linux/security/selinux/hooks.c
<<
>>
Prefs
   1/*
   2 *  NSA Security-Enhanced Linux (SELinux) security module
   3 *
   4 *  This file contains the SELinux hook function implementations.
   5 *
   6 *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
   7 *            Chris Vance, <cvance@nai.com>
   8 *            Wayne Salamon, <wsalamon@nai.com>
   9 *            James Morris <jmorris@redhat.com>
  10 *
  11 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  12 *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
  13 *                                         Eric Paris <eparis@redhat.com>
  14 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  15 *                          <dgoeddel@trustedcs.com>
  16 *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
  17 *      Paul Moore <paul@paul-moore.com>
  18 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  19 *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
  20 *
  21 *      This program is free software; you can redistribute it and/or modify
  22 *      it under the terms of the GNU General Public License version 2,
  23 *      as published by the Free Software Foundation.
  24 */
  25
  26#include <linux/init.h>
  27#include <linux/kd.h>
  28#include <linux/kernel.h>
  29#include <linux/tracehook.h>
  30#include <linux/errno.h>
  31#include <linux/sched.h>
  32#include <linux/security.h>
  33#include <linux/xattr.h>
  34#include <linux/capability.h>
  35#include <linux/unistd.h>
  36#include <linux/mm.h>
  37#include <linux/mman.h>
  38#include <linux/slab.h>
  39#include <linux/pagemap.h>
  40#include <linux/proc_fs.h>
  41#include <linux/swap.h>
  42#include <linux/spinlock.h>
  43#include <linux/syscalls.h>
  44#include <linux/dcache.h>
  45#include <linux/file.h>
  46#include <linux/fdtable.h>
  47#include <linux/namei.h>
  48#include <linux/mount.h>
  49#include <linux/netfilter_ipv4.h>
  50#include <linux/netfilter_ipv6.h>
  51#include <linux/tty.h>
  52#include <net/icmp.h>
  53#include <net/ip.h>             /* for local_port_range[] */
  54#include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
  55#include <net/net_namespace.h>
  56#include <net/netlabel.h>
  57#include <linux/uaccess.h>
  58#include <asm/ioctls.h>
  59#include <linux/atomic.h>
  60#include <linux/bitops.h>
  61#include <linux/interrupt.h>
  62#include <linux/netdevice.h>    /* for network interface checks */
  63#include <linux/netlink.h>
  64#include <linux/tcp.h>
  65#include <linux/udp.h>
  66#include <linux/dccp.h>
  67#include <linux/quota.h>
  68#include <linux/un.h>           /* for Unix socket types */
  69#include <net/af_unix.h>        /* for Unix socket types */
  70#include <linux/parser.h>
  71#include <linux/nfs_mount.h>
  72#include <net/ipv6.h>
  73#include <linux/hugetlb.h>
  74#include <linux/personality.h>
  75#include <linux/audit.h>
  76#include <linux/string.h>
  77#include <linux/selinux.h>
  78#include <linux/mutex.h>
  79#include <linux/posix-timers.h>
  80#include <linux/syslog.h>
  81#include <linux/user_namespace.h>
  82#include <linux/export.h>
  83#include <linux/msg.h>
  84#include <linux/shm.h>
  85
  86#include "avc.h"
  87#include "objsec.h"
  88#include "netif.h"
  89#include "netnode.h"
  90#include "netport.h"
  91#include "xfrm.h"
  92#include "netlabel.h"
  93#include "audit.h"
  94#include "avc_ss.h"
  95
  96#define NUM_SEL_MNT_OPTS 5
  97
  98extern struct security_operations *security_ops;
  99
 100/* SECMARK reference count */
 101static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 102
 103#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 104int selinux_enforcing;
 105
 106static int __init enforcing_setup(char *str)
 107{
 108        unsigned long enforcing;
 109        if (!strict_strtoul(str, 0, &enforcing))
 110                selinux_enforcing = enforcing ? 1 : 0;
 111        return 1;
 112}
 113__setup("enforcing=", enforcing_setup);
 114#endif
 115
 116#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 117int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 118
 119static int __init selinux_enabled_setup(char *str)
 120{
 121        unsigned long enabled;
 122        if (!strict_strtoul(str, 0, &enabled))
 123                selinux_enabled = enabled ? 1 : 0;
 124        return 1;
 125}
 126__setup("selinux=", selinux_enabled_setup);
 127#else
 128int selinux_enabled = 1;
 129#endif
 130
 131static struct kmem_cache *sel_inode_cache;
 132
 133/**
 134 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
 135 *
 136 * Description:
 137 * This function checks the SECMARK reference counter to see if any SECMARK
 138 * targets are currently configured, if the reference counter is greater than
 139 * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
 140 * enabled, false (0) if SECMARK is disabled.
 141 *
 142 */
 143static int selinux_secmark_enabled(void)
 144{
 145        return (atomic_read(&selinux_secmark_refcount) > 0);
 146}
 147
 148/*
 149 * initialise the security for the init task
 150 */
 151static void cred_init_security(void)
 152{
 153        struct cred *cred = (struct cred *) current->real_cred;
 154        struct task_security_struct *tsec;
 155
 156        tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
 157        if (!tsec)
 158                panic("SELinux:  Failed to initialize initial task.\n");
 159
 160        tsec->osid = tsec->sid = SECINITSID_KERNEL;
 161        cred->security = tsec;
 162}
 163
 164/*
 165 * get the security ID of a set of credentials
 166 */
 167static inline u32 cred_sid(const struct cred *cred)
 168{
 169        const struct task_security_struct *tsec;
 170
 171        tsec = cred->security;
 172        return tsec->sid;
 173}
 174
 175/*
 176 * get the objective security ID of a task
 177 */
 178static inline u32 task_sid(const struct task_struct *task)
 179{
 180        u32 sid;
 181
 182        rcu_read_lock();
 183        sid = cred_sid(__task_cred(task));
 184        rcu_read_unlock();
 185        return sid;
 186}
 187
 188/*
 189 * get the subjective security ID of the current task
 190 */
 191static inline u32 current_sid(void)
 192{
 193        const struct task_security_struct *tsec = current_security();
 194
 195        return tsec->sid;
 196}
 197
 198/* Allocate and free functions for each kind of security blob. */
 199
 200static int inode_alloc_security(struct inode *inode)
 201{
 202        struct inode_security_struct *isec;
 203        u32 sid = current_sid();
 204
 205        isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
 206        if (!isec)
 207                return -ENOMEM;
 208
 209        mutex_init(&isec->lock);
 210        INIT_LIST_HEAD(&isec->list);
 211        isec->inode = inode;
 212        isec->sid = SECINITSID_UNLABELED;
 213        isec->sclass = SECCLASS_FILE;
 214        isec->task_sid = sid;
 215        inode->i_security = isec;
 216
 217        return 0;
 218}
 219
 220static void inode_free_security(struct inode *inode)
 221{
 222        struct inode_security_struct *isec = inode->i_security;
 223        struct superblock_security_struct *sbsec = inode->i_sb->s_security;
 224
 225        spin_lock(&sbsec->isec_lock);
 226        if (!list_empty(&isec->list))
 227                list_del_init(&isec->list);
 228        spin_unlock(&sbsec->isec_lock);
 229
 230        inode->i_security = NULL;
 231        kmem_cache_free(sel_inode_cache, isec);
 232}
 233
 234static int file_alloc_security(struct file *file)
 235{
 236        struct file_security_struct *fsec;
 237        u32 sid = current_sid();
 238
 239        fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
 240        if (!fsec)
 241                return -ENOMEM;
 242
 243        fsec->sid = sid;
 244        fsec->fown_sid = sid;
 245        file->f_security = fsec;
