Linux 3.2.87
[pandora-kernel.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>             /* for local_port_range[] */
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>    /* for network interface checks */
65 #include <linux/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h>           /* for Unix socket types */
71 #include <net/af_unix.h>        /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85
86 #include "avc.h"
87 #include "objsec.h"
88 #include "netif.h"
89 #include "netnode.h"
90 #include "netport.h"
91 #include "xfrm.h"
92 #include "netlabel.h"
93 #include "audit.h"
94 #include "avc_ss.h"
95
96 #define NUM_SEL_MNT_OPTS 5
97
98 extern struct security_operations *security_ops;
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108         unsigned long enforcing;
109         if (!strict_strtoul(str, 0, &enforcing))
110                 selinux_enforcing = enforcing ? 1 : 0;
111         return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121         unsigned long enabled;
122         if (!strict_strtoul(str, 0, &enabled))
123                 selinux_enabled = enabled ? 1 : 0;
124         return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132
133 /**
134  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135  *
136  * Description:
137  * This function checks the SECMARK reference counter to see if any SECMARK
138  * targets are currently configured, if the reference counter is greater than
139  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
140  * enabled, false (0) if SECMARK is disabled.
141  *
142  */
143 static int selinux_secmark_enabled(void)
144 {
145         return (atomic_read(&selinux_secmark_refcount) > 0);
146 }
147
148 /*
149  * initialise the security for the init task
150  */
151 static void cred_init_security(void)
152 {
153         struct cred *cred = (struct cred *) current->real_cred;
154         struct task_security_struct *tsec;
155
156         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
157         if (!tsec)
158                 panic("SELinux:  Failed to initialize initial task.\n");
159
160         tsec->osid = tsec->sid = SECINITSID_KERNEL;
161         cred->security = tsec;
162 }
163
164 /*
165  * get the security ID of a set of credentials
166  */
167 static inline u32 cred_sid(const struct cred *cred)
168 {
169         const struct task_security_struct *tsec;
170
171         tsec = cred->security;
172         return tsec->sid;
173 }
174
175 /*
176  * get the objective security ID of a task
177  */
178 static inline u32 task_sid(const struct task_struct *task)
179 {
180         u32 sid;
181
182         rcu_read_lock();
183         sid = cred_sid(__task_cred(task));
184         rcu_read_unlock();
185         return sid;
186 }
187
188 /*
189  * get the subjective security ID of the current task
190  */
191 static inline u32 current_sid(void)
192 {
193         const struct task_security_struct *tsec = current_security();
194
195         return tsec->sid;
196 }
197
198 /* Allocate and free functions for each kind of security blob. */
199
200 static int inode_alloc_security(struct inode *inode)
201 {
202         struct inode_security_struct *isec;
203         u32 sid = current_sid();
204
205         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
206         if (!isec)
207                 return -ENOMEM;
208
209         mutex_init(&isec->lock);
210         INIT_LIST_HEAD(&isec->list);
211         isec->inode = inode;
212         isec->sid = SECINITSID_UNLABELED;
213         isec->sclass = SECCLASS_FILE;
214         isec->task_sid = sid;
215         inode->i_security = isec;
216
217         return 0;
218 }
219
220 static void inode_free_rcu(struct rcu_head *head)
221 {
222         struct inode_security_struct *isec;
223
224         isec = container_of(head, struct inode_security_struct, rcu);
225         kmem_cache_free(sel_inode_cache, isec);
226 }
227
228 static void inode_free_security(struct inode *inode)
229 {
230         struct inode_security_struct *isec = inode->i_security;
231         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
232
233         spin_lock(&sbsec->isec_lock);
234         if (!list_empty(&isec->list))
235                 list_del_init(&isec->list);
236         spin_unlock(&sbsec->isec_lock);
237
238         /*
239          * The inode may still be referenced in a path walk and
240          * a call to selinux_inode_permission() can be made
241          * after inode_free_security() is called. Ideally, the VFS
242          * wouldn't do this, but fixing that is a much harder
243          * job. For now, simply free the i_security via RCU, and
244          * leave the current inode->i_security pointer intact.
245          * The inode will be freed after the RCU grace period too.
246          */
247         call_rcu(&isec->rcu, inode_free_rcu);
248 }
249
250 static int file_alloc_security(struct file *file)
251 {
252         struct file_security_struct *fsec;
253         u32 sid = current_sid();
254
255         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
256         if (!fsec)
257                 return -ENOMEM;
258
259         fsec->sid = sid;
260         fsec->fown_sid = sid;
261         file->f_security = fsec;
262
263         return 0;
264 }
265
266 static void file_free_security(struct file *file)
267 {
268         struct file_security_struct *fsec = file->f_security;
269         file->f_security = NULL;
270         kfree(fsec);
271 }
272
273 static int superblock_alloc_security(struct super_block *sb)
274 {
275         struct superblock_security_struct *sbsec;
276
277         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
278         if (!sbsec)
279                 return -ENOMEM;
280
281         mutex_init(&sbsec->lock);
282         INIT_LIST_HEAD(&sbsec->isec_head);
283         spin_lock_init(&sbsec->isec_lock);
284         sbsec->sb = sb;
285         sbsec->sid = SECINITSID_UNLABELED;
286         sbsec->def_sid = SECINITSID_FILE;
287         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
288         sb->s_security = sbsec;
289
290         return 0;
291 }
292
293 static void superblock_free_security(struct super_block *sb)
294 {
295         struct superblock_security_struct *sbsec = sb->s_security;
296         sb->s_security = NULL;
297         kfree(sbsec);
298 }
299
300 /* The file system's label must be initialized prior to use. */
301
302 static const char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_error = -1,
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 3,
323         Opt_rootcontext = 4,
324         Opt_labelsupport = 5,
325 };
326
327 static const match_table_t tokens = {
328         {Opt_context, CONTEXT_STR "%s"},
329         {Opt_fscontext, FSCONTEXT_STR "%s"},
330         {Opt_defcontext, DEFCONTEXT_STR "%s"},
331         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
332         {Opt_labelsupport, LABELSUPP_STR},
333         {Opt_error, NULL},
334 };
335
336 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
337
338 static int may_context_mount_sb_relabel(u32 sid,
339                         struct superblock_security_struct *sbsec,
340                         const struct cred *cred)
341 {
342         const struct task_security_struct *tsec = cred->security;
343         int rc;
344
345         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
346                           FILESYSTEM__RELABELFROM, NULL);
347         if (rc)
348                 return rc;
349
350         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
351                           FILESYSTEM__RELABELTO, NULL);
352         return rc;
353 }
354
355 static int may_context_mount_inode_relabel(u32 sid,
356                         struct superblock_security_struct *sbsec,
357                         const struct cred *cred)
358 {
359         const struct task_security_struct *tsec = cred->security;
360         int rc;
361         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
362                           FILESYSTEM__RELABELFROM, NULL);
363         if (rc)
364                 return rc;
365
366         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
367                           FILESYSTEM__ASSOCIATE, NULL);
368         return rc;
369 }
370
371 static int sb_finish_set_opts(struct super_block *sb)
372 {
373         struct superblock_security_struct *sbsec = sb->s_security;
374         struct dentry *root = sb->s_root;
375         struct inode *root_inode = root->d_inode;
376         int rc = 0;
377
378         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
379                 /* Make sure that the xattr handler exists and that no
380                    error other than -ENODATA is returned by getxattr on
381                    the root directory.  -ENODATA is ok, as this may be
382                    the first boot of the SELinux kernel before we have
383                    assigned xattr values to the filesystem. */
384                 if (!root_inode->i_op->getxattr) {
385                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
386                                "xattr support\n", sb->s_id, sb->s_type->name);
387                         rc = -EOPNOTSUPP;
388                         goto out;
389                 }
390                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
391                 if (rc < 0 && rc != -ENODATA) {
392                         if (rc == -EOPNOTSUPP)
393                                 printk(KERN_WARNING "SELinux: (dev %s, type "
394                                        "%s) has no security xattr handler\n",
395                                        sb->s_id, sb->s_type->name);
396                         else
397                                 printk(KERN_WARNING "SELinux: (dev %s, type "
398                                        "%s) getxattr errno %d\n", sb->s_id,
399                                        sb->s_type->name, -rc);
400                         goto out;
401                 }
402         }
403
404         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
405
406         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
407                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
408                        sb->s_id, sb->s_type->name);
409         else
410                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
411                        sb->s_id, sb->s_type->name,
412                        labeling_behaviors[sbsec->behavior-1]);
413
414         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
415             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
416             sbsec->behavior == SECURITY_FS_USE_NONE ||
417             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
418                 sbsec->flags &= ~SE_SBLABELSUPP;
419
420         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
421         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
422                 sbsec->flags |= SE_SBLABELSUPP;
423
424         /* Initialize the root inode. */
425         rc = inode_doinit_with_dentry(root_inode, root);
426
427         /* Initialize any other inodes associated with the superblock, e.g.
428            inodes created prior to initial policy load or inodes created
429            during get_sb by a pseudo filesystem that directly
430            populates itself. */
431         spin_lock(&sbsec->isec_lock);
432 next_inode:
433         if (!list_empty(&sbsec->isec_head)) {
434                 struct inode_security_struct *isec =
435                                 list_entry(sbsec->isec_head.next,
436                                            struct inode_security_struct, list);
437                 struct inode *inode = isec->inode;
438                 list_del_init(&isec->list);
439                 spin_unlock(&sbsec->isec_lock);
440                 inode = igrab(inode);
441                 if (inode) {
442                         if (!IS_PRIVATE(inode))
443                                 inode_doinit(inode);
444                         iput(inode);
445                 }
446                 spin_lock(&sbsec->isec_lock);
447                 goto next_inode;
448         }
449         spin_unlock(&sbsec->isec_lock);
450 out:
451         return rc;
452 }
453
454 /*
455  * This function should allow an FS to ask what it's mount security
456  * options were so it can use those later for submounts, displaying
457  * mount options, or whatever.
458  */
459 static int selinux_get_mnt_opts(const struct super_block *sb,
460                                 struct security_mnt_opts *opts)
461 {
462         int rc = 0, i;
463         struct superblock_security_struct *sbsec = sb->s_security;
464         char *context = NULL;
465         u32 len;
466         char tmp;
467
468         security_init_mnt_opts(opts);
469
470         if (!(sbsec->flags & SE_SBINITIALIZED))
471                 return -EINVAL;
472
473         if (!ss_initialized)
474                 return -EINVAL;
475
476         tmp = sbsec->flags & SE_MNTMASK;
477         /* count the number of mount options for this sb */
478         for (i = 0; i < 8; i++) {
479                 if (tmp & 0x01)
480                         opts->num_mnt_opts++;
481                 tmp >>= 1;
482         }
483         /* Check if the Label support flag is set */
484         if (sbsec->flags & SE_SBLABELSUPP)
485                 opts->num_mnt_opts++;
486
487         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
488         if (!opts->mnt_opts) {
489                 rc = -ENOMEM;
490                 goto out_free;
491         }
492
493         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
494         if (!opts->mnt_opts_flags) {
495                 rc = -ENOMEM;
496                 goto out_free;
497         }
498
499         i = 0;
500         if (sbsec->flags & FSCONTEXT_MNT) {
501                 rc = security_sid_to_context(sbsec->sid, &context, &len);
502                 if (rc)
503                         goto out_free;
504                 opts->mnt_opts[i] = context;
505                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
506         }
507         if (sbsec->flags & CONTEXT_MNT) {
508                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
509                 if (rc)
510                         goto out_free;
511                 opts->mnt_opts[i] = context;
512                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
513         }
514         if (sbsec->flags & DEFCONTEXT_MNT) {
515                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
516                 if (rc)
517                         goto out_free;
518                 opts->mnt_opts[i] = context;
519                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
520         }
521         if (sbsec->flags & ROOTCONTEXT_MNT) {
522                 struct inode *root = sbsec->sb->s_root->d_inode;
523                 struct inode_security_struct *isec = root->i_security;
524
525                 rc = security_sid_to_context(isec->sid, &context, &len);
526                 if (rc)
527                         goto out_free;
528                 opts->mnt_opts[i] = context;
529                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
530         }
531         if (sbsec->flags & SE_SBLABELSUPP) {
532                 opts->mnt_opts[i] = NULL;
533                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
534         }
535
536         BUG_ON(i != opts->num_mnt_opts);
537
538         return 0;
539
540 out_free:
541         security_free_mnt_opts(opts);
542         return rc;
543 }
544
545 static int bad_option(struct superblock_security_struct *sbsec, char flag,
546                       u32 old_sid, u32 new_sid)
547 {
548         char mnt_flags = sbsec->flags & SE_MNTMASK;
549
550         /* check if the old mount command had the same options */
551         if (sbsec->flags & SE_SBINITIALIZED)
552                 if (!(sbsec->flags & flag) ||
553                     (old_sid != new_sid))
554                         return 1;
555
556         /* check if we were passed the same options twice,
557          * aka someone passed context=a,context=b
558          */
559         if (!(sbsec->flags & SE_SBINITIALIZED))
560                 if (mnt_flags & flag)
561                         return 1;
562         return 0;
563 }
564
565 /*
566  * Allow filesystems with binary mount data to explicitly set mount point
567  * labeling information.
568  */
569 static int selinux_set_mnt_opts(struct super_block *sb,
570                                 struct security_mnt_opts *opts)
571 {
572         const struct cred *cred = current_cred();
573         int rc = 0, i;
574         struct superblock_security_struct *sbsec = sb->s_security;
575         const char *name = sb->s_type->name;
576         struct inode *inode = sbsec->sb->s_root->d_inode;
577         struct inode_security_struct *root_isec = inode->i_security;
578         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
579         u32 defcontext_sid = 0;
580         char **mount_options = opts->mnt_opts;
581         int *flags = opts->mnt_opts_flags;
582         int num_opts = opts->num_mnt_opts;
583
584         mutex_lock(&sbsec->lock);
585
586         if (!ss_initialized) {
587                 if (!num_opts) {
588                         /* Defer initialization until selinux_complete_init,
589                            after the initial policy is loaded and the security
590                            server is ready to handle calls. */
591                         goto out;
592                 }
593                 rc = -EINVAL;
594                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
595                         "before the security server is initialized\n");
596                 goto out;
597         }
598
599         /*
600          * Binary mount data FS will come through this function twice.  Once
601          * from an explicit call and once from the generic calls from the vfs.
602          * Since the generic VFS calls will not contain any security mount data
603          * we need to skip the double mount verification.
604          *
605          * This does open a hole in which we will not notice if the first
606          * mount using this sb set explict options and a second mount using
607          * this sb does not set any security options.  (The first options
608          * will be used for both mounts)
609          */
610         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
611             && (num_opts == 0))
612                 goto out;
613
614         /*
615          * parse the mount options, check if they are valid sids.
616          * also check if someone is trying to mount the same sb more
617          * than once with different security options.
618          */
619         for (i = 0; i < num_opts; i++) {
620                 u32 sid;
621
622                 if (flags[i] == SE_SBLABELSUPP)
623                         continue;
624                 rc = security_context_to_sid(mount_options[i],
625                                              strlen(mount_options[i]), &sid);
626                 if (rc) {
627                         printk(KERN_WARNING "SELinux: security_context_to_sid"
628                                "(%s) failed for (dev %s, type %s) errno=%d\n",
629                                mount_options[i], sb->s_id, name, rc);
630                         goto out;
631                 }
632                 switch (flags[i]) {
633                 case FSCONTEXT_MNT:
634                         fscontext_sid = sid;
635
636                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
637                                         fscontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= FSCONTEXT_MNT;
641                         break;
642                 case CONTEXT_MNT:
643                         context_sid = sid;
644
645                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
646                                         context_sid))
647                                 goto out_double_mount;
648
649                         sbsec->flags |= CONTEXT_MNT;
650                         break;
651                 case ROOTCONTEXT_MNT:
652                         rootcontext_sid = sid;
653
654                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
655                                         rootcontext_sid))
656                                 goto out_double_mount;
657
658                         sbsec->flags |= ROOTCONTEXT_MNT;
659
660                         break;
661                 case DEFCONTEXT_MNT:
662                         defcontext_sid = sid;
663
664                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
665                                         defcontext_sid))
666                                 goto out_double_mount;
667
668                         sbsec->flags |= DEFCONTEXT_MNT;
669
670                         break;
671                 default:
672                         rc = -EINVAL;
673                         goto out;
674                 }
675         }
676
677         if (sbsec->flags & SE_SBINITIALIZED) {
678                 /* previously mounted with options, but not on this attempt? */
679                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
680                         goto out_double_mount;
681                 rc = 0;
682                 goto out;
683         }
684
685         if (strcmp(sb->s_type->name, "proc") == 0)
686                 sbsec->flags |= SE_SBPROC;
687
688         /* Determine the labeling behavior to use for this filesystem type. */
689         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
690         if (rc) {
691                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
692                        __func__, sb->s_type->name, rc);
693                 goto out;
694         }
695
696         /* sets the context of the superblock for the fs being mounted. */
697         if (fscontext_sid) {
698                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
699                 if (rc)
700                         goto out;
701
702                 sbsec->sid = fscontext_sid;
703         }
704
705         /*
706          * Switch to using mount point labeling behavior.
707          * sets the label used on all file below the mountpoint, and will set
708          * the superblock context if not already set.
