:
1357                 /* All other signals. */
1358                 perm = PROCESS__SIGNAL;
1359                 break;
1360         }
1361
1362         return perm;
1363 }
1364
1365 /*
1366  * Check permission between a pair of credentials
1367  * fork check, ptrace check, etc.
1368  */
1369 static int cred_has_perm(const struct cred *actor,
1370                          const struct cred *target,
1371                          u32 perms)
1372 {
1373         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1374
1375         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1376 }
1377
1378 /*
1379  * Check permission between a pair of tasks, e.g. signal checks,
1380  * fork check, ptrace check, etc.
1381  * tsk1 is the actor and tsk2 is the target
1382  * - this uses the default subjective creds of tsk1
1383  */
1384 static int task_has_perm(const struct task_struct *tsk1,
1385                          const struct task_struct *tsk2,
1386                          u32 perms)
1387 {
1388         const struct task_security_struct *__tsec1, *__tsec2;
1389         u32 sid1, sid2;
1390
1391         rcu_read_lock();
1392         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1393         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1394         rcu_read_unlock();
1395         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1396 }
1397
1398 /*
1399  * Check permission between current and another task, e.g. signal checks,
1400  * fork check, ptrace check, etc.
1401  * current is the actor and tsk2 is the target
1402  * - this uses current's subjective creds
1403  */
1404 static int current_has_perm(const struct task_struct *tsk,
1405                             u32 perms)
1406 {
1407         u32 sid, tsid;
1408
1409         sid = current_sid();
1410         tsid = task_sid(tsk);
1411         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 #if CAP_LAST_CAP > 63
1415 #error Fix SELinux to handle capabilities > 63.
1416 #endif
1417
1418 /* Check whether a task is allowed to use a capability. */
1419 static int task_has_capability(struct task_struct *tsk,
1420                                const struct cred *cred,
1421                                int cap, int audit)
1422 {
1423         struct common_audit_data ad;
1424         struct av_decision avd;
1425         u16 sclass;
1426         u32 sid = cred_sid(cred);
1427         u32 av = CAP_TO_MASK(cap);
1428         int rc;
1429
1430         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1431         ad.tsk = tsk;
1432         ad.u.cap = cap;
1433
1434         switch (CAP_TO_INDEX(cap)) {
1435         case 0:
1436                 sclass = SECCLASS_CAPABILITY;
1437                 break;
1438         case 1:
1439                 sclass = SECCLASS_CAPABILITY2;
1440                 break;
1441         default:
1442                 printk(KERN_ERR
1443                        "SELinux:  out of range capability %d\n", cap);
1444                 BUG();
1445         }
1446
1447         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1448         if (audit == SECURITY_CAP_AUDIT)
1449                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1450         return rc;
1451 }
1452
1453 /* Check whether a task is allowed to use a system operation. */
1454 static int task_has_system(struct task_struct *tsk,
1455                            u32 perms)
1456 {
1457         u32 sid = task_sid(tsk);
1458
1459         return avc_has_perm(sid, SECINITSID_KERNEL,
1460                             SECCLASS_SYSTEM, perms, NULL);
1461 }
1462
1463 /* Check whether a task has a particular permission to an inode.
1464    The 'adp' parameter is optional and allows other audit
1465    data to be passed (e.g. the dentry). */
1466 static int inode_has_perm(const struct cred *cred,
1467                           struct inode *inode,
1468                           u32 perms,
1469                           struct common_audit_data *adp)
1470 {
1471         struct inode_security_struct *isec;
1472         struct common_audit_data ad;
1473         u32 sid;
1474
1475         validate_creds(cred);
1476
1477         if (unlikely(IS_PRIVATE(inode)))
1478                 return 0;
1479
1480         sid = cred_sid(cred);
1481         isec = inode->i_security;
1482
1483         if (!adp) {
1484                 adp = &ad;
1485                 COMMON_AUDIT_DATA_INIT(&ad, FS);
1486                 ad.u.fs.inode = inode;
1487         }
1488
1489         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1490 }
1491
1492 /* Same as inode_has_perm, but pass explicit audit data containing
1493    the dentry to help the auditing code to more easily generate the
1494    pathname if needed. */
1495 static inline int dentry_has_perm(const struct cred *cred,
1496                                   struct vfsmount *mnt,
1497                                   struct dentry *dentry,
1498                                   u32 av)
1499 {
1500         struct inode *inode = dentry->d_inode;
1501         struct common_audit_data ad;
1502
1503         COMMON_AUDIT_DATA_INIT(&ad, FS);
1504         ad.u.fs.path.mnt = mnt;
1505         ad.u.fs.path.dentry = dentry;
1506         return inode_has_perm(cred, inode, av, &ad);
1507 }
1508
1509 /* Check whether a task can use an open file descriptor to
1510    access an inode in a given way.  Check access to the
1511    descriptor itself, and then use dentry_has_perm to
1512    check a particular permission to the file.
1513    Access to the descriptor is implicitly granted if it
1514    has the same SID as the process.  If av is zero, then
1515    access to the file is not checked, e.g. for cases
1516    where only the descriptor is affected like seek. */
1517 static int file_has_perm(const struct cred *cred,
1518                          struct file *file,
1519                          u32 av)
1520 {
1521         struct file_security_struct *fsec = file->f_security;
1522         struct inode *inode = file->f_path.dentry->d_inode;
1523         struct common_audit_data ad;
1524         u32 sid = cred_sid(cred);
1525         int rc;
1526
1527         COMMON_AUDIT_DATA_INIT(&ad, FS);
1528         ad.u.fs.path = file->f_path;
1529
1530         if (sid != fsec->sid) {
1531                 rc = avc_has_perm(sid, fsec->sid,
1532                                   SECCLASS_FD,
1533                                   FD__USE,
1534                                   &ad);
1535                 if (rc)
1536                         goto out;
1537         }
1538
1539         /* av is zero if only checking access to the descriptor. */
1540         rc = 0;
1541         if (av)
1542                 rc = inode_has_perm(cred, inode, av, &ad);
1543
1544 out:
1545         return rc;
1546 }
1547
1548 /* Check whether a task can create a file. */
1549 static int may_create(struct inode *dir,
1550                       struct dentry *dentry,
1551                       u16 tclass)
1552 {
1553         const struct task_security_struct *tsec = current_security();
1554         struct inode_security_struct *dsec;
1555         struct superblock_security_struct *sbsec;
1556         u32 sid, newsid;
1557         struct common_audit_data ad;
1558         int rc;
1559
1560         dsec = dir->i_security;
1561         sbsec = dir->i_sb->s_security;
1562
1563         sid = tsec->sid;
1564         newsid = tsec->create_sid;
1565
1566         COMMON_AUDIT_DATA_INIT(&ad, FS);
1567         ad.u.fs.path.dentry = dentry;
1568
1569         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1570                           DIR__ADD_NAME | DIR__SEARCH,
1571                           &ad);
1572         if (rc)
1573                 return rc;
1574
1575         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1576                 rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid);
1577                 if (rc)
1578                         return rc;
1579         }
1580
1581         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1582         if (rc)
1583                 return rc;
1584
1585         return avc_has_perm(newsid, sbsec->sid,
1586                             SECCLASS_FILESYSTEM,
1587                             FILESYSTEM__ASSOCIATE, &ad);
1588 }
1589
1590 /* Check whether a task can create a key. */
1591 static int may_create_key(u32 ksid,
1592                           struct task_struct *ctx)
1593 {
1594         u32 sid = task_sid(ctx);
1595
1596         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1597 }
1598
1599 #define MAY_LINK        0
1600 #define MAY_UNLINK      1
1601 #define MAY_RMDIR       2
1602
1603 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1604 static int may_link(struct inode *dir,
1605                     struct dentry *dentry,
1606                     int kind)
1607
1608 {
1609         struct inode_security_struct *dsec, *isec;
1610         struct common_audit_data ad;
1611         u32 sid = current_sid();
1612         u32 av;
1613         int rc;
1614
1615         dsec = dir->i_security;
1616         isec = dentry->d_inode->i_security;
1617
1618         COMMON_AUDIT_DATA_INIT(&ad, FS);
1619         ad.u.fs.path.dentry = dentry;
1620
1621         av = DIR__SEARCH;
1622         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1623         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1624         if (rc)
1625                 return rc;
1626
1627         switch (kind) {
1628         case MAY_LINK:
1629                 av = FILE__LINK;
1630                 break;
1631         case MAY_UNLINK:
1632                 av = FILE__UNLINK;
1633                 break;
1634         case MAY_RMDIR:
1635                 av = DIR__RMDIR;
1636                 break;
1637         default:
1638                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1639                         __func__, kind);
1640                 return 0;
1641         }
1642
1643         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1644         return rc;
1645 }
1646
1647 static inline int may_rename(struct inode *old_dir,
1648                              struct dentry *old_dentry,
1649                              struct inode *new_dir,
1650                              struct dentry *new_dentry)
1651 {
1652         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1653         struct common_audit_data ad;
1654         u32 sid = current_sid();
1655         u32 av;
1656         int old_is_dir, new_is_dir;
1657         int rc;
1658
1659         old_dsec = old_dir->i_security;
1660         old_isec = old_dentry->d_inode->i_security;
1661         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1662         new_dsec = new_dir->i_security;
1663
1664         COMMON_AUDIT_DATA_INIT(&ad, FS);
1665
1666         ad.u.fs.path.dentry = old_dentry;
1667         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1668                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1669         if (rc)
1670                 return rc;
1671         rc = avc_has_perm(sid, old_isec->sid,
1672                           old_isec->sclass, FILE__RENAME, &ad);
1673         if (rc)
1674                 return rc;
1675         if (old_is_dir && new_dir != old_dir) {
1676                 rc = avc_has_perm(sid, old_isec->sid,
1677                                   old_isec->sclass, DIR__REPARENT, &ad);
1678                 if (rc)
1679                         return rc;
1680         }
1681
1682         ad.u.fs.path.dentry = new_dentry;
1683         av = DIR__ADD_NAME | DIR__SEARCH;
1684         if (new_dentry->d_inode)
1685                 av |= DIR__REMOVE_NAME;
1686         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1687         if (rc)
1688                 return rc;
1689         if (new_dentry->d_inode) {
1690                 new_isec = new_dentry->d_inode->i_security;
1691                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1692                 rc = avc_has_perm(sid, new_isec->sid,
1693                                   new_isec->sclass,
1694                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1695                 if (rc)
1696                         return rc;
1697         }
1698
1699         return 0;
1700 }
1701
1702 /* Check whether a task can perform a filesystem operation. */
1703 static int superblock_has_perm(const struct cred *cred,
1704                                struct super_block *sb,
1705                                u32 perms,
1706                                struct common_audit_data *ad)
1707 {
1708         struct superblock_security_struct *sbsec;
1709         u32 sid = cred_sid(cred);
1710
1711         sbsec = sb->s_security;
1712         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1713 }
1714
1715 /* Convert a Linux mode and permission mask to an access vector. */
1716 static inline u32 file_mask_to_av(int mode, int mask)
1717 {
1718         u32 av = 0;
1719
1720         if ((mode & S_IFMT) != S_IFDIR) {
1721                 if (mask & MAY_EXEC)
1722                         av |= FILE__EXECUTE;
1723                 if (mask & MAY_READ)
1724                         av |= FILE__READ;
1725
1726                 if (mask & MAY_APPEND)
1727                         av |= FILE__APPEND;
1728                 else if (mask & MAY_WRITE)
1729                         av |= FILE__WRITE;
1730
1731         } else {
1732                 if (mask & MAY_EXEC)
1733                         av |= DIR__SEARCH;
1734                 if (mask & MAY_WRITE)
1735                         av |= DIR__WRITE;
1736                 if (mask & MAY_READ)
1737                         av |= DIR__READ;
1738         }
1739
1740         return av;
1741 }
1742
1743 /* Convert a Linux file to an access vector. */
1744 static inline u32 file_to_av(struct file *file)
1745 {
1746         u32 av = 0;
1747
1748         if (file->f_mode & FMODE_READ)
1749                 av |= FILE__READ;
1750         if (file->f_mode & FMODE_WRITE) {
1751                 if (file->f_flags & O_APPEND)
1752                         av |= FILE__APPEND;
1753                 else
1754                         av |= FILE__WRITE;
1755         }
1756         if (!av) {
1757                 /*
1758                  * Special file opened with flags 3 for ioctl-only use.
1759                  */
1760                 av = FILE__IOCTL;
1761         }
1762
1763         return av;
1764 }
1765
1766 /*
1767  * Convert a file to an access vector and include the correct open
1768  * open permission.
1769  */
1770 static inline u32 open_file_to_av(struct file *file)
1771 {
1772         u32 av = file_to_av(file);
1773
1774         if (selinux_policycap_openperm)
1775                 av |= FILE__OPEN;
1776
1777         return av;
1778 }
1779
1780 /* Hook functions begin here. */
1781
1782 static int selinux_ptrace_access_check(struct task_struct *child,
1783                                      unsigned int mode)
1784 {
1785         int rc;
1786
1787         rc = cap_ptrace_access_check(child, mode);
1788         if (rc)
1789                 return rc;
1790
1791         if (mode == PTRACE_MODE_READ) {
1792                 u32 sid = current_sid();
1793                 u32 csid = task_sid(child);
1794                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1795         }
1796
1797         return current_has_perm(child, PROCESS__PTRACE);
1798 }
1799
1800 static int selinux_ptrace_traceme(struct task_struct *parent)
1801 {
1802         int rc;
1803
1804         rc = cap_ptrace_traceme(parent);
1805         if (rc)
1806                 return rc;
1807
1808         return task_has_perm(parent, current, PROCESS__PTRACE);
1809 }
1810
1811 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1812                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1813 {
1814         int error;
1815
1816         error = current_has_perm(target, PROCESS__GETCAP);
1817         if (error)
1818                 return error;
1819
1820         return cap_capget(target, effective, inheritable, permitted);
1821 }
1822
1823 static int selinux_capset(struct cred *new, const struct cred *old,
1824                           const kernel_cap_t *effective,
1825                           const kernel_cap_t *inheritable,
1826                           const kernel_cap_t *permitted)
1827 {
1828         int error;
1829
1830         error = cap_capset(new, old,
1831                                       effective, inheritable, permitted);
1832         if (error)
1833                 return error;
1834
1835         return cred_has_perm(old, new, PROCESS__SETCAP);
1836 }
1837
1838 /*
1839  * (This comment used to live with the selinux_task_setuid hook,
1840  * which was removed).
1841  *
1842  * Since setuid only affects the current process, and since the SELinux
1843  * controls are not based on the Linux identity attributes, SELinux does not
1844  * need to control this operation.  However, SELinux does control the use of
1845  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1846  */
1847
1848 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1849                            int cap, int audit)
1850 {
1851         int rc;
1852
1853         rc = cap_capable(tsk, cred, cap, audit);
1854         if (rc)
1855                 return rc;
1856
1857         return task_has_capability(tsk, cred, cap, audit);
1858 }
1859
1860 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1861 {
1862         const struct cred *cred = current_cred();
1863         int rc = 0;
1864
1865         if (!sb)
1866                 return 0;
1867
1868         switch (cmds) {
1869         case Q_SYNC:
1870         case Q_QUOTAON:
1871         case Q_QUOTAOFF:
1872         case Q_SETINFO:
1873         case Q_SETQUOTA:
1874                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1875                 break;
1876         case Q_GETFMT:
1877         case Q_GETINFO:
1878         case Q_GETQUOTA:
1879                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1880                 break;
1881         default:
1882                 rc = 0;  /* let the kernel handle invalid cmds */
1883                 break;
1884         }
1885         return rc;
1886 }
1887
1888 static int selinux_quota_on(struct dentry *dentry)
1889 {
1890         const struct cred *cred = current_cred();
1891
1892         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1893 }
1894
1895 static int selinux_syslog(int type)
1896 {
1897         int rc;
1898
1899         switch (type) {
1900         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1901         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1902                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1903                 break;
1904         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1905         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1906         /* Set level of messages printed to console */
1907         case SYSLOG_ACTION_CONSOLE_LEVEL:
1908                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1909                 break;
1910         case SYSLOG_ACTION_CLOSE:       /* Close log */
1911         case SYSLOG_ACTION_OPEN:        /* Open log */
1912         case SYSLOG_ACTION_READ:        /* Read from log */
1913         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1914         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1915         default:
1916                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1917                 break;
1918         }
1919         return rc;
1920 }
1921
1922 /*
1923  * Check that a process has enough memory to allocate a new virtual
1924  * mapping. 0 means there is enough memory for the allocation to
1925  * succeed and -ENOMEM implies there is not.
