selinux: sparse fix: fix several warnings in the security server code
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>             /* for local_port_range[] */
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>    /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>           /* for Unix socket types */
70 #include <net/af_unix.h>        /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83
84 #include "avc.h"
85 #include "objsec.h"
86 #include "netif.h"
87 #include "netnode.h"
88 #include "netport.h"
89 #include "xfrm.h"
90 #include "netlabel.h"
91 #include "audit.h"
92 #include "avc_ss.h"
93
94 #define NUM_SEL_MNT_OPTS 5
95
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         unsigned long enforcing;
107         if (!strict_strtoul(str, 0, &enforcing))
108                 selinux_enforcing = enforcing ? 1 : 0;
109         return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119         unsigned long enabled;
120         if (!strict_strtoul(str, 0, &enabled))
121                 selinux_enabled = enabled ? 1 : 0;
122         return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129 static struct kmem_cache *sel_inode_cache;
130
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.
139  *
140  */
141 static int selinux_secmark_enabled(void)
142 {
143         return (atomic_read(&selinux_secmark_refcount) > 0);
144 }
145
146 /*
147  * initialise the security for the init task
148  */
149 static void cred_init_security(void)
150 {
151         struct cred *cred = (struct cred *) current->real_cred;
152         struct task_security_struct *tsec;
153
154         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
155         if (!tsec)
156                 panic("SELinux:  Failed to initialize initial task.\n");
157
158         tsec->osid = tsec->sid = SECINITSID_KERNEL;
159         cred->security = tsec;
160 }
161
162 /*
163  * get the security ID of a set of credentials
164  */
165 static inline u32 cred_sid(const struct cred *cred)
166 {
167         const struct task_security_struct *tsec;
168
169         tsec = cred->security;
170         return tsec->sid;
171 }
172
173 /*
174  * get the objective security ID of a task
175  */
176 static inline u32 task_sid(const struct task_struct *task)
177 {
178         u32 sid;
179
180         rcu_read_lock();
181         sid = cred_sid(__task_cred(task));
182         rcu_read_unlock();
183         return sid;
184 }
185
186 /*
187  * get the subjective security ID of the current task
188  */
189 static inline u32 current_sid(void)
190 {
191         const struct task_security_struct *tsec = current_security();
192
193         return tsec->sid;
194 }
195
196 /* Allocate and free functions for each kind of security blob. */
197
198 static int inode_alloc_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec;
201         u32 sid = current_sid();
202
203         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
204         if (!isec)
205                 return -ENOMEM;
206
207         mutex_init(&isec->lock);
208         INIT_LIST_HEAD(&isec->list);
209         isec->inode = inode;
210         isec->sid = SECINITSID_UNLABELED;
211         isec->sclass = SECCLASS_FILE;
212         isec->task_sid = sid;
213         inode->i_security = isec;
214
215         return 0;
216 }
217
218 static void inode_free_security(struct inode *inode)
219 {
220         struct inode_security_struct *isec = inode->i_security;
221         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222
223         spin_lock(&sbsec->isec_lock);
224         if (!list_empty(&isec->list))
225                 list_del_init(&isec->list);
226         spin_unlock(&sbsec->isec_lock);
227
228         inode->i_security = NULL;
229         kmem_cache_free(sel_inode_cache, isec);
230 }
231
232 static int file_alloc_security(struct file *file)
233 {
234         struct file_security_struct *fsec;
235         u32 sid = current_sid();
236
237         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
238         if (!fsec)
239                 return -ENOMEM;
240
241         fsec->sid = sid;
242         fsec->fown_sid = sid;
243         file->f_security = fsec;
244
245         return 0;
246 }
247
248 static void file_free_security(struct file *file)
249 {
250         struct file_security_struct *fsec = file->f_security;
251         file->f_security = NULL;
252         kfree(fsec);
253 }
254
255 static int superblock_alloc_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec;
258
259         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
260         if (!sbsec)
261                 return -ENOMEM;
262
263         mutex_init(&sbsec->lock);
264         INIT_LIST_HEAD(&sbsec->isec_head);
265         spin_lock_init(&sbsec->isec_lock);
266         sbsec->sb = sb;
267         sbsec->sid = SECINITSID_UNLABELED;
268         sbsec->def_sid = SECINITSID_FILE;
269         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
270         sb->s_security = sbsec;
271
272         return 0;
273 }
274
275 static void superblock_free_security(struct super_block *sb)
276 {
277         struct superblock_security_struct *sbsec = sb->s_security;
278         sb->s_security = NULL;
279         kfree(sbsec);
280 }
281
282 /* The file system's label must be initialized prior to use. */
283
284 static const char *labeling_behaviors[6] = {
285         "uses xattr",
286         "uses transition SIDs",
287         "uses task SIDs",
288         "uses genfs_contexts",
289         "not configured for labeling",
290         "uses mountpoint labeling",
291 };
292
293 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
294
295 static inline int inode_doinit(struct inode *inode)
296 {
297         return inode_doinit_with_dentry(inode, NULL);
298 }
299
300 enum {
301         Opt_error = -1,
302         Opt_context = 1,
303         Opt_fscontext = 2,
304         Opt_defcontext = 3,
305         Opt_rootcontext = 4,
306         Opt_labelsupport = 5,
307 };
308
309 static const match_table_t tokens = {
310         {Opt_context, CONTEXT_STR "%s"},
311         {Opt_fscontext, FSCONTEXT_STR "%s"},
312         {Opt_defcontext, DEFCONTEXT_STR "%s"},
313         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
314         {Opt_labelsupport, LABELSUPP_STR},
315         {Opt_error, NULL},
316 };
317
318 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
319
320 static int may_context_mount_sb_relabel(u32 sid,
321                         struct superblock_security_struct *sbsec,
322                         const struct cred *cred)
323 {
324         const struct task_security_struct *tsec = cred->security;
325         int rc;
326
327         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
328                           FILESYSTEM__RELABELFROM, NULL);
329         if (rc)
330                 return rc;
331
332         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
333                           FILESYSTEM__RELABELTO, NULL);
334         return rc;
335 }
336
337 static int may_context_mount_inode_relabel(u32 sid,
338                         struct superblock_security_struct *sbsec,
339                         const struct cred *cred)
340 {
341         const struct task_security_struct *tsec = cred->security;
342         int rc;
343         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344                           FILESYSTEM__RELABELFROM, NULL);
345         if (rc)
346                 return rc;
347
348         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
349                           FILESYSTEM__ASSOCIATE, NULL);
350         return rc;
351 }
352
353 static int sb_finish_set_opts(struct super_block *sb)
354 {
355         struct superblock_security_struct *sbsec = sb->s_security;
356         struct dentry *root = sb->s_root;
357         struct inode *root_inode = root->d_inode;
358         int rc = 0;
359
360         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
361                 /* Make sure that the xattr handler exists and that no
362                    error other than -ENODATA is returned by getxattr on
363                    the root directory.  -ENODATA is ok, as this may be
364                    the first boot of the SELinux kernel before we have
365                    assigned xattr values to the filesystem. */
366                 if (!root_inode->i_op->getxattr) {
367                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
368                                "xattr support\n", sb->s_id, sb->s_type->name);
369                         rc = -EOPNOTSUPP;
370                         goto out;
371                 }
372                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
373                 if (rc < 0 && rc != -ENODATA) {
374                         if (rc == -EOPNOTSUPP)
375                                 printk(KERN_WARNING "SELinux: (dev %s, type "
376                                        "%s) has no security xattr handler\n",
377                                        sb->s_id, sb->s_type->name);
378                         else
379                                 printk(KERN_WARNING "SELinux: (dev %s, type "
380                                        "%s) getxattr errno %d\n", sb->s_id,
381                                        sb->s_type->name, -rc);
382                         goto out;
383                 }
384         }
385
386         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
387
388         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
389                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
390                        sb->s_id, sb->s_type->name);
391         else
392                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
393                        sb->s_id, sb->s_type->name,
394                        labeling_behaviors[sbsec->behavior-1]);
395
396         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
397             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
398             sbsec->behavior == SECURITY_FS_USE_NONE ||
399             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400                 sbsec->flags &= ~SE_SBLABELSUPP;
401
402         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
403         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
404                 sbsec->flags |= SE_SBLABELSUPP;
405
406         /* Initialize the root inode. */
407         rc = inode_doinit_with_dentry(root_inode, root);
408
409         /* Initialize any other inodes associated with the superblock, e.g.
410            inodes created prior to initial policy load or inodes created
411            during get_sb by a pseudo filesystem that directly
412            populates itself. */
413         spin_lock(&sbsec->isec_lock);
414 next_inode:
415         if (!list_empty(&sbsec->isec_head)) {
416                 struct inode_security_struct *isec =
417                                 list_entry(sbsec->isec_head.next,
418                                            struct inode_security_struct, list);
419                 struct inode *inode = isec->inode;
420                 spin_unlock(&sbsec->isec_lock);
421                 inode = igrab(inode);
422                 if (inode) {
423                         if (!IS_PRIVATE(inode))
424                                 inode_doinit(inode);
425                         iput(inode);
426                 }
427                 spin_lock(&sbsec->isec_lock);
428                 list_del_init(&isec->list);
429                 goto next_inode;
430         }
431         spin_unlock(&sbsec->isec_lock);
432 out:
433         return rc;
434 }
435
436 /*
437  * This function should allow an FS to ask what it's mount security
438  * options were so it can use those later for submounts, displaying
439  * mount options, or whatever.
440  */
441 static int selinux_get_mnt_opts(const struct super_block *sb,
442                                 struct security_mnt_opts *opts)
443 {
444         int rc = 0, i;
445         struct superblock_security_struct *sbsec = sb->s_security;
446         char *context = NULL;
447         u32 len;
448         char tmp;
449
450         security_init_mnt_opts(opts);
451
452         if (!(sbsec->flags & SE_SBINITIALIZED))
453                 return -EINVAL;
454
455         if (!ss_initialized)
456                 return -EINVAL;
457
458         tmp = sbsec->flags & SE_MNTMASK;
459         /* count the number of mount options for this sb */
460         for (i = 0; i < 8; i++) {
461                 if (tmp & 0x01)
462                         opts->num_mnt_opts++;
463                 tmp >>= 1;
464         }
465         /* Check if the Label support flag is set */
466         if (sbsec->flags & SE_SBLABELSUPP)
467                 opts->num_mnt_opts++;
468
469         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
470         if (!opts->mnt_opts) {
471                 rc = -ENOMEM;
472                 goto out_free;
473         }
474
475         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
476         if (!opts->mnt_opts_flags) {
477                 rc = -ENOMEM;
478                 goto out_free;
479         }
480
481         i = 0;
482         if (sbsec->flags & FSCONTEXT_MNT) {
483                 rc = security_sid_to_context(sbsec->sid, &context, &len);
484                 if (rc)
485                         goto out_free;
486                 opts->mnt_opts[i] = context;
487                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
488         }
489         if (sbsec->flags & CONTEXT_MNT) {
490                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
491                 if (rc)
492                         goto out_free;
493                 opts->mnt_opts[i] = context;
494                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
495         }
496         if (sbsec->flags & DEFCONTEXT_MNT) {
497                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
498                 if (rc)
499                         goto out_free;
500                 opts->mnt_opts[i] = context;
501                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
502         }
503         if (sbsec->flags & ROOTCONTEXT_MNT) {
504                 struct inode *root = sbsec->sb->s_root->d_inode;
505                 struct inode_security_struct *isec = root->i_security;
506
507                 rc = security_sid_to_context(isec->sid, &context, &len);
508                 if (rc)
509                         goto out_free;
510                 opts->mnt_opts[i] = context;
511                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
512         }
513         if (sbsec->flags & SE_SBLABELSUPP) {
514                 opts->mnt_opts[i] = NULL;
515                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
516         }
517
518         BUG_ON(i != opts->num_mnt_opts);
519
520         return 0;
521
522 out_free:
523         security_free_mnt_opts(opts);
524         return rc;
525 }
526
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528                       u32 old_sid, u32 new_sid)
529 {
530         char mnt_flags = sbsec->flags & SE_MNTMASK;
531
532         /* check if the old mount command had the same options */
533         if (sbsec->flags & SE_SBINITIALIZED)
534                 if (!(sbsec->flags & flag) ||
535                     (old_sid != new_sid))
536                         return 1;
537
538         /* check if we were passed the same options twice,
539          * aka someone passed context=a,context=b
540          */
541         if (!(sbsec->flags & SE_SBINITIALIZED))
542                 if (mnt_flags & flag)
543                         return 1;
544         return 0;
545 }
546
547 /*
548  * Allow filesystems with binary mount data to explicitly set mount point
549  * labeling information.
550  */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552                                 struct security_mnt_opts *opts)
553 {
554         const struct cred *cred = current_cred();
555         int rc = 0, i;
556         struct superblock_security_struct *sbsec = sb->s_security;
557         const char *name = sb->s_type->name;
558         struct inode *inode = sbsec->sb->s_root->d_inode;
559         struct inode_security_struct *root_isec = inode->i_security;
560         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
561         u32 defcontext_sid = 0;
562         char **mount_options = opts->mnt_opts;
563         int *flags = opts->mnt_opts_flags;
564         int num_opts = opts->num_mnt_opts;
565
566         mutex_lock(&sbsec->lock);
567
568         if (!ss_initialized) {
569                 if (!num_opts) {
570                         /* Defer initialization until selinux_complete_init,
571                            after the initial policy is loaded and the security
572                            server is ready to handle calls. */
573                         goto out;
574                 }
575                 rc = -EINVAL;
576                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
577                         "before the security server is initialized\n");
578                 goto out;
579         }
580
581         /*
582          * Binary mount data FS will come through this function twice.  Once
583          * from an explicit call and once from the generic calls from the vfs.
584          * Since the generic VFS calls will not contain any security mount data
585          * we need to skip the double mount verification.
586          *
587          * This does open a hole in which we will not notice if the first
588          * mount using this sb set explict options and a second mount using
589          * this sb does not set any security options.  (The first options
590          * will be used for both mounts)
591          */
592         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593             && (num_opts == 0))
594                 goto out;
595
596         /*
597          * parse the mount options, check if they are valid sids.
598          * also check if someone is trying to mount the same sb more
599          * than once with different security options.
600          */
601         for (i = 0; i < num_opts; i++) {
602                 u32 sid;
603
604                 if (flags[i] == SE_SBLABELSUPP)
605                         continue;
606                 rc = security_context_to_sid(mount_options[i],
607                                              strlen(mount_options[i]), &sid);
608                 if (rc) {
609                         printk(KERN_WARNING "SELinux: security_context_to_sid"
610                                "(%s) failed for (dev %s, type %s) errno=%d\n",
611                                mount_options[i], sb->s_id, name, rc);
612                         goto out;
613                 }
614                 switch (flags[i]) {
615                 case FSCONTEXT_MNT:
616                         fscontext_sid = sid;
617
618                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619                                         fscontext_sid))
620                                 goto out_double_mount;
621
622                         sbsec->flags |= FSCONTEXT_MNT;
623                         break;
624                 case CONTEXT_MNT:
625                         context_sid = sid;
626
627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628                                         context_sid))
629                                 goto out_double_mount;
630
631                         sbsec->flags |= CONTEXT_MNT;
632                         break;
633                 case ROOTCONTEXT_MNT:
634                         rootcontext_sid = sid;
635
636                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637                                         rootcontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= ROOTCONTEXT_MNT;
641
642                         break;
643                 case DEFCONTEXT_MNT:
644                         defcontext_sid = sid;
645
646                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647                                         defcontext_sid))
648                                 goto out_double_mount;
649
650                         sbsec->flags |= DEFCONTEXT_MNT;
651
652                         break;
653                 default:
654                         rc = -EINVAL;
655                         goto out;
656                 }
657         }
658
659         if (sbsec->flags & SE_SBINITIALIZED) {
660                 /* previously mounted with options, but not on this attempt? */
661                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
662                         goto out_double_mount;
663                 rc = 0;
664                 goto out;
665         }
666
667         if (strcmp(sb->s_type->name, "proc") == 0)
668                 sbsec->flags |= SE_SBPROC;
669
670         /* Determine the labeling behavior to use for this filesystem type. */
671         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672         if (rc) {
673                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674                        __func__, sb->s_type->name, rc);
675                 goto out;
676         }
677
678         /* sets the context of the superblock for the fs being mounted. */
679         if (fscontext_sid) {
680                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
681                 if (rc)
682                         goto out;
683
684                 sbsec->sid = fscontext_sid;
685         }
686
687         /*
688          * Switch to using mount point labeling behavior.
689          * sets the label used on all file below the mountpoint, and will set
690          * the superblock context if not already set.