709          */
710         if (context_sid) {
711                 if (!fscontext_sid) {
712                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
713                                                           cred);
714                         if (rc)
715                                 goto out;
716                         sbsec->sid = context_sid;
717                 } else {
718                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
719                                                              cred);
720                         if (rc)
721                                 goto out;
722                 }
723                 if (!rootcontext_sid)
724                         rootcontext_sid = context_sid;
725
726                 sbsec->mntpoint_sid = context_sid;
727                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
728         }
729
730         if (rootcontext_sid) {
731                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
732                                                      cred);
733                 if (rc)
734                         goto out;
735
736                 root_isec->sid = rootcontext_sid;
737                 root_isec->initialized = 1;
738         }
739
740         if (defcontext_sid) {
741                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
742                         rc = -EINVAL;
743                         printk(KERN_WARNING "SELinux: defcontext option is "
744                                "invalid for this filesystem type\n");
745                         goto out;
746                 }
747
748                 if (defcontext_sid != sbsec->def_sid) {
749                         rc = may_context_mount_inode_relabel(defcontext_sid,
750                                                              sbsec, cred);
751                         if (rc)
752                                 goto out;
753                 }
754
755                 sbsec->def_sid = defcontext_sid;
756         }
757
758         rc = sb_finish_set_opts(sb);
759 out:
760         mutex_unlock(&sbsec->lock);
761         return rc;
762 out_double_mount:
763         rc = -EINVAL;
764         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
765                "security settings for (dev %s, type %s)\n", sb->s_id, name);
766         goto out;
767 }
768
769 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
770                                         struct super_block *newsb)
771 {
772         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
773         struct superblock_security_struct *newsbsec = newsb->s_security;
774
775         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
776         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
777         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
778
779         /*
780          * if the parent was able to be mounted it clearly had no special lsm
781          * mount options.  thus we can safely deal with this superblock later
782          */
783         if (!ss_initialized)
784                 return;
785
786         /* how can we clone if the old one wasn't set up?? */
787         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
788
789         /* if fs is reusing a sb, just let its options stand... */
790         if (newsbsec->flags & SE_SBINITIALIZED)
791                 return;
792
793         mutex_lock(&newsbsec->lock);
794
795         newsbsec->flags = oldsbsec->flags;
796
797         newsbsec->sid = oldsbsec->sid;
798         newsbsec->def_sid = oldsbsec->def_sid;
799         newsbsec->behavior = oldsbsec->behavior;
800
801         if (set_context) {
802                 u32 sid = oldsbsec->mntpoint_sid;
803
804                 if (!set_fscontext)
805                         newsbsec->sid = sid;
806                 if (!set_rootcontext) {
807                         struct inode *newinode = newsb->s_root->d_inode;
808                         struct inode_security_struct *newisec = newinode->i_security;
809                         newisec->sid = sid;
810                 }
811                 newsbsec->mntpoint_sid = sid;
812         }
813         if (set_rootcontext) {
814                 const struct inode *oldinode = oldsb->s_root->d_inode;
815                 const struct inode_security_struct *oldisec = oldinode->i_security;
816                 struct inode *newinode = newsb->s_root->d_inode;
817                 struct inode_security_struct *newisec = newinode->i_security;
818
819                 newisec->sid = oldisec->sid;
820         }
821
822         sb_finish_set_opts(newsb);
823         mutex_unlock(&newsbsec->lock);
824 }
825
826 static int selinux_parse_opts_str(char *options,
827                                   struct security_mnt_opts *opts)
828 {
829         char *p;
830         char *context = NULL, *defcontext = NULL;
831         char *fscontext = NULL, *rootcontext = NULL;
832         int rc, num_mnt_opts = 0;
833
834         opts->num_mnt_opts = 0;
835
836         /* Standard string-based options. */
837         while ((p = strsep(&options, "|")) != NULL) {
838                 int token;
839                 substring_t args[MAX_OPT_ARGS];
840
841                 if (!*p)
842                         continue;
843
844                 token = match_token(p, tokens, args);
845
846                 switch (token) {
847                 case Opt_context:
848                         if (context || defcontext) {
849                                 rc = -EINVAL;
850                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
851                                 goto out_err;
852                         }
853                         context = match_strdup(&args[0]);
854                         if (!context) {
855                                 rc = -ENOMEM;
856                                 goto out_err;
857                         }
858                         break;
859
860                 case Opt_fscontext:
861                         if (fscontext) {
862                                 rc = -EINVAL;
863                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
864                                 goto out_err;
865                         }
866                         fscontext = match_strdup(&args[0]);
867                         if (!fscontext) {
868                                 rc = -ENOMEM;
869                                 goto out_err;
870                         }
871                         break;
872
873                 case Opt_rootcontext:
874                         if (rootcontext) {
875                                 rc = -EINVAL;
876                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
877                                 goto out_err;
878                         }
879                         rootcontext = match_strdup(&args[0]);
880                         if (!rootcontext) {
881                                 rc = -ENOMEM;
882                                 goto out_err;
883                         }
884                         break;
885
886                 case Opt_defcontext:
887                         if (context || defcontext) {
888                                 rc = -EINVAL;
889                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
890                                 goto out_err;
891                         }
892                         defcontext = match_strdup(&args[0]);
893                         if (!defcontext) {
894                                 rc = -ENOMEM;
895                                 goto out_err;
896                         }
897                         break;
898                 case Opt_labelsupport:
899                         break;
900                 default:
901                         rc = -EINVAL;
902                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
903                         goto out_err;
904
905                 }
906         }
907
908         rc = -ENOMEM;
909         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
910         if (!opts->mnt_opts)
911                 goto out_err;
912
913         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
914         if (!opts->mnt_opts_flags) {
915                 kfree(opts->mnt_opts);
916                 goto out_err;
917         }
918
919         if (fscontext) {
920                 opts->mnt_opts[num_mnt_opts] = fscontext;
921                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
922         }
923         if (context) {
924                 opts->mnt_opts[num_mnt_opts] = context;
925                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
926         }
927         if (rootcontext) {
928                 opts->mnt_opts[num_mnt_opts] = rootcontext;
929                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
930         }
931         if (defcontext) {
932                 opts->mnt_opts[num_mnt_opts] = defcontext;
933                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
934         }
935
936         opts->num_mnt_opts = num_mnt_opts;
937         return 0;
938
939 out_err:
940         kfree(context);
941         kfree(defcontext);
942         kfree(fscontext);
943         kfree(rootcontext);
944         return rc;
945 }
946 /*
947  * string mount options parsing and call set the sbsec
948  */
949 static int superblock_doinit(struct super_block *sb, void *data)
950 {
951         int rc = 0;
952         char *options = data;
953         struct security_mnt_opts opts;
954
955         security_init_mnt_opts(&opts);
956
957         if (!data)
958                 goto out;
959
960         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
961
962         rc = selinux_parse_opts_str(options, &opts);
963         if (rc)
964                 goto out_err;
965
966 out:
967         rc = selinux_set_mnt_opts(sb, &opts);
968
969 out_err:
970         security_free_mnt_opts(&opts);
971         return rc;
972 }
973
974 static void selinux_write_opts(struct seq_file *m,
975                                struct security_mnt_opts *opts)
976 {
977         int i;
978         char *prefix;
979
980         for (i = 0; i < opts->num_mnt_opts; i++) {
981                 char *has_comma;
982
983                 if (opts->mnt_opts[i])
984                         has_comma = strchr(opts->mnt_opts[i], ',');
985                 else
986                         has_comma = NULL;
987
988                 switch (opts->mnt_opts_flags[i]) {
989                 case CONTEXT_MNT:
990                         prefix = CONTEXT_STR;
991                         break;
992                 case FSCONTEXT_MNT:
993                         prefix = FSCONTEXT_STR;
994                         break;
995                 case ROOTCONTEXT_MNT:
996                         prefix = ROOTCONTEXT_STR;
997                         break;
998                 case DEFCONTEXT_MNT:
999                         prefix = DEFCONTEXT_STR;
1000                         break;
1001                 case SE_SBLABELSUPP:
1002                         seq_putc(m, ',');
1003                         seq_puts(m, LABELSUPP_STR);
1004                         continue;
1005                 default:
1006                         BUG();
1007                         return;
1008                 };
1009                 /* we need a comma before each option */
1010                 seq_putc(m, ',');
1011                 seq_puts(m, prefix);
1012                 if (has_comma)
1013                         seq_putc(m, '\"');
1014                 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1015                 if (has_comma)
1016                         seq_putc(m, '\"');
1017         }
1018 }
1019
1020 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1021 {
1022         struct security_mnt_opts opts;
1023         int rc;
1024
1025         rc = selinux_get_mnt_opts(sb, &opts);
1026         if (rc) {
1027                 /* before policy load we may get EINVAL, don't show anything */
1028                 if (rc == -EINVAL)
1029                         rc = 0;
1030                 return rc;
1031         }
1032
1033         selinux_write_opts(m, &opts);
1034
1035         security_free_mnt_opts(&opts);
1036
1037         return rc;
1038 }
1039
1040 static inline u16 inode_mode_to_security_class(umode_t mode)
1041 {
1042         switch (mode & S_IFMT) {
1043         case S_IFSOCK:
1044                 return SECCLASS_SOCK_FILE;
1045         case S_IFLNK:
1046                 return SECCLASS_LNK_FILE;
1047         case S_IFREG:
1048                 return SECCLASS_FILE;
1049         case S_IFBLK:
1050                 return SECCLASS_BLK_FILE;
1051         case S_IFDIR:
1052                 return SECCLASS_DIR;
1053         case S_IFCHR:
1054                 return SECCLASS_CHR_FILE;
1055         case S_IFIFO:
1056                 return SECCLASS_FIFO_FILE;
1057
1058         }
1059
1060         return SECCLASS_FILE;
1061 }
1062
1063 static inline int default_protocol_stream(int protocol)
1064 {
1065         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1066 }
1067
1068 static inline int default_protocol_dgram(int protocol)
1069 {
1070         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1071 }
1072
1073 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1074 {
1075         switch (family) {
1076         case PF_UNIX:
1077                 switch (type) {
1078                 case SOCK_STREAM:
1079                 case SOCK_SEQPACKET:
1080                         return SECCLASS_UNIX_STREAM_SOCKET;
1081                 case SOCK_DGRAM:
1082                         return SECCLASS_UNIX_DGRAM_SOCKET;
1083                 }
1084                 break;
1085         case PF_INET:
1086         case PF_INET6:
1087                 switch (type) {
1088                 case SOCK_STREAM:
1089                         if (default_protocol_stream(protocol))
1090                                 return SECCLASS_TCP_SOCKET;
1091                         else
1092                                 return SECCLASS_RAWIP_SOCKET;
1093                 case SOCK_DGRAM:
1094                         if (default_protocol_dgram(protocol))
1095                                 return SECCLASS_UDP_SOCKET;
1096                         else
1097                                 return SECCLASS_RAWIP_SOCKET;
1098                 case SOCK_DCCP:
1099                         return SECCLASS_DCCP_SOCKET;
1100                 default:
1101                         return SECCLASS_RAWIP_SOCKET;
1102                 }
1103                 break;
1104         case PF_NETLINK:
1105                 switch (protocol) {
1106                 case NETLINK_ROUTE:
1107                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1108                 case NETLINK_FIREWALL:
1109                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1110                 case NETLINK_INET_DIAG:
1111                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1112                 case NETLINK_NFLOG:
1113                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1114                 case NETLINK_XFRM:
1115                         return SECCLASS_NETLINK_XFRM_SOCKET;
1116                 case NETLINK_SELINUX:
1117                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1118                 case NETLINK_AUDIT:
1119                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1120                 case NETLINK_IP6_FW:
1121                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1122                 case NETLINK_DNRTMSG:
1123                         return SECCLASS_NETLINK_DNRT_SOCKET;
1124                 case NETLINK_KOBJECT_UEVENT:
1125                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1126                 default:
1127                         return SECCLASS_NETLINK_SOCKET;
1128                 }
1129         case PF_PACKET:
1130                 return SECCLASS_PACKET_SOCKET;
1131         case PF_KEY:
1132                 return SECCLASS_KEY_SOCKET;
1133         case PF_APPLETALK:
1134                 return SECCLASS_APPLETALK_SOCKET;
1135         }
1136
1137         return SECCLASS_SOCKET;
1138 }
1139
1140 #ifdef CONFIG_PROC_FS
1141 static int selinux_proc_get_sid(struct dentry *dentry,
1142                                 u16 tclass,
1143                                 u32 *sid)
1144 {
1145         int rc;
1146         char *buffer, *path;
1147
1148         buffer = (char *)__get_free_page(GFP_KERNEL);
1149         if (!buffer)
1150                 return -ENOMEM;
1151
1152         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1153         if (IS_ERR(path))
1154                 rc = PTR_ERR(path);
1155         else {
1156                 /* each process gets a /proc/PID/ entry. Strip off the
1157                  * PID part to get a valid selinux labeling.
1158                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1159                 while (path[1] >= '0' && path[1] <= '9') {
1160                         path[1] = '/';
1161                         path++;
1162                 }
1163                 rc = security_genfs_sid("proc", path, tclass, sid);
1164         }
1165         free_page((unsigned long)buffer);
1166         return rc;
1167 }
1168 #else
1169 static int selinux_proc_get_sid(struct dentry *dentry,
1170                                 u16 tclass,
1171                                 u32 *sid)
1172 {
1173         return -EINVAL;
1174 }
1175 #endif
1176
1177 /* The inode's security attributes must be initialized before first use. */
1178 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1179 {
1180         struct superblock_security_struct *sbsec = NULL;
1181         struct inode_security_struct *isec = inode->i_security;
1182         u32 sid;
1183         struct dentry *dentry;
1184 #define INITCONTEXTLEN 255
1185         char *context = NULL;
1186         unsigned len = 0;
1187         int rc = 0;
1188
1189         if (isec->initialized)
1190                 goto out;
1191
1192         mutex_lock(&isec->lock);
1193         if (isec->initialized)
1194                 goto out_unlock;
1195
1196         sbsec = inode->i_sb->s_security;
1197         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1198                 /* Defer initialization until selinux_complete_init,
1199                    after the initial policy is loaded and the security
1200                    server is ready to handle calls. */
1201                 spin_lock(&sbsec->isec_lock);
1202                 if (list_empty(&isec->list))
1203                         list_add(&isec->list, &sbsec->isec_head);
1204                 spin_unlock(&sbsec->isec_lock);
1205                 goto out_unlock;
1206         }
1207
1208         switch (sbsec->behavior) {
1209         case SECURITY_FS_USE_XATTR:
1210                 if (!inode->i_op->getxattr) {
1211                         isec->sid = sbsec->def_sid;
1212                         break;
1213                 }
1214
1215                 /* Need a dentry, since the xattr API requires one.
1216                    Life would be simpler if we could just pass the inode. */
1217                 if (opt_dentry) {
1218                         /* Called from d_instantiate or d_splice_alias. */
1219                         dentry = dget(opt_dentry);
1220                 } else {
1221                         /* Called from selinux_complete_init, try to find a dentry. */
1222                         dentry = d_find_alias(inode);
1223                 }
1224                 if (!dentry) {
1225                         /*
1226                          * this is can be hit on boot when a file is accessed
1227                          * before the policy is loaded.  When we load policy we
1228                          * may find inodes that have no dentry on the
1229                          * sbsec->isec_head list.  No reason to complain as these
1230                          * will get fixed up the next time we go through
1231                          * inode_doinit with a dentry, before these inodes could
1232                          * be used again by userspace.
1233                          */
1234                         goto out_unlock;
1235                 }
1236
1237                 len = INITCONTEXTLEN;
1238                 context = kmalloc(len+1, GFP_NOFS);
1239                 if (!context) {
1240                         rc = -ENOMEM;
1241                         dput(dentry);
1242                         goto out_unlock;
1243                 }
1244                 context[len] = '\0';
1245                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1246                                            context, len);
1247                 if (rc == -ERANGE) {
1248                         kfree(context);
1249
1250                         /* Need a larger buffer.  Query for the right size. */
1251                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1252                                                    NULL, 0);
1253                         if (rc < 0) {
1254                                 dput(dentry);
1255                                 goto out_unlock;
1256                         }
1257                         len = rc;
1258                         context = kmalloc(len+1, GFP_NOFS);
1259                         if (!context) {
1260                                 rc = -ENOMEM;
1261                                 dput(dentry);
1262                                 goto out_unlock;
1263                         }
1264                         context[len] = '\0';
1265                         rc = inode->i_op->getxattr(dentry,
1266                                                    XATTR_NAME_SELINUX,
1267                                                    context, len);
1268                 }
1269                 dput(dentry);
1270                 if (rc < 0) {
1271                         if (rc != -ENODATA) {
1272                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1273                                        "%d for dev=%s ino=%ld\n", __func__,
1274                                        -rc, inode->i_sb->s_id, inode->i_ino);
1275                                 kfree(context);
1276                                 goto out_unlock;
1277                         }
1278                         /* Map ENODATA to the default file SID */
1279                         sid = sbsec->def_sid;
1280                         rc = 0;
1281                 } else {
1282                         rc = security_context_to_sid_default(context, rc, &sid,
1283                                                              sbsec->def_sid,
1284                                                              GFP_NOFS);
1285                         if (rc) {
1286                                 char *dev = inode->i_sb->s_id;
1287                                 unsigned long ino = inode->i_ino;
1288
1289                                 if (rc == -EINVAL) {
1290                                         if (printk_ratelimit())
1291                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1292                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1293                                                         "filesystem in question.\n", ino, dev, context);
1294                                 } else {
1295                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1296                                                "returned %d for dev=%s ino=%ld\n",
1297                                                __func__, context, -rc, dev, ino);
1298                                 }
1299                                 kfree(context);
1300                                 /* Leave with the unlabeled SID */
1301                                 rc = 0;
1302                                 break;
1303                         }
1304                 }
1305                 kfree(context);
1306                 isec->sid = sid;
1307                 break;
1308         case SECURITY_FS_USE_TASK:
1309                 isec->sid = isec->task_sid;
1310                 break;
1311         case SECURITY_FS_USE_TRANS:
1312                 /* Default to the fs SID. */
1313                 isec->sid = sbsec->sid;
1314
1315                 /* Try to obtain a transition SID. */
1316                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1318                                              isec->sclass, NULL, &sid);
1319                 if (rc)
1320                         goto out_unlock;
1321                 isec->sid = sid;
1322                 break;
1323         case SECURITY_FS_USE_MNTPOINT:
1324                 isec->sid = sbsec->mntpoint_sid;
1325                 break;
1326         default:
1327                 /* Default to the fs superblock SID. */
1328                 isec->sid = sbsec->sid;
1329
1330                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1331                         /* We must have a dentry to determine the label on
1332                          * procfs inodes */
1333                         if (opt_dentry)
1334                                 /* Called from d_instantiate or
1335                                  * d_splice_alias. */
1336                                 dentry = dget(opt_dentry);
1337                         else
1338                                 /* Called from selinux_complete_init, try to
1339                                  * find a dentry. */
1340                                 dentry = d_find_alias(inode);
1341                         /*
1342                          * This can be hit on boot when a file is accessed
1343                          * before the policy is loaded.  When we load policy we
1344                          * may find inodes that have no dentry on the
1345                          * sbsec->isec_head list.  No reason to complain as
1346                          * these will get fixed up the next time we go through
1347                          * inode_doinit() with a dentry, before these inodes
1348                          * could be used again by userspace.
1349                          */
1350                         if (!dentry)
1351                                 goto out_unlock;
1352                         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1353                         rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1354                         dput(dentry);
1355                         if (rc)
1356                                 goto out_unlock;
1357                         isec->sid = sid;
1358                 }
1359                 break;
1360         }
1361
1362         isec->initialized = 1;
1363
1364 out_unlock:
1365         mutex_unlock(&isec->lock);
1366 out:
1367         if (isec->sclass == SECCLASS_FILE)
1368                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1369         return rc;
1370 }
1371
1372 /* Convert a Linux signal to an access vector. */
1373 static inline u32 signal_to_av(int sig)
1374 {
1375         u32 perm = 0;
1376
1377         switch (sig) {
1378         case SIGCHLD:
1379                 /* Commonly granted from child to parent. */
1380                 perm = PROCESS__SIGCHLD;
1381                 break;
1382         case SIGKILL:
1383                 /* Cannot be caught or ignored */
1384                 perm = PROCESS__SIGKILL;
1385                 break;
1386         case SIGSTOP:
1387                 /* Cannot be caught or ignored */
1388                 perm = PROCESS__SIGSTOP;
1389                 break;
1390         default:
1391                 /* All other signals. */
1392                 perm = PROCESS__SIGNAL;
1393                 break;
1394         }
1395
1396         return perm;
1397 }
1398
1399 /*
1400  * Check permission between a pair of credentials
1401  * fork check, ptrace check, etc.
1402  */
1403 static int cred_has_perm(const struct cred *actor,
1404                          const struct cred *target,
1405                          u32 perms)
1406 {
1407         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1408
1409         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1410 }
1411
1412 /*
1413  * Check permission between a pair of tasks, e.g. signal checks,
1414  * fork check, ptrace check, etc.
1415  * tsk1 is the actor and tsk2 is the target
1416  * - this uses the default subjective creds of tsk1
1417  */
1418 static int task_has_perm(const struct task_struct *tsk1,
1419                          const struct task_struct *tsk2,
1420                          u32 perms)
1421 {
1422         const struct task_security_struct *__tsec1, *__tsec2;
1423         u32 sid1, sid2;
1424
1425         rcu_read_lock();
1426         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1427         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1428         rcu_read_unlock();
1429         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1430 }
1431
1432 /*
1433  * Check permission between current and another task, e.g. signal checks,
1434  * fork check, ptrace check, etc.
1435  * current is the actor and tsk2 is the target
1436  * - this uses current's subjective creds
1437  */
1438 static int current_has_perm(const struct task_struct *tsk,
1439                             u32 perms)
1440 {
1441         u32 sid, tsid;
1442
1443         sid = current_sid();
1444         tsid = task_sid(tsk);
1445         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1446 }
1447
1448 #if CAP_LAST_CAP > 63
1449 #error Fix SELinux to handle capabilities > 63.
1450 #endif
1451
1452 /* Check whether a task is allowed to use a capability. */
1453 static int task_has_capability(struct task_struct *tsk,
1454                                const struct cred *cred,
1455                                int cap, int audit)
1456 {
1457         struct common_audit_data ad;
1458         struct av_decision avd;
1459         u16 sclass;
1460         u32 sid = cred_sid(cred);
1461         u32 av = CAP_TO_MASK(cap);
1462         int rc;
1463
1464         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1465         ad.tsk = tsk;
1466         ad.u.cap = cap;
1467
1468         switch (CAP_TO_INDEX(cap)) {
1469         case 0:
1470                 sclass = SECCLASS_CAPABILITY;
1471                 break;
1472         case 1:
1473                 sclass = SECCLASS_CAPABILITY2;
1474                 break;
1475         default:
1476                 printk(KERN_ERR
1477                        "SELinux:  out of range capability %d\n", cap);
1478                 BUG();
1479                 return -EINVAL;
1480         }
1481
1482         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1483         if (audit == SECURITY_CAP_AUDIT) {
1484                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1485                 if (rc2)
1486                         return rc2;
1487         }
1488         return rc;
1489 }
1490
1491 /* Check whether a task is allowed to use a system operation. */
1492 static int task_has_system(struct task_struct *tsk,
1493                            u32 perms)
1494 {
1495         u32 sid = task_sid(tsk);
1496
1497         return avc_has_perm(sid, SECINITSID_KERNEL,
1498                             SECCLASS_SYSTEM, perms, NULL);
1499 }
1500
1501 /* Check whether a task has a particular permission to an inode.
1502    The 'adp' parameter is optional and allows other audit
1503    data to be passed (e.g. the dentry). */
1504 static int inode_has_perm(const struct cred *cred,
1505                           struct inode *inode,
1506                           u32 perms,
1507                           struct common_audit_data *adp,
1508                           unsigned flags)
1509 {
1510         struct inode_security_struct *isec;
1511         u32 sid;
1512
1513         validate_creds(cred);
1514
1515         if (unlikely(IS_PRIVATE(inode)))
1516                 return 0;
1517
1518         sid = cred_sid(cred);
1519         isec = inode->i_security;
1520
1521         return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1522 }
1523
1524 static int inode_has_perm_noadp(const struct cred *cred,
1525                                 struct inode *inode,
1526                                 u32 perms,
1527                                 unsigned flags)
1528 {
1529         struct common_audit_data ad;
1530
1531         COMMON_AUDIT_DATA_INIT(&ad, INODE);
1532         ad.u.inode = inode;
1533         return inode_has_perm(cred, inode, perms, &ad, flags);
1534 }
1535
1536 /* Same as inode_has_perm, but pass explicit audit data containing
1537    the dentry to help the auditing code to more easily generate the
1538    pathname if needed. */
1539 static inline int dentry_has_perm(const struct cred *cred,
1540                                   struct dentry *dentry,
1541                                   u32 av)
1542 {
1543         struct inode *inode = dentry->d_inode;
1544         struct common_audit_data ad;
1545
1546         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1547         ad.u.dentry = dentry;
1548         return inode_has_perm(cred, inode, av, &ad, 0);
1549 }
1550
1551 /* Same as inode_has_perm, but pass explicit audit data containing
1552    the path to help the auditing code to more easily generate the
1553    pathname if needed. */
1554 static inline int path_has_perm(const struct cred *cred,
1555                                 struct path *path,
1556                                 u32 av)
1557 {
1558         struct inode *inode = path->dentry->d_inode;
1559         struct common_audit_data ad;
1560
1561         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1562         ad.u.path = *path;
1563         return inode_has_perm(cred, inode, av, &ad, 0);
1564 }
1565
1566 /* Check whether a task can use an open file descriptor to
1567    access an inode in a given way.  Check access to the
1568    descriptor itself, and then use dentry_has_perm to
1569    check a particular permission to the file.