1926  *
1927  * Do not audit the selinux permission check, as this is applied to all
1928  * processes that allocate mappings.
1929  */
1930 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1931 {
1932         int rc, cap_sys_admin = 0;
1933
1934         rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
1935                              SECURITY_CAP_NOAUDIT);
1936         if (rc == 0)
1937                 cap_sys_admin = 1;
1938
1939         return __vm_enough_memory(mm, pages, cap_sys_admin);
1940 }
1941
1942 /* binprm security operations */
1943
1944 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1945 {
1946         const struct task_security_struct *old_tsec;
1947         struct task_security_struct *new_tsec;
1948         struct inode_security_struct *isec;
1949         struct common_audit_data ad;
1950         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1951         int rc;
1952
1953         rc = cap_bprm_set_creds(bprm);
1954         if (rc)
1955                 return rc;
1956
1957         /* SELinux context only depends on initial program or script and not
1958          * the script interpreter */
1959         if (bprm->cred_prepared)
1960                 return 0;
1961
1962         old_tsec = current_security();
1963         new_tsec = bprm->cred->security;
1964         isec = inode->i_security;
1965
1966         /* Default to the current task SID. */
1967         new_tsec->sid = old_tsec->sid;
1968         new_tsec->osid = old_tsec->sid;
1969
1970         /* Reset fs, key, and sock SIDs on execve. */
1971         new_tsec->create_sid = 0;
1972         new_tsec->keycreate_sid = 0;
1973         new_tsec->sockcreate_sid = 0;
1974
1975         if (old_tsec->exec_sid) {
1976                 new_tsec->sid = old_tsec->exec_sid;
1977                 /* Reset exec SID on execve. */
1978                 new_tsec->exec_sid = 0;
1979         } else {
1980                 /* Check for a default transition on this program. */
1981                 rc = security_transition_sid(old_tsec->sid, isec->sid,
1982                                              SECCLASS_PROCESS, NULL,
1983                                              &new_tsec->sid);
1984                 if (rc)
1985                         return rc;
1986         }
1987
1988         COMMON_AUDIT_DATA_INIT(&ad, FS);
1989         ad.u.fs.path = bprm->file->f_path;
1990
1991         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1992                 new_tsec->sid = old_tsec->sid;
1993
1994         if (new_tsec->sid == old_tsec->sid) {
1995                 rc = avc_has_perm(old_tsec->sid, isec->sid,
1996                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1997                 if (rc)
1998                         return rc;
1999         } else {
2000                 /* Check permissions for the transition. */
2001                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2002                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2003                 if (rc)
2004                         return rc;
2005
2006                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2007                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2008                 if (rc)
2009                         return rc;
2010
2011                 /* Check for shared state */
2012                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2013                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2014                                           SECCLASS_PROCESS, PROCESS__SHARE,
2015                                           NULL);
2016                         if (rc)
2017                                 return -EPERM;
2018                 }
2019
2020                 /* Make sure that anyone attempting to ptrace over a task that
2021                  * changes its SID has the appropriate permit */
2022                 if (bprm->unsafe &
2023                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2024                         struct task_struct *tracer;
2025                         struct task_security_struct *sec;
2026                         u32 ptsid = 0;
2027
2028                         rcu_read_lock();
2029                         tracer = tracehook_tracer_task(current);
2030                         if (likely(tracer != NULL)) {
2031                                 sec = __task_cred(tracer)->security;
2032                                 ptsid = sec->sid;
2033                         }
2034                         rcu_read_unlock();
2035
2036                         if (ptsid != 0) {
2037                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2038                                                   SECCLASS_PROCESS,
2039                                                   PROCESS__PTRACE, NULL);
2040                                 if (rc)
2041                                         return -EPERM;
2042                         }
2043                 }
2044
2045                 /* Clear any possibly unsafe personality bits on exec: */
2046                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2047         }
2048
2049         return 0;
2050 }
2051
2052 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2053 {
2054         const struct task_security_struct *tsec = current_security();
2055         u32 sid, osid;
2056         int atsecure = 0;
2057
2058         sid = tsec->sid;
2059         osid = tsec->osid;
2060
2061         if (osid != sid) {
2062                 /* Enable secure mode for SIDs transitions unless
2063                    the noatsecure permission is granted between
2064                    the two SIDs, i.e. ahp returns 0. */
2065                 atsecure = avc_has_perm(osid, sid,
2066                                         SECCLASS_PROCESS,
2067                                         PROCESS__NOATSECURE, NULL);
2068         }
2069
2070         return (atsecure || cap_bprm_secureexec(bprm));
2071 }
2072
2073 extern struct vfsmount *selinuxfs_mount;
2074 extern struct dentry *selinux_null;
2075
2076 /* Derived from fs/exec.c:flush_old_files. */
2077 static inline void flush_unauthorized_files(const struct cred *cred,
2078                                             struct files_struct *files)
2079 {
2080         struct common_audit_data ad;
2081         struct file *file, *devnull = NULL;
2082         struct tty_struct *tty;
2083         struct fdtable *fdt;
2084         long j = -1;
2085         int drop_tty = 0;
2086
2087         tty = get_current_tty();
2088         if (tty) {
2089                 spin_lock(&tty_files_lock);
2090                 if (!list_empty(&tty->tty_files)) {
2091                         struct tty_file_private *file_priv;
2092                         struct inode *inode;
2093
2094                         /* Revalidate access to controlling tty.
2095                            Use inode_has_perm on the tty inode directly rather
2096                            than using file_has_perm, as this particular open
2097                            file may belong to another process and we are only
2098                            interested in the inode-based check here. */
2099                         file_priv = list_first_entry(&tty->tty_files,
2100                                                 struct tty_file_private, list);
2101                         file = file_priv->file;
2102                         inode = file->f_path.dentry->d_inode;
2103                         if (inode_has_perm(cred, inode,
2104                                            FILE__READ | FILE__WRITE, NULL)) {
2105                                 drop_tty = 1;
2106                         }
2107                 }
2108                 spin_unlock(&tty_files_lock);
2109                 tty_kref_put(tty);
2110         }
2111         /* Reset controlling tty. */
2112         if (drop_tty)
2113                 no_tty();
2114
2115         /* Revalidate access to inherited open files. */
2116
2117         COMMON_AUDIT_DATA_INIT(&ad, FS);
2118
2119         spin_lock(&files->file_lock);
2120         for (;;) {
2121                 unsigned long set, i;
2122                 int fd;
2123
2124                 j++;
2125                 i = j * __NFDBITS;
2126                 fdt = files_fdtable(files);
2127                 if (i >= fdt->max_fds)
2128                         break;
2129                 set = fdt->open_fds->fds_bits[j];
2130                 if (!set)
2131                         continue;
2132                 spin_unlock(&files->file_lock);
2133                 for ( ; set ; i++, set >>= 1) {
2134                         if (set & 1) {
2135                                 file = fget(i);
2136                                 if (!file)
2137                                         continue;
2138                                 if (file_has_perm(cred,
2139                                                   file,
2140                                                   file_to_av(file))) {
2141                                         sys_close(i);
2142                                         fd = get_unused_fd();
2143                                         if (fd != i) {
2144                                                 if (fd >= 0)
2145                                                         put_unused_fd(fd);
2146                                                 fput(file);
2147                                                 continue;
2148                                         }
2149                                         if (devnull) {
2150                                                 get_file(devnull);
2151                                         } else {
2152                                                 devnull = dentry_open(
2153                                                         dget(selinux_null),
2154                                                         mntget(selinuxfs_mount),
2155                                                         O_RDWR, cred);
2156                                                 if (IS_ERR(devnull)) {
2157                                                         devnull = NULL;
2158                                                         put_unused_fd(fd);
2159                                                         fput(file);
2160                                                         continue;
2161                                                 }
2162                                         }
2163                                         fd_install(fd, devnull);
2164                                 }
2165                                 fput(file);
2166                         }
2167                 }
2168                 spin_lock(&files->file_lock);
2169
2170         }
2171         spin_unlock(&files->file_lock);
2172 }
2173
2174 /*
2175  * Prepare a process for imminent new credential changes due to exec
2176  */
2177 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2178 {
2179         struct task_security_struct *new_tsec;
2180         struct rlimit *rlim, *initrlim;
2181         int rc, i;
2182
2183         new_tsec = bprm->cred->security;
2184         if (new_tsec->sid == new_tsec->osid)
2185                 return;
2186
2187         /* Close files for which the new task SID is not authorized. */
2188         flush_unauthorized_files(bprm->cred, current->files);
2189
2190         /* Always clear parent death signal on SID transitions. */
2191         current->pdeath_signal = 0;
2192
2193         /* Check whether the new SID can inherit resource limits from the old
2194          * SID.  If not, reset all soft limits to the lower of the current
2195          * task's hard limit and the init task's soft limit.
2196          *
2197          * Note that the setting of hard limits (even to lower them) can be
2198          * controlled by the setrlimit check.  The inclusion of the init task's
2199          * soft limit into the computation is to avoid resetting soft limits
2200          * higher than the default soft limit for cases where the default is
2201          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2202          */
2203         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2204                           PROCESS__RLIMITINH, NULL);
2205         if (rc) {
2206                 /* protect against do_prlimit() */
2207                 task_lock(current);
2208                 for (i = 0; i < RLIM_NLIMITS; i++) {
2209                         rlim = current->signal->rlim + i;
2210                         initrlim = init_task.signal->rlim + i;
2211                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2212                 }
2213                 task_unlock(current);
2214                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2215         }
2216 }
2217
2218 /*
2219  * Clean up the process immediately after the installation of new credentials
2220  * due to exec
2221  */
2222 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2223 {
2224         const struct task_security_struct *tsec = current_security();
2225         struct itimerval itimer;
2226         u32 osid, sid;
2227         int rc, i;
2228
2229         osid = tsec->osid;
2230         sid = tsec->sid;
2231
2232         if (sid == osid)
2233                 return;
2234
2235         /* Check whether the new SID can inherit signal state from the old SID.
2236          * If not, clear itimers to avoid subsequent signal generation and
2237          * flush and unblock signals.
2238          *
2239          * This must occur _after_ the task SID has been updated so that any
2240          * kill done after the flush will be checked against the new SID.
2241          */
2242         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2243         if (rc) {
2244                 memset(&itimer, 0, sizeof itimer);
2245                 for (i = 0; i < 3; i++)
2246                         do_setitimer(i, &itimer, NULL);
2247                 spin_lock_irq(&current->sighand->siglock);
2248                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2249                         __flush_signals(current);
2250                         flush_signal_handlers(current, 1);
2251                         sigemptyset(&current->blocked);
2252                 }
2253                 spin_unlock_irq(&current->sighand->siglock);
2254         }
2255
2256         /* Wake up the parent if it is waiting so that it can recheck
2257          * wait permission to the new task SID. */
2258         read_lock(&tasklist_lock);
2259         __wake_up_parent(current, current->real_parent);
2260         read_unlock(&tasklist_lock);
2261 }
2262
2263 /* superblock security operations */
2264
2265 static int selinux_sb_alloc_security(struct super_block *sb)
2266 {
2267         return superblock_alloc_security(sb);
2268 }
2269
2270 static void selinux_sb_free_security(struct super_block *sb)
2271 {
2272         superblock_free_security(sb);
2273 }
2274
2275 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2276 {
2277         if (plen > olen)
2278                 return 0;
2279
2280         return !memcmp(prefix, option, plen);
2281 }
2282
2283 static inline int selinux_option(char *option, int len)
2284 {
2285         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2286                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2287                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2288                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2289                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2290 }
2291
2292 static inline void take_option(char **to, char *from, int *first, int len)
2293 {
2294         if (!*first) {
2295                 **to = ',';
2296                 *to += 1;
2297         } else
2298                 *first = 0;
2299         memcpy(*to, from, len);
2300         *to += len;
2301 }
2302
2303 static inline void take_selinux_option(char **to, char *from, int *first,
2304                                        int len)
2305 {
2306         int current_size = 0;
2307
2308         if (!*first) {
2309                 **to = '|';
2310                 *to += 1;
2311         } else
2312                 *first = 0;
2313
2314         while (current_size < len) {
2315                 if (*from != '"') {
2316                         **to = *from;
2317                         *to += 1;
2318                 }
2319                 from += 1;
2320                 current_size += 1;
2321         }
2322 }
2323
2324 static int selinux_sb_copy_data(char *orig, char *copy)
2325 {
2326         int fnosec, fsec, rc = 0;
2327         char *in_save, *in_curr, *in_end;
2328         char *sec_curr, *nosec_save, *nosec;
2329         int open_quote = 0;
2330
2331         in_curr = orig;
2332         sec_curr = copy;
2333
2334         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2335         if (!nosec) {
2336                 rc = -ENOMEM;
2337                 goto out;
2338         }
2339
2340         nosec_save = nosec;
2341         fnosec = fsec = 1;
2342         in_save = in_end = orig;
2343
2344         do {
2345                 if (*in_end == '"')
2346                         open_quote = !open_quote;
2347                 if ((*in_end == ',' && open_quote == 0) ||
2348                                 *in_end == '\0') {
2349                         int len = in_end - in_curr;
2350
2351                         if (selinux_option(in_curr, len))
2352                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2353                         else
2354                                 take_option(&nosec, in_curr, &fnosec, len);
2355
2356                         in_curr = in_end + 1;
2357                 }
2358         } while (*in_end++);
2359
2360         strcpy(in_save, nosec_save);
2361         free_page((unsigned long)nosec_save);
2362 out:
2363         return rc;
2364 }
2365
2366 static int selinux_sb_remount(struct super_block *sb, void *data)
2367 {
2368         int rc, i, *flags;
2369         struct security_mnt_opts opts;
2370         char *secdata, **mount_options;
2371         struct superblock_security_struct *sbsec = sb->s_security;
2372
2373         if (!(sbsec->flags & SE_SBINITIALIZED))
2374                 return 0;
2375
2376         if (!data)
2377                 return 0;
2378
2379         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2380                 return 0;
2381
2382         security_init_mnt_opts(&opts);
2383         secdata = alloc_secdata();
2384         if (!secdata)
2385                 return -ENOMEM;
2386         rc = selinux_sb_copy_data(data, secdata);
2387         if (rc)
2388                 goto out_free_secdata;
2389
2390         rc = selinux_parse_opts_str(secdata, &opts);
2391         if (rc)
2392                 goto out_free_secdata;
2393
2394         mount_options = opts.mnt_opts;
2395         flags = opts.mnt_opts_flags;
2396
2397         for (i = 0; i < opts.num_mnt_opts; i++) {
2398                 u32 sid;
2399                 size_t len;
2400
2401                 if (flags[i] == SE_SBLABELSUPP)
2402                         continue;
2403                 len = strlen(mount_options[i]);
2404                 rc = security_context_to_sid(mount_options[i], len, &sid);
2405                 if (rc) {
2406                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2407                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2408                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2409                         goto out_free_opts;
2410                 }
2411                 rc = -EINVAL;
2412                 switch (flags[i]) {
2413                 case FSCONTEXT_MNT:
2414                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2415                                 goto out_bad_option;
2416                         break;
2417                 case CONTEXT_MNT:
2418                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2419                                 goto out_bad_option;
2420                         break;
2421                 case ROOTCONTEXT_MNT: {
2422                         struct inode_security_struct *root_isec;
2423                         root_isec = sb->s_root->d_inode->i_security;
