2578de549ad7e704d74a78c38f4a58fd8d491d38
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>             /* for local_port_range[] */
54 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
55 #include <net/net_namespace.h>
56 #include <net/netlabel.h>
57 #include <linux/uaccess.h>
58 #include <asm/ioctls.h>
59 #include <linux/atomic.h>
60 #include <linux/bitops.h>
61 #include <linux/interrupt.h>
62 #include <linux/netdevice.h>    /* for network interface checks */
63 #include <linux/netlink.h>
64 #include <linux/tcp.h>
65 #include <linux/udp.h>
66 #include <linux/dccp.h>
67 #include <linux/quota.h>
68 #include <linux/un.h>           /* for Unix socket types */
69 #include <net/af_unix.h>        /* for Unix socket types */
70 #include <linux/parser.h>
71 #include <linux/nfs_mount.h>
72 #include <net/ipv6.h>
73 #include <linux/hugetlb.h>
74 #include <linux/personality.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
79 #include <linux/posix-timers.h>
80 #include <linux/syslog.h>
81 #include <linux/user_namespace.h>
82 #include <linux/export.h>
83 #include <linux/msg.h>
84 #include <linux/shm.h>
85
86 #include "avc.h"
87 #include "objsec.h"
88 #include "netif.h"
89 #include "netnode.h"
90 #include "netport.h"
91 #include "xfrm.h"
92 #include "netlabel.h"
93 #include "audit.h"
94 #include "avc_ss.h"
95
96 #define NUM_SEL_MNT_OPTS 5
97
98 extern struct security_operations *security_ops;
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108         unsigned long enforcing;
109         if (!strict_strtoul(str, 0, &enforcing))
110                 selinux_enforcing = enforcing ? 1 : 0;
111         return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121         unsigned long enabled;
122         if (!strict_strtoul(str, 0, &enabled))
123                 selinux_enabled = enabled ? 1 : 0;
124         return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132
133 /**
134  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135  *
136  * Description:
137  * This function checks the SECMARK reference counter to see if any SECMARK
138  * targets are currently configured, if the reference counter is greater than
139  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
140  * enabled, false (0) if SECMARK is disabled.
141  *
142  */
143 static int selinux_secmark_enabled(void)
144 {
145         return (atomic_read(&selinux_secmark_refcount) > 0);
146 }
147
148 /*
149  * initialise the security for the init task
150  */
151 static void cred_init_security(void)
152 {
153         struct cred *cred = (struct cred *) current->real_cred;
154         struct task_security_struct *tsec;
155
156         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
157         if (!tsec)
158                 panic("SELinux:  Failed to initialize initial task.\n");
159
160         tsec->osid = tsec->sid = SECINITSID_KERNEL;
161         cred->security = tsec;
162 }
163
164 /*
165  * get the security ID of a set of credentials
166  */
167 static inline u32 cred_sid(const struct cred *cred)
168 {
169         const struct task_security_struct *tsec;
170
171         tsec = cred->security;
172         return tsec->sid;
173 }
174
175 /*
176  * get the objective security ID of a task
177  */
178 static inline u32 task_sid(const struct task_struct *task)
179 {
180         u32 sid;
181
182         rcu_read_lock();
183         sid = cred_sid(__task_cred(task));
184         rcu_read_unlock();
185         return sid;
186 }
187
188 /*
189  * get the subjective security ID of the current task
190  */
191 static inline u32 current_sid(void)
192 {
193         const struct task_security_struct *tsec = current_security();
194
195         return tsec->sid;
196 }
197
198 /* Allocate and free functions for each kind of security blob. */
199
200 static int inode_alloc_security(struct inode *inode)
201 {
202         struct inode_security_struct *isec;
203         u32 sid = current_sid();
204
205         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
206         if (!isec)
207                 return -ENOMEM;
208
209         mutex_init(&isec->lock);
210         INIT_LIST_HEAD(&isec->list);
211         isec->inode = inode;
212         isec->sid = SECINITSID_UNLABELED;
213         isec->sclass = SECCLASS_FILE;
214         isec->task_sid = sid;
215         inode->i_security = isec;
216
217         return 0;
218 }
219
220 static void inode_free_security(struct inode *inode)
221 {
222         struct inode_security_struct *isec = inode->i_security;
223         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
224
225         spin_lock(&sbsec->isec_lock);
226         if (!list_empty(&isec->list))
227                 list_del_init(&isec->list);
228         spin_unlock(&sbsec->isec_lock);
229
230         inode->i_security = NULL;
231         kmem_cache_free(sel_inode_cache, isec);
232 }
233
234 static int file_alloc_security(struct file *file)
235 {
236         struct file_security_struct *fsec;
237         u32 sid = current_sid();
238
239         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
240         if (!fsec)
241                 return -ENOMEM;
242
243         fsec->sid = sid;
244         fsec->fown_sid = sid;
245         file->f_security = fsec;
246
247         return 0;
248 }
249
250 static void file_free_security(struct file *file)
251 {
252         struct file_security_struct *fsec = file->f_security;
253         file->f_security = NULL;
254         kfree(fsec);
255 }
256
257 static int superblock_alloc_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec;
260
261         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
262         if (!sbsec)
263                 return -ENOMEM;
264
265         mutex_init(&sbsec->lock);
266         INIT_LIST_HEAD(&sbsec->isec_head);
267         spin_lock_init(&sbsec->isec_lock);
268         sbsec->sb = sb;
269         sbsec->sid = SECINITSID_UNLABELED;
270         sbsec->def_sid = SECINITSID_FILE;
271         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
272         sb->s_security = sbsec;
273
274         return 0;
275 }
276
277 static void superblock_free_security(struct super_block *sb)
278 {
279         struct superblock_security_struct *sbsec = sb->s_security;
280         sb->s_security = NULL;
281         kfree(sbsec);
282 }
283
284 /* The file system's label must be initialized prior to use. */
285
286 static const char *labeling_behaviors[6] = {
287         "uses xattr",
288         "uses transition SIDs",
289         "uses task SIDs",
290         "uses genfs_contexts",
291         "not configured for labeling",
292         "uses mountpoint labeling",
293 };
294
295 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
296
297 static inline int inode_doinit(struct inode *inode)
298 {
299         return inode_doinit_with_dentry(inode, NULL);
300 }
301
302 enum {
303         Opt_error = -1,
304         Opt_context = 1,
305         Opt_fscontext = 2,
306         Opt_defcontext = 3,
307         Opt_rootcontext = 4,
308         Opt_labelsupport = 5,
309 };
310
311 static const match_table_t tokens = {
312         {Opt_context, CONTEXT_STR "%s"},
313         {Opt_fscontext, FSCONTEXT_STR "%s"},
314         {Opt_defcontext, DEFCONTEXT_STR "%s"},
315         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
316         {Opt_labelsupport, LABELSUPP_STR},
317         {Opt_error, NULL},
318 };
319
320 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
321
322 static int may_context_mount_sb_relabel(u32 sid,
323                         struct superblock_security_struct *sbsec,
324                         const struct cred *cred)
325 {
326         const struct task_security_struct *tsec = cred->security;
327         int rc;
328
329         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
330                           FILESYSTEM__RELABELFROM, NULL);
331         if (rc)
332                 return rc;
333
334         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
335                           FILESYSTEM__RELABELTO, NULL);
336         return rc;
337 }
338
339 static int may_context_mount_inode_relabel(u32 sid,
340                         struct superblock_security_struct *sbsec,
341                         const struct cred *cred)
342 {
343         const struct task_security_struct *tsec = cred->security;
344         int rc;
345         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
346                           FILESYSTEM__RELABELFROM, NULL);
347         if (rc)
348                 return rc;
349
350         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
351                           FILESYSTEM__ASSOCIATE, NULL);
352         return rc;
353 }
354
355 static int sb_finish_set_opts(struct super_block *sb)
356 {
357         struct superblock_security_struct *sbsec = sb->s_security;
358         struct dentry *root = sb->s_root;
359         struct inode *root_inode = root->d_inode;
360         int rc = 0;
361
362         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
363                 /* Make sure that the xattr handler exists and that no
364                    error other than -ENODATA is returned by getxattr on
365                    the root directory.  -ENODATA is ok, as this may be
366                    the first boot of the SELinux kernel before we have
367                    assigned xattr values to the filesystem. */
368                 if (!root_inode->i_op->getxattr) {
369                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
370                                "xattr support\n", sb->s_id, sb->s_type->name);
371                         rc = -EOPNOTSUPP;
372                         goto out;
373                 }
374                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
375                 if (rc < 0 && rc != -ENODATA) {
376                         if (rc == -EOPNOTSUPP)
377                                 printk(KERN_WARNING "SELinux: (dev %s, type "
378                                        "%s) has no security xattr handler\n",
379                                        sb->s_id, sb->s_type->name);
380                         else
381                                 printk(KERN_WARNING "SELinux: (dev %s, type "
382                                        "%s) getxattr errno %d\n", sb->s_id,
383                                        sb->s_type->name, -rc);
384                         goto out;
385                 }
386         }
387
388         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
389
390         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
391                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
392                        sb->s_id, sb->s_type->name);
393         else
394                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
395                        sb->s_id, sb->s_type->name,
396                        labeling_behaviors[sbsec->behavior-1]);
397
398         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
399             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
400             sbsec->behavior == SECURITY_FS_USE_NONE ||
401             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
402                 sbsec->flags &= ~SE_SBLABELSUPP;
403
404         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
405         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
406                 sbsec->flags |= SE_SBLABELSUPP;
407
408         /* Initialize the root inode. */
409         rc = inode_doinit_with_dentry(root_inode, root);
410
411         /* Initialize any other inodes associated with the superblock, e.g.
412            inodes created prior to initial policy load or inodes created
413            during get_sb by a pseudo filesystem that directly
414            populates itself. */
415         spin_lock(&sbsec->isec_lock);
416 next_inode:
417         if (!list_empty(&sbsec->isec_head)) {
418                 struct inode_security_struct *isec =
419                                 list_entry(sbsec->isec_head.next,
420                                            struct inode_security_struct, list);
421                 struct inode *inode = isec->inode;
422                 spin_unlock(&sbsec->isec_lock);
423                 inode = igrab(inode);
424                 if (inode) {
425                         if (!IS_PRIVATE(inode))
426                                 inode_doinit(inode);
427                         iput(inode);
428                 }
429                 spin_lock(&sbsec->isec_lock);
430                 list_del_init(&isec->list);
431                 goto next_inode;
432         }
433         spin_unlock(&sbsec->isec_lock);
434 out:
435         return rc;
436 }
437
438 /*
439  * This function should allow an FS to ask what it's mount security
440  * options were so it can use those later for submounts, displaying
441  * mount options, or whatever.
442  */
443 static int selinux_get_mnt_opts(const struct super_block *sb,
444                                 struct security_mnt_opts *opts)
445 {
446         int rc = 0, i;
447         struct superblock_security_struct *sbsec = sb->s_security;
448         char *context = NULL;
449         u32 len;
450         char tmp;
451
452         security_init_mnt_opts(opts);
453
454         if (!(sbsec->flags & SE_SBINITIALIZED))
455                 return -EINVAL;
456
457         if (!ss_initialized)
458                 return -EINVAL;
459
460         tmp = sbsec->flags & SE_MNTMASK;
461         /* count the number of mount options for this sb */
462         for (i = 0; i < 8; i++) {
463                 if (tmp & 0x01)
464                         opts->num_mnt_opts++;
465                 tmp >>= 1;
466         }
467         /* Check if the Label support flag is set */
468         if (sbsec->flags & SE_SBLABELSUPP)
469                 opts->num_mnt_opts++;
470
471         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472         if (!opts->mnt_opts) {
473                 rc = -ENOMEM;
474                 goto out_free;
475         }
476
477         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478         if (!opts->mnt_opts_flags) {
479                 rc = -ENOMEM;
480                 goto out_free;
481         }
482
483         i = 0;
484         if (sbsec->flags & FSCONTEXT_MNT) {
485                 rc = security_sid_to_context(sbsec->sid, &context, &len);
486                 if (rc)
487                         goto out_free;
488                 opts->mnt_opts[i] = context;
489                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
490         }
491         if (sbsec->flags & CONTEXT_MNT) {
492                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493                 if (rc)
494                         goto out_free;
495                 opts->mnt_opts[i] = context;
496                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
497         }
498         if (sbsec->flags & DEFCONTEXT_MNT) {
499                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500                 if (rc)
501                         goto out_free;
502                 opts->mnt_opts[i] = context;
503                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
504         }
505         if (sbsec->flags & ROOTCONTEXT_MNT) {
506                 struct inode *root = sbsec->sb->s_root->d_inode;
507                 struct inode_security_struct *isec = root->i_security;
508
509                 rc = security_sid_to_context(isec->sid, &context, &len);
510                 if (rc)
511                         goto out_free;
512                 opts->mnt_opts[i] = context;
513                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
514         }
515         if (sbsec->flags & SE_SBLABELSUPP) {
516                 opts->mnt_opts[i] = NULL;
517                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
518         }
519
520         BUG_ON(i != opts->num_mnt_opts);
521
522         return 0;
523
524 out_free:
525         security_free_mnt_opts(opts);
526         return rc;
527 }
528
529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
530                       u32 old_sid, u32 new_sid)
531 {
532         char mnt_flags = sbsec->flags & SE_MNTMASK;
533
534         /* check if the old mount command had the same options */
535         if (sbsec->flags & SE_SBINITIALIZED)
536                 if (!(sbsec->flags & flag) ||
537                     (old_sid != new_sid))
538                         return 1;
539
540         /* check if we were passed the same options twice,
541          * aka someone passed context=a,context=b
542          */
543         if (!(sbsec->flags & SE_SBINITIALIZED))
544                 if (mnt_flags & flag)
545                         return 1;
546         return 0;
547 }
548
549 /*
550  * Allow filesystems with binary mount data to explicitly set mount point
551  * labeling information.
552  */
553 static int selinux_set_mnt_opts(struct super_block *sb,
554                                 struct security_mnt_opts *opts)
555 {
556         const struct cred *cred = current_cred();
557         int rc = 0, i;
558         struct superblock_security_struct *sbsec = sb->s_security;
559         const char *name = sb->s_type->name;
560         struct inode *inode = sbsec->sb->s_root->d_inode;
561         struct inode_security_struct *root_isec = inode->i_security;
562         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
563         u32 defcontext_sid = 0;
564         char **mount_options = opts->mnt_opts;
565         int *flags = opts->mnt_opts_flags;
566         int num_opts = opts->num_mnt_opts;
567
568         mutex_lock(&sbsec->lock);
569
570         if (!ss_initialized) {
571                 if (!num_opts) {
572                         /* Defer initialization until selinux_complete_init,
573                            after the initial policy is loaded and the security
574                            server is ready to handle calls. */
575                         goto out;
576                 }
577                 rc = -EINVAL;
578                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
579                         "before the security server is initialized\n");
580                 goto out;
581         }
582
583         /*
584          * Binary mount data FS will come through this function twice.  Once
585          * from an explicit call and once from the generic calls from the vfs.
586          * Since the generic VFS calls will not contain any security mount data
587          * we need to skip the double mount verification.
588          *
589          * This does open a hole in which we will not notice if the first
590          * mount using this sb set explict options and a second mount using
591          * this sb does not set any security options.  (The first options
592          * will be used for both mounts)
593          */
594         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
595             && (num_opts == 0))
596                 goto out;
597
598         /*
599          * parse the mount options, check if they are valid sids.
600          * also check if someone is trying to mount the same sb more
601          * than once with different security options.
602          */
603         for (i = 0; i < num_opts; i++) {
604                 u32 sid;
605
606                 if (flags[i] == SE_SBLABELSUPP)
607                         continue;
608                 rc = security_context_to_sid(mount_options[i],
609                                              strlen(mount_options[i]), &sid);
610                 if (rc) {
611                         printk(KERN_WARNING "SELinux: security_context_to_sid"
612                                "(%s) failed for (dev %s, type %s) errno=%d\n",
613                                mount_options[i], sb->s_id, name, rc);
614                         goto out;
615                 }
616                 switch (flags[i]) {
617                 case FSCONTEXT_MNT:
618                         fscontext_sid = sid;
619
620                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
621                                         fscontext_sid))
622                                 goto out_double_mount;
623
624                         sbsec->flags |= FSCONTEXT_MNT;
625                         break;
626                 case CONTEXT_MNT:
627                         context_sid = sid;
628
629                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
630                                         context_sid))
631                                 goto out_double_mount;
632
633                         sbsec->flags |= CONTEXT_MNT;
634                         break;
635                 case ROOTCONTEXT_MNT:
636                         rootcontext_sid = sid;
637
638                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
639                                         rootcontext_sid))
640                                 goto out_double_mount;
641
642                         sbsec->flags |= ROOTCONTEXT_MNT;
643
644                         break;
645                 case DEFCONTEXT_MNT:
646                         defcontext_sid = sid;
647
648                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
649                                         defcontext_sid))
650                                 goto out_double_mount;
651
652                         sbsec->flags |= DEFCONTEXT_MNT;
653
654                         break;
655                 default:
656                         rc = -EINVAL;
657                         goto out;
658                 }
659         }
660
661         if (sbsec->flags & SE_SBINITIALIZED) {
662                 /* previously mounted with options, but not on this attempt? */
663                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
664                         goto out_double_mount;
665                 rc = 0;
666                 goto out;
667         }
668
669         if (strcmp(sb->s_type->name, "proc") == 0)
670                 sbsec->flags |= SE_SBPROC;
671
672         /* Determine the labeling behavior to use for this filesystem type. */
673         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
674         if (rc) {
675                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
676                        __func__, sb->s_type->name, rc);
677                 goto out;
678         }
679
680         /* sets the context of the superblock for the fs being mounted. */
681         if (fscontext_sid) {
682                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
683                 if (rc)
684                         goto out;
685
686                 sbsec->sid = fscontext_sid;
687         }
688
689         /*
690          * Switch to using mount point labeling behavior.
691          * sets the label used on all file below the mountpoint, and will set
692          * the superblock context if not already set.