1570    Access to the descriptor is implicitly granted if it
1571    has the same SID as the process.  If av is zero, then
1572    access to the file is not checked, e.g. for cases
1573    where only the descriptor is affected like seek. */
1574 static int file_has_perm(const struct cred *cred,
1575                          struct file *file,
1576                          u32 av)
1577 {
1578         struct file_security_struct *fsec = file->f_security;
1579         struct inode *inode = file->f_path.dentry->d_inode;
1580         struct common_audit_data ad;
1581         u32 sid = cred_sid(cred);
1582         int rc;
1583
1584         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1585         ad.u.path = file->f_path;
1586
1587         if (sid != fsec->sid) {
1588                 rc = avc_has_perm(sid, fsec->sid,
1589                                   SECCLASS_FD,
1590                                   FD__USE,
1591                                   &ad);
1592                 if (rc)
1593                         goto out;
1594         }
1595
1596         /* av is zero if only checking access to the descriptor. */
1597         rc = 0;
1598         if (av)
1599                 rc = inode_has_perm(cred, inode, av, &ad, 0);
1600
1601 out:
1602         return rc;
1603 }
1604
1605 /* Check whether a task can create a file. */
1606 static int may_create(struct inode *dir,
1607                       struct dentry *dentry,
1608                       u16 tclass)
1609 {
1610         const struct task_security_struct *tsec = current_security();
1611         struct inode_security_struct *dsec;
1612         struct superblock_security_struct *sbsec;
1613         u32 sid, newsid;
1614         struct common_audit_data ad;
1615         int rc;
1616
1617         dsec = dir->i_security;
1618         sbsec = dir->i_sb->s_security;
1619
1620         sid = tsec->sid;
1621         newsid = tsec->create_sid;
1622
1623         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1624         ad.u.dentry = dentry;
1625
1626         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1627                           DIR__ADD_NAME | DIR__SEARCH,
1628                           &ad);
1629         if (rc)
1630                 return rc;
1631
1632         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1633                 rc = security_transition_sid(sid, dsec->sid, tclass,
1634                                              &dentry->d_name, &newsid);
1635                 if (rc)
1636                         return rc;
1637         }
1638
1639         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1640         if (rc)
1641                 return rc;
1642
1643         return avc_has_perm(newsid, sbsec->sid,
1644                             SECCLASS_FILESYSTEM,
1645                             FILESYSTEM__ASSOCIATE, &ad);
1646 }
1647
1648 /* Check whether a task can create a key. */
1649 static int may_create_key(u32 ksid,
1650                           struct task_struct *ctx)
1651 {
1652         u32 sid = task_sid(ctx);
1653
1654         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1655 }
1656
1657 #define MAY_LINK        0
1658 #define MAY_UNLINK      1
1659 #define MAY_RMDIR       2
1660
1661 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1662 static int may_link(struct inode *dir,
1663                     struct dentry *dentry,
1664                     int kind)
1665
1666 {
1667         struct inode_security_struct *dsec, *isec;
1668         struct common_audit_data ad;
1669         u32 sid = current_sid();
1670         u32 av;
1671         int rc;
1672
1673         dsec = dir->i_security;
1674         isec = dentry->d_inode->i_security;
1675
1676         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1677         ad.u.dentry = dentry;
1678
1679         av = DIR__SEARCH;
1680         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1681         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1682         if (rc)
1683                 return rc;
1684
1685         switch (kind) {
1686         case MAY_LINK:
1687                 av = FILE__LINK;
1688                 break;
1689         case MAY_UNLINK:
1690                 av = FILE__UNLINK;
1691                 break;
1692         case MAY_RMDIR:
1693                 av = DIR__RMDIR;
1694                 break;
1695         default:
1696                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1697                         __func__, kind);
1698                 return 0;
1699         }
1700
1701         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1702         return rc;
1703 }
1704
1705 static inline int may_rename(struct inode *old_dir,
1706                              struct dentry *old_dentry,
1707                              struct inode *new_dir,
1708                              struct dentry *new_dentry)
1709 {
1710         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1711         struct common_audit_data ad;
1712         u32 sid = current_sid();
1713         u32 av;
1714         int old_is_dir, new_is_dir;
1715         int rc;
1716
1717         old_dsec = old_dir->i_security;
1718         old_isec = old_dentry->d_inode->i_security;
1719         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1720         new_dsec = new_dir->i_security;
1721
1722         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1723
1724         ad.u.dentry = old_dentry;
1725         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1726                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1727         if (rc)
1728                 return rc;
1729         rc = avc_has_perm(sid, old_isec->sid,
1730                           old_isec->sclass, FILE__RENAME, &ad);
1731         if (rc)
1732                 return rc;
1733         if (old_is_dir && new_dir != old_dir) {
1734                 rc = avc_has_perm(sid, old_isec->sid,
1735                                   old_isec->sclass, DIR__REPARENT, &ad);
1736                 if (rc)
1737                         return rc;
1738         }
1739
1740         ad.u.dentry = new_dentry;
1741         av = DIR__ADD_NAME | DIR__SEARCH;
1742         if (new_dentry->d_inode)
1743                 av |= DIR__REMOVE_NAME;
1744         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1745         if (rc)
1746                 return rc;
1747         if (new_dentry->d_inode) {
1748                 new_isec = new_dentry->d_inode->i_security;
1749                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1750                 rc = avc_has_perm(sid, new_isec->sid,
1751                                   new_isec->sclass,
1752                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1753                 if (rc)
1754                         return rc;
1755         }
1756
1757         return 0;
1758 }
1759
1760 /* Check whether a task can perform a filesystem operation. */
1761 static int superblock_has_perm(const struct cred *cred,
1762                                struct super_block *sb,
1763                                u32 perms,
1764                                struct common_audit_data *ad)
1765 {
1766         struct superblock_security_struct *sbsec;
1767         u32 sid = cred_sid(cred);
1768
1769         sbsec = sb->s_security;
1770         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1771 }
1772
1773 /* Convert a Linux mode and permission mask to an access vector. */
1774 static inline u32 file_mask_to_av(int mode, int mask)
1775 {
1776         u32 av = 0;
1777
1778         if ((mode & S_IFMT) != S_IFDIR) {
1779                 if (mask & MAY_EXEC)
1780                         av |= FILE__EXECUTE;
1781                 if (mask & MAY_READ)
1782                         av |= FILE__READ;
1783
1784                 if (mask & MAY_APPEND)
1785                         av |= FILE__APPEND;
1786                 else if (mask & MAY_WRITE)
1787                         av |= FILE__WRITE;
1788
1789         } else {
1790                 if (mask & MAY_EXEC)
1791                         av |= DIR__SEARCH;
1792                 if (mask & MAY_WRITE)
1793                         av |= DIR__WRITE;
1794                 if (mask & MAY_READ)
1795                         av |= DIR__READ;
1796         }
1797
1798         return av;
1799 }
1800
1801 /* Convert a Linux file to an access vector. */
1802 static inline u32 file_to_av(struct file *file)
1803 {
1804         u32 av = 0;
1805
1806         if (file->f_mode & FMODE_READ)
1807                 av |= FILE__READ;
1808         if (file->f_mode & FMODE_WRITE) {
1809                 if (file->f_flags & O_APPEND)
1810                         av |= FILE__APPEND;
1811                 else
1812                         av |= FILE__WRITE;
1813         }
1814         if (!av) {
1815                 /*
1816                  * Special file opened with flags 3 for ioctl-only use.
1817                  */
1818                 av = FILE__IOCTL;
1819         }
1820
1821         return av;
1822 }
1823
1824 /*
1825  * Convert a file to an access vector and include the correct open
1826  * open permission.
1827  */
1828 static inline u32 open_file_to_av(struct file *file)
1829 {
1830         u32 av = file_to_av(file);
1831
1832         if (selinux_policycap_openperm)
1833                 av |= FILE__OPEN;
1834
1835         return av;
1836 }
1837
1838 /* Hook functions begin here. */
1839
1840 static int selinux_ptrace_access_check(struct task_struct *child,
1841                                      unsigned int mode)
1842 {
1843         int rc;
1844
1845         rc = cap_ptrace_access_check(child, mode);
1846         if (rc)
1847                 return rc;
1848
1849         if (mode == PTRACE_MODE_READ) {
1850                 u32 sid = current_sid();
1851                 u32 csid = task_sid(child);
1852                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1853         }
1854
1855         return current_has_perm(child, PROCESS__PTRACE);
1856 }
1857
1858 static int selinux_ptrace_traceme(struct task_struct *parent)
1859 {
1860         int rc;
1861
1862         rc = cap_ptrace_traceme(parent);
1863         if (rc)
1864                 return rc;
1865
1866         return task_has_perm(parent, current, PROCESS__PTRACE);
1867 }
1868
1869 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1870                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1871 {
1872         int error;
1873
1874         error = current_has_perm(target, PROCESS__GETCAP);
1875         if (error)
1876                 return error;
1877
1878         return cap_capget(target, effective, inheritable, permitted);
1879 }
1880
1881 static int selinux_capset(struct cred *new, const struct cred *old,
1882                           const kernel_cap_t *effective,
1883                           const kernel_cap_t *inheritable,
1884                           const kernel_cap_t *permitted)
1885 {
1886         int error;
1887
1888         error = cap_capset(new, old,
1889                                       effective, inheritable, permitted);
1890         if (error)
1891                 return error;
1892
1893         return cred_has_perm(old, new, PROCESS__SETCAP);
1894 }
1895
1896 /*
1897  * (This comment used to live with the selinux_task_setuid hook,
1898  * which was removed).
1899  *
1900  * Since setuid only affects the current process, and since the SELinux
1901  * controls are not based on the Linux identity attributes, SELinux does not
1902  * need to control this operation.  However, SELinux does control the use of
1903  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1904  */
1905
1906 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1907                            struct user_namespace *ns, int cap, int audit)
1908 {
1909         int rc;
1910
1911         rc = cap_capable(tsk, cred, ns, cap, audit);
1912         if (rc)
1913                 return rc;
1914
1915         return task_has_capability(tsk, cred, cap, audit);
1916 }
1917
1918 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1919 {
1920         const struct cred *cred = current_cred();
1921         int rc = 0;
1922
1923         if (!sb)
1924                 return 0;
1925
1926         switch (cmds) {
1927         case Q_SYNC:
1928         case Q_QUOTAON:
1929         case Q_QUOTAOFF:
1930         case Q_SETINFO:
1931         case Q_SETQUOTA:
1932                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1933                 break;
1934         case Q_GETFMT:
1935         case Q_GETINFO:
1936         case Q_GETQUOTA:
1937                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1938                 break;
1939         default:
1940                 rc = 0;  /* let the kernel handle invalid cmds */
1941                 break;
1942         }
1943         return rc;
1944 }
1945
1946 static int selinux_quota_on(struct dentry *dentry)
1947 {
1948         const struct cred *cred = current_cred();
1949
1950         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1951 }
1952
1953 static int selinux_syslog(int type)
1954 {
1955         int rc;
1956
1957         switch (type) {
1958         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1959         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1960                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1961                 break;
1962         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1963         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1964         /* Set level of messages printed to console */
1965         case SYSLOG_ACTION_CONSOLE_LEVEL:
1966                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1967                 break;
1968         case SYSLOG_ACTION_CLOSE:       /* Close log */
1969         case SYSLOG_ACTION_OPEN:        /* Open log */
1970         case SYSLOG_ACTION_READ:        /* Read from log */
1971         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1972         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1973         default:
1974                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1975                 break;
1976         }
1977         return rc;
1978 }
1979
1980 /*
1981  * Check that a process has enough memory to allocate a new virtual
1982  * mapping. 0 means there is enough memory for the allocation to
1983  * succeed and -ENOMEM implies there is not.
1984  *
1985  * Do not audit the selinux permission check, as this is applied to all
1986  * processes that allocate mappings.
1987  */
1988 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1989 {
1990         int rc, cap_sys_admin = 0;
1991
1992         rc = selinux_capable(current, current_cred(),
1993                              &init_user_ns, CAP_SYS_ADMIN,
1994                              SECURITY_CAP_NOAUDIT);
1995         if (rc == 0)
1996                 cap_sys_admin = 1;
1997
1998         return __vm_enough_memory(mm, pages, cap_sys_admin);
1999 }
2000
2001 /* binprm security operations */
2002
2003 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2004 {
2005         const struct task_security_struct *old_tsec;
2006         struct task_security_struct *new_tsec;
2007         struct inode_security_struct *isec;
2008         struct common_audit_data ad;
2009         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2010         int rc;
2011
2012         rc = cap_bprm_set_creds(bprm);
2013         if (rc)
2014                 return rc;
2015
2016         /* SELinux context only depends on initial program or script and not
2017          * the script interpreter */
2018         if (bprm->cred_prepared)
2019                 return 0;
2020
2021         old_tsec = current_security();
2022         new_tsec = bprm->cred->security;
2023         isec = inode->i_security;
2024
2025         /* Default to the current task SID. */
2026         new_tsec->sid = old_tsec->sid;
2027         new_tsec->osid = old_tsec->sid;
2028
2029         /* Reset fs, key, and sock SIDs on execve. */
2030         new_tsec->create_sid = 0;
2031         new_tsec->keycreate_sid = 0;
2032         new_tsec->sockcreate_sid = 0;
2033
2034         if (old_tsec->exec_sid) {
2035                 new_tsec->sid = old_tsec->exec_sid;
2036                 /* Reset exec SID on execve. */
2037                 new_tsec->exec_sid = 0;
2038         } else {
2039                 /* Check for a default transition on this program. */
2040                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2041                                              SECCLASS_PROCESS, NULL,
2042                                              &new_tsec->sid);
2043                 if (rc)
2044                         return rc;
2045         }
2046
2047         COMMON_AUDIT_DATA_INIT(&ad, PATH);
2048         ad.u.path = bprm->file->f_path;
2049
2050         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2051                 new_tsec->sid = old_tsec->sid;
2052
2053         if (new_tsec->sid == old_tsec->sid) {
2054                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2055                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2056                 if (rc)
2057                         return rc;
2058         } else {
2059                 /* Check permissions for the transition. */
2060                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2061                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2062                 if (rc)
2063                         return rc;
2064
2065                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2066                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2067                 if (rc)
2068                         return rc;
2069
2070                 /* Check for shared state */
2071                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2072                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2073                                           SECCLASS_PROCESS, PROCESS__SHARE,
2074                                           NULL);
2075                         if (rc)
2076                                 return -EPERM;
2077                 }
2078
2079                 /* Make sure that anyone attempting to ptrace over a task that
2080                  * changes its SID has the appropriate permit */
2081                 if (bprm->unsafe &
2082                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2083                         struct task_struct *tracer;
2084                         struct task_security_struct *sec;
2085                         u32 ptsid = 0;
2086
2087                         rcu_read_lock();
2088                         tracer = ptrace_parent(current);
2089                         if (likely(tracer != NULL)) {
2090                                 sec = __task_cred(tracer)->security;
2091                                 ptsid = sec->sid;
2092                         }
2093                         rcu_read_unlock();
2094
2095                         if (ptsid != 0) {
2096                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2097                                                   SECCLASS_PROCESS,
2098                                                   PROCESS__PTRACE, NULL);
2099                                 if (rc)
2100                                         return -EPERM;
2101                         }
2102                 }
2103
2104                 /* Clear any possibly unsafe personality bits on exec: */
2105                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2106         }
2107
2108         return 0;
2109 }
2110
2111 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2112 {
2113         const struct task_security_struct *tsec = current_security();
2114         u32 sid, osid;
2115         int atsecure = 0;
2116
2117         sid = tsec->sid;
2118         osid = tsec->osid;
2119
2120         if (osid != sid) {
2121                 /* Enable secure mode for SIDs transitions unless
2122                    the noatsecure permission is granted between
2123                    the two SIDs, i.e. ahp returns 0. */
2124                 atsecure = avc_has_perm(osid, sid,
2125                                         SECCLASS_PROCESS,
2126                                         PROCESS__NOATSECURE, NULL);
2127         }
2128
2129         return (atsecure || cap_bprm_secureexec(bprm));
2130 }
2131
2132 /* Derived from fs/exec.c:flush_old_files. */
2133 static inline void flush_unauthorized_files(const struct cred *cred,
2134                                             struct files_struct *files)
2135 {
2136         struct common_audit_data ad;
2137         struct file *file, *devnull = NULL;
2138         struct tty_struct *tty;
2139         struct fdtable *fdt;
2140         long j = -1;
2141         int drop_tty = 0;
2142
2143         tty = get_current_tty();
2144         if (tty) {
2145                 spin_lock(&tty_files_lock);
2146                 if (!list_empty(&tty->tty_files)) {
2147                         struct tty_file_private *file_priv;
2148                         struct inode *inode;
2149
2150                         /* Revalidate access to controlling tty.
2151                            Use inode_has_perm on the tty inode directly rather
2152                            than using file_has_perm, as this particular open
2153                            file may belong to another process and we are only
2154                            interested in the inode-based check here. */
2155                         file_priv = list_first_entry(&tty->tty_files,
2156                                                 struct tty_file_private, list);
2157                         file = file_priv->file;
2158                         inode = file->f_path.dentry->d_inode;
2159                         if (inode_has_perm_noadp(cred, inode,
2160                                            FILE__READ | FILE__WRITE, 0)) {
2161                                 drop_tty = 1;
2162                         }
2163                 }
2164                 spin_unlock(&tty_files_lock);
2165                 tty_kref_put(tty);
2166         }
2167         /* Reset controlling tty. */
2168         if (drop_tty)
2169                 no_tty();
2170
2171         /* Revalidate access to inherited open files. */
2172
2173         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2174
2175         spin_lock(&files->file_lock);
2176         for (;;) {
2177                 unsigned long set, i;
2178                 int fd;
2179
2180                 j++;
2181                 i = j * __NFDBITS;
2182                 fdt = files_fdtable(files);
2183                 if (i >= fdt->max_fds)
2184                         break;
2185                 set = fdt->open_fds->fds_bits[j];
2186                 if (!set)
2187                         continue;
2188                 spin_unlock(&files->file_lock);
2189                 for ( ; set ; i++, set >>= 1) {
2190                         if (set & 1) {
2191                                 file = fget(i);
2192                                 if (!file)
2193                                         continue;
2194                                 if (file_has_perm(cred,
2195                                                   file,
2196                                                   file_to_av(file))) {
2197                                         sys_close(i);
2198                                         fd = get_unused_fd();
2199                                         if (fd != i) {
2200                                                 if (fd >= 0)
2201                                                         put_unused_fd(fd);
2202                                                 fput(file);
2203                                                 continue;
2204                                         }
2205                                         if (devnull) {
2206                                                 get_file(devnull);
2207                                         } else {
2208                                                 devnull = dentry_open(
2209                                                         dget(selinux_null),
2210                                                         mntget(selinuxfs_mount),
2211                                                         O_RDWR, cred);
2212                                                 if (IS_ERR(devnull)) {
2213                                                         devnull = NULL;
2214                                                         put_unused_fd(fd);
2215                                                         fput(file);
2216                                                         continue;
2217                                                 }
2218                                         }
2219                                         fd_install(fd, devnull);
2220                                 }
2221                                 fput(file);
2222                         }
2223                 }
2224                 spin_lock(&files->file_lock);
2225
2226         }
2227         spin_unlock(&files->file_lock);
2228 }
2229
2230 /*
2231  * Prepare a process for imminent new credential changes due to exec
2232  */
2233 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2234 {
2235         struct task_security_struct *new_tsec;
2236         struct rlimit *rlim, *initrlim;
2237         int rc, i;
2238
2239         new_tsec = bprm->cred->security;
2240         if (new_tsec->sid == new_tsec->osid)
2241                 return;
2242
2243         /* Close files for which the new task SID is not authorized. */
2244         flush_unauthorized_files(bprm->cred, current->files);
2245
2246         /* Always clear parent death signal on SID transitions. */
2247         current->pdeath_signal = 0;
2248
2249         /* Check whether the new SID can inherit resource limits from the old
2250          * SID.  If not, reset all soft limits to the lower of the current
2251          * task's hard limit and the init task's soft limit.