691          */
692         if (context_sid) {
693                 if (!fscontext_sid) {
694                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
695                                                           cred);
696                         if (rc)
697                                 goto out;
698                         sbsec->sid = context_sid;
699                 } else {
700                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
701                                                              cred);
702                         if (rc)
703                                 goto out;
704                 }
705                 if (!rootcontext_sid)
706                         rootcontext_sid = context_sid;
707
708                 sbsec->mntpoint_sid = context_sid;
709                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
710         }
711
712         if (rootcontext_sid) {
713                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
714                                                      cred);
715                 if (rc)
716                         goto out;
717
718                 root_isec->sid = rootcontext_sid;
719                 root_isec->initialized = 1;
720         }
721
722         if (defcontext_sid) {
723                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
724                         rc = -EINVAL;
725                         printk(KERN_WARNING "SELinux: defcontext option is "
726                                "invalid for this filesystem type\n");
727                         goto out;
728                 }
729
730                 if (defcontext_sid != sbsec->def_sid) {
731                         rc = may_context_mount_inode_relabel(defcontext_sid,
732                                                              sbsec, cred);
733                         if (rc)
734                                 goto out;
735                 }
736
737                 sbsec->def_sid = defcontext_sid;
738         }
739
740         rc = sb_finish_set_opts(sb);
741 out:
742         mutex_unlock(&sbsec->lock);
743         return rc;
744 out_double_mount:
745         rc = -EINVAL;
746         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
747                "security settings for (dev %s, type %s)\n", sb->s_id, name);
748         goto out;
749 }
750
751 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
752                                         struct super_block *newsb)
753 {
754         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
755         struct superblock_security_struct *newsbsec = newsb->s_security;
756
757         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
758         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
759         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
760
761         /*
762          * if the parent was able to be mounted it clearly had no special lsm
763          * mount options.  thus we can safely deal with this superblock later
764          */
765         if (!ss_initialized)
766                 return;
767
768         /* how can we clone if the old one wasn't set up?? */
769         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
770
771         /* if fs is reusing a sb, just let its options stand... */
772         if (newsbsec->flags & SE_SBINITIALIZED)
773                 return;
774
775         mutex_lock(&newsbsec->lock);
776
777         newsbsec->flags = oldsbsec->flags;
778
779         newsbsec->sid = oldsbsec->sid;
780         newsbsec->def_sid = oldsbsec->def_sid;
781         newsbsec->behavior = oldsbsec->behavior;
782
783         if (set_context) {
784                 u32 sid = oldsbsec->mntpoint_sid;
785
786                 if (!set_fscontext)
787                         newsbsec->sid = sid;
788                 if (!set_rootcontext) {
789                         struct inode *newinode = newsb->s_root->d_inode;
790                         struct inode_security_struct *newisec = newinode->i_security;
791                         newisec->sid = sid;
792                 }
793                 newsbsec->mntpoint_sid = sid;
794         }
795         if (set_rootcontext) {
796                 const struct inode *oldinode = oldsb->s_root->d_inode;
797                 const struct inode_security_struct *oldisec = oldinode->i_security;
798                 struct inode *newinode = newsb->s_root->d_inode;
799                 struct inode_security_struct *newisec = newinode->i_security;
800
801                 newisec->sid = oldisec->sid;
802         }
803
804         sb_finish_set_opts(newsb);
805         mutex_unlock(&newsbsec->lock);
806 }
807
808 static int selinux_parse_opts_str(char *options,
809                                   struct security_mnt_opts *opts)
810 {
811         char *p;
812         char *context = NULL, *defcontext = NULL;
813         char *fscontext = NULL, *rootcontext = NULL;
814         int rc, num_mnt_opts = 0;
815
816         opts->num_mnt_opts = 0;
817
818         /* Standard string-based options. */
819         while ((p = strsep(&options, "|")) != NULL) {
820                 int token;
821                 substring_t args[MAX_OPT_ARGS];
822
823                 if (!*p)
824                         continue;
825
826                 token = match_token(p, tokens, args);
827
828                 switch (token) {
829                 case Opt_context:
830                         if (context || defcontext) {
831                                 rc = -EINVAL;
832                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
833                                 goto out_err;
834                         }
835                         context = match_strdup(&args[0]);
836                         if (!context) {
837                                 rc = -ENOMEM;
838                                 goto out_err;
839                         }
840                         break;
841
842                 case Opt_fscontext:
843                         if (fscontext) {
844                                 rc = -EINVAL;
845                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
846                                 goto out_err;
847                         }
848                         fscontext = match_strdup(&args[0]);
849                         if (!fscontext) {
850                                 rc = -ENOMEM;
851                                 goto out_err;
852                         }
853                         break;
854
855                 case Opt_rootcontext:
856                         if (rootcontext) {
857                                 rc = -EINVAL;
858                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
859                                 goto out_err;
860                         }
861                         rootcontext = match_strdup(&args[0]);
862                         if (!rootcontext) {
863                                 rc = -ENOMEM;
864                                 goto out_err;
865                         }
866                         break;
867
868                 case Opt_defcontext:
869                         if (context || defcontext) {
870                                 rc = -EINVAL;
871                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
872                                 goto out_err;
873                         }
874                         defcontext = match_strdup(&args[0]);
875                         if (!defcontext) {
876                                 rc = -ENOMEM;
877                                 goto out_err;
878                         }
879                         break;
880                 case Opt_labelsupport:
881                         break;
882                 default:
883                         rc = -EINVAL;
884                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
885                         goto out_err;
886
887                 }
888         }
889
890         rc = -ENOMEM;
891         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
892         if (!opts->mnt_opts)
893                 goto out_err;
894
895         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
896         if (!opts->mnt_opts_flags) {
897                 kfree(opts->mnt_opts);
898                 goto out_err;
899         }
900
901         if (fscontext) {
902                 opts->mnt_opts[num_mnt_opts] = fscontext;
903                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
904         }
905         if (context) {
906                 opts->mnt_opts[num_mnt_opts] = context;
907                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
908         }
909         if (rootcontext) {
910                 opts->mnt_opts[num_mnt_opts] = rootcontext;
911                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
912         }
913         if (defcontext) {
914                 opts->mnt_opts[num_mnt_opts] = defcontext;
915                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
916         }
917
918         opts->num_mnt_opts = num_mnt_opts;
919         return 0;
920
921 out_err:
922         kfree(context);
923         kfree(defcontext);
924         kfree(fscontext);
925         kfree(rootcontext);
926         return rc;
927 }
928 /*
929  * string mount options parsing and call set the sbsec
930  */
931 static int superblock_doinit(struct super_block *sb, void *data)
932 {
933         int rc = 0;
934         char *options = data;
935         struct security_mnt_opts opts;
936
937         security_init_mnt_opts(&opts);
938
939         if (!data)
940                 goto out;
941
942         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
943
944         rc = selinux_parse_opts_str(options, &opts);
945         if (rc)
946                 goto out_err;
947
948 out:
949         rc = selinux_set_mnt_opts(sb, &opts);
950
951 out_err:
952         security_free_mnt_opts(&opts);
953         return rc;
954 }
955
956 static void selinux_write_opts(struct seq_file *m,
957                                struct security_mnt_opts *opts)
958 {
959         int i;
960         char *prefix;
961
962         for (i = 0; i < opts->num_mnt_opts; i++) {
963                 char *has_comma;
964
965                 if (opts->mnt_opts[i])
966                         has_comma = strchr(opts->mnt_opts[i], ',');
967                 else
968                         has_comma = NULL;
969
970                 switch (opts->mnt_opts_flags[i]) {
971                 case CONTEXT_MNT:
972                         prefix = CONTEXT_STR;
973                         break;
974                 case FSCONTEXT_MNT:
975                         prefix = FSCONTEXT_STR;
976                         break;
977                 case ROOTCONTEXT_MNT:
978                         prefix = ROOTCONTEXT_STR;
979                         break;
980                 case DEFCONTEXT_MNT:
981                         prefix = DEFCONTEXT_STR;
982                         break;
983                 case SE_SBLABELSUPP:
984                         seq_putc(m, ',');
985                         seq_puts(m, LABELSUPP_STR);
986                         continue;
987                 default:
988                         BUG();
989                         return;
990                 };
991                 /* we need a comma before each option */
992                 seq_putc(m, ',');
993                 seq_puts(m, prefix);
994                 if (has_comma)
995                         seq_putc(m, '\"');
996                 seq_puts(m, opts->mnt_opts[i]);
997                 if (has_comma)
998                         seq_putc(m, '\"');
999         }
1000 }
1001
1002 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1003 {
1004         struct security_mnt_opts opts;
1005         int rc;
1006
1007         rc = selinux_get_mnt_opts(sb, &opts);
1008         if (rc) {
1009                 /* before policy load we may get EINVAL, don't show anything */
1010                 if (rc == -EINVAL)
1011                         rc = 0;
1012                 return rc;
1013         }
1014
1015         selinux_write_opts(m, &opts);
1016
1017         security_free_mnt_opts(&opts);
1018
1019         return rc;
1020 }
1021
1022 static inline u16 inode_mode_to_security_class(umode_t mode)
1023 {
1024         switch (mode & S_IFMT) {
1025         case S_IFSOCK:
1026                 return SECCLASS_SOCK_FILE;
1027         case S_IFLNK:
1028                 return SECCLASS_LNK_FILE;
1029         case S_IFREG:
1030                 return SECCLASS_FILE;
1031         case S_IFBLK:
1032                 return SECCLASS_BLK_FILE;
1033         case S_IFDIR:
1034                 return SECCLASS_DIR;
1035         case S_IFCHR:
1036                 return SECCLASS_CHR_FILE;
1037         case S_IFIFO:
1038                 return SECCLASS_FIFO_FILE;
1039
1040         }
1041
1042         return SECCLASS_FILE;
1043 }
1044
1045 static inline int default_protocol_stream(int protocol)
1046 {
1047         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1048 }
1049
1050 static inline int default_protocol_dgram(int protocol)
1051 {
1052         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1053 }
1054
1055 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1056 {
1057         switch (family) {
1058         case PF_UNIX:
1059                 switch (type) {
1060                 case SOCK_STREAM:
1061                 case SOCK_SEQPACKET:
1062                         return SECCLASS_UNIX_STREAM_SOCKET;
1063                 case SOCK_DGRAM:
1064                         return SECCLASS_UNIX_DGRAM_SOCKET;
1065                 }
1066                 break;
1067         case PF_INET:
1068         case PF_INET6:
1069                 switch (type) {
1070                 case SOCK_STREAM:
1071                         if (default_protocol_stream(protocol))
1072                                 return SECCLASS_TCP_SOCKET;
1073                         else
1074                                 return SECCLASS_RAWIP_SOCKET;
1075                 case SOCK_DGRAM:
1076                         if (default_protocol_dgram(protocol))
1077                                 return SECCLASS_UDP_SOCKET;
1078                         else
1079                                 return SECCLASS_RAWIP_SOCKET;
1080                 case SOCK_DCCP:
1081                         return SECCLASS_DCCP_SOCKET;
1082                 default:
1083                         return SECCLASS_RAWIP_SOCKET;
1084                 }
1085                 break;
1086         case PF_NETLINK:
1087                 switch (protocol) {
1088                 case NETLINK_ROUTE:
1089                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1090                 case NETLINK_FIREWALL:
1091                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1092                 case NETLINK_INET_DIAG:
1093                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1094                 case NETLINK_NFLOG:
1095                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1096                 case NETLINK_XFRM:
1097                         return SECCLASS_NETLINK_XFRM_SOCKET;
1098                 case NETLINK_SELINUX:
1099                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1100                 case NETLINK_AUDIT:
1101                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1102                 case NETLINK_IP6_FW:
1103                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1104                 case NETLINK_DNRTMSG:
1105                         return SECCLASS_NETLINK_DNRT_SOCKET;
1106                 case NETLINK_KOBJECT_UEVENT:
1107                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1108                 default:
1109                         return SECCLASS_NETLINK_SOCKET;
1110                 }
1111         case PF_PACKET:
1112                 return SECCLASS_PACKET_SOCKET;
1113         case PF_KEY:
1114                 return SECCLASS_KEY_SOCKET;
1115         case PF_APPLETALK:
1116                 return SECCLASS_APPLETALK_SOCKET;
1117         }
1118
1119         return SECCLASS_SOCKET;
1120 }
1121
1122 #ifdef CONFIG_PROC_FS
1123 static int selinux_proc_get_sid(struct dentry *dentry,
1124                                 u16 tclass,
1125                                 u32 *sid)
1126 {
1127         int rc;
1128         char *buffer, *path;
1129
1130         buffer = (char *)__get_free_page(GFP_KERNEL);
1131         if (!buffer)
1132                 return -ENOMEM;
1133
1134         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1135         if (IS_ERR(path))
1136                 rc = PTR_ERR(path);
1137         else {
1138                 /* each process gets a /proc/PID/ entry. Strip off the
1139                  * PID part to get a valid selinux labeling.
1140                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1141                 while (path[1] >= '0' && path[1] <= '9') {
1142                         path[1] = '/';
1143                         path++;
1144                 }
1145                 rc = security_genfs_sid("proc", path, tclass, sid);
1146         }
1147         free_page((unsigned long)buffer);
1148         return rc;
1149 }
1150 #else
1151 static int selinux_proc_get_sid(struct dentry *dentry,
1152                                 u16 tclass,
1153                                 u32 *sid)
1154 {
1155         return -EINVAL;
1156 }
1157 #endif
1158
1159 /* The inode's security attributes must be initialized before first use. */
1160 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1161 {
1162         struct superblock_security_struct *sbsec = NULL;
1163         struct inode_security_struct *isec = inode->i_security;
1164         u32 sid;
1165         struct dentry *dentry;
1166 #define INITCONTEXTLEN 255
1167         char *context = NULL;
1168         unsigned len = 0;
1169         int rc = 0;
1170
1171         if (isec->initialized)
1172                 goto out;
1173
1174         mutex_lock(&isec->lock);
1175         if (isec->initialized)
1176                 goto out_unlock;
1177
1178         sbsec = inode->i_sb->s_security;
1179         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1180                 /* Defer initialization until selinux_complete_init,
1181                    after the initial policy is loaded and the security
1182                    server is ready to handle calls. */
1183                 spin_lock(&sbsec->isec_lock);
1184                 if (list_empty(&isec->list))
1185                         list_add(&isec->list, &sbsec->isec_head);
1186                 spin_unlock(&sbsec->isec_lock);
1187                 goto out_unlock;
1188         }
1189
1190         switch (sbsec->behavior) {
1191         case SECURITY_FS_USE_XATTR:
1192                 if (!inode->i_op->getxattr) {
1193                         isec->sid = sbsec->def_sid;
1194                         break;
1195                 }
1196
1197                 /* Need a dentry, since the xattr API requires one.
1198                    Life would be simpler if we could just pass the inode. */
1199                 if (opt_dentry) {
1200                         /* Called from d_instantiate or d_splice_alias. */
1201                         dentry = dget(opt_dentry);
1202                 } else {
1203                         /* Called from selinux_complete_init, try to find a dentry. */
1204                         dentry = d_find_alias(inode);
1205                 }
1206                 if (!dentry) {
1207                         /*
1208                          * this is can be hit on boot when a file is accessed
1209                          * before the policy is loaded.  When we load policy we
1210                          * may find inodes that have no dentry on the
1211                          * sbsec->isec_head list.  No reason to complain as these
1212                          * will get fixed up the next time we go through
1213                          * inode_doinit with a dentry, before these inodes could
1214                          * be used again by userspace.
1215                          */
1216                         goto out_unlock;
1217                 }
1218
1219                 len = INITCONTEXTLEN;
1220                 context = kmalloc(len+1, GFP_NOFS);
1221                 if (!context) {
1222                         rc = -ENOMEM;
1223                         dput(dentry);
1224                         goto out_unlock;
1225                 }
1226                 context[len] = '\0';
1227                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1228                                            context, len);
1229                 if (rc == -ERANGE) {
1230                         kfree(context);
1231
1232                         /* Need a larger buffer.  Query for the right size. */
1233                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1234                                                    NULL, 0);
1235                         if (rc < 0) {
1236                                 dput(dentry);
1237                                 goto out_unlock;
1238                         }
1239                         len = rc;
1240                         context = kmalloc(len+1, GFP_NOFS);
1241                         if (!context) {
1242                                 rc = -ENOMEM;
1243                                 dput(dentry);
1244                                 goto out_unlock;
1245                         }
1246                         context[len] = '\0';
1247                         rc = inode->i_op->getxattr(dentry,
1248                                                    XATTR_NAME_SELINUX,
1249                                                    context, len);
1250                 }
1251                 dput(dentry);
1252                 if (rc < 0) {
1253                         if (rc != -ENODATA) {
1254                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1255                                        "%d for dev=%s ino=%ld\n", __func__,
1256                                        -rc, inode->i_sb->s_id, inode->i_ino);
1257                                 kfree(context);
1258                                 goto out_unlock;
1259                         }
1260                         /* Map ENODATA to the default file SID */
1261                         sid = sbsec->def_sid;
1262                         rc = 0;
1263                 } else {
1264                         rc = security_context_to_sid_default(context, rc, &sid,
1265                                                              sbsec->def_sid,
1266                                                              GFP_NOFS);
1267                         if (rc) {
1268                                 char *dev = inode->i_sb->s_id;
1269                                 unsigned long ino = inode->i_ino;
1270
1271                                 if (rc == -EINVAL) {
1272                                         if (printk_ratelimit())
1273                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1274                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1275                                                         "filesystem in question.\n", ino, dev, context);
1276                                 } else {
1277                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1278                                                "returned %d for dev=%s ino=%ld\n",
1279                                                __func__, context, -rc, dev, ino);
1280                                 }
1281                                 kfree(context);
1282                                 /* Leave with the unlabeled SID */
1283                                 rc = 0;
1284                                 break;
1285                         }
1286                 }
1287                 kfree(context);
1288                 isec->sid = sid;
1289                 break;
1290         case SECURITY_FS_USE_TASK:
1291                 isec->sid = isec->task_sid;
1292                 break;
1293         case SECURITY_FS_USE_TRANS:
1294                 /* Default to the fs SID. */
1295                 isec->sid = sbsec->sid;
1296
1297                 /* Try to obtain a transition SID. */
1298                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1299                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1300                                              isec->sclass, NULL, &sid);
1301                 if (rc)
1302                         goto out_unlock;
1303                 isec->sid = sid;
1304                 break;
1305         case SECURITY_FS_USE_MNTPOINT:
1306                 isec->sid = sbsec->mntpoint_sid;
1307                 break;
1308         default:
1309                 /* Default to the fs superblock SID. */
1310                 isec->sid = sbsec->sid;
1311
1312                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1313                         if (opt_dentry) {
1314                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1315                                 rc = selinux_proc_get_sid(opt_dentry,
1316                                                           isec->sclass,
1317                                                           &sid);
1318                                 if (rc)
1319                                         goto out_unlock;
1320                                 isec->sid = sid;
1321                         }
1322                 }
1323                 break;
1324         }
1325
1326         isec->initialized = 1;
1327
1328 out_unlock:
1329         mutex_unlock(&isec->lock);
1330 out:
1331         if (isec->sclass == SECCLASS_FILE)
1332                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333         return rc;
1334 }
1335
1336 /* Convert a Linux signal to an access vector. */
1337 static inline u32 signal_to_av(int sig)
1338 {
1339         u32 perm = 0;
1340
1341         switch (sig) {
1342         case SIGCHLD:
1343                 /* Commonly granted from child to parent. */
1344                 perm = PROCESS__SIGCHLD;
1345                 break;
1346         case SIGKILL:
1347                 /* Cannot be caught or ignored */
1348                 perm = PROCESS__SIGKILL;
1349                 break;
1350         case SIGSTOP:
1351                 /* Cannot be caught or ignored */
1352                 perm = PROCESS__SIGSTOP;
1353                 break;
1354         default:
1355                 /* All other signals. */
1356                 perm = PROCESS__SIGNAL;
1357                 break;
1358         }
1359
1360         return perm;
1361 }
1362
1363 /*
1364  * Check permission between a pair of credentials
1365  * fork check, ptrace check, etc.
1366  */
1367 static int cred_has_perm(const struct cred *actor,
1368                          const struct cred *target,
1369                          u32 perms)
1370 {
1371         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1372
1373         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1374 }
1375
1376 /*
1377  * Check permission between a pair of tasks, e.g. signal checks,
1378  * fork check, ptrace check, etc.
1379  * tsk1 is the actor and tsk2 is the target
1380  * - this uses the default subjective creds of tsk1
1381  */
1382 static int task_has_perm(const struct task_struct *tsk1,
1383                          const struct task_struct *tsk2,
1384                          u32 perms)
1385 {
1386         const struct task_security_struct *__tsec1, *__tsec2;
1387         u32 sid1, sid2;
1388
1389         rcu_read_lock();
1390         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1391         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1392         rcu_read_unlock();
1393         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1394 }
1395
1396 /*
1397  * Check permission between current and another task, e.g. signal checks,
1398  * fork check, ptrace check, etc.
1399  * current is the actor and tsk2 is the target
1400  * - this uses current's subjective creds
1401  */
1402 static int current_has_perm(const struct task_struct *tsk,
1403                             u32 perms)
1404 {
1405         u32 sid, tsid;
1406
1407         sid = current_sid();
1408         tsid = task_sid(tsk);
1409         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1410 }
1411
1412 #if CAP_LAST_CAP > 63
1413 #error Fix SELinux to handle capabilities > 63.
1414 #endif
1415
1416 /* Check whether a task is allowed to use a capability. */
1417 static int task_has_capability(struct task_struct *tsk,
1418                                const struct cred *cred,
1419                                int cap, int audit)
1420 {
1421         struct common_audit_data ad;
1422         struct av_decision avd;
1423         u16 sclass;
1424         u32 sid = cred_sid(cred);
1425         u32 av = CAP_TO_MASK(cap);
1426         int rc;
1427
1428         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1429         ad.tsk = tsk;
1430         ad.u.cap = cap;
1431
1432         switch (CAP_TO_INDEX(cap)) {
1433         case 0:
1434                 sclass = SECCLASS_CAPABILITY;
1435                 break;
1436         case 1:
1437                 sclass = SECCLASS_CAPABILITY2;
1438                 break;
1439         default:
1440                 printk(KERN_ERR
1441                        "SELinux:  out of range capability %d\n", cap);
1442                 BUG();
1443                 return -EINVAL;
1444         }
1445
1446         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1447         if (audit == SECURITY_CAP_AUDIT) {
1448                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1449                 if (rc2)
1450                         return rc2;
1451         }
1452         return rc;
1453 }
1454
1455 /* Check whether a task is allowed to use a system operation. */
1456 static int task_has_system(struct task_struct *tsk,
1457                            u32 perms)
1458 {
1459         u32 sid = task_sid(tsk);
1460
1461         return avc_has_perm(sid, SECINITSID_KERNEL,
1462                             SECCLASS_SYSTEM, perms, NULL);
1463 }
1464
1465 /* Check whether a task has a particular permission to an inode.
1466    The 'adp' parameter is optional and allows other audit
1467    data to be passed (e.g. the dentry). */
1468 static int inode_has_perm(const struct cred *cred,
1469                           struct inode *inode,
1470                           u32 perms,
1471                           struct common_audit_data *adp,
1472                           unsigned flags)
1473 {
1474         struct inode_security_struct *isec;
1475         u32 sid;
1476
1477         validate_creds(cred);
1478
1479         if (unlikely(IS_PRIVATE(inode)))
1480                 return 0;
1481
1482         sid = cred_sid(cred);
1483         isec = inode->i_security;
1484
1485         return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1486 }
1487
1488 static int inode_has_perm_noadp(const struct cred *cred,
1489                                 struct inode *inode,
1490                                 u32 perms,
1491                                 unsigned flags)
1492 {
1493         struct common_audit_data ad;
1494
1495         COMMON_AUDIT_DATA_INIT(&ad, INODE);
1496         ad.u.inode = inode;
1497         return inode_has_perm(cred, inode, perms, &ad, flags);
1498 }
1499
1500 /* Same as inode_has_perm, but pass explicit audit data containing
1501    the dentry to help the auditing code to more easily generate the
1502    pathname if needed. */
1503 static inline int dentry_has_perm(const struct cred *cred,
1504                                   struct dentry *dentry,
1505                                   u32 av)
1506 {
1507         struct inode *inode = dentry->d_inode;
1508         struct common_audit_data ad;
1509
1510         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1511         ad.u.dentry = dentry;
1512         return inode_has_perm(cred, inode, av, &ad, 0);
1513 }
1514
1515 /* Same as inode_has_perm, but pass explicit audit data containing
1516    the path to help the auditing code to more easily generate the
1517    pathname if needed. */
1518 static inline int path_has_perm(const struct cred *cred,
1519                                 struct path *path,
1520                                 u32 av)
1521 {
1522         struct inode *inode = path->dentry->d_inode;
1523         struct common_audit_data ad;
1524
1525         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1526         ad.u.path = *path;
1527         return inode_has_perm(cred, inode, av, &ad, 0);
1528 }
1529
1530 /* Check whether a task can use an open file descriptor to
1531    access an inode in a given way.  Check access to the
1532    descriptor itself, and then use dentry_has_perm to
1533    check a particular permission to the file.