 246
 247        return 0;
 248}
 249
 250static void file_free_security(struct file *file)
 251{
 252        struct file_security_struct *fsec = file->f_security;
 253        file->f_security = NULL;
 254        kfree(fsec);
 255}
 256
 257static int superblock_alloc_security(struct super_block *sb)
 258{
 259        struct superblock_security_struct *sbsec;
 260
 261        sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
 262        if (!sbsec)
 263                return -ENOMEM;
 264
 265        mutex_init(&sbsec->lock);
 266        INIT_LIST_HEAD(&sbsec->isec_head);
 267        spin_lock_init(&sbsec->isec_lock);
 268        sbsec->sb = sb;
 269        sbsec->sid = SECINITSID_UNLABELED;
 270        sbsec->def_sid = SECINITSID_FILE;
 271        sbsec->mntpoint_sid = SECINITSID_UNLABELED;
 272        sb->s_security = sbsec;
 273
 274        return 0;
 275}
 276
 277static void superblock_free_security(struct super_block *sb)
 278{
 279        struct superblock_security_struct *sbsec = sb->s_security;
 280        sb->s_security = NULL;
 281        kfree(sbsec);
 282}
 283
 284/* The file system's label must be initialized prior to use. */
 285
 286static const char *labeling_behaviors[6] = {
 287        "uses xattr",
 288        "uses transition SIDs",
 289        "uses task SIDs",
 290        "uses genfs_contexts",
 291        "not configured for labeling",
 292        "uses mountpoint labeling",
 293};
 294
 295static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 296
 297static inline int inode_doinit(struct inode *inode)
 298{
 299        return inode_doinit_with_dentry(inode, NULL);
 300}
 301
 302enum {
 303        Opt_error = -1,
 304        Opt_context = 1,
 305        Opt_fscontext = 2,
 306        Opt_defcontext = 3,
 307        Opt_rootcontext = 4,
 308        Opt_labelsupport = 5,
 309};
 310
 311static const match_table_t tokens = {
 312        {Opt_context, CONTEXT_STR "%s"},
 313        {Opt_fscontext, FSCONTEXT_STR "%s"},
 314        {Opt_defcontext, DEFCONTEXT_STR "%s"},
 315        {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
 316        {Opt_labelsupport, LABELSUPP_STR},
 317        {Opt_error, NULL},
 318};
 319
 320#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
 321
 322static int may_context_mount_sb_relabel(u32 sid,
 323                        struct superblock_security_struct *sbsec,
 324                        const struct cred *cred)
 325{
 326        const struct task_security_struct *tsec = cred->security;
 327        int rc;
 328
 329        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 330                          FILESYSTEM__RELABELFROM, NULL);
 331        if (rc)
 332                return rc;
 333
 334        rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
 335                          FILESYSTEM__RELABELTO, NULL);
 336        return rc;
 337}
 338
 339static int may_context_mount_inode_relabel(u32 sid,
 340                        struct superblock_security_struct *sbsec,
 341                        const struct cred *cred)
 342{
 343        const struct task_security_struct *tsec = cred->security;
 344        int rc;
 345        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 346                          FILESYSTEM__RELABELFROM, NULL);
 347        if (rc)
 348                return rc;
 349
 350        rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
 351                          FILESYSTEM__ASSOCIATE, NULL);
 352        return rc;
 353}
 354
 355static int sb_finish_set_opts(struct super_block *sb)
 356{
 357        struct superblock_security_struct *sbsec = sb->s_security;
 358        struct dentry *root = sb->s_root;
 359        struct inode *root_inode = root->d_inode;
 360        int rc = 0;
 361
 362        if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 363                /* Make sure that the xattr handler exists and that no
 364                   error other than -ENODATA is returned by getxattr on
 365                   the root directory.  -ENODATA is ok, as this may be
 366                   the first boot of the SELinux kernel before we have
 367                   assigned xattr values to the filesystem. */
 368                if (!root_inode->i_op->getxattr) {
 369                        printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
 370                               "xattr support\n", sb->s_id, sb->s_type->name);
 371                        rc = -EOPNOTSUPP;
 372                        goto out;
 373                }
 374                rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
 375                if (rc < 0 && rc != -ENODATA) {
 376                        if (rc == -EOPNOTSUPP)
 377                                printk(KERN_WARNING "SELinux: (dev %s, type "
 378                                       "%s) has no security xattr handler\n",
 379                                       sb->s_id, sb->s_type->name);
 380                        else
 381                                printk(KERN_WARNING "SELinux: (dev %s, type "
 382                                       "%s) getxattr errno %d\n", sb->s_id,
 383                                       sb->s_type->name, -rc);
 384                        goto out;
 385                }
 386        }
 387
 388        sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
 389
 390        if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
 391                printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
 392                       sb->s_id, sb->s_type->name);
 393        else
 394                printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
 395                       sb->s_id, sb->s_type->name,
 396                       labeling_behaviors[sbsec->behavior-1]);
 397
 398        if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
 399            sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
 400            sbsec->behavior == SECURITY_FS_USE_NONE ||
 401            sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
 402                sbsec->flags &= ~SE_SBLABELSUPP;
 403
 404        /* Special handling for sysfs. Is genfs but also has setxattr handler*/
 405        if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
 406                sbsec->flags |= SE_SBLABELSUPP;
 407
 408        /* Initialize the root inode. */
 409        rc = inode_doinit_with_dentry(root_inode, root);
 410
 411        /* Initialize any other inodes associated with the superblock, e.g.
 412           inodes created prior to initial policy load or inodes created
 413           during get_sb by a pseudo filesystem that directly
 414           populates itself. */
 415        spin_lock(&sbsec->isec_lock);
 416next_inode:
 417        if (!list_empty(&sbsec->isec_head)) {
 418                struct inode_security_struct *isec =
 419                                list_entry(sbsec->isec_head.next,
 420                                           struct inode_security_struct, list);
 421                struct inode *inode = isec->inode;
 422                spin_unlock(&sbsec->isec_lock);
 423                inode = igrab(inode);
 424                if (inode) {
 425                        if (!IS_PRIVATE(inode))
 426                                inode_doinit(inode);
 427                        iput(inode);
 428                }
 429                spin_lock(&sbsec->isec_lock);
 430                list_del_init(&isec->list);
 431                goto next_inode;
 432        }
 433        spin_unlock(&sbsec->isec_lock);
 434out:
 435        return rc;
 436}
 437
 438/*
 439 * This function should allow an FS to ask what it's mount security
 440 * options were so it can use those later for submounts, displaying
 441 * mount options, or whatever.