2252          *
2253          * Note that the setting of hard limits (even to lower them) can be
2254          * controlled by the setrlimit check.  The inclusion of the init task's
2255          * soft limit into the computation is to avoid resetting soft limits
2256          * higher than the default soft limit for cases where the default is
2257          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2258          */
2259         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2260                           PROCESS__RLIMITINH, NULL);
2261         if (rc) {
2262                 /* protect against do_prlimit() */
2263                 task_lock(current);
2264                 for (i = 0; i < RLIM_NLIMITS; i++) {
2265                         rlim = current->signal->rlim + i;
2266                         initrlim = init_task.signal->rlim + i;
2267                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2268                 }
2269                 task_unlock(current);
2270                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2271         }
2272 }
2273
2274 /*
2275  * Clean up the process immediately after the installation of new credentials
2276  * due to exec
2277  */
2278 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2279 {
2280         const struct task_security_struct *tsec = current_security();
2281         struct itimerval itimer;
2282         u32 osid, sid;
2283         int rc, i;
2284
2285         osid = tsec->osid;
2286         sid = tsec->sid;
2287
2288         if (sid == osid)
2289                 return;
2290
2291         /* Check whether the new SID can inherit signal state from the old SID.
2292          * If not, clear itimers to avoid subsequent signal generation and
2293          * flush and unblock signals.
2294          *
2295          * This must occur _after_ the task SID has been updated so that any
2296          * kill done after the flush will be checked against the new SID.
2297          */
2298         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2299         if (rc) {
2300                 memset(&itimer, 0, sizeof itimer);
2301                 for (i = 0; i < 3; i++)
2302                         do_setitimer(i, &itimer, NULL);
2303                 spin_lock_irq(&current->sighand->siglock);
2304                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2305                         __flush_signals(current);
2306                         flush_signal_handlers(current, 1);
2307                         sigemptyset(&current->blocked);
2308                 }
2309                 spin_unlock_irq(&current->sighand->siglock);
2310         }
2311
2312         /* Wake up the parent if it is waiting so that it can recheck
2313          * wait permission to the new task SID. */
2314         read_lock(&tasklist_lock);
2315         __wake_up_parent(current, current->real_parent);
2316         read_unlock(&tasklist_lock);
2317 }
2318
2319 /* superblock security operations */
2320
2321 static int selinux_sb_alloc_security(struct super_block *sb)
2322 {
2323         return superblock_alloc_security(sb);
2324 }
2325
2326 static void selinux_sb_free_security(struct super_block *sb)
2327 {
2328         superblock_free_security(sb);
2329 }
2330
2331 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2332 {
2333         if (plen > olen)
2334                 return 0;
2335
2336         return !memcmp(prefix, option, plen);
2337 }
2338
2339 static inline int selinux_option(char *option, int len)
2340 {
2341         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2342                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2343                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2344                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2345                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2346 }
2347
2348 static inline void take_option(char **to, char *from, int *first, int len)
2349 {
2350         if (!*first) {
2351                 **to = ',';
2352                 *to += 1;
2353         } else
2354                 *first = 0;
2355         memcpy(*to, from, len);
2356         *to += len;
2357 }
2358
2359 static inline void take_selinux_option(char **to, char *from, int *first,
2360                                        int len)
2361 {
2362         int current_size = 0;
2363
2364         if (!*first) {
2365                 **to = '|';
2366                 *to += 1;
2367         } else
2368                 *first = 0;
2369
2370         while (current_size < len) {
2371                 if (*from != '"') {
2372                         **to = *from;
2373                         *to += 1;
2374                 }
2375                 from += 1;
2376                 current_size += 1;
2377         }
2378 }
2379
2380 static int selinux_sb_copy_data(char *orig, char *copy)
2381 {
2382         int fnosec, fsec, rc = 0;
2383         char *in_save, *in_curr, *in_end;
2384         char *sec_curr, *nosec_save, *nosec;
2385         int open_quote = 0;
2386
2387         in_curr = orig;
2388         sec_curr = copy;
2389
2390         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2391         if (!nosec) {
2392                 rc = -ENOMEM;
2393                 goto out;
2394         }
2395
2396         nosec_save = nosec;
2397         fnosec = fsec = 1;
2398         in_save = in_end = orig;
2399
2400         do {
2401                 if (*in_end == '"')
2402                         open_quote = !open_quote;
2403                 if ((*in_end == ',' && open_quote == 0) ||
2404                                 *in_end == '\0') {
2405                         int len = in_end - in_curr;
2406
2407                         if (selinux_option(in_curr, len))
2408                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2409                         else
2410                                 take_option(&nosec, in_curr, &fnosec, len);
2411
2412                         in_curr = in_end + 1;
2413                 }
2414         } while (*in_end++);
2415
2416         strcpy(in_save, nosec_save);
2417         free_page((unsigned long)nosec_save);
2418 out:
2419         return rc;
2420 }
2421
2422 static int selinux_sb_remount(struct super_block *sb, void *data)
2423 {
2424         int rc, i, *flags;
2425         struct security_mnt_opts opts;
2426         char *secdata, **mount_options;
2427         struct superblock_security_struct *sbsec = sb->s_security;
2428
2429         if (!(sbsec->flags & SE_SBINITIALIZED))
2430                 return 0;
2431
2432         if (!data)
2433                 return 0;
2434
2435         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2436                 return 0;
2437
2438         security_init_mnt_opts(&opts);
2439         secdata = alloc_secdata();
2440         if (!secdata)
2441                 return -ENOMEM;
2442         rc = selinux_sb_copy_data(data, secdata);
2443         if (rc)
2444                 goto out_free_secdata;
2445
2446         rc = selinux_parse_opts_str(secdata, &opts);
2447         if (rc)
2448                 goto out_free_secdata;
2449
2450         mount_options = opts.mnt_opts;
2451         flags = opts.mnt_opts_flags;
2452
2453         for (i = 0; i < opts.num_mnt_opts; i++) {
2454                 u32 sid;
2455                 size_t len;
2456
2457                 if (flags[i] == SE_SBLABELSUPP)
2458                         continue;
2459                 len = strlen(mount_options[i]);
2460                 rc = security_context_to_sid(mount_options[i], len, &sid);
2461                 if (rc) {
2462                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2463                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2464                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2465                         goto out_free_opts;
2466                 }
2467                 rc = -EINVAL;
2468                 switch (flags[i]) {
2469                 case FSCONTEXT_MNT:
2470                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2471                                 goto out_bad_option;
2472                         break;
2473                 case CONTEXT_MNT:
2474                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2475                                 goto out_bad_option;
2476                         break;
2477                 case ROOTCONTEXT_MNT: {
2478                         struct inode_security_struct *root_isec;
2479                         root_isec = sb->s_root->d_inode->i_security;
2480
2481                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2482                                 goto out_bad_option;
2483                         break;
2484                 }
2485                 case DEFCONTEXT_MNT:
2486                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2487                                 goto out_bad_option;
2488                         break;
2489                 default:
2490                         goto out_free_opts;
2491                 }
2492         }
2493
2494         rc = 0;
2495 out_free_opts:
2496         security_free_mnt_opts(&opts);
2497 out_free_secdata:
2498         free_secdata(secdata);
2499         return rc;
2500 out_bad_option:
2501         printk(KERN_WARNING "SELinux: unable to change security options "
2502                "during remount (dev %s, type=%s)\n", sb->s_id,
2503                sb->s_type->name);
2504         goto out_free_opts;
2505 }
2506
2507 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2508 {
2509         const struct cred *cred = current_cred();
2510         struct common_audit_data ad;
2511         int rc;
2512
2513         rc = superblock_doinit(sb, data);
2514         if (rc)
2515                 return rc;
2516
2517         /* Allow all mounts performed by the kernel */
2518         if (flags & MS_KERNMOUNT)
2519                 return 0;
2520
2521         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2522         ad.u.dentry = sb->s_root;
2523         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2524 }
2525
2526 static int selinux_sb_statfs(struct dentry *dentry)
2527 {
2528         const struct cred *cred = current_cred();
2529         struct common_audit_data ad;
2530
2531         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2532         ad.u.dentry = dentry->d_sb->s_root;
2533         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2534 }
2535
2536 static int selinux_mount(char *dev_name,
2537                          struct path *path,
2538                          char *type,
2539                          unsigned long flags,
2540                          void *data)
2541 {
2542         const struct cred *cred = current_cred();
2543
2544         if (flags & MS_REMOUNT)
2545                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2546                                            FILESYSTEM__REMOUNT, NULL);
2547         else
2548                 return path_has_perm(cred, path, FILE__MOUNTON);
2549 }
2550
2551 static int selinux_umount(struct vfsmount *mnt, int flags)
2552 {
2553         const struct cred *cred = current_cred();
2554
2555         return superblock_has_perm(cred, mnt->mnt_sb,
2556                                    FILESYSTEM__UNMOUNT, NULL);
2557 }
2558
2559 /* inode security operations */
2560
2561 static int selinux_inode_alloc_security(struct inode *inode)
2562 {
2563         return inode_alloc_security(inode);
2564 }
2565
2566 static void selinux_inode_free_security(struct inode *inode)
2567 {
2568         inode_free_security(inode);
2569 }
2570
2571 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2572                                        const struct qstr *qstr, char **name,
2573                                        void **value, size_t *len)
2574 {
2575         const struct task_security_struct *tsec = current_security();
2576         struct inode_security_struct *dsec;
2577         struct superblock_security_struct *sbsec;
2578         u32 sid, newsid, clen;
2579         int rc;
2580         char *namep = NULL, *context;
2581
2582         dsec = dir->i_security;
2583         sbsec = dir->i_sb->s_security;
2584
2585         sid = tsec->sid;
2586         newsid = tsec->create_sid;
2587
2588         if ((sbsec->flags & SE_SBINITIALIZED) &&
2589             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2590                 newsid = sbsec->mntpoint_sid;
2591         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2592                 rc = security_transition_sid(sid, dsec->sid,
2593                                              inode_mode_to_security_class(inode->i_mode),
2594                                              qstr, &newsid);
2595                 if (rc) {
2596                         printk(KERN_WARNING "%s:  "
2597                                "security_transition_sid failed, rc=%d (dev=%s "
2598                                "ino=%ld)\n",
2599                                __func__,
2600                                -rc, inode->i_sb->s_id, inode->i_ino);
2601                         return rc;
2602                 }
2603         }
2604
2605         /* Possibly defer initialization to selinux_complete_init. */
2606         if (sbsec->flags & SE_SBINITIALIZED) {
2607                 struct inode_security_struct *isec = inode->i_security;
2608                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2609                 isec->sid = newsid;
2610                 isec->initialized = 1;
2611         }
2612
2613         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2614                 return -EOPNOTSUPP;
2615
2616         if (name) {
2617                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2618                 if (!namep)
2619                         return -ENOMEM;
2620                 *name = namep;
2621         }
2622
2623         if (value && len) {
2624                 rc = security_sid_to_context_force(newsid, &context, &clen);
2625                 if (rc) {
2626                         kfree(namep);
2627                         return rc;
2628                 }
2629                 *value = context;
2630                 *len = clen;
2631         }
2632
2633         return 0;
2634 }
2635
2636 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2637 {
2638         return may_create(dir, dentry, SECCLASS_FILE);
2639 }
2640
2641 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2642 {
2643         return may_link(dir, old_dentry, MAY_LINK);
2644 }
2645
2646 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2647 {
2648         return may_link(dir, dentry, MAY_UNLINK);
2649 }
2650
2651 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2652 {
2653         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2654 }
2655
2656 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2657 {
2658         return may_create(dir, dentry, SECCLASS_DIR);
2659 }
2660
2661 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2662 {
2663         return may_link(dir, dentry, MAY_RMDIR);
2664 }
2665
2666 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2667 {
2668         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2669 }
2670
2671 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2672                                 struct inode *new_inode, struct dentry *new_dentry)
2673 {
2674         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2675 }
2676
2677 static int selinux_inode_readlink(struct dentry *dentry)
2678 {
2679         const struct cred *cred = current_cred();
2680
2681         return dentry_has_perm(cred, dentry, FILE__READ);
2682 }
2683
2684 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2685 {
2686         const struct cred *cred = current_cred();
2687
2688         return dentry_has_perm(cred, dentry, FILE__READ);
2689 }
2690
2691 static int selinux_inode_permission(struct inode *inode, int mask)
2692 {
2693         const struct cred *cred = current_cred();
2694         struct common_audit_data ad;
2695         u32 perms;
2696         bool from_access;
2697         unsigned flags = mask & MAY_NOT_BLOCK;
2698
2699         from_access = mask & MAY_ACCESS;
2700         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2701
2702         /* No permission to check.  Existence test. */
2703         if (!mask)
2704                 return 0;
2705
2706         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2707         ad.u.inode = inode;
2708
2709         if (from_access)
2710                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2711
2712         perms = file_mask_to_av(inode->i_mode, mask);
2713
2714         return inode_has_perm(cred, inode, perms, &ad, flags);
2715 }
2716
2717 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2718 {
2719         const struct cred *cred = current_cred();
2720         unsigned int ia_valid = iattr->ia_valid;
2721
2722         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2723         if (ia_valid & ATTR_FORCE) {
2724                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2725                               ATTR_FORCE);
2726                 if (!ia_valid)
2727                         return 0;
2728         }
2729
2730         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2731                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2732                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2733
2734         return dentry_has_perm(cred, dentry, FILE__WRITE);
2735 }
2736
2737 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2738 {
2739         const struct cred *cred = current_cred();
2740         struct path path;
2741
2742         path.dentry = dentry;
2743         path.mnt = mnt;
2744
2745         return path_has_perm(cred, &path, FILE__GETATTR);
2746 }
2747
2748 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2749 {
2750         const struct cred *cred = current_cred();
2751
2752         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2753                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2754                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2755                         if (!capable(CAP_SETFCAP))
2756                                 return -EPERM;
2757                 } else if (!capable(CAP_SYS_ADMIN)) {
2758                         /* A different attribute in the security namespace.
2759                            Restrict to administrator. */
2760                         return -EPERM;
2761                 }
2762         }
2763
2764         /* Not an attribute we recognize, so just check the
2765            ordinary setattr permission. */
2766         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2767 }
2768
2769 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2770                                   const void *value, size_t size, int flags)
2771 {
2772         struct inode *inode = dentry->d_inode;
2773         struct inode_security_struct *isec = inode->i_security;
2774         struct superblock_security_struct *sbsec;
2775         struct common_audit_data ad;
2776         u32 newsid, sid = current_sid();
2777         int rc = 0;
2778
2779         if (strcmp(name, XATTR_NAME_SELINUX))
2780                 return selinux_inode_setotherxattr(dentry, name);
2781
2782         sbsec = inode->i_sb->s_security;
2783         if (!(sbsec->flags & SE_SBLABELSUPP))
2784                 return -EOPNOTSUPP;
2785
2786         if (!inode_owner_or_capable(inode))
2787                 return -EPERM;
2788
2789         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2790         ad.u.dentry = dentry;
2791
2792         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2793                           FILE__RELABELFROM, &ad);
2794         if (rc)
2795                 return rc;
2796
2797         rc = security_context_to_sid(value, size, &newsid);
2798         if (rc == -EINVAL) {
2799                 if (!capable(CAP_MAC_ADMIN))
2800                         return rc;
2801                 rc = security_context_to_sid_force(value, size, &newsid);
2802         }
2803         if (rc)
2804                 return rc;
2805
2806         rc = avc_has_perm(sid, newsid, isec->sclass,
2807                           FILE__RELABELTO, &ad);
2808         if (rc)
2809                 return rc;
2810
2811         rc = security_validate_transition(isec->sid, newsid, sid,
2812                                           isec->sclass);
2813         if (rc)
2814                 return rc;
2815
2816         return avc_has_perm(newsid,
2817                             sbsec->sid,
2818                             SECCLASS_FILESYSTEM,
2819                             FILESYSTEM__ASSOCIATE,
2820                             &ad);
2821 }
2822
2823 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2824                                         const void *value, size_t size,
2825                                         int flags)
2826 {
2827         struct inode *inode = dentry->d_inode;
2828         struct inode_security_struct *isec = inode->i_security;
2829         u32 newsid;
2830         int rc;
2831
2832         if (strcmp(name, XATTR_NAME_SELINUX)) {
2833                 /* Not an attribute we recognize, so nothing to do. */
2834                 return;
2835         }
2836
2837         rc = security_context_to_sid_force(value, size, &newsid);
2838         if (rc) {
2839                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2840                        "for (%s, %lu), rc=%d\n",
2841                        inode->i_sb->s_id, inode->i_ino, -rc);
2842                 return;
2843         }
2844
2845         isec->sid = newsid;
2846         return;
2847 }
2848
2849 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2850 {
2851         const struct cred *cred = current_cred();
2852
2853         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2854 }
2855
2856 static int selinux_inode_listxattr(struct dentry *dentry)
2857 {
2858         const struct cred *cred = current_cred();
2859
2860         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2861 }
2862
2863 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2864 {
2865         if (strcmp(name, XATTR_NAME_SELINUX))
2866                 return selinux_inode_setotherxattr(dentry, name);
2867
2868         /* No one is allowed to remove a SELinux security label.
2869            You can change the label, but all data must be labeled. */
2870         return -EACCES;
2871 }
2872
2873 /*
2874  * Copy the inode security context value to the user.
2875  *
2876  * Permission check is handled by selinux_inode_getxattr hook.
2877  */
2878 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2879 {
2880         u32 size;
2881         int error;
2882         char *context = NULL;
2883         struct inode_security_struct *isec = inode->i_security;
2884
2885         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2886                 return -EOPNOTSUPP;
2887
2888         /*
2889          * If the caller has CAP_MAC_ADMIN, then get the raw context
2890          * value even if it is not defined by current policy; otherwise,
2891          * use the in-core value under current policy.
2892          * Use the non-auditing forms of the permission checks since
2893          * getxattr may be called by unprivileged processes commonly
2894          * and lack of permission just means that we fall back to the
2895          * in-core context value, not a denial.
2896          */
2897         error = selinux_capable(current, current_cred(),
2898                                 &init_user_ns, CAP_MAC_ADMIN,
2899                                 SECURITY_CAP_NOAUDIT);
2900         if (!error)
2901                 error = security_sid_to_context_force(isec->sid, &context,
2902                                                       &size);
2903         else
2904                 error = security_sid_to_context(isec->sid, &context, &size);
2905         if (error)
2906                 return error;
2907         error = size;
2908         if (alloc) {
2909                 *buffer = context;
2910                 goto out_nofree;
2911         }
2912         kfree(context);
2913 out_nofree:
2914         return error;
2915 }
2916
2917 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2918                                      const void *value, size_t size, int flags)
2919 {
2920         struct inode_security_struct *isec = inode->i_security;
2921         u32 newsid;
2922         int rc;
2923
2924         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2925                 return -EOPNOTSUPP;
2926
2927         if (!value || !size)
2928                 return -EACCES;
2929
2930         rc = security_context_to_sid((void *)value, size, &newsid);
2931         if (rc)
2932                 return rc;
2933
2934         isec->sid = newsid;
2935         isec->initialized = 1;
2936         return 0;
2937 }
2938
2939 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2940 {
2941         const int len = sizeof(XATTR_NAME_SELINUX);
2942         if (buffer && len <= buffer_size)
2943                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2944         return len;
2945 }
2946
2947 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2948 {
2949         struct inode_security_struct *isec = inode->i_security;
2950         *secid = isec->sid;
2951 }
2952
2953 /* file security operations */
2954
2955 static int selinux_revalidate_file_permission(struct file *file, int mask)
2956 {
2957         const struct cred *cred = current_cred();
2958         struct inode *inode = file->f_path.dentry->d_inode;
2959
2960         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2961         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2962                 mask |= MAY_APPEND;
2963
2964         return file_has_perm(cred, file,
2965                              file_mask_to_av(inode->i_mode, mask));
2966 }
2967
2968 static int selinux_file_permission(struct file *file, int mask)
2969 {
2970         struct inode *inode = file->f_path.dentry->d_inode;
2971         struct file_security_struct *fsec = file->f_security;
2972         struct inode_security_struct *isec = inode->i_security;
2973         u32 sid = current_sid();
2974
2975         if (!mask)
2976                 /* No permission to check.  Existence test. */
2977                 return 0;
2978
2979         if (sid == fsec->sid && fsec->isid == isec->sid &&
2980             fsec->pseqno == avc_policy_seqno())
2981                 /* No change since dentry_open check. */
2982                 return 0;
2983
2984         return selinux_revalidate_file_permission(file, mask);
2985 }
2986
2987 static int selinux_file_alloc_security(struct file *file)
2988 {
2989         return file_alloc_security(file);
2990 }
2991
2992 static void selinux_file_free_security(struct file *file)
2993 {
2994         file_free_security(file);
2995 }
2996
2997 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2998                               unsigned long arg)
2999 {
3000         const struct cred *cred = current_cred();
3001         int error = 0;
3002
3003         switch (cmd) {
3004         case FIONREAD:
3005         /* fall through */
3006         case FIBMAP:
3007         /* fall through */
3008         case FIGETBSZ:
3009         /* fall through */
3010         case EXT2_IOC_GETFLAGS:
3011         /* fall through */
3012         case EXT2_IOC_GETVERSION:
3013                 error = file_has_perm(cred, file, FILE__GETATTR);
3014                 break;
3015
3016         case EXT2_IOC_SETFLAGS:
3017         /* fall through */
3018         case EXT2_IOC_SETVERSION:
3019                 error = file_has_perm(cred, file, FILE__SETATTR);
3020                 break;
3021
3022         /* sys_ioctl() checks */
3023         case FIONBIO:
3024         /* fall through */
3025         case FIOASYNC:
3026                 error = file_has_perm(cred, file, 0);
3027                 break;
3028
3029         case KDSKBENT:
3030         case KDSKBSENT:
3031                 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
3032                                         SECURITY_CAP_AUDIT);
3033                 break;
3034
3035         /* default case assumes that the command will go
3036          * to the file's ioctl() function.