2424
2425                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2426                                 goto out_bad_option;
2427                         break;
2428                 }
2429                 case DEFCONTEXT_MNT:
2430                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2431                                 goto out_bad_option;
2432                         break;
2433                 default:
2434                         goto out_free_opts;
2435                 }
2436         }
2437
2438         rc = 0;
2439 out_free_opts:
2440         security_free_mnt_opts(&opts);
2441 out_free_secdata:
2442         free_secdata(secdata);
2443         return rc;
2444 out_bad_option:
2445         printk(KERN_WARNING "SELinux: unable to change security options "
2446                "during remount (dev %s, type=%s)\n", sb->s_id,
2447                sb->s_type->name);
2448         goto out_free_opts;
2449 }
2450
2451 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2452 {
2453         const struct cred *cred = current_cred();
2454         struct common_audit_data ad;
2455         int rc;
2456
2457         rc = superblock_doinit(sb, data);
2458         if (rc)
2459                 return rc;
2460
2461         /* Allow all mounts performed by the kernel */
2462         if (flags & MS_KERNMOUNT)
2463                 return 0;
2464
2465         COMMON_AUDIT_DATA_INIT(&ad, FS);
2466         ad.u.fs.path.dentry = sb->s_root;
2467         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2468 }
2469
2470 static int selinux_sb_statfs(struct dentry *dentry)
2471 {
2472         const struct cred *cred = current_cred();
2473         struct common_audit_data ad;
2474
2475         COMMON_AUDIT_DATA_INIT(&ad, FS);
2476         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2477         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2478 }
2479
2480 static int selinux_mount(char *dev_name,
2481                          struct path *path,
2482                          char *type,
2483                          unsigned long flags,
2484                          void *data)
2485 {
2486         const struct cred *cred = current_cred();
2487
2488         if (flags & MS_REMOUNT)
2489                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2490                                            FILESYSTEM__REMOUNT, NULL);
2491         else
2492                 return dentry_has_perm(cred, path->mnt, path->dentry,
2493                                        FILE__MOUNTON);
2494 }
2495
2496 static int selinux_umount(struct vfsmount *mnt, int flags)
2497 {
2498         const struct cred *cred = current_cred();
2499
2500         return superblock_has_perm(cred, mnt->mnt_sb,
2501                                    FILESYSTEM__UNMOUNT, NULL);
2502 }
2503
2504 /* inode security operations */
2505
2506 static int selinux_inode_alloc_security(struct inode *inode)
2507 {
2508         return inode_alloc_security(inode);
2509 }
2510
2511 static void selinux_inode_free_security(struct inode *inode)
2512 {
2513         inode_free_security(inode);
2514 }
2515
2516 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2517                                        const struct qstr *qstr, char **name,
2518                                        void **value, size_t *len)
2519 {
2520         const struct task_security_struct *tsec = current_security();
2521         struct inode_security_struct *dsec;
2522         struct superblock_security_struct *sbsec;
2523         u32 sid, newsid, clen;
2524         int rc;
2525         char *namep = NULL, *context;
2526
2527         dsec = dir->i_security;
2528         sbsec = dir->i_sb->s_security;
2529
2530         sid = tsec->sid;
2531         newsid = tsec->create_sid;
2532
2533         if ((sbsec->flags & SE_SBINITIALIZED) &&
2534             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2535                 newsid = sbsec->mntpoint_sid;
2536         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2537                 rc = security_transition_sid(sid, dsec->sid,
2538                                              inode_mode_to_security_class(inode->i_mode),
2539                                              qstr, &newsid);
2540                 if (rc) {
2541                         printk(KERN_WARNING "%s:  "
2542                                "security_transition_sid failed, rc=%d (dev=%s "
2543                                "ino=%ld)\n",
2544                                __func__,
2545                                -rc, inode->i_sb->s_id, inode->i_ino);
2546                         return rc;
2547                 }
2548         }
2549
2550         /* Possibly defer initialization to selinux_complete_init. */
2551         if (sbsec->flags & SE_SBINITIALIZED) {
2552                 struct inode_security_struct *isec = inode->i_security;
2553                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2554                 isec->sid = newsid;
2555                 isec->initialized = 1;
2556         }
2557
2558         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2559                 return -EOPNOTSUPP;
2560
2561         if (name) {
2562                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2563                 if (!namep)
2564                         return -ENOMEM;
2565                 *name = namep;
2566         }
2567
2568         if (value && len) {
2569                 rc = security_sid_to_context_force(newsid, &context, &clen);
2570                 if (rc) {
2571                         kfree(namep);
2572                         return rc;
2573                 }
2574                 *value = context;
2575                 *len = clen;
2576         }
2577
2578         return 0;
2579 }
2580
2581 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2582 {
2583         return may_create(dir, dentry, SECCLASS_FILE);
2584 }
2585
2586 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2587 {
2588         return may_link(dir, old_dentry, MAY_LINK);
2589 }
2590
2591 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2592 {
2593         return may_link(dir, dentry, MAY_UNLINK);
2594 }
2595
2596 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2597 {
2598         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2599 }
2600
2601 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2602 {
2603         return may_create(dir, dentry, SECCLASS_DIR);
2604 }
2605
2606 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2607 {
2608         return may_link(dir, dentry, MAY_RMDIR);
2609 }
2610
2611 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2612 {
2613         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2614 }
2615
2616 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2617                                 struct inode *new_inode, struct dentry *new_dentry)
2618 {
2619         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2620 }
2621
2622 static int selinux_inode_readlink(struct dentry *dentry)
2623 {
2624         const struct cred *cred = current_cred();
2625
2626         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2627 }
2628
2629 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2630 {
2631         const struct cred *cred = current_cred();
2632
2633         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2634 }
2635
2636 static int selinux_inode_permission(struct inode *inode, int mask)
2637 {
2638         const struct cred *cred = current_cred();
2639         struct common_audit_data ad;
2640         u32 perms;
2641         bool from_access;
2642
2643         from_access = mask & MAY_ACCESS;
2644         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2645
2646         /* No permission to check.  Existence test. */
2647         if (!mask)
2648                 return 0;
2649
2650         COMMON_AUDIT_DATA_INIT(&ad, FS);
2651         ad.u.fs.inode = inode;
2652
2653         if (from_access)
2654                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2655
2656         perms = file_mask_to_av(inode->i_mode, mask);
2657
2658         return inode_has_perm(cred, inode, perms, &ad);
2659 }
2660
2661 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2662 {
2663         const struct cred *cred = current_cred();
2664         unsigned int ia_valid = iattr->ia_valid;
2665
2666         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2667         if (ia_valid & ATTR_FORCE) {
2668                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2669                               ATTR_FORCE);
2670                 if (!ia_valid)
2671                         return 0;
2672         }
2673
2674         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2675                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2676                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2677
2678         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2679 }
2680
2681 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2682 {
2683         const struct cred *cred = current_cred();
2684
2685         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2686 }
2687
2688 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2689 {
2690         const struct cred *cred = current_cred();
2691
2692         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2693                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2694                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2695                         if (!capable(CAP_SETFCAP))
2696                                 return -EPERM;
2697                 } else if (!capable(CAP_SYS_ADMIN)) {
2698                         /* A different attribute in the security namespace.
2699                            Restrict to administrator. */
2700                         return -EPERM;
2701                 }
2702         }
2703
2704         /* Not an attribute we recognize, so just check the
2705            ordinary setattr permission. */
2706         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2707 }
2708
2709 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2710                                   const void *value, size_t size, int flags)
2711 {
2712         struct inode *inode = dentry->d_inode;
2713         struct inode_security_struct *isec = inode->i_security;
2714         struct superblock_security_struct *sbsec;
2715         struct common_audit_data ad;
2716         u32 newsid, sid = current_sid();
2717         int rc = 0;
2718
2719         if (strcmp(name, XATTR_NAME_SELINUX))
2720                 return selinux_inode_setotherxattr(dentry, name);
2721
2722         sbsec = inode->i_sb->s_security;
2723         if (!(sbsec->flags & SE_SBLABELSUPP))
2724                 return -EOPNOTSUPP;
2725
2726         if (!is_owner_or_cap(inode))
2727                 return -EPERM;
2728
2729         COMMON_AUDIT_DATA_INIT(&ad, FS);
2730         ad.u.fs.path.dentry = dentry;
2731
2732         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2733                           FILE__RELABELFROM, &ad);
2734         if (rc)
2735                 return rc;
2736
2737         rc = security_context_to_sid(value, size, &newsid);
2738         if (rc == -EINVAL) {
2739                 if (!capable(CAP_MAC_ADMIN))
2740                         return rc;
2741                 rc = security_context_to_sid_force(value, size, &newsid);
2742         }
2743         if (rc)
2744                 return rc;
2745
2746         rc = avc_has_perm(sid, newsid, isec->sclass,
2747                           FILE__RELABELTO, &ad);
2748         if (rc)
2749                 return rc;
2750
2751         rc = security_validate_transition(isec->sid, newsid, sid,
2752                                           isec->sclass);
2753         if (rc)
2754                 return rc;
2755
2756         return avc_has_perm(newsid,
2757                             sbsec->sid,
2758                             SECCLASS_FILESYSTEM,
2759                             FILESYSTEM__ASSOCIATE,
2760                             &ad);
2761 }
2762
2763 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2764                                         const void *value, size_t size,
2765                                         int flags)
2766 {
2767         struct inode *inode = dentry->d_inode;
2768         struct inode_security_struct *isec = inode->i_security;
2769         u32 newsid;
2770         int rc;
2771
2772         if (strcmp(name, XATTR_NAME_SELINUX)) {
2773                 /* Not an attribute we recognize, so nothing to do. */
2774                 return;
2775         }
2776
2777         rc = security_context_to_sid_force(value, size, &newsid);
2778         if (rc) {
2779                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2780                        "for (%s, %lu), rc=%d\n",
2781                        inode->i_sb->s_id, inode->i_ino, -rc);
2782                 return;
2783         }
2784
2785         isec->sid = newsid;
2786         return;
2787 }
2788
2789 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2790 {
2791         const struct cred *cred = current_cred();
2792
2793         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2794 }
2795
2796 static int selinux_inode_listxattr(struct dentry *dentry)
2797 {
2798         const struct cred *cred = current_cred();
2799
2800         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2801 }
2802
2803 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2804 {
2805         if (strcmp(name, XATTR_NAME_SELINUX))
2806                 return selinux_inode_setotherxattr(dentry, name);
2807
2808         /* No one is allowed to remove a SELinux security label.
2809            You can change the label, but all data must be labeled. */
2810         return -EACCES;
2811 }
2812
2813 /*
2814  * Copy the inode security context value to the user.
2815  *
2816  * Permission check is handled by selinux_inode_getxattr hook.
2817  */
2818 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2819 {
2820         u32 size;
2821         int error;
2822         char *context = NULL;
2823         struct inode_security_struct *isec = inode->i_security;
2824
2825         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2826                 return -EOPNOTSUPP;
2827
2828         /*
2829          * If the caller has CAP_MAC_ADMIN, then get the raw context
2830          * value even if it is not defined by current policy; otherwise,
2831          * use the in-core value under current policy.
2832          * Use the non-auditing forms of the permission checks since
2833          * getxattr may be called by unprivileged processes commonly
2834          * and lack of permission just means that we fall back to the
2835          * in-core context value, not a denial.
2836          */
2837         error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2838                                 SECURITY_CAP_NOAUDIT);
2839         if (!error)
2840                 error = security_sid_to_context_force(isec->sid, &context,
2841                                                       &size);
2842         else
2843                 error = security_sid_to_context(isec->sid, &context, &size);
2844         if (error)
2845                 return error;
2846         error = size;
2847         if (alloc) {
2848                 *buffer = context;
2849                 goto out_nofree;
2850         }
2851         kfree(context);
2852 out_nofree:
2853         return error;
2854 }
2855
2856 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2857                                      const void *value, size_t size, int flags)
2858 {
2859         struct inode_security_struct *isec = inode->i_security;
2860         u32 newsid;
2861         int rc;
2862
2863         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2864                 return -EOPNOTSUPP;
2865
2866         if (!value || !size)
2867                 return -EACCES;
2868
2869         rc = security_context_to_sid((void *)value, size, &newsid);
2870         if (rc)
2871                 return rc;
2872
2873         isec->sid = newsid;
2874         isec->initialized = 1;
2875         return 0;
2876 }
2877
2878 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2879 {
2880         const int len = sizeof(XATTR_NAME_SELINUX);
2881         if (buffer && len <= buffer_size)
2882                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2883         return len;
2884 }
2885
2886 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2887 {
2888         struct inode_security_struct *isec = inode->i_security;
2889         *secid = isec->sid;
2890 }
2891
2892 /* file security operations */
2893
2894 static int selinux_revalidate_file_permission(struct file *file, int mask)
2895 {
2896         const struct cred *cred = current_cred();
2897         struct inode *inode = file->f_path.dentry->d_inode;
2898
2899         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2900         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2901                 mask |= MAY_APPEND;
2902
2903         return file_has_perm(cred, file,
2904                              file_mask_to_av(inode->i_mode, mask));
2905 }
2906
2907 static int selinux_file_permission(struct file *file, int mask)
2908 {
2909         struct inode *inode = file->f_path.dentry->d_inode;
2910         struct file_security_struct *fsec = file->f_security;
2911         struct inode_security_struct *isec = inode->i_security;
2912         u32 sid = current_sid();
2913
2914         if (!mask)
2915                 /* No permission to check.  Existence test. */
2916                 return 0;
2917
2918         if (sid == fsec->sid && fsec->isid == isec->sid &&
2919             fsec->pseqno == avc_policy_seqno())
2920                 /* No change since dentry_open check. */
2921                 return 0;
2922
2923         return selinux_revalidate_file_permission(file, mask);
2924 }
2925
2926 static int selinux_file_alloc_security(struct file *file)
2927 {
2928         return file_alloc_security(file);
2929 }
2930
2931 static void selinux_file_free_security(struct file *file)
2932 {
2933         file_free_security(file);
2934 }
2935
2936 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2937                               unsigned long arg)
2938 {
2939         const struct cred *cred = current_cred();
2940         int error = 0;
2941
2942         switch (cmd) {
2943         case FIONREAD:
2944         /* fall through */
2945         case FIBMAP:
2946         /* fall through */
2947         case FIGETBSZ:
2948         /* fall through */
2949         case EXT2_IOC_GETFLAGS:
2950         /* fall through */
2951         case EXT2_IOC_GETVERSION:
2952                 error = file_has_perm(cred, file, FILE__GETATTR);
2953                 break;
2954
2955         case EXT2_IOC_SETFLAGS:
2956         /* fall through */
2957         case EXT2_IOC_SETVERSION:
2958                 error = file_has_perm(cred, file, FILE__SETATTR);
2959                 break;
2960
2961         /* sys_ioctl() checks */
2962         case FIONBIO:
2963         /* fall through */
2964         case FIOASYNC:
2965                 error = file_has_perm(cred, file, 0);
2966                 break;
2967
2968         case KDSKBENT:
2969         case KDSKBSENT:
2970                 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2971                                             SECURITY_CAP_AUDIT);
2972                 break;
2973
2974         /* default case assumes that the command will go
2975          * to the file's ioctl() function.
2976          */
2977         default:
2978                 error = file_has_perm(cred, file, FILE__IOCTL);
2979         }
2980         return error;
2981 }
2982
2983 static int default_noexec;
2984
2985 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2986 {
2987         const struct cred *cred = current_cred();
2988         int rc = 0;
2989
2990         if (default_noexec &&
2991             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2992                 /*
2993                  * We are making executable an anonymous mapping or a
2994                  * private file mapping that will also be writable.
2995                  * This has an additional check.