693          */
694         if (context_sid) {
695                 if (!fscontext_sid) {
696                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
697                                                           cred);
698                         if (rc)
699                                 goto out;
700                         sbsec->sid = context_sid;
701                 } else {
702                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
703                                                              cred);
704                         if (rc)
705                                 goto out;
706                 }
707                 if (!rootcontext_sid)
708                         rootcontext_sid = context_sid;
709
710                 sbsec->mntpoint_sid = context_sid;
711                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
712         }
713
714         if (rootcontext_sid) {
715                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
716                                                      cred);
717                 if (rc)
718                         goto out;
719
720                 root_isec->sid = rootcontext_sid;
721                 root_isec->initialized = 1;
722         }
723
724         if (defcontext_sid) {
725                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
726                         rc = -EINVAL;
727                         printk(KERN_WARNING "SELinux: defcontext option is "
728                                "invalid for this filesystem type\n");
729                         goto out;
730                 }
731
732                 if (defcontext_sid != sbsec->def_sid) {
733                         rc = may_context_mount_inode_relabel(defcontext_sid,
734                                                              sbsec, cred);
735                         if (rc)
736                                 goto out;
737                 }
738
739                 sbsec->def_sid = defcontext_sid;
740         }
741
742         rc = sb_finish_set_opts(sb);
743 out:
744         mutex_unlock(&sbsec->lock);
745         return rc;
746 out_double_mount:
747         rc = -EINVAL;
748         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
749                "security settings for (dev %s, type %s)\n", sb->s_id, name);
750         goto out;
751 }
752
753 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754                                         struct super_block *newsb)
755 {
756         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757         struct superblock_security_struct *newsbsec = newsb->s_security;
758
759         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
760         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
761         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
762
763         /*
764          * if the parent was able to be mounted it clearly had no special lsm
765          * mount options.  thus we can safely deal with this superblock later
766          */
767         if (!ss_initialized)
768                 return;
769
770         /* how can we clone if the old one wasn't set up?? */
771         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
772
773         /* if fs is reusing a sb, just let its options stand... */
774         if (newsbsec->flags & SE_SBINITIALIZED)
775                 return;
776
777         mutex_lock(&newsbsec->lock);
778
779         newsbsec->flags = oldsbsec->flags;
780
781         newsbsec->sid = oldsbsec->sid;
782         newsbsec->def_sid = oldsbsec->def_sid;
783         newsbsec->behavior = oldsbsec->behavior;
784
785         if (set_context) {
786                 u32 sid = oldsbsec->mntpoint_sid;
787
788                 if (!set_fscontext)
789                         newsbsec->sid = sid;
790                 if (!set_rootcontext) {
791                         struct inode *newinode = newsb->s_root->d_inode;
792                         struct inode_security_struct *newisec = newinode->i_security;
793                         newisec->sid = sid;
794                 }
795                 newsbsec->mntpoint_sid = sid;
796         }
797         if (set_rootcontext) {
798                 const struct inode *oldinode = oldsb->s_root->d_inode;
799                 const struct inode_security_struct *oldisec = oldinode->i_security;
800                 struct inode *newinode = newsb->s_root->d_inode;
801                 struct inode_security_struct *newisec = newinode->i_security;
802
803                 newisec->sid = oldisec->sid;
804         }
805
806         sb_finish_set_opts(newsb);
807         mutex_unlock(&newsbsec->lock);
808 }
809
810 static int selinux_parse_opts_str(char *options,
811                                   struct security_mnt_opts *opts)
812 {
813         char *p;
814         char *context = NULL, *defcontext = NULL;
815         char *fscontext = NULL, *rootcontext = NULL;
816         int rc, num_mnt_opts = 0;
817
818         opts->num_mnt_opts = 0;
819
820         /* Standard string-based options. */
821         while ((p = strsep(&options, "|")) != NULL) {
822                 int token;
823                 substring_t args[MAX_OPT_ARGS];
824
825                 if (!*p)
826                         continue;
827
828                 token = match_token(p, tokens, args);
829
830                 switch (token) {
831                 case Opt_context:
832                         if (context || defcontext) {
833                                 rc = -EINVAL;
834                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
835                                 goto out_err;
836                         }
837                         context = match_strdup(&args[0]);
838                         if (!context) {
839                                 rc = -ENOMEM;
840                                 goto out_err;
841                         }
842                         break;
843
844                 case Opt_fscontext:
845                         if (fscontext) {
846                                 rc = -EINVAL;
847                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
848                                 goto out_err;
849                         }
850                         fscontext = match_strdup(&args[0]);
851                         if (!fscontext) {
852                                 rc = -ENOMEM;
853                                 goto out_err;
854                         }
855                         break;
856
857                 case Opt_rootcontext:
858                         if (rootcontext) {
859                                 rc = -EINVAL;
860                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
861                                 goto out_err;
862                         }
863                         rootcontext = match_strdup(&args[0]);
864                         if (!rootcontext) {
865                                 rc = -ENOMEM;
866                                 goto out_err;
867                         }
868                         break;
869
870                 case Opt_defcontext:
871                         if (context || defcontext) {
872                                 rc = -EINVAL;
873                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874                                 goto out_err;
875                         }
876                         defcontext = match_strdup(&args[0]);
877                         if (!defcontext) {
878                                 rc = -ENOMEM;
879                                 goto out_err;
880                         }
881                         break;
882                 case Opt_labelsupport:
883                         break;
884                 default:
885                         rc = -EINVAL;
886                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
887                         goto out_err;
888
889                 }
890         }
891
892         rc = -ENOMEM;
893         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
894         if (!opts->mnt_opts)
895                 goto out_err;
896
897         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
898         if (!opts->mnt_opts_flags) {
899                 kfree(opts->mnt_opts);
900                 goto out_err;
901         }
902
903         if (fscontext) {
904                 opts->mnt_opts[num_mnt_opts] = fscontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
906         }
907         if (context) {
908                 opts->mnt_opts[num_mnt_opts] = context;
909                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
910         }
911         if (rootcontext) {
912                 opts->mnt_opts[num_mnt_opts] = rootcontext;
913                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
914         }
915         if (defcontext) {
916                 opts->mnt_opts[num_mnt_opts] = defcontext;
917                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
918         }
919
920         opts->num_mnt_opts = num_mnt_opts;
921         return 0;
922
923 out_err:
924         kfree(context);
925         kfree(defcontext);
926         kfree(fscontext);
927         kfree(rootcontext);
928         return rc;
929 }
930 /*
931  * string mount options parsing and call set the sbsec
932  */
933 static int superblock_doinit(struct super_block *sb, void *data)
934 {
935         int rc = 0;
936         char *options = data;
937         struct security_mnt_opts opts;
938
939         security_init_mnt_opts(&opts);
940
941         if (!data)
942                 goto out;
943
944         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
945
946         rc = selinux_parse_opts_str(options, &opts);
947         if (rc)
948                 goto out_err;
949
950 out:
951         rc = selinux_set_mnt_opts(sb, &opts);
952
953 out_err:
954         security_free_mnt_opts(&opts);
955         return rc;
956 }
957
958 static void selinux_write_opts(struct seq_file *m,
959                                struct security_mnt_opts *opts)
960 {
961         int i;
962         char *prefix;
963
964         for (i = 0; i < opts->num_mnt_opts; i++) {
965                 char *has_comma;
966
967                 if (opts->mnt_opts[i])
968                         has_comma = strchr(opts->mnt_opts[i], ',');
969                 else
970                         has_comma = NULL;
971
972                 switch (opts->mnt_opts_flags[i]) {
973                 case CONTEXT_MNT:
974                         prefix = CONTEXT_STR;
975                         break;
976                 case FSCONTEXT_MNT:
977                         prefix = FSCONTEXT_STR;
978                         break;
979                 case ROOTCONTEXT_MNT:
980                         prefix = ROOTCONTEXT_STR;
981                         break;
982                 case DEFCONTEXT_MNT:
983                         prefix = DEFCONTEXT_STR;
984                         break;
985                 case SE_SBLABELSUPP:
986                         seq_putc(m, ',');
987                         seq_puts(m, LABELSUPP_STR);
988                         continue;
989                 default:
990                         BUG();
991                         return;
992                 };
993                 /* we need a comma before each option */
994                 seq_putc(m, ',');
995                 seq_puts(m, prefix);
996                 if (has_comma)
997                         seq_putc(m, '\"');
998                 seq_puts(m, opts->mnt_opts[i]);
999                 if (has_comma)
1000                         seq_putc(m, '\"');
1001         }
1002 }
1003
1004 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1005 {
1006         struct security_mnt_opts opts;
1007         int rc;
1008
1009         rc = selinux_get_mnt_opts(sb, &opts);
1010         if (rc) {
1011                 /* before policy load we may get EINVAL, don't show anything */
1012                 if (rc == -EINVAL)
1013                         rc = 0;
1014                 return rc;
1015         }
1016
1017         selinux_write_opts(m, &opts);
1018
1019         security_free_mnt_opts(&opts);
1020
1021         return rc;
1022 }
1023
1024 static inline u16 inode_mode_to_security_class(umode_t mode)
1025 {
1026         switch (mode & S_IFMT) {
1027         case S_IFSOCK:
1028                 return SECCLASS_SOCK_FILE;
1029         case S_IFLNK:
1030                 return SECCLASS_LNK_FILE;
1031         case S_IFREG:
1032                 return SECCLASS_FILE;
1033         case S_IFBLK:
1034                 return SECCLASS_BLK_FILE;
1035         case S_IFDIR:
1036                 return SECCLASS_DIR;
1037         case S_IFCHR:
1038                 return SECCLASS_CHR_FILE;
1039         case S_IFIFO:
1040                 return SECCLASS_FIFO_FILE;
1041
1042         }
1043
1044         return SECCLASS_FILE;
1045 }
1046
1047 static inline int default_protocol_stream(int protocol)
1048 {
1049         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050 }
1051
1052 static inline int default_protocol_dgram(int protocol)
1053 {
1054         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055 }
1056
1057 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1058 {
1059         switch (family) {
1060         case PF_UNIX:
1061                 switch (type) {
1062                 case SOCK_STREAM:
1063                 case SOCK_SEQPACKET:
1064                         return SECCLASS_UNIX_STREAM_SOCKET;
1065                 case SOCK_DGRAM:
1066                         return SECCLASS_UNIX_DGRAM_SOCKET;
1067                 }
1068                 break;
1069         case PF_INET:
1070         case PF_INET6:
1071                 switch (type) {
1072                 case SOCK_STREAM:
1073                         if (default_protocol_stream(protocol))
1074                                 return SECCLASS_TCP_SOCKET;
1075                         else
1076                                 return SECCLASS_RAWIP_SOCKET;
1077                 case SOCK_DGRAM:
1078                         if (default_protocol_dgram(protocol))
1079                                 return SECCLASS_UDP_SOCKET;
1080                         else
1081                                 return SECCLASS_RAWIP_SOCKET;
1082                 case SOCK_DCCP:
1083                         return SECCLASS_DCCP_SOCKET;
1084                 default:
1085                         return SECCLASS_RAWIP_SOCKET;
1086                 }
1087                 break;
1088         case PF_NETLINK:
1089                 switch (protocol) {
1090                 case NETLINK_ROUTE:
1091                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1092                 case NETLINK_FIREWALL:
1093                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1094                 case NETLINK_SOCK_DIAG:
1095                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1096                 case NETLINK_NFLOG:
1097                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1098                 case NETLINK_XFRM:
1099                         return SECCLASS_NETLINK_XFRM_SOCKET;
1100                 case NETLINK_SELINUX:
1101                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1102                 case NETLINK_AUDIT:
1103                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1104                 case NETLINK_IP6_FW:
1105                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1106                 case NETLINK_DNRTMSG:
1107                         return SECCLASS_NETLINK_DNRT_SOCKET;
1108                 case NETLINK_KOBJECT_UEVENT:
1109                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1110                 default:
1111                         return SECCLASS_NETLINK_SOCKET;
1112                 }
1113         case PF_PACKET:
1114                 return SECCLASS_PACKET_SOCKET;
1115         case PF_KEY:
1116                 return SECCLASS_KEY_SOCKET;
1117         case PF_APPLETALK:
1118                 return SECCLASS_APPLETALK_SOCKET;
1119         }
1120
1121         return SECCLASS_SOCKET;
1122 }
1123
1124 #ifdef CONFIG_PROC_FS
1125 static int selinux_proc_get_sid(struct dentry *dentry,
1126                                 u16 tclass,
1127                                 u32 *sid)
1128 {
1129         int rc;
1130         char *buffer, *path;
1131
1132         buffer = (char *)__get_free_page(GFP_KERNEL);
1133         if (!buffer)
1134                 return -ENOMEM;
1135
1136         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1137         if (IS_ERR(path))
1138                 rc = PTR_ERR(path);
1139         else {
1140                 /* each process gets a /proc/PID/ entry. Strip off the
1141                  * PID part to get a valid selinux labeling.
1142                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143                 while (path[1] >= '0' && path[1] <= '9') {
1144                         path[1] = '/';
1145                         path++;
1146                 }
1147                 rc = security_genfs_sid("proc", path, tclass, sid);
1148         }
1149         free_page((unsigned long)buffer);
1150         return rc;
1151 }
1152 #else
1153 static int selinux_proc_get_sid(struct dentry *dentry,
1154                                 u16 tclass,
1155                                 u32 *sid)
1156 {
1157         return -EINVAL;
1158 }
1159 #endif
1160
1161 /* The inode's security attributes must be initialized before first use. */
1162 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1163 {
1164         struct superblock_security_struct *sbsec = NULL;
1165         struct inode_security_struct *isec = inode->i_security;
1166         u32 sid;
1167         struct dentry *dentry;
1168 #define INITCONTEXTLEN 255
1169         char *context = NULL;
1170         unsigned len = 0;
1171         int rc = 0;
1172
1173         if (isec->initialized)
1174                 goto out;
1175
1176         mutex_lock(&isec->lock);
1177         if (isec->initialized)
1178                 goto out_unlock;
1179
1180         sbsec = inode->i_sb->s_security;
1181         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1182                 /* Defer initialization until selinux_complete_init,
1183                    after the initial policy is loaded and the security
1184                    server is ready to handle calls. */
1185                 spin_lock(&sbsec->isec_lock);
1186                 if (list_empty(&isec->list))
1187                         list_add(&isec->list, &sbsec->isec_head);
1188                 spin_unlock(&sbsec->isec_lock);
1189                 goto out_unlock;
1190         }
1191
1192         switch (sbsec->behavior) {
1193         case SECURITY_FS_USE_XATTR:
1194                 if (!inode->i_op->getxattr) {
1195                         isec->sid = sbsec->def_sid;
1196                         break;
1197                 }
1198
1199                 /* Need a dentry, since the xattr API requires one.
1200                    Life would be simpler if we could just pass the inode. */
1201                 if (opt_dentry) {
1202                         /* Called from d_instantiate or d_splice_alias. */
1203                         dentry = dget(opt_dentry);
1204                 } else {
1205                         /* Called from selinux_complete_init, try to find a dentry. */
1206                         dentry = d_find_alias(inode);
1207                 }
1208                 if (!dentry) {
1209                         /*
1210                          * this is can be hit on boot when a file is accessed
1211                          * before the policy is loaded.  When we load policy we
1212                          * may find inodes that have no dentry on the
1213                          * sbsec->isec_head list.  No reason to complain as these
1214                          * will get fixed up the next time we go through
1215                          * inode_doinit with a dentry, before these inodes could
1216                          * be used again by userspace.
1217                          */
1218                         goto out_unlock;
1219                 }
1220
1221                 len = INITCONTEXTLEN;
1222                 context = kmalloc(len+1, GFP_NOFS);
1223                 if (!context) {
1224                         rc = -ENOMEM;
1225                         dput(dentry);
1226                         goto out_unlock;
1227                 }
1228                 context[len] = '\0';
1229                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230                                            context, len);
1231                 if (rc == -ERANGE) {
1232                         kfree(context);
1233
1234                         /* Need a larger buffer.  Query for the right size. */
1235                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1236                                                    NULL, 0);
1237                         if (rc < 0) {
1238                                 dput(dentry);
1239                                 goto out_unlock;
1240                         }
1241                         len = rc;
1242                         context = kmalloc(len+1, GFP_NOFS);
1243                         if (!context) {
1244                                 rc = -ENOMEM;
1245                                 dput(dentry);
1246                                 goto out_unlock;
1247                         }
1248                         context[len] = '\0';
1249                         rc = inode->i_op->getxattr(dentry,
1250                                                    XATTR_NAME_SELINUX,
1251                                                    context, len);
1252                 }
1253                 dput(dentry);
1254                 if (rc < 0) {
1255                         if (rc != -ENODATA) {
1256                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1257                                        "%d for dev=%s ino=%ld\n", __func__,
1258                                        -rc, inode->i_sb->s_id, inode->i_ino);
1259                                 kfree(context);
1260                                 goto out_unlock;
1261                         }
1262                         /* Map ENODATA to the default file SID */
1263                         sid = sbsec->def_sid;
1264                         rc = 0;
1265                 } else {
1266                         rc = security_context_to_sid_default(context, rc, &sid,
1267                                                              sbsec->def_sid,
1268                                                              GFP_NOFS);
1269                         if (rc) {
1270                                 char *dev = inode->i_sb->s_id;
1271                                 unsigned long ino = inode->i_ino;
1272
1273                                 if (rc == -EINVAL) {
1274                                         if (printk_ratelimit())
1275                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1277                                                         "filesystem in question.\n", ino, dev, context);
1278                                 } else {
1279                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1280                                                "returned %d for dev=%s ino=%ld\n",
1281                                                __func__, context, -rc, dev, ino);
1282                                 }
1283                                 kfree(context);
1284                                 /* Leave with the unlabeled SID */
1285                                 rc = 0;
1286                                 break;
1287                         }
1288                 }
1289                 kfree(context);
1290                 isec->sid = sid;
1291                 break;
1292         case SECURITY_FS_USE_TASK:
1293                 isec->sid = isec->task_sid;
1294                 break;
1295         case SECURITY_FS_USE_TRANS:
1296                 /* Default to the fs SID. */
1297                 isec->sid = sbsec->sid;
1298
1299                 /* Try to obtain a transition SID. */
1300                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1301                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302                                              isec->sclass, NULL, &sid);
1303                 if (rc)
1304                         goto out_unlock;
1305                 isec->sid = sid;
1306                 break;
1307         case SECURITY_FS_USE_MNTPOINT:
1308                 isec->sid = sbsec->mntpoint_sid;
1309                 break;
1310         default:
1311                 /* Default to the fs superblock SID. */
1312                 isec->sid = sbsec->sid;
1313
1314                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1315                         if (opt_dentry) {
1316                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317                                 rc = selinux_proc_get_sid(opt_dentry,
1318                                                           isec->sclass,
1319                                                           &sid);
1320                                 if (rc)
1321                                         goto out_unlock;
1322                                 isec->sid = sid;
1323                         }
1324                 }
1325                 break;
1326         }
1327
1328         isec->initialized = 1;
1329
1330 out_unlock:
1331         mutex_unlock(&isec->lock);
1332 out:
1333         if (isec->sclass == SECCLASS_FILE)
1334                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1335         return rc;
1336 }
1337
1338 /* Convert a Linux signal to an access vector. */
1339 static inline u32 signal_to_av(int sig)
1340 {
1341         u32 perm = 0;
1342
1343         switch (sig) {
1344         case SIGCHLD:
1345                 /* Commonly granted from child to parent. */
1346                 perm = PROCESS__SIGCHLD;
1347                 break;
1348         case SIGKILL:
1349                 /* Cannot be caught or ignored */
1350                 perm = PROCESS__SIGKILL;
1351                 break;
1352         case SIGSTOP:
1353                 /* Cannot be caught or ignored */
1354                 perm = PROCESS__SIGSTOP;
1355                 break;
1356         default:
1357                 /* All other signals. */
1358                 perm = PROCESS__SIGNAL;
1359                 break;
1360         }
1361
1362         return perm;
1363 }
1364
1365 /*
1366  * Check permission between a pair of credentials
1367  * fork check, ptrace check, etc.
1368  */
1369 static int cred_has_perm(const struct cred *actor,
1370                          const struct cred *target,
1371                          u32 perms)
1372 {
1373         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1374
1375         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1376 }
1377
1378 /*
1379  * Check permission between a pair of tasks, e.g. signal checks,
1380  * fork check, ptrace check, etc.
1381  * tsk1 is the actor and tsk2 is the target
1382  * - this uses the default subjective creds of tsk1
1383  */
1384 static int task_has_perm(const struct task_struct *tsk1,
1385                          const struct task_struct *tsk2,
1386                          u32 perms)
1387 {
1388         const struct task_security_struct *__tsec1, *__tsec2;
1389         u32 sid1, sid2;
1390
1391         rcu_read_lock();
1392         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1393         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1394         rcu_read_unlock();
1395         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1396 }
1397
1398 /*
1399  * Check permission between current and another task, e.g. signal checks,
1400  * fork check, ptrace check, etc.
1401  * current is the actor and tsk2 is the target
1402  * - this uses current's subjective creds
1403  */
1404 static int current_has_perm(const struct task_struct *tsk,
1405                             u32 perms)
1406 {
1407         u32 sid, tsid;
1408
1409         sid = current_sid();
1410         tsid = task_sid(tsk);
1411         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 #if CAP_LAST_CAP > 63
1415 #error Fix SELinux to handle capabilities > 63.
1416 #endif
1417
1418 /* Check whether a task is allowed to use a capability. */
1419 static int cred_has_capability(const struct cred *cred,
1420                                int cap, int audit)
1421 {
1422         struct common_audit_data ad;
1423         struct av_decision avd;
1424         u16 sclass;
1425         u32 sid = cred_sid(cred);
1426         u32 av = CAP_TO_MASK(cap);
1427         int rc;
1428
1429         ad.type = LSM_AUDIT_DATA_CAP;
1430         ad.u.cap = cap;
1431
1432         switch (CAP_TO_INDEX(cap)) {
1433         case 0:
1434                 sclass = SECCLASS_CAPABILITY;
1435                 break;
1436         case 1:
1437                 sclass = SECCLASS_CAPABILITY2;
1438                 break;
1439         default:
1440                 printk(KERN_ERR
1441                        "SELinux:  out of range capability %d\n", cap);
1442                 BUG();
1443                 return -EINVAL;
1444         }
1445
1446         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1447         if (audit == SECURITY_CAP_AUDIT) {
1448                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1449                 if (rc2)
1450                         return rc2;
1451         }
1452         return rc;
1453 }
1454
1455 /* Check whether a task is allowed to use a system operation. */
1456 static int task_has_system(struct task_struct *tsk,
1457                            u32 perms)
1458 {
1459         u32 sid = task_sid(tsk);
1460
1461         return avc_has_perm(sid, SECINITSID_KERNEL,
1462                             SECCLASS_SYSTEM, perms, NULL);
1463 }
1464
1465 /* Check whether a task has a particular permission to an inode.
1466    The 'adp' parameter is optional and allows other audit
1467    data to be passed (e.g. the dentry). */
1468 static int inode_has_perm(const struct cred *cred,
1469                           struct inode *inode,
1470                           u32 perms,
1471                           struct common_audit_data *adp,
1472                           unsigned flags)
1473 {
1474         struct inode_security_struct *isec;
1475         u32 sid;
1476
1477         validate_creds(cred);
1478
1479         if (unlikely(IS_PRIVATE(inode)))
1480                 return 0;
1481
1482         sid = cred_sid(cred);
1483         isec = inode->i_security;
1484
1485         return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1486 }
1487
1488 /* Same as inode_has_perm, but pass explicit audit data containing
1489    the dentry to help the auditing code to more easily generate the
1490    pathname if needed. */
1491 static inline int dentry_has_perm(const struct cred *cred,
1492                                   struct dentry *dentry,
1493                                   u32 av)
1494 {
1495         struct inode *inode = dentry->d_inode;
1496         struct common_audit_data ad;
1497
1498         ad.type = LSM_AUDIT_DATA_DENTRY;
1499         ad.u.dentry = dentry;
1500         return inode_has_perm(cred, inode, av, &ad, 0);
1501 }
1502
1503 /* Same as inode_has_perm, but pass explicit audit data containing
1504    the path to help the auditing code to more easily generate the
1505    pathname if needed. */
1506 static inline int path_has_perm(const struct cred *cred,
1507                                 struct path *path,
1508                                 u32 av)
1509 {
1510         struct inode *inode = path->dentry->d_inode;
1511         struct common_audit_data ad;
1512
1513         ad.type = LSM_AUDIT_DATA_PATH;
1514         ad.u.path = *path;
1515         return inode_has_perm(cred, inode, av, &ad, 0);
1516 }
1517
1518 /* Check whether a task can use an open file descriptor to
1519    access an inode in a given way.  Check access to the
1520    descriptor itself, and then use dentry_has_perm to
1521    check a particular permission to the file.