3037          */
3038         default:
3039                 error = file_has_perm(cred, file, FILE__IOCTL);
3040         }
3041         return error;
3042 }
3043
3044 static int default_noexec;
3045
3046 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3047 {
3048         const struct cred *cred = current_cred();
3049         int rc = 0;
3050
3051         if (default_noexec &&
3052             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3053                 /*
3054                  * We are making executable an anonymous mapping or a
3055                  * private file mapping that will also be writable.
3056                  * This has an additional check.
3057                  */
3058                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3059                 if (rc)
3060                         goto error;
3061         }
3062
3063         if (file) {
3064                 /* read access is always possible with a mapping */
3065                 u32 av = FILE__READ;
3066
3067                 /* write access only matters if the mapping is shared */
3068                 if (shared && (prot & PROT_WRITE))
3069                         av |= FILE__WRITE;
3070
3071                 if (prot & PROT_EXEC)
3072                         av |= FILE__EXECUTE;
3073
3074                 return file_has_perm(cred, file, av);
3075         }
3076
3077 error:
3078         return rc;
3079 }
3080
3081 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3082                              unsigned long prot, unsigned long flags,
3083                              unsigned long addr, unsigned long addr_only)
3084 {
3085         int rc = 0;
3086         u32 sid = current_sid();
3087
3088         /*
3089          * notice that we are intentionally putting the SELinux check before
3090          * the secondary cap_file_mmap check.  This is such a likely attempt
3091          * at bad behaviour/exploit that we always want to get the AVC, even
3092          * if DAC would have also denied the operation.
3093          */
3094         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3095                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3096                                   MEMPROTECT__MMAP_ZERO, NULL);
3097                 if (rc)
3098                         return rc;
3099         }
3100
3101         /* do DAC check on address space usage */
3102         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3103         if (rc || addr_only)
3104                 return rc;
3105
3106         if (selinux_checkreqprot)
3107                 prot = reqprot;
3108
3109         return file_map_prot_check(file, prot,
3110                                    (flags & MAP_TYPE) == MAP_SHARED);
3111 }
3112
3113 static int selinux_file_mprotect(struct vm_area_struct *vma,
3114                                  unsigned long reqprot,
3115                                  unsigned long prot)
3116 {
3117         const struct cred *cred = current_cred();
3118
3119         if (selinux_checkreqprot)
3120                 prot = reqprot;
3121
3122         if (default_noexec &&
3123             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3124                 int rc = 0;
3125                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3126                     vma->vm_end <= vma->vm_mm->brk) {
3127                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3128                 } else if (!vma->vm_file &&
3129                            vma->vm_start <= vma->vm_mm->start_stack &&
3130                            vma->vm_end >= vma->vm_mm->start_stack) {
3131                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3132                 } else if (vma->vm_file && vma->anon_vma) {
3133                         /*
3134                          * We are making executable a file mapping that has
3135                          * had some COW done. Since pages might have been
3136                          * written, check ability to execute the possibly
3137                          * modified content.  This typically should only
3138                          * occur for text relocations.
3139                          */
3140                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3141                 }
3142                 if (rc)
3143                         return rc;
3144         }
3145
3146         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3147 }
3148
3149 static int selinux_file_lock(struct file *file, unsigned int cmd)
3150 {
3151         const struct cred *cred = current_cred();
3152
3153         return file_has_perm(cred, file, FILE__LOCK);
3154 }
3155
3156 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3157                               unsigned long arg)
3158 {
3159         const struct cred *cred = current_cred();
3160         int err = 0;
3161
3162         switch (cmd) {
3163         case F_SETFL:
3164                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3165                         err = -EINVAL;
3166                         break;
3167                 }
3168
3169                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3170                         err = file_has_perm(cred, file, FILE__WRITE);
3171                         break;
3172                 }
3173                 /* fall through */
3174         case F_SETOWN:
3175         case F_SETSIG:
3176         case F_GETFL:
3177         case F_GETOWN:
3178         case F_GETSIG:
3179                 /* Just check FD__USE permission */
3180                 err = file_has_perm(cred, file, 0);
3181                 break;
3182         case F_GETLK:
3183         case F_SETLK:
3184         case F_SETLKW:
3185 #if BITS_PER_LONG == 32
3186         case F_GETLK64:
3187         case F_SETLK64:
3188         case F_SETLKW64:
3189 #endif
3190                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3191                         err = -EINVAL;
3192                         break;
3193                 }
3194                 err = file_has_perm(cred, file, FILE__LOCK);
3195                 break;
3196         }
3197
3198         return err;
3199 }
3200
3201 static int selinux_file_set_fowner(struct file *file)
3202 {
3203         struct file_security_struct *fsec;
3204
3205         fsec = file->f_security;
3206         fsec->fown_sid = current_sid();
3207
3208         return 0;
3209 }
3210
3211 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3212                                        struct fown_struct *fown, int signum)
3213 {
3214         struct file *file;
3215         u32 sid = task_sid(tsk);
3216         u32 perm;
3217         struct file_security_struct *fsec;
3218
3219         /* struct fown_struct is never outside the context of a struct file */
3220         file = container_of(fown, struct file, f_owner);
3221
3222         fsec = file->f_security;
3223
3224         if (!signum)
3225                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3226         else
3227                 perm = signal_to_av(signum);
3228
3229         return avc_has_perm(fsec->fown_sid, sid,
3230                             SECCLASS_PROCESS, perm, NULL);
3231 }
3232
3233 static int selinux_file_receive(struct file *file)
3234 {
3235         const struct cred *cred = current_cred();
3236
3237         return file_has_perm(cred, file, file_to_av(file));
3238 }
3239
3240 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3241 {
3242         struct file_security_struct *fsec;
3243         struct inode *inode;
3244         struct inode_security_struct *isec;
3245
3246         inode = file->f_path.dentry->d_inode;
3247         fsec = file->f_security;
3248         isec = inode->i_security;
3249         /*
3250          * Save inode label and policy sequence number
3251          * at open-time so that selinux_file_permission
3252          * can determine whether revalidation is necessary.
3253          * Task label is already saved in the file security
3254          * struct as its SID.
3255          */
3256         fsec->isid = isec->sid;
3257         fsec->pseqno = avc_policy_seqno();
3258         /*
3259          * Since the inode label or policy seqno may have changed
3260          * between the selinux_inode_permission check and the saving
3261          * of state above, recheck that access is still permitted.
3262          * Otherwise, access might never be revalidated against the
3263          * new inode label or new policy.
3264          * This check is not redundant - do not remove.
3265          */
3266         return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3267 }
3268
3269 /* task security operations */
3270
3271 static int selinux_task_create(unsigned long clone_flags)
3272 {
3273         return current_has_perm(current, PROCESS__FORK);
3274 }
3275
3276 /*
3277  * allocate the SELinux part of blank credentials
3278  */
3279 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3280 {
3281         struct task_security_struct *tsec;
3282
3283         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3284         if (!tsec)
3285                 return -ENOMEM;
3286
3287         cred->security = tsec;
3288         return 0;
3289 }
3290
3291 /*
3292  * detach and free the LSM part of a set of credentials
3293  */
3294 static void selinux_cred_free(struct cred *cred)
3295 {
3296         struct task_security_struct *tsec = cred->security;
3297
3298         /*
3299          * cred->security == NULL if security_cred_alloc_blank() or
3300          * security_prepare_creds() returned an error.
3301          */
3302         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3303         cred->security = (void *) 0x7UL;
3304         kfree(tsec);
3305 }
3306
3307 /*
3308  * prepare a new set of credentials for modification
3309  */
3310 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3311                                 gfp_t gfp)
3312 {
3313         const struct task_security_struct *old_tsec;
3314         struct task_security_struct *tsec;
3315
3316         old_tsec = old->security;
3317
3318         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3319         if (!tsec)
3320                 return -ENOMEM;
3321
3322         new->security = tsec;
3323         return 0;
3324 }
3325
3326 /*
3327  * transfer the SELinux data to a blank set of creds
3328  */
3329 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3330 {
3331         const struct task_security_struct *old_tsec = old->security;
3332         struct task_security_struct *tsec = new->security;
3333
3334         *tsec = *old_tsec;
3335 }
3336
3337 /*
3338  * set the security data for a kernel service
3339  * - all the creation contexts are set to unlabelled
3340  */
3341 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3342 {
3343         struct task_security_struct *tsec = new->security;
3344         u32 sid = current_sid();
3345         int ret;
3346
3347         ret = avc_has_perm(sid, secid,
3348                            SECCLASS_KERNEL_SERVICE,
3349                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3350                            NULL);
3351         if (ret == 0) {
3352                 tsec->sid = secid;
3353                 tsec->create_sid = 0;
3354                 tsec->keycreate_sid = 0;
3355                 tsec->sockcreate_sid = 0;
3356         }
3357         return ret;
3358 }
3359
3360 /*
3361  * set the file creation context in a security record to the same as the
3362  * objective context of the specified inode
3363  */
3364 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3365 {
3366         struct inode_security_struct *isec = inode->i_security;
3367         struct task_security_struct *tsec = new->security;
3368         u32 sid = current_sid();
3369         int ret;
3370
3371         ret = avc_has_perm(sid, isec->sid,
3372                            SECCLASS_KERNEL_SERVICE,
3373                            KERNEL_SERVICE__CREATE_FILES_AS,
3374                            NULL);
3375
3376         if (ret == 0)
3377                 tsec->create_sid = isec->sid;
3378         return ret;
3379 }
3380
3381 static int selinux_kernel_module_request(char *kmod_name)
3382 {
3383         u32 sid;
3384         struct common_audit_data ad;
3385
3386         sid = task_sid(current);
3387
3388         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3389         ad.u.kmod_name = kmod_name;
3390
3391         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3392                             SYSTEM__MODULE_REQUEST, &ad);
3393 }
3394
3395 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3396 {
3397         return current_has_perm(p, PROCESS__SETPGID);
3398 }
3399
3400 static int selinux_task_getpgid(struct task_struct *p)
3401 {
3402         return current_has_perm(p, PROCESS__GETPGID);
3403 }
3404
3405 static int selinux_task_getsid(struct task_struct *p)
3406 {
3407         return current_has_perm(p, PROCESS__GETSESSION);
3408 }
3409
3410 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3411 {
3412         *secid = task_sid(p);
3413 }
3414
3415 static int selinux_task_setnice(struct task_struct *p, int nice)
3416 {
3417         int rc;
3418
3419         rc = cap_task_setnice(p, nice);
3420         if (rc)
3421                 return rc;
3422
3423         return current_has_perm(p, PROCESS__SETSCHED);
3424 }
3425
3426 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3427 {
3428         int rc;
3429
3430         rc = cap_task_setioprio(p, ioprio);
3431         if (rc)
3432                 return rc;
3433
3434         return current_has_perm(p, PROCESS__SETSCHED);
3435 }
3436
3437 static int selinux_task_getioprio(struct task_struct *p)
3438 {
3439         return current_has_perm(p, PROCESS__GETSCHED);
3440 }
3441
3442 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3443                 struct rlimit *new_rlim)
3444 {
3445         struct rlimit *old_rlim = p->signal->rlim + resource;
3446
3447         /* Control the ability to change the hard limit (whether
3448            lowering or raising it), so that the hard limit can
3449            later be used as a safe reset point for the soft limit
3450            upon context transitions.  See selinux_bprm_committing_creds. */
3451         if (old_rlim->rlim_max != new_rlim->rlim_max)
3452                 return current_has_perm(p, PROCESS__SETRLIMIT);
3453
3454         return 0;
3455 }
3456
3457 static int selinux_task_setscheduler(struct task_struct *p)
3458 {
3459         int rc;
3460
3461         rc = cap_task_setscheduler(p);
3462         if (rc)
3463                 return rc;
3464
3465         return current_has_perm(p, PROCESS__SETSCHED);
3466 }
3467
3468 static int selinux_task_getscheduler(struct task_struct *p)
3469 {
3470         return current_has_perm(p, PROCESS__GETSCHED);
3471 }
3472
3473 static int selinux_task_movememory(struct task_struct *p)
3474 {
3475         return current_has_perm(p, PROCESS__SETSCHED);
3476 }
3477
3478 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3479                                 int sig, u32 secid)
3480 {
3481         u32 perm;
3482         int rc;
3483
3484         if (!sig)
3485                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3486         else
3487                 perm = signal_to_av(sig);
3488         if (secid)
3489                 rc = avc_has_perm(secid, task_sid(p),
3490                                   SECCLASS_PROCESS, perm, NULL);
3491         else
3492                 rc = current_has_perm(p, perm);
3493         return rc;
3494 }
3495
3496 static int selinux_task_wait(struct task_struct *p)
3497 {
3498         return task_has_perm(p, current, PROCESS__SIGCHLD);
3499 }
3500
3501 static void selinux_task_to_inode(struct task_struct *p,
3502                                   struct inode *inode)
3503 {
3504         struct inode_security_struct *isec = inode->i_security;
3505         u32 sid = task_sid(p);
3506
3507         isec->sid = sid;
3508         isec->initialized = 1;
3509 }
3510
3511 /* Returns error only if unable to parse addresses */
3512 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3513                         struct common_audit_data *ad, u8 *proto)
3514 {
3515         int offset, ihlen, ret = -EINVAL;
3516         struct iphdr _iph, *ih;
3517
3518         offset = skb_network_offset(skb);
3519         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3520         if (ih == NULL)
3521                 goto out;
3522
3523         ihlen = ih->ihl * 4;
3524         if (ihlen < sizeof(_iph))
3525                 goto out;
3526
3527         ad->u.net.v4info.saddr = ih->saddr;
3528         ad->u.net.v4info.daddr = ih->daddr;
3529         ret = 0;
3530
3531         if (proto)
3532                 *proto = ih->protocol;
3533
3534         switch (ih->protocol) {
3535         case IPPROTO_TCP: {
3536                 struct tcphdr _tcph, *th;
3537
3538                 if (ntohs(ih->frag_off) & IP_OFFSET)
3539                         break;
3540
3541                 offset += ihlen;
3542                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3543                 if (th == NULL)
3544                         break;
3545
3546                 ad->u.net.sport = th->source;
3547                 ad->u.net.dport = th->dest;
3548                 break;
3549         }
3550
3551         case IPPROTO_UDP: {
3552                 struct udphdr _udph, *uh;
3553
3554                 if (ntohs(ih->frag_off) & IP_OFFSET)
3555                         break;
3556
3557                 offset += ihlen;
3558                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3559                 if (uh == NULL)
3560                         break;
3561
3562                 ad->u.net.sport = uh->source;
3563                 ad->u.net.dport = uh->dest;
3564                 break;
3565         }
3566
3567         case IPPROTO_DCCP: {
3568                 struct dccp_hdr _dccph, *dh;
3569
3570                 if (ntohs(ih->frag_off) & IP_OFFSET)
3571                         break;
3572
3573                 offset += ihlen;
3574                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3575                 if (dh == NULL)
3576                         break;
3577
3578                 ad->u.net.sport = dh->dccph_sport;
3579                 ad->u.net.dport = dh->dccph_dport;
3580                 break;
3581         }
3582
3583         default:
3584                 break;
3585         }
3586 out:
3587         return ret;
3588 }
3589
3590 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3591
3592 /* Returns error only if unable to parse addresses */
3593 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3594                         struct common_audit_data *ad, u8 *proto)
3595 {
3596         u8 nexthdr;
3597         int ret = -EINVAL, offset;
3598         struct ipv6hdr _ipv6h, *ip6;
3599
3600         offset = skb_network_offset(skb);
3601         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3602         if (ip6 == NULL)
3603                 goto out;
3604
3605         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3606         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3607         ret = 0;
3608
3609         nexthdr = ip6->nexthdr;
3610         offset += sizeof(_ipv6h);
3611         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3612         if (offset < 0)
3613                 goto out;
3614
3615         if (proto)
3616                 *proto = nexthdr;
3617
3618         switch (nexthdr) {
3619         case IPPROTO_TCP: {
3620                 struct tcphdr _tcph, *th;
3621
3622                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3623                 if (th == NULL)
3624                         break;
3625
3626                 ad->u.net.sport = th->source;
3627                 ad->u.net.dport = th->dest;
3628                 break;
3629         }
3630
3631         case IPPROTO_UDP: {
3632                 struct udphdr _udph, *uh;
3633
3634                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3635                 if (uh == NULL)
3636                         break;
3637
3638                 ad->u.net.sport = uh->source;
3639                 ad->u.net.dport = uh->dest;
3640                 break;
3641         }
3642
3643         case IPPROTO_DCCP: {
3644                 struct dccp_hdr _dccph, *dh;
3645
3646                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3647                 if (dh == NULL)
3648                         break;
3649
3650                 ad->u.net.sport = dh->dccph_sport;
3651                 ad->u.net.dport = dh->dccph_dport;
3652                 break;
3653         }
3654
3655         /* includes fragments */
3656         default:
3657                 break;
3658         }
3659 out:
3660         return ret;
3661 }
3662
3663 #endif /* IPV6 */
3664
3665 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3666                              char **_addrp, int src, u8 *proto)
3667 {
3668         char *addrp;
3669         int ret;
3670
3671         switch (ad->u.net.family) {
3672         case PF_INET:
3673                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3674                 if (ret)
3675                         goto parse_error;
3676                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3677                                        &ad->u.net.v4info.daddr);
3678                 goto okay;
3679
3680 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3681         case PF_INET6:
3682                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3683                 if (ret)
3684                         goto parse_error;
3685                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3686                                        &ad->u.net.v6info.daddr);
3687                 goto okay;
3688 #endif  /* IPV6 */
3689         default:
3690                 addrp = NULL;
3691                 goto okay;
3692         }
3693
3694 parse_error:
3695         printk(KERN_WARNING
3696                "SELinux: failure in selinux_parse_skb(),"
3697                " unable to parse packet\n");
3698         return ret;
3699
3700 okay:
3701         if (_addrp)
3702                 *_addrp = addrp;
3703         return 0;
3704 }
3705
3706 /**
3707  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3708  * @skb: the packet
3709  * @family: protocol family
3710  * @sid: the packet's peer label SID
3711  *
3712  * Description:
3713  * Check the various different forms of network peer labeling and determine
3714  * the peer label/SID for the packet; most of the magic actually occurs in
3715  * the security server function security_net_peersid_cmp().  The function
3716  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3717  * or -EACCES if @sid is invalid due to inconsistencies with the different
3718  * peer labels.
3719  *
3720  */
3721 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3722 {
3723         int err;
3724         u32 xfrm_sid;
3725         u32 nlbl_sid;
3726         u32 nlbl_type;
3727
3728         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3729         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3730
3731         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3732         if (unlikely(err)) {
3733                 printk(KERN_WARNING
3734                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3735                        " unable to determine packet's peer label\n");
3736                 return -EACCES;
3737         }
3738
3739         return 0;
3740 }
3741
3742 /**
3743  * selinux_conn_sid - Determine the child socket label for a connection
3744  * @sk_sid: the parent socket's SID
3745  * @skb_sid: the packet's SID
3746  * @conn_sid: the resulting connection SID
3747  *
3748  * If @skb_sid is valid then the user:role:type information from @sk_sid is
3749  * combined with the MLS information from @skb_sid in order to create
3750  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
3751  * of @sk_sid.  Returns zero on success, negative values on failure.
3752  *
3753  */
3754 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3755 {
3756         int err = 0;
3757
3758         if (skb_sid != SECSID_NULL)
3759                 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3760         else
3761                 *conn_sid = sk_sid;
3762
3763         return err;
3764 }
3765
3766 /* socket security operations */
3767
3768 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3769                                  u16 secclass, u32 *socksid)
3770 {
3771         if (tsec->sockcreate_sid > SECSID_NULL) {
3772                 *socksid = tsec->sockcreate_sid;
3773                 return 0;
3774         }
3775
3776         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3777                                        socksid);
3778 }
3779
3780 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3781 {
3782         struct sk_security_struct *sksec = sk->sk_security;
3783         struct common_audit_data ad;
3784         u32 tsid = task_sid(task);
3785
3786         if (sksec->sid == SECINITSID_KERNEL)
3787                 return 0;
3788
3789         COMMON_AUDIT_DATA_INIT(&ad, NET);
3790         ad.u.net.sk = sk;
3791
3792         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3793 }
3794
3795 static int selinux_socket_create(int family, int type,
3796                                  int protocol, int kern)
3797 {
3798         const struct task_security_struct *tsec = current_security();
3799         u32 newsid;
3800         u16 secclass;
3801         int rc;
3802
3803         if (kern)
3804                 return 0;
3805
3806         secclass = socket_type_to_security_class(family, type, protocol);
3807         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3808         if (rc)
3809                 return rc;
3810
3811         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3812 }
3813
3814 static int selinux_socket_post_create(struct socket *sock, int family,
3815                                       int type, int protocol, int kern)
3816 {
3817         const struct task_security_struct *tsec = current_security();
3818         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3819         struct sk_security_struct *sksec;
3820         int err = 0;
3821
3822         isec->sclass = socket_type_to_security_class(family, type, protocol);
3823
3824         if (kern)
3825                 isec->sid = SECINITSID_KERNEL;
3826         else {
3827                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3828                 if (err)
3829                         return err;
3830         }
3831
3832         isec->initialized = 1;
3833
3834         if (sock->sk) {
3835                 sksec = sock->sk->sk_security;
3836                 sksec->sid = isec->sid;
3837                 sksec->sclass = isec->sclass;
3838                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3839         }
3840
3841         return err;
3842 }
3843
3844 /* Range of port numbers used to automatically bind.