2996                  */
2997                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
2998                 if (rc)
2999                         goto error;
3000         }
3001
3002         if (file) {
3003                 /* read access is always possible with a mapping */
3004                 u32 av = FILE__READ;
3005
3006                 /* write access only matters if the mapping is shared */
3007                 if (shared && (prot & PROT_WRITE))
3008                         av |= FILE__WRITE;
3009
3010                 if (prot & PROT_EXEC)
3011                         av |= FILE__EXECUTE;
3012
3013                 return file_has_perm(cred, file, av);
3014         }
3015
3016 error:
3017         return rc;
3018 }
3019
3020 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3021                              unsigned long prot, unsigned long flags,
3022                              unsigned long addr, unsigned long addr_only)
3023 {
3024         int rc = 0;
3025         u32 sid = current_sid();
3026
3027         /*
3028          * notice that we are intentionally putting the SELinux check before
3029          * the secondary cap_file_mmap check.  This is such a likely attempt
3030          * at bad behaviour/exploit that we always want to get the AVC, even
3031          * if DAC would have also denied the operation.
3032          */
3033         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3034                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3035                                   MEMPROTECT__MMAP_ZERO, NULL);
3036                 if (rc)
3037                         return rc;
3038         }
3039
3040         /* do DAC check on address space usage */
3041         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3042         if (rc || addr_only)
3043                 return rc;
3044
3045         if (selinux_checkreqprot)
3046                 prot = reqprot;
3047
3048         return file_map_prot_check(file, prot,
3049                                    (flags & MAP_TYPE) == MAP_SHARED);
3050 }
3051
3052 static int selinux_file_mprotect(struct vm_area_struct *vma,
3053                                  unsigned long reqprot,
3054                                  unsigned long prot)
3055 {
3056         const struct cred *cred = current_cred();
3057
3058         if (selinux_checkreqprot)
3059                 prot = reqprot;
3060
3061         if (default_noexec &&
3062             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3063                 int rc = 0;
3064                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3065                     vma->vm_end <= vma->vm_mm->brk) {
3066                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3067                 } else if (!vma->vm_file &&
3068                            vma->vm_start <= vma->vm_mm->start_stack &&
3069                            vma->vm_end >= vma->vm_mm->start_stack) {
3070                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3071                 } else if (vma->vm_file && vma->anon_vma) {
3072                         /*
3073                          * We are making executable a file mapping that has
3074                          * had some COW done. Since pages might have been
3075                          * written, check ability to execute the possibly
3076                          * modified content.  This typically should only
3077                          * occur for text relocations.
3078                          */
3079                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3080                 }
3081                 if (rc)
3082                         return rc;
3083         }
3084
3085         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3086 }
3087
3088 static int selinux_file_lock(struct file *file, unsigned int cmd)
3089 {
3090         const struct cred *cred = current_cred();
3091
3092         return file_has_perm(cred, file, FILE__LOCK);
3093 }
3094
3095 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3096                               unsigned long arg)
3097 {
3098         const struct cred *cred = current_cred();
3099         int err = 0;
3100
3101         switch (cmd) {
3102         case F_SETFL:
3103                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3104                         err = -EINVAL;
3105                         break;
3106                 }
3107
3108                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3109                         err = file_has_perm(cred, file, FILE__WRITE);
3110                         break;
3111                 }
3112                 /* fall through */
3113         case F_SETOWN:
3114         case F_SETSIG:
3115         case F_GETFL:
3116         case F_GETOWN:
3117         case F_GETSIG:
3118                 /* Just check FD__USE permission */
3119                 err = file_has_perm(cred, file, 0);
3120                 break;
3121         case F_GETLK:
3122         case F_SETLK:
3123         case F_SETLKW:
3124 #if BITS_PER_LONG == 32
3125         case F_GETLK64:
3126         case F_SETLK64:
3127         case F_SETLKW64:
3128 #endif
3129                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3130                         err = -EINVAL;
3131                         break;
3132                 }
3133                 err = file_has_perm(cred, file, FILE__LOCK);
3134                 break;
3135         }
3136
3137         return err;
3138 }
3139
3140 static int selinux_file_set_fowner(struct file *file)
3141 {
3142         struct file_security_struct *fsec;
3143
3144         fsec = file->f_security;
3145         fsec->fown_sid = current_sid();
3146
3147         return 0;
3148 }
3149
3150 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3151                                        struct fown_struct *fown, int signum)
3152 {
3153         struct file *file;
3154         u32 sid = task_sid(tsk);
3155         u32 perm;
3156         struct file_security_struct *fsec;
3157
3158         /* struct fown_struct is never outside the context of a struct file */
3159         file = container_of(fown, struct file, f_owner);
3160
3161         fsec = file->f_security;
3162
3163         if (!signum)
3164                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3165         else
3166                 perm = signal_to_av(signum);
3167
3168         return avc_has_perm(fsec->fown_sid, sid,
3169                             SECCLASS_PROCESS, perm, NULL);
3170 }
3171
3172 static int selinux_file_receive(struct file *file)
3173 {
3174         const struct cred *cred = current_cred();
3175
3176         return file_has_perm(cred, file, file_to_av(file));
3177 }
3178
3179 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3180 {
3181         struct file_security_struct *fsec;
3182         struct inode *inode;
3183         struct inode_security_struct *isec;
3184
3185         inode = file->f_path.dentry->d_inode;
3186         fsec = file->f_security;
3187         isec = inode->i_security;
3188         /*
3189          * Save inode label and policy sequence number
3190          * at open-time so that selinux_file_permission
3191          * can determine whether revalidation is necessary.
3192          * Task label is already saved in the file security
3193          * struct as its SID.
3194          */
3195         fsec->isid = isec->sid;
3196         fsec->pseqno = avc_policy_seqno();
3197         /*
3198          * Since the inode label or policy seqno may have changed
3199          * between the selinux_inode_permission check and the saving
3200          * of state above, recheck that access is still permitted.
3201          * Otherwise, access might never be revalidated against the
3202          * new inode label or new policy.
3203          * This check is not redundant - do not remove.
3204          */
3205         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3206 }
3207
3208 /* task security operations */
3209
3210 static int selinux_task_create(unsigned long clone_flags)
3211 {
3212         return current_has_perm(current, PROCESS__FORK);
3213 }
3214
3215 /*
3216  * allocate the SELinux part of blank credentials
3217  */
3218 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3219 {
3220         struct task_security_struct *tsec;
3221
3222         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3223         if (!tsec)
3224                 return -ENOMEM;
3225
3226         cred->security = tsec;
3227         return 0;
3228 }
3229
3230 /*
3231  * detach and free the LSM part of a set of credentials
3232  */
3233 static void selinux_cred_free(struct cred *cred)
3234 {
3235         struct task_security_struct *tsec = cred->security;
3236
3237         /*
3238          * cred->security == NULL if security_cred_alloc_blank() or
3239          * security_prepare_creds() returned an error.
3240          */
3241         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3242         cred->security = (void *) 0x7UL;
3243         kfree(tsec);
3244 }
3245
3246 /*
3247  * prepare a new set of credentials for modification
3248  */
3249 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3250                                 gfp_t gfp)
3251 {
3252         const struct task_security_struct *old_tsec;
3253         struct task_security_struct *tsec;
3254
3255         old_tsec = old->security;
3256
3257         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3258         if (!tsec)
3259                 return -ENOMEM;
3260
3261         new->security = tsec;
3262         return 0;
3263 }
3264
3265 /*
3266  * transfer the SELinux data to a blank set of creds
3267  */
3268 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3269 {
3270         const struct task_security_struct *old_tsec = old->security;
3271         struct task_security_struct *tsec = new->security;
3272
3273         *tsec = *old_tsec;
3274 }
3275
3276 /*
3277  * set the security data for a kernel service
3278  * - all the creation contexts are set to unlabelled
3279  */
3280 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3281 {
3282         struct task_security_struct *tsec = new->security;
3283         u32 sid = current_sid();
3284         int ret;
3285
3286         ret = avc_has_perm(sid, secid,
3287                            SECCLASS_KERNEL_SERVICE,
3288                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3289                            NULL);
3290         if (ret == 0) {
3291                 tsec->sid = secid;
3292                 tsec->create_sid = 0;
3293                 tsec->keycreate_sid = 0;
3294                 tsec->sockcreate_sid = 0;
3295         }
3296         return ret;
3297 }
3298
3299 /*
3300  * set the file creation context in a security record to the same as the
3301  * objective context of the specified inode
3302  */
3303 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3304 {
3305         struct inode_security_struct *isec = inode->i_security;
3306         struct task_security_struct *tsec = new->security;
3307         u32 sid = current_sid();
3308         int ret;
3309
3310         ret = avc_has_perm(sid, isec->sid,
3311                            SECCLASS_KERNEL_SERVICE,
3312                            KERNEL_SERVICE__CREATE_FILES_AS,
3313                            NULL);
3314
3315         if (ret == 0)
3316                 tsec->create_sid = isec->sid;
3317         return ret;
3318 }
3319
3320 static int selinux_kernel_module_request(char *kmod_name)
3321 {
3322         u32 sid;
3323         struct common_audit_data ad;
3324
3325         sid = task_sid(current);
3326
3327         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3328         ad.u.kmod_name = kmod_name;
3329
3330         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3331                             SYSTEM__MODULE_REQUEST, &ad);
3332 }
3333
3334 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3335 {
3336         return current_has_perm(p, PROCESS__SETPGID);
3337 }
3338
3339 static int selinux_task_getpgid(struct task_struct *p)
3340 {
3341         return current_has_perm(p, PROCESS__GETPGID);
3342 }
3343
3344 static int selinux_task_getsid(struct task_struct *p)
3345 {
3346         return current_has_perm(p, PROCESS__GETSESSION);
3347 }
3348
3349 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3350 {
3351         *secid = task_sid(p);
3352 }
3353
3354 static int selinux_task_setnice(struct task_struct *p, int nice)
3355 {
3356         int rc;
3357
3358         rc = cap_task_setnice(p, nice);
3359         if (rc)
3360                 return rc;
3361
3362         return current_has_perm(p, PROCESS__SETSCHED);
3363 }
3364
3365 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3366 {
3367         int rc;
3368
3369         rc = cap_task_setioprio(p, ioprio);
3370         if (rc)
3371                 return rc;
3372
3373         return current_has_perm(p, PROCESS__SETSCHED);
3374 }
3375
3376 static int selinux_task_getioprio(struct task_struct *p)
3377 {
3378         return current_has_perm(p, PROCESS__GETSCHED);
3379 }
3380
3381 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3382                 struct rlimit *new_rlim)
3383 {
3384         struct rlimit *old_rlim = p->signal->rlim + resource;
3385
3386         /* Control the ability to change the hard limit (whether
3387            lowering or raising it), so that the hard limit can
3388            later be used as a safe reset point for the soft limit
3389            upon context transitions.  See selinux_bprm_committing_creds. */
3390         if (old_rlim->rlim_max != new_rlim->rlim_max)
3391                 return current_has_perm(p, PROCESS__SETRLIMIT);
3392
3393         return 0;
3394 }
3395
3396 static int selinux_task_setscheduler(struct task_struct *p)
3397 {
3398         int rc;
3399
3400         rc = cap_task_setscheduler(p);
3401         if (rc)
3402                 return rc;
3403
3404         return current_has_perm(p, PROCESS__SETSCHED);
3405 }
3406
3407 static int selinux_task_getscheduler(struct task_struct *p)
3408 {
3409         return current_has_perm(p, PROCESS__GETSCHED);
3410 }
3411
3412 static int selinux_task_movememory(struct task_struct *p)
3413 {
3414         return current_has_perm(p, PROCESS__SETSCHED);
3415 }
3416
3417 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3418                                 int sig, u32 secid)
3419 {
3420         u32 perm;
3421         int rc;
3422
3423         if (!sig)
3424                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3425         else
3426                 perm = signal_to_av(sig);
3427         if (secid)
3428                 rc = avc_has_perm(secid, task_sid(p),
3429                                   SECCLASS_PROCESS, perm, NULL);
3430         else
3431                 rc = current_has_perm(p, perm);
3432         return rc;
3433 }
3434
3435 static int selinux_task_wait(struct task_struct *p)
3436 {
3437         return task_has_perm(p, current, PROCESS__SIGCHLD);
3438 }
3439
3440 static void selinux_task_to_inode(struct task_struct *p,
3441                                   struct inode *inode)
3442 {
3443         struct inode_security_struct *isec = inode->i_security;
3444         u32 sid = task_sid(p);
3445
3446         isec->sid = sid;
3447         isec->initialized = 1;
3448 }
3449
3450 /* Returns error only if unable to parse addresses */
3451 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3452                         struct common_audit_data *ad, u8 *proto)
3453 {
3454         int offset, ihlen, ret = -EINVAL;
3455         struct iphdr _iph, *ih;
3456
3457         offset = skb_network_offset(skb);
3458         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3459         if (ih == NULL)
3460                 goto out;
3461
3462         ihlen = ih->ihl * 4;
3463         if (ihlen < sizeof(_iph))
3464                 goto out;
3465
3466         ad->u.net.v4info.saddr = ih->saddr;
3467         ad->u.net.v4info.daddr = ih->daddr;
3468         ret = 0;
3469
3470         if (proto)
3471                 *proto = ih->protocol;
3472
3473         switch (ih->protocol) {
3474         case IPPROTO_TCP: {
3475                 struct tcphdr _tcph, *th;
3476
3477                 if (ntohs(ih->frag_off) & IP_OFFSET)
3478                         break;
3479
3480                 offset += ihlen;
3481                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3482                 if (th == NULL)
3483                         break;
3484
3485                 ad->u.net.sport = th->source;
3486                 ad->u.net.dport = th->dest;
3487                 break;
3488         }
3489
3490         case IPPROTO_UDP: {
3491                 struct udphdr _udph, *uh;
3492
3493                 if (ntohs(ih->frag_off) & IP_OFFSET)
3494                         break;
3495
3496                 offset += ihlen;
3497                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3498                 if (uh == NULL)
3499                         break;
3500
3501                 ad->u.net.sport = uh->source;
3502                 ad->u.net.dport = uh->dest;
3503                 break;
3504         }
3505
3506         case IPPROTO_DCCP: {
3507                 struct dccp_hdr _dccph, *dh;
3508
3509                 if (ntohs(ih->frag_off) & IP_OFFSET)
3510                         break;
3511
3512                 offset += ihlen;
3513                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3514                 if (dh == NULL)
3515                         break;
3516
3517                 ad->u.net.sport = dh->dccph_sport;
3518                 ad->u.net.dport = dh->dccph_dport;
3519                 break;
3520         }
3521
3522         default:
3523                 break;
3524         }
3525 out:
3526         return ret;
3527 }
3528
3529 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3530
3531 /* Returns error only if unable to parse addresses */
3532 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3533                         struct common_audit_data *ad, u8 *proto)
3534 {
3535         u8 nexthdr;
3536         int ret = -EINVAL, offset;
3537         struct ipv6hdr _ipv6h, *ip6;
3538
3539         offset = skb_network_offset(skb);
3540         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3541         if (ip6 == NULL)
3542                 goto out;
3543
3544         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3545         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3546         ret = 0;
3547
3548         nexthdr = ip6->nexthdr;
3549         offset += sizeof(_ipv6h);
3550         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3551         if (offset < 0)
3552                 goto out;
3553
3554         if (proto)
3555                 *proto = nexthdr;
3556
3557         switch (nexthdr) {
3558         case IPPROTO_TCP: {
3559                 struct tcphdr _tcph, *th;
3560
3561                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3562                 if (th == NULL)
3563                         break;
3564
3565                 ad->u.net.sport = th->source;
3566                 ad->u.net.dport = th->dest;
3567                 break;
3568         }
3569
3570         case IPPROTO_UDP: {
3571                 struct udphdr _udph, *uh;
3572
3573                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3574                 if (uh == NULL)
3575                         break;
3576
3577                 ad->u.net.sport = uh->source;
3578                 ad->u.net.dport = uh->dest;
3579                 break;
3580         }
3581
3582         case IPPROTO_DCCP: {
3583                 struct dccp_hdr _dccph, *dh;
3584
3585                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3586                 if (dh == NULL)
3587                         break;
3588
3589                 ad->u.net.sport = dh->dccph_sport;
3590                 ad->u.net.dport = dh->dccph_dport;
3591                 break;
3592         }
3593
3594         /* includes fragments */
3595         default:
3596                 break;
3597         }
3598 out:
3599         return ret;
3600 }
3601
3602 #endif /* IPV6 */
3603
3604 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3605                              char **_addrp, int src, u8 *proto)
3606 {
3607         char *addrp;
3608         int ret;
3609
3610         switch (ad->u.net.family) {
3611         case PF_INET:
3612                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3613                 if (ret)
3614                         goto parse_error;
3615                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3616                                        &ad->u.net.v4info.daddr);
3617                 goto okay;
3618
3619 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3620         case PF_INET6:
3621                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3622                 if (ret)
3623                         goto parse_error;
3624                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3625                                        &ad->u.net.v6info.daddr);
3626                 goto okay;
3627 #endif  /* IPV6 */
3628         default:
3629                 addrp = NULL;
3630                 goto okay;
3631         }
3632
3633 parse_error:
3634         printk(KERN_WARNING
3635                "SELinux: failure in selinux_parse_skb(),"
3636                " unable to parse packet\n");
3637         return ret;
3638
3639 okay:
3640         if (_addrp)
3641                 *_addrp = addrp;
3642         return 0;
3643 }
3644
3645 /**
3646  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3647  * @skb: the packet
3648  * @family: protocol family
3649  * @sid: the packet's peer label SID
3650  *
3651  * Description:
3652  * Check the various different forms of network peer labeling and determine
3653  * the peer label/SID for the packet; most of the magic actually occurs in
3654  * the security server function security_net_peersid_cmp().  The function
3655  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3656  * or -EACCES if @sid is invalid due to inconsistencies with the different
3657  * peer labels.