1522    Access to the descriptor is implicitly granted if it
1523    has the same SID as the process.  If av is zero, then
1524    access to the file is not checked, e.g. for cases
1525    where only the descriptor is affected like seek. */
1526 static int file_has_perm(const struct cred *cred,
1527                          struct file *file,
1528                          u32 av)
1529 {
1530         struct file_security_struct *fsec = file->f_security;
1531         struct inode *inode = file->f_path.dentry->d_inode;
1532         struct common_audit_data ad;
1533         u32 sid = cred_sid(cred);
1534         int rc;
1535
1536         ad.type = LSM_AUDIT_DATA_PATH;
1537         ad.u.path = file->f_path;
1538
1539         if (sid != fsec->sid) {
1540                 rc = avc_has_perm(sid, fsec->sid,
1541                                   SECCLASS_FD,
1542                                   FD__USE,
1543                                   &ad);
1544                 if (rc)
1545                         goto out;
1546         }
1547
1548         /* av is zero if only checking access to the descriptor. */
1549         rc = 0;
1550         if (av)
1551                 rc = inode_has_perm(cred, inode, av, &ad, 0);
1552
1553 out:
1554         return rc;
1555 }
1556
1557 /* Check whether a task can create a file. */
1558 static int may_create(struct inode *dir,
1559                       struct dentry *dentry,
1560                       u16 tclass)
1561 {
1562         const struct task_security_struct *tsec = current_security();
1563         struct inode_security_struct *dsec;
1564         struct superblock_security_struct *sbsec;
1565         u32 sid, newsid;
1566         struct common_audit_data ad;
1567         int rc;
1568
1569         dsec = dir->i_security;
1570         sbsec = dir->i_sb->s_security;
1571
1572         sid = tsec->sid;
1573         newsid = tsec->create_sid;
1574
1575         ad.type = LSM_AUDIT_DATA_DENTRY;
1576         ad.u.dentry = dentry;
1577
1578         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1579                           DIR__ADD_NAME | DIR__SEARCH,
1580                           &ad);
1581         if (rc)
1582                 return rc;
1583
1584         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1585                 rc = security_transition_sid(sid, dsec->sid, tclass,
1586                                              &dentry->d_name, &newsid);
1587                 if (rc)
1588                         return rc;
1589         }
1590
1591         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1592         if (rc)
1593                 return rc;
1594
1595         return avc_has_perm(newsid, sbsec->sid,
1596                             SECCLASS_FILESYSTEM,
1597                             FILESYSTEM__ASSOCIATE, &ad);
1598 }
1599
1600 /* Check whether a task can create a key. */
1601 static int may_create_key(u32 ksid,
1602                           struct task_struct *ctx)
1603 {
1604         u32 sid = task_sid(ctx);
1605
1606         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1607 }
1608
1609 #define MAY_LINK        0
1610 #define MAY_UNLINK      1
1611 #define MAY_RMDIR       2
1612
1613 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1614 static int may_link(struct inode *dir,
1615                     struct dentry *dentry,
1616                     int kind)
1617
1618 {
1619         struct inode_security_struct *dsec, *isec;
1620         struct common_audit_data ad;
1621         u32 sid = current_sid();
1622         u32 av;
1623         int rc;
1624
1625         dsec = dir->i_security;
1626         isec = dentry->d_inode->i_security;
1627
1628         ad.type = LSM_AUDIT_DATA_DENTRY;
1629         ad.u.dentry = dentry;
1630
1631         av = DIR__SEARCH;
1632         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1633         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1634         if (rc)
1635                 return rc;
1636
1637         switch (kind) {
1638         case MAY_LINK:
1639                 av = FILE__LINK;
1640                 break;
1641         case MAY_UNLINK:
1642                 av = FILE__UNLINK;
1643                 break;
1644         case MAY_RMDIR:
1645                 av = DIR__RMDIR;
1646                 break;
1647         default:
1648                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1649                         __func__, kind);
1650                 return 0;
1651         }
1652
1653         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1654         return rc;
1655 }
1656
1657 static inline int may_rename(struct inode *old_dir,
1658                              struct dentry *old_dentry,
1659                              struct inode *new_dir,
1660                              struct dentry *new_dentry)
1661 {
1662         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1663         struct common_audit_data ad;
1664         u32 sid = current_sid();
1665         u32 av;
1666         int old_is_dir, new_is_dir;
1667         int rc;
1668
1669         old_dsec = old_dir->i_security;
1670         old_isec = old_dentry->d_inode->i_security;
1671         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1672         new_dsec = new_dir->i_security;
1673
1674         ad.type = LSM_AUDIT_DATA_DENTRY;
1675
1676         ad.u.dentry = old_dentry;
1677         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1678                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1679         if (rc)
1680                 return rc;
1681         rc = avc_has_perm(sid, old_isec->sid,
1682                           old_isec->sclass, FILE__RENAME, &ad);
1683         if (rc)
1684                 return rc;
1685         if (old_is_dir && new_dir != old_dir) {
1686                 rc = avc_has_perm(sid, old_isec->sid,
1687                                   old_isec->sclass, DIR__REPARENT, &ad);
1688                 if (rc)
1689                         return rc;
1690         }
1691
1692         ad.u.dentry = new_dentry;
1693         av = DIR__ADD_NAME | DIR__SEARCH;
1694         if (new_dentry->d_inode)
1695                 av |= DIR__REMOVE_NAME;
1696         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1697         if (rc)
1698                 return rc;
1699         if (new_dentry->d_inode) {
1700                 new_isec = new_dentry->d_inode->i_security;
1701                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1702                 rc = avc_has_perm(sid, new_isec->sid,
1703                                   new_isec->sclass,
1704                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1705                 if (rc)
1706                         return rc;
1707         }
1708
1709         return 0;
1710 }
1711
1712 /* Check whether a task can perform a filesystem operation. */
1713 static int superblock_has_perm(const struct cred *cred,
1714                                struct super_block *sb,
1715                                u32 perms,
1716                                struct common_audit_data *ad)
1717 {
1718         struct superblock_security_struct *sbsec;
1719         u32 sid = cred_sid(cred);
1720
1721         sbsec = sb->s_security;
1722         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1723 }
1724
1725 /* Convert a Linux mode and permission mask to an access vector. */
1726 static inline u32 file_mask_to_av(int mode, int mask)
1727 {
1728         u32 av = 0;
1729
1730         if (!S_ISDIR(mode)) {
1731                 if (mask & MAY_EXEC)
1732                         av |= FILE__EXECUTE;
1733                 if (mask & MAY_READ)
1734                         av |= FILE__READ;
1735
1736                 if (mask & MAY_APPEND)
1737                         av |= FILE__APPEND;
1738                 else if (mask & MAY_WRITE)
1739                         av |= FILE__WRITE;
1740
1741         } else {
1742                 if (mask & MAY_EXEC)
1743                         av |= DIR__SEARCH;
1744                 if (mask & MAY_WRITE)
1745                         av |= DIR__WRITE;
1746                 if (mask & MAY_READ)
1747                         av |= DIR__READ;
1748         }
1749
1750         return av;
1751 }
1752
1753 /* Convert a Linux file to an access vector. */
1754 static inline u32 file_to_av(struct file *file)
1755 {
1756         u32 av = 0;
1757
1758         if (file->f_mode & FMODE_READ)
1759                 av |= FILE__READ;
1760         if (file->f_mode & FMODE_WRITE) {
1761                 if (file->f_flags & O_APPEND)
1762                         av |= FILE__APPEND;
1763                 else
1764                         av |= FILE__WRITE;
1765         }
1766         if (!av) {
1767                 /*
1768                  * Special file opened with flags 3 for ioctl-only use.
1769                  */
1770                 av = FILE__IOCTL;
1771         }
1772
1773         return av;
1774 }
1775
1776 /*
1777  * Convert a file to an access vector and include the correct open
1778  * open permission.
1779  */
1780 static inline u32 open_file_to_av(struct file *file)
1781 {
1782         u32 av = file_to_av(file);
1783
1784         if (selinux_policycap_openperm)
1785                 av |= FILE__OPEN;
1786
1787         return av;
1788 }
1789
1790 /* Hook functions begin here. */
1791
1792 static int selinux_ptrace_access_check(struct task_struct *child,
1793                                      unsigned int mode)
1794 {
1795         int rc;
1796
1797         rc = cap_ptrace_access_check(child, mode);
1798         if (rc)
1799                 return rc;
1800
1801         if (mode & PTRACE_MODE_READ) {
1802                 u32 sid = current_sid();
1803                 u32 csid = task_sid(child);
1804                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1805         }
1806
1807         return current_has_perm(child, PROCESS__PTRACE);
1808 }
1809
1810 static int selinux_ptrace_traceme(struct task_struct *parent)
1811 {
1812         int rc;
1813
1814         rc = cap_ptrace_traceme(parent);
1815         if (rc)
1816                 return rc;
1817
1818         return task_has_perm(parent, current, PROCESS__PTRACE);
1819 }
1820
1821 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1822                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1823 {
1824         int error;
1825
1826         error = current_has_perm(target, PROCESS__GETCAP);
1827         if (error)
1828                 return error;
1829
1830         return cap_capget(target, effective, inheritable, permitted);
1831 }
1832
1833 static int selinux_capset(struct cred *new, const struct cred *old,
1834                           const kernel_cap_t *effective,
1835                           const kernel_cap_t *inheritable,
1836                           const kernel_cap_t *permitted)
1837 {
1838         int error;
1839
1840         error = cap_capset(new, old,
1841                                       effective, inheritable, permitted);
1842         if (error)
1843                 return error;
1844
1845         return cred_has_perm(old, new, PROCESS__SETCAP);
1846 }
1847
1848 /*
1849  * (This comment used to live with the selinux_task_setuid hook,
1850  * which was removed).
1851  *
1852  * Since setuid only affects the current process, and since the SELinux
1853  * controls are not based on the Linux identity attributes, SELinux does not
1854  * need to control this operation.  However, SELinux does control the use of
1855  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1856  */
1857
1858 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1859                            int cap, int audit)
1860 {
1861         int rc;
1862
1863         rc = cap_capable(cred, ns, cap, audit);
1864         if (rc)
1865                 return rc;
1866
1867         return cred_has_capability(cred, cap, audit);
1868 }
1869
1870 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1871 {
1872         const struct cred *cred = current_cred();
1873         int rc = 0;
1874
1875         if (!sb)
1876                 return 0;
1877
1878         switch (cmds) {
1879         case Q_SYNC:
1880         case Q_QUOTAON:
1881         case Q_QUOTAOFF:
1882         case Q_SETINFO:
1883         case Q_SETQUOTA:
1884                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1885                 break;
1886         case Q_GETFMT:
1887         case Q_GETINFO:
1888         case Q_GETQUOTA:
1889                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1890                 break;
1891         default:
1892                 rc = 0;  /* let the kernel handle invalid cmds */
1893                 break;
1894         }
1895         return rc;
1896 }
1897
1898 static int selinux_quota_on(struct dentry *dentry)
1899 {
1900         const struct cred *cred = current_cred();
1901
1902         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1903 }
1904
1905 static int selinux_syslog(int type)
1906 {
1907         int rc;
1908
1909         switch (type) {
1910         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1911         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1912                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1913                 break;
1914         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1915         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1916         /* Set level of messages printed to console */
1917         case SYSLOG_ACTION_CONSOLE_LEVEL:
1918                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1919                 break;
1920         case SYSLOG_ACTION_CLOSE:       /* Close log */
1921         case SYSLOG_ACTION_OPEN:        /* Open log */
1922         case SYSLOG_ACTION_READ:        /* Read from log */
1923         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1924         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1925         default:
1926                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1927                 break;
1928         }
1929         return rc;
1930 }
1931
1932 /*
1933  * Check that a process has enough memory to allocate a new virtual
1934  * mapping. 0 means there is enough memory for the allocation to
1935  * succeed and -ENOMEM implies there is not.
1936  *
1937  * Do not audit the selinux permission check, as this is applied to all
1938  * processes that allocate mappings.
1939  */
1940 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1941 {
1942         int rc, cap_sys_admin = 0;
1943
1944         rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1945                              SECURITY_CAP_NOAUDIT);
1946         if (rc == 0)
1947                 cap_sys_admin = 1;
1948
1949         return __vm_enough_memory(mm, pages, cap_sys_admin);
1950 }
1951
1952 /* binprm security operations */
1953
1954 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1955 {
1956         const struct task_security_struct *old_tsec;
1957         struct task_security_struct *new_tsec;
1958         struct inode_security_struct *isec;
1959         struct common_audit_data ad;
1960         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1961         int rc;
1962
1963         rc = cap_bprm_set_creds(bprm);
1964         if (rc)
1965                 return rc;
1966
1967         /* SELinux context only depends on initial program or script and not
1968          * the script interpreter */
1969         if (bprm->cred_prepared)
1970                 return 0;
1971
1972         old_tsec = current_security();
1973         new_tsec = bprm->cred->security;
1974         isec = inode->i_security;
1975
1976         /* Default to the current task SID. */
1977         new_tsec->sid = old_tsec->sid;
1978         new_tsec->osid = old_tsec->sid;
1979
1980         /* Reset fs, key, and sock SIDs on execve. */
1981         new_tsec->create_sid = 0;
1982         new_tsec->keycreate_sid = 0;
1983         new_tsec->sockcreate_sid = 0;
1984
1985         if (old_tsec->exec_sid) {
1986                 new_tsec->sid = old_tsec->exec_sid;
1987                 /* Reset exec SID on execve. */
1988                 new_tsec->exec_sid = 0;
1989         } else {
1990                 /* Check for a default transition on this program. */
1991                 rc = security_transition_sid(old_tsec->sid, isec->sid,
1992                                              SECCLASS_PROCESS, NULL,
1993                                              &new_tsec->sid);
1994                 if (rc)
1995                         return rc;
1996         }
1997
1998         ad.type = LSM_AUDIT_DATA_PATH;
1999         ad.u.path = bprm->file->f_path;
2000
2001         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2002                 new_tsec->sid = old_tsec->sid;
2003
2004         if (new_tsec->sid == old_tsec->sid) {
2005                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2006                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2007                 if (rc)
2008                         return rc;
2009         } else {
2010                 /* Check permissions for the transition. */
2011                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2012                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2013                 if (rc)
2014                         return rc;
2015
2016                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2017                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2018                 if (rc)
2019                         return rc;
2020
2021                 /* Check for shared state */
2022                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2023                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2024                                           SECCLASS_PROCESS, PROCESS__SHARE,
2025                                           NULL);
2026                         if (rc)
2027                                 return -EPERM;
2028                 }
2029
2030                 /* Make sure that anyone attempting to ptrace over a task that
2031                  * changes its SID has the appropriate permit */
2032                 if (bprm->unsafe &
2033                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2034                         struct task_struct *tracer;
2035                         struct task_security_struct *sec;
2036                         u32 ptsid = 0;
2037
2038                         rcu_read_lock();
2039                         tracer = ptrace_parent(current);
2040                         if (likely(tracer != NULL)) {
2041                                 sec = __task_cred(tracer)->security;
2042                                 ptsid = sec->sid;
2043                         }
2044                         rcu_read_unlock();
2045
2046                         if (ptsid != 0) {
2047                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2048                                                   SECCLASS_PROCESS,
2049                                                   PROCESS__PTRACE, NULL);
2050                                 if (rc)
2051                                         return -EPERM;
2052                         }
2053                 }
2054
2055                 /* Clear any possibly unsafe personality bits on exec: */
2056                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2057         }
2058
2059         return 0;
2060 }
2061
2062 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2063 {
2064         const struct task_security_struct *tsec = current_security();
2065         u32 sid, osid;
2066         int atsecure = 0;
2067
2068         sid = tsec->sid;
2069         osid = tsec->osid;
2070
2071         if (osid != sid) {
2072                 /* Enable secure mode for SIDs transitions unless
2073                    the noatsecure permission is granted between
2074                    the two SIDs, i.e. ahp returns 0. */
2075                 atsecure = avc_has_perm(osid, sid,
2076                                         SECCLASS_PROCESS,
2077                                         PROCESS__NOATSECURE, NULL);
2078         }
2079
2080         return (atsecure || cap_bprm_secureexec(bprm));
2081 }
2082
2083 /* Derived from fs/exec.c:flush_old_files. */
2084 static inline void flush_unauthorized_files(const struct cred *cred,
2085                                             struct files_struct *files)
2086 {
2087         struct common_audit_data ad;
2088         struct file *file, *devnull = NULL;
2089         struct tty_struct *tty;
2090         struct fdtable *fdt;
2091         long j = -1;
2092         int drop_tty = 0;
2093
2094         tty = get_current_tty();
2095         if (tty) {
2096                 spin_lock(&tty_files_lock);
2097                 if (!list_empty(&tty->tty_files)) {
2098                         struct tty_file_private *file_priv;
2099
2100                         /* Revalidate access to controlling tty.
2101                            Use path_has_perm on the tty path directly rather
2102                            than using file_has_perm, as this particular open
2103                            file may belong to another process and we are only
2104                            interested in the inode-based check here. */
2105                         file_priv = list_first_entry(&tty->tty_files,
2106                                                 struct tty_file_private, list);
2107                         file = file_priv->file;
2108                         if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2109                                 drop_tty = 1;
2110                 }
2111                 spin_unlock(&tty_files_lock);
2112                 tty_kref_put(tty);
2113         }
2114         /* Reset controlling tty. */
2115         if (drop_tty)
2116                 no_tty();
2117
2118         /* Revalidate access to inherited open files. */
2119
2120         ad.type = LSM_AUDIT_DATA_INODE;
2121
2122         spin_lock(&files->file_lock);
2123         for (;;) {
2124                 unsigned long set, i;
2125                 int fd;
2126
2127                 j++;
2128                 i = j * __NFDBITS;
2129                 fdt = files_fdtable(files);
2130                 if (i >= fdt->max_fds)
2131                         break;
2132                 set = fdt->open_fds[j];
2133                 if (!set)
2134                         continue;
2135                 spin_unlock(&files->file_lock);
2136                 for ( ; set ; i++, set >>= 1) {
2137                         if (set & 1) {
2138                                 file = fget(i);
2139                                 if (!file)
2140                                         continue;
2141                                 if (file_has_perm(cred,
2142                                                   file,
2143                                                   file_to_av(file))) {
2144                                         sys_close(i);
2145                                         fd = get_unused_fd();
2146                                         if (fd != i) {
2147                                                 if (fd >= 0)
2148                                                         put_unused_fd(fd);
2149                                                 fput(file);
2150                                                 continue;
2151                                         }
2152                                         if (devnull) {
2153                                                 get_file(devnull);
2154                                         } else {
2155                                                 devnull = dentry_open(
2156                                                         dget(selinux_null),
2157                                                         mntget(selinuxfs_mount),
2158                                                         O_RDWR, cred);
2159                                                 if (IS_ERR(devnull)) {
2160                                                         devnull = NULL;
2161                                                         put_unused_fd(fd);
2162                                                         fput(file);
2163                                                         continue;
2164                                                 }
2165                                         }
2166                                         fd_install(fd, devnull);
2167                                 }
2168                                 fput(file);
2169                         }
2170                 }
2171                 spin_lock(&files->file_lock);
2172
2173         }
2174         spin_unlock(&files->file_lock);
2175 }
2176
2177 /*
2178  * Prepare a process for imminent new credential changes due to exec
2179  */
2180 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2181 {
2182         struct task_security_struct *new_tsec;
2183         struct rlimit *rlim, *initrlim;
2184         int rc, i;
2185
2186         new_tsec = bprm->cred->security;
2187         if (new_tsec->sid == new_tsec->osid)
2188                 return;
2189
2190         /* Close files for which the new task SID is not authorized. */
2191         flush_unauthorized_files(bprm->cred, current->files);
2192
2193         /* Always clear parent death signal on SID transitions. */
2194         current->pdeath_signal = 0;
2195
2196         /* Check whether the new SID can inherit resource limits from the old
2197          * SID.  If not, reset all soft limits to the lower of the current
2198          * task's hard limit and the init task's soft limit.
2199          *
2200          * Note that the setting of hard limits (even to lower them) can be
2201          * controlled by the setrlimit check.  The inclusion of the init task's
2202          * soft limit into the computation is to avoid resetting soft limits
2203          * higher than the default soft limit for cases where the default is
2204          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2205          */
2206         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2207                           PROCESS__RLIMITINH, NULL);
2208         if (rc) {
2209                 /* protect against do_prlimit() */
2210                 task_lock(current);
2211                 for (i = 0; i < RLIM_NLIMITS; i++) {
2212                         rlim = current->signal->rlim + i;
2213                         initrlim = init_task.signal->rlim + i;
2214                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2215                 }
2216                 task_unlock(current);
2217                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2218         }
2219 }
2220
2221 /*
2222  * Clean up the process immediately after the installation of new credentials
2223  * due to exec
2224  */
2225 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2226 {
2227         const struct task_security_struct *tsec = current_security();
2228         struct itimerval itimer;
2229         u32 osid, sid;
2230         int rc, i;
2231
2232         osid = tsec->osid;
2233         sid = tsec->sid;
2234
2235         if (sid == osid)
2236                 return;
2237
2238         /* Check whether the new SID can inherit signal state from the old SID.