3845    Need to determine whether we should perform a name_bind
3846    permission check between the socket and the port number. */
3847
3848 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3849 {
3850         struct sock *sk = sock->sk;
3851         u16 family;
3852         int err;
3853
3854         err = sock_has_perm(current, sk, SOCKET__BIND);
3855         if (err)
3856                 goto out;
3857
3858         /*
3859          * If PF_INET or PF_INET6, check name_bind permission for the port.
3860          * Multiple address binding for SCTP is not supported yet: we just
3861          * check the first address now.
3862          */
3863         family = sk->sk_family;
3864         if (family == PF_INET || family == PF_INET6) {
3865                 char *addrp;
3866                 struct sk_security_struct *sksec = sk->sk_security;
3867                 struct common_audit_data ad;
3868                 struct sockaddr_in *addr4 = NULL;
3869                 struct sockaddr_in6 *addr6 = NULL;
3870                 unsigned short snum;
3871                 u32 sid, node_perm;
3872
3873                 if (family == PF_INET) {
3874                         addr4 = (struct sockaddr_in *)address;
3875                         snum = ntohs(addr4->sin_port);
3876                         addrp = (char *)&addr4->sin_addr.s_addr;
3877                 } else {
3878                         addr6 = (struct sockaddr_in6 *)address;
3879                         snum = ntohs(addr6->sin6_port);
3880                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3881                 }
3882
3883                 if (snum) {
3884                         int low, high;
3885
3886                         inet_get_local_port_range(&low, &high);
3887
3888                         if (snum < max(PROT_SOCK, low) || snum > high) {
3889                                 err = sel_netport_sid(sk->sk_protocol,
3890                                                       snum, &sid);
3891                                 if (err)
3892                                         goto out;
3893                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3894                                 ad.u.net.sport = htons(snum);
3895                                 ad.u.net.family = family;
3896                                 err = avc_has_perm(sksec->sid, sid,
3897                                                    sksec->sclass,
3898                                                    SOCKET__NAME_BIND, &ad);
3899                                 if (err)
3900                                         goto out;
3901                         }
3902                 }
3903
3904                 switch (sksec->sclass) {
3905                 case SECCLASS_TCP_SOCKET:
3906                         node_perm = TCP_SOCKET__NODE_BIND;
3907                         break;
3908
3909                 case SECCLASS_UDP_SOCKET:
3910                         node_perm = UDP_SOCKET__NODE_BIND;
3911                         break;
3912
3913                 case SECCLASS_DCCP_SOCKET:
3914                         node_perm = DCCP_SOCKET__NODE_BIND;
3915                         break;
3916
3917                 default:
3918                         node_perm = RAWIP_SOCKET__NODE_BIND;
3919                         break;
3920                 }
3921
3922                 err = sel_netnode_sid(addrp, family, &sid);
3923                 if (err)
3924                         goto out;
3925
3926                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3927                 ad.u.net.sport = htons(snum);
3928                 ad.u.net.family = family;
3929
3930                 if (family == PF_INET)
3931                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3932                 else
3933                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3934
3935                 err = avc_has_perm(sksec->sid, sid,
3936                                    sksec->sclass, node_perm, &ad);
3937                 if (err)
3938                         goto out;
3939         }
3940 out:
3941         return err;
3942 }
3943
3944 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3945 {
3946         struct sock *sk = sock->sk;
3947         struct sk_security_struct *sksec = sk->sk_security;
3948         int err;
3949
3950         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3951         if (err)
3952                 return err;
3953
3954         /*
3955          * If a TCP or DCCP socket, check name_connect permission for the port.
3956          */
3957         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3958             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3959                 struct common_audit_data ad;
3960                 struct sockaddr_in *addr4 = NULL;
3961                 struct sockaddr_in6 *addr6 = NULL;
3962                 unsigned short snum;
3963                 u32 sid, perm;
3964
3965                 if (sk->sk_family == PF_INET) {
3966                         addr4 = (struct sockaddr_in *)address;
3967                         if (addrlen < sizeof(struct sockaddr_in))
3968                                 return -EINVAL;
3969                         snum = ntohs(addr4->sin_port);
3970                 } else {
3971                         addr6 = (struct sockaddr_in6 *)address;
3972                         if (addrlen < SIN6_LEN_RFC2133)
3973                                 return -EINVAL;
3974                         snum = ntohs(addr6->sin6_port);
3975                 }
3976
3977                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3978                 if (err)
3979                         goto out;
3980
3981                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3982                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3983
3984                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3985                 ad.u.net.dport = htons(snum);
3986                 ad.u.net.family = sk->sk_family;
3987                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3988                 if (err)
3989                         goto out;
3990         }
3991
3992         err = selinux_netlbl_socket_connect(sk, address);
3993
3994 out:
3995         return err;
3996 }
3997
3998 static int selinux_socket_listen(struct socket *sock, int backlog)
3999 {
4000         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4001 }
4002
4003 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4004 {
4005         int err;
4006         struct inode_security_struct *isec;
4007         struct inode_security_struct *newisec;
4008
4009         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4010         if (err)
4011                 return err;
4012
4013         newisec = SOCK_INODE(newsock)->i_security;
4014
4015         isec = SOCK_INODE(sock)->i_security;
4016         newisec->sclass = isec->sclass;
4017         newisec->sid = isec->sid;
4018         newisec->initialized = 1;
4019
4020         return 0;
4021 }
4022
4023 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4024                                   int size)
4025 {
4026         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4027 }
4028
4029 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4030                                   int size, int flags)
4031 {
4032         return sock_has_perm(current, sock->sk, SOCKET__READ);
4033 }
4034
4035 static int selinux_socket_getsockname(struct socket *sock)
4036 {
4037         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4038 }
4039
4040 static int selinux_socket_getpeername(struct socket *sock)
4041 {
4042         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4043 }
4044
4045 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4046 {
4047         int err;
4048
4049         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4050         if (err)
4051                 return err;
4052
4053         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4054 }
4055
4056 static int selinux_socket_getsockopt(struct socket *sock, int level,
4057                                      int optname)
4058 {
4059         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4060 }
4061
4062 static int selinux_socket_shutdown(struct socket *sock, int how)
4063 {
4064         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4065 }
4066
4067 static int selinux_socket_unix_stream_connect(struct sock *sock,
4068                                               struct sock *other,
4069                                               struct sock *newsk)
4070 {
4071         struct sk_security_struct *sksec_sock = sock->sk_security;
4072         struct sk_security_struct *sksec_other = other->sk_security;
4073         struct sk_security_struct *sksec_new = newsk->sk_security;
4074         struct common_audit_data ad;
4075         int err;
4076
4077         COMMON_AUDIT_DATA_INIT(&ad, NET);
4078         ad.u.net.sk = other;
4079
4080         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4081                            sksec_other->sclass,
4082                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4083         if (err)
4084                 return err;
4085
4086         /* server child socket */
4087         sksec_new->peer_sid = sksec_sock->sid;
4088         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4089                                     &sksec_new->sid);
4090         if (err)
4091                 return err;
4092
4093         /* connecting socket */
4094         sksec_sock->peer_sid = sksec_new->sid;
4095
4096         return 0;
4097 }
4098
4099 static int selinux_socket_unix_may_send(struct socket *sock,
4100                                         struct socket *other)
4101 {
4102         struct sk_security_struct *ssec = sock->sk->sk_security;
4103         struct sk_security_struct *osec = other->sk->sk_security;
4104         struct common_audit_data ad;
4105
4106         COMMON_AUDIT_DATA_INIT(&ad, NET);
4107         ad.u.net.sk = other->sk;
4108
4109         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4110                             &ad);
4111 }
4112
4113 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4114                                     u32 peer_sid,
4115                                     struct common_audit_data *ad)
4116 {
4117         int err;
4118         u32 if_sid;
4119         u32 node_sid;
4120
4121         err = sel_netif_sid(ifindex, &if_sid);
4122         if (err)
4123                 return err;
4124         err = avc_has_perm(peer_sid, if_sid,
4125                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4126         if (err)
4127                 return err;
4128
4129         err = sel_netnode_sid(addrp, family, &node_sid);
4130         if (err)
4131                 return err;
4132         return avc_has_perm(peer_sid, node_sid,
4133                             SECCLASS_NODE, NODE__RECVFROM, ad);
4134 }
4135
4136 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4137                                        u16 family)
4138 {
4139         int err = 0;
4140         struct sk_security_struct *sksec = sk->sk_security;
4141         u32 sk_sid = sksec->sid;
4142         struct common_audit_data ad;
4143         char *addrp;
4144
4145         COMMON_AUDIT_DATA_INIT(&ad, NET);
4146         ad.u.net.netif = skb->skb_iif;
4147         ad.u.net.family = family;
4148         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4149         if (err)
4150                 return err;
4151
4152         if (selinux_secmark_enabled()) {
4153                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4154                                    PACKET__RECV, &ad);
4155                 if (err)
4156                         return err;
4157         }
4158
4159         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4160         if (err)
4161                 return err;
4162         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4163
4164         return err;
4165 }
4166
4167 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4168 {
4169         int err;
4170         struct sk_security_struct *sksec = sk->sk_security;
4171         u16 family = sk->sk_family;
4172         u32 sk_sid = sksec->sid;
4173         struct common_audit_data ad;
4174         char *addrp;
4175         u8 secmark_active;
4176         u8 peerlbl_active;
4177
4178         if (family != PF_INET && family != PF_INET6)
4179                 return 0;
4180
4181         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4182         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4183                 family = PF_INET;
4184
4185         /* If any sort of compatibility mode is enabled then handoff processing
4186          * to the selinux_sock_rcv_skb_compat() function to deal with the
4187          * special handling.  We do this in an attempt to keep this function
4188          * as fast and as clean as possible. */
4189         if (!selinux_policycap_netpeer)
4190                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4191
4192         secmark_active = selinux_secmark_enabled();
4193         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4194         if (!secmark_active && !peerlbl_active)
4195                 return 0;
4196
4197         COMMON_AUDIT_DATA_INIT(&ad, NET);
4198         ad.u.net.netif = skb->skb_iif;
4199         ad.u.net.family = family;
4200         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4201         if (err)
4202                 return err;
4203
4204         if (peerlbl_active) {
4205                 u32 peer_sid;
4206
4207                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4208                 if (err)
4209                         return err;
4210                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4211                                                peer_sid, &ad);
4212                 if (err) {
4213                         selinux_netlbl_err(skb, err, 0);
4214                         return err;
4215                 }
4216                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4217                                    PEER__RECV, &ad);
4218                 if (err) {
4219                         selinux_netlbl_err(skb, err, 0);
4220                         return err;
4221                 }
4222         }
4223
4224         if (secmark_active) {
4225                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4226                                    PACKET__RECV, &ad);
4227                 if (err)
4228                         return err;
4229         }
4230
4231         return err;
4232 }
4233
4234 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4235                                             int __user *optlen, unsigned len)
4236 {
4237         int err = 0;
4238         char *scontext;
4239         u32 scontext_len;
4240         struct sk_security_struct *sksec = sock->sk->sk_security;
4241         u32 peer_sid = SECSID_NULL;
4242
4243         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4244             sksec->sclass == SECCLASS_TCP_SOCKET)
4245                 peer_sid = sksec->peer_sid;
4246         if (peer_sid == SECSID_NULL)
4247                 return -ENOPROTOOPT;
4248
4249         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4250         if (err)
4251                 return err;
4252
4253         if (scontext_len > len) {
4254                 err = -ERANGE;
4255                 goto out_len;
4256         }
4257
4258         if (copy_to_user(optval, scontext, scontext_len))
4259                 err = -EFAULT;
4260
4261 out_len:
4262         if (put_user(scontext_len, optlen))
4263                 err = -EFAULT;
4264         kfree(scontext);
4265         return err;
4266 }
4267
4268 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4269 {
4270         u32 peer_secid = SECSID_NULL;
4271         u16 family;
4272
4273         if (skb && skb->protocol == htons(ETH_P_IP))
4274                 family = PF_INET;
4275         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4276                 family = PF_INET6;
4277         else if (sock)
4278                 family = sock->sk->sk_family;
4279         else
4280                 goto out;
4281
4282         if (sock && family == PF_UNIX)
4283                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4284         else if (skb)
4285                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4286
4287 out:
4288         *secid = peer_secid;
4289         if (peer_secid == SECSID_NULL)
4290                 return -EINVAL;
4291         return 0;
4292 }
4293
4294 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4295 {
4296         struct sk_security_struct *sksec;
4297
4298         sksec = kzalloc(sizeof(*sksec), priority);
4299         if (!sksec)
4300                 return -ENOMEM;
4301
4302         sksec->peer_sid = SECINITSID_UNLABELED;
4303         sksec->sid = SECINITSID_UNLABELED;
4304         selinux_netlbl_sk_security_reset(sksec);
4305         sk->sk_security = sksec;
4306
4307         return 0;
4308 }
4309
4310 static void selinux_sk_free_security(struct sock *sk)
4311 {
4312         struct sk_security_struct *sksec = sk->sk_security;
4313
4314         sk->sk_security = NULL;
4315         selinux_netlbl_sk_security_free(sksec);
4316         kfree(sksec);
4317 }
4318
4319 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4320 {
4321         struct sk_security_struct *sksec = sk->sk_security;
4322         struct sk_security_struct *newsksec = newsk->sk_security;
4323
4324         newsksec->sid = sksec->sid;
4325         newsksec->peer_sid = sksec->peer_sid;
4326         newsksec->sclass = sksec->sclass;
4327
4328         selinux_netlbl_sk_security_reset(newsksec);
4329 }
4330
4331 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4332 {
4333         if (!sk)
4334                 *secid = SECINITSID_ANY_SOCKET;
4335         else {
4336                 struct sk_security_struct *sksec = sk->sk_security;
4337
4338                 *secid = sksec->sid;
4339         }
4340 }
4341
4342 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4343 {
4344         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4345         struct sk_security_struct *sksec = sk->sk_security;
4346
4347         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4348             sk->sk_family == PF_UNIX)
4349                 isec->sid = sksec->sid;
4350         sksec->sclass = isec->sclass;
4351 }
4352
4353 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4354                                      struct request_sock *req)
4355 {
4356         struct sk_security_struct *sksec = sk->sk_security;
4357         int err;
4358         u16 family = sk->sk_family;
4359         u32 connsid;
4360         u32 peersid;
4361
4362         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4363         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4364                 family = PF_INET;
4365
4366         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4367         if (err)
4368                 return err;
4369         err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4370         if (err)
4371                 return err;
4372         req->secid = connsid;
4373         req->peer_secid = peersid;
4374
4375         return selinux_netlbl_inet_conn_request(req, family);
4376 }
4377
4378 static void selinux_inet_csk_clone(struct sock *newsk,
4379                                    const struct request_sock *req)
4380 {
4381         struct sk_security_struct *newsksec = newsk->sk_security;
4382
4383         newsksec->sid = req->secid;
4384         newsksec->peer_sid = req->peer_secid;
4385         /* NOTE: Ideally, we should also get the isec->sid for the
4386            new socket in sync, but we don't have the isec available yet.
4387            So we will wait until sock_graft to do it, by which
4388            time it will have been created and available. */
4389
4390         /* We don't need to take any sort of lock here as we are the only
4391          * thread with access to newsksec */
4392         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4393 }
4394
4395 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4396 {
4397         u16 family = sk->sk_family;
4398         struct sk_security_struct *sksec = sk->sk_security;
4399
4400         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4401         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4402                 family = PF_INET;
4403
4404         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4405 }
4406
4407 static int selinux_secmark_relabel_packet(u32 sid)
4408 {
4409         const struct task_security_struct *__tsec;
4410         u32 tsid;
4411
4412         __tsec = current_security();
4413         tsid = __tsec->sid;
4414
4415         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4416 }
4417
4418 static void selinux_secmark_refcount_inc(void)
4419 {
4420         atomic_inc(&selinux_secmark_refcount);
4421 }
4422
4423 static void selinux_secmark_refcount_dec(void)
4424 {
4425         atomic_dec(&selinux_secmark_refcount);
4426 }
4427
4428 static void selinux_req_classify_flow(const struct request_sock *req,
4429                                       struct flowi *fl)
4430 {
4431         fl->flowi_secid = req->secid;
4432 }
4433
4434 static int selinux_tun_dev_create(void)
4435 {
4436         u32 sid = current_sid();
4437
4438         /* we aren't taking into account the "sockcreate" SID since the socket
4439          * that is being created here is not a socket in the traditional sense,
4440          * instead it is a private sock, accessible only to the kernel, and
4441          * representing a wide range of network traffic spanning multiple
4442          * connections unlike traditional sockets - check the TUN driver to
4443          * get a better understanding of why this socket is special */
4444
4445         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4446                             NULL);
4447 }
4448
4449 static void selinux_tun_dev_post_create(struct sock *sk)
4450 {
4451         struct sk_security_struct *sksec = sk->sk_security;
4452
4453         /* we don't currently perform any NetLabel based labeling here and it
4454          * isn't clear that we would want to do so anyway; while we could apply
4455          * labeling without the support of the TUN user the resulting labeled
4456          * traffic from the other end of the connection would almost certainly
4457          * cause confusion to the TUN user that had no idea network labeling
4458          * protocols were being used */
4459
4460         /* see the comments in selinux_tun_dev_create() about why we don't use
4461          * the sockcreate SID here */
4462
4463         sksec->sid = current_sid();
4464         sksec->sclass = SECCLASS_TUN_SOCKET;
4465 }
4466
4467 static int selinux_tun_dev_attach(struct sock *sk)
4468 {
4469         struct sk_security_struct *sksec = sk->sk_security;
4470         u32 sid = current_sid();
4471         int err;
4472
4473         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4474                            TUN_SOCKET__RELABELFROM, NULL);
4475         if (err)
4476                 return err;
4477         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4478                            TUN_SOCKET__RELABELTO, NULL);
4479         if (err)
4480                 return err;
4481
4482         sksec->sid = sid;
4483
4484         return 0;
4485 }
4486
4487 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4488 {
4489         int err = 0;
4490         u32 perm;
4491         struct nlmsghdr *nlh;
4492         struct sk_security_struct *sksec = sk->sk_security;
4493
4494         if (skb->len < NLMSG_SPACE(0)) {
4495                 err = -EINVAL;
4496                 goto out;
4497         }
4498         nlh = nlmsg_hdr(skb);
4499
4500         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4501         if (err) {
4502                 if (err == -EINVAL) {
4503                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4504                                   "SELinux:  unrecognized netlink message"
4505                                   " type=%hu for sclass=%hu\n",
4506                                   nlh->nlmsg_type, sksec->sclass);
4507                         if (!selinux_enforcing || security_get_allow_unknown())
4508                                 err = 0;
4509                 }
4510
4511                 /* Ignore */
4512                 if (err == -ENOENT)
4513                         err = 0;
4514                 goto out;
4515         }
4516
4517         err = sock_has_perm(current, sk, perm);
4518 out:
4519         return err;
4520 }
4521
4522 #ifdef CONFIG_NETFILTER
4523
4524 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4525                                        u16 family)
4526 {
4527         int err;
4528         char *addrp;
4529         u32 peer_sid;
4530         struct common_audit_data ad;
4531         u8 secmark_active;
4532         u8 netlbl_active;
4533         u8 peerlbl_active;
4534
4535         if (!selinux_policycap_netpeer)
4536                 return NF_ACCEPT;
4537
4538         secmark_active = selinux_secmark_enabled();
4539         netlbl_active = netlbl_enabled();
4540         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4541         if (!secmark_active && !peerlbl_active)
4542                 return NF_ACCEPT;
4543
4544         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4545                 return NF_DROP;
4546
4547         COMMON_AUDIT_DATA_INIT(&ad, NET);
4548         ad.u.net.netif = ifindex;
4549         ad.u.net.family = family;
4550         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4551                 return NF_DROP;
4552
4553         if (peerlbl_active) {
4554                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4555                                                peer_sid, &ad);
4556                 if (err) {
4557                         selinux_netlbl_err(skb, err, 1);
4558                         return NF_DROP;
4559                 }
4560         }
4561
4562         if (secmark_active)
4563                 if (avc_has_perm(peer_sid, skb->secmark,
4564                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4565                         return NF_DROP;
4566
4567         if (netlbl_active)
4568                 /* we do this in the FORWARD path and not the POST_ROUTING
4569                  * path because we want to make sure we apply the necessary
4570                  * labeling before IPsec is applied so we can leverage AH
4571                  * protection */
4572                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4573                         return NF_DROP;
4574
4575         return NF_ACCEPT;
4576 }
4577
4578 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4579                                          struct sk_buff *skb,
4580                                          const struct net_device *in,
4581                                          const struct net_device *out,
4582                                          int (*okfn)(struct sk_buff *))
4583 {
4584         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4585 }
4586
4587 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4588 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4589                                          struct sk_buff *skb,
4590                                          const struct net_device *in,
4591                                          const struct net_device *out,
4592                                          int (*okfn)(struct sk_buff *))
4593 {
4594         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4595 }
4596 #endif  /* IPV6 */
4597
4598 static unsigned int selinux_ip_output(struct sk_buff *skb,
4599                                       u16 family)
4600 {
4601         struct sock *sk;
4602         u32 sid;
4603
4604         if (!netlbl_enabled())
4605                 return NF_ACCEPT;
4606
4607         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4608          * because we want to make sure we apply the necessary labeling
4609          * before IPsec is applied so we can leverage AH protection */
4610         sk = skb->sk;
4611         if (sk) {
4612                 struct sk_security_struct *sksec;
4613
4614                 if (sk->sk_state == TCP_LISTEN)
4615                         /* if the socket is the listening state then this
4616                          * packet is a SYN-ACK packet which means it needs to
4617                          * be labeled based on the connection/request_sock and
4618                          * not the parent socket.  unfortunately, we can't
4619                          * lookup the request_sock yet as it isn't queued on
4620                          * the parent socket until after the SYN-ACK is sent.