3658  *
3659  */
3660 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3661 {
3662         int err;
3663         u32 xfrm_sid;
3664         u32 nlbl_sid;
3665         u32 nlbl_type;
3666
3667         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3668         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3669
3670         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3671         if (unlikely(err)) {
3672                 printk(KERN_WARNING
3673                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3674                        " unable to determine packet's peer label\n");
3675                 return -EACCES;
3676         }
3677
3678         return 0;
3679 }
3680
3681 /* socket security operations */
3682
3683 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3684                                  u16 secclass, u32 *socksid)
3685 {
3686         if (tsec->sockcreate_sid > SECSID_NULL) {
3687                 *socksid = tsec->sockcreate_sid;
3688                 return 0;
3689         }
3690
3691         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3692                                        socksid);
3693 }
3694
3695 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3696 {
3697         struct sk_security_struct *sksec = sk->sk_security;
3698         struct common_audit_data ad;
3699         u32 tsid = task_sid(task);
3700
3701         if (sksec->sid == SECINITSID_KERNEL)
3702                 return 0;
3703
3704         COMMON_AUDIT_DATA_INIT(&ad, NET);
3705         ad.u.net.sk = sk;
3706
3707         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3708 }
3709
3710 static int selinux_socket_create(int family, int type,
3711                                  int protocol, int kern)
3712 {
3713         const struct task_security_struct *tsec = current_security();
3714         u32 newsid;
3715         u16 secclass;
3716         int rc;
3717
3718         if (kern)
3719                 return 0;
3720
3721         secclass = socket_type_to_security_class(family, type, protocol);
3722         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3723         if (rc)
3724                 return rc;
3725
3726         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3727 }
3728
3729 static int selinux_socket_post_create(struct socket *sock, int family,
3730                                       int type, int protocol, int kern)
3731 {
3732         const struct task_security_struct *tsec = current_security();
3733         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3734         struct sk_security_struct *sksec;
3735         int err = 0;
3736
3737         isec->sclass = socket_type_to_security_class(family, type, protocol);
3738
3739         if (kern)
3740                 isec->sid = SECINITSID_KERNEL;
3741         else {
3742                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3743                 if (err)
3744                         return err;
3745         }
3746
3747         isec->initialized = 1;
3748
3749         if (sock->sk) {
3750                 sksec = sock->sk->sk_security;
3751                 sksec->sid = isec->sid;
3752                 sksec->sclass = isec->sclass;
3753                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3754         }
3755
3756         return err;
3757 }
3758
3759 /* Range of port numbers used to automatically bind.
3760    Need to determine whether we should perform a name_bind
3761    permission check between the socket and the port number. */
3762
3763 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3764 {
3765         struct sock *sk = sock->sk;
3766         u16 family;
3767         int err;
3768
3769         err = sock_has_perm(current, sk, SOCKET__BIND);
3770         if (err)
3771                 goto out;
3772
3773         /*
3774          * If PF_INET or PF_INET6, check name_bind permission for the port.
3775          * Multiple address binding for SCTP is not supported yet: we just
3776          * check the first address now.
3777          */
3778         family = sk->sk_family;
3779         if (family == PF_INET || family == PF_INET6) {
3780                 char *addrp;
3781                 struct sk_security_struct *sksec = sk->sk_security;
3782                 struct common_audit_data ad;
3783                 struct sockaddr_in *addr4 = NULL;
3784                 struct sockaddr_in6 *addr6 = NULL;
3785                 unsigned short snum;
3786                 u32 sid, node_perm;
3787
3788                 if (family == PF_INET) {
3789                         addr4 = (struct sockaddr_in *)address;
3790                         snum = ntohs(addr4->sin_port);
3791                         addrp = (char *)&addr4->sin_addr.s_addr;
3792                 } else {
3793                         addr6 = (struct sockaddr_in6 *)address;
3794                         snum = ntohs(addr6->sin6_port);
3795                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3796                 }
3797
3798                 if (snum) {
3799                         int low, high;
3800
3801                         inet_get_local_port_range(&low, &high);
3802
3803                         if (snum < max(PROT_SOCK, low) || snum > high) {
3804                                 err = sel_netport_sid(sk->sk_protocol,
3805                                                       snum, &sid);
3806                                 if (err)
3807                                         goto out;
3808                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3809                                 ad.u.net.sport = htons(snum);
3810                                 ad.u.net.family = family;
3811                                 err = avc_has_perm(sksec->sid, sid,
3812                                                    sksec->sclass,
3813                                                    SOCKET__NAME_BIND, &ad);
3814                                 if (err)
3815                                         goto out;
3816                         }
3817                 }
3818
3819                 switch (sksec->sclass) {
3820                 case SECCLASS_TCP_SOCKET:
3821                         node_perm = TCP_SOCKET__NODE_BIND;
3822                         break;
3823
3824                 case SECCLASS_UDP_SOCKET:
3825                         node_perm = UDP_SOCKET__NODE_BIND;
3826                         break;
3827
3828                 case SECCLASS_DCCP_SOCKET:
3829                         node_perm = DCCP_SOCKET__NODE_BIND;
3830                         break;
3831
3832                 default:
3833                         node_perm = RAWIP_SOCKET__NODE_BIND;
3834                         break;
3835                 }
3836
3837                 err = sel_netnode_sid(addrp, family, &sid);
3838                 if (err)
3839                         goto out;
3840
3841                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3842                 ad.u.net.sport = htons(snum);
3843                 ad.u.net.family = family;
3844
3845                 if (family == PF_INET)
3846                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3847                 else
3848                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3849
3850                 err = avc_has_perm(sksec->sid, sid,
3851                                    sksec->sclass, node_perm, &ad);
3852                 if (err)
3853                         goto out;
3854         }
3855 out:
3856         return err;
3857 }
3858
3859 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3860 {
3861         struct sock *sk = sock->sk;
3862         struct sk_security_struct *sksec = sk->sk_security;
3863         int err;
3864
3865         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3866         if (err)
3867                 return err;
3868
3869         /*
3870          * If a TCP or DCCP socket, check name_connect permission for the port.
3871          */
3872         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3873             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3874                 struct common_audit_data ad;
3875                 struct sockaddr_in *addr4 = NULL;
3876                 struct sockaddr_in6 *addr6 = NULL;
3877                 unsigned short snum;
3878                 u32 sid, perm;
3879
3880                 if (sk->sk_family == PF_INET) {
3881                         addr4 = (struct sockaddr_in *)address;
3882                         if (addrlen < sizeof(struct sockaddr_in))
3883                                 return -EINVAL;
3884                         snum = ntohs(addr4->sin_port);
3885                 } else {
3886                         addr6 = (struct sockaddr_in6 *)address;
3887                         if (addrlen < SIN6_LEN_RFC2133)
3888                                 return -EINVAL;
3889                         snum = ntohs(addr6->sin6_port);
3890                 }
3891
3892                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3893                 if (err)
3894                         goto out;
3895
3896                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3897                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3898
3899                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3900                 ad.u.net.dport = htons(snum);
3901                 ad.u.net.family = sk->sk_family;
3902                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3903                 if (err)
3904                         goto out;
3905         }
3906
3907         err = selinux_netlbl_socket_connect(sk, address);
3908
3909 out:
3910         return err;
3911 }
3912
3913 static int selinux_socket_listen(struct socket *sock, int backlog)
3914 {
3915         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3916 }
3917
3918 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3919 {
3920         int err;
3921         struct inode_security_struct *isec;
3922         struct inode_security_struct *newisec;
3923
3924         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3925         if (err)
3926                 return err;
3927
3928         newisec = SOCK_INODE(newsock)->i_security;
3929
3930         isec = SOCK_INODE(sock)->i_security;
3931         newisec->sclass = isec->sclass;
3932         newisec->sid = isec->sid;
3933         newisec->initialized = 1;
3934
3935         return 0;
3936 }
3937
3938 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3939                                   int size)
3940 {
3941         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3942 }
3943
3944 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3945                                   int size, int flags)
3946 {
3947         return sock_has_perm(current, sock->sk, SOCKET__READ);
3948 }
3949
3950 static int selinux_socket_getsockname(struct socket *sock)
3951 {
3952         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3953 }
3954
3955 static int selinux_socket_getpeername(struct socket *sock)
3956 {
3957         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3958 }
3959
3960 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3961 {
3962         int err;
3963
3964         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3965         if (err)
3966                 return err;
3967
3968         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3969 }
3970
3971 static int selinux_socket_getsockopt(struct socket *sock, int level,
3972                                      int optname)
3973 {
3974         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3975 }
3976
3977 static int selinux_socket_shutdown(struct socket *sock, int how)
3978 {
3979         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
3980 }
3981
3982 static int selinux_socket_unix_stream_connect(struct sock *sock,
3983                                               struct sock *other,
3984                                               struct sock *newsk)
3985 {
3986         struct sk_security_struct *sksec_sock = sock->sk_security;
3987         struct sk_security_struct *sksec_other = other->sk_security;
3988         struct sk_security_struct *sksec_new = newsk->sk_security;
3989         struct common_audit_data ad;
3990         int err;
3991
3992         COMMON_AUDIT_DATA_INIT(&ad, NET);
3993         ad.u.net.sk = other;
3994
3995         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
3996                            sksec_other->sclass,
3997                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3998         if (err)
3999                 return err;
4000
4001         /* server child socket */
4002         sksec_new->peer_sid = sksec_sock->sid;
4003         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4004                                     &sksec_new->sid);
4005         if (err)
4006                 return err;
4007
4008         /* connecting socket */
4009         sksec_sock->peer_sid = sksec_new->sid;
4010
4011         return 0;
4012 }
4013
4014 static int selinux_socket_unix_may_send(struct socket *sock,
4015                                         struct socket *other)
4016 {
4017         struct sk_security_struct *ssec = sock->sk->sk_security;
4018         struct sk_security_struct *osec = other->sk->sk_security;
4019         struct common_audit_data ad;
4020
4021         COMMON_AUDIT_DATA_INIT(&ad, NET);
4022         ad.u.net.sk = other->sk;
4023
4024         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4025                             &ad);
4026 }
4027
4028 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4029                                     u32 peer_sid,
4030                                     struct common_audit_data *ad)
4031 {
4032         int err;
4033         u32 if_sid;
4034         u32 node_sid;
4035
4036         err = sel_netif_sid(ifindex, &if_sid);
4037         if (err)
4038                 return err;
4039         err = avc_has_perm(peer_sid, if_sid,
4040                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4041         if (err)
4042                 return err;
4043
4044         err = sel_netnode_sid(addrp, family, &node_sid);
4045         if (err)
4046                 return err;
4047         return avc_has_perm(peer_sid, node_sid,
4048                             SECCLASS_NODE, NODE__RECVFROM, ad);
4049 }
4050
4051 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4052                                        u16 family)
4053 {
4054         int err = 0;
4055         struct sk_security_struct *sksec = sk->sk_security;
4056         u32 sk_sid = sksec->sid;
4057         struct common_audit_data ad;
4058         char *addrp;
4059
4060         COMMON_AUDIT_DATA_INIT(&ad, NET);
4061         ad.u.net.netif = skb->skb_iif;
4062         ad.u.net.family = family;
4063         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4064         if (err)
4065                 return err;
4066
4067         if (selinux_secmark_enabled()) {
4068                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4069                                    PACKET__RECV, &ad);
4070                 if (err)
4071                         return err;
4072         }
4073
4074         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4075         if (err)
4076                 return err;
4077         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4078
4079         return err;
4080 }
4081
4082 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4083 {
4084         int err;
4085         struct sk_security_struct *sksec = sk->sk_security;
4086         u16 family = sk->sk_family;
4087         u32 sk_sid = sksec->sid;
4088         struct common_audit_data ad;
4089         char *addrp;
4090         u8 secmark_active;
4091         u8 peerlbl_active;
4092
4093         if (family != PF_INET && family != PF_INET6)
4094                 return 0;
4095
4096         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4097         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4098                 family = PF_INET;
4099
4100         /* If any sort of compatibility mode is enabled then handoff processing
4101          * to the selinux_sock_rcv_skb_compat() function to deal with the
4102          * special handling.  We do this in an attempt to keep this function
4103          * as fast and as clean as possible. */
4104         if (!selinux_policycap_netpeer)
4105                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4106
4107         secmark_active = selinux_secmark_enabled();
4108         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4109         if (!secmark_active && !peerlbl_active)
4110                 return 0;
4111
4112         COMMON_AUDIT_DATA_INIT(&ad, NET);
4113         ad.u.net.netif = skb->skb_iif;
4114         ad.u.net.family = family;
4115         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4116         if (err)
4117                 return err;
4118
4119         if (peerlbl_active) {
4120                 u32 peer_sid;
4121
4122                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4123                 if (err)
4124                         return err;
4125                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4126                                                peer_sid, &ad);
4127                 if (err) {
4128                         selinux_netlbl_err(skb, err, 0);
4129                         return err;
4130                 }
4131                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4132                                    PEER__RECV, &ad);
4133                 if (err)
4134                         selinux_netlbl_err(skb, err, 0);
4135         }
4136
4137         if (secmark_active) {
4138                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4139                                    PACKET__RECV, &ad);
4140                 if (err)
4141                         return err;
4142         }
4143
4144         return err;
4145 }
4146
4147 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4148                                             int __user *optlen, unsigned len)
4149 {
4150         int err = 0;
4151         char *scontext;
4152         u32 scontext_len;
4153         struct sk_security_struct *sksec = sock->sk->sk_security;
4154         u32 peer_sid = SECSID_NULL;
4155
4156         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4157             sksec->sclass == SECCLASS_TCP_SOCKET)
4158                 peer_sid = sksec->peer_sid;
4159         if (peer_sid == SECSID_NULL)
4160                 return -ENOPROTOOPT;
4161
4162         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4163         if (err)
4164                 return err;
4165
4166         if (scontext_len > len) {
4167                 err = -ERANGE;
4168                 goto out_len;
4169         }
4170
4171         if (copy_to_user(optval, scontext, scontext_len))
4172                 err = -EFAULT;
4173
4174 out_len:
4175         if (put_user(scontext_len, optlen))
4176                 err = -EFAULT;
4177         kfree(scontext);
4178         return err;
4179 }
4180
4181 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4182 {
4183         u32 peer_secid = SECSID_NULL;
4184         u16 family;
4185
4186         if (skb && skb->protocol == htons(ETH_P_IP))
4187                 family = PF_INET;
4188         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4189                 family = PF_INET6;
4190         else if (sock)
4191                 family = sock->sk->sk_family;
4192         else
4193                 goto out;
4194
4195         if (sock && family == PF_UNIX)
4196                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4197         else if (skb)
4198                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4199
4200 out:
4201         *secid = peer_secid;
4202         if (peer_secid == SECSID_NULL)
4203                 return -EINVAL;
4204         return 0;
4205 }
4206
4207 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4208 {
4209         struct sk_security_struct *sksec;
4210
4211         sksec = kzalloc(sizeof(*sksec), priority);
4212         if (!sksec)
4213                 return -ENOMEM;
4214
4215         sksec->peer_sid = SECINITSID_UNLABELED;
4216         sksec->sid = SECINITSID_UNLABELED;
4217         selinux_netlbl_sk_security_reset(sksec);
4218         sk->sk_security = sksec;
4219
4220         return 0;
4221 }
4222
4223 static void selinux_sk_free_security(struct sock *sk)
4224 {
4225         struct sk_security_struct *sksec = sk->sk_security;
4226
4227         sk->sk_security = NULL;
4228         selinux_netlbl_sk_security_free(sksec);
4229         kfree(sksec);
4230 }
4231
4232 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4233 {
4234         struct sk_security_struct *sksec = sk->sk_security;
4235         struct sk_security_struct *newsksec = newsk->sk_security;
4236
4237         newsksec->sid = sksec->sid;
4238         newsksec->peer_sid = sksec->peer_sid;
4239         newsksec->sclass = sksec->sclass;
4240
4241         selinux_netlbl_sk_security_reset(newsksec);
4242 }
4243
4244 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4245 {
4246         if (!sk)
4247                 *secid = SECINITSID_ANY_SOCKET;
4248         else {
4249                 struct sk_security_struct *sksec = sk->sk_security;
4250
4251                 *secid = sksec->sid;
4252         }
4253 }
4254
4255 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4256 {
4257         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4258         struct sk_security_struct *sksec = sk->sk_security;
4259
4260         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4261             sk->sk_family == PF_UNIX)
4262                 isec->sid = sksec->sid;
4263         sksec->sclass = isec->sclass;
4264 }
4265
4266 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4267                                      struct request_sock *req)
4268 {
4269         struct sk_security_struct *sksec = sk->sk_security;
4270         int err;
4271         u16 family = sk->sk_family;
4272         u32 newsid;
4273         u32 peersid;
4274
4275         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4276         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4277                 family = PF_INET;
4278
4279         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4280         if (err)
4281                 return err;
4282         if (peersid == SECSID_NULL) {
4283                 req->secid = sksec->sid;
4284                 req->peer_secid = SECSID_NULL;
4285         } else {
4286                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4287                 if (err)
4288                         return err;
4289                 req->secid = newsid;
4290                 req->peer_secid = peersid;
4291         }
4292
4293         return selinux_netlbl_inet_conn_request(req, family);
4294 }
4295
4296 static void selinux_inet_csk_clone(struct sock *newsk,
4297                                    const struct request_sock *req)
4298 {
4299         struct sk_security_struct *newsksec = newsk->sk_security;
4300
4301         newsksec->sid = req->secid;
4302         newsksec->peer_sid = req->peer_secid;
4303         /* NOTE: Ideally, we should also get the isec->sid for the
4304            new socket in sync, but we don't have the isec available yet.