2239          * If not, clear itimers to avoid subsequent signal generation and
2240          * flush and unblock signals.
2241          *
2242          * This must occur _after_ the task SID has been updated so that any
2243          * kill done after the flush will be checked against the new SID.
2244          */
2245         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2246         if (rc) {
2247                 memset(&itimer, 0, sizeof itimer);
2248                 for (i = 0; i < 3; i++)
2249                         do_setitimer(i, &itimer, NULL);
2250                 spin_lock_irq(&current->sighand->siglock);
2251                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2252                         __flush_signals(current);
2253                         flush_signal_handlers(current, 1);
2254                         sigemptyset(&current->blocked);
2255                 }
2256                 spin_unlock_irq(&current->sighand->siglock);
2257         }
2258
2259         /* Wake up the parent if it is waiting so that it can recheck
2260          * wait permission to the new task SID. */
2261         read_lock(&tasklist_lock);
2262         __wake_up_parent(current, current->real_parent);
2263         read_unlock(&tasklist_lock);
2264 }
2265
2266 /* superblock security operations */
2267
2268 static int selinux_sb_alloc_security(struct super_block *sb)
2269 {
2270         return superblock_alloc_security(sb);
2271 }
2272
2273 static void selinux_sb_free_security(struct super_block *sb)
2274 {
2275         superblock_free_security(sb);
2276 }
2277
2278 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2279 {
2280         if (plen > olen)
2281                 return 0;
2282
2283         return !memcmp(prefix, option, plen);
2284 }
2285
2286 static inline int selinux_option(char *option, int len)
2287 {
2288         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2289                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2290                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2291                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2292                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2293 }
2294
2295 static inline void take_option(char **to, char *from, int *first, int len)
2296 {
2297         if (!*first) {
2298                 **to = ',';
2299                 *to += 1;
2300         } else
2301                 *first = 0;
2302         memcpy(*to, from, len);
2303         *to += len;
2304 }
2305
2306 static inline void take_selinux_option(char **to, char *from, int *first,
2307                                        int len)
2308 {
2309         int current_size = 0;
2310
2311         if (!*first) {
2312                 **to = '|';
2313                 *to += 1;
2314         } else
2315                 *first = 0;
2316
2317         while (current_size < len) {
2318                 if (*from != '"') {
2319                         **to = *from;
2320                         *to += 1;
2321                 }
2322                 from += 1;
2323                 current_size += 1;
2324         }
2325 }
2326
2327 static int selinux_sb_copy_data(char *orig, char *copy)
2328 {
2329         int fnosec, fsec, rc = 0;
2330         char *in_save, *in_curr, *in_end;
2331         char *sec_curr, *nosec_save, *nosec;
2332         int open_quote = 0;
2333
2334         in_curr = orig;
2335         sec_curr = copy;
2336
2337         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2338         if (!nosec) {
2339                 rc = -ENOMEM;
2340                 goto out;
2341         }
2342
2343         nosec_save = nosec;
2344         fnosec = fsec = 1;
2345         in_save = in_end = orig;
2346
2347         do {
2348                 if (*in_end == '"')
2349                         open_quote = !open_quote;
2350                 if ((*in_end == ',' && open_quote == 0) ||
2351                                 *in_end == '\0') {
2352                         int len = in_end - in_curr;
2353
2354                         if (selinux_option(in_curr, len))
2355                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2356                         else
2357                                 take_option(&nosec, in_curr, &fnosec, len);
2358
2359                         in_curr = in_end + 1;
2360                 }
2361         } while (*in_end++);
2362
2363         strcpy(in_save, nosec_save);
2364         free_page((unsigned long)nosec_save);
2365 out:
2366         return rc;
2367 }
2368
2369 static int selinux_sb_remount(struct super_block *sb, void *data)
2370 {
2371         int rc, i, *flags;
2372         struct security_mnt_opts opts;
2373         char *secdata, **mount_options;
2374         struct superblock_security_struct *sbsec = sb->s_security;
2375
2376         if (!(sbsec->flags & SE_SBINITIALIZED))
2377                 return 0;
2378
2379         if (!data)
2380                 return 0;
2381
2382         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2383                 return 0;
2384
2385         security_init_mnt_opts(&opts);
2386         secdata = alloc_secdata();
2387         if (!secdata)
2388                 return -ENOMEM;
2389         rc = selinux_sb_copy_data(data, secdata);
2390         if (rc)
2391                 goto out_free_secdata;
2392
2393         rc = selinux_parse_opts_str(secdata, &opts);
2394         if (rc)
2395                 goto out_free_secdata;
2396
2397         mount_options = opts.mnt_opts;
2398         flags = opts.mnt_opts_flags;
2399
2400         for (i = 0; i < opts.num_mnt_opts; i++) {
2401                 u32 sid;
2402                 size_t len;
2403
2404                 if (flags[i] == SE_SBLABELSUPP)
2405                         continue;
2406                 len = strlen(mount_options[i]);
2407                 rc = security_context_to_sid(mount_options[i], len, &sid);
2408                 if (rc) {
2409                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2410                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2411                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2412                         goto out_free_opts;
2413                 }
2414                 rc = -EINVAL;
2415                 switch (flags[i]) {
2416                 case FSCONTEXT_MNT:
2417                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2418                                 goto out_bad_option;
2419                         break;
2420                 case CONTEXT_MNT:
2421                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2422                                 goto out_bad_option;
2423                         break;
2424                 case ROOTCONTEXT_MNT: {
2425                         struct inode_security_struct *root_isec;
2426                         root_isec = sb->s_root->d_inode->i_security;
2427
2428                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2429                                 goto out_bad_option;
2430                         break;
2431                 }
2432                 case DEFCONTEXT_MNT:
2433                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2434                                 goto out_bad_option;
2435                         break;
2436                 default:
2437                         goto out_free_opts;
2438                 }
2439         }
2440
2441         rc = 0;
2442 out_free_opts:
2443         security_free_mnt_opts(&opts);
2444 out_free_secdata:
2445         free_secdata(secdata);
2446         return rc;
2447 out_bad_option:
2448         printk(KERN_WARNING "SELinux: unable to change security options "
2449                "during remount (dev %s, type=%s)\n", sb->s_id,
2450                sb->s_type->name);
2451         goto out_free_opts;
2452 }
2453
2454 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2455 {
2456         const struct cred *cred = current_cred();
2457         struct common_audit_data ad;
2458         int rc;
2459
2460         rc = superblock_doinit(sb, data);
2461         if (rc)
2462                 return rc;
2463
2464         /* Allow all mounts performed by the kernel */
2465         if (flags & MS_KERNMOUNT)
2466                 return 0;
2467
2468         ad.type = LSM_AUDIT_DATA_DENTRY;
2469         ad.u.dentry = sb->s_root;
2470         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2471 }
2472
2473 static int selinux_sb_statfs(struct dentry *dentry)
2474 {
2475         const struct cred *cred = current_cred();
2476         struct common_audit_data ad;
2477
2478         ad.type = LSM_AUDIT_DATA_DENTRY;
2479         ad.u.dentry = dentry->d_sb->s_root;
2480         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2481 }
2482
2483 static int selinux_mount(char *dev_name,
2484                          struct path *path,
2485                          char *type,
2486                          unsigned long flags,
2487                          void *data)
2488 {
2489         const struct cred *cred = current_cred();
2490
2491         if (flags & MS_REMOUNT)
2492                 return superblock_has_perm(cred, path->dentry->d_sb,
2493                                            FILESYSTEM__REMOUNT, NULL);
2494         else
2495                 return path_has_perm(cred, path, FILE__MOUNTON);
2496 }
2497
2498 static int selinux_umount(struct vfsmount *mnt, int flags)
2499 {
2500         const struct cred *cred = current_cred();
2501
2502         return superblock_has_perm(cred, mnt->mnt_sb,
2503                                    FILESYSTEM__UNMOUNT, NULL);
2504 }
2505
2506 /* inode security operations */
2507
2508 static int selinux_inode_alloc_security(struct inode *inode)
2509 {
2510         return inode_alloc_security(inode);
2511 }
2512
2513 static void selinux_inode_free_security(struct inode *inode)
2514 {
2515         inode_free_security(inode);
2516 }
2517
2518 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2519                                        const struct qstr *qstr, char **name,
2520                                        void **value, size_t *len)
2521 {
2522         const struct task_security_struct *tsec = current_security();
2523         struct inode_security_struct *dsec;
2524         struct superblock_security_struct *sbsec;
2525         u32 sid, newsid, clen;
2526         int rc;
2527         char *namep = NULL, *context;
2528
2529         dsec = dir->i_security;
2530         sbsec = dir->i_sb->s_security;
2531
2532         sid = tsec->sid;
2533         newsid = tsec->create_sid;
2534
2535         if ((sbsec->flags & SE_SBINITIALIZED) &&
2536             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2537                 newsid = sbsec->mntpoint_sid;
2538         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2539                 rc = security_transition_sid(sid, dsec->sid,
2540                                              inode_mode_to_security_class(inode->i_mode),
2541                                              qstr, &newsid);
2542                 if (rc) {
2543                         printk(KERN_WARNING "%s:  "
2544                                "security_transition_sid failed, rc=%d (dev=%s "
2545                                "ino=%ld)\n",
2546                                __func__,
2547                                -rc, inode->i_sb->s_id, inode->i_ino);
2548                         return rc;
2549                 }
2550         }
2551
2552         /* Possibly defer initialization to selinux_complete_init. */
2553         if (sbsec->flags & SE_SBINITIALIZED) {
2554                 struct inode_security_struct *isec = inode->i_security;
2555                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2556                 isec->sid = newsid;
2557                 isec->initialized = 1;
2558         }
2559
2560         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2561                 return -EOPNOTSUPP;
2562
2563         if (name) {
2564                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2565                 if (!namep)
2566                         return -ENOMEM;
2567                 *name = namep;
2568         }
2569
2570         if (value && len) {
2571                 rc = security_sid_to_context_force(newsid, &context, &clen);
2572                 if (rc) {
2573                         kfree(namep);
2574                         return rc;
2575                 }
2576                 *value = context;
2577                 *len = clen;
2578         }
2579
2580         return 0;
2581 }
2582
2583 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2584 {
2585         return may_create(dir, dentry, SECCLASS_FILE);
2586 }
2587
2588 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2589 {
2590         return may_link(dir, old_dentry, MAY_LINK);
2591 }
2592
2593 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2594 {
2595         return may_link(dir, dentry, MAY_UNLINK);
2596 }
2597
2598 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2599 {
2600         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2601 }
2602
2603 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2604 {
2605         return may_create(dir, dentry, SECCLASS_DIR);
2606 }
2607
2608 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2609 {
2610         return may_link(dir, dentry, MAY_RMDIR);
2611 }
2612
2613 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2614 {
2615         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2616 }
2617
2618 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2619                                 struct inode *new_inode, struct dentry *new_dentry)
2620 {
2621         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2622 }
2623
2624 static int selinux_inode_readlink(struct dentry *dentry)
2625 {
2626         const struct cred *cred = current_cred();
2627
2628         return dentry_has_perm(cred, dentry, FILE__READ);
2629 }
2630
2631 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2632 {
2633         const struct cred *cred = current_cred();
2634
2635         return dentry_has_perm(cred, dentry, FILE__READ);
2636 }
2637
2638 static noinline int audit_inode_permission(struct inode *inode,
2639                                            u32 perms, u32 audited, u32 denied,
2640                                            unsigned flags)
2641 {
2642         struct common_audit_data ad;
2643         struct inode_security_struct *isec = inode->i_security;
2644         int rc;
2645
2646         ad.type = LSM_AUDIT_DATA_INODE;
2647         ad.u.inode = inode;
2648
2649         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2650                             audited, denied, &ad, flags);
2651         if (rc)
2652                 return rc;
2653         return 0;
2654 }
2655
2656 static int selinux_inode_permission(struct inode *inode, int mask)
2657 {
2658         const struct cred *cred = current_cred();
2659         u32 perms;
2660         bool from_access;
2661         unsigned flags = mask & MAY_NOT_BLOCK;
2662         struct inode_security_struct *isec;
2663         u32 sid;
2664         struct av_decision avd;
2665         int rc, rc2;
2666         u32 audited, denied;
2667
2668         from_access = mask & MAY_ACCESS;
2669         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2670
2671         /* No permission to check.  Existence test. */
2672         if (!mask)
2673                 return 0;
2674
2675         validate_creds(cred);
2676
2677         if (unlikely(IS_PRIVATE(inode)))
2678                 return 0;
2679
2680         perms = file_mask_to_av(inode->i_mode, mask);
2681
2682         sid = cred_sid(cred);
2683         isec = inode->i_security;
2684
2685         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2686         audited = avc_audit_required(perms, &avd, rc,
2687                                      from_access ? FILE__AUDIT_ACCESS : 0,
2688                                      &denied);
2689         if (likely(!audited))
2690                 return rc;
2691
2692         rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2693         if (rc2)
2694                 return rc2;
2695         return rc;
2696 }
2697
2698 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2699 {
2700         const struct cred *cred = current_cred();
2701         unsigned int ia_valid = iattr->ia_valid;
2702         __u32 av = FILE__WRITE;
2703
2704         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2705         if (ia_valid & ATTR_FORCE) {
2706                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2707                               ATTR_FORCE);
2708                 if (!ia_valid)
2709                         return 0;
2710         }
2711
2712         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2713                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2714                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2715
2716         if (ia_valid & ATTR_SIZE)
2717                 av |= FILE__OPEN;
2718
2719         return dentry_has_perm(cred, dentry, av);
2720 }
2721
2722 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2723 {
2724         const struct cred *cred = current_cred();
2725         struct path path;
2726
2727         path.dentry = dentry;
2728         path.mnt = mnt;
2729
2730         return path_has_perm(cred, &path, FILE__GETATTR);
2731 }
2732
2733 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2734 {
2735         const struct cred *cred = current_cred();
2736
2737         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2738                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2739                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2740                         if (!capable(CAP_SETFCAP))
2741                                 return -EPERM;
2742                 } else if (!capable(CAP_SYS_ADMIN)) {
2743                         /* A different attribute in the security namespace.
2744                            Restrict to administrator. */
2745                         return -EPERM;
2746                 }
2747         }
2748
2749         /* Not an attribute we recognize, so just check the
2750            ordinary setattr permission. */
2751         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2752 }
2753
2754 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2755                                   const void *value, size_t size, int flags)
2756 {
2757         struct inode *inode = dentry->d_inode;
2758         struct inode_security_struct *isec = inode->i_security;
2759         struct superblock_security_struct *sbsec;
2760         struct common_audit_data ad;
2761         u32 newsid, sid = current_sid();
2762         int rc = 0;
2763
2764         if (strcmp(name, XATTR_NAME_SELINUX))
2765                 return selinux_inode_setotherxattr(dentry, name);
2766
2767         sbsec = inode->i_sb->s_security;
2768         if (!(sbsec->flags & SE_SBLABELSUPP))
2769                 return -EOPNOTSUPP;
2770
2771         if (!inode_owner_or_capable(inode))
2772                 return -EPERM;
2773
2774         ad.type = LSM_AUDIT_DATA_DENTRY;
2775         ad.u.dentry = dentry;
2776
2777         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2778                           FILE__RELABELFROM, &ad);
2779         if (rc)
2780                 return rc;
2781
2782         rc = security_context_to_sid(value, size, &newsid);
2783         if (rc == -EINVAL) {
2784                 if (!capable(CAP_MAC_ADMIN)) {
2785                         struct audit_buffer *ab;
2786                         size_t audit_size;
2787                         const char *str;
2788
2789                         /* We strip a nul only if it is at the end, otherwise the
2790                          * context contains a nul and we should audit that */
2791                         str = value;
2792                         if (str[size - 1] == '\0')
2793                                 audit_size = size - 1;
2794                         else
2795                                 audit_size = size;
2796                         ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2797                         audit_log_format(ab, "op=setxattr invalid_context=");
2798                         audit_log_n_untrustedstring(ab, value, audit_size);
2799                         audit_log_end(ab);
2800
2801                         return rc;
2802                 }
2803                 rc = security_context_to_sid_force(value, size, &newsid);
2804         }
2805         if (rc)
2806                 return rc;
2807
2808         rc = avc_has_perm(sid, newsid, isec->sclass,
2809                           FILE__RELABELTO, &ad);
2810         if (rc)
2811                 return rc;
2812
2813         rc = security_validate_transition(isec->sid, newsid, sid,
2814                                           isec->sclass);
2815         if (rc)
2816                 return rc;
2817
2818         return avc_has_perm(newsid,
2819                             sbsec->sid,
2820                             SECCLASS_FILESYSTEM,
2821                             FILESYSTEM__ASSOCIATE,
2822                             &ad);
2823 }
2824
2825 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2826                                         const void *value, size_t size,
2827                                         int flags)
2828 {
2829         struct inode *inode = dentry->d_inode;
2830         struct inode_security_struct *isec = inode->i_security;
2831         u32 newsid;
2832         int rc;
2833
2834         if (strcmp(name, XATTR_NAME_SELINUX)) {
2835                 /* Not an attribute we recognize, so nothing to do. */
2836                 return;
2837         }
2838
2839         rc = security_context_to_sid_force(value, size, &newsid);
2840         if (rc) {
2841                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2842                        "for (%s, %lu), rc=%d\n",
2843                        inode->i_sb->s_id, inode->i_ino, -rc);
2844                 return;
2845         }
2846
2847         isec->sid = newsid;
2848         return;
2849 }
2850
2851 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2852 {
2853         const struct cred *cred = current_cred();
2854
2855         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2856 }
2857
2858 static int selinux_inode_listxattr(struct dentry *dentry)
2859 {
2860         const struct cred *cred = current_cred();
2861
2862         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2863 }
2864
2865 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2866 {
2867         if (strcmp(name, XATTR_NAME_SELINUX))
2868                 return selinux_inode_setotherxattr(dentry, name);
2869
2870         /* No one is allowed to remove a SELinux security label.
2871            You can change the label, but all data must be labeled. */
2872         return -EACCES;
2873 }
2874
2875 /*
2876  * Copy the inode security context value to the user.
2877  *
2878  * Permission check is handled by selinux_inode_getxattr hook.
2879  */
2880 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2881 {
2882         u32 size;
2883         int error;
2884         char *context = NULL;
2885         struct inode_security_struct *isec = inode->i_security;
2886
2887         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2888                 return -EOPNOTSUPP;
2889
2890         /*
2891          * If the caller has CAP_MAC_ADMIN, then get the raw context
2892          * value even if it is not defined by current policy; otherwise,
2893          * use the in-core value under current policy.
2894          * Use the non-auditing forms of the permission checks since
2895          * getxattr may be called by unprivileged processes commonly
2896          * and lack of permission just means that we fall back to the
2897          * in-core context value, not a denial.