1534    Access to the descriptor is implicitly granted if it
1535    has the same SID as the process.  If av is zero, then
1536    access to the file is not checked, e.g. for cases
1537    where only the descriptor is affected like seek. */
1538 static int file_has_perm(const struct cred *cred,
1539                          struct file *file,
1540                          u32 av)
1541 {
1542         struct file_security_struct *fsec = file->f_security;
1543         struct inode *inode = file->f_path.dentry->d_inode;
1544         struct common_audit_data ad;
1545         u32 sid = cred_sid(cred);
1546         int rc;
1547
1548         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1549         ad.u.path = file->f_path;
1550
1551         if (sid != fsec->sid) {
1552                 rc = avc_has_perm(sid, fsec->sid,
1553                                   SECCLASS_FD,
1554                                   FD__USE,
1555                                   &ad);
1556                 if (rc)
1557                         goto out;
1558         }
1559
1560         /* av is zero if only checking access to the descriptor. */
1561         rc = 0;
1562         if (av)
1563                 rc = inode_has_perm(cred, inode, av, &ad, 0);
1564
1565 out:
1566         return rc;
1567 }
1568
1569 /* Check whether a task can create a file. */
1570 static int may_create(struct inode *dir,
1571                       struct dentry *dentry,
1572                       u16 tclass)
1573 {
1574         const struct task_security_struct *tsec = current_security();
1575         struct inode_security_struct *dsec;
1576         struct superblock_security_struct *sbsec;
1577         u32 sid, newsid;
1578         struct common_audit_data ad;
1579         int rc;
1580
1581         dsec = dir->i_security;
1582         sbsec = dir->i_sb->s_security;
1583
1584         sid = tsec->sid;
1585         newsid = tsec->create_sid;
1586
1587         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1588         ad.u.dentry = dentry;
1589
1590         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1591                           DIR__ADD_NAME | DIR__SEARCH,
1592                           &ad);
1593         if (rc)
1594                 return rc;
1595
1596         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1597                 rc = security_transition_sid(sid, dsec->sid, tclass,
1598                                              &dentry->d_name, &newsid);
1599                 if (rc)
1600                         return rc;
1601         }
1602
1603         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1604         if (rc)
1605                 return rc;
1606
1607         return avc_has_perm(newsid, sbsec->sid,
1608                             SECCLASS_FILESYSTEM,
1609                             FILESYSTEM__ASSOCIATE, &ad);
1610 }
1611
1612 /* Check whether a task can create a key. */
1613 static int may_create_key(u32 ksid,
1614                           struct task_struct *ctx)
1615 {
1616         u32 sid = task_sid(ctx);
1617
1618         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1619 }
1620
1621 #define MAY_LINK        0
1622 #define MAY_UNLINK      1
1623 #define MAY_RMDIR       2
1624
1625 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1626 static int may_link(struct inode *dir,
1627                     struct dentry *dentry,
1628                     int kind)
1629
1630 {
1631         struct inode_security_struct *dsec, *isec;
1632         struct common_audit_data ad;
1633         u32 sid = current_sid();
1634         u32 av;
1635         int rc;
1636
1637         dsec = dir->i_security;
1638         isec = dentry->d_inode->i_security;
1639
1640         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1641         ad.u.dentry = dentry;
1642
1643         av = DIR__SEARCH;
1644         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1645         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1646         if (rc)
1647                 return rc;
1648
1649         switch (kind) {
1650         case MAY_LINK:
1651                 av = FILE__LINK;
1652                 break;
1653         case MAY_UNLINK:
1654                 av = FILE__UNLINK;
1655                 break;
1656         case MAY_RMDIR:
1657                 av = DIR__RMDIR;
1658                 break;
1659         default:
1660                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1661                         __func__, kind);
1662                 return 0;
1663         }
1664
1665         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1666         return rc;
1667 }
1668
1669 static inline int may_rename(struct inode *old_dir,
1670                              struct dentry *old_dentry,
1671                              struct inode *new_dir,
1672                              struct dentry *new_dentry)
1673 {
1674         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1675         struct common_audit_data ad;
1676         u32 sid = current_sid();
1677         u32 av;
1678         int old_is_dir, new_is_dir;
1679         int rc;
1680
1681         old_dsec = old_dir->i_security;
1682         old_isec = old_dentry->d_inode->i_security;
1683         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1684         new_dsec = new_dir->i_security;
1685
1686         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1687
1688         ad.u.dentry = old_dentry;
1689         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1690                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1691         if (rc)
1692                 return rc;
1693         rc = avc_has_perm(sid, old_isec->sid,
1694                           old_isec->sclass, FILE__RENAME, &ad);
1695         if (rc)
1696                 return rc;
1697         if (old_is_dir && new_dir != old_dir) {
1698                 rc = avc_has_perm(sid, old_isec->sid,
1699                                   old_isec->sclass, DIR__REPARENT, &ad);
1700                 if (rc)
1701                         return rc;
1702         }
1703
1704         ad.u.dentry = new_dentry;
1705         av = DIR__ADD_NAME | DIR__SEARCH;
1706         if (new_dentry->d_inode)
1707                 av |= DIR__REMOVE_NAME;
1708         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1709         if (rc)
1710                 return rc;
1711         if (new_dentry->d_inode) {
1712                 new_isec = new_dentry->d_inode->i_security;
1713                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1714                 rc = avc_has_perm(sid, new_isec->sid,
1715                                   new_isec->sclass,
1716                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1717                 if (rc)
1718                         return rc;
1719         }
1720
1721         return 0;
1722 }
1723
1724 /* Check whether a task can perform a filesystem operation. */
1725 static int superblock_has_perm(const struct cred *cred,
1726                                struct super_block *sb,
1727                                u32 perms,
1728                                struct common_audit_data *ad)
1729 {
1730         struct superblock_security_struct *sbsec;
1731         u32 sid = cred_sid(cred);
1732
1733         sbsec = sb->s_security;
1734         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1735 }
1736
1737 /* Convert a Linux mode and permission mask to an access vector. */
1738 static inline u32 file_mask_to_av(int mode, int mask)
1739 {
1740         u32 av = 0;
1741
1742         if ((mode & S_IFMT) != S_IFDIR) {
1743                 if (mask & MAY_EXEC)
1744                         av |= FILE__EXECUTE;
1745                 if (mask & MAY_READ)
1746                         av |= FILE__READ;
1747
1748                 if (mask & MAY_APPEND)
1749                         av |= FILE__APPEND;
1750                 else if (mask & MAY_WRITE)
1751                         av |= FILE__WRITE;
1752
1753         } else {
1754                 if (mask & MAY_EXEC)
1755                         av |= DIR__SEARCH;
1756                 if (mask & MAY_WRITE)
1757                         av |= DIR__WRITE;
1758                 if (mask & MAY_READ)
1759                         av |= DIR__READ;
1760         }
1761
1762         return av;
1763 }
1764
1765 /* Convert a Linux file to an access vector. */
1766 static inline u32 file_to_av(struct file *file)
1767 {
1768         u32 av = 0;
1769
1770         if (file->f_mode & FMODE_READ)
1771                 av |= FILE__READ;
1772         if (file->f_mode & FMODE_WRITE) {
1773                 if (file->f_flags & O_APPEND)
1774                         av |= FILE__APPEND;
1775                 else
1776                         av |= FILE__WRITE;
1777         }
1778         if (!av) {
1779                 /*
1780                  * Special file opened with flags 3 for ioctl-only use.
1781                  */
1782                 av = FILE__IOCTL;
1783         }
1784
1785         return av;
1786 }
1787
1788 /*
1789  * Convert a file to an access vector and include the correct open
1790  * open permission.
1791  */
1792 static inline u32 open_file_to_av(struct file *file)
1793 {
1794         u32 av = file_to_av(file);
1795
1796         if (selinux_policycap_openperm)
1797                 av |= FILE__OPEN;
1798
1799         return av;
1800 }
1801
1802 /* Hook functions begin here. */
1803
1804 static int selinux_ptrace_access_check(struct task_struct *child,
1805                                      unsigned int mode)
1806 {
1807         int rc;
1808
1809         rc = cap_ptrace_access_check(child, mode);
1810         if (rc)
1811                 return rc;
1812
1813         if (mode == PTRACE_MODE_READ) {
1814                 u32 sid = current_sid();
1815                 u32 csid = task_sid(child);
1816                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1817         }
1818
1819         return current_has_perm(child, PROCESS__PTRACE);
1820 }
1821
1822 static int selinux_ptrace_traceme(struct task_struct *parent)
1823 {
1824         int rc;
1825
1826         rc = cap_ptrace_traceme(parent);
1827         if (rc)
1828                 return rc;
1829
1830         return task_has_perm(parent, current, PROCESS__PTRACE);
1831 }
1832
1833 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1834                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1835 {
1836         int error;
1837
1838         error = current_has_perm(target, PROCESS__GETCAP);
1839         if (error)
1840                 return error;
1841
1842         return cap_capget(target, effective, inheritable, permitted);
1843 }
1844
1845 static int selinux_capset(struct cred *new, const struct cred *old,
1846                           const kernel_cap_t *effective,
1847                           const kernel_cap_t *inheritable,
1848                           const kernel_cap_t *permitted)
1849 {
1850         int error;
1851
1852         error = cap_capset(new, old,
1853                                       effective, inheritable, permitted);
1854         if (error)
1855                 return error;
1856
1857         return cred_has_perm(old, new, PROCESS__SETCAP);
1858 }
1859
1860 /*
1861  * (This comment used to live with the selinux_task_setuid hook,
1862  * which was removed).
1863  *
1864  * Since setuid only affects the current process, and since the SELinux
1865  * controls are not based on the Linux identity attributes, SELinux does not
1866  * need to control this operation.  However, SELinux does control the use of
1867  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1868  */
1869
1870 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1871                            struct user_namespace *ns, int cap, int audit)
1872 {
1873         int rc;
1874
1875         rc = cap_capable(tsk, cred, ns, cap, audit);
1876         if (rc)
1877                 return rc;
1878
1879         return task_has_capability(tsk, cred, cap, audit);
1880 }
1881
1882 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1883 {
1884         const struct cred *cred = current_cred();
1885         int rc = 0;
1886
1887         if (!sb)
1888                 return 0;
1889
1890         switch (cmds) {
1891         case Q_SYNC:
1892         case Q_QUOTAON:
1893         case Q_QUOTAOFF:
1894         case Q_SETINFO:
1895         case Q_SETQUOTA:
1896                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1897                 break;
1898         case Q_GETFMT:
1899         case Q_GETINFO:
1900         case Q_GETQUOTA:
1901                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1902                 break;
1903         default:
1904                 rc = 0;  /* let the kernel handle invalid cmds */
1905                 break;
1906         }
1907         return rc;
1908 }
1909
1910 static int selinux_quota_on(struct dentry *dentry)
1911 {
1912         const struct cred *cred = current_cred();
1913
1914         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1915 }
1916
1917 static int selinux_syslog(int type)
1918 {
1919         int rc;
1920
1921         switch (type) {
1922         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1923         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1924                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1925                 break;
1926         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1927         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1928         /* Set level of messages printed to console */
1929         case SYSLOG_ACTION_CONSOLE_LEVEL:
1930                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1931                 break;
1932         case SYSLOG_ACTION_CLOSE:       /* Close log */
1933         case SYSLOG_ACTION_OPEN:        /* Open log */
1934         case SYSLOG_ACTION_READ:        /* Read from log */
1935         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1936         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1937         default:
1938                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1939                 break;
1940         }
1941         return rc;
1942 }
1943
1944 /*
1945  * Check that a process has enough memory to allocate a new virtual
1946  * mapping. 0 means there is enough memory for the allocation to
1947  * succeed and -ENOMEM implies there is not.
1948  *
1949  * Do not audit the selinux permission check, as this is applied to all
1950  * processes that allocate mappings.
1951  */
1952 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1953 {
1954         int rc, cap_sys_admin = 0;
1955
1956         rc = selinux_capable(current, current_cred(),
1957                              &init_user_ns, CAP_SYS_ADMIN,
1958                              SECURITY_CAP_NOAUDIT);
1959         if (rc == 0)
1960                 cap_sys_admin = 1;
1961
1962         return __vm_enough_memory(mm, pages, cap_sys_admin);
1963 }
1964
1965 /* binprm security operations */
1966
1967 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1968 {
1969         const struct task_security_struct *old_tsec;
1970         struct task_security_struct *new_tsec;
1971         struct inode_security_struct *isec;
1972         struct common_audit_data ad;
1973         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1974         int rc;
1975
1976         rc = cap_bprm_set_creds(bprm);
1977         if (rc)
1978                 return rc;
1979
1980         /* SELinux context only depends on initial program or script and not
1981          * the script interpreter */
1982         if (bprm->cred_prepared)
1983                 return 0;
1984
1985         old_tsec = current_security();
1986         new_tsec = bprm->cred->security;
1987         isec = inode->i_security;
1988
1989         /* Default to the current task SID. */
1990         new_tsec->sid = old_tsec->sid;
1991         new_tsec->osid = old_tsec->sid;
1992
1993         /* Reset fs, key, and sock SIDs on execve. */
1994         new_tsec->create_sid = 0;
1995         new_tsec->keycreate_sid = 0;
1996         new_tsec->sockcreate_sid = 0;
1997
1998         if (old_tsec->exec_sid) {
1999                 new_tsec->sid = old_tsec->exec_sid;
2000                 /* Reset exec SID on execve. */
2001                 new_tsec->exec_sid = 0;
2002         } else {
2003                 /* Check for a default transition on this program. */
2004                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2005                                              SECCLASS_PROCESS, NULL,
2006                                              &new_tsec->sid);
2007                 if (rc)
2008                         return rc;
2009         }
2010
2011         COMMON_AUDIT_DATA_INIT(&ad, PATH);
2012         ad.u.path = bprm->file->f_path;
2013
2014         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2015                 new_tsec->sid = old_tsec->sid;
2016
2017         if (new_tsec->sid == old_tsec->sid) {
2018                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2019                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2020                 if (rc)
2021                         return rc;
2022         } else {
2023                 /* Check permissions for the transition. */
2024                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2025                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2026                 if (rc)
2027                         return rc;
2028
2029                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2030                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2031                 if (rc)
2032                         return rc;
2033
2034                 /* Check for shared state */
2035                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2036                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2037                                           SECCLASS_PROCESS, PROCESS__SHARE,
2038                                           NULL);
2039                         if (rc)
2040                                 return -EPERM;
2041                 }
2042
2043                 /* Make sure that anyone attempting to ptrace over a task that
2044                  * changes its SID has the appropriate permit */
2045                 if (bprm->unsafe &
2046                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2047                         struct task_struct *tracer;
2048                         struct task_security_struct *sec;
2049                         u32 ptsid = 0;
2050
2051                         rcu_read_lock();
2052                         tracer = ptrace_parent(current);
2053                         if (likely(tracer != NULL)) {
2054                                 sec = __task_cred(tracer)->security;
2055                                 ptsid = sec->sid;
2056                         }
2057                         rcu_read_unlock();
2058
2059                         if (ptsid != 0) {
2060                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2061                                                   SECCLASS_PROCESS,
2062                                                   PROCESS__PTRACE, NULL);
2063                                 if (rc)
2064                                         return -EPERM;
2065                         }
2066                 }
2067
2068                 /* Clear any possibly unsafe personality bits on exec: */
2069                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2070         }
2071
2072         return 0;
2073 }
2074
2075 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2076 {
2077         const struct task_security_struct *tsec = current_security();
2078         u32 sid, osid;
2079         int atsecure = 0;
2080
2081         sid = tsec->sid;
2082         osid = tsec->osid;
2083
2084         if (osid != sid) {
2085                 /* Enable secure mode for SIDs transitions unless
2086                    the noatsecure permission is granted between
2087                    the two SIDs, i.e. ahp returns 0. */
2088                 atsecure = avc_has_perm(osid, sid,
2089                                         SECCLASS_PROCESS,
2090                                         PROCESS__NOATSECURE, NULL);
2091         }
2092
2093         return (atsecure || cap_bprm_secureexec(bprm));
2094 }
2095
2096 /* Derived from fs/exec.c:flush_old_files. */
2097 static inline void flush_unauthorized_files(const struct cred *cred,
2098                                             struct files_struct *files)
2099 {
2100         struct common_audit_data ad;
2101         struct file *file, *devnull = NULL;
2102         struct tty_struct *tty;
2103         struct fdtable *fdt;
2104         long j = -1;
2105         int drop_tty = 0;
2106
2107         tty = get_current_tty();
2108         if (tty) {
2109                 spin_lock(&tty_files_lock);
2110                 if (!list_empty(&tty->tty_files)) {
2111                         struct tty_file_private *file_priv;
2112                         struct inode *inode;
2113
2114                         /* Revalidate access to controlling tty.
2115                            Use inode_has_perm on the tty inode directly rather
2116                            than using file_has_perm, as this particular open
2117                            file may belong to another process and we are only
2118                            interested in the inode-based check here. */
2119                         file_priv = list_first_entry(&tty->tty_files,
2120                                                 struct tty_file_private, list);
2121                         file = file_priv->file;
2122                         inode = file->f_path.dentry->d_inode;
2123                         if (inode_has_perm_noadp(cred, inode,
2124                                            FILE__READ | FILE__WRITE, 0)) {
2125                                 drop_tty = 1;
2126                         }
2127                 }
2128                 spin_unlock(&tty_files_lock);
2129                 tty_kref_put(tty);
2130         }
2131         /* Reset controlling tty. */
2132         if (drop_tty)
2133                 no_tty();
2134
2135         /* Revalidate access to inherited open files. */
2136
2137         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2138
2139         spin_lock(&files->file_lock);
2140         for (;;) {
2141                 unsigned long set, i;
2142                 int fd;
2143
2144                 j++;
2145                 i = j * __NFDBITS;
2146                 fdt = files_fdtable(files);
2147                 if (i >= fdt->max_fds)
2148                         break;
2149                 set = fdt->open_fds->fds_bits[j];
2150                 if (!set)
2151                         continue;
2152                 spin_unlock(&files->file_lock);
2153                 for ( ; set ; i++, set >>= 1) {
2154                         if (set & 1) {
2155                                 file = fget(i);
2156                                 if (!file)
2157                                         continue;
2158                                 if (file_has_perm(cred,
2159                                                   file,
2160                                                   file_to_av(file))) {
2161                                         sys_close(i);
2162                                         fd = get_unused_fd();
2163                                         if (fd != i) {
2164                                                 if (fd >= 0)
2165                                                         put_unused_fd(fd);
2166                                                 fput(file);
2167                                                 continue;
2168                                         }
2169                                         if (devnull) {
2170                                                 get_file(devnull);
2171                                         } else {
2172                                                 devnull = dentry_open(
2173                                                         dget(selinux_null),
2174                                                         mntget(selinuxfs_mount),
2175                                                         O_RDWR, cred);
2176                                                 if (IS_ERR(devnull)) {
2177                                                         devnull = NULL;
2178                                                         put_unused_fd(fd);
2179                                                         fput(file);
2180                                                         continue;
2181                                                 }
2182                                         }
2183                                         fd_install(fd, devnull);
2184                                 }
2185                                 fput(file);
2186                         }
2187                 }
2188                 spin_lock(&files->file_lock);
2189
2190         }
2191         spin_unlock(&files->file_lock);
2192 }
2193
2194 /*
2195  * Prepare a process for imminent new credential changes due to exec
2196  */
2197 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2198 {
2199         struct task_security_struct *new_tsec;
2200         struct rlimit *rlim, *initrlim;
2201         int rc, i;
2202
2203         new_tsec = bprm->cred->security;
2204         if (new_tsec->sid == new_tsec->osid)
2205                 return;
2206
2207         /* Close files for which the new task SID is not authorized. */
2208         flush_unauthorized_files(bprm->cred, current->files);
2209
2210         /* Always clear parent death signal on SID transitions. */
2211         current->pdeath_signal = 0;
2212
2213         /* Check whether the new SID can inherit resource limits from the old
2214          * SID.  If not, reset all soft limits to the lower of the current
2215          * task's hard limit and the init task's soft limit.