4305            So we will wait until sock_graft to do it, by which
4306            time it will have been created and available. */
4307
4308         /* We don't need to take any sort of lock here as we are the only
4309          * thread with access to newsksec */
4310         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4311 }
4312
4313 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4314 {
4315         u16 family = sk->sk_family;
4316         struct sk_security_struct *sksec = sk->sk_security;
4317
4318         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4319         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4320                 family = PF_INET;
4321
4322         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4323 }
4324
4325 static int selinux_secmark_relabel_packet(u32 sid)
4326 {
4327         const struct task_security_struct *__tsec;
4328         u32 tsid;
4329
4330         __tsec = current_security();
4331         tsid = __tsec->sid;
4332
4333         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4334 }
4335
4336 static void selinux_secmark_refcount_inc(void)
4337 {
4338         atomic_inc(&selinux_secmark_refcount);
4339 }
4340
4341 static void selinux_secmark_refcount_dec(void)
4342 {
4343         atomic_dec(&selinux_secmark_refcount);
4344 }
4345
4346 static void selinux_req_classify_flow(const struct request_sock *req,
4347                                       struct flowi *fl)
4348 {
4349         fl->secid = req->secid;
4350 }
4351
4352 static int selinux_tun_dev_create(void)
4353 {
4354         u32 sid = current_sid();
4355
4356         /* we aren't taking into account the "sockcreate" SID since the socket
4357          * that is being created here is not a socket in the traditional sense,
4358          * instead it is a private sock, accessible only to the kernel, and
4359          * representing a wide range of network traffic spanning multiple
4360          * connections unlike traditional sockets - check the TUN driver to
4361          * get a better understanding of why this socket is special */
4362
4363         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4364                             NULL);
4365 }
4366
4367 static void selinux_tun_dev_post_create(struct sock *sk)
4368 {
4369         struct sk_security_struct *sksec = sk->sk_security;
4370
4371         /* we don't currently perform any NetLabel based labeling here and it
4372          * isn't clear that we would want to do so anyway; while we could apply
4373          * labeling without the support of the TUN user the resulting labeled
4374          * traffic from the other end of the connection would almost certainly
4375          * cause confusion to the TUN user that had no idea network labeling
4376          * protocols were being used */
4377
4378         /* see the comments in selinux_tun_dev_create() about why we don't use
4379          * the sockcreate SID here */
4380
4381         sksec->sid = current_sid();
4382         sksec->sclass = SECCLASS_TUN_SOCKET;
4383 }
4384
4385 static int selinux_tun_dev_attach(struct sock *sk)
4386 {
4387         struct sk_security_struct *sksec = sk->sk_security;
4388         u32 sid = current_sid();
4389         int err;
4390
4391         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4392                            TUN_SOCKET__RELABELFROM, NULL);
4393         if (err)
4394                 return err;
4395         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4396                            TUN_SOCKET__RELABELTO, NULL);
4397         if (err)
4398                 return err;
4399
4400         sksec->sid = sid;
4401
4402         return 0;
4403 }
4404
4405 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4406 {
4407         int err = 0;
4408         u32 perm;
4409         struct nlmsghdr *nlh;
4410         struct sk_security_struct *sksec = sk->sk_security;
4411
4412         if (skb->len < NLMSG_SPACE(0)) {
4413                 err = -EINVAL;
4414                 goto out;
4415         }
4416         nlh = nlmsg_hdr(skb);
4417
4418         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4419         if (err) {
4420                 if (err == -EINVAL) {
4421                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4422                                   "SELinux:  unrecognized netlink message"
4423                                   " type=%hu for sclass=%hu\n",
4424                                   nlh->nlmsg_type, sksec->sclass);
4425                         if (!selinux_enforcing || security_get_allow_unknown())
4426                                 err = 0;
4427                 }
4428
4429                 /* Ignore */
4430                 if (err == -ENOENT)
4431                         err = 0;
4432                 goto out;
4433         }
4434
4435         err = sock_has_perm(current, sk, perm);
4436 out:
4437         return err;
4438 }
4439
4440 #ifdef CONFIG_NETFILTER
4441
4442 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4443                                        u16 family)
4444 {
4445         int err;
4446         char *addrp;
4447         u32 peer_sid;
4448         struct common_audit_data ad;
4449         u8 secmark_active;
4450         u8 netlbl_active;
4451         u8 peerlbl_active;
4452
4453         if (!selinux_policycap_netpeer)
4454                 return NF_ACCEPT;
4455
4456         secmark_active = selinux_secmark_enabled();
4457         netlbl_active = netlbl_enabled();
4458         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4459         if (!secmark_active && !peerlbl_active)
4460                 return NF_ACCEPT;
4461
4462         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4463                 return NF_DROP;
4464
4465         COMMON_AUDIT_DATA_INIT(&ad, NET);
4466         ad.u.net.netif = ifindex;
4467         ad.u.net.family = family;
4468         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4469                 return NF_DROP;
4470
4471         if (peerlbl_active) {
4472                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4473                                                peer_sid, &ad);
4474                 if (err) {
4475                         selinux_netlbl_err(skb, err, 1);
4476                         return NF_DROP;
4477                 }
4478         }
4479
4480         if (secmark_active)
4481                 if (avc_has_perm(peer_sid, skb->secmark,
4482                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4483                         return NF_DROP;
4484
4485         if (netlbl_active)
4486                 /* we do this in the FORWARD path and not the POST_ROUTING
4487                  * path because we want to make sure we apply the necessary
4488                  * labeling before IPsec is applied so we can leverage AH
4489                  * protection */
4490                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4491                         return NF_DROP;
4492
4493         return NF_ACCEPT;
4494 }
4495
4496 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4497                                          struct sk_buff *skb,
4498                                          const struct net_device *in,
4499                                          const struct net_device *out,
4500                                          int (*okfn)(struct sk_buff *))
4501 {
4502         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4503 }
4504
4505 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4506 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4507                                          struct sk_buff *skb,
4508                                          const struct net_device *in,
4509                                          const struct net_device *out,
4510                                          int (*okfn)(struct sk_buff *))
4511 {
4512         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4513 }
4514 #endif  /* IPV6 */
4515
4516 static unsigned int selinux_ip_output(struct sk_buff *skb,
4517                                       u16 family)
4518 {
4519         u32 sid;
4520
4521         if (!netlbl_enabled())
4522                 return NF_ACCEPT;
4523
4524         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4525          * because we want to make sure we apply the necessary labeling
4526          * before IPsec is applied so we can leverage AH protection */
4527         if (skb->sk) {
4528                 struct sk_security_struct *sksec = skb->sk->sk_security;
4529                 sid = sksec->sid;
4530         } else
4531                 sid = SECINITSID_KERNEL;
4532         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4533                 return NF_DROP;
4534
4535         return NF_ACCEPT;
4536 }
4537
4538 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4539                                         struct sk_buff *skb,
4540                                         const struct net_device *in,
4541                                         const struct net_device *out,
4542                                         int (*okfn)(struct sk_buff *))
4543 {
4544         return selinux_ip_output(skb, PF_INET);
4545 }
4546
4547 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4548                                                 int ifindex,
4549                                                 u16 family)
4550 {
4551         struct sock *sk = skb->sk;
4552         struct sk_security_struct *sksec;
4553         struct common_audit_data ad;
4554         char *addrp;
4555         u8 proto;
4556
4557         if (sk == NULL)
4558                 return NF_ACCEPT;
4559         sksec = sk->sk_security;
4560
4561         COMMON_AUDIT_DATA_INIT(&ad, NET);
4562         ad.u.net.netif = ifindex;
4563         ad.u.net.family = family;
4564         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4565                 return NF_DROP;
4566
4567         if (selinux_secmark_enabled())
4568                 if (avc_has_perm(sksec->sid, skb->secmark,
4569                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4570                         return NF_DROP_ERR(-ECONNREFUSED);
4571
4572         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4573                 return NF_DROP_ERR(-ECONNREFUSED);
4574
4575         return NF_ACCEPT;
4576 }
4577
4578 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4579                                          u16 family)
4580 {
4581         u32 secmark_perm;
4582         u32 peer_sid;
4583         struct sock *sk;
4584         struct common_audit_data ad;
4585         char *addrp;
4586         u8 secmark_active;
4587         u8 peerlbl_active;
4588
4589         /* If any sort of compatibility mode is enabled then handoff processing
4590          * to the selinux_ip_postroute_compat() function to deal with the
4591          * special handling.  We do this in an attempt to keep this function
4592          * as fast and as clean as possible. */
4593         if (!selinux_policycap_netpeer)
4594                 return selinux_ip_postroute_compat(skb, ifindex, family);
4595 #ifdef CONFIG_XFRM
4596         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4597          * packet transformation so allow the packet to pass without any checks
4598          * since we'll have another chance to perform access control checks
4599          * when the packet is on it's final way out.