2898          */
2899         error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2900                                 SECURITY_CAP_NOAUDIT);
2901         if (!error)
2902                 error = security_sid_to_context_force(isec->sid, &context,
2903                                                       &size);
2904         else
2905                 error = security_sid_to_context(isec->sid, &context, &size);
2906         if (error)
2907                 return error;
2908         error = size;
2909         if (alloc) {
2910                 *buffer = context;
2911                 goto out_nofree;
2912         }
2913         kfree(context);
2914 out_nofree:
2915         return error;
2916 }
2917
2918 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2919                                      const void *value, size_t size, int flags)
2920 {
2921         struct inode_security_struct *isec = inode->i_security;
2922         u32 newsid;
2923         int rc;
2924
2925         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2926                 return -EOPNOTSUPP;
2927
2928         if (!value || !size)
2929                 return -EACCES;
2930
2931         rc = security_context_to_sid((void *)value, size, &newsid);
2932         if (rc)
2933                 return rc;
2934
2935         isec->sid = newsid;
2936         isec->initialized = 1;
2937         return 0;
2938 }
2939
2940 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2941 {
2942         const int len = sizeof(XATTR_NAME_SELINUX);
2943         if (buffer && len <= buffer_size)
2944                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2945         return len;
2946 }
2947
2948 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2949 {
2950         struct inode_security_struct *isec = inode->i_security;
2951         *secid = isec->sid;
2952 }
2953
2954 /* file security operations */
2955
2956 static int selinux_revalidate_file_permission(struct file *file, int mask)
2957 {
2958         const struct cred *cred = current_cred();
2959         struct inode *inode = file->f_path.dentry->d_inode;
2960
2961         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2962         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2963                 mask |= MAY_APPEND;
2964
2965         return file_has_perm(cred, file,
2966                              file_mask_to_av(inode->i_mode, mask));
2967 }
2968
2969 static int selinux_file_permission(struct file *file, int mask)
2970 {
2971         struct inode *inode = file->f_path.dentry->d_inode;
2972         struct file_security_struct *fsec = file->f_security;
2973         struct inode_security_struct *isec = inode->i_security;
2974         u32 sid = current_sid();
2975
2976         if (!mask)
2977                 /* No permission to check.  Existence test. */
2978                 return 0;
2979
2980         if (sid == fsec->sid && fsec->isid == isec->sid &&
2981             fsec->pseqno == avc_policy_seqno())
2982                 /* No change since file_open check. */
2983                 return 0;
2984
2985         return selinux_revalidate_file_permission(file, mask);
2986 }
2987
2988 static int selinux_file_alloc_security(struct file *file)
2989 {
2990         return file_alloc_security(file);
2991 }
2992
2993 static void selinux_file_free_security(struct file *file)
2994 {
2995         file_free_security(file);
2996 }
2997
2998 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2999                               unsigned long arg)
3000 {
3001         const struct cred *cred = current_cred();
3002         int error = 0;
3003
3004         switch (cmd) {
3005         case FIONREAD:
3006         /* fall through */
3007         case FIBMAP:
3008         /* fall through */
3009         case FIGETBSZ:
3010         /* fall through */
3011         case FS_IOC_GETFLAGS:
3012         /* fall through */
3013         case FS_IOC_GETVERSION:
3014                 error = file_has_perm(cred, file, FILE__GETATTR);
3015                 break;
3016
3017         case FS_IOC_SETFLAGS:
3018         /* fall through */
3019         case FS_IOC_SETVERSION:
3020                 error = file_has_perm(cred, file, FILE__SETATTR);
3021                 break;
3022
3023         /* sys_ioctl() checks */
3024         case FIONBIO:
3025         /* fall through */
3026         case FIOASYNC:
3027                 error = file_has_perm(cred, file, 0);
3028                 break;
3029
3030         case KDSKBENT:
3031         case KDSKBSENT:
3032                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3033                                             SECURITY_CAP_AUDIT);
3034                 break;
3035
3036         /* default case assumes that the command will go
3037          * to the file's ioctl() function.
3038          */
3039         default:
3040                 error = file_has_perm(cred, file, FILE__IOCTL);
3041         }
3042         return error;
3043 }
3044
3045 static int default_noexec;
3046
3047 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3048 {
3049         const struct cred *cred = current_cred();
3050         int rc = 0;
3051
3052         if (default_noexec &&
3053             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3054                 /*
3055                  * We are making executable an anonymous mapping or a
3056                  * private file mapping that will also be writable.
3057                  * This has an additional check.
3058                  */
3059                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3060                 if (rc)
3061                         goto error;
3062         }
3063
3064         if (file) {
3065                 /* read access is always possible with a mapping */
3066                 u32 av = FILE__READ;
3067
3068                 /* write access only matters if the mapping is shared */
3069                 if (shared && (prot & PROT_WRITE))
3070                         av |= FILE__WRITE;
3071
3072                 if (prot & PROT_EXEC)
3073                         av |= FILE__EXECUTE;
3074
3075                 return file_has_perm(cred, file, av);
3076         }
3077
3078 error:
3079         return rc;
3080 }
3081
3082 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3083                              unsigned long prot, unsigned long flags,
3084                              unsigned long addr, unsigned long addr_only)
3085 {
3086         int rc = 0;
3087         u32 sid = current_sid();
3088
3089         /*
3090          * notice that we are intentionally putting the SELinux check before
3091          * the secondary cap_file_mmap check.  This is such a likely attempt
3092          * at bad behaviour/exploit that we always want to get the AVC, even
3093          * if DAC would have also denied the operation.
3094          */
3095         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3096                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3097                                   MEMPROTECT__MMAP_ZERO, NULL);
3098                 if (rc)
3099                         return rc;
3100         }
3101
3102         /* do DAC check on address space usage */
3103         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3104         if (rc || addr_only)
3105                 return rc;
3106
3107         if (selinux_checkreqprot)
3108                 prot = reqprot;
3109
3110         return file_map_prot_check(file, prot,
3111                                    (flags & MAP_TYPE) == MAP_SHARED);
3112 }
3113
3114 static int selinux_file_mprotect(struct vm_area_struct *vma,
3115                                  unsigned long reqprot,
3116                                  unsigned long prot)
3117 {
3118         const struct cred *cred = current_cred();
3119
3120         if (selinux_checkreqprot)
3121                 prot = reqprot;
3122
3123         if (default_noexec &&
3124             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3125                 int rc = 0;
3126                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3127                     vma->vm_end <= vma->vm_mm->brk) {
3128                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3129                 } else if (!vma->vm_file &&
3130                            vma->vm_start <= vma->vm_mm->start_stack &&
3131                            vma->vm_end >= vma->vm_mm->start_stack) {
3132                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3133                 } else if (vma->vm_file && vma->anon_vma) {
3134                         /*
3135                          * We are making executable a file mapping that has
3136                          * had some COW done. Since pages might have been
3137                          * written, check ability to execute the possibly
3138                          * modified content.  This typically should only
3139                          * occur for text relocations.
3140                          */
3141                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3142                 }
3143                 if (rc)
3144                         return rc;
3145         }
3146
3147         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3148 }
3149
3150 static int selinux_file_lock(struct file *file, unsigned int cmd)
3151 {
3152         const struct cred *cred = current_cred();
3153
3154         return file_has_perm(cred, file, FILE__LOCK);
3155 }
3156
3157 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3158                               unsigned long arg)
3159 {
3160         const struct cred *cred = current_cred();
3161         int err = 0;
3162
3163         switch (cmd) {
3164         case F_SETFL:
3165                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3166                         err = -EINVAL;
3167                         break;
3168                 }
3169
3170                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3171                         err = file_has_perm(cred, file, FILE__WRITE);
3172                         break;
3173                 }
3174                 /* fall through */
3175         case F_SETOWN:
3176         case F_SETSIG:
3177         case F_GETFL:
3178         case F_GETOWN:
3179         case F_GETSIG:
3180                 /* Just check FD__USE permission */
3181                 err = file_has_perm(cred, file, 0);
3182                 break;
3183         case F_GETLK:
3184         case F_SETLK:
3185         case F_SETLKW:
3186 #if BITS_PER_LONG == 32
3187         case F_GETLK64:
3188         case F_SETLK64:
3189         case F_SETLKW64:
3190 #endif
3191                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3192                         err = -EINVAL;
3193                         break;
3194                 }
3195                 err = file_has_perm(cred, file, FILE__LOCK);
3196                 break;
3197         }
3198
3199         return err;
3200 }
3201
3202 static int selinux_file_set_fowner(struct file *file)
3203 {
3204         struct file_security_struct *fsec;
3205
3206         fsec = file->f_security;
3207         fsec->fown_sid = current_sid();
3208
3209         return 0;
3210 }
3211
3212 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3213                                        struct fown_struct *fown, int signum)
3214 {
3215         struct file *file;
3216         u32 sid = task_sid(tsk);
3217         u32 perm;
3218         struct file_security_struct *fsec;
3219
3220         /* struct fown_struct is never outside the context of a struct file */
3221         file = container_of(fown, struct file, f_owner);
3222
3223         fsec = file->f_security;
3224
3225         if (!signum)
3226                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3227         else
3228                 perm = signal_to_av(signum);
3229
3230         return avc_has_perm(fsec->fown_sid, sid,
3231                             SECCLASS_PROCESS, perm, NULL);
3232 }
3233
3234 static int selinux_file_receive(struct file *file)
3235 {
3236         const struct cred *cred = current_cred();
3237
3238         return file_has_perm(cred, file, file_to_av(file));
3239 }
3240
3241 static int selinux_file_open(struct file *file, const struct cred *cred)
3242 {
3243         struct file_security_struct *fsec;
3244         struct inode_security_struct *isec;
3245
3246         fsec = file->f_security;
3247         isec = file->f_path.dentry->d_inode->i_security;
3248         /*
3249          * Save inode label and policy sequence number
3250          * at open-time so that selinux_file_permission
3251          * can determine whether revalidation is necessary.
3252          * Task label is already saved in the file security
3253          * struct as its SID.
3254          */
3255         fsec->isid = isec->sid;
3256         fsec->pseqno = avc_policy_seqno();
3257         /*
3258          * Since the inode label or policy seqno may have changed
3259          * between the selinux_inode_permission check and the saving
3260          * of state above, recheck that access is still permitted.
3261          * Otherwise, access might never be revalidated against the
3262          * new inode label or new policy.
3263          * This check is not redundant - do not remove.
3264          */
3265         return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3266 }
3267
3268 /* task security operations */
3269
3270 static int selinux_task_create(unsigned long clone_flags)
3271 {
3272         return current_has_perm(current, PROCESS__FORK);
3273 }
3274
3275 /*
3276  * allocate the SELinux part of blank credentials
3277  */
3278 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3279 {
3280         struct task_security_struct *tsec;
3281
3282         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3283         if (!tsec)
3284                 return -ENOMEM;
3285
3286         cred->security = tsec;
3287         return 0;
3288 }
3289
3290 /*
3291  * detach and free the LSM part of a set of credentials
3292  */
3293 static void selinux_cred_free(struct cred *cred)
3294 {
3295         struct task_security_struct *tsec = cred->security;
3296
3297         /*
3298          * cred->security == NULL if security_cred_alloc_blank() or
3299          * security_prepare_creds() returned an error.
3300          */
3301         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3302         cred->security = (void *) 0x7UL;
3303         kfree(tsec);
3304 }
3305
3306 /*
3307  * prepare a new set of credentials for modification
3308  */
3309 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3310                                 gfp_t gfp)
3311 {
3312         const struct task_security_struct *old_tsec;
3313         struct task_security_struct *tsec;
3314
3315         old_tsec = old->security;
3316
3317         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3318         if (!tsec)
3319                 return -ENOMEM;
3320
3321         new->security = tsec;
3322         return 0;
3323 }
3324
3325 /*
3326  * transfer the SELinux data to a blank set of creds
3327  */
3328 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3329 {
3330         const struct task_security_struct *old_tsec = old->security;
3331         struct task_security_struct *tsec = new->security;
3332
3333         *tsec = *old_tsec;
3334 }
3335
3336 /*
3337  * set the security data for a kernel service
3338  * - all the creation contexts are set to unlabelled
3339  */
3340 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3341 {
3342         struct task_security_struct *tsec = new->security;
3343         u32 sid = current_sid();
3344         int ret;
3345
3346         ret = avc_has_perm(sid, secid,
3347                            SECCLASS_KERNEL_SERVICE,
3348                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3349                            NULL);
3350         if (ret == 0) {
3351                 tsec->sid = secid;
3352                 tsec->create_sid = 0;
3353                 tsec->keycreate_sid = 0;
3354                 tsec->sockcreate_sid = 0;
3355         }
3356         return ret;
3357 }
3358
3359 /*
3360  * set the file creation context in a security record to the same as the
3361  * objective context of the specified inode
3362  */
3363 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3364 {
3365         struct inode_security_struct *isec = inode->i_security;
3366         struct task_security_struct *tsec = new->security;
3367         u32 sid = current_sid();
3368         int ret;
3369
3370         ret = avc_has_perm(sid, isec->sid,
3371                            SECCLASS_KERNEL_SERVICE,
3372                            KERNEL_SERVICE__CREATE_FILES_AS,
3373                            NULL);
3374
3375         if (ret == 0)
3376                 tsec->create_sid = isec->sid;
3377         return ret;
3378 }
3379
3380 static int selinux_kernel_module_request(char *kmod_name)
3381 {
3382         u32 sid;
3383         struct common_audit_data ad;
3384
3385         sid = task_sid(current);
3386
3387         ad.type = LSM_AUDIT_DATA_KMOD;
3388         ad.u.kmod_name = kmod_name;
3389
3390         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3391                             SYSTEM__MODULE_REQUEST, &ad);
3392 }
3393
3394 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3395 {
3396         return current_has_perm(p, PROCESS__SETPGID);
3397 }
3398
3399 static int selinux_task_getpgid(struct task_struct *p)
3400 {
3401         return current_has_perm(p, PROCESS__GETPGID);
3402 }
3403
3404 static int selinux_task_getsid(struct task_struct *p)
3405 {
3406         return current_has_perm(p, PROCESS__GETSESSION);
3407 }
3408
3409 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3410 {
3411         *secid = task_sid(p);
3412 }
3413
3414 static int selinux_task_setnice(struct task_struct *p, int nice)
3415 {
3416         int rc;
3417
3418         rc = cap_task_setnice(p, nice);
3419         if (rc)
3420                 return rc;
3421
3422         return current_has_perm(p, PROCESS__SETSCHED);
3423 }
3424
3425 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3426 {
3427         int rc;
3428
3429         rc = cap_task_setioprio(p, ioprio);
3430         if (rc)
3431                 return rc;
3432
3433         return current_has_perm(p, PROCESS__SETSCHED);
3434 }
3435
3436 static int selinux_task_getioprio(struct task_struct *p)
3437 {
3438         return current_has_perm(p, PROCESS__GETSCHED);
3439 }
3440
3441 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3442                 struct rlimit *new_rlim)
3443 {
3444         struct rlimit *old_rlim = p->signal->rlim + resource;
3445
3446         /* Control the ability to change the hard limit (whether
3447            lowering or raising it), so that the hard limit can
3448            later be used as a safe reset point for the soft limit
3449            upon context transitions.  See selinux_bprm_committing_creds. */
3450         if (old_rlim->rlim_max != new_rlim->rlim_max)
3451                 return current_has_perm(p, PROCESS__SETRLIMIT);
3452
3453         return 0;
3454 }
3455
3456 static int selinux_task_setscheduler(struct task_struct *p)
3457 {
3458         int rc;
3459
3460         rc = cap_task_setscheduler(p);
3461         if (rc)
3462                 return rc;
3463
3464         return current_has_perm(p, PROCESS__SETSCHED);
3465 }
3466
3467 static int selinux_task_getscheduler(struct task_struct *p)
3468 {
3469         return current_has_perm(p, PROCESS__GETSCHED);
3470 }
3471
3472 static int selinux_task_movememory(struct task_struct *p)
3473 {
3474         return current_has_perm(p, PROCESS__SETSCHED);
3475 }
3476
3477 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3478                                 int sig, u32 secid)
3479 {
3480         u32 perm;
3481         int rc;
3482
3483         if (!sig)
3484                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3485         else
3486                 perm = signal_to_av(sig);
3487         if (secid)
3488                 rc = avc_has_perm(secid, task_sid(p),
3489                                   SECCLASS_PROCESS, perm, NULL);
3490         else
3491                 rc = current_has_perm(p, perm);
3492         return rc;
3493 }
3494
3495 static int selinux_task_wait(struct task_struct *p)
3496 {
3497         return task_has_perm(p, current, PROCESS__SIGCHLD);
3498 }
3499
3500 static void selinux_task_to_inode(struct task_struct *p,
3501                                   struct inode *inode)
3502 {
3503         struct inode_security_struct *isec = inode->i_security;
3504         u32 sid = task_sid(p);
3505
3506         isec->sid = sid;
3507         isec->initialized = 1;
3508 }
3509
3510 /* Returns error only if unable to parse addresses */
3511 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3512                         struct common_audit_data *ad, u8 *proto)
3513 {
3514         int offset, ihlen, ret = -EINVAL;
3515         struct iphdr _iph, *ih;
3516
3517         offset = skb_network_offset(skb);
3518         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3519         if (ih == NULL)
3520                 goto out;
3521
3522         ihlen = ih->ihl * 4;
3523         if (ihlen < sizeof(_iph))
3524                 goto out;
3525
3526         ad->u.net->v4info.saddr = ih->saddr;
3527         ad->u.net->v4info.daddr = ih->daddr;
3528         ret = 0;
3529
3530         if (proto)
3531                 *proto = ih->protocol;
3532
3533         switch (ih->protocol) {
3534         case IPPROTO_TCP: {
3535                 struct tcphdr _tcph, *th;
3536
3537                 if (ntohs(ih->frag_off) & IP_OFFSET)
3538                         break;
3539
3540                 offset += ihlen;
3541                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3542                 if (th == NULL)
3543                         break;
3544
3545                 ad->u.net->sport = th->source;
3546                 ad->u.net->dport = th->dest;
3547                 break;
3548         }
3549
3550         case IPPROTO_UDP: {
3551                 struct udphdr _udph, *uh;
3552
3553                 if (ntohs(ih->frag_off) & IP_OFFSET)
3554                         break;
3555
3556                 offset += ihlen;
3557                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3558                 if (uh == NULL)
3559                         break;
3560
3561                 ad->u.net->sport = uh->source;
3562                 ad->u.net->dport = uh->dest;
3563                 break;
3564         }
3565
3566         case IPPROTO_DCCP: {
3567                 struct dccp_hdr _dccph, *dh;
3568
3569                 if (ntohs(ih->frag_off) & IP_OFFSET)
3570                         break;
3571
3572                 offset += ihlen;
3573                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3574                 if (dh == NULL)
3575                         break;
3576
3577                 ad->u.net->sport = dh->dccph_sport;
3578                 ad->u.net->dport = dh->dccph_dport;
3579                 break;
3580         }
3581
3582         default:
3583                 break;
3584         }
3585 out:
3586         return ret;
3587 }
3588
3589 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3590
3591 /* Returns error only if unable to parse addresses */
3592 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3593                         struct common_audit_data *ad, u8 *proto)
3594 {
3595         u8 nexthdr;
3596         int ret = -EINVAL, offset;
3597         struct ipv6hdr _ipv6h, *ip6;
3598         __be16 frag_off;
3599
3600         offset = skb_network_offset(skb);
3601         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3602         if (ip6 == NULL)
3603                 goto out;
3604
3605         ad->u.net->v6info.saddr = ip6->saddr;
3606         ad->u.net->v6info.daddr = ip6->daddr;
3607         ret = 0;
3608
3609         nexthdr = ip6->nexthdr;
3610         offset += sizeof(_ipv6h);
3611         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3612         if (offset < 0)
3613                 goto out;
3614
3615         if (proto)
3616                 *proto = nexthdr;
3617
3618         switch (nexthdr) {
3619         case IPPROTO_TCP: {
3620                 struct tcphdr _tcph, *th;
3621
3622                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3623                 if (th == NULL)
3624                         break;
3625
3626                 ad->u.net->sport = th->source;
3627                 ad->u.net->dport = th->dest;
3628                 break;
3629         }
3630
3631         case IPPROTO_UDP: {
3632                 struct udphdr _udph, *uh;
3633
3634                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3635                 if (uh == NULL)
3636                         break;
3637
3638                 ad->u.net->sport = uh->source;
3639                 ad->u.net->dport = uh->dest;
3640                 break;
3641         }
3642
3643         case IPPROTO_DCCP: {
3644                 struct dccp_hdr _dccph, *dh;
3645
3646                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3647                 if (dh == NULL)
3648                         break;
3649
3650                 ad->u.net->sport = dh->dccph_sport;
3651                 ad->u.net->dport = dh->dccph_dport;
3652                 break;
3653         }
3654
3655         /* includes fragments */
3656         default:
3657                 break;
3658         }
3659 out:
3660         return ret;
3661 }
3662
3663 #endif /* IPV6 */
3664
3665 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3666                              char **_addrp, int src, u8 *proto)
3667 {
3668         char *addrp;
3669         int ret;
3670
3671         switch (ad->u.net->family) {
3672         case PF_INET:
3673                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3674                 if (ret)
3675                         goto parse_error;
3676                 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3677                                        &ad->u.net->v4info.daddr);
3678                 goto okay;
3679
3680 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3681         case PF_INET6:
3682                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3683                 if (ret)
3684                         goto parse_error;
3685                 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3686                                        &ad->u.net->v6info.daddr);
3687                 goto okay;
3688 #endif  /* IPV6 */
3689         default:
3690                 addrp = NULL;
3691                 goto okay;
3692         }
3693
3694 parse_error:
3695         printk(KERN_WARNING
3696                "SELinux: failure in selinux_parse_skb(),"
3697                " unable to parse packet\n");
3698         return ret;
3699
3700 okay:
3701         if (_addrp)
3702                 *_addrp = addrp;
3703         return 0;
3704 }
3705
3706 /**
3707  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3708  * @skb: the packet
3709  * @family: protocol family
3710  * @sid: the packet's peer label SID
3711  *
3712  * Description:
3713  * Check the various different forms of network peer labeling and determine
3714  * the peer label/SID for the packet; most of the magic actually occurs in
3715  * the security server function security_net_peersid_cmp().  The function
3716  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3717  * or -EACCES if @sid is invalid due to inconsistencies with the different
3718  * peer labels.