 442 */
 443static int selinux_get_mnt_opts(const struct super_block *sb,
 444                                struct security_mnt_opts *opts)
 445{
 446        int rc = 0, i;
 447        struct superblock_security_struct *sbsec = sb->s_security;
 448        char *context = NULL;
 449        u32 len;
 450        char tmp;
 451
 452        security_init_mnt_opts(opts);
 453
 454        if (!(sbsec->flags & SE_SBINITIALIZED))
 455                return -EINVAL;
 456
 457        if (!ss_initialized)
 458                return -EINVAL;
 459
 460        tmp = sbsec->flags & SE_MNTMASK;
 461        /* count the number of mount options for this sb */
 462        for (i = 0; i < 8; i++) {
 463                if (tmp & 0x01)
 464                        opts->num_mnt_opts++;
 465                tmp >>= 1;
 466        }
 467        /* Check if the Label support flag is set */
 468        if (sbsec->flags & SE_SBLABELSUPP)
 469                opts->num_mnt_opts++;
 470
 471        opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
 472        if (!opts->mnt_opts) {
 473                rc = -ENOMEM;
 474                goto out_free;
 475        }
 476
 477        opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
 478        if (!opts->mnt_opts_flags) {
 479                rc = -ENOMEM;
 480                goto out_free;
 481        }
 482
 483        i = 0;
 484        if (sbsec->flags & FSCONTEXT_MNT) {
 485                rc = security_sid_to_context(sbsec->sid, &context, &len);
 486                if (rc)
 487                        goto out_free;
 488                opts->mnt_opts[i] = context;
 489                opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
 490        }
 491        if (sbsec->flags & CONTEXT_MNT) {
 492                rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
 493                if (rc)
 494                        goto out_free;
 495                opts->mnt_opts[i] = context;
 496                opts->mnt_opts_flags[i++] = CONTEXT_MNT;
 497        }
 498        if (sbsec->flags & DEFCONTEXT_MNT) {
 499                rc = security_sid_to_context(sbsec->def_sid, &context, &len);
 500                if (rc)
 501                        goto out_free;
 502                opts->mnt_opts[i] = context;
 503                opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
 504        }
 505        if (sbsec->flags & ROOTCONTEXT_MNT) {
 506                struct inode *root = sbsec->sb->s_root->d_inode;
 507                struct inode_security_struct *isec = root->i_security;
 508
 509                rc = security_sid_to_context(isec->sid, &context, &len);
 510                if (rc)
 511                        goto out_free;
 512                opts->mnt_opts[i] = context;
 513                opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
 514        }
 515        if (sbsec->flags & SE_SBLABELSUPP) {
 516                opts->mnt_opts[i] = NULL;
 517                opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
 518        }
 519
 520        BUG_ON(i != opts->num_mnt_opts);
 521
 522        return 0;
 523
 524out_free:
 525        security_free_mnt_opts(opts);
 526        return rc;
 527}
 528
 529static int bad_option(struct superblock_security_struct *sbsec, char flag,
 530                      u32 old_sid, u32 new_sid)
 531{
 532        char mnt_flags = sbsec->flags & SE_MNTMASK;
 533
 534        /* check if the old mount command had the same options */
 535        if (sbsec->flags & SE_SBINITIALIZED)
 536                if (!(sbsec->flags & flag) ||
 537                    (old_sid != new_sid))
 538                        return 1;
 539
 540        /* check if we were passed the same options twice,
 541         * aka someone passed context=a,context=b
 542         */
 543        if (!(sbsec->flags & SE_SBINITIALIZED))
 544                if (mnt_flags & flag)
 545                        return 1;
 546        return 0;
 547}
 548
 549/*
 550 * Allow filesystems with binary mount data to explicitly set mount point
 551 * labeling information.
 552 */
 553static int selinux_set_mnt_opts(struct super_block *sb,
 554                                struct security_mnt_opts *opts)
 555{
 556        const struct cred *cred = current_cred();
 557        int rc = 0, i;
 558        struct superblock_security_struct *sbsec = sb->s_security;
 559        const char *name = sb->s_type->name;
 560        struct inode *inode = sbsec->sb->s_root->d_inode;
 561        struct inode_security_struct *root_isec = inode->i_security;
 562        u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 563        u32 defcontext_sid = 0;
 564        char **mount_options = opts->mnt_opts;
 565        int *flags = opts->mnt_opts_flags;
 566        int num_opts = opts->num_mnt_opts;
 567
 568        mutex_lock(&sbsec->lock);
 569
 570        if (!ss_initialized) {
 571                if (!num_opts) {
 572                        /* Defer initialization until selinux_complete_init,
 573                           after the initial policy is loaded and the security
 574                           server is ready to handle calls. */
 575                        goto out;
 576                }
 577                rc = -EINVAL;
 578                printk(KERN_WARNING "SELinux: Unable to set superblock options "
 579                        "before the security server is initialized\n");
 580                goto out;
 581        }
 582
 583        /*
 584         * Binary mount data FS will come through this function twice.  Once
 585         * from an explicit call and once from the generic calls from the vfs.
 586         * Since the generic VFS calls will not contain any security mount data
 587         * we need to skip the double mount verification.
 588         *
 589         * This does open a hole in which we will not notice if the first
 590         * mount using this sb set explict options and a second mount using
 591         * this sb does not set any security options.  (The first options
 592         * will be used for both mounts)
 593         */
 594        if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
 595            && (num_opts == 0))
 596                goto out;
 597
 598        /*
 599         * parse the mount options, check if they are valid sids.
 600         * also check if someone is trying to mount the same sb more
 601         * than once with different security options.
 602         */
 603        for (i = 0; i < num_opts; i++) {
 604                u32 sid;
 605
 606                if (flags[i] == SE_SBLABELSUPP)
 607                        continue;
 608                rc = security_context_to_sid(mount_options[i],
 609                                             strlen(mount_options[i]), &sid);
 610                if (rc) {
 611                        printk(KERN_WARNING "SELinux: security_context_to_sid"
 612                               "(%s) failed for (dev %s, type %s) errno=%d\n",
 613                               mount_options[i], sb->s_id, name, rc);
 614                        goto out;
 615                }
 616                switch (flags[i]) {
 617                case FSCONTEXT_MNT:
 618                        fscontext_sid = sid;
 619
 620                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
 621                                        fscontext_sid))
 622                                goto out_double_mount;
 623
 624                        sbsec->flags |= FSCONTEXT_MNT;
 625                        break;
 626                case CONTEXT_MNT:
 627                        context_sid = sid;
 628
 629                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
 630                                        context_sid))
 631                                goto out_double_mount;
 632
 633                        sbsec->flags |= CONTEXT_MNT;
 634                        break;
 635                case ROOTCONTEXT_MNT:
 636                        rootcontext_sid = sid;
 637
 638                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
 639                                        rootcontext_sid))
 640                                goto out_double_mount;
 641
 642                        sbsec->flags |= ROOTCONTEXT_MNT;
 643
 644                        break;
 645                case DEFCONTEXT_MNT:
 646                        defcontext_sid = sid;
 647
 648                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
 649                                        defcontext_sid))
 650                                goto out_double_mount;
 651
 652                        sbsec->flags |= DEFCONTEXT_MNT;
 653
 654                        break;
 655                default:
 656                        rc = -EINVAL;
 657                        goto out;
 658                }
 659        }
 660
 661        if (sbsec->flags & SE_SBINITIALIZED) {
 662                /* previously mounted with options, but not on this attempt? */
 663                if ((sbsec->flags & SE_MNTMASK) && !num_opts)
 664                        goto out_double_mount;
 665                rc = 0;
 666                goto out;
 667        }
 668
 669        if (strcmp(sb->s_type->name, "proc") == 0)
 670                sbsec->flags |= SE_SBPROC;
 671
 672        /* Determine the labeling behavior to use for this filesystem type. */
 673        rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
 674        if (rc) {
 675                printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
 676                       __func__, sb->s_type->name, rc);
 677                goto out;
 678        }
 679
 680        /* sets the context of the superblock for the fs being mounted. */
 681        if (fscontext_sid) {
 682                rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
 683                if (rc)
 684                        goto out;
 685
 686                sbsec->sid = fscontext_sid;
 687        }
 688
 689        /*
 690         * Switch to using mount point labeling behavior.