2216          *
2217          * Note that the setting of hard limits (even to lower them) can be
2218          * controlled by the setrlimit check.  The inclusion of the init task's
2219          * soft limit into the computation is to avoid resetting soft limits
2220          * higher than the default soft limit for cases where the default is
2221          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2222          */
2223         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2224                           PROCESS__RLIMITINH, NULL);
2225         if (rc) {
2226                 /* protect against do_prlimit() */
2227                 task_lock(current);
2228                 for (i = 0; i < RLIM_NLIMITS; i++) {
2229                         rlim = current->signal->rlim + i;
2230                         initrlim = init_task.signal->rlim + i;
2231                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2232                 }
2233                 task_unlock(current);
2234                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2235         }
2236 }
2237
2238 /*
2239  * Clean up the process immediately after the installation of new credentials
2240  * due to exec
2241  */
2242 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2243 {
2244         const struct task_security_struct *tsec = current_security();
2245         struct itimerval itimer;
2246         u32 osid, sid;
2247         int rc, i;
2248
2249         osid = tsec->osid;
2250         sid = tsec->sid;
2251
2252         if (sid == osid)
2253                 return;
2254
2255         /* Check whether the new SID can inherit signal state from the old SID.
2256          * If not, clear itimers to avoid subsequent signal generation and
2257          * flush and unblock signals.
2258          *
2259          * This must occur _after_ the task SID has been updated so that any
2260          * kill done after the flush will be checked against the new SID.
2261          */
2262         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2263         if (rc) {
2264                 memset(&itimer, 0, sizeof itimer);
2265                 for (i = 0; i < 3; i++)
2266                         do_setitimer(i, &itimer, NULL);
2267                 spin_lock_irq(&current->sighand->siglock);
2268                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2269                         __flush_signals(current);
2270                         flush_signal_handlers(current, 1);
2271                         sigemptyset(&current->blocked);
2272                 }
2273                 spin_unlock_irq(&current->sighand->siglock);
2274         }
2275
2276         /* Wake up the parent if it is waiting so that it can recheck
2277          * wait permission to the new task SID. */
2278         read_lock(&tasklist_lock);
2279         __wake_up_parent(current, current->real_parent);
2280         read_unlock(&tasklist_lock);
2281 }
2282
2283 /* superblock security operations */
2284
2285 static int selinux_sb_alloc_security(struct super_block *sb)
2286 {
2287         return superblock_alloc_security(sb);
2288 }
2289
2290 static void selinux_sb_free_security(struct super_block *sb)
2291 {
2292         superblock_free_security(sb);
2293 }
2294
2295 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2296 {
2297         if (plen > olen)
2298                 return 0;
2299
2300         return !memcmp(prefix, option, plen);
2301 }
2302
2303 static inline int selinux_option(char *option, int len)
2304 {
2305         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2306                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2307                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2308                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2309                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2310 }
2311
2312 static inline void take_option(char **to, char *from, int *first, int len)
2313 {
2314         if (!*first) {
2315                 **to = ',';
2316                 *to += 1;
2317         } else
2318                 *first = 0;
2319         memcpy(*to, from, len);
2320         *to += len;
2321 }
2322
2323 static inline void take_selinux_option(char **to, char *from, int *first,
2324                                        int len)
2325 {
2326         int current_size = 0;
2327
2328         if (!*first) {
2329                 **to = '|';
2330                 *to += 1;
2331         } else
2332                 *first = 0;
2333
2334         while (current_size < len) {
2335                 if (*from != '"') {
2336                         **to = *from;
2337                         *to += 1;
2338                 }
2339                 from += 1;
2340                 current_size += 1;
2341         }
2342 }
2343
2344 static int selinux_sb_copy_data(char *orig, char *copy)
2345 {
2346         int fnosec, fsec, rc = 0;
2347         char *in_save, *in_curr, *in_end;
2348         char *sec_curr, *nosec_save, *nosec;
2349         int open_quote = 0;
2350
2351         in_curr = orig;
2352         sec_curr = copy;
2353
2354         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2355         if (!nosec) {
2356                 rc = -ENOMEM;
2357                 goto out;
2358         }
2359
2360         nosec_save = nosec;
2361         fnosec = fsec = 1;
2362         in_save = in_end = orig;
2363
2364         do {
2365                 if (*in_end == '"')
2366                         open_quote = !open_quote;
2367                 if ((*in_end == ',' && open_quote == 0) ||
2368                                 *in_end == '\0') {
2369                         int len = in_end - in_curr;
2370
2371                         if (selinux_option(in_curr, len))
2372                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2373                         else
2374                                 take_option(&nosec, in_curr, &fnosec, len);
2375
2376                         in_curr = in_end + 1;
2377                 }
2378         } while (*in_end++);
2379
2380         strcpy(in_save, nosec_save);
2381         free_page((unsigned long)nosec_save);
2382 out:
2383         return rc;
2384 }
2385
2386 static int selinux_sb_remount(struct super_block *sb, void *data)
2387 {
2388         int rc, i, *flags;
2389         struct security_mnt_opts opts;
2390         char *secdata, **mount_options;
2391         struct superblock_security_struct *sbsec = sb->s_security;
2392
2393         if (!(sbsec->flags & SE_SBINITIALIZED))
2394                 return 0;
2395
2396         if (!data)
2397                 return 0;
2398
2399         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2400                 return 0;
2401
2402         security_init_mnt_opts(&opts);
2403         secdata = alloc_secdata();
2404         if (!secdata)
2405                 return -ENOMEM;
2406         rc = selinux_sb_copy_data(data, secdata);
2407         if (rc)
2408                 goto out_free_secdata;
2409
2410         rc = selinux_parse_opts_str(secdata, &opts);
2411         if (rc)
2412                 goto out_free_secdata;
2413
2414         mount_options = opts.mnt_opts;
2415         flags = opts.mnt_opts_flags;
2416
2417         for (i = 0; i < opts.num_mnt_opts; i++) {
2418                 u32 sid;
2419                 size_t len;
2420
2421                 if (flags[i] == SE_SBLABELSUPP)
2422                         continue;
2423                 len = strlen(mount_options[i]);
2424                 rc = security_context_to_sid(mount_options[i], len, &sid);
2425                 if (rc) {
2426                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2427                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2428                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2429                         goto out_free_opts;
2430                 }
2431                 rc = -EINVAL;
2432                 switch (flags[i]) {
2433                 case FSCONTEXT_MNT:
2434                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2435                                 goto out_bad_option;
2436                         break;
2437                 case CONTEXT_MNT:
2438                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2439                                 goto out_bad_option;
2440                         break;
2441                 case ROOTCONTEXT_MNT: {
2442                         struct inode_security_struct *root_isec;
2443                         root_isec = sb->s_root->d_inode->i_security;
2444
2445                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2446                                 goto out_bad_option;
2447                         break;
2448                 }
2449                 case DEFCONTEXT_MNT:
2450                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2451                                 goto out_bad_option;
2452                         break;
2453                 default:
2454                         goto out_free_opts;
2455                 }
2456         }
2457
2458         rc = 0;
2459 out_free_opts:
2460         security_free_mnt_opts(&opts);
2461 out_free_secdata:
2462         free_secdata(secdata);
2463         return rc;
2464 out_bad_option:
2465         printk(KERN_WARNING "SELinux: unable to change security options "
2466                "during remount (dev %s, type=%s)\n", sb->s_id,
2467                sb->s_type->name);
2468         goto out_free_opts;
2469 }
2470
2471 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2472 {
2473         const struct cred *cred = current_cred();
2474         struct common_audit_data ad;
2475         int rc;
2476
2477         rc = superblock_doinit(sb, data);
2478         if (rc)
2479                 return rc;
2480
2481         /* Allow all mounts performed by the kernel */
2482         if (flags & MS_KERNMOUNT)
2483                 return 0;
2484
2485         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2486         ad.u.dentry = sb->s_root;
2487         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2488 }
2489
2490 static int selinux_sb_statfs(struct dentry *dentry)
2491 {
2492         const struct cred *cred = current_cred();
2493         struct common_audit_data ad;
2494
2495         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2496         ad.u.dentry = dentry->d_sb->s_root;
2497         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2498 }
2499
2500 static int selinux_mount(char *dev_name,
2501                          struct path *path,
2502                          char *type,
2503                          unsigned long flags,
2504                          void *data)
2505 {
2506         const struct cred *cred = current_cred();
2507
2508         if (flags & MS_REMOUNT)
2509                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2510                                            FILESYSTEM__REMOUNT, NULL);
2511         else
2512                 return path_has_perm(cred, path, FILE__MOUNTON);
2513 }
2514
2515 static int selinux_umount(struct vfsmount *mnt, int flags)
2516 {
2517         const struct cred *cred = current_cred();
2518
2519         return superblock_has_perm(cred, mnt->mnt_sb,
2520                                    FILESYSTEM__UNMOUNT, NULL);
2521 }
2522
2523 /* inode security operations */
2524
2525 static int selinux_inode_alloc_security(struct inode *inode)
2526 {
2527         return inode_alloc_security(inode);
2528 }
2529
2530 static void selinux_inode_free_security(struct inode *inode)
2531 {
2532         inode_free_security(inode);
2533 }
2534
2535 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2536                                        const struct qstr *qstr, char **name,
2537                                        void **value, size_t *len)
2538 {
2539         const struct task_security_struct *tsec = current_security();
2540         struct inode_security_struct *dsec;
2541         struct superblock_security_struct *sbsec;
2542         u32 sid, newsid, clen;
2543         int rc;
2544         char *namep = NULL, *context;
2545
2546         dsec = dir->i_security;
2547         sbsec = dir->i_sb->s_security;
2548
2549         sid = tsec->sid;
2550         newsid = tsec->create_sid;
2551
2552         if ((sbsec->flags & SE_SBINITIALIZED) &&
2553             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2554                 newsid = sbsec->mntpoint_sid;
2555         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2556                 rc = security_transition_sid(sid, dsec->sid,
2557                                              inode_mode_to_security_class(inode->i_mode),
2558                                              qstr, &newsid);
2559                 if (rc) {
2560                         printk(KERN_WARNING "%s:  "
2561                                "security_transition_sid failed, rc=%d (dev=%s "
2562                                "ino=%ld)\n",
2563                                __func__,
2564                                -rc, inode->i_sb->s_id, inode->i_ino);
2565                         return rc;
2566                 }
2567         }
2568
2569         /* Possibly defer initialization to selinux_complete_init. */
2570         if (sbsec->flags & SE_SBINITIALIZED) {
2571                 struct inode_security_struct *isec = inode->i_security;
2572                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2573                 isec->sid = newsid;
2574                 isec->initialized = 1;
2575         }
2576
2577         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2578                 return -EOPNOTSUPP;
2579
2580         if (name) {
2581                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2582                 if (!namep)
2583                         return -ENOMEM;
2584                 *name = namep;
2585         }
2586
2587         if (value && len) {
2588                 rc = security_sid_to_context_force(newsid, &context, &clen);
2589                 if (rc) {
2590                         kfree(namep);
2591                         return rc;
2592                 }
2593                 *value = context;
2594                 *len = clen;
2595         }
2596
2597         return 0;
2598 }
2599
2600 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2601 {
2602         return may_create(dir, dentry, SECCLASS_FILE);
2603 }
2604
2605 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2606 {
2607         return may_link(dir, old_dentry, MAY_LINK);
2608 }
2609
2610 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2611 {
2612         return may_link(dir, dentry, MAY_UNLINK);
2613 }
2614
2615 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2616 {
2617         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2618 }
2619
2620 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2621 {
2622         return may_create(dir, dentry, SECCLASS_DIR);
2623 }
2624
2625 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2626 {
2627         return may_link(dir, dentry, MAY_RMDIR);
2628 }
2629
2630 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2631 {
2632         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2633 }
2634
2635 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2636                                 struct inode *new_inode, struct dentry *new_dentry)
2637 {
2638         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2639 }
2640
2641 static int selinux_inode_readlink(struct dentry *dentry)
2642 {
2643         const struct cred *cred = current_cred();
2644
2645         return dentry_has_perm(cred, dentry, FILE__READ);
2646 }
2647
2648 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2649 {
2650         const struct cred *cred = current_cred();
2651
2652         return dentry_has_perm(cred, dentry, FILE__READ);
2653 }
2654
2655 static int selinux_inode_permission(struct inode *inode, int mask)
2656 {
2657         const struct cred *cred = current_cred();
2658         struct common_audit_data ad;
2659         u32 perms;
2660         bool from_access;
2661         unsigned flags = mask & MAY_NOT_BLOCK;
2662
2663         from_access = mask & MAY_ACCESS;
2664         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2665
2666         /* No permission to check.  Existence test. */
2667         if (!mask)
2668                 return 0;
2669
2670         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2671         ad.u.inode = inode;
2672
2673         if (from_access)
2674                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2675
2676         perms = file_mask_to_av(inode->i_mode, mask);
2677
2678         return inode_has_perm(cred, inode, perms, &ad, flags);
2679 }
2680
2681 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2682 {
2683         const struct cred *cred = current_cred();
2684         unsigned int ia_valid = iattr->ia_valid;
2685
2686         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2687         if (ia_valid & ATTR_FORCE) {
2688                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2689                               ATTR_FORCE);
2690                 if (!ia_valid)
2691                         return 0;
2692         }
2693
2694         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2695                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2696                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2697
2698         return dentry_has_perm(cred, dentry, FILE__WRITE);
2699 }
2700
2701 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2702 {
2703         const struct cred *cred = current_cred();
2704         struct path path;
2705
2706         path.dentry = dentry;
2707         path.mnt = mnt;
2708
2709         return path_has_perm(cred, &path, FILE__GETATTR);
2710 }
2711
2712 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2713 {
2714         const struct cred *cred = current_cred();
2715
2716         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2717                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2718                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2719                         if (!capable(CAP_SETFCAP))
2720                                 return -EPERM;
2721                 } else if (!capable(CAP_SYS_ADMIN)) {
2722                         /* A different attribute in the security namespace.
2723                            Restrict to administrator. */
2724                         return -EPERM;
2725                 }
2726         }
2727
2728         /* Not an attribute we recognize, so just check the
2729            ordinary setattr permission. */
2730         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2731 }
2732
2733 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2734                                   const void *value, size_t size, int flags)
2735 {
2736         struct inode *inode = dentry->d_inode;
2737         struct inode_security_struct *isec = inode->i_security;
2738         struct superblock_security_struct *sbsec;
2739         struct common_audit_data ad;
2740         u32 newsid, sid = current_sid();
2741         int rc = 0;
2742
2743         if (strcmp(name, XATTR_NAME_SELINUX))
2744                 return selinux_inode_setotherxattr(dentry, name);
2745
2746         sbsec = inode->i_sb->s_security;
2747         if (!(sbsec->flags & SE_SBLABELSUPP))
2748                 return -EOPNOTSUPP;
2749
2750         if (!inode_owner_or_capable(inode))
2751                 return -EPERM;
2752
2753         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2754         ad.u.dentry = dentry;
2755
2756         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2757                           FILE__RELABELFROM, &ad);
2758         if (rc)
2759                 return rc;
2760
2761         rc = security_context_to_sid(value, size, &newsid);
2762         if (rc == -EINVAL) {
2763                 if (!capable(CAP_MAC_ADMIN))
2764                         return rc;
2765                 rc = security_context_to_sid_force(value, size, &newsid);
2766         }
2767         if (rc)
2768                 return rc;
2769
2770         rc = avc_has_perm(sid, newsid, isec->sclass,
2771                           FILE__RELABELTO, &ad);
2772         if (rc)
2773                 return rc;
2774
2775         rc = security_validate_transition(isec->sid, newsid, sid,
2776                                           isec->sclass);
2777         if (rc)
2778                 return rc;
2779
2780         return avc_has_perm(newsid,
2781                             sbsec->sid,
2782                             SECCLASS_FILESYSTEM,
2783                             FILESYSTEM__ASSOCIATE,
2784                             &ad);
2785 }
2786
2787 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2788                                         const void *value, size_t size,
2789                                         int flags)
2790 {
2791         struct inode *inode = dentry->d_inode;
2792         struct inode_security_struct *isec = inode->i_security;
2793         u32 newsid;
2794         int rc;
2795
2796         if (strcmp(name, XATTR_NAME_SELINUX)) {
2797                 /* Not an attribute we recognize, so nothing to do. */
2798                 return;
2799         }
2800
2801         rc = security_context_to_sid_force(value, size, &newsid);
2802         if (rc) {
2803                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2804                        "for (%s, %lu), rc=%d\n",
2805                        inode->i_sb->s_id, inode->i_ino, -rc);
2806                 return;
2807         }
2808
2809         isec->sid = newsid;
2810         return;
2811 }
2812
2813 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2814 {
2815         const struct cred *cred = current_cred();
2816
2817         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2818 }
2819
2820 static int selinux_inode_listxattr(struct dentry *dentry)
2821 {
2822         const struct cred *cred = current_cred();
2823
2824         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2825 }
2826
2827 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2828 {
2829         if (strcmp(name, XATTR_NAME_SELINUX))
2830                 return selinux_inode_setotherxattr(dentry, name);
2831
2832         /* No one is allowed to remove a SELinux security label.
2833            You can change the label, but all data must be labeled. */
2834         return -EACCES;
2835 }
2836
2837 /*
2838  * Copy the inode security context value to the user.
2839  *
2840  * Permission check is handled by selinux_inode_getxattr hook.
2841  */
2842 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2843 {
2844         u32 size;
2845         int error;
2846         char *context = NULL;
2847         struct inode_security_struct *isec = inode->i_security;
2848
2849         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2850                 return -EOPNOTSUPP;
2851
2852         /*
2853          * If the caller has CAP_MAC_ADMIN, then get the raw context
2854          * value even if it is not defined by current policy; otherwise,
2855          * use the in-core value under current policy.
2856          * Use the non-auditing forms of the permission checks since
2857          * getxattr may be called by unprivileged processes commonly
2858          * and lack of permission just means that we fall back to the
2859          * in-core context value, not a denial.
2860          */
2861         error = selinux_capable(current, current_cred(),
2862                                 &init_user_ns, CAP_MAC_ADMIN,
2863                                 SECURITY_CAP_NOAUDIT);
2864         if (!error)
2865                 error = security_sid_to_context_force(isec->sid, &context,
2866                                                       &size);
2867         else
2868                 error = security_sid_to_context(isec->sid, &context, &size);
2869         if (error)
2870                 return error;
2871         error = size;
2872         if (alloc) {
2873                 *buffer = context;
2874                 goto out_nofree;
2875         }
2876         kfree(context);
2877 out_nofree:
2878         return error;
2879 }
2880
2881 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2882                                      const void *value, size_t size, int flags)
2883 {
2884         struct inode_security_struct *isec = inode->i_security;
2885         u32 newsid;
2886         int rc;
2887
2888         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2889                 return -EOPNOTSUPP;
2890
2891         if (!value || !size)
2892                 return -EACCES;
2893
2894         rc = security_context_to_sid((void *)value, size, &newsid);
2895         if (rc)
2896                 return rc;
2897
2898         isec->sid = newsid;
2899         isec->initialized = 1;
2900         return 0;
2901 }
2902
2903 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2904 {
2905         const int len = sizeof(XATTR_NAME_SELINUX);
2906         if (buffer && len <= buffer_size)
2907                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2908         return len;
2909 }
2910
2911 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2912 {
2913         struct inode_security_struct *isec = inode->i_security;
2914         *secid = isec->sid;
2915 }
2916
2917 /* file security operations */
2918
2919 static int selinux_revalidate_file_permission(struct file *file, int mask)
2920 {
2921         const struct cred *cred = current_cred();
2922         struct inode *inode = file->f_path.dentry->d_inode;
2923
2924         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2925         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2926                 mask |= MAY_APPEND;
2927
2928         return file_has_perm(cred, file,
2929                              file_mask_to_av(inode->i_mode, mask));
2930 }
2931
2932 static int selinux_file_permission(struct file *file, int mask)
2933 {
2934         struct inode *inode = file->f_path.dentry->d_inode;
2935         struct file_security_struct *fsec = file->f_security;
2936         struct inode_security_struct *isec = inode->i_security;
2937         u32 sid = current_sid();
2938
2939         if (!mask)
2940                 /* No permission to check.  Existence test. */
2941                 return 0;
2942
2943         if (sid == fsec->sid && fsec->isid == isec->sid &&
2944             fsec->pseqno == avc_policy_seqno())
2945                 /* No change since dentry_open check. */
2946                 return 0;
2947
2948         return selinux_revalidate_file_permission(file, mask);
2949 }
2950
2951 static int selinux_file_alloc_security(struct file *file)
2952 {
2953         return file_alloc_security(file);
2954 }
2955
2956 static void selinux_file_free_security(struct file *file)
2957 {
2958         file_free_security(file);
2959 }
2960
2961 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2962                               unsigned long arg)
2963 {
2964         const struct cred *cred = current_cred();
2965         int error = 0;
2966
2967         switch (cmd) {
2968         case FIONREAD:
2969         /* fall through */
2970         case FIBMAP:
2971         /* fall through */
2972         case FIGETBSZ:
2973         /* fall through */
2974         case EXT2_IOC_GETFLAGS:
2975         /* fall through */
2976         case EXT2_IOC_GETVERSION:
2977                 error = file_has_perm(cred, file, FILE__GETATTR);
2978                 break;
2979
2980         case EXT2_IOC_SETFLAGS:
2981         /* fall through */
2982         case EXT2_IOC_SETVERSION:
2983                 error = file_has_perm(cred, file, FILE__SETATTR);
2984                 break;
2985
2986         /* sys_ioctl() checks */
2987         case FIONBIO:
2988         /* fall through */
2989         case FIOASYNC:
2990                 error = file_has_perm(cred, file, 0);
2991                 break;
2992
2993         case KDSKBENT:
2994         case KDSKBSENT:
2995                 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2996                                         SECURITY_CAP_AUDIT);
2997                 break;
2998
2999         /* default case assumes that the command will go
3000          * to the file's ioctl() function.