3719  *
3720  */
3721 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3722 {
3723         int err;
3724         u32 xfrm_sid;
3725         u32 nlbl_sid;
3726         u32 nlbl_type;
3727
3728         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3729         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3730
3731         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3732         if (unlikely(err)) {
3733                 printk(KERN_WARNING
3734                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3735                        " unable to determine packet's peer label\n");
3736                 return -EACCES;
3737         }
3738
3739         return 0;
3740 }
3741
3742 /* socket security operations */
3743
3744 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3745                                  u16 secclass, u32 *socksid)
3746 {
3747         if (tsec->sockcreate_sid > SECSID_NULL) {
3748                 *socksid = tsec->sockcreate_sid;
3749                 return 0;
3750         }
3751
3752         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3753                                        socksid);
3754 }
3755
3756 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3757 {
3758         struct sk_security_struct *sksec = sk->sk_security;
3759         struct common_audit_data ad;
3760         struct lsm_network_audit net = {0,};
3761         u32 tsid = task_sid(task);
3762
3763         if (sksec->sid == SECINITSID_KERNEL)
3764                 return 0;
3765
3766         ad.type = LSM_AUDIT_DATA_NET;
3767         ad.u.net = &net;
3768         ad.u.net->sk = sk;
3769
3770         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3771 }
3772
3773 static int selinux_socket_create(int family, int type,
3774                                  int protocol, int kern)
3775 {
3776         const struct task_security_struct *tsec = current_security();
3777         u32 newsid;
3778         u16 secclass;
3779         int rc;
3780
3781         if (kern)
3782                 return 0;
3783
3784         secclass = socket_type_to_security_class(family, type, protocol);
3785         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3786         if (rc)
3787                 return rc;
3788
3789         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3790 }
3791
3792 static int selinux_socket_post_create(struct socket *sock, int family,
3793                                       int type, int protocol, int kern)
3794 {
3795         const struct task_security_struct *tsec = current_security();
3796         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3797         struct sk_security_struct *sksec;
3798         int err = 0;
3799
3800         isec->sclass = socket_type_to_security_class(family, type, protocol);
3801
3802         if (kern)
3803                 isec->sid = SECINITSID_KERNEL;
3804         else {
3805                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3806                 if (err)
3807                         return err;
3808         }
3809
3810         isec->initialized = 1;
3811
3812         if (sock->sk) {
3813                 sksec = sock->sk->sk_security;
3814                 sksec->sid = isec->sid;
3815                 sksec->sclass = isec->sclass;
3816                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3817         }
3818
3819         return err;
3820 }
3821
3822 /* Range of port numbers used to automatically bind.
3823    Need to determine whether we should perform a name_bind
3824    permission check between the socket and the port number. */
3825
3826 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3827 {
3828         struct sock *sk = sock->sk;
3829         u16 family;
3830         int err;
3831
3832         err = sock_has_perm(current, sk, SOCKET__BIND);
3833         if (err)
3834                 goto out;
3835
3836         /*
3837          * If PF_INET or PF_INET6, check name_bind permission for the port.
3838          * Multiple address binding for SCTP is not supported yet: we just
3839          * check the first address now.
3840          */
3841         family = sk->sk_family;
3842         if (family == PF_INET || family == PF_INET6) {
3843                 char *addrp;
3844                 struct sk_security_struct *sksec = sk->sk_security;
3845                 struct common_audit_data ad;
3846                 struct lsm_network_audit net = {0,};
3847                 struct sockaddr_in *addr4 = NULL;
3848                 struct sockaddr_in6 *addr6 = NULL;
3849                 unsigned short snum;
3850                 u32 sid, node_perm;
3851
3852                 if (family == PF_INET) {
3853                         addr4 = (struct sockaddr_in *)address;
3854                         snum = ntohs(addr4->sin_port);
3855                         addrp = (char *)&addr4->sin_addr.s_addr;
3856                 } else {
3857                         addr6 = (struct sockaddr_in6 *)address;
3858                         snum = ntohs(addr6->sin6_port);
3859                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3860                 }
3861
3862                 if (snum) {
3863                         int low, high;
3864
3865                         inet_get_local_port_range(&low, &high);
3866
3867                         if (snum < max(PROT_SOCK, low) || snum > high) {
3868                                 err = sel_netport_sid(sk->sk_protocol,
3869                                                       snum, &sid);
3870                                 if (err)
3871                                         goto out;
3872                                 ad.type = LSM_AUDIT_DATA_NET;
3873                                 ad.u.net = &net;
3874                                 ad.u.net->sport = htons(snum);
3875                                 ad.u.net->family = family;
3876                                 err = avc_has_perm(sksec->sid, sid,
3877                                                    sksec->sclass,
3878                                                    SOCKET__NAME_BIND, &ad);
3879                                 if (err)
3880                                         goto out;
3881                         }
3882                 }
3883
3884                 switch (sksec->sclass) {
3885                 case SECCLASS_TCP_SOCKET:
3886                         node_perm = TCP_SOCKET__NODE_BIND;
3887                         break;
3888
3889                 case SECCLASS_UDP_SOCKET:
3890                         node_perm = UDP_SOCKET__NODE_BIND;
3891                         break;
3892
3893                 case SECCLASS_DCCP_SOCKET:
3894                         node_perm = DCCP_SOCKET__NODE_BIND;
3895                         break;
3896
3897                 default:
3898                         node_perm = RAWIP_SOCKET__NODE_BIND;
3899                         break;
3900                 }
3901
3902                 err = sel_netnode_sid(addrp, family, &sid);
3903                 if (err)
3904                         goto out;
3905
3906                 ad.type = LSM_AUDIT_DATA_NET;
3907                 ad.u.net = &net;
3908                 ad.u.net->sport = htons(snum);
3909                 ad.u.net->family = family;
3910
3911                 if (family == PF_INET)
3912                         ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3913                 else
3914                         ad.u.net->v6info.saddr = addr6->sin6_addr;
3915
3916                 err = avc_has_perm(sksec->sid, sid,
3917                                    sksec->sclass, node_perm, &ad);
3918                 if (err)
3919                         goto out;
3920         }
3921 out:
3922         return err;
3923 }
3924
3925 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3926 {
3927         struct sock *sk = sock->sk;
3928         struct sk_security_struct *sksec = sk->sk_security;
3929         int err;
3930
3931         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3932         if (err)
3933                 return err;
3934
3935         /*
3936          * If a TCP or DCCP socket, check name_connect permission for the port.
3937          */
3938         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3939             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3940                 struct common_audit_data ad;
3941                 struct lsm_network_audit net = {0,};
3942                 struct sockaddr_in *addr4 = NULL;
3943                 struct sockaddr_in6 *addr6 = NULL;
3944                 unsigned short snum;
3945                 u32 sid, perm;
3946
3947                 if (sk->sk_family == PF_INET) {
3948                         addr4 = (struct sockaddr_in *)address;
3949                         if (addrlen < sizeof(struct sockaddr_in))
3950                                 return -EINVAL;
3951                         snum = ntohs(addr4->sin_port);
3952                 } else {
3953                         addr6 = (struct sockaddr_in6 *)address;
3954                         if (addrlen < SIN6_LEN_RFC2133)
3955                                 return -EINVAL;
3956                         snum = ntohs(addr6->sin6_port);
3957                 }
3958
3959                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3960                 if (err)
3961                         goto out;
3962
3963                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3964                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3965
3966                 ad.type = LSM_AUDIT_DATA_NET;
3967                 ad.u.net = &net;
3968                 ad.u.net->dport = htons(snum);
3969                 ad.u.net->family = sk->sk_family;
3970                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3971                 if (err)
3972                         goto out;
3973         }
3974
3975         err = selinux_netlbl_socket_connect(sk, address);
3976
3977 out:
3978         return err;
3979 }
3980
3981 static int selinux_socket_listen(struct socket *sock, int backlog)
3982 {
3983         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3984 }
3985
3986 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3987 {
3988         int err;
3989         struct inode_security_struct *isec;
3990         struct inode_security_struct *newisec;
3991
3992         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3993         if (err)
3994                 return err;
3995
3996         newisec = SOCK_INODE(newsock)->i_security;
3997
3998         isec = SOCK_INODE(sock)->i_security;
3999         newisec->sclass = isec->sclass;
4000         newisec->sid = isec->sid;
4001         newisec->initialized = 1;
4002
4003         return 0;
4004 }
4005
4006 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4007                                   int size)
4008 {
4009         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4010 }
4011
4012 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4013                                   int size, int flags)
4014 {
4015         return sock_has_perm(current, sock->sk, SOCKET__READ);
4016 }
4017
4018 static int selinux_socket_getsockname(struct socket *sock)
4019 {
4020         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4021 }
4022
4023 static int selinux_socket_getpeername(struct socket *sock)
4024 {
4025         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4026 }
4027
4028 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4029 {
4030         int err;
4031
4032         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4033         if (err)
4034                 return err;
4035
4036         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4037 }
4038
4039 static int selinux_socket_getsockopt(struct socket *sock, int level,
4040                                      int optname)
4041 {
4042         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4043 }
4044
4045 static int selinux_socket_shutdown(struct socket *sock, int how)
4046 {
4047         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4048 }
4049
4050 static int selinux_socket_unix_stream_connect(struct sock *sock,
4051                                               struct sock *other,
4052                                               struct sock *newsk)
4053 {
4054         struct sk_security_struct *sksec_sock = sock->sk_security;
4055         struct sk_security_struct *sksec_other = other->sk_security;
4056         struct sk_security_struct *sksec_new = newsk->sk_security;
4057         struct common_audit_data ad;
4058         struct lsm_network_audit net = {0,};
4059         int err;
4060
4061         ad.type = LSM_AUDIT_DATA_NET;
4062         ad.u.net = &net;
4063         ad.u.net->sk = other;
4064
4065         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4066                            sksec_other->sclass,
4067                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4068         if (err)
4069                 return err;
4070
4071         /* server child socket */
4072         sksec_new->peer_sid = sksec_sock->sid;
4073         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4074                                     &sksec_new->sid);
4075         if (err)
4076                 return err;
4077
4078         /* connecting socket */
4079         sksec_sock->peer_sid = sksec_new->sid;
4080
4081         return 0;
4082 }
4083
4084 static int selinux_socket_unix_may_send(struct socket *sock,
4085                                         struct socket *other)
4086 {
4087         struct sk_security_struct *ssec = sock->sk->sk_security;
4088         struct sk_security_struct *osec = other->sk->sk_security;
4089         struct common_audit_data ad;
4090         struct lsm_network_audit net = {0,};
4091
4092         ad.type = LSM_AUDIT_DATA_NET;
4093         ad.u.net = &net;
4094         ad.u.net->sk = other->sk;
4095
4096         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4097                             &ad);
4098 }
4099
4100 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4101                                     u32 peer_sid,
4102                                     struct common_audit_data *ad)
4103 {
4104         int err;
4105         u32 if_sid;
4106         u32 node_sid;
4107
4108         err = sel_netif_sid(ifindex, &if_sid);
4109         if (err)
4110                 return err;
4111         err = avc_has_perm(peer_sid, if_sid,
4112                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4113         if (err)
4114                 return err;
4115
4116         err = sel_netnode_sid(addrp, family, &node_sid);
4117         if (err)
4118                 return err;
4119         return avc_has_perm(peer_sid, node_sid,
4120                             SECCLASS_NODE, NODE__RECVFROM, ad);
4121 }
4122
4123 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4124                                        u16 family)
4125 {
4126         int err = 0;
4127         struct sk_security_struct *sksec = sk->sk_security;
4128         u32 sk_sid = sksec->sid;
4129         struct common_audit_data ad;
4130         struct lsm_network_audit net = {0,};
4131         char *addrp;
4132
4133         ad.type = LSM_AUDIT_DATA_NET;
4134         ad.u.net = &net;
4135         ad.u.net->netif = skb->skb_iif;
4136         ad.u.net->family = family;
4137         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4138         if (err)
4139                 return err;
4140
4141         if (selinux_secmark_enabled()) {
4142                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4143                                    PACKET__RECV, &ad);
4144                 if (err)
4145                         return err;
4146         }
4147
4148         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4149         if (err)
4150                 return err;
4151         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4152
4153         return err;
4154 }
4155
4156 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4157 {
4158         int err;
4159         struct sk_security_struct *sksec = sk->sk_security;
4160         u16 family = sk->sk_family;
4161         u32 sk_sid = sksec->sid;
4162         struct common_audit_data ad;
4163         struct lsm_network_audit net = {0,};
4164         char *addrp;
4165         u8 secmark_active;
4166         u8 peerlbl_active;
4167
4168         if (family != PF_INET && family != PF_INET6)
4169                 return 0;
4170
4171         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4172         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4173                 family = PF_INET;
4174
4175         /* If any sort of compatibility mode is enabled then handoff processing
4176          * to the selinux_sock_rcv_skb_compat() function to deal with the
4177          * special handling.  We do this in an attempt to keep this function
4178          * as fast and as clean as possible. */
4179         if (!selinux_policycap_netpeer)
4180                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4181
4182         secmark_active = selinux_secmark_enabled();
4183         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4184         if (!secmark_active && !peerlbl_active)
4185                 return 0;
4186
4187         ad.type = LSM_AUDIT_DATA_NET;
4188         ad.u.net = &net;
4189         ad.u.net->netif = skb->skb_iif;
4190         ad.u.net->family = family;
4191         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4192         if (err)
4193                 return err;
4194
4195         if (peerlbl_active) {
4196                 u32 peer_sid;
4197
4198                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4199                 if (err)
4200                         return err;
4201                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4202                                                peer_sid, &ad);
4203                 if (err) {
4204                         selinux_netlbl_err(skb, err, 0);
4205                         return err;
4206                 }
4207                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4208                                    PEER__RECV, &ad);
4209                 if (err)
4210                         selinux_netlbl_err(skb, err, 0);
4211         }
4212
4213         if (secmark_active) {
4214                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4215                                    PACKET__RECV, &ad);
4216                 if (err)
4217                         return err;
4218         }
4219
4220         return err;
4221 }
4222
4223 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4224                                             int __user *optlen, unsigned len)
4225 {
4226         int err = 0;
4227         char *scontext;
4228         u32 scontext_len;
4229         struct sk_security_struct *sksec = sock->sk->sk_security;
4230         u32 peer_sid = SECSID_NULL;
4231
4232         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4233             sksec->sclass == SECCLASS_TCP_SOCKET)
4234                 peer_sid = sksec->peer_sid;
4235         if (peer_sid == SECSID_NULL)
4236                 return -ENOPROTOOPT;
4237
4238         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4239         if (err)
4240                 return err;
4241
4242         if (scontext_len > len) {
4243                 err = -ERANGE;
4244                 goto out_len;
4245         }
4246
4247         if (copy_to_user(optval, scontext, scontext_len))
4248                 err = -EFAULT;
4249
4250 out_len:
4251         if (put_user(scontext_len, optlen))
4252                 err = -EFAULT;
4253         kfree(scontext);
4254         return err;
4255 }
4256
4257 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4258 {
4259         u32 peer_secid = SECSID_NULL;
4260         u16 family;
4261
4262         if (skb && skb->protocol == htons(ETH_P_IP))
4263                 family = PF_INET;
4264         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4265                 family = PF_INET6;
4266         else if (sock)
4267                 family = sock->sk->sk_family;
4268         else
4269                 goto out;
4270
4271         if (sock && family == PF_UNIX)
4272                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4273         else if (skb)
4274                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4275
4276 out:
4277         *secid = peer_secid;
4278         if (peer_secid == SECSID_NULL)
4279                 return -EINVAL;
4280         return 0;
4281 }
4282
4283 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4284 {
4285         struct sk_security_struct *sksec;
4286
4287         sksec = kzalloc(sizeof(*sksec), priority);
4288         if (!sksec)
4289                 return -ENOMEM;
4290
4291         sksec->peer_sid = SECINITSID_UNLABELED;
4292         sksec->sid = SECINITSID_UNLABELED;
4293         selinux_netlbl_sk_security_reset(sksec);
4294         sk->sk_security = sksec;
4295
4296         return 0;
4297 }
4298
4299 static void selinux_sk_free_security(struct sock *sk)
4300 {
4301         struct sk_security_struct *sksec = sk->sk_security;
4302
4303         sk->sk_security = NULL;
4304         selinux_netlbl_sk_security_free(sksec);
4305         kfree(sksec);
4306 }
4307
4308 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4309 {
4310         struct sk_security_struct *sksec = sk->sk_security;
4311         struct sk_security_struct *newsksec = newsk->sk_security;
4312
4313         newsksec->sid = sksec->sid;
4314         newsksec->peer_sid = sksec->peer_sid;
4315         newsksec->sclass = sksec->sclass;
4316
4317         selinux_netlbl_sk_security_reset(newsksec);
4318 }
4319
4320 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4321 {
4322         if (!sk)
4323                 *secid = SECINITSID_ANY_SOCKET;
4324         else {
4325                 struct sk_security_struct *sksec = sk->sk_security;
4326
4327                 *secid = sksec->sid;
4328         }
4329 }
4330
4331 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4332 {
4333         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4334         struct sk_security_struct *sksec = sk->sk_security;
4335
4336         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4337             sk->sk_family == PF_UNIX)
4338                 isec->sid = sksec->sid;
4339         sksec->sclass = isec->sclass;
4340 }
4341
4342 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4343                                      struct request_sock *req)
4344 {
4345         struct sk_security_struct *sksec = sk->sk_security;
4346         int err;
4347         u16 family = sk->sk_family;
4348         u32 newsid;
4349         u32 peersid;
4350
4351         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4352         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4353                 family = PF_INET;
4354
4355         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4356         if (err)
4357                 return err;
4358         if (peersid == SECSID_NULL) {
4359                 req->secid = sksec->sid;
4360                 req->peer_secid = SECSID_NULL;
4361         } else {
4362                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4363                 if (err)
4364                         return err;
4365                 req->secid = newsid;
4366                 req->peer_secid = peersid;
4367         }
4368
4369         return selinux_netlbl_inet_conn_request(req, family);
4370 }
4371
4372 static void selinux_inet_csk_clone(struct sock *newsk,
4373                                    const struct request_sock *req)
4374 {
4375         struct sk_security_struct *newsksec = newsk->sk_security;
4376
4377         newsksec->sid = req->secid;
4378         newsksec->peer_sid = req->peer_secid;
4379         /* NOTE: Ideally, we should also get the isec->sid for the
4380            new socket in sync, but we don't have the isec available yet.