 691         * sets the label used on all file below the mountpoint, and will set
 692         * the superblock context if not already set.
 693         */
 694        if (context_sid) {
 695                if (!fscontext_sid) {
 696                        rc = may_context_mount_sb_relabel(context_sid, sbsec,
 697                                                          cred);
 698                        if (rc)
 699                                goto out;
 700                        sbsec->sid = context_sid;
 701                } else {
 702                        rc = may_context_mount_inode_relabel(context_sid, sbsec,
 703                                                             cred);
 704                        if (rc)
 705                                goto out;
 706                }
 707                if (!rootcontext_sid)
 708                        rootcontext_sid = context_sid;
 709
 710                sbsec->mntpoint_sid = context_sid;
 711                sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 712        }
 713
 714        if (rootcontext_sid) {
 715                rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
 716                                                     cred);
 717                if (rc)
 718                        goto out;
 719
 720                root_isec->sid = rootcontext_sid;
 721                root_isec->initialized = 1;
 722        }
 723
 724        if (defcontext_sid) {
 725                if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
 726                        rc = -EINVAL;
 727                        printk(KERN_WARNING "SELinux: defcontext option is "
 728                               "invalid for this filesystem type\n");
 729                        goto out;
 730                }
 731
 732                if (defcontext_sid != sbsec->def_sid) {
 733                        rc = may_context_mount_inode_relabel(defcontext_sid,
 734                                                             sbsec, cred);
 735                        if (rc)
 736                                goto out;
 737                }
 738
 739                sbsec->def_sid = defcontext_sid;
 740        }
 741
 742        rc = sb_finish_set_opts(sb);
 743out:
 744        mutex_unlock(&sbsec->lock);
 745        return rc;
 746out_double_mount:
 747        rc = -EINVAL;
 748        printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
 749               "security settings for (dev %s, type %s)\n", sb->s_id, name);
 750        goto out;
 751}
 752
 753static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
 754                                        struct super_block *newsb)
 755{
 756        const struct superblock_security_struct *oldsbsec = oldsb->s_security;
 757        struct superblock_security_struct *newsbsec = newsb->s_security;
 758
 759        int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
 760        int set_context =       (oldsbsec->flags & CONTEXT_MNT);
 761        int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
 762
 763        /*
 764         * if the parent was able to be mounted it clearly had no special lsm
 765         * mount options.  thus we can safely deal with this superblock later
 766         */
 767        if (!ss_initialized)
 768                return;
 769
 770        /* how can we clone if the old one wasn't set up?? */
 771        BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
 772
 773        /* if fs is reusing a sb, just let its options stand... */
 774        if (newsbsec->flags & SE_SBINITIALIZED)
 775                return;
 776
 777        mutex_lock(&newsbsec->lock);
 778
 779        newsbsec->flags = oldsbsec->flags;
 780
 781        newsbsec->sid = oldsbsec->sid;
 782        newsbsec->def_sid = oldsbsec->def_sid;
 783        newsbsec->behavior = oldsbsec->behavior;
 784
 785        if (set_context) {
 786                u32 sid = oldsbsec->mntpoint_sid;
 787
 788                if (!set_fscontext)
 789                        newsbsec->sid = sid;
 790                if (!set_rootcontext) {
 791                        struct inode *newinode = newsb->s_root->d_inode;
 792                        struct inode_security_struct *newisec = newinode->i_security;
 793                        newisec->sid = sid;
 794                }
 795                newsbsec->mntpoint_sid = sid;
 796        }
 797        if (set_rootcontext) {
 798                const struct inode *oldinode = oldsb->s_root->d_inode;
 799                const struct inode_security_struct *oldisec = oldinode->i_security;
 800                struct inode *newinode = newsb->s_root->d_inode;
 801                struct inode_security_struct *newisec = newinode->i_security;
 802
 803                newisec->sid = oldisec->sid;
 804        }
 805
 806        sb_finish_set_opts(newsb);
 807        mutex_unlock(&newsbsec->lock);
 808}
 809
 810static int selinux_parse_opts_str(char *options,
 811                                  struct security_mnt_opts *opts)
 812{
 813        char *p;
 814        char *context = NULL, *defcontext = NULL;
 815        char *fscontext = NULL, *rootcontext = NULL;
 816        int rc, num_mnt_opts = 0;
 817
 818        opts->num_mnt_opts = 0;
 819
 820        /* Standard string-based options. */
 821        while ((p = strsep(&options, "|")) != NULL) {
 822                int token;
 823                substring_t args[MAX_OPT_ARGS];
 824
 825                if (!*p)
 826                        continue;
 827
 828                token = match_token(p, tokens, args);
 829
 830                switch (token) {
 831                case Opt_context:
 832                        if (context || defcontext) {
 833                                rc = -EINVAL;
 834                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 835                                goto out_err;
 836                        }
 837                        context = match_strdup(&args[0]);
 838                        if (!context) {
 839                                rc = -ENOMEM;
 840                                goto out_err;
 841                        }
 842                        break;
 843
 844                case Opt_fscontext:
 845                        if (fscontext) {
 846                                rc = -EINVAL;
 847                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 848                                goto out_err;
 849                        }
 850                        fscontext = match_strdup(&args[0]);
 851                        if (!fscontext) {
 852                                rc = -ENOMEM;
 853                                goto out_err;
 854                        }
 855                        break;
 856
 857                case Opt_rootcontext:
 858                        if (rootcontext) {
 859                                rc = -EINVAL;
 860                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 861                                goto out_err;
 862                        }
 863                        rootcontext = match_strdup(&args[0]);
 864                        if (!rootcontext) {
 865                                rc = -ENOMEM;
 866                                goto out_err;
 867                        }
 868                        break;
 869
 870                case Opt_defcontext:
 871                        if (context || defcontext) {
 872                                rc = -EINVAL;
 873                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 874                                goto out_err;
 875                        }
 876                        defcontext = match_strdup(&args[0]);
 877                        if (!defcontext) {
 878                                rc = -ENOMEM;
 879                                goto out_err;
 880                        }
 881                        break;
 882                case Opt_labelsupport:
 883                        break;
 884                default:
 885                        rc = -EINVAL;
 886                        printk(KERN_WARNING "SELinux:  unknown mount option\n");
 887                        goto out_err;
 888
 889                }
 890        }
 891
 892        rc = -ENOMEM;
 893        opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
 894        if (!opts->mnt_opts)
 895                goto out_err;
 896
 897        opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
 898        if (!opts->mnt_opts_flags) {
 899                kfree(opts->mnt_opts);