4600          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4601          *       is NULL, in this case go ahead and apply access control. */
4602         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4603                 return NF_ACCEPT;
4604 #endif
4605         secmark_active = selinux_secmark_enabled();
4606         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4607         if (!secmark_active && !peerlbl_active)
4608                 return NF_ACCEPT;
4609
4610         /* if the packet is being forwarded then get the peer label from the
4611          * packet itself; otherwise check to see if it is from a local
4612          * application or the kernel, if from an application get the peer label
4613          * from the sending socket, otherwise use the kernel's sid */
4614         sk = skb->sk;
4615         if (sk == NULL) {
4616                 if (skb->skb_iif) {
4617                         secmark_perm = PACKET__FORWARD_OUT;
4618                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4619                                 return NF_DROP;
4620                 } else {
4621                         secmark_perm = PACKET__SEND;
4622                         peer_sid = SECINITSID_KERNEL;
4623                 }
4624         } else {
4625                 struct sk_security_struct *sksec = sk->sk_security;
4626                 peer_sid = sksec->sid;
4627                 secmark_perm = PACKET__SEND;
4628         }
4629
4630         COMMON_AUDIT_DATA_INIT(&ad, NET);
4631         ad.u.net.netif = ifindex;
4632         ad.u.net.family = family;
4633         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4634                 return NF_DROP;
4635
4636         if (secmark_active)
4637                 if (avc_has_perm(peer_sid, skb->secmark,
4638                                  SECCLASS_PACKET, secmark_perm, &ad))
4639                         return NF_DROP_ERR(-ECONNREFUSED);
4640
4641         if (peerlbl_active) {
4642                 u32 if_sid;
4643                 u32 node_sid;
4644
4645                 if (sel_netif_sid(ifindex, &if_sid))
4646                         return NF_DROP;
4647                 if (avc_has_perm(peer_sid, if_sid,
4648                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4649                         return NF_DROP_ERR(-ECONNREFUSED);
4650
4651                 if (sel_netnode_sid(addrp, family, &node_sid))
4652                         return NF_DROP;
4653                 if (avc_has_perm(peer_sid, node_sid,
4654                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4655                         return NF_DROP_ERR(-ECONNREFUSED);
4656         }
4657
4658         return NF_ACCEPT;
4659 }
4660
4661 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4662                                            struct sk_buff *skb,
4663                                            const struct net_device *in,
4664                                            const struct net_device *out,
4665                                            int (*okfn)(struct sk_buff *))
4666 {
4667         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4668 }
4669
4670 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4671 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4672                                            struct sk_buff *skb,
4673                                            const struct net_device *in,
4674                                            const struct net_device *out,
4675                                            int (*okfn)(struct sk_buff *))
4676 {
4677         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4678 }
4679 #endif  /* IPV6 */
4680
4681 #endif  /* CONFIG_NETFILTER */
4682
4683 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4684 {
4685         int err;
4686
4687         err = cap_netlink_send(sk, skb);
4688         if (err)
4689                 return err;
4690
4691         return selinux_nlmsg_perm(sk, skb);
4692 }
4693
4694 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4695 {
4696         int err;
4697         struct common_audit_data ad;
4698
4699         err = cap_netlink_recv(skb, capability);
4700         if (err)
4701                 return err;
4702
4703         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4704         ad.u.cap = capability;
4705
4706         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4707                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4708 }
4709
4710 static int ipc_alloc_security(struct task_struct *task,
4711                               struct kern_ipc_perm *perm,
4712                               u16 sclass)
4713 {
4714         struct ipc_security_struct *isec;
4715         u32 sid;
4716
4717         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4718         if (!isec)
4719                 return -ENOMEM;
4720
4721         sid = task_sid(task);
4722         isec->sclass = sclass;
4723         isec->sid = sid;
4724         perm->security = isec;
4725
4726         return 0;
4727 }
4728
4729 static void ipc_free_security(struct kern_ipc_perm *perm)
4730 {
4731         struct ipc_security_struct *isec = perm->security;
4732         perm->security = NULL;
4733         kfree(isec);
4734 }
4735
4736 static int msg_msg_alloc_security(struct msg_msg *msg)
4737 {
4738         struct msg_security_struct *msec;
4739
4740         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4741         if (!msec)
4742                 return -ENOMEM;
4743
4744         msec->sid = SECINITSID_UNLABELED;
4745         msg->security = msec;
4746
4747         return 0;
4748 }
4749
4750 static void msg_msg_free_security(struct msg_msg *msg)
4751 {
4752         struct msg_security_struct *msec = msg->security;
4753
4754         msg->security = NULL;
4755         kfree(msec);
4756 }
4757
4758 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4759                         u32 perms)
4760 {
4761         struct ipc_security_struct *isec;
4762         struct common_audit_data ad;
4763         u32 sid = current_sid();
4764
4765         isec = ipc_perms->security;
4766
4767         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4768         ad.u.ipc_id = ipc_perms->key;
4769
4770         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4771 }
4772
4773 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4774 {
4775         return msg_msg_alloc_security(msg);
4776 }
4777
4778 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4779 {
4780         msg_msg_free_security(msg);
4781 }
4782
4783 /* message queue security operations */
4784 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4785 {
4786         struct ipc_security_struct *isec;
4787         struct common_audit_data ad;
4788         u32 sid = current_sid();
4789         int rc;
4790
4791         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4792         if (rc)
4793                 return rc;
4794
4795         isec = msq->q_perm.security;
4796
4797         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4798         ad.u.ipc_id = msq->q_perm.key;
4799
4800         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4801                           MSGQ__CREATE, &ad);
4802         if (rc) {
4803                 ipc_free_security(&msq->q_perm);
4804                 return rc;
4805         }
4806         return 0;
4807 }
4808
4809 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4810 {
4811         ipc_free_security(&msq->q_perm);
4812 }
4813
4814 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4815 {
4816         struct ipc_security_struct *isec;
4817         struct common_audit_data ad;
4818         u32 sid = current_sid();
4819
4820         isec = msq->q_perm.security;
4821
4822         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4823         ad.u.ipc_id = msq->q_perm.key;
4824
4825         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4826                             MSGQ__ASSOCIATE, &ad);
4827 }
4828
4829 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4830 {
4831         int err;
4832         int perms;
4833
4834         switch (cmd) {
4835         case IPC_INFO:
4836         case MSG_INFO:
4837                 /* No specific object, just general system-wide information. */
4838                 return task_has_system(current, SYSTEM__IPC_INFO);
4839         case IPC_STAT:
4840         case MSG_STAT:
4841                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4842                 break;
4843         case IPC_SET:
4844                 perms = MSGQ__SETATTR;
4845                 break;
4846         case IPC_RMID:
4847                 perms = MSGQ__DESTROY;
4848                 break;
4849         default:
4850                 return 0;
4851         }
4852
4853         err = ipc_has_perm(&msq->q_perm, perms);
4854         return err;
4855 }
4856
4857 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4858 {
4859         struct ipc_security_struct *isec;
4860         struct msg_security_struct *msec;
4861         struct common_audit_data ad;
4862         u32 sid = current_sid();
4863         int rc;
4864
4865         isec = msq->q_perm.security;
4866         msec = msg->security;
4867
4868         /*
4869          * First time through, need to assign label to the message
4870          */
4871         if (msec->sid == SECINITSID_UNLABELED) {
4872                 /*
4873                  * Compute new sid based on current process and
4874                  * message queue this message will be stored in
4875                  */
4876                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4877                                              NULL, &msec->sid);
4878                 if (rc)
4879                         return rc;
4880         }
4881
4882         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4883         ad.u.ipc_id = msq->q_perm.key;
4884
4885         /* Can this process write to the queue? */
4886         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4887                           MSGQ__WRITE, &ad);
4888         if (!rc)
4889                 /* Can this process send the message */
4890                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4891                                   MSG__SEND, &ad);
4892         if (!rc)
4893                 /* Can the message be put in the queue? */
4894                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4895                                   MSGQ__ENQUEUE, &ad);
4896
4897         return rc;
4898 }
4899
4900 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4901                                     struct task_struct *target,
4902                                     long type, int mode)
4903 {
4904         struct ipc_security_struct *isec;
4905         struct msg_security_struct *msec;
4906         struct common_audit_data ad;
4907         u32 sid = task_sid(target);
4908         int rc;
4909
4910         isec = msq->q_perm.security;
4911         msec = msg->security;
4912
4913         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4914         ad.u.ipc_id = msq->q_perm.key;
4915
4916         rc = avc_has_perm(sid, isec->sid,
4917                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4918         if (!rc)
4919                 rc = avc_has_perm(sid, msec->sid,
4920                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4921         return rc;
4922 }
4923
4924 /* Shared Memory security operations */
4925 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4926 {
4927         struct ipc_security_struct *isec;
4928         struct common_audit_data ad;
4929         u32 sid = current_sid();
4930         int rc;
4931
4932         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4933         if (rc)
4934                 return rc;
4935
4936         isec = shp->shm_perm.security;
4937
4938         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4939         ad.u.ipc_id = shp->shm_perm.key;
4940
4941         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4942                           SHM__CREATE, &ad);
4943         if (rc) {
4944                 ipc_free_security(&shp->shm_perm);
4945                 return rc;
4946         }
4947         return 0;
4948 }
4949
4950 static void selinux_shm_free_security(struct shmid_kernel *shp)
4951 {
4952         ipc_free_security(&shp->shm_perm);
4953 }
4954
4955 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4956 {
4957         struct ipc_security_struct *isec;
4958         struct common_audit_data ad;
4959         u32 sid = current_sid();
4960
4961         isec = shp->shm_perm.security;
4962
4963         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4964         ad.u.ipc_id = shp->shm_perm.key;
4965
4966         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4967                             SHM__ASSOCIATE, &ad);
4968 }
4969
4970 /* Note, at this point, shp is locked down */
4971 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4972 {
4973         int perms;
4974         int err;
4975
4976         switch (cmd) {
4977         case IPC_INFO:
4978         case SHM_INFO:
4979                 /* No specific object, just general system-wide information. */
4980                 return task_has_system(current, SYSTEM__IPC_INFO);
4981         case IPC_STAT:
4982         case SHM_STAT:
4983                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4984                 break;
4985         case IPC_SET:
4986                 perms = SHM__SETATTR;
4987                 break;
4988         case SHM_LOCK:
4989         case SHM_UNLOCK:
4990                 perms = SHM__LOCK;
4991                 break;
4992         case IPC_RMID:
4993                 perms = SHM__DESTROY;
4994                 break;
4995         default:
4996                 return 0;
4997         }
4998
4999         err = ipc_has_perm(&shp->shm_perm, perms);
5000         return err;
5001 }
5002
5003 static int selinux_shm_shmat(struct shmid_kernel *shp,
5004                              char __user *shmaddr, int shmflg)
5005 {
5006         u32 perms;
5007
5008         if (shmflg & SHM_RDONLY)
5009                 perms = SHM__READ;
5010         else
5011                 perms = SHM__READ | SHM__WRITE;
5012
5013         return ipc_has_perm(&shp->shm_perm, perms);
5014 }
5015
5016 /* Semaphore security operations */
5017 static int selinux_sem_alloc_security(struct sem_array *sma)
5018 {
5019         struct ipc_security_struct *isec;
5020         struct common_audit_data ad;
5021         u32 sid = current_sid();
5022         int rc;
5023
5024         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5025         if (rc)
5026                 return rc;
5027
5028         isec = sma->sem_perm.security;
5029
5030         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5031         ad.u.ipc_id = sma->sem_perm.key;
5032
5033         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5034                           SEM__CREATE, &ad);
5035         if (rc) {
5036                 ipc_free_security(&sma->sem_perm);
5037                 return rc;
5038         }
5039         return 0;
5040 }
5041
5042 static void selinux_sem_free_security(struct sem_array *sma)
5043 {
5044         ipc_free_security(&sma->sem_perm);
5045 }
5046
5047 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5048 {
5049         struct ipc_security_struct *isec;
5050         struct common_audit_data ad;
5051         u32 sid = current_sid();
5052
5053         isec = sma->sem_perm.security;
5054
5055         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5056         ad.u.ipc_id = sma->sem_perm.key;
5057
5058         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5059                             SEM__ASSOCIATE, &ad);
5060 }
5061
5062 /* Note, at this point, sma is locked down */
5063 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5064 {
5065         int err;
5066         u32 perms;
5067
5068         switch (cmd) {
5069         case IPC_INFO:
5070         case SEM_INFO:
5071                 /* No specific object, just general system-wide information. */
5072                 return task_has_system(current, SYSTEM__IPC_INFO);
5073         case GETPID:
5074         case GETNCNT:
5075         case GETZCNT:
5076                 perms = SEM__GETATTR;
5077                 break;
5078         case GETVAL:
5079         case GETALL:
5080                 perms = SEM__READ;
5081                 break;
5082         case SETVAL:
5083         case SETALL:
5084                 perms = SEM__WRITE;
5085                 break;
5086         case IPC_RMID:
5087                 perms = SEM__DESTROY;
5088                 break;
5089         case IPC_SET:
5090                 perms = SEM__SETATTR;
5091                 break;
5092         case IPC_STAT:
5093         case SEM_STAT:
5094                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5095                 break;
5096         default:
5097                 return 0;
5098         }
5099
5100         err = ipc_has_perm(&sma->sem_perm, perms);
5101         return err;
5102 }
5103
5104 static int selinux_sem_semop(struct sem_array *sma,
5105                              struct sembuf *sops, unsigned nsops, int alter)
5106 {
5107         u32 perms;
5108
5109         if (alter)
5110                 perms = SEM__READ | SEM__WRITE;
5111         else
5112                 perms = SEM__READ;
5113
5114         return ipc_has_perm(&sma->sem_perm, perms);
5115 }
5116
5117 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5118 {
5119         u32 av = 0;
5120
5121         av = 0;
5122         if (flag & S_IRUGO)
5123                 av |= IPC__UNIX_READ;
5124         if (flag & S_IWUGO)
5125                 av |= IPC__UNIX_WRITE;
5126
5127         if (av == 0)
5128                 return 0;
5129
5130         return ipc_has_perm(ipcp, av);
5131 }
5132
5133 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5134 {
5135         struct ipc_security_struct *isec = ipcp->security;
5136         *secid = isec->sid;
5137 }
5138
5139 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5140 {
5141         if (inode)
5142                 inode_doinit_with_dentry(inode, dentry);
5143 }
5144
5145 static int selinux_getprocattr(struct task_struct *p,
5146                                char *name, char **value)
5147 {
5148         const struct task_security_struct *__tsec;
5149         u32 sid;
5150         int error;
5151         unsigned len;
5152
5153         if (current != p) {
5154                 error = current_has_perm(p, PROCESS__GETATTR);
5155                 if (error)
5156                         return error;
5157         }
5158
5159         rcu_read_lock();
5160         __tsec = __task_cred(p)->security;
5161
5162         if (!strcmp(name, "current"))
5163                 sid = __tsec->sid;
5164         else if (!strcmp(name, "prev"))
5165                 sid = __tsec->osid;
5166         else if (!strcmp(name, "exec"))
5167                 sid = __tsec->exec_sid;
5168         else if (!strcmp(name, "fscreate"))
5169                 sid = __tsec->create_sid;
5170         else if (!strcmp(name, "keycreate"))
5171                 sid = __tsec->keycreate_sid;
5172         else if (!strcmp(name, "sockcreate"))
5173                 sid = __tsec->sockcreate_sid;
5174         else
5175                 goto invalid;
5176         rcu_read_unlock();
5177
5178         if (!sid)
5179                 return 0;
5180
5181         error = security_sid_to_context(sid, value, &len);
5182         if (error)
5183                 return error;
5184         return len;
5185
5186 invalid:
5187         rcu_read_unlock();
5188         return -EINVAL;
5189 }
5190
5191 static int selinux_setprocattr(struct task_struct *p,
5192                                char *name, void *value, size_t size)
5193 {
5194         struct task_security_struct *tsec;
5195         struct task_struct *tracer;
5196         struct cred *new;
5197         u32 sid = 0, ptsid;
5198         int error;
5199         char *str = value;
5200
5201         if (current != p) {
5202                 /* SELinux only allows a process to change its own
5203                    security attributes. */
5204                 return -EACCES;
5205         }
5206
5207         /*
5208          * Basic control over ability to set these attributes at all.
5209          * current == p, but we'll pass them separately in case the
5210          * above restriction is ever removed.
5211          */
5212         if (!strcmp(name, "exec"))
5213                 error = current_has_perm(p, PROCESS__SETEXEC);
5214         else if (!strcmp(name, "fscreate"))
5215                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5216         else if (!strcmp(name, "keycreate"))
5217                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5218         else if (!strcmp(name, "sockcreate"))
5219                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5220         else if (!strcmp(name, "current"))
5221                 error = current_has_perm(p, PROCESS__SETCURRENT);
5222         else
5223                 error = -EINVAL;
5224         if (error)
5225                 return error;
5226
5227         /* Obtain a SID for the context, if one was specified. */
5228         if (size && str[1] && str[1] != '\n') {
5229                 if (str[size-1] == '\n') {
5230                         str[size-1] = 0;
5231                         size--;
5232                 }
5233                 error = security_context_to_sid(value, size, &sid);
5234                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5235                         if (!capable(CAP_MAC_ADMIN))
5236                                 return error;
5237                         error = security_context_to_sid_force(value, size,
5238                                                               &sid);
5239                 }
5240                 if (error)
5241                         return error;
5242         }
5243
5244         new = prepare_creds();
5245         if (!new)
5246                 return -ENOMEM;
5247
5248         /* Permission checking based on the specified context is
5249            performed during the actual operation (execve,
5250            open/mkdir/...), when we know the full context of the
5251            operation.  See selinux_bprm_set_creds for the execve
5252            checks and may_create for the file creation checks. The
5253            operation will then fail if the context is not permitted. */
5254         tsec = new->security;
5255         if (!strcmp(name, "exec")) {
5256                 tsec->exec_sid = sid;
5257         } else if (!strcmp(name, "fscreate")) {
5258                 tsec->create_sid = sid;
5259         } else if (!strcmp(name, "keycreate")) {
5260                 error = may_create_key(sid, p);
5261                 if (error)
5262                         goto abort_change;
5263                 tsec->keycreate_sid = sid;
5264         } else if (!strcmp(name, "sockcreate")) {
5265                 tsec->sockcreate_sid = sid;
5266         } else if (!strcmp(name, "current")) {
5267                 error = -EINVAL;
5268                 if (sid == 0)
5269                         goto abort_change;
5270
5271                 /* Only allow single threaded processes to change context */
5272                 error = -EPERM;
5273                 if (!current_is_single_threaded()) {
5274                         error = security_bounded_transition(tsec->sid, sid);
5275                         if (error)
5276                                 goto abort_change;
5277                 }
5278
5279                 /* Check permissions for the transition. */
5280                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5281                                      PROCESS__DYNTRANSITION, NULL);
5282                 if (error)
5283                         goto abort_change;
5284
5285                 /* Check for ptracing, and update the task SID if ok.