4381            So we will wait until sock_graft to do it, by which
4382            time it will have been created and available. */
4383
4384         /* We don't need to take any sort of lock here as we are the only
4385          * thread with access to newsksec */
4386         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4387 }
4388
4389 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4390 {
4391         u16 family = sk->sk_family;
4392         struct sk_security_struct *sksec = sk->sk_security;
4393
4394         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4395         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4396                 family = PF_INET;
4397
4398         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4399 }
4400
4401 static int selinux_secmark_relabel_packet(u32 sid)
4402 {
4403         const struct task_security_struct *__tsec;
4404         u32 tsid;
4405
4406         __tsec = current_security();
4407         tsid = __tsec->sid;
4408
4409         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4410 }
4411
4412 static void selinux_secmark_refcount_inc(void)
4413 {
4414         atomic_inc(&selinux_secmark_refcount);
4415 }
4416
4417 static void selinux_secmark_refcount_dec(void)
4418 {
4419         atomic_dec(&selinux_secmark_refcount);
4420 }
4421
4422 static void selinux_req_classify_flow(const struct request_sock *req,
4423                                       struct flowi *fl)
4424 {
4425         fl->flowi_secid = req->secid;
4426 }
4427
4428 static int selinux_tun_dev_create(void)
4429 {
4430         u32 sid = current_sid();
4431
4432         /* we aren't taking into account the "sockcreate" SID since the socket
4433          * that is being created here is not a socket in the traditional sense,
4434          * instead it is a private sock, accessible only to the kernel, and
4435          * representing a wide range of network traffic spanning multiple
4436          * connections unlike traditional sockets - check the TUN driver to
4437          * get a better understanding of why this socket is special */
4438
4439         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4440                             NULL);
4441 }
4442
4443 static void selinux_tun_dev_post_create(struct sock *sk)
4444 {
4445         struct sk_security_struct *sksec = sk->sk_security;
4446
4447         /* we don't currently perform any NetLabel based labeling here and it
4448          * isn't clear that we would want to do so anyway; while we could apply
4449          * labeling without the support of the TUN user the resulting labeled
4450          * traffic from the other end of the connection would almost certainly
4451          * cause confusion to the TUN user that had no idea network labeling
4452          * protocols were being used */
4453
4454         /* see the comments in selinux_tun_dev_create() about why we don't use
4455          * the sockcreate SID here */
4456
4457         sksec->sid = current_sid();
4458         sksec->sclass = SECCLASS_TUN_SOCKET;
4459 }
4460
4461 static int selinux_tun_dev_attach(struct sock *sk)
4462 {
4463         struct sk_security_struct *sksec = sk->sk_security;
4464         u32 sid = current_sid();
4465         int err;
4466
4467         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4468                            TUN_SOCKET__RELABELFROM, NULL);
4469         if (err)
4470                 return err;
4471         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4472                            TUN_SOCKET__RELABELTO, NULL);
4473         if (err)
4474                 return err;
4475
4476         sksec->sid = sid;
4477
4478         return 0;
4479 }
4480
4481 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4482 {
4483         int err = 0;
4484         u32 perm;
4485         struct nlmsghdr *nlh;
4486         struct sk_security_struct *sksec = sk->sk_security;
4487
4488         if (skb->len < NLMSG_SPACE(0)) {
4489                 err = -EINVAL;
4490                 goto out;
4491         }
4492         nlh = nlmsg_hdr(skb);
4493
4494         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4495         if (err) {
4496                 if (err == -EINVAL) {
4497                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4498                                   "SELinux:  unrecognized netlink message"
4499                                   " type=%hu for sclass=%hu\n",
4500                                   nlh->nlmsg_type, sksec->sclass);
4501                         if (!selinux_enforcing || security_get_allow_unknown())
4502                                 err = 0;
4503                 }
4504
4505                 /* Ignore */
4506                 if (err == -ENOENT)
4507                         err = 0;
4508                 goto out;
4509         }
4510
4511         err = sock_has_perm(current, sk, perm);
4512 out:
4513         return err;
4514 }
4515
4516 #ifdef CONFIG_NETFILTER
4517
4518 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4519                                        u16 family)
4520 {
4521         int err;
4522         char *addrp;
4523         u32 peer_sid;
4524         struct common_audit_data ad;
4525         struct lsm_network_audit net = {0,};
4526         u8 secmark_active;
4527         u8 netlbl_active;
4528         u8 peerlbl_active;
4529
4530         if (!selinux_policycap_netpeer)
4531                 return NF_ACCEPT;
4532
4533         secmark_active = selinux_secmark_enabled();
4534         netlbl_active = netlbl_enabled();
4535         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4536         if (!secmark_active && !peerlbl_active)
4537                 return NF_ACCEPT;
4538
4539         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4540                 return NF_DROP;
4541
4542         ad.type = LSM_AUDIT_DATA_NET;
4543         ad.u.net = &net;
4544         ad.u.net->netif = ifindex;
4545         ad.u.net->family = family;
4546         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4547                 return NF_DROP;
4548
4549         if (peerlbl_active) {
4550                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4551                                                peer_sid, &ad);
4552                 if (err) {
4553                         selinux_netlbl_err(skb, err, 1);
4554                         return NF_DROP;
4555                 }
4556         }
4557
4558         if (secmark_active)
4559                 if (avc_has_perm(peer_sid, skb->secmark,
4560                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4561                         return NF_DROP;
4562
4563         if (netlbl_active)
4564                 /* we do this in the FORWARD path and not the POST_ROUTING
4565                  * path because we want to make sure we apply the necessary
4566                  * labeling before IPsec is applied so we can leverage AH
4567                  * protection */
4568                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4569                         return NF_DROP;
4570
4571         return NF_ACCEPT;
4572 }
4573
4574 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4575                                          struct sk_buff *skb,
4576                                          const struct net_device *in,
4577                                          const struct net_device *out,
4578                                          int (*okfn)(struct sk_buff *))
4579 {
4580         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4581 }
4582
4583 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4584 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4585                                          struct sk_buff *skb,
4586                                          const struct net_device *in,
4587                                          const struct net_device *out,
4588                                          int (*okfn)(struct sk_buff *))
4589 {
4590         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4591 }
4592 #endif  /* IPV6 */
4593
4594 static unsigned int selinux_ip_output(struct sk_buff *skb,
4595                                       u16 family)
4596 {
4597         u32 sid;
4598
4599         if (!netlbl_enabled())
4600                 return NF_ACCEPT;
4601
4602         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4603          * because we want to make sure we apply the necessary labeling
4604          * before IPsec is applied so we can leverage AH protection */
4605         if (skb->sk) {
4606                 struct sk_security_struct *sksec = skb->sk->sk_security;
4607                 sid = sksec->sid;
4608         } else
4609                 sid = SECINITSID_KERNEL;
4610         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4611                 return NF_DROP;
4612
4613         return NF_ACCEPT;
4614 }
4615
4616 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4617                                         struct sk_buff *skb,
4618                                         const struct net_device *in,
4619                                         const struct net_device *out,
4620                                         int (*okfn)(struct sk_buff *))
4621 {
4622         return selinux_ip_output(skb, PF_INET);
4623 }
4624
4625 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4626                                                 int ifindex,
4627                                                 u16 family)
4628 {
4629         struct sock *sk = skb->sk;
4630         struct sk_security_struct *sksec;
4631         struct common_audit_data ad;
4632         struct lsm_network_audit net = {0,};
4633         char *addrp;
4634         u8 proto;
4635
4636         if (sk == NULL)
4637                 return NF_ACCEPT;
4638         sksec = sk->sk_security;
4639
4640         ad.type = LSM_AUDIT_DATA_NET;
4641         ad.u.net = &net;
4642         ad.u.net->netif = ifindex;
4643         ad.u.net->family = family;
4644         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4645                 return NF_DROP;
4646
4647         if (selinux_secmark_enabled())
4648                 if (avc_has_perm(sksec->sid, skb->secmark,
4649                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4650                         return NF_DROP_ERR(-ECONNREFUSED);
4651
4652         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4653                 return NF_DROP_ERR(-ECONNREFUSED);
4654
4655         return NF_ACCEPT;
4656 }
4657
4658 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4659                                          u16 family)
4660 {
4661         u32 secmark_perm;
4662         u32 peer_sid;
4663         struct sock *sk;
4664         struct common_audit_data ad;
4665         struct lsm_network_audit net = {0,};
4666         char *addrp;
4667         u8 secmark_active;
4668         u8 peerlbl_active;
4669
4670         /* If any sort of compatibility mode is enabled then handoff processing
4671          * to the selinux_ip_postroute_compat() function to deal with the
4672          * special handling.  We do this in an attempt to keep this function
4673          * as fast and as clean as possible. */
4674         if (!selinux_policycap_netpeer)
4675                 return selinux_ip_postroute_compat(skb, ifindex, family);
4676 #ifdef CONFIG_XFRM
4677         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4678          * packet transformation so allow the packet to pass without any checks
4679          * since we'll have another chance to perform access control checks
4680          * when the packet is on it's final way out.
4681          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4682          *       is NULL, in this case go ahead and apply access control. */
4683         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4684                 return NF_ACCEPT;
4685 #endif
4686         secmark_active = selinux_secmark_enabled();
4687         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4688         if (!secmark_active && !peerlbl_active)
4689                 return NF_ACCEPT;
4690
4691         /* if the packet is being forwarded then get the peer label from the
4692          * packet itself; otherwise check to see if it is from a local
4693          * application or the kernel, if from an application get the peer label
4694          * from the sending socket, otherwise use the kernel's sid */
4695         sk = skb->sk;
4696         if (sk == NULL) {
4697                 if (skb->skb_iif) {
4698                         secmark_perm = PACKET__FORWARD_OUT;
4699                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4700                                 return NF_DROP;
4701                 } else {
4702                         secmark_perm = PACKET__SEND;
4703                         peer_sid = SECINITSID_KERNEL;
4704                 }
4705         } else {
4706                 struct sk_security_struct *sksec = sk->sk_security;
4707                 peer_sid = sksec->sid;
4708                 secmark_perm = PACKET__SEND;
4709         }
4710
4711         ad.type = LSM_AUDIT_DATA_NET;
4712         ad.u.net = &net;
4713         ad.u.net->netif = ifindex;
4714         ad.u.net->family = family;
4715         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4716                 return NF_DROP;
4717
4718         if (secmark_active)
4719                 if (avc_has_perm(peer_sid, skb->secmark,
4720                                  SECCLASS_PACKET, secmark_perm, &ad))
4721                         return NF_DROP_ERR(-ECONNREFUSED);
4722
4723         if (peerlbl_active) {
4724                 u32 if_sid;
4725                 u32 node_sid;
4726
4727                 if (sel_netif_sid(ifindex, &if_sid))
4728                         return NF_DROP;
4729                 if (avc_has_perm(peer_sid, if_sid,
4730                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4731                         return NF_DROP_ERR(-ECONNREFUSED);
4732
4733                 if (sel_netnode_sid(addrp, family, &node_sid))
4734                         return NF_DROP;
4735                 if (avc_has_perm(peer_sid, node_sid,
4736                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4737                         return NF_DROP_ERR(-ECONNREFUSED);
4738         }
4739
4740         return NF_ACCEPT;
4741 }
4742
4743 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4744                                            struct sk_buff *skb,
4745                                            const struct net_device *in,
4746                                            const struct net_device *out,
4747                                            int (*okfn)(struct sk_buff *))
4748 {
4749         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4750 }
4751
4752 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4753 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4754                                            struct sk_buff *skb,
4755                                            const struct net_device *in,
4756                                            const struct net_device *out,
4757                                            int (*okfn)(struct sk_buff *))
4758 {
4759         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4760 }
4761 #endif  /* IPV6 */
4762
4763 #endif  /* CONFIG_NETFILTER */
4764
4765 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4766 {
4767         int err;
4768
4769         err = cap_netlink_send(sk, skb);
4770         if (err)
4771                 return err;
4772
4773         return selinux_nlmsg_perm(sk, skb);
4774 }
4775
4776 static int ipc_alloc_security(struct task_struct *task,
4777                               struct kern_ipc_perm *perm,
4778                               u16 sclass)
4779 {
4780         struct ipc_security_struct *isec;
4781         u32 sid;
4782
4783         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4784         if (!isec)
4785                 return -ENOMEM;
4786
4787         sid = task_sid(task);
4788         isec->sclass = sclass;
4789         isec->sid = sid;
4790         perm->security = isec;
4791
4792         return 0;
4793 }
4794
4795 static void ipc_free_security(struct kern_ipc_perm *perm)
4796 {
4797         struct ipc_security_struct *isec = perm->security;
4798         perm->security = NULL;
4799         kfree(isec);
4800 }
4801
4802 static int msg_msg_alloc_security(struct msg_msg *msg)
4803 {
4804         struct msg_security_struct *msec;
4805
4806         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4807         if (!msec)
4808                 return -ENOMEM;
4809
4810         msec->sid = SECINITSID_UNLABELED;
4811         msg->security = msec;
4812
4813         return 0;
4814 }
4815
4816 static void msg_msg_free_security(struct msg_msg *msg)
4817 {
4818         struct msg_security_struct *msec = msg->security;
4819
4820         msg->security = NULL;
4821         kfree(msec);
4822 }
4823
4824 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4825                         u32 perms)
4826 {
4827         struct ipc_security_struct *isec;
4828         struct common_audit_data ad;
4829         u32 sid = current_sid();
4830
4831         isec = ipc_perms->security;
4832
4833         ad.type = LSM_AUDIT_DATA_IPC;
4834         ad.u.ipc_id = ipc_perms->key;
4835
4836         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4837 }
4838
4839 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4840 {
4841         return msg_msg_alloc_security(msg);
4842 }
4843
4844 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4845 {
4846         msg_msg_free_security(msg);
4847 }
4848
4849 /* message queue security operations */
4850 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4851 {
4852         struct ipc_security_struct *isec;
4853         struct common_audit_data ad;
4854         u32 sid = current_sid();
4855         int rc;
4856
4857         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4858         if (rc)
4859                 return rc;
4860
4861         isec = msq->q_perm.security;
4862
4863         ad.type = LSM_AUDIT_DATA_IPC;
4864         ad.u.ipc_id = msq->q_perm.key;
4865
4866         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4867                           MSGQ__CREATE, &ad);
4868         if (rc) {
4869                 ipc_free_security(&msq->q_perm);
4870                 return rc;
4871         }
4872         return 0;
4873 }
4874
4875 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4876 {
4877         ipc_free_security(&msq->q_perm);
4878 }
4879
4880 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4881 {
4882         struct ipc_security_struct *isec;
4883         struct common_audit_data ad;
4884         u32 sid = current_sid();
4885
4886         isec = msq->q_perm.security;
4887
4888         ad.type = LSM_AUDIT_DATA_IPC;
4889         ad.u.ipc_id = msq->q_perm.key;
4890
4891         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4892                             MSGQ__ASSOCIATE, &ad);
4893 }
4894
4895 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4896 {
4897         int err;
4898         int perms;
4899
4900         switch (cmd) {
4901         case IPC_INFO:
4902         case MSG_INFO:
4903                 /* No specific object, just general system-wide information. */
4904                 return task_has_system(current, SYSTEM__IPC_INFO);
4905         case IPC_STAT:
4906         case MSG_STAT:
4907                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4908                 break;
4909         case IPC_SET:
4910                 perms = MSGQ__SETATTR;
4911                 break;
4912         case IPC_RMID:
4913                 perms = MSGQ__DESTROY;
4914                 break;
4915         default:
4916                 return 0;
4917         }
4918
4919         err = ipc_has_perm(&msq->q_perm, perms);
4920         return err;
4921 }
4922
4923 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4924 {
4925         struct ipc_security_struct *isec;
4926         struct msg_security_struct *msec;
4927         struct common_audit_data ad;
4928         u32 sid = current_sid();
4929         int rc;
4930
4931         isec = msq->q_perm.security;
4932         msec = msg->security;
4933
4934         /*
4935          * First time through, need to assign label to the message
4936          */
4937         if (msec->sid == SECINITSID_UNLABELED) {
4938                 /*
4939                  * Compute new sid based on current process and
4940                  * message queue this message will be stored in
4941                  */
4942                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4943                                              NULL, &msec->sid);
4944                 if (rc)
4945                         return rc;
4946         }
4947
4948         ad.type = LSM_AUDIT_DATA_IPC;
4949         ad.u.ipc_id = msq->q_perm.key;
4950
4951         /* Can this process write to the queue? */
4952         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4953                           MSGQ__WRITE, &ad);
4954         if (!rc)
4955                 /* Can this process send the message */
4956                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4957                                   MSG__SEND, &ad);
4958         if (!rc)
4959                 /* Can the message be put in the queue? */
4960                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4961                                   MSGQ__ENQUEUE, &ad);
4962
4963         return rc;
4964 }
4965
4966 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4967                                     struct task_struct *target,
4968                                     long type, int mode)
4969 {
4970         struct ipc_security_struct *isec;
4971         struct msg_security_struct *msec;
4972         struct common_audit_data ad;
4973         u32 sid = task_sid(target);
4974         int rc;
4975
4976         isec = msq->q_perm.security;
4977         msec = msg->security;
4978
4979         ad.type = LSM_AUDIT_DATA_IPC;
4980         ad.u.ipc_id = msq->q_perm.key;
4981
4982         rc = avc_has_perm(sid, isec->sid,
4983                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4984         if (!rc)
4985                 rc = avc_has_perm(sid, msec->sid,
4986                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4987         return rc;
4988 }
4989
4990 /* Shared Memory security operations */
4991 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4992 {
4993         struct ipc_security_struct *isec;
4994         struct common_audit_data ad;
4995         u32 sid = current_sid();
4996         int rc;
4997
4998         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4999         if (rc)
5000                 return rc;
5001
5002         isec = shp->shm_perm.security;
5003
5004         ad.type = LSM_AUDIT_DATA_IPC;
5005         ad.u.ipc_id = shp->shm_perm.key;
5006
5007         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5008                           SHM__CREATE, &ad);
5009         if (rc) {
5010                 ipc_free_security(&shp->shm_perm);
5011                 return rc;
5012         }
5013         return 0;
5014 }
5015
5016 static void selinux_shm_free_security(struct shmid_kernel *shp)
5017 {
5018         ipc_free_security(&shp->shm_perm);
5019 }
5020
5021 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5022 {
5023         struct ipc_security_struct *isec;
5024         struct common_audit_data ad;
5025         u32 sid = current_sid();
5026
5027         isec = shp->shm_perm.security;
5028
5029         ad.type = LSM_AUDIT_DATA_IPC;
5030         ad.u.ipc_id = shp->shm_perm.key;
5031
5032         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5033                             SHM__ASSOCIATE, &ad);
5034 }
5035
5036 /* Note, at this point, shp is locked down */
5037 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5038 {
5039         int perms;
5040         int err;
5041
5042         switch (cmd) {
5043         case IPC_INFO:
5044         case SHM_INFO:
5045                 /* No specific object, just general system-wide information. */
5046                 return task_has_system(current, SYSTEM__IPC_INFO);
5047         case IPC_STAT:
5048         case SHM_STAT:
5049                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5050                 break;
5051         case IPC_SET:
5052                 perms = SHM__SETATTR;
5053                 break;
5054         case SHM_LOCK:
5055         case SHM_UNLOCK:
5056                 perms = SHM__LOCK;
5057                 break;
5058         case IPC_RMID:
5059                 perms = SHM__DESTROY;
5060                 break;
5061         default:
5062                 return 0;
5063         }
5064
5065         err = ipc_has_perm(&shp->shm_perm, perms);
5066         return err;
5067 }
5068
5069 static int selinux_shm_shmat(struct shmid_kernel *shp,
5070                              char __user *shmaddr, int shmflg)
5071 {
5072         u32 perms;
5073
5074         if (shmflg & SHM_RDONLY)
5075                 perms = SHM__READ;
5076         else
5077                 perms = SHM__READ | SHM__WRITE;
5078
5079         return ipc_has_perm(&shp->shm_perm, perms);
5080 }
5081
5082 /* Semaphore security operations */
5083 static int selinux_sem_alloc_security(struct sem_array *sma)
5084 {
5085         struct ipc_security_struct *isec;
5086         struct common_audit_data ad;
5087         u32 sid = current_sid();
5088         int rc;
5089
5090         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5091         if (rc)
5092                 return rc;
5093
5094         isec = sma->sem_perm.security;
5095
5096         ad.type = LSM_AUDIT_DATA_IPC;
5097         ad.u.ipc_id = sma->sem_perm.key;
5098
5099         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5100                           SEM__CREATE, &ad);
5101         if (rc) {
5102                 ipc_free_security(&sma->sem_perm);
5103                 return rc;
5104         }
5105         return 0;
5106 }
5107
5108 static void selinux_sem_free_security(struct sem_array *sma)
5109 {
5110         ipc_free_security(&sma->sem_perm);
5111 }
5112
5113 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5114 {
5115         struct ipc_security_struct *isec;
5116         struct common_audit_data ad;
5117         u32 sid = current_sid();
5118
5119         isec = sma->sem_perm.security;
5120
5121         ad.type = LSM_AUDIT_DATA_IPC;
5122         ad.u.ipc_id = sma->sem_perm.key;
5123
5124         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5125                             SEM__ASSOCIATE, &ad);
5126 }
5127
5128 /* Note, at this point, sma is locked down */
5129 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5130 {
5131         int err;
5132         u32 perms;
5133
5134         switch (cmd) {
5135         case IPC_INFO:
5136         case SEM_INFO:
5137                 /* No specific object, just general system-wide information. */
5138                 return task_has_system(current, SYSTEM__IPC_INFO);
5139         case GETPID:
5140         case GETNCNT:
5141         case GETZCNT:
5142                 perms = SEM__GETATTR;
5143                 break;
5144         case GETVAL:
5145         case GETALL:
5146                 perms = SEM__READ;
5147                 break;
5148         case SETVAL:
5149         case SETALL:
5150                 perms = SEM__WRITE;
5151                 break;
5152         case IPC_RMID:
5153                 perms = SEM__DESTROY;
5154                 break;
5155         case IPC_SET:
5156                 perms = SEM__SETATTR;
5157                 break;
5158         case IPC_STAT:
5159         case SEM_STAT:
5160                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5161                 break;
5162         default:
5163                 return 0;
5164         }
5165
5166         err = ipc_has_perm(&sma->sem_perm, perms);
5167         return err;
5168 }
5169
5170 static int selinux_sem_semop(struct sem_array *sma,
5171                              struct sembuf *sops, unsigned nsops, int alter)
5172 {
5173         u32 perms;
5174
5175         if (alter)
5176                 perms = SEM__READ | SEM__WRITE;
5177         else
5178                 perms = SEM__READ;
5179
5180         return ipc_has_perm(&sma->sem_perm, perms);
5181 }
5182
5183 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5184 {
5185         u32 av = 0;
5186
5187         av = 0;
5188         if (flag & S_IRUGO)
5189                 av |= IPC__UNIX_READ;
5190         if (flag & S_IWUGO)
5191                 av |= IPC__UNIX_WRITE;
5192
5193         if (av == 0)
5194                 return 0;
5195
5196         return ipc_has_perm(ipcp, av);
5197 }
5198
5199 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5200 {
5201         struct ipc_security_struct *isec = ipcp->security;
5202         *secid = isec->sid;
5203 }
5204
5205 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5206 {
5207         if (inode)
5208                 inode_doinit_with_dentry(inode, dentry);
5209 }
5210
5211 static int selinux_getprocattr(struct task_struct *p,
5212                                char *name, char **value)
5213 {
5214         const struct task_security_struct *__tsec;
5215         u32 sid;
5216         int error;
5217         unsigned len;
5218
5219         if (current != p) {
5220                 error = current_has_perm(p, PROCESS__GETATTR);
5221                 if (error)
5222                         return error;
5223         }
5224
5225         rcu_read_lock();
5226         __tsec = __task_cred(p)->security;
5227
5228         if (!strcmp(name, "current"))
5229                 sid = __tsec->sid;
5230         else if (!strcmp(name, "prev"))
5231                 sid = __tsec->osid;
5232         else if (!strcmp(name, "exec"))
5233                 sid = __tsec->exec_sid;
5234         else if (!strcmp(name, "fscreate"))
5235                 sid = __tsec->create_sid;
5236         else if (!strcmp(name, "keycreate"))
5237                 sid = __tsec->keycreate_sid;
5238         else if (!strcmp(name, "sockcreate"))
5239                 sid = __tsec->sockcreate_sid;
5240         else
5241                 goto invalid;
5242         rcu_read_unlock();
5243
5244         if (!sid)
5245                 return 0;
5246
5247         error = security_sid_to_context(sid, value, &len);
5248         if (error)
5249                 return error;
5250         return len;
5251
5252 invalid:
5253         rcu_read_unlock();
5254         return -EINVAL;
5255 }
5256
5257 static int selinux_setprocattr(struct task_struct *p,
5258                                char *name, void *value, size_t size)
5259 {
5260         struct task_security_struct *tsec;
5261         struct task_struct *tracer;
5262         struct cred *new;
5263         u32 sid = 0, ptsid;
5264         int error;
5265         char *str = value;
5266
5267         if (current != p) {
5268                 /* SELinux only allows a process to change its own
5269                    security attributes. */
5270                 return -EACCES;
5271         }
5272
5273         /*
5274          * Basic control over ability to set these attributes at all.