 900                goto out_err;
 901        }
 902
 903        if (fscontext) {
 904                opts->mnt_opts[num_mnt_opts] = fscontext;
 905                opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
 906        }
 907        if (context) {
 908                opts->mnt_opts[num_mnt_opts] = context;
 909                opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
 910        }
 911        if (rootcontext) {
 912                opts->mnt_opts[num_mnt_opts] = rootcontext;
 913                opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
 914        }
 915        if (defcontext) {
 916                opts->mnt_opts[num_mnt_opts] = defcontext;
 917                opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
 918        }
 919
 920        opts->num_mnt_opts = num_mnt_opts;
 921        return 0;
 922
 923out_err:
 924        kfree(context);
 925        kfree(defcontext);
 926        kfree(fscontext);
 927        kfree(rootcontext);
 928        return rc;
 929}
 930/*
 931 * string mount options parsing and call set the sbsec
 932 */
 933static int superblock_doinit(struct super_block *sb, void *data)
 934{
 935        int rc = 0;
 936        char *options = data;
 937        struct security_mnt_opts opts;
 938
 939        security_init_mnt_opts(&opts);
 940
 941        if (!data)
 942                goto out;
 943
 944        BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
 945
 946        rc = selinux_parse_opts_str(options, &opts);
 947        if (rc)
 948                goto out_err;
 949
 950out:
 951        rc = selinux_set_mnt_opts(sb, &opts);
 952
 953out_err:
 954        security_free_mnt_opts(&opts);
 955        return rc;
 956}
 957
 958static void selinux_write_opts(struct seq_file *m,
 959                               struct security_mnt_opts *opts)
 960{
 961        int i;
 962        char *prefix;
 963
 964        for (i = 0; i < opts->num_mnt_opts; i++) {
 965                char *has_comma;
 966
 967                if (opts->mnt_opts[i])
 968                        has_comma = strchr(opts->mnt_opts[i], ',');
 969                else
 970                        has_comma = NULL;
 971
 972                switch (opts->mnt_opts_flags[i]) {
 973                case CONTEXT_MNT:
 974                        prefix = CONTEXT_STR;
 975                        break;
 976                case FSCONTEXT_MNT:
 977                        prefix = FSCONTEXT_STR;
 978                        break;
 979                case ROOTCONTEXT_MNT:
 980                        prefix = ROOTCONTEXT_STR;
 981                        break;
 982                case DEFCONTEXT_MNT:
 983                        prefix = DEFCONTEXT_STR;
 984                        break;
 985                case SE_SBLABELSUPP:
 986                        seq_putc(m, ',');
 987                        seq_puts(m, LABELSUPP_STR);
 988                        continue;
 989                default:
 990                        BUG();
 991                        return;
 992                };
 993                /* we need a comma before each option */
 994                seq_putc(m, ',');
 995                seq_puts(m, prefix);
 996                if (has_comma)
 997                        seq_putc(m, '\"');
 998                seq_puts(m, opts->mnt_opts[i]);
 999                if (has_comma)
1000                        seq_putc(m, '\"');
1001        }
1002}
1003
1004static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1005{
1006        struct security_mnt_opts opts;
1007        int rc;
1008
1009        rc = selinux_get_mnt_opts(sb, &opts);
1010        if (rc) {
1011                /* before policy load we may get EINVAL, don't show anything */
1012                if (rc == -EINVAL)
1013                        rc = 0;
1014                return rc;
1015        }
1016
1017        selinux_write_opts(m, &opts);
1018
1019        security_free_mnt_opts(&opts);
1020
1021        return rc;
1022}
1023
1024static inline u16 inode_mode_to_security_class(umode_t mode)
1025{
1026        switch (mode & S_IFMT) {
1027        case S_IFSOCK:
1028                return SECCLASS_SOCK_FILE;
1029        case S_IFLNK:
1030                return SECCLASS_LNK_FILE;
1031        case S_IFREG:
1032                return SECCLASS_FILE;
1033        case S_IFBLK:
1034                return SECCLASS_BLK_FILE;
1035        case S_IFDIR:
1036                return SECCLASS_DIR;
1037        case S_IFCHR:
1038                return SECCLASS_CHR_FILE;
1039        case S_IFIFO:
1040                return SECCLASS_FIFO_FILE;
1041
1042        }
1043
1044        return SECCLASS_FILE;
1045}
1046
1047static inline int default_protocol_stream(int protocol)
1048{
1049        return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050}
1051
1052static inline int default_protocol_dgram(int protocol)
1053{
1054        return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055}
1056
1057static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1058{
1059        switch (family) {
1060        case PF_UNIX:
1061                switch (type) {
1062                case SOCK_STREAM:
1063                case SOCK_SEQPACKET:
1064                        return SECCLASS_UNIX_STREAM_SOCKET;
1065                case SOCK_DGRAM:
1066                        return SECCLASS_UNIX_DGRAM_SOCKET;
1067                }
1068                break;
1069        case PF_INET:
1070        case PF_INET6:
1071                switch (type) {
1072                case SOCK_STREAM:
1073                        if (default_protocol_stream(protocol))
1074                                return SECCLASS_TCP_SOCKET;
1075                        else
1076                                return SECCLASS_RAWIP_SOCKET;
1077                case SOCK_DGRAM:
1078                        if (default_protocol_dgram(protocol))
1079                                return SECCLASS_UDP_SOCKET;
1080                        else
1081                                return SECCLASS_RAWIP_SOCKET;
1082                case SOCK_DCCP:
1083                        return SECCLASS_DCCP_SOCKET;
1084                default:
1085                        return SECCLASS_RAWIP_SOCKET;
1086                }
1087                break;
1088        case PF_NETLINK:
1089                switch (protocol) {
1090                case NETLINK_ROUTE:
1091                        return SECCLASS_NETLINK_ROUTE_SOCKET;
1092                case NETLINK_FIREWALL:
1093                        return SECCLASS_NETLINK_FIREWALL_SOCKET;
1094                case NETLINK_SOCK_DIAG:
1095                        return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1096                case NETLINK_NFLOG:
1097                        return SECCLASS_NETLINK_NFLOG_SOCKET;
1098                case NETLINK_XFRM:
1099                        return SECCLASS_NETLINK_XFRM_SOCKET;
1100                case NETLINK_SELINUX:
1101                        return SECCLASS_NETLINK_SELINUX_SOCKET;
1102                case NETLINK_AUDIT:
1103                        return SECCLASS_NETLINK_AUDIT_SOCKET;
1104                case NETLINK_IP6_FW:
1105                        return SECCLASS_NETLINK_IP6FW_SOCKET;
1106                case NETLINK_DNRTMSG:
1107                        return SECCLASS_NETLINK_DNRT_SOCKET;
1108                case NETLINK_KOBJECT_UEVENT:
1109                        return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1110                default:
1111                        return SECCLASS_NETLINK_SOCKET;
1112                }
1113        case PF_PACKET:
1114                return SECCLASS_PACKET_SOCKET;
1115        case PF_KEY:
1116                return SECCLASS_KEY_SOCKET;
1117        case PF_APPLETALK:
1118                return SECCLASS_APPLETALK_SOCKET;
1119        }
1120
1121        return SECCLASS_SOCKET;
1122}
1123
1124#ifdef CONFIG_PROC_FS
1125static int selinux_proc_get_sid(struct dentry *dentry,
1126                                u16 tclass,
1127                                u32 *sid)
1128{
1129        int rc;
1130        char *buffer, *path;
1131
1132        buffer = (char *)__get_free_page(GFP_KERNEL);
1133        if (!buffer)
1134                return -ENOMEM;
1135
1136        path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1137        if (IS_ERR(path))
1138                rc = PTR_ERR(path);
1139        else {
1140                /* each process gets a /proc/PID/ entry. Strip off the
1141                 * PID part to get a valid selinux labeling.