3001          */
3002         default:
3003                 error = file_has_perm(cred, file, FILE__IOCTL);
3004         }
3005         return error;
3006 }
3007
3008 static int default_noexec;
3009
3010 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3011 {
3012         const struct cred *cred = current_cred();
3013         int rc = 0;
3014
3015         if (default_noexec &&
3016             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3017                 /*
3018                  * We are making executable an anonymous mapping or a
3019                  * private file mapping that will also be writable.
3020                  * This has an additional check.
3021                  */
3022                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3023                 if (rc)
3024                         goto error;
3025         }
3026
3027         if (file) {
3028                 /* read access is always possible with a mapping */
3029                 u32 av = FILE__READ;
3030
3031                 /* write access only matters if the mapping is shared */
3032                 if (shared && (prot & PROT_WRITE))
3033                         av |= FILE__WRITE;
3034
3035                 if (prot & PROT_EXEC)
3036                         av |= FILE__EXECUTE;
3037
3038                 return file_has_perm(cred, file, av);
3039         }
3040
3041 error:
3042         return rc;
3043 }
3044
3045 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3046                              unsigned long prot, unsigned long flags,
3047                              unsigned long addr, unsigned long addr_only)
3048 {
3049         int rc = 0;
3050         u32 sid = current_sid();
3051
3052         /*
3053          * notice that we are intentionally putting the SELinux check before
3054          * the secondary cap_file_mmap check.  This is such a likely attempt
3055          * at bad behaviour/exploit that we always want to get the AVC, even
3056          * if DAC would have also denied the operation.
3057          */
3058         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3059                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3060                                   MEMPROTECT__MMAP_ZERO, NULL);
3061                 if (rc)
3062                         return rc;
3063         }
3064
3065         /* do DAC check on address space usage */
3066         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3067         if (rc || addr_only)
3068                 return rc;
3069
3070         if (selinux_checkreqprot)
3071                 prot = reqprot;
3072
3073         return file_map_prot_check(file, prot,
3074                                    (flags & MAP_TYPE) == MAP_SHARED);
3075 }
3076
3077 static int selinux_file_mprotect(struct vm_area_struct *vma,
3078                                  unsigned long reqprot,
3079                                  unsigned long prot)
3080 {
3081         const struct cred *cred = current_cred();
3082
3083         if (selinux_checkreqprot)
3084                 prot = reqprot;
3085
3086         if (default_noexec &&
3087             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3088                 int rc = 0;
3089                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3090                     vma->vm_end <= vma->vm_mm->brk) {
3091                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3092                 } else if (!vma->vm_file &&
3093                            vma->vm_start <= vma->vm_mm->start_stack &&
3094                            vma->vm_end >= vma->vm_mm->start_stack) {
3095                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3096                 } else if (vma->vm_file && vma->anon_vma) {
3097                         /*
3098                          * We are making executable a file mapping that has
3099                          * had some COW done. Since pages might have been
3100                          * written, check ability to execute the possibly
3101                          * modified content.  This typically should only
3102                          * occur for text relocations.
3103                          */
3104                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3105                 }
3106                 if (rc)
3107                         return rc;
3108         }
3109
3110         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3111 }
3112
3113 static int selinux_file_lock(struct file *file, unsigned int cmd)
3114 {
3115         const struct cred *cred = current_cred();
3116
3117         return file_has_perm(cred, file, FILE__LOCK);
3118 }
3119
3120 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3121                               unsigned long arg)
3122 {
3123         const struct cred *cred = current_cred();
3124         int err = 0;
3125
3126         switch (cmd) {
3127         case F_SETFL:
3128                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3129                         err = -EINVAL;
3130                         break;
3131                 }
3132
3133                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3134                         err = file_has_perm(cred, file, FILE__WRITE);
3135                         break;
3136                 }
3137                 /* fall through */
3138         case F_SETOWN:
3139         case F_SETSIG:
3140         case F_GETFL:
3141         case F_GETOWN:
3142         case F_GETSIG:
3143                 /* Just check FD__USE permission */
3144                 err = file_has_perm(cred, file, 0);
3145                 break;
3146         case F_GETLK:
3147         case F_SETLK:
3148         case F_SETLKW:
3149 #if BITS_PER_LONG == 32
3150         case F_GETLK64:
3151         case F_SETLK64:
3152         case F_SETLKW64:
3153 #endif
3154                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3155                         err = -EINVAL;
3156                         break;
3157                 }
3158                 err = file_has_perm(cred, file, FILE__LOCK);
3159                 break;
3160         }
3161
3162         return err;
3163 }
3164
3165 static int selinux_file_set_fowner(struct file *file)
3166 {
3167         struct file_security_struct *fsec;
3168
3169         fsec = file->f_security;
3170         fsec->fown_sid = current_sid();
3171
3172         return 0;
3173 }
3174
3175 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3176                                        struct fown_struct *fown, int signum)
3177 {
3178         struct file *file;
3179         u32 sid = task_sid(tsk);
3180         u32 perm;
3181         struct file_security_struct *fsec;
3182
3183         /* struct fown_struct is never outside the context of a struct file */
3184         file = container_of(fown, struct file, f_owner);
3185
3186         fsec = file->f_security;
3187
3188         if (!signum)
3189                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3190         else
3191                 perm = signal_to_av(signum);
3192
3193         return avc_has_perm(fsec->fown_sid, sid,
3194                             SECCLASS_PROCESS, perm, NULL);
3195 }
3196
3197 static int selinux_file_receive(struct file *file)
3198 {
3199         const struct cred *cred = current_cred();
3200
3201         return file_has_perm(cred, file, file_to_av(file));
3202 }
3203
3204 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3205 {
3206         struct file_security_struct *fsec;
3207         struct inode *inode;
3208         struct inode_security_struct *isec;
3209
3210         inode = file->f_path.dentry->d_inode;
3211         fsec = file->f_security;
3212         isec = inode->i_security;
3213         /*
3214          * Save inode label and policy sequence number
3215          * at open-time so that selinux_file_permission
3216          * can determine whether revalidation is necessary.
3217          * Task label is already saved in the file security
3218          * struct as its SID.
3219          */
3220         fsec->isid = isec->sid;
3221         fsec->pseqno = avc_policy_seqno();
3222         /*
3223          * Since the inode label or policy seqno may have changed
3224          * between the selinux_inode_permission check and the saving
3225          * of state above, recheck that access is still permitted.
3226          * Otherwise, access might never be revalidated against the
3227          * new inode label or new policy.
3228          * This check is not redundant - do not remove.
3229          */
3230         return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3231 }
3232
3233 /* task security operations */
3234
3235 static int selinux_task_create(unsigned long clone_flags)
3236 {
3237         return current_has_perm(current, PROCESS__FORK);
3238 }
3239
3240 /*
3241  * allocate the SELinux part of blank credentials
3242  */
3243 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3244 {
3245         struct task_security_struct *tsec;
3246
3247         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3248         if (!tsec)
3249                 return -ENOMEM;
3250
3251         cred->security = tsec;
3252         return 0;
3253 }
3254
3255 /*
3256  * detach and free the LSM part of a set of credentials
3257  */
3258 static void selinux_cred_free(struct cred *cred)
3259 {
3260         struct task_security_struct *tsec = cred->security;
3261
3262         /*
3263          * cred->security == NULL if security_cred_alloc_blank() or
3264          * security_prepare_creds() returned an error.
3265          */
3266         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3267         cred->security = (void *) 0x7UL;
3268         kfree(tsec);
3269 }
3270
3271 /*
3272  * prepare a new set of credentials for modification
3273  */
3274 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3275                                 gfp_t gfp)
3276 {
3277         const struct task_security_struct *old_tsec;
3278         struct task_security_struct *tsec;
3279
3280         old_tsec = old->security;
3281
3282         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3283         if (!tsec)
3284                 return -ENOMEM;
3285
3286         new->security = tsec;
3287         return 0;
3288 }
3289
3290 /*
3291  * transfer the SELinux data to a blank set of creds
3292  */
3293 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3294 {
3295         const struct task_security_struct *old_tsec = old->security;
3296         struct task_security_struct *tsec = new->security;
3297
3298         *tsec = *old_tsec;
3299 }
3300
3301 /*
3302  * set the security data for a kernel service
3303  * - all the creation contexts are set to unlabelled
3304  */
3305 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3306 {
3307         struct task_security_struct *tsec = new->security;
3308         u32 sid = current_sid();
3309         int ret;
3310
3311         ret = avc_has_perm(sid, secid,
3312                            SECCLASS_KERNEL_SERVICE,
3313                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3314                            NULL);
3315         if (ret == 0) {
3316                 tsec->sid = secid;
3317                 tsec->create_sid = 0;
3318                 tsec->keycreate_sid = 0;
3319                 tsec->sockcreate_sid = 0;
3320         }
3321         return ret;
3322 }
3323
3324 /*
3325  * set the file creation context in a security record to the same as the
3326  * objective context of the specified inode
3327  */
3328 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3329 {
3330         struct inode_security_struct *isec = inode->i_security;
3331         struct task_security_struct *tsec = new->security;
3332         u32 sid = current_sid();
3333         int ret;
3334
3335         ret = avc_has_perm(sid, isec->sid,
3336                            SECCLASS_KERNEL_SERVICE,
3337                            KERNEL_SERVICE__CREATE_FILES_AS,
3338                            NULL);
3339
3340         if (ret == 0)
3341                 tsec->create_sid = isec->sid;
3342         return ret;
3343 }
3344
3345 static int selinux_kernel_module_request(char *kmod_name)
3346 {
3347         u32 sid;
3348         struct common_audit_data ad;
3349
3350         sid = task_sid(current);
3351
3352         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3353         ad.u.kmod_name = kmod_name;
3354
3355         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3356                             SYSTEM__MODULE_REQUEST, &ad);
3357 }
3358
3359 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3360 {
3361         return current_has_perm(p, PROCESS__SETPGID);
3362 }
3363
3364 static int selinux_task_getpgid(struct task_struct *p)
3365 {
3366         return current_has_perm(p, PROCESS__GETPGID);
3367 }
3368
3369 static int selinux_task_getsid(struct task_struct *p)
3370 {
3371         return current_has_perm(p, PROCESS__GETSESSION);
3372 }
3373
3374 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3375 {
3376         *secid = task_sid(p);
3377 }
3378
3379 static int selinux_task_setnice(struct task_struct *p, int nice)
3380 {
3381         int rc;
3382
3383         rc = cap_task_setnice(p, nice);
3384         if (rc)
3385                 return rc;
3386
3387         return current_has_perm(p, PROCESS__SETSCHED);
3388 }
3389
3390 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3391 {
3392         int rc;
3393
3394         rc = cap_task_setioprio(p, ioprio);
3395         if (rc)
3396                 return rc;
3397
3398         return current_has_perm(p, PROCESS__SETSCHED);
3399 }
3400
3401 static int selinux_task_getioprio(struct task_struct *p)
3402 {
3403         return current_has_perm(p, PROCESS__GETSCHED);
3404 }
3405
3406 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3407                 struct rlimit *new_rlim)
3408 {
3409         struct rlimit *old_rlim = p->signal->rlim + resource;
3410
3411         /* Control the ability to change the hard limit (whether
3412            lowering or raising it), so that the hard limit can
3413            later be used as a safe reset point for the soft limit
3414            upon context transitions.  See selinux_bprm_committing_creds. */
3415         if (old_rlim->rlim_max != new_rlim->rlim_max)
3416                 return current_has_perm(p, PROCESS__SETRLIMIT);
3417
3418         return 0;
3419 }
3420
3421 static int selinux_task_setscheduler(struct task_struct *p)
3422 {
3423         int rc;
3424
3425         rc = cap_task_setscheduler(p);
3426         if (rc)
3427                 return rc;
3428
3429         return current_has_perm(p, PROCESS__SETSCHED);
3430 }
3431
3432 static int selinux_task_getscheduler(struct task_struct *p)
3433 {
3434         return current_has_perm(p, PROCESS__GETSCHED);
3435 }
3436
3437 static int selinux_task_movememory(struct task_struct *p)
3438 {
3439         return current_has_perm(p, PROCESS__SETSCHED);
3440 }
3441
3442 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3443                                 int sig, u32 secid)
3444 {
3445         u32 perm;
3446         int rc;
3447
3448         if (!sig)
3449                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3450         else
3451                 perm = signal_to_av(sig);
3452         if (secid)
3453                 rc = avc_has_perm(secid, task_sid(p),
3454                                   SECCLASS_PROCESS, perm, NULL);
3455         else
3456                 rc = current_has_perm(p, perm);
3457         return rc;
3458 }
3459
3460 static int selinux_task_wait(struct task_struct *p)
3461 {
3462         return task_has_perm(p, current, PROCESS__SIGCHLD);
3463 }
3464
3465 static void selinux_task_to_inode(struct task_struct *p,
3466                                   struct inode *inode)
3467 {
3468         struct inode_security_struct *isec = inode->i_security;
3469         u32 sid = task_sid(p);
3470
3471         isec->sid = sid;
3472         isec->initialized = 1;
3473 }
3474
3475 /* Returns error only if unable to parse addresses */
3476 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3477                         struct common_audit_data *ad, u8 *proto)
3478 {
3479         int offset, ihlen, ret = -EINVAL;
3480         struct iphdr _iph, *ih;
3481
3482         offset = skb_network_offset(skb);
3483         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3484         if (ih == NULL)
3485                 goto out;
3486
3487         ihlen = ih->ihl * 4;
3488         if (ihlen < sizeof(_iph))
3489                 goto out;
3490
3491         ad->u.net.v4info.saddr = ih->saddr;
3492         ad->u.net.v4info.daddr = ih->daddr;
3493         ret = 0;
3494
3495         if (proto)
3496                 *proto = ih->protocol;
3497
3498         switch (ih->protocol) {
3499         case IPPROTO_TCP: {
3500                 struct tcphdr _tcph, *th;
3501
3502                 if (ntohs(ih->frag_off) & IP_OFFSET)
3503                         break;
3504
3505                 offset += ihlen;
3506                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3507                 if (th == NULL)
3508                         break;
3509
3510                 ad->u.net.sport = th->source;
3511                 ad->u.net.dport = th->dest;
3512                 break;
3513         }
3514
3515         case IPPROTO_UDP: {
3516                 struct udphdr _udph, *uh;
3517
3518                 if (ntohs(ih->frag_off) & IP_OFFSET)
3519                         break;
3520
3521                 offset += ihlen;
3522                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3523                 if (uh == NULL)
3524                         break;
3525
3526                 ad->u.net.sport = uh->source;
3527                 ad->u.net.dport = uh->dest;
3528                 break;
3529         }
3530
3531         case IPPROTO_DCCP: {
3532                 struct dccp_hdr _dccph, *dh;
3533
3534                 if (ntohs(ih->frag_off) & IP_OFFSET)
3535                         break;
3536
3537                 offset += ihlen;
3538                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3539                 if (dh == NULL)
3540                         break;
3541
3542                 ad->u.net.sport = dh->dccph_sport;
3543                 ad->u.net.dport = dh->dccph_dport;
3544                 break;
3545         }
3546
3547         default:
3548                 break;
3549         }
3550 out:
3551         return ret;
3552 }
3553
3554 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3555
3556 /* Returns error only if unable to parse addresses */
3557 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3558                         struct common_audit_data *ad, u8 *proto)
3559 {
3560         u8 nexthdr;
3561         int ret = -EINVAL, offset;
3562         struct ipv6hdr _ipv6h, *ip6;
3563
3564         offset = skb_network_offset(skb);
3565         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3566         if (ip6 == NULL)
3567                 goto out;
3568
3569         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3570         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3571         ret = 0;
3572
3573         nexthdr = ip6->nexthdr;
3574         offset += sizeof(_ipv6h);
3575         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3576         if (offset < 0)
3577                 goto out;
3578
3579         if (proto)
3580                 *proto = nexthdr;
3581
3582         switch (nexthdr) {
3583         case IPPROTO_TCP: {
3584                 struct tcphdr _tcph, *th;
3585
3586                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3587                 if (th == NULL)
3588                         break;
3589
3590                 ad->u.net.sport = th->source;
3591                 ad->u.net.dport = th->dest;
3592                 break;
3593         }
3594
3595         case IPPROTO_UDP: {
3596                 struct udphdr _udph, *uh;
3597
3598                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3599                 if (uh == NULL)
3600                         break;
3601
3602                 ad->u.net.sport = uh->source;
3603                 ad->u.net.dport = uh->dest;
3604                 break;
3605         }
3606
3607         case IPPROTO_DCCP: {
3608                 struct dccp_hdr _dccph, *dh;
3609
3610                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3611                 if (dh == NULL)
3612                         break;
3613
3614                 ad->u.net.sport = dh->dccph_sport;
3615                 ad->u.net.dport = dh->dccph_dport;
3616                 break;
3617         }
3618
3619         /* includes fragments */
3620         default:
3621                 break;
3622         }
3623 out:
3624         return ret;
3625 }
3626
3627 #endif /* IPV6 */
3628
3629 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3630                              char **_addrp, int src, u8 *proto)
3631 {
3632         char *addrp;
3633         int ret;
3634
3635         switch (ad->u.net.family) {
3636         case PF_INET:
3637                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3638                 if (ret)
3639                         goto parse_error;
3640                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3641                                        &ad->u.net.v4info.daddr);
3642                 goto okay;
3643
3644 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3645         case PF_INET6:
3646                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3647                 if (ret)
3648                         goto parse_error;
3649                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3650                                        &ad->u.net.v6info.daddr);
3651                 goto okay;
3652 #endif  /* IPV6 */
3653         default:
3654                 addrp = NULL;
3655                 goto okay;
3656         }
3657
3658 parse_error:
3659         printk(KERN_WARNING
3660                "SELinux: failure in selinux_parse_skb(),"
3661                " unable to parse packet\n");
3662         return ret;
3663
3664 okay:
3665         if (_addrp)
3666                 *_addrp = addrp;
3667         return 0;
3668 }
3669
3670 /**
3671  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3672  * @skb: the packet
3673  * @family: protocol family
3674  * @sid: the packet's peer label SID
3675  *
3676  * Description:
3677  * Check the various different forms of network peer labeling and determine
3678  * the peer label/SID for the packet; most of the magic actually occurs in
3679  * the security server function security_net_peersid_cmp().  The function
3680  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3681  * or -EACCES if @sid is invalid due to inconsistencies with the different
3682  * peer labels.