4621                          * the "solution" is to simply pass the packet as-is
4622                          * as any IP option based labeling should be copied
4623                          * from the initial connection request (in the IP
4624                          * layer).  it is far from ideal, but until we get a
4625                          * security label in the packet itself this is the
4626                          * best we can do. */
4627                         return NF_ACCEPT;
4628
4629                 /* standard practice, label using the parent socket */
4630                 sksec = sk->sk_security;
4631                 sid = sksec->sid;
4632         } else
4633                 sid = SECINITSID_KERNEL;
4634         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4635                 return NF_DROP;
4636
4637         return NF_ACCEPT;
4638 }
4639
4640 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4641                                         struct sk_buff *skb,
4642                                         const struct net_device *in,
4643                                         const struct net_device *out,
4644                                         int (*okfn)(struct sk_buff *))
4645 {
4646         return selinux_ip_output(skb, PF_INET);
4647 }
4648
4649 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4650                                                 int ifindex,
4651                                                 u16 family)
4652 {
4653         struct sock *sk = skb->sk;
4654         struct sk_security_struct *sksec;
4655         struct common_audit_data ad;
4656         char *addrp;
4657         u8 proto;
4658
4659         if (sk == NULL)
4660                 return NF_ACCEPT;
4661         sksec = sk->sk_security;
4662
4663         COMMON_AUDIT_DATA_INIT(&ad, NET);
4664         ad.u.net.netif = ifindex;
4665         ad.u.net.family = family;
4666         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4667                 return NF_DROP;
4668
4669         if (selinux_secmark_enabled())
4670                 if (avc_has_perm(sksec->sid, skb->secmark,
4671                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4672                         return NF_DROP_ERR(-ECONNREFUSED);
4673
4674         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4675                 return NF_DROP_ERR(-ECONNREFUSED);
4676
4677         return NF_ACCEPT;
4678 }
4679
4680 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4681                                          u16 family)
4682 {
4683         u32 secmark_perm;
4684         u32 peer_sid;
4685         struct sock *sk;
4686         struct common_audit_data ad;
4687         char *addrp;
4688         u8 secmark_active;
4689         u8 peerlbl_active;
4690
4691         /* If any sort of compatibility mode is enabled then handoff processing
4692          * to the selinux_ip_postroute_compat() function to deal with the
4693          * special handling.  We do this in an attempt to keep this function
4694          * as fast and as clean as possible. */
4695         if (!selinux_policycap_netpeer)
4696                 return selinux_ip_postroute_compat(skb, ifindex, family);
4697
4698         secmark_active = selinux_secmark_enabled();
4699         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4700         if (!secmark_active && !peerlbl_active)
4701                 return NF_ACCEPT;
4702
4703         sk = skb->sk;
4704
4705 #ifdef CONFIG_XFRM
4706         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4707          * packet transformation so allow the packet to pass without any checks
4708          * since we'll have another chance to perform access control checks
4709          * when the packet is on it's final way out.
4710          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4711          *       is NULL, in this case go ahead and apply access control.
4712          * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4713          *       TCP listening state we cannot wait until the XFRM processing
4714          *       is done as we will miss out on the SA label if we do;
4715          *       unfortunately, this means more work, but it is only once per
4716          *       connection. */
4717         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4718             !(sk != NULL && sk->sk_state == TCP_LISTEN))
4719                 return NF_ACCEPT;
4720 #endif
4721
4722         if (sk == NULL) {
4723                 /* Without an associated socket the packet is either coming
4724                  * from the kernel or it is being forwarded; check the packet
4725                  * to determine which and if the packet is being forwarded
4726                  * query the packet directly to determine the security label. */
4727                 if (skb->skb_iif) {
4728                         secmark_perm = PACKET__FORWARD_OUT;
4729                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4730                                 return NF_DROP;
4731                 } else {
4732                         secmark_perm = PACKET__SEND;
4733                         peer_sid = SECINITSID_KERNEL;
4734                 }
4735         } else if (sk->sk_state == TCP_LISTEN) {
4736                 /* Locally generated packet but the associated socket is in the
4737                  * listening state which means this is a SYN-ACK packet.  In
4738                  * this particular case the correct security label is assigned
4739                  * to the connection/request_sock but unfortunately we can't
4740                  * query the request_sock as it isn't queued on the parent
4741                  * socket until after the SYN-ACK packet is sent; the only
4742                  * viable choice is to regenerate the label like we do in
4743                  * selinux_inet_conn_request().  See also selinux_ip_output()
4744                  * for similar problems. */
4745                 u32 skb_sid;
4746                 struct sk_security_struct *sksec = sk->sk_security;
4747                 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4748                         return NF_DROP;
4749                 /* At this point, if the returned skb peerlbl is SECSID_NULL
4750                  * and the packet has been through at least one XFRM
4751                  * transformation then we must be dealing with the "final"
4752                  * form of labeled IPsec packet; since we've already applied
4753                  * all of our access controls on this packet we can safely
4754                  * pass the packet. */
4755                 if (skb_sid == SECSID_NULL) {
4756                         switch (family) {
4757                         case PF_INET:
4758                                 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4759                                         return NF_ACCEPT;
4760                                 break;
4761                         case PF_INET6:
4762                                 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4763                                         return NF_ACCEPT;
4764                         default:
4765                                 return NF_DROP_ERR(-ECONNREFUSED);
4766                         }
4767                 }
4768                 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
4769                         return NF_DROP;
4770                 secmark_perm = PACKET__SEND;
4771         } else {
4772                 /* Locally generated packet, fetch the security label from the
4773                  * associated socket. */
4774                 struct sk_security_struct *sksec = sk->sk_security;
4775                 peer_sid = sksec->sid;
4776                 secmark_perm = PACKET__SEND;
4777         }
4778
4779         COMMON_AUDIT_DATA_INIT(&ad, NET);
4780         ad.u.net.netif = ifindex;
4781         ad.u.net.family = family;
4782         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4783                 return NF_DROP;
4784
4785         if (secmark_active)
4786                 if (avc_has_perm(peer_sid, skb->secmark,
4787                                  SECCLASS_PACKET, secmark_perm, &ad))
4788                         return NF_DROP_ERR(-ECONNREFUSED);
4789
4790         if (peerlbl_active) {
4791                 u32 if_sid;
4792                 u32 node_sid;
4793
4794                 if (sel_netif_sid(ifindex, &if_sid))
4795                         return NF_DROP;
4796                 if (avc_has_perm(peer_sid, if_sid,
4797                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4798                         return NF_DROP_ERR(-ECONNREFUSED);
4799
4800                 if (sel_netnode_sid(addrp, family, &node_sid))
4801                         return NF_DROP;
4802                 if (avc_has_perm(peer_sid, node_sid,
4803                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4804                         return NF_DROP_ERR(-ECONNREFUSED);
4805         }
4806
4807         return NF_ACCEPT;
4808 }
4809
4810 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4811                                            struct sk_buff *skb,
4812                                            const struct net_device *in,
4813                                            const struct net_device *out,
4814                                            int (*okfn)(struct sk_buff *))
4815 {
4816         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4817 }
4818
4819 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4820 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4821                                            struct sk_buff *skb,
4822                                            const struct net_device *in,
4823                                            const struct net_device *out,
4824                                            int (*okfn)(struct sk_buff *))
4825 {
4826         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4827 }
4828 #endif  /* IPV6 */
4829
4830 #endif  /* CONFIG_NETFILTER */
4831
4832 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4833 {
4834         int err;
4835
4836         err = cap_netlink_send(sk, skb);
4837         if (err)
4838                 return err;
4839
4840         return selinux_nlmsg_perm(sk, skb);
4841 }
4842
4843 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4844 {
4845         int err;
4846         struct common_audit_data ad;
4847         u32 sid;
4848
4849         err = cap_netlink_recv(skb, capability);
4850         if (err)
4851                 return err;
4852
4853         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4854         ad.u.cap = capability;
4855
4856         security_task_getsecid(current, &sid);
4857         return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4858                             CAP_TO_MASK(capability), &ad);
4859 }
4860
4861 static int ipc_alloc_security(struct task_struct *task,
4862                               struct kern_ipc_perm *perm,
4863                               u16 sclass)
4864 {
4865         struct ipc_security_struct *isec;
4866         u32 sid;
4867
4868         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4869         if (!isec)
4870                 return -ENOMEM;
4871
4872         sid = task_sid(task);
4873         isec->sclass = sclass;
4874         isec->sid = sid;
4875         perm->security = isec;
4876
4877         return 0;
4878 }
4879
4880 static void ipc_free_security(struct kern_ipc_perm *perm)
4881 {
4882         struct ipc_security_struct *isec = perm->security;
4883         perm->security = NULL;
4884         kfree(isec);
4885 }
4886
4887 static int msg_msg_alloc_security(struct msg_msg *msg)
4888 {
4889         struct msg_security_struct *msec;
4890
4891         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4892         if (!msec)
4893                 return -ENOMEM;
4894
4895         msec->sid = SECINITSID_UNLABELED;
4896         msg->security = msec;
4897
4898         return 0;
4899 }
4900
4901 static void msg_msg_free_security(struct msg_msg *msg)
4902 {
4903         struct msg_security_struct *msec = msg->security;
4904
4905         msg->security = NULL;
4906         kfree(msec);
4907 }
4908
4909 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4910                         u32 perms)
4911 {
4912         struct ipc_security_struct *isec;
4913         struct common_audit_data ad;
4914         u32 sid = current_sid();
4915
4916         isec = ipc_perms->security;
4917
4918         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4919         ad.u.ipc_id = ipc_perms->key;
4920
4921         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4922 }
4923
4924 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4925 {
4926         return msg_msg_alloc_security(msg);
4927 }
4928
4929 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4930 {
4931         msg_msg_free_security(msg);
4932 }
4933
4934 /* message queue security operations */
4935 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4936 {
4937         struct ipc_security_struct *isec;
4938         struct common_audit_data ad;
4939         u32 sid = current_sid();
4940         int rc;
4941
4942         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4943         if (rc)
4944                 return rc;
4945
4946         isec = msq->q_perm.security;
4947
4948         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4949         ad.u.ipc_id = msq->q_perm.key;
4950
4951         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4952                           MSGQ__CREATE, &ad);
4953         if (rc) {
4954                 ipc_free_security(&msq->q_perm);
4955                 return rc;
4956         }
4957         return 0;
4958 }
4959
4960 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4961 {
4962         ipc_free_security(&msq->q_perm);
4963 }
4964
4965 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4966 {
4967         struct ipc_security_struct *isec;
4968         struct common_audit_data ad;
4969         u32 sid = current_sid();
4970
4971         isec = msq->q_perm.security;
4972
4973         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4974         ad.u.ipc_id = msq->q_perm.key;
4975
4976         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4977                             MSGQ__ASSOCIATE, &ad);
4978 }
4979
4980 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4981 {
4982         int err;
4983         int perms;
4984
4985         switch (cmd) {
4986         case IPC_INFO:
4987         case MSG_INFO:
4988                 /* No specific object, just general system-wide information. */
4989                 return task_has_system(current, SYSTEM__IPC_INFO);
4990         case IPC_STAT:
4991         case MSG_STAT:
4992                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4993                 break;
4994         case IPC_SET:
4995                 perms = MSGQ__SETATTR;
4996                 break;
4997         case IPC_RMID:
4998                 perms = MSGQ__DESTROY;
4999                 break;
5000         default:
5001                 return 0;
5002         }
5003
5004         err = ipc_has_perm(&msq->q_perm, perms);
5005         return err;
5006 }
5007
5008 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5009 {
5010         struct ipc_security_struct *isec;
5011         struct msg_security_struct *msec;
5012         struct common_audit_data ad;
5013         u32 sid = current_sid();
5014         int rc;
5015
5016         isec = msq->q_perm.security;
5017         msec = msg->security;
5018
5019         /*
5020          * First time through, need to assign label to the message
5021          */
5022         if (msec->sid == SECINITSID_UNLABELED) {
5023                 /*
5024                  * Compute new sid based on current process and
5025                  * message queue this message will be stored in
5026                  */
5027                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5028                                              NULL, &msec->sid);
5029                 if (rc)
5030                         return rc;
5031         }
5032
5033         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5034         ad.u.ipc_id = msq->q_perm.key;
5035
5036         /* Can this process write to the queue? */
5037         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5038                           MSGQ__WRITE, &ad);
5039         if (!rc)
5040                 /* Can this process send the message */
5041                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5042                                   MSG__SEND, &ad);
5043         if (!rc)
5044                 /* Can the message be put in the queue? */
5045                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5046                                   MSGQ__ENQUEUE, &ad);
5047
5048         return rc;
5049 }
5050
5051 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5052                                     struct task_struct *target,
5053                                     long type, int mode)
5054 {
5055         struct ipc_security_struct *isec;
5056         struct msg_security_struct *msec;
5057         struct common_audit_data ad;
5058         u32 sid = task_sid(target);
5059         int rc;
5060
5061         isec = msq->q_perm.security;
5062         msec = msg->security;
5063
5064         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5065         ad.u.ipc_id = msq->q_perm.key;
5066
5067         rc = avc_has_perm(sid, isec->sid,
5068                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5069         if (!rc)
5070                 rc = avc_has_perm(sid, msec->sid,
5071                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5072         return rc;
5073 }
5074
5075 /* Shared Memory security operations */
5076 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5077 {
5078         struct ipc_security_struct *isec;
5079         struct common_audit_data ad;
5080         u32 sid = current_sid();
5081         int rc;
5082
5083         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5084         if (rc)
5085                 return rc;
5086
5087         isec = shp->shm_perm.security;
5088
5089         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5090         ad.u.ipc_id = shp->shm_perm.key;
5091
5092         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5093                           SHM__CREATE, &ad);
5094         if (rc) {
5095                 ipc_free_security(&shp->shm_perm);
5096                 return rc;
5097         }
5098         return 0;
5099 }
5100
5101 static void selinux_shm_free_security(struct shmid_kernel *shp)
5102 {
5103         ipc_free_security(&shp->shm_perm);
5104 }
5105
5106 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5107 {
5108         struct ipc_security_struct *isec;
5109         struct common_audit_data ad;
5110         u32 sid = current_sid();
5111
5112         isec = shp->shm_perm.security;
5113
5114         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5115         ad.u.ipc_id = shp->shm_perm.key;
5116
5117         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5118                             SHM__ASSOCIATE, &ad);
5119 }
5120
5121 /* Note, at this point, shp is locked down */
5122 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5123 {
5124         int perms;
5125         int err;
5126
5127         switch (cmd) {
5128         case IPC_INFO:
5129         case SHM_INFO:
5130                 /* No specific object, just general system-wide information. */
5131                 return task_has_system(current, SYSTEM__IPC_INFO);
5132         case IPC_STAT:
5133         case SHM_STAT:
5134                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5135                 break;
5136         case IPC_SET:
5137                 perms = SHM__SETATTR;
5138                 break;
5139         case SHM_LOCK:
5140         case SHM_UNLOCK:
5141                 perms = SHM__LOCK;
5142                 break;
5143         case IPC_RMID:
5144                 perms = SHM__DESTROY;
5145                 break;
5146         default:
5147                 return 0;
5148         }
5149
5150         err = ipc_has_perm(&shp->shm_perm, perms);
5151         return err;
5152 }
5153
5154 static int selinux_shm_shmat(struct shmid_kernel *shp,
5155                              char __user *shmaddr, int shmflg)
5156 {
5157         u32 perms;
5158
5159         if (shmflg & SHM_RDONLY)
5160                 perms = SHM__READ;
5161         else
5162                 perms = SHM__READ | SHM__WRITE;
5163
5164         return ipc_has_perm(&shp->shm_perm, perms);
5165 }
5166
5167 /* Semaphore security operations */
5168 static int selinux_sem_alloc_security(struct sem_array *sma)
5169 {
5170         struct ipc_security_struct *isec;
5171         struct common_audit_data ad;
5172         u32 sid = current_sid();
5173         int rc;
5174
5175         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5176         if (rc)
5177                 return rc;
5178
5179         isec = sma->sem_perm.security;
5180
5181         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5182         ad.u.ipc_id = sma->sem_perm.key;
5183
5184         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5185                           SEM__CREATE, &ad);
5186         if (rc) {
5187                 ipc_free_security(&sma->sem_perm);
5188                 return rc;
5189         }
5190         return 0;
5191 }
5192
5193 static void selinux_sem_free_security(struct sem_array *sma)
5194 {
5195         ipc_free_security(&sma->sem_perm);
5196 }
5197
5198 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5199 {
5200         struct ipc_security_struct *isec;
5201         struct common_audit_data ad;
5202         u32 sid = current_sid();
5203
5204         isec = sma->sem_perm.security;
5205
5206         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5207         ad.u.ipc_id = sma->sem_perm.key;
5208
5209         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5210                             SEM__ASSOCIATE, &ad);
5211 }
5212
5213 /* Note, at this point, sma is locked down */
5214 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5215 {
5216         int err;
5217         u32 perms;
5218
5219         switch (cmd) {
5220         case IPC_INFO:
5221         case SEM_INFO:
5222                 /* No specific object, just general system-wide information. */
5223                 return task_has_system(current, SYSTEM__IPC_INFO);
5224         case GETPID:
5225         case GETNCNT:
5226         case GETZCNT:
5227                 perms = SEM__GETATTR;
5228                 break;
5229         case GETVAL:
5230         case GETALL:
5231                 perms = SEM__READ;
5232                 break;
5233         case SETVAL:
5234         case SETALL:
5235                 perms = SEM__WRITE;
5236                 break;
5237         case IPC_RMID:
5238                 perms = SEM__DESTROY;
5239                 break;
5240         case IPC_SET:
5241                 perms = SEM__SETATTR;
5242                 break;
5243         case IPC_STAT:
5244         case SEM_STAT:
5245                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5246                 break;
5247         default:
5248                 return 0;
5249         }
5250
5251         err = ipc_has_perm(&sma->sem_perm, perms);
5252         return err;
5253 }
5254
5255 static int selinux_sem_semop(struct sem_array *sma,
5256                              struct sembuf *sops, unsigned nsops, int alter)
5257 {
5258         u32 perms;
5259
5260         if (alter)
5261                 perms = SEM__READ | SEM__WRITE;
5262         else
5263                 perms = SEM__READ;
5264
5265         return ipc_has_perm(&sma->sem_perm, perms);
5266 }
5267
5268 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5269 {
5270         u32 av = 0;
5271
5272         av = 0;
5273         if (flag & S_IRUGO)
5274                 av |= IPC__UNIX_READ;
5275         if (flag & S_IWUGO)
5276                 av |= IPC__UNIX_WRITE;
5277
5278         if (av == 0)
5279                 return 0;
5280
5281         return ipc_has_perm(ipcp, av);
5282 }
5283
5284 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5285 {
5286         struct ipc_security_struct *isec = ipcp->security;
5287         *secid = isec->sid;
5288 }
5289
5290 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5291 {
5292         if (inode)
5293                 inode_doinit_with_dentry(inode, dentry);
5294 }
5295
5296 static int selinux_getprocattr(struct task_struct *p,
5297                                char *name, char **value)
5298 {
5299         const struct task_security_struct *__tsec;
5300         u32 sid;
5301         int error;
5302         unsigned len;
5303
5304         if (current != p) {
5305                 error = current_has_perm(p, PROCESS__GETATTR);
5306                 if (error)
5307                         return error;
5308         }
5309
5310         rcu_read_lock();
5311         __tsec = __task_cred(p)->security;
5312
5313         if (!strcmp(name, "current"))
5314                 sid = __tsec->sid;
5315         else if (!strcmp(name, "prev"))
5316                 sid = __tsec->osid;
5317         else if (!strcmp(name, "exec"))
5318                 sid = __tsec->exec_sid;
5319         else if (!strcmp(name, "fscreate"))
5320                 sid = __tsec->create_sid;
5321         else if (!strcmp(name, "keycreate"))
5322                 sid = __tsec->keycreate_sid;
5323         else if (!strcmp(name, "sockcreate"))
5324                 sid = __tsec->sockcreate_sid;
5325         else
5326                 goto invalid;
5327         rcu_read_unlock();
5328
5329         if (!sid)
5330                 return 0;
5331
5332         error = security_sid_to_context(sid, value, &len);
5333         if (error)
5334                 return error;
5335         return len;
5336
5337 invalid:
5338         rcu_read_unlock();
5339         return -EINVAL;
5340 }
5341
5342 static int selinux_setprocattr(struct task_struct *p,
5343                                char *name, void *value, size_t size)
5344 {
5345         struct task_security_struct *tsec;
5346         struct task_struct *tracer;
5347         struct cred *new;
5348         u32 sid = 0, ptsid;
5349         int error;
5350         char *str = value;
5351
5352         if (current != p) {
5353                 /* SELinux only allows a process to change its own
5354                    security attributes. */
5355                 return -EACCES;
5356         }
5357
5358         /*
5359          * Basic control over ability to set these attributes at all.