1142                 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143                while (path[1] >= '0' && path[1] <= '9') {
1144                        path[1] = '/';
1145                        path++;
1146                }
1147                rc = security_genfs_sid("proc", path, tclass, sid);
1148        }
1149        free_page((unsigned long)buffer);
1150        return rc;
1151}
1152#else
1153static int selinux_proc_get_sid(struct dentry *dentry,
1154                                u16 tclass,
1155                                u32 *sid)
1156{
1157        return -EINVAL;
1158}
1159#endif
1160
1161/* The inode's security attributes must be initialized before first use. */
1162static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1163{
1164        struct superblock_security_struct *sbsec = NULL;
1165        struct inode_security_struct *isec = inode->i_security;
1166        u32 sid;
1167        struct dentry *dentry;
1168#define INITCONTEXTLEN 255
1169        char *context = NULL;
1170        unsigned len = 0;
1171        int rc = 0;
1172
1173        if (isec->initialized)
1174                goto out;
1175
1176        mutex_lock(&isec->lock);
1177        if (isec->initialized)
1178                goto out_unlock;
1179
1180        sbsec = inode->i_sb->s_security;
1181        if (!(sbsec->flags & SE_SBINITIALIZED)) {
1182                /* Defer initialization until selinux_complete_init,
1183                   after the initial policy is loaded and the security
1184                   server is ready to handle calls. */
1185                spin_lock(&sbsec->isec_lock);
1186                if (list_empty(&isec->list))
1187                        list_add(&isec->list, &sbsec->isec_head);
1188                spin_unlock(&sbsec->isec_lock);
1189                goto out_unlock;
1190        }
1191
1192        switch (sbsec->behavior) {
1193        case SECURITY_FS_USE_XATTR:
1194                if (!inode->i_op->getxattr) {
1195                        isec->sid = sbsec->def_sid;
1196                        break;
1197                }
1198
1199                /* Need a dentry, since the xattr API requires one.
1200                   Life would be simpler if we could just pass the inode. */
1201                if (opt_dentry) {
1202                        /* Called from d_instantiate or d_splice_alias. */
1203                        dentry = dget(opt_dentry);
1204                } else {
1205                        /* Called from selinux_complete_init, try to find a dentry. */
1206                        dentry = d_find_alias(inode);
1207                }
1208                if (!dentry) {
1209                        /*
1210                         * this is can be hit on boot when a file is accessed
1211                         * before the policy is loaded.  When we load policy we
1212                         * may find inodes that have no dentry on the
1213                         * sbsec->isec_head list.  No reason to complain as these
1214                         * will get fixed up the next time we go through
1215                         * inode_doinit with a dentry, before these inodes could
1216                         * be used again by userspace.
1217                         */
1218                        goto out_unlock;
1219                }
1220
1221                len = INITCONTEXTLEN;
1222                context = kmalloc(len+1, GFP_NOFS);
1223                if (!context) {
1224                        rc = -ENOMEM;
1225                        dput(dentry);
1226                        goto out_unlock;
1227                }
1228                context[len] = '\0';
1229                rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230                                           context, len);
1231                if (rc == -ERANGE) {
1232                        kfree(context);
1233
1234                        /* Need a larger buffer.  Query for the right size. */
1235                        rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1236                                                   NULL, 0);
1237                        if (rc < 0) {
1238                                dput(dentry);
1239                                goto out_unlock;
1240                        }
1241                        len = rc;
1242                        context = kmalloc(len+1, GFP_NOFS);
1243                        if (!context) {
1244                                rc = -ENOMEM;
1245                                dput(dentry);
1246                                goto out_unlock;
1247                        }
1248                        context[len] = '\0';
1249                        rc = inode->i_op->getxattr(dentry,
1250                                                   XATTR_NAME_SELINUX,
1251                                                   context, len);
1252                }
1253                dput(dentry);
1254                if (rc < 0) {
1255                        if (rc != -ENODATA) {
1256                                printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1257                                       "%d for dev=%s ino=%ld\n", __func__,
1258                                       -rc, inode->i_sb->s_id, inode->i_ino);
1259                                kfree(context);
1260                                goto out_unlock;
1261                        }
1262                        /* Map ENODATA to the default file SID */
1263                        sid = sbsec->def_sid;
1264                        rc = 0;
1265                } else {
1266                        rc = security_context_to_sid_default(context, rc, &sid,
1267                                                             sbsec->def_sid,
1268                                                             GFP_NOFS);
1269                        if (rc) {
1270                                char *dev = inode->i_sb->s_id;
1271                                unsigned long ino = inode->i_ino;
1272
1273                                if (rc == -EINVAL) {
1274                                        if (printk_ratelimit())
1275                                                printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276                                                        "context=%s.  This indicates you may need to relabel the inode or the "
1277                                                        "filesystem in question.\n", ino, dev, context);
1278                                } else {
1279                                        printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1280                                               "returned %d for dev=%s ino=%ld\n",
1281                                               __func__, context, -rc, dev, ino);
1282                                }
1283                                kfree(context);
1284                                /* Leave with the unlabeled SID */
1285                                rc = 0;
1286                                break;
1287                        }
1288                }
1289                kfree(context);
1290                isec->sid = sid;
1291                break;
1292        case SECURITY_FS_USE_TASK:
1293                isec->sid = isec->task_sid;
1294                break;
1295        case SECURITY_FS_USE_TRANS:
1296                /* Default to the fs SID. */
1297                isec->sid = sbsec->sid;
1298
1299                /* Try to obtain a transition SID. */
1300                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1301                rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302                                             isec->sclass, NULL, &sid);
1303                if (rc)
1304                        goto out_unlock;
1305                isec->sid = sid;
1306                break;
1307        case SECURITY_FS_USE_MNTPOINT:
1308                isec->sid = sbsec->mntpoint_sid;
1309                break;
1310        default:
1311                /* Default to the fs superblock SID. */
1312                isec->sid = sbsec->sid;
1313
1314                if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1315                        if (opt_dentry) {
1316                                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317                                rc = selinux_proc_get_sid(opt_dentry,
1318                                                          isec->sclass,
1319                                                          &sid);
1320                                if (rc)
1321                                        goto out_unlock;
1322                                isec->sid = sid;
1323                        }
1324                }
1325                break;
1326        }
1327
1328        isec->initialized = 1;
1329
1330out_unlock:
1331        mutex_unlock(&isec->lock);
1332out:
1333        if (isec->sclass == SECCLASS_FILE)
1334                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1335        return rc;
1336}
1337
1338/* Convert a Linux signal to an access vector. */
1339static inline u32 signal_to_av(int sig)
1340{
1341        u32 perm = 0;
1342
1343        switch (sig) {
1344        case SIGCHLD:
1345                /* Commonly granted from child to parent. */
1346                perm = PROCESS__SIGCHLD;
1347                break;
1348        case SIGKILL:
1349                /* Cannot be caught or ignored */
1350                perm = PROCESS__SIGKILL;
1351                break;
1352        case SIGSTOP:
1353                /* Cannot be caught or ignored */
1354                perm = PROCESS__SIGSTOP;
1355                break;
1356        default:
1357                /* All other signals. */
1358                perm = PROCESS__SIGNAL;
1359                break;
1360        }
1361
1362        return perm;
1363}
1364
1365/*
1366 * Check permission between a pair of credentials
1367 * fork check, ptrace check, etc.