5286                    Otherwise, leave SID unchanged and fail. */
5287                 ptsid = 0;
5288                 task_lock(p);
5289                 tracer = tracehook_tracer_task(p);
5290                 if (tracer)
5291                         ptsid = task_sid(tracer);
5292                 task_unlock(p);
5293
5294                 if (tracer) {
5295                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5296                                              PROCESS__PTRACE, NULL);
5297                         if (error)
5298                                 goto abort_change;
5299                 }
5300
5301                 tsec->sid = sid;
5302         } else {
5303                 error = -EINVAL;
5304                 goto abort_change;
5305         }
5306
5307         commit_creds(new);
5308         return size;
5309
5310 abort_change:
5311         abort_creds(new);
5312         return error;
5313 }
5314
5315 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5316 {
5317         return security_sid_to_context(secid, secdata, seclen);
5318 }
5319
5320 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5321 {
5322         return security_context_to_sid(secdata, seclen, secid);
5323 }
5324
5325 static void selinux_release_secctx(char *secdata, u32 seclen)
5326 {
5327         kfree(secdata);
5328 }
5329
5330 /*
5331  *      called with inode->i_mutex locked
5332  */
5333 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5334 {
5335         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5336 }
5337
5338 /*
5339  *      called with inode->i_mutex locked
5340  */
5341 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5342 {
5343         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5344 }
5345
5346 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5347 {
5348         int len = 0;
5349         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5350                                                 ctx, true);
5351         if (len < 0)
5352                 return len;
5353         *ctxlen = len;
5354         return 0;
5355 }
5356 #ifdef CONFIG_KEYS
5357
5358 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5359                              unsigned long flags)
5360 {
5361         const struct task_security_struct *tsec;
5362         struct key_security_struct *ksec;
5363
5364         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5365         if (!ksec)
5366                 return -ENOMEM;
5367
5368         tsec = cred->security;
5369         if (tsec->keycreate_sid)
5370                 ksec->sid = tsec->keycreate_sid;
5371         else
5372                 ksec->sid = tsec->sid;
5373
5374         k->security = ksec;
5375         return 0;
5376 }
5377
5378 static void selinux_key_free(struct key *k)
5379 {
5380         struct key_security_struct *ksec = k->security;
5381
5382         k->security = NULL;
5383         kfree(ksec);
5384 }
5385
5386 static int selinux_key_permission(key_ref_t key_ref,
5387                                   const struct cred *cred,
5388                                   key_perm_t perm)
5389 {
5390         struct key *key;
5391         struct key_security_struct *ksec;
5392         u32 sid;
5393
5394         /* if no specific permissions are requested, we skip the
5395            permission check. No serious, additional covert channels
5396            appear to be created. */
5397         if (perm == 0)
5398                 return 0;
5399
5400         sid = cred_sid(cred);
5401
5402         key = key_ref_to_ptr(key_ref);
5403         ksec = key->security;
5404
5405         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5406 }
5407
5408 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5409 {
5410         struct key_security_struct *ksec = key->security;
5411         char *context = NULL;
5412         unsigned len;
5413         int rc;
5414
5415         rc = security_sid_to_context(ksec->sid, &context, &len);
5416         if (!rc)
5417                 rc = len;
5418         *_buffer = context;
5419         return rc;
5420 }
5421
5422 #endif
5423
5424 static struct security_operations selinux_ops = {
5425         .name =                         "selinux",
5426
5427         .ptrace_access_check =          selinux_ptrace_access_check,
5428         .ptrace_traceme =               selinux_ptrace_traceme,
5429         .capget =                       selinux_capget,
5430         .capset =                       selinux_capset,
5431         .capable =                      selinux_capable,
5432         .quotactl =                     selinux_quotactl,
5433         .quota_on =                     selinux_quota_on,
5434         .syslog =                       selinux_syslog,
5435         .vm_enough_memory =             selinux_vm_enough_memory,
5436
5437         .netlink_send =                 selinux_netlink_send,
5438         .netlink_recv =                 selinux_netlink_recv,
5439
5440         .bprm_set_creds =               selinux_bprm_set_creds,
5441         .bprm_committing_creds =        selinux_bprm_committing_creds,
5442         .bprm_committed_creds =         selinux_bprm_committed_creds,
5443         .bprm_secureexec =              selinux_bprm_secureexec,
5444
5445         .sb_alloc_security =            selinux_sb_alloc_security,
5446         .sb_free_security =             selinux_sb_free_security,
5447         .sb_copy_data =                 selinux_sb_copy_data,
5448         .sb_remount =                   selinux_sb_remount,
5449         .sb_kern_mount =                selinux_sb_kern_mount,
5450         .sb_show_options =              selinux_sb_show_options,
5451         .sb_statfs =                    selinux_sb_statfs,
5452         .sb_mount =                     selinux_mount,
5453         .sb_umount =                    selinux_umount,
5454         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5455         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5456         .sb_parse_opts_str =            selinux_parse_opts_str,
5457
5458
5459         .inode_alloc_security =         selinux_inode_alloc_security,
5460         .inode_free_security =          selinux_inode_free_security,
5461         .inode_init_security =          selinux_inode_init_security,
5462         .inode_create =                 selinux_inode_create,
5463         .inode_link =                   selinux_inode_link,
5464         .inode_unlink =                 selinux_inode_unlink,
5465         .inode_symlink =                selinux_inode_symlink,
5466         .inode_mkdir =                  selinux_inode_mkdir,
5467         .inode_rmdir =                  selinux_inode_rmdir,
5468         .inode_mknod =                  selinux_inode_mknod,
5469         .inode_rename =                 selinux_inode_rename,
5470         .inode_readlink =               selinux_inode_readlink,
5471         .inode_follow_link =            selinux_inode_follow_link,
5472         .inode_permission =             selinux_inode_permission,
5473         .inode_setattr =                selinux_inode_setattr,
5474         .inode_getattr =                selinux_inode_getattr,
5475         .inode_setxattr =               selinux_inode_setxattr,
5476         .inode_post_setxattr =          selinux_inode_post_setxattr,
5477         .inode_getxattr =               selinux_inode_getxattr,
5478         .inode_listxattr =              selinux_inode_listxattr,
5479         .inode_removexattr =            selinux_inode_removexattr,
5480         .inode_getsecurity =            selinux_inode_getsecurity,
5481         .inode_setsecurity =            selinux_inode_setsecurity,
5482         .inode_listsecurity =           selinux_inode_listsecurity,
5483         .inode_getsecid =               selinux_inode_getsecid,
5484
5485         .file_permission =              selinux_file_permission,
5486         .file_alloc_security =          selinux_file_alloc_security,
5487         .file_free_security =           selinux_file_free_security,
5488         .file_ioctl =                   selinux_file_ioctl,
5489         .file_mmap =                    selinux_file_mmap,
5490         .file_mprotect =                selinux_file_mprotect,
5491         .file_lock =                    selinux_file_lock,
5492         .file_fcntl =                   selinux_file_fcntl,
5493         .file_set_fowner =              selinux_file_set_fowner,
5494         .file_send_sigiotask =          selinux_file_send_sigiotask,
5495         .file_receive =                 selinux_file_receive,
5496
5497         .dentry_open =                  selinux_dentry_open,
5498
5499         .task_create =                  selinux_task_create,
5500         .cred_alloc_blank =             selinux_cred_alloc_blank,
5501         .cred_free =                    selinux_cred_free,
5502         .cred_prepare =                 selinux_cred_prepare,
5503         .cred_transfer =                selinux_cred_transfer,
5504         .kernel_act_as =                selinux_kernel_act_as,
5505         .kernel_create_files_as =       selinux_kernel_create_files_as,
5506         .kernel_module_request =        selinux_kernel_module_request,
5507         .task_setpgid =                 selinux_task_setpgid,
5508         .task_getpgid =                 selinux_task_getpgid,
5509         .task_getsid =                  selinux_task_getsid,
5510         .task_getsecid =                selinux_task_getsecid,
5511         .task_setnice =                 selinux_task_setnice,
5512         .task_setioprio =               selinux_task_setioprio,
5513         .task_getioprio =               selinux_task_getioprio,
5514         .task_setrlimit =               selinux_task_setrlimit,
5515         .task_setscheduler =            selinux_task_setscheduler,
5516         .task_getscheduler =            selinux_task_getscheduler,
5517         .task_movememory =              selinux_task_movememory,
5518         .task_kill =                    selinux_task_kill,
5519         .task_wait =                    selinux_task_wait,
5520         .task_to_inode =                selinux_task_to_inode,
5521
5522         .ipc_permission =               selinux_ipc_permission,
5523         .ipc_getsecid =                 selinux_ipc_getsecid,
5524
5525         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5526         .msg_msg_free_security =        selinux_msg_msg_free_security,
5527
5528         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5529         .msg_queue_free_security =      selinux_msg_queue_free_security,
5530         .msg_queue_associate =          selinux_msg_queue_associate,
5531         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5532         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5533         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5534
5535         .shm_alloc_security =           selinux_shm_alloc_security,
5536         .shm_free_security =            selinux_shm_free_security,
5537         .shm_associate =                selinux_shm_associate,
5538         .shm_shmctl =                   selinux_shm_shmctl,
5539         .shm_shmat =                    selinux_shm_shmat,
5540
5541         .sem_alloc_security =           selinux_sem_alloc_security,
5542         .sem_free_security =            selinux_sem_free_security,
5543         .sem_associate =                selinux_sem_associate,
5544         .sem_semctl =                   selinux_sem_semctl,
5545         .sem_semop =                    selinux_sem_semop,
5546
5547         .d_instantiate =                selinux_d_instantiate,
5548
5549         .getprocattr =                  selinux_getprocattr,
5550         .setprocattr =                  selinux_setprocattr,
5551
5552         .secid_to_secctx =              selinux_secid_to_secctx,
5553         .secctx_to_secid =              selinux_secctx_to_secid,
5554         .release_secctx =               selinux_release_secctx,
5555         .inode_notifysecctx =           selinux_inode_notifysecctx,
5556         .inode_setsecctx =              selinux_inode_setsecctx,
5557         .inode_getsecctx =              selinux_inode_getsecctx,
5558
5559         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5560         .unix_may_send =                selinux_socket_unix_may_send,
5561
5562         .socket_create =                selinux_socket_create,
5563         .socket_post_create =           selinux_socket_post_create,
5564         .socket_bind =                  selinux_socket_bind,
5565         .socket_connect =               selinux_socket_connect,
5566         .socket_listen =                selinux_socket_listen,
5567         .socket_accept =                selinux_socket_accept,
5568         .socket_sendmsg =               selinux_socket_sendmsg,
5569         .socket_recvmsg =               selinux_socket_recvmsg,
5570         .socket_getsockname =           selinux_socket_getsockname,
5571         .socket_getpeername =           selinux_socket_getpeername,
5572         .socket_getsockopt =            selinux_socket_getsockopt,
5573         .socket_setsockopt =            selinux_socket_setsockopt,
5574         .socket_shutdown =              selinux_socket_shutdown,
5575         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5576         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5577         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5578         .sk_alloc_security =            selinux_sk_alloc_security,
5579         .sk_free_security =             selinux_sk_free_security,
5580         .sk_clone_security =            selinux_sk_clone_security,
5581         .sk_getsecid =                  selinux_sk_getsecid,
5582         .sock_graft =                   selinux_sock_graft,
5583         .inet_conn_request =            selinux_inet_conn_request,
5584         .inet_csk_clone =               selinux_inet_csk_clone,
5585         .inet_conn_established =        selinux_inet_conn_established,
5586         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5587         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5588         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5589         .req_classify_flow =            selinux_req_classify_flow,
5590         .tun_dev_create =               selinux_tun_dev_create,
5591         .tun_dev_post_create =          selinux_tun_dev_post_create,
5592         .tun_dev_attach =               selinux_tun_dev_attach,
5593
5594 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5595         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5596         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5597         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5598         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5599         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5600         .xfrm_state_free_security =     selinux_xfrm_state_free,
5601         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5602         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5603         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5604         .xfrm_decode_session =          selinux_xfrm_decode_session,
5605 #endif
5606
5607 #ifdef CONFIG_KEYS
5608         .key_alloc =                    selinux_key_alloc,
5609         .key_free =                     selinux_key_free,
5610         .key_permission =               selinux_key_permission,
5611         .key_getsecurity =              selinux_key_getsecurity,
5612 #endif
5613
5614 #ifdef CONFIG_AUDIT
5615         .audit_rule_init =              selinux_audit_rule_init,
5616         .audit_rule_known =             selinux_audit_rule_known,
5617         .audit_rule_match =             selinux_audit_rule_match,
5618         .audit_rule_free =              selinux_audit_rule_free,
5619 #endif
5620 };
5621
5622 static __init int selinux_init(void)
5623 {
5624         if (!security_module_enable(&selinux_ops)) {
5625                 selinux_enabled = 0;
5626                 return 0;
5627         }
5628
5629         if (!selinux_enabled) {
5630                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5631                 return 0;
5632         }
5633
5634         printk(KERN_INFO "SELinux:  Initializing.\n");
5635
5636         /* Set the security state for the initial task. */
5637         cred_init_security();
5638
5639         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5640
5641         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5642                                             sizeof(struct inode_security_struct),
5643                                             0, SLAB_PANIC, NULL);
5644         avc_init();
5645
5646         if (register_security(&selinux_ops))
5647                 panic("SELinux: Unable to register with kernel.\n");
5648
5649         if (selinux_enforcing)
5650                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5651         else
5652                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5653
5654         return 0;
5655 }
5656
5657 static void delayed_superblock_init(struct super_block *sb, void *unused)
5658 {
5659         superblock_doinit(sb, NULL);
5660 }
5661
5662 void selinux_complete_init(void)
5663 {
5664         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5665
5666         /* Set up any superblocks initialized prior to the policy load. */
5667         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5668         iterate_supers(delayed_superblock_init, NULL);
5669 }
5670
5671 /* SELinux requires early initialization in order to label
5672    all processes and objects when they are created. */
5673 security_initcall(selinux_init);
5674
5675 #if defined(CONFIG_NETFILTER)
5676
5677 static struct nf_hook_ops selinux_ipv4_ops[] = {
5678         {
5679                 .hook =         selinux_ipv4_postroute,
5680                 .owner =        THIS_MODULE,
5681                 .pf =           PF_INET,
5682                 .hooknum =      NF_INET_POST_ROUTING,
5683                 .priority =     NF_IP_PRI_SELINUX_LAST,
5684         },
5685         {
5686                 .hook =         selinux_ipv4_forward,
5687                 .owner =        THIS_MODULE,
5688                 .pf =           PF_INET,
5689                 .hooknum =      NF_INET_FORWARD,
5690                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5691         },
5692         {
5693                 .hook =         selinux_ipv4_output,
5694                 .owner =        THIS_MODULE,
5695                 .pf =           PF_INET,
5696                 .hooknum =      NF_INET_LOCAL_OUT,
5697                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5698         }
5699 };
5700
5701 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5702
5703 static struct nf_hook_ops selinux_ipv6_ops[] = {
5704         {
5705                 .hook =         selinux_ipv6_postroute,
5706                 .owner =        THIS_MODULE,
5707                 .pf =           PF_INET6,
5708                 .hooknum =      NF_INET_POST_ROUTING,
5709                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5710         },
5711         {
5712                 .hook =         selinux_ipv6_forward,
5713                 .owner =        THIS_MODULE,
5714                 .pf =           PF_INET6,
5715                 .hooknum =      NF_INET_FORWARD,
5716                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5717         }
5718 };
5719
5720 #endif  /* IPV6 */
5721
5722 static int __init selinux_nf_ip_init(void)
5723 {
5724         int err = 0;
5725
5726         if (!selinux_enabled)
5727                 goto out;
5728
5729         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5730
5731         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5732         if (err)
5733                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5734
5735 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5736         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5737         if (err)
5738                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5739 #endif  /* IPV6 */
5740
5741 out:
5742         return err;
5743 }
5744
5745 __initcall(selinux_nf_ip_init);
5746
5747 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5748 static void selinux_nf_ip_exit(void)
5749 {
5750         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5751
5752         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5753 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5754         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5755 #endif  /* IPV6 */
5756 }
5757 #endif
5758
5759 #else /* CONFIG_NETFILTER */
5760
5761 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5762 #define selinux_nf_ip_exit()
5763 #endif
5764
5765 #endif /* CONFIG_NETFILTER */
5766
5767 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5768 static int selinux_disabled;
5769
5770 int selinux_disable(void)
5771 {
5772         extern void exit_sel_fs(void);
5773
5774         if (ss_initialized) {
5775                 /* Not permitted after initial policy load. */
5776                 return -EINVAL;
5777         }
5778
5779         if (selinux_disabled) {
5780                 /* Only do this once. */
5781                 return -EINVAL;
5782         }
5783
5784         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5785
5786         selinux_disabled = 1;
5787         selinux_enabled = 0;
5788
5789         reset_security_ops();
5790
5791         /* Try to destroy the avc node cache */
5792         avc_disable();
5793
5794         /* Unregister netfilter hooks. */
5795         selinux_nf_ip_exit();
5796
5797         /* Unregister selinuxfs. */
5798         exit_sel_fs();
5799
5800         return 0;
5801 }
5802 #endif