5275          * current == p, but we'll pass them separately in case the
5276          * above restriction is ever removed.
5277          */
5278         if (!strcmp(name, "exec"))
5279                 error = current_has_perm(p, PROCESS__SETEXEC);
5280         else if (!strcmp(name, "fscreate"))
5281                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5282         else if (!strcmp(name, "keycreate"))
5283                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5284         else if (!strcmp(name, "sockcreate"))
5285                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5286         else if (!strcmp(name, "current"))
5287                 error = current_has_perm(p, PROCESS__SETCURRENT);
5288         else
5289                 error = -EINVAL;
5290         if (error)
5291                 return error;
5292
5293         /* Obtain a SID for the context, if one was specified. */
5294         if (size && str[1] && str[1] != '\n') {
5295                 if (str[size-1] == '\n') {
5296                         str[size-1] = 0;
5297                         size--;
5298                 }
5299                 error = security_context_to_sid(value, size, &sid);
5300                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5301                         if (!capable(CAP_MAC_ADMIN)) {
5302                                 struct audit_buffer *ab;
5303                                 size_t audit_size;
5304
5305                                 /* We strip a nul only if it is at the end, otherwise the
5306                                  * context contains a nul and we should audit that */
5307                                 if (str[size - 1] == '\0')
5308                                         audit_size = size - 1;
5309                                 else
5310                                         audit_size = size;
5311                                 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5312                                 audit_log_format(ab, "op=fscreate invalid_context=");
5313                                 audit_log_n_untrustedstring(ab, value, audit_size);
5314                                 audit_log_end(ab);
5315
5316                                 return error;
5317                         }
5318                         error = security_context_to_sid_force(value, size,
5319                                                               &sid);
5320                 }
5321                 if (error)
5322                         return error;
5323         }
5324
5325         new = prepare_creds();
5326         if (!new)
5327                 return -ENOMEM;
5328
5329         /* Permission checking based on the specified context is
5330            performed during the actual operation (execve,
5331            open/mkdir/...), when we know the full context of the
5332            operation.  See selinux_bprm_set_creds for the execve
5333            checks and may_create for the file creation checks. The
5334            operation will then fail if the context is not permitted. */
5335         tsec = new->security;
5336         if (!strcmp(name, "exec")) {
5337                 tsec->exec_sid = sid;
5338         } else if (!strcmp(name, "fscreate")) {
5339                 tsec->create_sid = sid;
5340         } else if (!strcmp(name, "keycreate")) {
5341                 error = may_create_key(sid, p);
5342                 if (error)
5343                         goto abort_change;
5344                 tsec->keycreate_sid = sid;
5345         } else if (!strcmp(name, "sockcreate")) {
5346                 tsec->sockcreate_sid = sid;
5347         } else if (!strcmp(name, "current")) {
5348                 error = -EINVAL;
5349                 if (sid == 0)
5350                         goto abort_change;
5351
5352                 /* Only allow single threaded processes to change context */
5353                 error = -EPERM;
5354                 if (!current_is_single_threaded()) {
5355                         error = security_bounded_transition(tsec->sid, sid);
5356                         if (error)
5357                                 goto abort_change;
5358                 }
5359
5360                 /* Check permissions for the transition. */
5361                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5362                                      PROCESS__DYNTRANSITION, NULL);
5363                 if (error)
5364                         goto abort_change;
5365
5366                 /* Check for ptracing, and update the task SID if ok.
5367                    Otherwise, leave SID unchanged and fail. */
5368                 ptsid = 0;
5369                 task_lock(p);
5370                 tracer = ptrace_parent(p);
5371                 if (tracer)
5372                         ptsid = task_sid(tracer);
5373                 task_unlock(p);
5374
5375                 if (tracer) {
5376                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5377                                              PROCESS__PTRACE, NULL);
5378                         if (error)
5379                                 goto abort_change;
5380                 }
5381
5382                 tsec->sid = sid;
5383         } else {
5384                 error = -EINVAL;
5385                 goto abort_change;
5386         }
5387
5388         commit_creds(new);
5389         return size;
5390
5391 abort_change:
5392         abort_creds(new);
5393         return error;
5394 }
5395
5396 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5397 {
5398         return security_sid_to_context(secid, secdata, seclen);
5399 }
5400
5401 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5402 {
5403         return security_context_to_sid(secdata, seclen, secid);
5404 }
5405
5406 static void selinux_release_secctx(char *secdata, u32 seclen)
5407 {
5408         kfree(secdata);
5409 }
5410
5411 /*
5412  *      called with inode->i_mutex locked
5413  */
5414 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5415 {
5416         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5417 }
5418
5419 /*
5420  *      called with inode->i_mutex locked
5421  */
5422 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5423 {
5424         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5425 }
5426
5427 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5428 {
5429         int len = 0;
5430         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5431                                                 ctx, true);
5432         if (len < 0)
5433                 return len;
5434         *ctxlen = len;
5435         return 0;
5436 }
5437 #ifdef CONFIG_KEYS
5438
5439 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5440                              unsigned long flags)
5441 {
5442         const struct task_security_struct *tsec;
5443         struct key_security_struct *ksec;
5444
5445         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5446         if (!ksec)
5447                 return -ENOMEM;
5448
5449         tsec = cred->security;
5450         if (tsec->keycreate_sid)
5451                 ksec->sid = tsec->keycreate_sid;
5452         else
5453                 ksec->sid = tsec->sid;
5454
5455         k->security = ksec;
5456         return 0;
5457 }
5458
5459 static void selinux_key_free(struct key *k)
5460 {
5461         struct key_security_struct *ksec = k->security;
5462
5463         k->security = NULL;
5464         kfree(ksec);
5465 }
5466
5467 static int selinux_key_permission(key_ref_t key_ref,
5468                                   const struct cred *cred,
5469                                   key_perm_t perm)
5470 {
5471         struct key *key;
5472         struct key_security_struct *ksec;
5473         u32 sid;
5474
5475         /* if no specific permissions are requested, we skip the
5476            permission check. No serious, additional covert channels
5477            appear to be created. */
5478         if (perm == 0)
5479                 return 0;
5480
5481         sid = cred_sid(cred);
5482
5483         key = key_ref_to_ptr(key_ref);
5484         ksec = key->security;
5485
5486         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5487 }
5488
5489 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5490 {
5491         struct key_security_struct *ksec = key->security;
5492         char *context = NULL;
5493         unsigned len;
5494         int rc;
5495
5496         rc = security_sid_to_context(ksec->sid, &context, &len);
5497         if (!rc)
5498                 rc = len;
5499         *_buffer = context;
5500         return rc;
5501 }
5502
5503 #endif
5504
5505 static struct security_operations selinux_ops = {
5506         .name =                         "selinux",
5507
5508         .ptrace_access_check =          selinux_ptrace_access_check,
5509         .ptrace_traceme =               selinux_ptrace_traceme,
5510         .capget =                       selinux_capget,
5511         .capset =                       selinux_capset,
5512         .capable =                      selinux_capable,
5513         .quotactl =                     selinux_quotactl,
5514         .quota_on =                     selinux_quota_on,
5515         .syslog =                       selinux_syslog,
5516         .vm_enough_memory =             selinux_vm_enough_memory,
5517
5518         .netlink_send =                 selinux_netlink_send,
5519
5520         .bprm_set_creds =               selinux_bprm_set_creds,
5521         .bprm_committing_creds =        selinux_bprm_committing_creds,
5522         .bprm_committed_creds =         selinux_bprm_committed_creds,
5523         .bprm_secureexec =              selinux_bprm_secureexec,
5524
5525         .sb_alloc_security =            selinux_sb_alloc_security,
5526         .sb_free_security =             selinux_sb_free_security,
5527         .sb_copy_data =                 selinux_sb_copy_data,
5528         .sb_remount =                   selinux_sb_remount,
5529         .sb_kern_mount =                selinux_sb_kern_mount,
5530         .sb_show_options =              selinux_sb_show_options,
5531         .sb_statfs =                    selinux_sb_statfs,
5532         .sb_mount =                     selinux_mount,
5533         .sb_umount =                    selinux_umount,
5534         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5535         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5536         .sb_parse_opts_str =            selinux_parse_opts_str,
5537
5538
5539         .inode_alloc_security =         selinux_inode_alloc_security,
5540         .inode_free_security =          selinux_inode_free_security,
5541         .inode_init_security =          selinux_inode_init_security,
5542         .inode_create =                 selinux_inode_create,
5543         .inode_link =                   selinux_inode_link,
5544         .inode_unlink =                 selinux_inode_unlink,
5545         .inode_symlink =                selinux_inode_symlink,
5546         .inode_mkdir =                  selinux_inode_mkdir,
5547         .inode_rmdir =                  selinux_inode_rmdir,
5548         .inode_mknod =                  selinux_inode_mknod,
5549         .inode_rename =                 selinux_inode_rename,
5550         .inode_readlink =               selinux_inode_readlink,
5551         .inode_follow_link =            selinux_inode_follow_link,
5552         .inode_permission =             selinux_inode_permission,
5553         .inode_setattr =                selinux_inode_setattr,
5554         .inode_getattr =                selinux_inode_getattr,
5555         .inode_setxattr =               selinux_inode_setxattr,
5556         .inode_post_setxattr =          selinux_inode_post_setxattr,
5557         .inode_getxattr =               selinux_inode_getxattr,
5558         .inode_listxattr =              selinux_inode_listxattr,
5559         .inode_removexattr =            selinux_inode_removexattr,
5560         .inode_getsecurity =            selinux_inode_getsecurity,
5561         .inode_setsecurity =            selinux_inode_setsecurity,
5562         .inode_listsecurity =           selinux_inode_listsecurity,
5563         .inode_getsecid =               selinux_inode_getsecid,
5564
5565         .file_permission =              selinux_file_permission,
5566         .file_alloc_security =          selinux_file_alloc_security,
5567         .file_free_security =           selinux_file_free_security,
5568         .file_ioctl =                   selinux_file_ioctl,
5569         .file_mmap =                    selinux_file_mmap,
5570         .file_mprotect =                selinux_file_mprotect,
5571         .file_lock =                    selinux_file_lock,
5572         .file_fcntl =                   selinux_file_fcntl,
5573         .file_set_fowner =              selinux_file_set_fowner,
5574         .file_send_sigiotask =          selinux_file_send_sigiotask,
5575         .file_receive =                 selinux_file_receive,
5576
5577         .file_open =                    selinux_file_open,
5578
5579         .task_create =                  selinux_task_create,
5580         .cred_alloc_blank =             selinux_cred_alloc_blank,
5581         .cred_free =                    selinux_cred_free,
5582         .cred_prepare =                 selinux_cred_prepare,
5583         .cred_transfer =                selinux_cred_transfer,
5584         .kernel_act_as =                selinux_kernel_act_as,
5585         .kernel_create_files_as =       selinux_kernel_create_files_as,
5586         .kernel_module_request =        selinux_kernel_module_request,
5587         .task_setpgid =                 selinux_task_setpgid,
5588         .task_getpgid =                 selinux_task_getpgid,
5589         .task_getsid =                  selinux_task_getsid,
5590         .task_getsecid =                selinux_task_getsecid,
5591         .task_setnice =                 selinux_task_setnice,
5592         .task_setioprio =               selinux_task_setioprio,
5593         .task_getioprio =               selinux_task_getioprio,
5594         .task_setrlimit =               selinux_task_setrlimit,
5595         .task_setscheduler =            selinux_task_setscheduler,
5596         .task_getscheduler =            selinux_task_getscheduler,
5597         .task_movememory =              selinux_task_movememory,
5598         .task_kill =                    selinux_task_kill,
5599         .task_wait =                    selinux_task_wait,
5600         .task_to_inode =                selinux_task_to_inode,
5601
5602         .ipc_permission =               selinux_ipc_permission,
5603         .ipc_getsecid =                 selinux_ipc_getsecid,
5604
5605         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5606         .msg_msg_free_security =        selinux_msg_msg_free_security,
5607
5608         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5609         .msg_queue_free_security =      selinux_msg_queue_free_security,
5610         .msg_queue_associate =          selinux_msg_queue_associate,
5611         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5612         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5613         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5614
5615         .shm_alloc_security =           selinux_shm_alloc_security,
5616         .shm_free_security =            selinux_shm_free_security,
5617         .shm_associate =                selinux_shm_associate,
5618         .shm_shmctl =                   selinux_shm_shmctl,
5619         .shm_shmat =                    selinux_shm_shmat,
5620
5621         .sem_alloc_security =           selinux_sem_alloc_security,
5622         .sem_free_security =            selinux_sem_free_security,
5623         .sem_associate =                selinux_sem_associate,
5624         .sem_semctl =                   selinux_sem_semctl,
5625         .sem_semop =                    selinux_sem_semop,
5626
5627         .d_instantiate =                selinux_d_instantiate,
5628
5629         .getprocattr =                  selinux_getprocattr,
5630         .setprocattr =                  selinux_setprocattr,
5631
5632         .secid_to_secctx =              selinux_secid_to_secctx,
5633         .secctx_to_secid =              selinux_secctx_to_secid,
5634         .release_secctx =               selinux_release_secctx,
5635         .inode_notifysecctx =           selinux_inode_notifysecctx,
5636         .inode_setsecctx =              selinux_inode_setsecctx,
5637         .inode_getsecctx =              selinux_inode_getsecctx,
5638
5639         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5640         .unix_may_send =                selinux_socket_unix_may_send,
5641
5642         .socket_create =                selinux_socket_create,
5643         .socket_post_create =           selinux_socket_post_create,
5644         .socket_bind =                  selinux_socket_bind,
5645         .socket_connect =               selinux_socket_connect,
5646         .socket_listen =                selinux_socket_listen,
5647         .socket_accept =                selinux_socket_accept,
5648         .socket_sendmsg =               selinux_socket_sendmsg,
5649         .socket_recvmsg =               selinux_socket_recvmsg,
5650         .socket_getsockname =           selinux_socket_getsockname,
5651         .socket_getpeername =           selinux_socket_getpeername,
5652         .socket_getsockopt =            selinux_socket_getsockopt,
5653         .socket_setsockopt =            selinux_socket_setsockopt,
5654         .socket_shutdown =              selinux_socket_shutdown,
5655         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5656         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5657         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5658         .sk_alloc_security =            selinux_sk_alloc_security,
5659         .sk_free_security =             selinux_sk_free_security,
5660         .sk_clone_security =            selinux_sk_clone_security,
5661         .sk_getsecid =                  selinux_sk_getsecid,
5662         .sock_graft =                   selinux_sock_graft,
5663         .inet_conn_request =            selinux_inet_conn_request,
5664         .inet_csk_clone =               selinux_inet_csk_clone,
5665         .inet_conn_established =        selinux_inet_conn_established,
5666         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5667         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5668         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5669         .req_classify_flow =            selinux_req_classify_flow,
5670         .tun_dev_create =               selinux_tun_dev_create,
5671         .tun_dev_post_create =          selinux_tun_dev_post_create,
5672         .tun_dev_attach =               selinux_tun_dev_attach,
5673
5674 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5675         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5676         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5677         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5678         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5679         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5680         .xfrm_state_free_security =     selinux_xfrm_state_free,
5681         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5682         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5683         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5684         .xfrm_decode_session =          selinux_xfrm_decode_session,
5685 #endif
5686
5687 #ifdef CONFIG_KEYS
5688         .key_alloc =                    selinux_key_alloc,
5689         .key_free =                     selinux_key_free,
5690         .key_permission =               selinux_key_permission,
5691         .key_getsecurity =              selinux_key_getsecurity,
5692 #endif
5693
5694 #ifdef CONFIG_AUDIT
5695         .audit_rule_init =              selinux_audit_rule_init,
5696         .audit_rule_known =             selinux_audit_rule_known,
5697         .audit_rule_match =             selinux_audit_rule_match,
5698         .audit_rule_free =              selinux_audit_rule_free,
5699 #endif
5700 };
5701
5702 static __init int selinux_init(void)
5703 {
5704         if (!security_module_enable(&selinux_ops)) {
5705                 selinux_enabled = 0;
5706                 return 0;
5707         }
5708
5709         if (!selinux_enabled) {
5710                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5711                 return 0;
5712         }
5713
5714         printk(KERN_INFO "SELinux:  Initializing.\n");
5715
5716         /* Set the security state for the initial task. */
5717         cred_init_security();
5718
5719         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5720
5721         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5722                                             sizeof(struct inode_security_struct),
5723                                             0, SLAB_PANIC, NULL);
5724         avc_init();
5725
5726         if (register_security(&selinux_ops))
5727                 panic("SELinux: Unable to register with kernel.\n");
5728
5729         if (selinux_enforcing)
5730                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5731         else
5732                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5733
5734         return 0;
5735 }
5736
5737 static void delayed_superblock_init(struct super_block *sb, void *unused)
5738 {
5739         superblock_doinit(sb, NULL);
5740 }
5741
5742 void selinux_complete_init(void)
5743 {
5744         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5745
5746         /* Set up any superblocks initialized prior to the policy load. */
5747         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5748         iterate_supers(delayed_superblock_init, NULL);
5749 }
5750
5751 /* SELinux requires early initialization in order to label
5752    all processes and objects when they are created. */
5753 security_initcall(selinux_init);
5754
5755 #if defined(CONFIG_NETFILTER)
5756
5757 static struct nf_hook_ops selinux_ipv4_ops[] = {
5758         {
5759                 .hook =         selinux_ipv4_postroute,
5760                 .owner =        THIS_MODULE,
5761                 .pf =           PF_INET,
5762                 .hooknum =      NF_INET_POST_ROUTING,
5763                 .priority =     NF_IP_PRI_SELINUX_LAST,
5764         },
5765         {
5766                 .hook =         selinux_ipv4_forward,
5767                 .owner =        THIS_MODULE,
5768                 .pf =           PF_INET,
5769                 .hooknum =      NF_INET_FORWARD,
5770                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5771         },
5772         {
5773                 .hook =         selinux_ipv4_output,
5774                 .owner =        THIS_MODULE,
5775                 .pf =           PF_INET,
5776                 .hooknum =      NF_INET_LOCAL_OUT,
5777                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5778         }
5779 };
5780
5781 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5782
5783 static struct nf_hook_ops selinux_ipv6_ops[] = {
5784         {
5785                 .hook =         selinux_ipv6_postroute,
5786                 .owner =        THIS_MODULE,
5787                 .pf =           PF_INET6,
5788                 .hooknum =      NF_INET_POST_ROUTING,
5789                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5790         },
5791         {
5792                 .hook =         selinux_ipv6_forward,
5793                 .owner =        THIS_MODULE,
5794                 .pf =           PF_INET6,
5795                 .hooknum =      NF_INET_FORWARD,
5796                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5797         }
5798 };
5799
5800 #endif  /* IPV6 */
5801
5802 static int __init selinux_nf_ip_init(void)
5803 {
5804         int err = 0;
5805
5806         if (!selinux_enabled)
5807                 goto out;
5808
5809         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5810
5811         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5812         if (err)
5813                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5814
5815 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5816         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5817         if (err)
5818                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5819 #endif  /* IPV6 */
5820
5821 out:
5822         return err;
5823 }
5824
5825 __initcall(selinux_nf_ip_init);
5826
5827 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5828 static void selinux_nf_ip_exit(void)
5829 {
5830         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5831
5832         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5833 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5834         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5835 #endif  /* IPV6 */
5836 }
5837 #endif
5838
5839 #else /* CONFIG_NETFILTER */
5840
5841 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5842 #define selinux_nf_ip_exit()
5843 #endif
5844
5845 #endif /* CONFIG_NETFILTER */
5846
5847 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5848 static int selinux_disabled;
5849
5850 int selinux_disable(void)
5851 {
5852         if (ss_initialized) {
5853                 /* Not permitted after initial policy load. */
5854                 return -EINVAL;
5855         }
5856
5857         if (selinux_disabled) {
5858                 /* Only do this once. */
5859                 return -EINVAL;
5860         }
5861
5862         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5863
5864         selinux_disabled = 1;
5865         selinux_enabled = 0;
5866
5867         reset_security_ops();
5868
5869         /* Try to destroy the avc node cache */
5870         avc_disable();
5871
5872         /* Unregister netfilter hooks. */
5873         selinux_nf_ip_exit();
5874
5875         /* Unregister selinuxfs. */
5876         exit_sel_fs();
5877
5878         return 0;
5879 }
5880 #endif