1368 */
1369static int cred_has_perm(const struct cred *actor,
1370                         const struct cred *target,
1371                         u32 perms)
1372{
1373        u32 asid = cred_sid(actor), tsid = cred_sid(target);
1374
1375        return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1376}
1377
1378/*
1379 * Check permission between a pair of tasks, e.g. signal checks,
1380 * fork check, ptrace check, etc.
1381 * tsk1 is the actor and tsk2 is the target
1382 * - this uses the default subjective creds of tsk1
1383 */
1384static int task_has_perm(const struct task_struct *tsk1,
1385                         const struct task_struct *tsk2,
1386                         u32 perms)
1387{
1388        const struct task_security_struct *__tsec1, *__tsec2;
1389        u32 sid1, sid2;
1390
1391        rcu_read_lock();
1392        __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1393        __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1394        rcu_read_unlock();
1395        return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1396}
1397
1398/*
1399 * Check permission between current and another task, e.g. signal checks,
1400 * fork check, ptrace check, etc.
1401 * current is the actor and tsk2 is the target
1402 * - this uses current's subjective creds
1403 */
1404static int current_has_perm(const struct task_struct *tsk,
1405                            u32 perms)
1406{
1407        u32 sid, tsid;
1408
1409        sid = current_sid();
1410        tsid = task_sid(tsk);
1411        return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412}
1413
1414#if CAP_LAST_CAP > 63
1415#error Fix SELinux to handle capabilities > 63.
1416#endif
1417
1418/* Check whether a task is allowed to use a capability. */
1419static int cred_has_capability(const struct cred *cred,
1420                               int cap, int audit)
1421{
1422        struct common_audit_data ad;
1423        struct av_decision avd;
1424        u16 sclass;
1425        u32 sid = cred_sid(cred);
1426        u32 av = CAP_TO_MASK(cap);
1427        int rc;
1428
1429        ad.type = LSM_AUDIT_DATA_CAP;
1430        ad.u.cap = cap;
1431
1432        switch (CAP_TO_INDEX(cap)) {
1433        case 0:
1434                sclass = SECCLASS_CAPABILITY;
1435                break;
1436        case 1:
1437                sclass = SECCLASS_CAPABILITY2;
1438                break;
1439        default:
1440                printk(KERN_ERR
1441                       "SELinux:  out of range capability %d\n", cap);
1442                BUG();
1443                return -EINVAL;
1444        }
1445
1446        rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1447        if (audit == SECURITY_CAP_AUDIT) {
1448                int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1449                if (rc2)
1450                        return rc2;
1451        }
1452        return rc;
1453}
1454
1455/* Check whether a task is allowed to use a system operation. */
1456static int task_has_system(struct task_struct *tsk,
1457                           u32 perms)
1458{
1459        u32 sid = task_sid(tsk);
1460
1461        return avc_has_perm(sid, SECINITSID_KERNEL,
1462                            SECCLASS_SYSTEM, perms, NULL);
1463}
1464
1465/* Check whether a task has a particular permission to an inode.
1466   The 'adp' parameter is optional and allows other audit
1467   data to be passed (e.g. the dentry). */
1468static int inode_has_perm(const struct cred *cred,
1469                          struct inode *inode,
1470                          u32 perms,
1471                          struct common_audit_data *adp,
1472                          unsigned flags)
1473{
1474        struct inode_security_struct *isec;
1475        u32 sid;
1476
1477        validate_creds(cred);
1478
1479        if (unlikely(IS_PRIVATE(inode)))
1480                return 0;
1481
1482        sid = cred_sid(cred);
1483        isec = inode->i_security;
1484
1485        return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1486}
1487
1488/* Same as inode_has_perm, but pass explicit audit data containing
1489   the dentry to help the auditing code to more easily generate the
1490   pathname if needed. */
1491static inline int dentry_has_perm(const struct cred *cred,
1492                                  struct dentry *dentry,
1493                                  u32 av)
1494{
1495        struct inode *inode = dentry->d_inode;
1496        struct common_audit_data ad;
1497
1498        ad.type = LSM_AUDIT_DATA_DENTRY;
1499        ad.u.dentry = dentry;
1500        return inode_has_perm(cred, inode, av, &ad, 0);
1501}
1502
1503/* Same as inode_has_perm, but pass explicit audit data containing
1504   the path to help the auditing code to more easily generate the
1505   pathname if needed. */
1506static inline int path_has_perm(const struct cred *cred,
1507                                struct path *path,
1508                                u32 av)
1509{
1510        struct inode *inode = path->dentry->d_inode;
1511        struct common_audit_data ad;
1512
1513        ad.type = LSM_AUDIT_DATA_PATH;
1514        ad.u.path = *path;
1515        return inode_has_perm(cred, inode, av, &ad, 0);
1516}
1517
1518/* Check whether a task can use an open file descriptor to
1519   access an inode in a given way.  Check access to the
1520   descriptor itself, and then use dentry_has_perm to
1521   check a particular permission to the file.