5360          * current == p, but we'll pass them separately in case the
5361          * above restriction is ever removed.
5362          */
5363         if (!strcmp(name, "exec"))
5364                 error = current_has_perm(p, PROCESS__SETEXEC);
5365         else if (!strcmp(name, "fscreate"))
5366                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5367         else if (!strcmp(name, "keycreate"))
5368                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5369         else if (!strcmp(name, "sockcreate"))
5370                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5371         else if (!strcmp(name, "current"))
5372                 error = current_has_perm(p, PROCESS__SETCURRENT);
5373         else
5374                 error = -EINVAL;
5375         if (error)
5376                 return error;
5377
5378         /* Obtain a SID for the context, if one was specified. */
5379         if (size && str[1] && str[1] != '\n') {
5380                 if (str[size-1] == '\n') {
5381                         str[size-1] = 0;
5382                         size--;
5383                 }
5384                 error = security_context_to_sid(value, size, &sid);
5385                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5386                         if (!capable(CAP_MAC_ADMIN))
5387                                 return error;
5388                         error = security_context_to_sid_force(value, size,
5389                                                               &sid);
5390                 }
5391                 if (error)
5392                         return error;
5393         }
5394
5395         new = prepare_creds();
5396         if (!new)
5397                 return -ENOMEM;
5398
5399         /* Permission checking based on the specified context is
5400            performed during the actual operation (execve,
5401            open/mkdir/...), when we know the full context of the
5402            operation.  See selinux_bprm_set_creds for the execve
5403            checks and may_create for the file creation checks. The
5404            operation will then fail if the context is not permitted. */
5405         tsec = new->security;
5406         if (!strcmp(name, "exec")) {
5407                 tsec->exec_sid = sid;
5408         } else if (!strcmp(name, "fscreate")) {
5409                 tsec->create_sid = sid;
5410         } else if (!strcmp(name, "keycreate")) {
5411                 error = may_create_key(sid, p);
5412                 if (error)
5413                         goto abort_change;
5414                 tsec->keycreate_sid = sid;
5415         } else if (!strcmp(name, "sockcreate")) {
5416                 tsec->sockcreate_sid = sid;
5417         } else if (!strcmp(name, "current")) {
5418                 error = -EINVAL;
5419                 if (sid == 0)
5420                         goto abort_change;
5421
5422                 /* Only allow single threaded processes to change context */
5423                 error = -EPERM;
5424                 if (!current_is_single_threaded()) {
5425                         error = security_bounded_transition(tsec->sid, sid);
5426                         if (error)
5427                                 goto abort_change;
5428                 }
5429
5430                 /* Check permissions for the transition. */
5431                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5432                                      PROCESS__DYNTRANSITION, NULL);
5433                 if (error)
5434                         goto abort_change;
5435
5436                 /* Check for ptracing, and update the task SID if ok.
5437                    Otherwise, leave SID unchanged and fail. */
5438                 ptsid = 0;
5439                 rcu_read_lock();
5440                 tracer = ptrace_parent(p);
5441                 if (tracer)
5442                         ptsid = task_sid(tracer);
5443                 rcu_read_unlock();
5444
5445                 if (tracer) {
5446                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5447                                              PROCESS__PTRACE, NULL);
5448                         if (error)
5449                                 goto abort_change;
5450                 }
5451
5452                 tsec->sid = sid;
5453         } else {
5454                 error = -EINVAL;
5455                 goto abort_change;
5456         }
5457
5458         commit_creds(new);
5459         return size;
5460
5461 abort_change:
5462         abort_creds(new);
5463         return error;
5464 }
5465
5466 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5467 {
5468         return security_sid_to_context(secid, secdata, seclen);
5469 }
5470
5471 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5472 {
5473         return security_context_to_sid(secdata, seclen, secid);
5474 }
5475
5476 static void selinux_release_secctx(char *secdata, u32 seclen)
5477 {
5478         kfree(secdata);
5479 }
5480
5481 /*
5482  *      called with inode->i_mutex locked
5483  */
5484 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5485 {
5486         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5487 }
5488
5489 /*
5490  *      called with inode->i_mutex locked
5491  */
5492 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5493 {
5494         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5495 }
5496
5497 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5498 {
5499         int len = 0;
5500         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5501                                                 ctx, true);
5502         if (len < 0)
5503                 return len;
5504         *ctxlen = len;
5505         return 0;
5506 }
5507 #ifdef CONFIG_KEYS
5508
5509 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5510                              unsigned long flags)
5511 {
5512         const struct task_security_struct *tsec;
5513         struct key_security_struct *ksec;
5514
5515         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5516         if (!ksec)
5517                 return -ENOMEM;
5518
5519         tsec = cred->security;
5520         if (tsec->keycreate_sid)
5521                 ksec->sid = tsec->keycreate_sid;
5522         else
5523                 ksec->sid = tsec->sid;
5524
5525         k->security = ksec;
5526         return 0;
5527 }
5528
5529 static void selinux_key_free(struct key *k)
5530 {
5531         struct key_security_struct *ksec = k->security;
5532
5533         k->security = NULL;
5534         kfree(ksec);
5535 }
5536
5537 static int selinux_key_permission(key_ref_t key_ref,
5538                                   const struct cred *cred,
5539                                   key_perm_t perm)
5540 {
5541         struct key *key;
5542         struct key_security_struct *ksec;
5543         u32 sid;
5544
5545         /* if no specific permissions are requested, we skip the
5546            permission check. No serious, additional covert channels
5547            appear to be created. */
5548         if (perm == 0)
5549                 return 0;
5550
5551         sid = cred_sid(cred);
5552
5553         key = key_ref_to_ptr(key_ref);
5554         ksec = key->security;
5555
5556         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5557 }
5558
5559 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5560 {
5561         struct key_security_struct *ksec = key->security;
5562         char *context = NULL;
5563         unsigned len;
5564         int rc;
5565
5566         rc = security_sid_to_context(ksec->sid, &context, &len);
5567         if (!rc)
5568                 rc = len;
5569         *_buffer = context;
5570         return rc;
5571 }
5572
5573 #endif
5574
5575 static struct security_operations selinux_ops = {
5576         .name =                         "selinux",
5577
5578         .ptrace_access_check =          selinux_ptrace_access_check,
5579         .ptrace_traceme =               selinux_ptrace_traceme,
5580         .capget =                       selinux_capget,
5581         .capset =                       selinux_capset,
5582         .capable =                      selinux_capable,
5583         .quotactl =                     selinux_quotactl,
5584         .quota_on =                     selinux_quota_on,
5585         .syslog =                       selinux_syslog,
5586         .vm_enough_memory =             selinux_vm_enough_memory,
5587
5588         .netlink_send =                 selinux_netlink_send,
5589         .netlink_recv =                 selinux_netlink_recv,
5590
5591         .bprm_set_creds =               selinux_bprm_set_creds,
5592         .bprm_committing_creds =        selinux_bprm_committing_creds,
5593         .bprm_committed_creds =         selinux_bprm_committed_creds,
5594         .bprm_secureexec =              selinux_bprm_secureexec,
5595
5596         .sb_alloc_security =            selinux_sb_alloc_security,
5597         .sb_free_security =             selinux_sb_free_security,
5598         .sb_copy_data =                 selinux_sb_copy_data,
5599         .sb_remount =                   selinux_sb_remount,
5600         .sb_kern_mount =                selinux_sb_kern_mount,
5601         .sb_show_options =              selinux_sb_show_options,
5602         .sb_statfs =                    selinux_sb_statfs,
5603         .sb_mount =                     selinux_mount,
5604         .sb_umount =                    selinux_umount,
5605         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5606         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5607         .sb_parse_opts_str =            selinux_parse_opts_str,
5608
5609
5610         .inode_alloc_security =         selinux_inode_alloc_security,
5611         .inode_free_security =          selinux_inode_free_security,
5612         .inode_init_security =          selinux_inode_init_security,
5613         .inode_create =                 selinux_inode_create,
5614         .inode_link =                   selinux_inode_link,
5615         .inode_unlink =                 selinux_inode_unlink,
5616         .inode_symlink =                selinux_inode_symlink,
5617         .inode_mkdir =                  selinux_inode_mkdir,
5618         .inode_rmdir =                  selinux_inode_rmdir,
5619         .inode_mknod =                  selinux_inode_mknod,
5620         .inode_rename =                 selinux_inode_rename,
5621         .inode_readlink =               selinux_inode_readlink,
5622         .inode_follow_link =            selinux_inode_follow_link,
5623         .inode_permission =             selinux_inode_permission,
5624         .inode_setattr =                selinux_inode_setattr,
5625         .inode_getattr =                selinux_inode_getattr,
5626         .inode_setxattr =               selinux_inode_setxattr,
5627         .inode_post_setxattr =          selinux_inode_post_setxattr,
5628         .inode_getxattr =               selinux_inode_getxattr,
5629         .inode_listxattr =              selinux_inode_listxattr,
5630         .inode_removexattr =            selinux_inode_removexattr,
5631         .inode_getsecurity =            selinux_inode_getsecurity,
5632         .inode_setsecurity =            selinux_inode_setsecurity,
5633         .inode_listsecurity =           selinux_inode_listsecurity,
5634         .inode_getsecid =               selinux_inode_getsecid,
5635
5636         .file_permission =              selinux_file_permission,
5637         .file_alloc_security =          selinux_file_alloc_security,
5638         .file_free_security =           selinux_file_free_security,
5639         .file_ioctl =                   selinux_file_ioctl,
5640         .file_mmap =                    selinux_file_mmap,
5641         .file_mprotect =                selinux_file_mprotect,
5642         .file_lock =                    selinux_file_lock,
5643         .file_fcntl =                   selinux_file_fcntl,
5644         .file_set_fowner =              selinux_file_set_fowner,
5645         .file_send_sigiotask =          selinux_file_send_sigiotask,
5646         .file_receive =                 selinux_file_receive,
5647
5648         .dentry_open =                  selinux_dentry_open,
5649
5650         .task_create =                  selinux_task_create,
5651         .cred_alloc_blank =             selinux_cred_alloc_blank,
5652         .cred_free =                    selinux_cred_free,
5653         .cred_prepare =                 selinux_cred_prepare,
5654         .cred_transfer =                selinux_cred_transfer,
5655         .kernel_act_as =                selinux_kernel_act_as,
5656         .kernel_create_files_as =       selinux_kernel_create_files_as,
5657         .kernel_module_request =        selinux_kernel_module_request,
5658         .task_setpgid =                 selinux_task_setpgid,
5659         .task_getpgid =                 selinux_task_getpgid,
5660         .task_getsid =                  selinux_task_getsid,
5661         .task_getsecid =                selinux_task_getsecid,
5662         .task_setnice =                 selinux_task_setnice,
5663         .task_setioprio =               selinux_task_setioprio,
5664         .task_getioprio =               selinux_task_getioprio,
5665         .task_setrlimit =               selinux_task_setrlimit,
5666         .task_setscheduler =            selinux_task_setscheduler,
5667         .task_getscheduler =            selinux_task_getscheduler,
5668         .task_movememory =              selinux_task_movememory,
5669         .task_kill =                    selinux_task_kill,
5670         .task_wait =                    selinux_task_wait,
5671         .task_to_inode =                selinux_task_to_inode,
5672
5673         .ipc_permission =               selinux_ipc_permission,
5674         .ipc_getsecid =                 selinux_ipc_getsecid,
5675
5676         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5677         .msg_msg_free_security =        selinux_msg_msg_free_security,
5678
5679         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5680         .msg_queue_free_security =      selinux_msg_queue_free_security,
5681         .msg_queue_associate =          selinux_msg_queue_associate,
5682         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5683         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5684         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5685
5686         .shm_alloc_security =           selinux_shm_alloc_security,
5687         .shm_free_security =            selinux_shm_free_security,
5688         .shm_associate =                selinux_shm_associate,
5689         .shm_shmctl =                   selinux_shm_shmctl,
5690         .shm_shmat =                    selinux_shm_shmat,
5691
5692         .sem_alloc_security =           selinux_sem_alloc_security,
5693         .sem_free_security =            selinux_sem_free_security,
5694         .sem_associate =                selinux_sem_associate,
5695         .sem_semctl =                   selinux_sem_semctl,
5696         .sem_semop =                    selinux_sem_semop,
5697
5698         .d_instantiate =                selinux_d_instantiate,
5699
5700         .getprocattr =                  selinux_getprocattr,
5701         .setprocattr =                  selinux_setprocattr,
5702
5703         .secid_to_secctx =              selinux_secid_to_secctx,
5704         .secctx_to_secid =              selinux_secctx_to_secid,
5705         .release_secctx =               selinux_release_secctx,
5706         .inode_notifysecctx =           selinux_inode_notifysecctx,
5707         .inode_setsecctx =              selinux_inode_setsecctx,
5708         .inode_getsecctx =              selinux_inode_getsecctx,
5709
5710         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5711         .unix_may_send =                selinux_socket_unix_may_send,
5712
5713         .socket_create =                selinux_socket_create,
5714         .socket_post_create =           selinux_socket_post_create,
5715         .socket_bind =                  selinux_socket_bind,
5716         .socket_connect =               selinux_socket_connect,
5717         .socket_listen =                selinux_socket_listen,
5718         .socket_accept =                selinux_socket_accept,
5719         .socket_sendmsg =               selinux_socket_sendmsg,
5720         .socket_recvmsg =               selinux_socket_recvmsg,
5721         .socket_getsockname =           selinux_socket_getsockname,
5722         .socket_getpeername =           selinux_socket_getpeername,
5723         .socket_getsockopt =            selinux_socket_getsockopt,
5724         .socket_setsockopt =            selinux_socket_setsockopt,
5725         .socket_shutdown =              selinux_socket_shutdown,
5726         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5727         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5728         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5729         .sk_alloc_security =            selinux_sk_alloc_security,
5730         .sk_free_security =             selinux_sk_free_security,
5731         .sk_clone_security =            selinux_sk_clone_security,
5732         .sk_getsecid =                  selinux_sk_getsecid,
5733         .sock_graft =                   selinux_sock_graft,
5734         .inet_conn_request =            selinux_inet_conn_request,
5735         .inet_csk_clone =               selinux_inet_csk_clone,
5736         .inet_conn_established =        selinux_inet_conn_established,
5737         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5738         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5739         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5740         .req_classify_flow =            selinux_req_classify_flow,
5741         .tun_dev_create =               selinux_tun_dev_create,
5742         .tun_dev_post_create =          selinux_tun_dev_post_create,
5743         .tun_dev_attach =               selinux_tun_dev_attach,
5744
5745 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5746         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5747         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5748         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5749         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5750         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5751         .xfrm_state_free_security =     selinux_xfrm_state_free,
5752         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5753         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5754         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5755         .xfrm_decode_session =          selinux_xfrm_decode_session,
5756 #endif
5757
5758 #ifdef CONFIG_KEYS
5759         .key_alloc =                    selinux_key_alloc,
5760         .key_free =                     selinux_key_free,
5761         .key_permission =               selinux_key_permission,
5762         .key_getsecurity =              selinux_key_getsecurity,
5763 #endif
5764
5765 #ifdef CONFIG_AUDIT
5766         .audit_rule_init =              selinux_audit_rule_init,
5767         .audit_rule_known =             selinux_audit_rule_known,
5768         .audit_rule_match =             selinux_audit_rule_match,
5769         .audit_rule_free =              selinux_audit_rule_free,
5770 #endif
5771 };
5772
5773 static __init int selinux_init(void)
5774 {
5775         if (!security_module_enable(&selinux_ops)) {
5776                 selinux_enabled = 0;
5777                 return 0;
5778         }
5779
5780         if (!selinux_enabled) {
5781                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5782                 return 0;
5783         }
5784
5785         printk(KERN_INFO "SELinux:  Initializing.\n");
5786
5787         /* Set the security state for the initial task. */
5788         cred_init_security();
5789
5790         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5791
5792         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5793                                             sizeof(struct inode_security_struct),
5794                                             0, SLAB_PANIC, NULL);
5795         avc_init();
5796
5797         if (register_security(&selinux_ops))
5798                 panic("SELinux: Unable to register with kernel.\n");
5799
5800         if (selinux_enforcing)
5801                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5802         else
5803                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5804
5805         return 0;
5806 }
5807
5808 static void delayed_superblock_init(struct super_block *sb, void *unused)
5809 {
5810         superblock_doinit(sb, NULL);
5811 }
5812
5813 void selinux_complete_init(void)
5814 {
5815         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5816
5817         /* Set up any superblocks initialized prior to the policy load. */
5818         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5819         iterate_supers(delayed_superblock_init, NULL);
5820 }
5821
5822 /* SELinux requires early initialization in order to label
5823    all processes and objects when they are created. */
5824 security_initcall(selinux_init);
5825
5826 #if defined(CONFIG_NETFILTER)
5827
5828 static struct nf_hook_ops selinux_ipv4_ops[] = {
5829         {
5830                 .hook =         selinux_ipv4_postroute,
5831                 .owner =        THIS_MODULE,
5832                 .pf =           PF_INET,
5833                 .hooknum =      NF_INET_POST_ROUTING,
5834                 .priority =     NF_IP_PRI_SELINUX_LAST,
5835         },
5836         {
5837                 .hook =         selinux_ipv4_forward,
5838                 .owner =        THIS_MODULE,
5839                 .pf =           PF_INET,
5840                 .hooknum =      NF_INET_FORWARD,
5841                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5842         },
5843         {
5844                 .hook =         selinux_ipv4_output,
5845                 .owner =        THIS_MODULE,
5846                 .pf =           PF_INET,
5847                 .hooknum =      NF_INET_LOCAL_OUT,
5848                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5849         }
5850 };
5851
5852 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5853
5854 static struct nf_hook_ops selinux_ipv6_ops[] = {
5855         {
5856                 .hook =         selinux_ipv6_postroute,
5857                 .owner =        THIS_MODULE,
5858                 .pf =           PF_INET6,
5859                 .hooknum =      NF_INET_POST_ROUTING,
5860                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5861         },
5862         {
5863                 .hook =         selinux_ipv6_forward,
5864                 .owner =        THIS_MODULE,
5865                 .pf =           PF_INET6,
5866                 .hooknum =      NF_INET_FORWARD,
5867                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5868         }
5869 };
5870
5871 #endif  /* IPV6 */
5872
5873 static int __init selinux_nf_ip_init(void)
5874 {
5875         int err = 0;
5876
5877         if (!selinux_enabled)
5878                 goto out;
5879
5880         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5881
5882         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5883         if (err)
5884                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5885
5886 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5887         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5888         if (err)
5889                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5890 #endif  /* IPV6 */
5891
5892 out:
5893         return err;
5894 }
5895
5896 __initcall(selinux_nf_ip_init);
5897
5898 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5899 static void selinux_nf_ip_exit(void)
5900 {
5901         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5902
5903         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5904 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5905         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5906 #endif  /* IPV6 */
5907 }
5908 #endif
5909
5910 #else /* CONFIG_NETFILTER */
5911
5912 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5913 #define selinux_nf_ip_exit()
5914 #endif
5915
5916 #endif /* CONFIG_NETFILTER */
5917
5918 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5919 static int selinux_disabled;
5920
5921 int selinux_disable(void)
5922 {
5923         if (ss_initialized) {
5924                 /* Not permitted after initial policy load. */
5925                 return -EINVAL;
5926         }
5927
5928         if (selinux_disabled) {
5929                 /* Only do this once. */
5930                 return -EINVAL;
5931         }
5932
5933         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5934
5935         selinux_disabled = 1;
5936         selinux_enabled = 0;
5937
5938         reset_security_ops();
5939
5940         /* Try to destroy the avc node cache */
5941         avc_disable();
5942
5943         /* Unregister netfilter hooks. */
5944         selinux_nf_ip_exit();
5945
5946         /* Unregister selinuxfs. */
5947         exit_sel_fs();
5948
5949         return 0;
5950 }
5951 #endif