3683  *
3684  */
3685 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3686 {
3687         int err;
3688         u32 xfrm_sid;
3689         u32 nlbl_sid;
3690         u32 nlbl_type;
3691
3692         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3693         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3694
3695         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3696         if (unlikely(err)) {
3697                 printk(KERN_WARNING
3698                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3699                        " unable to determine packet's peer label\n");
3700                 return -EACCES;
3701         }
3702
3703         return 0;
3704 }
3705
3706 /* socket security operations */
3707
3708 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3709                                  u16 secclass, u32 *socksid)
3710 {
3711         if (tsec->sockcreate_sid > SECSID_NULL) {
3712                 *socksid = tsec->sockcreate_sid;
3713                 return 0;
3714         }
3715
3716         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3717                                        socksid);
3718 }
3719
3720 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3721 {
3722         struct sk_security_struct *sksec = sk->sk_security;
3723         struct common_audit_data ad;
3724         u32 tsid = task_sid(task);
3725
3726         if (sksec->sid == SECINITSID_KERNEL)
3727                 return 0;
3728
3729         COMMON_AUDIT_DATA_INIT(&ad, NET);
3730         ad.u.net.sk = sk;
3731
3732         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3733 }
3734
3735 static int selinux_socket_create(int family, int type,
3736                                  int protocol, int kern)
3737 {
3738         const struct task_security_struct *tsec = current_security();
3739         u32 newsid;
3740         u16 secclass;
3741         int rc;
3742
3743         if (kern)
3744                 return 0;
3745
3746         secclass = socket_type_to_security_class(family, type, protocol);
3747         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3748         if (rc)
3749                 return rc;
3750
3751         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3752 }
3753
3754 static int selinux_socket_post_create(struct socket *sock, int family,
3755                                       int type, int protocol, int kern)
3756 {
3757         const struct task_security_struct *tsec = current_security();
3758         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3759         struct sk_security_struct *sksec;
3760         int err = 0;
3761
3762         isec->sclass = socket_type_to_security_class(family, type, protocol);
3763
3764         if (kern)
3765                 isec->sid = SECINITSID_KERNEL;
3766         else {
3767                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3768                 if (err)
3769                         return err;
3770         }
3771
3772         isec->initialized = 1;
3773
3774         if (sock->sk) {
3775                 sksec = sock->sk->sk_security;
3776                 sksec->sid = isec->sid;
3777                 sksec->sclass = isec->sclass;
3778                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3779         }
3780
3781         return err;
3782 }
3783
3784 /* Range of port numbers used to automatically bind.
3785    Need to determine whether we should perform a name_bind
3786    permission check between the socket and the port number. */
3787
3788 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3789 {
3790         struct sock *sk = sock->sk;
3791         u16 family;
3792         int err;
3793
3794         err = sock_has_perm(current, sk, SOCKET__BIND);
3795         if (err)
3796                 goto out;
3797
3798         /*
3799          * If PF_INET or PF_INET6, check name_bind permission for the port.
3800          * Multiple address binding for SCTP is not supported yet: we just
3801          * check the first address now.
3802          */
3803         family = sk->sk_family;
3804         if (family == PF_INET || family == PF_INET6) {
3805                 char *addrp;
3806                 struct sk_security_struct *sksec = sk->sk_security;
3807                 struct common_audit_data ad;
3808                 struct sockaddr_in *addr4 = NULL;
3809                 struct sockaddr_in6 *addr6 = NULL;
3810                 unsigned short snum;
3811                 u32 sid, node_perm;
3812
3813                 if (family == PF_INET) {
3814                         addr4 = (struct sockaddr_in *)address;
3815                         snum = ntohs(addr4->sin_port);
3816                         addrp = (char *)&addr4->sin_addr.s_addr;
3817                 } else {
3818                         addr6 = (struct sockaddr_in6 *)address;
3819                         snum = ntohs(addr6->sin6_port);
3820                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3821                 }
3822
3823                 if (snum) {
3824                         int low, high;
3825
3826                         inet_get_local_port_range(&low, &high);
3827
3828                         if (snum < max(PROT_SOCK, low) || snum > high) {
3829                                 err = sel_netport_sid(sk->sk_protocol,
3830                                                       snum, &sid);
3831                                 if (err)
3832                                         goto out;
3833                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3834                                 ad.u.net.sport = htons(snum);
3835                                 ad.u.net.family = family;
3836                                 err = avc_has_perm(sksec->sid, sid,
3837                                                    sksec->sclass,
3838                                                    SOCKET__NAME_BIND, &ad);
3839                                 if (err)
3840                                         goto out;
3841                         }
3842                 }
3843
3844                 switch (sksec->sclass) {
3845                 case SECCLASS_TCP_SOCKET:
3846                         node_perm = TCP_SOCKET__NODE_BIND;
3847                         break;
3848
3849                 case SECCLASS_UDP_SOCKET:
3850                         node_perm = UDP_SOCKET__NODE_BIND;
3851                         break;
3852
3853                 case SECCLASS_DCCP_SOCKET:
3854                         node_perm = DCCP_SOCKET__NODE_BIND;
3855                         break;
3856
3857                 default:
3858                         node_perm = RAWIP_SOCKET__NODE_BIND;
3859                         break;
3860                 }
3861
3862                 err = sel_netnode_sid(addrp, family, &sid);
3863                 if (err)
3864                         goto out;
3865
3866                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3867                 ad.u.net.sport = htons(snum);
3868                 ad.u.net.family = family;
3869
3870                 if (family == PF_INET)
3871                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3872                 else
3873                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3874
3875                 err = avc_has_perm(sksec->sid, sid,
3876                                    sksec->sclass, node_perm, &ad);
3877                 if (err)
3878                         goto out;
3879         }
3880 out:
3881         return err;
3882 }
3883
3884 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3885 {
3886         struct sock *sk = sock->sk;
3887         struct sk_security_struct *sksec = sk->sk_security;
3888         int err;
3889
3890         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3891         if (err)
3892                 return err;
3893
3894         /*
3895          * If a TCP or DCCP socket, check name_connect permission for the port.
3896          */
3897         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3898             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3899                 struct common_audit_data ad;
3900                 struct sockaddr_in *addr4 = NULL;
3901                 struct sockaddr_in6 *addr6 = NULL;
3902                 unsigned short snum;
3903                 u32 sid, perm;
3904
3905                 if (sk->sk_family == PF_INET) {
3906                         addr4 = (struct sockaddr_in *)address;
3907                         if (addrlen < sizeof(struct sockaddr_in))
3908                                 return -EINVAL;
3909                         snum = ntohs(addr4->sin_port);
3910                 } else {
3911                         addr6 = (struct sockaddr_in6 *)address;
3912                         if (addrlen < SIN6_LEN_RFC2133)
3913                                 return -EINVAL;
3914                         snum = ntohs(addr6->sin6_port);
3915                 }
3916
3917                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3918                 if (err)
3919                         goto out;
3920
3921                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3922                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3923
3924                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3925                 ad.u.net.dport = htons(snum);
3926                 ad.u.net.family = sk->sk_family;
3927                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3928                 if (err)
3929                         goto out;
3930         }
3931
3932         err = selinux_netlbl_socket_connect(sk, address);
3933
3934 out:
3935         return err;
3936 }
3937
3938 static int selinux_socket_listen(struct socket *sock, int backlog)
3939 {
3940         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3941 }
3942
3943 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3944 {
3945         int err;
3946         struct inode_security_struct *isec;
3947         struct inode_security_struct *newisec;
3948
3949         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3950         if (err)
3951                 return err;
3952
3953         newisec = SOCK_INODE(newsock)->i_security;
3954
3955         isec = SOCK_INODE(sock)->i_security;
3956         newisec->sclass = isec->sclass;
3957         newisec->sid = isec->sid;
3958         newisec->initialized = 1;
3959
3960         return 0;
3961 }
3962
3963 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3964                                   int size)
3965 {
3966         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3967 }
3968
3969 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3970                                   int size, int flags)
3971 {
3972         return sock_has_perm(current, sock->sk, SOCKET__READ);
3973 }
3974
3975 static int selinux_socket_getsockname(struct socket *sock)
3976 {
3977         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3978 }
3979
3980 static int selinux_socket_getpeername(struct socket *sock)
3981 {
3982         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3983 }
3984
3985 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3986 {
3987         int err;
3988
3989         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3990         if (err)
3991                 return err;
3992
3993         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3994 }
3995
3996 static int selinux_socket_getsockopt(struct socket *sock, int level,
3997                                      int optname)
3998 {
3999         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4000 }
4001
4002 static int selinux_socket_shutdown(struct socket *sock, int how)
4003 {
4004         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4005 }
4006
4007 static int selinux_socket_unix_stream_connect(struct sock *sock,
4008                                               struct sock *other,
4009                                               struct sock *newsk)
4010 {
4011         struct sk_security_struct *sksec_sock = sock->sk_security;
4012         struct sk_security_struct *sksec_other = other->sk_security;
4013         struct sk_security_struct *sksec_new = newsk->sk_security;
4014         struct common_audit_data ad;
4015         int err;
4016
4017         COMMON_AUDIT_DATA_INIT(&ad, NET);
4018         ad.u.net.sk = other;
4019
4020         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4021                            sksec_other->sclass,
4022                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4023         if (err)
4024                 return err;
4025
4026         /* server child socket */
4027         sksec_new->peer_sid = sksec_sock->sid;
4028         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4029                                     &sksec_new->sid);
4030         if (err)
4031                 return err;
4032
4033         /* connecting socket */
4034         sksec_sock->peer_sid = sksec_new->sid;
4035
4036         return 0;
4037 }
4038
4039 static int selinux_socket_unix_may_send(struct socket *sock,
4040                                         struct socket *other)
4041 {
4042         struct sk_security_struct *ssec = sock->sk->sk_security;
4043         struct sk_security_struct *osec = other->sk->sk_security;
4044         struct common_audit_data ad;
4045
4046         COMMON_AUDIT_DATA_INIT(&ad, NET);
4047         ad.u.net.sk = other->sk;
4048
4049         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4050                             &ad);
4051 }
4052
4053 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4054                                     u32 peer_sid,
4055                                     struct common_audit_data *ad)
4056 {
4057         int err;
4058         u32 if_sid;
4059         u32 node_sid;
4060
4061         err = sel_netif_sid(ifindex, &if_sid);
4062         if (err)
4063                 return err;
4064         err = avc_has_perm(peer_sid, if_sid,
4065                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4066         if (err)
4067                 return err;
4068
4069         err = sel_netnode_sid(addrp, family, &node_sid);
4070         if (err)
4071                 return err;
4072         return avc_has_perm(peer_sid, node_sid,
4073                             SECCLASS_NODE, NODE__RECVFROM, ad);
4074 }
4075
4076 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4077                                        u16 family)
4078 {
4079         int err = 0;
4080         struct sk_security_struct *sksec = sk->sk_security;
4081         u32 sk_sid = sksec->sid;
4082         struct common_audit_data ad;
4083         char *addrp;
4084
4085         COMMON_AUDIT_DATA_INIT(&ad, NET);
4086         ad.u.net.netif = skb->skb_iif;
4087         ad.u.net.family = family;
4088         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4089         if (err)
4090                 return err;
4091
4092         if (selinux_secmark_enabled()) {
4093                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4094                                    PACKET__RECV, &ad);
4095                 if (err)
4096                         return err;
4097         }
4098
4099         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4100         if (err)
4101                 return err;
4102         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4103
4104         return err;
4105 }
4106
4107 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4108 {
4109         int err;
4110         struct sk_security_struct *sksec = sk->sk_security;
4111         u16 family = sk->sk_family;
4112         u32 sk_sid = sksec->sid;
4113         struct common_audit_data ad;
4114         char *addrp;
4115         u8 secmark_active;
4116         u8 peerlbl_active;
4117
4118         if (family != PF_INET && family != PF_INET6)
4119                 return 0;
4120
4121         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4122         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4123                 family = PF_INET;
4124
4125         /* If any sort of compatibility mode is enabled then handoff processing
4126          * to the selinux_sock_rcv_skb_compat() function to deal with the
4127          * special handling.  We do this in an attempt to keep this function
4128          * as fast and as clean as possible. */
4129         if (!selinux_policycap_netpeer)
4130                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4131
4132         secmark_active = selinux_secmark_enabled();
4133         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4134         if (!secmark_active && !peerlbl_active)
4135                 return 0;
4136
4137         COMMON_AUDIT_DATA_INIT(&ad, NET);
4138         ad.u.net.netif = skb->skb_iif;
4139         ad.u.net.family = family;
4140         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4141         if (err)
4142                 return err;
4143
4144         if (peerlbl_active) {
4145                 u32 peer_sid;
4146
4147                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4148                 if (err)
4149                         return err;
4150                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4151                                                peer_sid, &ad);
4152                 if (err) {
4153                         selinux_netlbl_err(skb, err, 0);
4154                         return err;
4155                 }
4156                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4157                                    PEER__RECV, &ad);
4158                 if (err)
4159                         selinux_netlbl_err(skb, err, 0);
4160         }
4161
4162         if (secmark_active) {
4163                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4164                                    PACKET__RECV, &ad);
4165                 if (err)
4166                         return err;
4167         }
4168
4169         return err;
4170 }
4171
4172 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4173                                             int __user *optlen, unsigned len)
4174 {
4175         int err = 0;
4176         char *scontext;
4177         u32 scontext_len;
4178         struct sk_security_struct *sksec = sock->sk->sk_security;
4179         u32 peer_sid = SECSID_NULL;
4180
4181         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4182             sksec->sclass == SECCLASS_TCP_SOCKET)
4183                 peer_sid = sksec->peer_sid;
4184         if (peer_sid == SECSID_NULL)
4185                 return -ENOPROTOOPT;
4186
4187         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4188         if (err)
4189                 return err;
4190
4191         if (scontext_len > len) {
4192                 err = -ERANGE;
4193                 goto out_len;
4194         }
4195
4196         if (copy_to_user(optval, scontext, scontext_len))
4197                 err = -EFAULT;
4198
4199 out_len:
4200         if (put_user(scontext_len, optlen))
4201                 err = -EFAULT;
4202         kfree(scontext);
4203         return err;
4204 }
4205
4206 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4207 {
4208         u32 peer_secid = SECSID_NULL;
4209         u16 family;
4210
4211         if (skb && skb->protocol == htons(ETH_P_IP))
4212                 family = PF_INET;
4213         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4214                 family = PF_INET6;
4215         else if (sock)
4216                 family = sock->sk->sk_family;
4217         else
4218                 goto out;
4219
4220         if (sock && family == PF_UNIX)
4221                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4222         else if (skb)
4223                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4224
4225 out:
4226         *secid = peer_secid;
4227         if (peer_secid == SECSID_NULL)
4228                 return -EINVAL;
4229         return 0;
4230 }
4231
4232 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4233 {
4234         struct sk_security_struct *sksec;
4235
4236         sksec = kzalloc(sizeof(*sksec), priority);
4237         if (!sksec)
4238                 return -ENOMEM;
4239
4240         sksec->peer_sid = SECINITSID_UNLABELED;
4241         sksec->sid = SECINITSID_UNLABELED;
4242         selinux_netlbl_sk_security_reset(sksec);
4243         sk->sk_security = sksec;
4244
4245         return 0;
4246 }
4247
4248 static void selinux_sk_free_security(struct sock *sk)
4249 {
4250         struct sk_security_struct *sksec = sk->sk_security;
4251
4252         sk->sk_security = NULL;
4253         selinux_netlbl_sk_security_free(sksec);
4254         kfree(sksec);
4255 }
4256
4257 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4258 {
4259         struct sk_security_struct *sksec = sk->sk_security;
4260         struct sk_security_struct *newsksec = newsk->sk_security;
4261
4262         newsksec->sid = sksec->sid;
4263         newsksec->peer_sid = sksec->peer_sid;
4264         newsksec->sclass = sksec->sclass;
4265
4266         selinux_netlbl_sk_security_reset(newsksec);
4267 }
4268
4269 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4270 {
4271         if (!sk)
4272                 *secid = SECINITSID_ANY_SOCKET;
4273         else {
4274                 struct sk_security_struct *sksec = sk->sk_security;
4275
4276                 *secid = sksec->sid;
4277         }
4278 }
4279
4280 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4281 {
4282         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4283         struct sk_security_struct *sksec = sk->sk_security;
4284
4285         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4286             sk->sk_family == PF_UNIX)
4287                 isec->sid = sksec->sid;
4288         sksec->sclass = isec->sclass;
4289 }
4290
4291 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4292                                      struct request_sock *req)
4293 {
4294         struct sk_security_struct *sksec = sk->sk_security;
4295         int err;
4296         u16 family = sk->sk_family;
4297         u32 newsid;
4298         u32 peersid;
4299
4300         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4301         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4302                 family = PF_INET;
4303
4304         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4305         if (err)
4306                 return err;
4307         if (peersid == SECSID_NULL) {
4308                 req->secid = sksec->sid;
4309                 req->peer_secid = SECSID_NULL;
4310         } else {
4311                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4312                 if (err)
4313                         return err;
4314                 req->secid = newsid;
4315                 req->peer_secid = peersid;
4316         }
4317
4318         return selinux_netlbl_inet_conn_request(req, family);
4319 }
4320
4321 static void selinux_inet_csk_clone(struct sock *newsk,
4322                                    const struct request_sock *req)
4323 {
4324         struct sk_security_struct *newsksec = newsk->sk_security;
4325
4326         newsksec->sid = req->secid;
4327         newsksec->peer_sid = req->peer_secid;
4328         /* NOTE: Ideally, we should also get the isec->sid for the
4329            new socket in sync, but we don't have the isec available yet.
4330            So we will wait until sock_graft to do it, by which
4331            time it will have been created and available. */
4332
4333         /* We don't need to take any sort of lock here as we are the only
4334          * thread with access to newsksec */
4335         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4336 }
4337
4338 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4339 {
4340         u16 family = sk->sk_family;
4341         struct sk_security_struct *sksec = sk->sk_security;
4342
4343         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4344         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4345                 family = PF_INET;
4346
4347         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4348 }
4349
4350 static int selinux_secmark_relabel_packet(u32 sid)
4351 {
4352         const struct task_security_struct *__tsec;
4353         u32 tsid;
4354
4355         __tsec = current_security();
4356         tsid = __tsec->sid;
4357
4358         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4359 }
4360
4361 static void selinux_secmark_refcount_inc(void)
4362 {
4363         atomic_inc(&selinux_secmark_refcount);
4364 }
4365
4366 static void selinux_secmark_refcount_dec(void)
4367 {
4368         atomic_dec(&selinux_secmark_refcount);
4369 }
4370
4371 static void selinux_req_classify_flow(const struct request_sock *req,
4372                                       struct flowi *fl)
4373 {
4374         fl->flowi_secid = req->secid;
4375 }
4376
4377 static int selinux_tun_dev_create(void)
4378 {
4379         u32 sid = current_sid();
4380
4381         /* we aren't taking into account the "sockcreate" SID since the socket
4382          * that is being created here is not a socket in the traditional sense,
4383          * instead it is a private sock, accessible only to the kernel, and
4384          * representing a wide range of network traffic spanning multiple
4385          * connections unlike traditional sockets - check the TUN driver to
4386          * get a better understanding of why this socket is special */
4387
4388         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4389                             NULL);
4390 }
4391
4392 static void selinux_tun_dev_post_create(struct sock *sk)
4393 {
4394         struct sk_security_struct *sksec = sk->sk_security;
4395
4396         /* we don't currently perform any NetLabel based labeling here and it
4397          * isn't clear that we would want to do so anyway; while we could apply
4398          * labeling without the support of the TUN user the resulting labeled
4399          * traffic from the other end of the connection would almost certainly
4400          * cause confusion to the TUN user that had no idea network labeling
4401          * protocols were being used */
4402
4403         /* see the comments in selinux_tun_dev_create() about why we don't use
4404          * the sockcreate SID here */
4405
4406         sksec->sid = current_sid();
4407         sksec->sclass = SECCLASS_TUN_SOCKET;
4408 }
4409
4410 static int selinux_tun_dev_attach(struct sock *sk)
4411 {
4412         struct sk_security_struct *sksec = sk->sk_security;
4413         u32 sid = current_sid();
4414         int err;
4415
4416         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4417                            TUN_SOCKET__RELABELFROM, NULL);
4418         if (err)
4419                 return err;
4420         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4421                            TUN_SOCKET__RELABELTO, NULL);
4422         if (err)
4423                 return err;
4424
4425         sksec->sid = sid;
4426
4427         return 0;
4428 }
4429
4430 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4431 {
4432         int err = 0;
4433         u32 perm;
4434         struct nlmsghdr *nlh;
4435         struct sk_security_struct *sksec = sk->sk_security;
4436
4437         if (skb->len < NLMSG_SPACE(0)) {
4438                 err = -EINVAL;
4439                 goto out;
4440         }
4441         nlh = nlmsg_hdr(skb);
4442
4443         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4444         if (err) {
4445                 if (err == -EINVAL) {
4446                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4447                                   "SELinux:  unrecognized netlink message"
4448                                   " type=%hu for sclass=%hu\n",
4449                                   nlh->nlmsg_type, sksec->sclass);
4450                         if (!selinux_enforcing || security_get_allow_unknown())
4451                                 err = 0;
4452                 }
4453
4454                 /* Ignore */
4455                 if (err == -ENOENT)
4456                         err = 0;
4457                 goto out;
4458         }
4459
4460         err = sock_has_perm(current, sk, perm);
4461 out:
4462         return err;
4463 }
4464
4465 #ifdef CONFIG_NETFILTER
4466
4467 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4468                                        u16 family)
4469 {
4470         int err;
4471         char *addrp;
4472         u32 peer_sid;
4473         struct common_audit_data ad;
4474         u8 secmark_active;
4475         u8 netlbl_active;
4476         u8 peerlbl_active;
4477
4478         if (!selinux_policycap_netpeer)
4479                 return NF_ACCEPT;
4480
4481         secmark_active = selinux_secmark_enabled();
4482         netlbl_active = netlbl_enabled();
4483         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4484         if (!secmark_active && !peerlbl_active)
4485                 return NF_ACCEPT;
4486
4487         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4488                 return NF_DROP;
4489
4490         COMMON_AUDIT_DATA_INIT(&ad, NET);
4491         ad.u.net.netif = ifindex;
4492         ad.u.net.family = family;
4493         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4494                 return NF_DROP;
4495
4496         if (peerlbl_active) {
4497                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4498                                                peer_sid, &ad);
4499                 if (err) {
4500                         selinux_netlbl_err(skb, err, 1);
4501                         return NF_DROP;
4502                 }
4503         }
4504
4505         if (secmark_active)
4506                 if (avc_has_perm(peer_sid, skb->secmark,
4507                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4508                         return NF_DROP;
4509
4510         if (netlbl_active)
4511                 /* we do this in the FORWARD path and not the POST_ROUTING
4512                  * path because we want to make sure we apply the necessary
4513                  * labeling before IPsec is applied so we can leverage AH
4514                  * protection */
4515                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4516                         return NF_DROP;
4517
4518         return NF_ACCEPT;
4519 }
4520
4521 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4522                                          struct sk_buff *skb,
4523                                          const struct net_device *in,
4524                                          const struct net_device *out,
4525                                          int (*okfn)(struct sk_buff *))
4526 {
4527         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4528 }
4529
4530 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4531 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4532                                          struct sk_buff *skb,
4533                                          const struct net_device *in,
4534                                          const struct net_device *out,
4535                                          int (*okfn)(struct sk_buff *))
4536 {
4537         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4538 }
4539 #endif  /* IPV6 */
4540
4541 static unsigned int selinux_ip_output(struct sk_buff *skb,
4542                                       u16 family)
4543 {
4544         u32 sid;
4545
4546         if (!netlbl_enabled())
4547                 return NF_ACCEPT;
4548
4549         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4550          * because we want to make sure we apply the necessary labeling
4551          * before IPsec is applied so we can leverage AH protection */
4552         if (skb->sk) {
4553                 struct sk_security_struct *sksec = skb->sk->sk_security;
4554                 sid = sksec->sid;
4555         } else
4556                 sid = SECINITSID_KERNEL;
4557         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4558                 return NF_DROP;
4559
4560         return NF_ACCEPT;
4561 }
4562
4563 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4564                                         struct sk_buff *skb,
4565                                         const struct net_device *in,
4566                                         const struct net_device *out,
4567                                         int (*okfn)(struct sk_buff *))
4568 {
4569         return selinux_ip_output(skb, PF_INET);
4570 }
4571
4572 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4573                                                 int ifindex,
4574                                                 u16 family)
4575 {
4576         struct sock *sk = skb->sk;
4577         struct sk_security_struct *sksec;
4578         struct common_audit_data ad;
4579         char *addrp;
4580         u8 proto;
4581
4582         if (sk == NULL)
4583                 return NF_ACCEPT;
4584         sksec = sk->sk_security;
4585
4586         COMMON_AUDIT_DATA_INIT(&ad, NET);
4587         ad.u.net.netif = ifindex;
4588         ad.u.net.family = family;
4589         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4590                 return NF_DROP;
4591
4592         if (selinux_secmark_enabled())
4593                 if (avc_has_perm(sksec->sid, skb->secmark,
4594                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4595                         return NF_DROP_ERR(-ECONNREFUSED);
4596
4597         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4598                 return NF_DROP_ERR(-ECONNREFUSED);
4599
4600         return NF_ACCEPT;
4601 }
4602
4603 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4604                                          u16 family)
4605 {
4606         u32 secmark_perm;
4607         u32 peer_sid;
4608         struct sock *sk;
4609         struct common_audit_data ad;
4610         char *addrp;
4611         u8 secmark_active;
4612         u8 peerlbl_active;
4613
4614         /* If any sort of compatibility mode is enabled then handoff processing
4615          * to the selinux_ip_postroute_compat() function to deal with the
4616          * special handling.  We do this in an attempt to keep this function
4617          * as fast and as clean as possible. */
4618         if (!selinux_policycap_netpeer)
4619                 return selinux_ip_postroute_compat(skb, ifindex, family);
4620 #ifdef CONFIG_XFRM
4621         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4622          * packet transformation so allow the packet to pass without any checks
4623          * since we'll have another chance to perform access control checks
4624          * when the packet is on it's final way out.
4625          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4626          *       is NULL, in this case go ahead and apply access control. */
4627         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4628                 return NF_ACCEPT;
4629 #endif
4630         secmark_active = selinux_secmark_enabled();
4631         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4632         if (!secmark_active && !peerlbl_active)
4633                 return NF_ACCEPT;
4634
4635         /* if the packet is being forwarded then get the peer label from the
4636          * packet itself; otherwise check to see if it is from a local
4637          * application or the kernel, if from an application get the peer label
4638          * from the sending socket, otherwise use the kernel's sid */
4639         sk = skb->sk;
4640         if (sk == NULL) {
4641                 if (skb->skb_iif) {
4642                         secmark_perm = PACKET__FORWARD_OUT;
4643                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4644                                 return NF_DROP;
4645                 } else {
4646                         secmark_perm = PACKET__SEND;
4647                         peer_sid = SECINITSID_KERNEL;
4648                 }
4649         } else {
4650                 struct sk_security_struct *sksec = sk->sk_security;
4651                 peer_sid = sksec->sid;
4652                 secmark_perm = PACKET__SEND;
4653         }
4654
4655         COMMON_AUDIT_DATA_INIT(&ad, NET);
4656         ad.u.net.netif = ifindex;
4657         ad.u.net.family = family;
4658         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4659                 return NF_DROP;
4660
4661         if (secmark_active)
4662                 if (avc_has_perm(peer_sid, skb->secmark,
4663                                  SECCLASS_PACKET, secmark_perm, &ad))
4664                         return NF_DROP_ERR(-ECONNREFUSED);
4665
4666         if (peerlbl_active) {
4667                 u32 if_sid;
4668                 u32 node_sid;
4669
4670                 if (sel_netif_sid(ifindex, &if_sid))
4671                         return NF_DROP;
4672                 if (avc_has_perm(peer_sid, if_sid,
4673                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4674                         return NF_DROP_ERR(-ECONNREFUSED);
4675
4676                 if (sel_netnode_sid(addrp, family, &node_sid))
4677                         return NF_DROP;
4678                 if (avc_has_perm(peer_sid, node_sid,
4679                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4680                         return NF_DROP_ERR(-ECONNREFUSED);
4681         }
4682
4683         return NF_ACCEPT;
4684 }
4685
4686 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4687                                            struct sk_buff *skb,
4688                                            const struct net_device *in,
4689                                            const struct net_device *out,
4690                                            int (*okfn)(struct sk_buff *))
4691 {
4692         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4693 }
4694
4695 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4696 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4697                                            struct sk_buff *skb,
4698                                            const struct net_device *in,
4699                                            const struct net_device *out,
4700                                            int (*okfn)(struct sk_buff *))
4701 {
4702         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4703 }
4704 #endif  /* IPV6 */
4705
4706 #endif  /* CONFIG_NETFILTER */
4707
4708 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4709 {
4710         int err;
4711
4712         err = cap_netlink_send(sk, skb);
4713         if (err)
4714                 return err;
4715
4716         return selinux_nlmsg_perm(sk, skb);
4717 }
4718
4719 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4720 {
4721         int err;
4722         struct common_audit_data ad;
4723         u32 sid;
4724
4725         err = cap_netlink_recv(skb, capability);
4726         if (err)
4727                 return err;
4728
4729         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4730         ad.u.cap = capability;
4731
4732         security_task_getsecid(current, &sid);
4733         return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4734                             CAP_TO_MASK(capability), &ad);
4735 }
4736
4737 static int ipc_alloc_security(struct task_struct *task,
4738                               struct kern_ipc_perm *perm,
4739                               u16 sclass)
4740 {
4741         struct ipc_security_struct *isec;
4742         u32 sid;
4743
4744         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4745         if (!isec)
4746                 return -ENOMEM;
4747
4748         sid = task_sid(task);
4749         isec->sclass = sclass;
4750         isec->sid = sid;
4751         perm->security = isec;
4752
4753         return 0;
4754 }
4755
4756 static void ipc_free_security(struct kern_ipc_perm *perm)
4757 {
4758         struct ipc_security_struct *isec = perm->security;
4759         perm->security = NULL;
4760         kfree(isec);
4761 }
4762
4763 static int msg_msg_alloc_security(struct msg_msg *msg)
4764 {
4765         struct msg_security_struct *msec;
4766
4767         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4768         if (!msec)
4769                 return -ENOMEM;
4770
4771         msec->sid = SECINITSID_UNLABELED;
4772         msg->security = msec;
4773
4774         return 0;
4775 }
4776
4777 static void msg_msg_free_security(struct msg_msg *msg)
4778 {
4779         struct msg_security_struct *msec = msg->security;
4780
4781         msg->security = NULL;
4782         kfree(msec);
4783 }
4784
4785 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4786                         u32 perms)
4787 {
4788         struct ipc_security_struct *isec;
4789         struct common_audit_data ad;
4790         u32 sid = current_sid();
4791
4792         isec = ipc_perms->security;
4793
4794         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4795         ad.u.ipc_id = ipc_perms->key;
4796
4797         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4798 }
4799
4800 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4801 {
4802         return msg_msg_alloc_security(msg);
4803 }
4804
4805 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4806 {
4807         msg_msg_free_security(msg);
4808 }
4809
4810 /* message queue security operations */
4811 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4812 {
4813         struct ipc_security_struct *isec;
4814         struct common_audit_data ad;
4815         u32 sid = current_sid();
4816         int rc;
4817
4818         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4819         if (rc)
4820                 return rc;
4821
4822         isec = msq->q_perm.security;
4823
4824         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4825         ad.u.ipc_id = msq->q_perm.key;
4826
4827         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4828                           MSGQ__CREATE, &ad);
4829         if (rc) {
4830                 ipc_free_security(&msq->q_perm);
4831                 return rc;
4832         }
4833         return 0;
4834 }
4835
4836 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4837 {
4838         ipc_free_security(&msq->q_perm);
4839 }
4840
4841 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4842 {
4843         struct ipc_security_struct *isec;
4844         struct common_audit_data ad;
4845         u32 sid = current_sid();
4846
4847         isec = msq->q_perm.security;
4848
4849         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4850         ad.u.ipc_id = msq->q_perm.key;
4851
4852         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4853                             MSGQ__ASSOCIATE, &ad);
4854 }
4855
4856 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4857 {
4858         int err;
4859         int perms;
4860
4861         switch (cmd) {
4862         case IPC_INFO:
4863         case MSG_INFO:
4864                 /* No specific object, just general system-wide information. */
4865                 return task_has_system(current, SYSTEM__IPC_INFO);
4866         case IPC_STAT:
4867         case MSG_STAT:
4868                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4869                 break;
4870         case IPC_SET:
4871                 perms = MSGQ__SETATTR;
4872                 break;
4873         case IPC_RMID:
4874                 perms = MSGQ__DESTROY;
4875                 break;
4876         default:
4877                 return 0;
4878         }
4879
4880         err = ipc_has_perm(&msq->q_perm, perms);
4881         return err;
4882 }
4883
4884 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4885 {
4886         struct ipc_security_struct *isec;
4887         struct msg_security_struct *msec;
4888         struct common_audit_data ad;
4889         u32 sid = current_sid();
4890         int rc;
4891
4892         isec = msq->q_perm.security;
4893         msec = msg->security;
4894
4895         /*
4896          * First time through, need to assign label to the message
4897          */
4898         if (msec->sid == SECINITSID_UNLABELED) {
4899                 /*
4900                  * Compute new sid based on current process and
4901                  * message queue this message will be stored in
4902                  */
4903                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4904                                              NULL, &msec->sid);
4905                 if (rc)
4906                         return rc;
4907         }
4908
4909         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4910         ad.u.ipc_id = msq->q_perm.key;
4911
4912         /* Can this process write to the queue? */
4913         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4914                           MSGQ__WRITE, &ad);
4915         if (!rc)
4916                 /* Can this process send the message */
4917                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4918                                   MSG__SEND, &ad);
4919         if (!rc)
4920                 /* Can the message be put in the queue? */
4921                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4922                                   MSGQ__ENQUEUE, &ad);
4923
4924         return rc;
4925 }
4926
4927 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4928                                     struct task_struct *target,
4929                                     long type, int mode)
4930 {
4931         struct ipc_security_struct *isec;
4932         struct msg_security_struct *msec;
4933         struct common_audit_data ad;
4934         u32 sid = task_sid(target);
4935         int rc;
4936
4937         isec = msq->q_perm.security;
4938         msec = msg->security;
4939
4940         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4941         ad.u.ipc_id = msq->q_perm.key;
4942
4943         rc = avc_has_perm(sid, isec->sid,
4944                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4945         if (!rc)
4946                 rc = avc_has_perm(sid, msec->sid,
4947                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4948         return rc;
4949 }
4950
4951 /* Shared Memory security operations */
4952 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4953 {
4954         struct ipc_security_struct *isec;
4955         struct common_audit_data ad;
4956         u32 sid = current_sid();
4957         int rc;
4958
4959         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4960         if (rc)
4961                 return rc;
4962
4963         isec = shp->shm_perm.security;
4964
4965         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4966         ad.u.ipc_id = shp->shm_perm.key;
4967
4968         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4969                           SHM__CREATE, &ad);
4970         if (rc) {
4971                 ipc_free_security(&shp->shm_perm);
4972                 return rc;
4973         }
4974         return 0;
4975 }
4976
4977 static void selinux_shm_free_security(struct shmid_kernel *shp)
4978 {
4979         ipc_free_security(&shp->shm_perm);
4980 }
4981
4982 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4983 {
4984         struct ipc_security_struct *isec;
4985         struct common_audit_data ad;
4986         u32 sid = current_sid();
4987
4988         isec = shp->shm_perm.security;
4989
4990         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4991         ad.u.ipc_id = shp->shm_perm.key;
4992
4993         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4994                             SHM__ASSOCIATE, &ad);
4995 }
4996
4997 /* Note, at this point, shp is locked down */
4998 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4999 {
5000         int perms;
5001         int err;
5002
5003         switch (cmd) {
5004         case IPC_INFO:
5005         case SHM_INFO:
5006                 /* No specific object, just general system-wide information. */
5007                 return task_has_system(current, SYSTEM__IPC_INFO);
5008         case IPC_STAT:
5009         case SHM_STAT:
5010                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5011                 break;
5012         case IPC_SET:
5013                 perms = SHM__SETATTR;
5014                 break;
5015         case SHM_LOCK:
5016         case SHM_UNLOCK:
5017                 perms = SHM__LOCK;
5018                 break;
5019         case IPC_RMID:
5020                 perms = SHM__DESTROY;
5021                 break;
5022         default:
5023                 return 0;
5024         }
5025
5026         err = ipc_has_perm(&shp->shm_perm, perms);
5027         return err;
5028 }
5029
5030 static int selinux_shm_shmat(struct shmid_kernel *shp,
5031                              char __user *shmaddr, int shmflg)
5032 {
5033         u32 perms;
5034
5035         if (shmflg & SHM_RDONLY)
5036                 perms = SHM__READ;
5037         else
5038                 perms = SHM__READ | SHM__WRITE;
5039
5040         return ipc_has_perm(&shp->shm_perm, perms);
5041 }
5042
5043 /* Semaphore security operations */
5044 static int selinux_sem_alloc_security(struct sem_array *sma)
5045 {
5046         struct ipc_security_struct *isec;
5047         struct common_audit_data ad;
5048         u32 sid = current_sid();
5049         int rc;
5050
5051         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5052         if (rc)
5053                 return rc;
5054
5055         isec = sma->sem_perm.security;
5056
5057         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5058         ad.u.ipc_id = sma->sem_perm.key;
5059
5060         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5061                           SEM__CREATE, &ad);
5062         if (rc) {
5063                 ipc_free_security(&sma->sem_perm);
5064                 return rc;
5065         }
5066         return 0;
5067 }
5068
5069 static void selinux_sem_free_security(struct sem_array *sma)
5070 {
5071         ipc_free_security(&sma->sem_perm);
5072 }
5073
5074 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5075 {
5076         struct ipc_security_struct *isec;
5077         struct common_audit_data ad;
5078         u32 sid = current_sid();
5079
5080         isec = sma->sem_perm.security;
5081
5082         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5083         ad.u.ipc_id = sma->sem_perm.key;
5084
5085         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5086                             SEM__ASSOCIATE, &ad);
5087 }
5088
5089 /* Note, at this point, sma is locked down */
5090 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5091 {
5092         int err;
5093         u32 perms;
5094
5095         switch (cmd) {
5096         case IPC_INFO:
5097         case SEM_INFO:
5098                 /* No specific object, just general system-wide information. */
5099                 return task_has_system(current, SYSTEM__IPC_INFO);
5100         case GETPID:
5101         case GETNCNT:
5102         case GETZCNT:
5103                 perms = SEM__GETATTR;
5104                 break;
5105         case GETVAL:
5106         case GETALL:
5107                 perms = SEM__READ;
5108                 break;
5109         case SETVAL:
5110         case SETALL:
5111                 perms = SEM__WRITE;
5112                 break;
5113         case IPC_RMID:
5114                 perms = SEM__DESTROY;
5115                 break;
5116         case IPC_SET:
5117                 perms = SEM__SETATTR;
5118                 break;
5119         case IPC_STAT:
5120         case SEM_STAT:
5121                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5122                 break;
5123         default:
5124                 return 0;
5125         }
5126
5127         err = ipc_has_perm(&sma->sem_perm, perms);
5128         return err;
5129 }
5130
5131 static int selinux_sem_semop(struct sem_array *sma,
5132                              struct sembuf *sops, unsigned nsops, int alter)
5133 {
5134         u32 perms;
5135
5136         if (alter)
5137                 perms = SEM__READ | SEM__WRITE;
5138         else
5139                 perms = SEM__READ;
5140
5141         return ipc_has_perm(&sma->sem_perm, perms);
5142 }
5143
5144 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5145 {
5146         u32 av = 0;
5147
5148         av = 0;
5149         if (flag & S_IRUGO)
5150                 av |= IPC__UNIX_READ;
5151         if (flag & S_IWUGO)
5152                 av |= IPC__UNIX_WRITE;
5153
5154         if (av == 0)
5155                 return 0;
5156
5157         return ipc_has_perm(ipcp, av);
5158 }
5159
5160 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5161 {
5162         struct ipc_security_struct *isec = ipcp->security;
5163         *secid = isec->sid;
5164 }
5165
5166 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5167 {
5168         if (inode)
5169                 inode_doinit_with_dentry(inode, dentry);
5170 }
5171
5172 static int selinux_getprocattr(struct task_struct *p,
5173                                char *name, char **value)
5174 {
5175         const struct task_security_struct *__tsec;
5176         u32 sid;
5177         int error;
5178         unsigned len;
5179
5180         if (current != p) {
5181                 error = current_has_perm(p, PROCESS__GETATTR);
5182                 if (error)
5183                         return error;
5184         }
5185
5186         rcu_read_lock();
5187         __tsec = __task_cred(p)->security;
5188
5189         if (!strcmp(name, "current"))
5190                 sid = __tsec->sid;
5191         else if (!strcmp(name, "prev"))
5192                 sid = __tsec->osid;
5193         else if (!strcmp(name, "exec"))
5194                 sid = __tsec->exec_sid;
5195         else if (!strcmp(name, "fscreate"))
5196                 sid = __tsec->create_sid;
5197         else if (!strcmp(name, "keycreate"))
5198                 sid = __tsec->keycreate_sid;
5199         else if (!strcmp(name, "sockcreate"))
5200                 sid = __tsec->sockcreate_sid;
5201         else
5202                 goto invalid;
5203         rcu_read_unlock();
5204
5205         if (!sid)
5206                 return 0;
5207
5208         error = security_sid_to_context(sid, value, &len);
5209         if (error)
5210                 return error;
5211         return len;
5212
5213 invalid:
5214         rcu_read_unlock();
5215         return -EINVAL;
5216 }
5217
5218 static int selinux_setprocattr(struct task_struct *p,
5219                                char *name, void *value, size_t size)
5220 {
5221         struct task_security_struct *tsec;
5222         struct task_struct *tracer;
5223         struct cred *new;
5224         u32 sid = 0, ptsid;
5225         int error;
5226         char *str = value;
5227
5228         if (current != p) {
5229                 /* SELinux only allows a process to change its own
5230                    security attributes. */
5231                 return -EACCES;
5232         }
5233
5234         /*
5235          * Basic control over ability to set these attributes at all.
5236          * current == p, but we'll pass them separately in case the
5237          * above restriction is ever removed.
5238          */
5239         if (!strcmp(name, "exec"))
5240                 error = current_has_perm(p, PROCESS__SETEXEC);
5241         else if (!strcmp(name, "fscreate"))
5242                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5243         else if (!strcmp(name, "keycreate"))
5244                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5245         else if (!strcmp(name, "sockcreate"))
5246                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5247         else if (!strcmp(name, "current"))
5248                 error = current_has_perm(p, PROCESS__SETCURRENT);
5249         else
5250                 error = -EINVAL;
5251         if (error)
5252                 return error;
5253
5254         /* Obtain a SID for the context, if one was specified. */
5255         if (size && str[1] && str[1] != '\n') {
5256                 if (str[size-1] == '\n') {
5257                         str[size-1] = 0;
5258                         size--;
5259                 }
5260                 error = security_context_to_sid(value, size, &sid);
5261                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5262                         if (!capable(CAP_MAC_ADMIN))
5263                                 return error;
5264                         error = security_context_to_sid_force(value, size,
5265                                                               &sid);
5266                 }
5267                 if (error)
5268                         return error;
5269         }
5270
5271         new = prepare_creds();
5272         if (!new)
5273                 return -ENOMEM;
5274
5275         /* Permission checking based on the specified context is
5276            performed during the actual operation (execve,
5277            open/mkdir/...), when we know the full context of the
5278            operation.  See selinux_bprm_set_creds for the execve
5279            checks and may_create for the file creation checks. The
5280            operation will then fail if the context is not permitted. */
5281         tsec = new->security;
5282         if (!strcmp(name, "exec")) {
5283                 tsec->exec_sid = sid;
5284         } else if (!strcmp(name, "fscreate")) {
5285                 tsec->create_sid = sid;
5286         } else if (!strcmp(name, "keycreate")) {
5287                 error = may_create_key(sid, p);
5288                 if (error)
5289                         goto abort_change;
5290                 tsec->keycreate_sid = sid;
5291         } else if (!strcmp(name, "sockcreate")) {
5292                 tsec->sockcreate_sid = sid;
5293         } else if (!strcmp(name, "current")) {
5294                 error = -EINVAL;
5295                 if (sid == 0)
5296                         goto abort_change;
5297
5298                 /* Only allow single threaded processes to change context */
5299                 error = -EPERM;
5300                 if (!current_is_single_threaded()) {
5301                         error = security_bounded_transition(tsec->sid, sid);
5302                         if (error)
5303                                 goto abort_change;
5304                 }
5305
5306                 /* Check permissions for the transition. */
5307                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5308                                      PROCESS__DYNTRANSITION, NULL);
5309                 if (error)
5310                         goto abort_change;
5311
5312                 /* Check for ptracing, and update the task SID if ok.
5313                    Otherwise, leave SID unchanged and fail. */
5314                 ptsid = 0;
5315                 task_lock(p);
5316                 tracer = ptrace_parent(p);
5317                 if (tracer)
5318                         ptsid = task_sid(tracer);
5319                 task_unlock(p);
5320
5321                 if (tracer) {
5322                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5323                                              PROCESS__PTRACE, NULL);
5324                         if (error)
5325                                 goto abort_change;
5326                 }
5327
5328                 tsec->sid = sid;
5329         } else {
5330                 error = -EINVAL;
5331                 goto abort_change;
5332         }
5333
5334         commit_creds(new);
5335         return size;
5336
5337 abort_change:
5338         abort_creds(new);
5339         return error;
5340 }
5341
5342 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5343 {
5344         return security_sid_to_context(secid, secdata, seclen);
5345 }
5346
5347 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5348 {
5349         return security_context_to_sid(secdata, seclen, secid);
5350 }
5351
5352 static void selinux_release_secctx(char *secdata, u32 seclen)
5353 {
5354         kfree(secdata);
5355 }
5356
5357 /*
5358  *      called with inode->i_mutex locked
5359  */
5360 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5361 {
5362         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5363 }
5364
5365 /*
5366  *      called with inode->i_mutex locked
5367  */
5368 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5369 {
5370         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5371 }
5372
5373 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5374 {
5375         int len = 0;
5376         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5377                                                 ctx, true);
5378         if (len < 0)
5379                 return len;
5380         *ctxlen = len;
5381         return 0;
5382 }
5383 #ifdef CONFIG_KEYS
5384
5385 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5386                              unsigned long flags)
5387 {
5388         const struct task_security_struct *tsec;
5389         struct key_security_struct *ksec;
5390
5391         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5392         if (!ksec)
5393                 return -ENOMEM;
5394
5395         tsec = cred->security;
5396         if (tsec->keycreate_sid)
5397                 ksec->sid = tsec->keycreate_sid;
5398         else
5399                 ksec->sid = tsec->sid;
5400
5401         k->security = ksec;
5402         return 0;
5403 }
5404
5405 static void selinux_key_free(struct key *k)
5406 {
5407         struct key_security_struct *ksec = k->security;
5408
5409         k->security = NULL;
5410         kfree(ksec);
5411 }
5412
5413 static int selinux_key_permission(key_ref_t key_ref,
5414                                   const struct cred *cred,
5415                                   key_perm_t perm)
5416 {
5417         struct key *key;
5418         struct key_security_struct *ksec;
5419         u32 sid;
5420
5421         /* if no specific permissions are requested, we skip the
5422            permission check. No serious, additional covert channels
5423            appear to be created. */
5424         if (perm == 0)
5425                 return 0;
5426
5427         sid = cred_sid(cred);
5428
5429         key = key_ref_to_ptr(key_ref);
5430         ksec = key->security;
5431
5432         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5433 }
5434
5435 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5436 {
5437         struct key_security_struct *ksec = key->security;
5438         char *context = NULL;
5439         unsigned len;
5440         int rc;
5441
5442         rc = security_sid_to_context(ksec->sid, &context, &len);
5443         if (!rc)
5444                 rc = len;
5445         *_buffer = context;
5446         return rc;
5447 }
5448
5449 #endif
5450
5451 static struct security_operations selinux_ops = {
5452         .name =                         "selinux",
5453
5454         .ptrace_access_check =          selinux_ptrace_access_check,
5455         .ptrace_traceme =               selinux_ptrace_traceme,
5456         .capget =                       selinux_capget,
5457         .capset =                       selinux_capset,
5458         .capable =                      selinux_capable,
5459         .quotactl =                     selinux_quotactl,
5460         .quota_on =                     selinux_quota_on,
5461         .syslog =                       selinux_syslog,
5462         .vm_enough_memory =             selinux_vm_enough_memory,
5463
5464         .netlink_send =                 selinux_netlink_send,
5465         .netlink_recv =                 selinux_netlink_recv,
5466
5467         .bprm_set_creds =               selinux_bprm_set_creds,
5468         .bprm_committing_creds =        selinux_bprm_committing_creds,
5469         .bprm_committed_creds =         selinux_bprm_committed_creds,
5470         .bprm_secureexec =              selinux_bprm_secureexec,
5471
5472         .sb_alloc_security =            selinux_sb_alloc_security,
5473         .sb_free_security =             selinux_sb_free_security,
5474         .sb_copy_data =                 selinux_sb_copy_data,
5475         .sb_remount =                   selinux_sb_remount,
5476         .sb_kern_mount =                selinux_sb_kern_mount,
5477         .sb_show_options =              selinux_sb_show_options,
5478         .sb_statfs =                    selinux_sb_statfs,
5479         .sb_mount =                     selinux_mount,
5480         .sb_umount =                    selinux_umount,
5481         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5482         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5483         .sb_parse_opts_str =            selinux_parse_opts_str,
5484
5485
5486         .inode_alloc_security =         selinux_inode_alloc_security,
5487         .inode_free_security =          selinux_inode_free_security,
5488         .inode_init_security =          selinux_inode_init_security,
5489         .inode_create =                 selinux_inode_create,
5490         .inode_link =                   selinux_inode_link,
5491         .inode_unlink =                 selinux_inode_unlink,
5492         .inode_symlink =                selinux_inode_symlink,
5493         .inode_mkdir =                  selinux_inode_mkdir,
5494         .inode_rmdir =                  selinux_inode_rmdir,
5495         .inode_mknod =                  selinux_inode_mknod,
5496         .inode_rename =                 selinux_inode_rename,
5497         .inode_readlink =               selinux_inode_readlink,
5498         .inode_follow_link =            selinux_inode_follow_link,
5499         .inode_permission =             selinux_inode_permission,
5500         .inode_setattr =                selinux_inode_setattr,
5501         .inode_getattr =                selinux_inode_getattr,
5502         .inode_setxattr =               selinux_inode_setxattr,
5503         .inode_post_setxattr =          selinux_inode_post_setxattr,
5504         .inode_getxattr =               selinux_inode_getxattr,
5505         .inode_listxattr =              selinux_inode_listxattr,
5506         .inode_removexattr =            selinux_inode_removexattr,
5507         .inode_getsecurity =            selinux_inode_getsecurity,
5508         .inode_setsecurity =            selinux_inode_setsecurity,
5509         .inode_listsecurity =           selinux_inode_listsecurity,
5510         .inode_getsecid =               selinux_inode_getsecid,
5511
5512         .file_permission =              selinux_file_permission,
5513         .file_alloc_security =          selinux_file_alloc_security,
5514         .file_free_security =           selinux_file_free_security,
5515         .file_ioctl =                   selinux_file_ioctl,
5516         .file_mmap =                    selinux_file_mmap,
5517         .file_mprotect =                selinux_file_mprotect,
5518         .file_lock =                    selinux_file_lock,
5519         .file_fcntl =                   selinux_file_fcntl,
5520         .file_set_fowner =              selinux_file_set_fowner,
5521         .file_send_sigiotask =          selinux_file_send_sigiotask,
5522         .file_receive =                 selinux_file_receive,
5523
5524         .dentry_open =                  selinux_dentry_open,
5525
5526         .task_create =                  selinux_task_create,
5527         .cred_alloc_blank =             selinux_cred_alloc_blank,
5528         .cred_free =                    selinux_cred_free,
5529         .cred_prepare =                 selinux_cred_prepare,
5530         .cred_transfer =                selinux_cred_transfer,
5531         .kernel_act_as =                selinux_kernel_act_as,
5532         .kernel_create_files_as =       selinux_kernel_create_files_as,
5533         .kernel_module_request =        selinux_kernel_module_request,
5534         .task_setpgid =                 selinux_task_setpgid,
5535         .task_getpgid =                 selinux_task_getpgid,
5536         .task_getsid =                  selinux_task_getsid,
5537         .task_getsecid =                selinux_task_getsecid,
5538         .task_setnice =                 selinux_task_setnice,
5539         .task_setioprio =               selinux_task_setioprio,
5540         .task_getioprio =               selinux_task_getioprio,
5541         .task_setrlimit =               selinux_task_setrlimit,
5542         .task_setscheduler =            selinux_task_setscheduler,
5543         .task_getscheduler =            selinux_task_getscheduler,
5544         .task_movememory =              selinux_task_movememory,
5545         .task_kill =                    selinux_task_kill,
5546         .task_wait =                    selinux_task_wait,
5547         .task_to_inode =                selinux_task_to_inode,
5548
5549         .ipc_permission =               selinux_ipc_permission,
5550         .ipc_getsecid =                 selinux_ipc_getsecid,
5551
5552         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5553         .msg_msg_free_security =        selinux_msg_msg_free_security,
5554
5555         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5556         .msg_queue_free_security =      selinux_msg_queue_free_security,
5557         .msg_queue_associate =          selinux_msg_queue_associate,
5558         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5559         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5560         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5561
5562         .shm_alloc_security =           selinux_shm_alloc_security,
5563         .shm_free_security =            selinux_shm_free_security,
5564         .shm_associate =                selinux_shm_associate,
5565         .shm_shmctl =                   selinux_shm_shmctl,
5566         .shm_shmat =                    selinux_shm_shmat,
5567
5568         .sem_alloc_security =           selinux_sem_alloc_security,
5569         .sem_free_security =            selinux_sem_free_security,
5570         .sem_associate =                selinux_sem_associate,
5571         .sem_semctl =                   selinux_sem_semctl,
5572         .sem_semop =                    selinux_sem_semop,
5573
5574         .d_instantiate =                selinux_d_instantiate,
5575
5576         .getprocattr =                  selinux_getprocattr,
5577         .setprocattr =                  selinux_setprocattr,
5578
5579         .secid_to_secctx =              selinux_secid_to_secctx,
5580         .secctx_to_secid =              selinux_secctx_to_secid,
5581         .release_secctx =               selinux_release_secctx,
5582         .inode_notifysecctx =           selinux_inode_notifysecctx,
5583         .inode_setsecctx =              selinux_inode_setsecctx,
5584         .inode_getsecctx =              selinux_inode_getsecctx,
5585
5586         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5587         .unix_may_send =                selinux_socket_unix_may_send,
5588
5589         .socket_create =                selinux_socket_create,
5590         .socket_post_create =           selinux_socket_post_create,
5591         .socket_bind =                  selinux_socket_bind,
5592         .socket_connect =               selinux_socket_connect,
5593         .socket_listen =                selinux_socket_listen,
5594         .socket_accept =                selinux_socket_accept,
5595         .socket_sendmsg =               selinux_socket_sendmsg,
5596         .socket_recvmsg =               selinux_socket_recvmsg,
5597         .socket_getsockname =           selinux_socket_getsockname,
5598         .socket_getpeername =           selinux_socket_getpeername,
5599         .socket_getsockopt =            selinux_socket_getsockopt,
5600         .socket_setsockopt =            selinux_socket_setsockopt,
5601         .socket_shutdown =              selinux_socket_shutdown,
5602         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5603         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5604         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5605         .sk_alloc_security =            selinux_sk_alloc_security,
5606         .sk_free_security =             selinux_sk_free_security,
5607         .sk_clone_security =            selinux_sk_clone_security,
5608         .sk_getsecid =                  selinux_sk_getsecid,
5609         .sock_graft =                   selinux_sock_graft,
5610         .inet_conn_request =            selinux_inet_conn_request,
5611         .inet_csk_clone =               selinux_inet_csk_clone,
5612         .inet_conn_established =        selinux_inet_conn_established,
5613         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5614         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5615         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5616         .req_classify_flow =            selinux_req_classify_flow,
5617         .tun_dev_create =               selinux_tun_dev_create,
5618         .tun_dev_post_create =          selinux_tun_dev_post_create,
5619         .tun_dev_attach =               selinux_tun_dev_attach,
5620
5621 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5622         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5623         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5624         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5625         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5626         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5627         .xfrm_state_free_security =     selinux_xfrm_state_free,
5628         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5629         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5630         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5631         .xfrm_decode_session =          selinux_xfrm_decode_session,
5632 #endif
5633
5634 #ifdef CONFIG_KEYS
5635         .key_alloc =                    selinux_key_alloc,
5636         .key_free =                     selinux_key_free,
5637         .key_permission =               selinux_key_permission,
5638         .key_getsecurity =              selinux_key_getsecurity,
5639 #endif
5640
5641 #ifdef CONFIG_AUDIT
5642         .audit_rule_init =              selinux_audit_rule_init,
5643         .audit_rule_known =             selinux_audit_rule_known,
5644         .audit_rule_match =             selinux_audit_rule_match,
5645         .audit_rule_free =              selinux_audit_rule_free,
5646 #endif
5647 };
5648
5649 static __init int selinux_init(void)
5650 {
5651         if (!security_module_enable(&selinux_ops)) {
5652                 selinux_enabled = 0;
5653                 return 0;
5654         }
5655
5656         if (!selinux_enabled) {
5657                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5658                 return 0;
5659         }
5660
5661         printk(KERN_INFO "SELinux:  Initializing.\n");
5662
5663         /* Set the security state for the initial task. */
5664         cred_init_security();
5665
5666         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5667
5668         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5669                                             sizeof(struct inode_security_struct),
5670                                             0, SLAB_PANIC, NULL);
5671         avc_init();
5672
5673         if (register_security(&selinux_ops))
5674                 panic("SELinux: Unable to register with kernel.\n");
5675
5676         if (selinux_enforcing)
5677                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5678         else
5679                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5680
5681         return 0;
5682 }
5683
5684 static void delayed_superblock_init(struct super_block *sb, void *unused)
5685 {
5686         superblock_doinit(sb, NULL);
5687 }
5688
5689 void selinux_complete_init(void)
5690 {
5691         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5692
5693         /* Set up any superblocks initialized prior to the policy load. */
5694         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5695         iterate_supers(delayed_superblock_init, NULL);
5696 }
5697
5698 /* SELinux requires early initialization in order to label
5699    all processes and objects when they are created. */
5700 security_initcall(selinux_init);
5701
5702 #if defined(CONFIG_NETFILTER)
5703
5704 static struct nf_hook_ops selinux_ipv4_ops[] = {
5705         {
5706                 .hook =         selinux_ipv4_postroute,
5707                 .owner =        THIS_MODULE,
5708                 .pf =           PF_INET,
5709                 .hooknum =      NF_INET_POST_ROUTING,
5710                 .priority =     NF_IP_PRI_SELINUX_LAST,
5711         },
5712         {
5713                 .hook =         selinux_ipv4_forward,
5714                 .owner =        THIS_MODULE,
5715                 .pf =           PF_INET,
5716                 .hooknum =      NF_INET_FORWARD,
5717                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5718         },
5719         {
5720                 .hook =         selinux_ipv4_output,
5721                 .owner =        THIS_MODULE,
5722                 .pf =           PF_INET,
5723                 .hooknum =      NF_INET_LOCAL_OUT,
5724                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5725         }
5726 };
5727
5728 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5729
5730 static struct nf_hook_ops selinux_ipv6_ops[] = {
5731         {
5732                 .hook =         selinux_ipv6_postroute,
5733                 .owner =        THIS_MODULE,
5734                 .pf =           PF_INET6,
5735                 .hooknum =      NF_INET_POST_ROUTING,
5736                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5737         },
5738         {
5739                 .hook =         selinux_ipv6_forward,
5740                 .owner =        THIS_MODULE,
5741                 .pf =           PF_INET6,
5742                 .hooknum =      NF_INET_FORWARD,
5743                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5744         }
5745 };
5746
5747 #endif  /* IPV6 */
5748
5749 static int __init selinux_nf_ip_init(void)
5750 {
5751         int err = 0;
5752
5753         if (!selinux_enabled)
5754                 goto out;
5755
5756         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5757
5758         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5759         if (err)
5760                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5761
5762 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5763         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5764         if (err)
5765                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5766 #endif  /* IPV6 */
5767
5768 out:
5769         return err;
5770 }
5771
5772 __initcall(selinux_nf_ip_init);
5773
5774 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5775 static void selinux_nf_ip_exit(void)
5776 {
5777         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5778
5779         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5780 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5781         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5782 #endif  /* IPV6 */
5783 }
5784 #endif
5785
5786 #else /* CONFIG_NETFILTER */
5787
5788 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5789 #define selinux_nf_ip_exit()
5790 #endif
5791
5792 #endif /* CONFIG_NETFILTER */
5793
5794 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5795 static int selinux_disabled;
5796
5797 int selinux_disable(void)
5798 {
5799         if (ss_initialized) {
5800                 /* Not permitted after initial policy load. */
5801                 return -EINVAL;
5802         }
5803
5804         if (selinux_disabled) {
5805                 /* Only do this once. */
5806                 return -EINVAL;
5807         }
5808
5809         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5810
5811         selinux_disabled = 1;
5812         selinux_enabled = 0;
5813
5814         reset_security_ops();
5815
5816         /* Try to destroy the avc node cache */
5817         avc_disable();
5818
5819         /* Unregister netfilter hooks. */
5820         selinux_nf_ip_exit();
5821
5822         /* Unregister selinuxfs. */
5823         exit_sel_fs();
5824
5825         return 0;
5826 }
5827 #endif