1522   Access to the descriptor is implicitly granted if it
1523   has the same SID as the process.  If av is zero, then
1524   access to the file is not checked, e.g. for cases
1525   where only the descriptor is affected like seek. */
1526static int file_has_perm(const struct cred *cred,
1527                         struct file *file,
1528                         u32 av)
1529{
1530        struct file_security_struct *fsec = file->f_security;
1531        struct inode *inode = file->f_path.dentry->d_inode;
1532        struct common_audit_data ad;
1533        u32 sid = cred_sid(cred);
1534        int rc;
1535
1536        ad.type = LSM_AUDIT_DATA_PATH;
1537        ad.u.path = file->f_path;
1538
1539        if (sid != fsec->sid) {
1540                rc = avc_has_perm(sid, fsec->sid,
1541                                  SECCLASS_FD,
1542                                  FD__USE,
1543                                  &ad);
1544                if (rc)
1545                        goto out;
1546        }
1547
1548        /* av is zero if only checking access to the descriptor. */
1549        rc = 0;
1550        if (av)
1551                rc = inode_has_perm(cred, inode, av, &ad, 0);
1552
1553out:
1554        return rc;
1555}
1556
1557/* Check whether a task can create a file. */
1558static int may_create(struct inode *dir,
1559                      struct dentry *dentry,
1560                      u16 tclass)
1561{
1562        const struct task_security_struct *tsec = current_security();
1563        struct inode_security_struct *dsec;
1564        struct superblock_security_struct *sbsec;
1565        u32 sid, newsid;
1566        struct common_audit_data ad;
1567        int rc;
1568
1569        dsec = dir->i_security;
1570        sbsec = dir->i_sb->s_security;
1571
1572        sid = tsec->sid;
1573        newsid = tsec->create_sid;
1574
1575        ad.type = LSM_AUDIT_DATA_DENTRY;
1576        ad.u.dentry = dentry;
1577
1578        rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1579                          DIR__ADD_NAME | DIR__SEARCH,
1580                          &ad);
1581        if (rc)
1582                return rc;
1583
1584        if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1585                rc = security_transition_sid(sid, dsec->sid, tclass,
1586                                             &dentry->d_name, &newsid);
1587                if (rc)
1588                        return rc;
1589        }
1590
1591        rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1592        if (rc)
1593                return rc;
1594
1595        return avc_has_perm(newsid, sbsec->sid,
1596                            SECCLASS_FILESYSTEM,
1597                            FILESYSTEM__ASSOCIATE, &ad);
1598}
1599
1600/* Check whether a task can create a key. */
1601static int may_create_key(u32 ksid,
1602                          struct task_struct *ctx)
1603{
1604        u32 sid = task_sid(ctx);
1605
1606        return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1607}
1608
1609#define MAY_LINK        0
1610#define MAY_UNLINK      1
1611#define MAY_RMDIR       2
1612
1613/* Check whether a task can link, unlink, or rmdir a file/directory. */
1614static int may_link(struct inode *dir,
1615                    struct dentry *dentry,
1616                    int kind)
1617
1618{
1619        struct inode_security_struct *dsec, *isec;
1620        struct common_audit_data ad;
1621        u32 sid = current_sid();
1622        u32 av;
1623        int rc;
1624
1625        dsec = dir->i_security;
1626        isec = dentry->d_inode->i_security;
1627
1628        ad.type = LSM_AUDIT_DATA_DENTRY;
1629        ad.u.dentry = dentry;
1630
1631        av = DIR__SEARCH;
1632        av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1633        rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1634        if (rc)
1635                return rc;
1636
1637        switch (kind) {
1638        case MAY_LINK:
1639                av = FILE__LINK;
1640                break;
1641        case MAY_UNLINK:
1642                av = FILE__UNLINK;
1643                break;
1644        case MAY_RMDIR:
1645                av = DIR__RMDIR;
1646                break;
1647        default:
1648                printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1649                        __func__, kind);
1650                return 0;
1651        }
1652
1653        rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1654        return rc;
1655}
1656
1657static inline int may_rename(struct inode *old_dir,
1658                             struct dentry *old_dentry,
1659                             struct inode *new_dir,
1660                             struct dentry *new_dentry)
1661{
1662        struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1663        struct common_audit_data ad;
1664        u32 sid = current_sid();
1665        u32 av;
1666        int old_is_dir, new_is_dir;
1667        int rc;
1668
1669        old_dsec = old_dir->i_security;
1670        old_isec = old_dentry->d_inode->i_security;
1671        old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1672        new_dsec = new_dir->i_security;
1673
1674        ad.type = LSM_AUDIT_DATA_DENTRY;
1675
1676        ad.u.dentry = old_dentry;
1677        rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1678                          DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1679        if (rc)
1680                return rc;
1681        rc = avc_has_perm(sid, old_isec->sid,
1682                          old_isec->sclass, FILE__RENAME, &ad);
1683        if (rc)
1684                return rc;
1685        if (old_is_dir && new_dir != old_dir) {
1686                rc = avc_has_perm(sid, old_isec->sid,
1687                                  old_isec->sclass, DIR__REPARENT, &ad);
1688                if (rc)
1689                        return rc;
1690        }
1691
1692        ad.u.dentry = new_dentry;
1693        av = DIR__ADD_NAME | DIR__SEARCH;
1694        if (new_dentry->d_inode)
1695                av |= DIR__REMOVE_NAME;
1696        rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1697        if (rc)
1698                return rc;
1699        if (new_dentry->d_inode) {
1700                new_isec = new_dentry->d_inode->i_security;
1701                new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1702                rc = avc_has_perm(sid, new_isec->sid,
1703                                  new_isec->sclass,
1704                                  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1705                if (rc)
1706                        return rc;
1707        }
1708
1709        return 0;
1710}
1711
1712/* Check whether a task can perform a filesystem operation. */
1713static int superblock_has_perm(const struct cred *cred,
1714                               struct super_block *sb,
1715                               u32 perms,
1716                               struct common_audit_data *ad)
1717{
1718        struct superblock_security_struct *sbsec;
1719        u32 sid = cred_sid(cred);
1720
1721        sbsec = sb->s_security;
1722        return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1723}
1724
1725/* Convert a Linux mode and permission mask to an access vector. */
1726static inline u32 file_mask_to_av(int mode, int mask)
1727{
1728        u32 av = 0;
1729
1730        if (!S_ISDIR(mode)) {
1731                if (mask & MAY_EXEC)
1732                        av |= FILE__EXECUTE;
1733                if (mask & MAY_READ)
1734                        av |= FILE__READ;
1735
1736                if (mask & MAY_APPEND)
1737                        av |= FILE__APPEND;
1738                else if (mask & MAY_WRITE)
1739                        av |= FILE__WRITE;
1740
1741        } else {
1742                if (mask & MAY_EXEC)
1743                        av |= DIR__SEARCH;
1744                if (mask & MAY_WRITE)
1745                        av |= DIR__WRITE;
1746                if (mask & MAY_READ)
1747                        av |= DIR__READ;
1748        }
1749
1750        return av;
1751}
1752
1753/* Convert a Linux file to an access vector. */
1754static inline u32 file_to_av(struct file *file)
1755{
1756        u32 av = 0;
1757
1758        if (file->f_mode & FMODE_READ)
1759                av |= FILE__READ;
1760        if (file->f_mode & FMODE_WRITE) {
1761                if (file->f_flags & O_APPEND)
1762                        av |= FILE__APPEND;
1763                else
1764                        av |= FILE__WRITE;
1765        }
1766        if (!av) {
1767                /*
1768                 * Special file opened with flags 3 for ioctl-only use.
1769                 */
1770                av = FILE__IOCTL;
1771        }
1772
1773        return av;
1774}
1775
1776/*
1777 * Convert a file to an access vector and include the correct open
1778 * open permission.
1779 */
1780static inline u32 open_file_to_av(struct file *file)
1781{
1782        u32 av = file_to_av(file);
1783
1784        if (selinux_policycap_openperm)
1785                av |= FILE__OPEN;
1786
1787        return av;
1788}
1789
1790/* Hook functions begin here. */
1791
1792static int selinux_ptrace_access_check(struct task_struct *child,
1793                                     unsigned int mode)
1794{
1795        int rc;
1796
1797        rc = cap_ptrace_access_check(child, mode);
1798        if (rc)
1799                return rc;
1800
1801        if (mode & PTRACE_MODE_READ) {
1802                u32 sid = current_sid();
1803                u32 csid = task_sid(child);
1804                return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1805        }
1806
1807        return current_has_perm(child, PROCESS__PTRACE);
1808}
1809
1810static int selinux_ptrace_traceme(struct task_struct *parent)
1811{
1812        int rc;
1813
1814        rc = cap_ptrace_traceme(parent);
1815        if (rc)
1816                return rc;
1817
1818        return task_has_perm(parent, current, PROCESS__PTRACE);
1819}
1820
1821static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1822                          kernel_cap_t *inheritable, kernel_cap_t *permitted)
1823{
1824        int error;
1825
1826        error = current_has_perm(target, PROCESS__GETCAP);
1827        if (error)
1828                return error;
1829
1830        return cap_capget(target, effective, inheritable, permitted);
1831}
1832
1833static int selinux_capset(struct cred *new, const struct cred *old,
1834                          const kernel_cap_t *effective,
1835                          const kernel_cap_t *inheritable,
1836                          const kernel_cap_t *permitted)
1837{
1838        int error;
1839
1840        error = cap_capset(new, old,
1841                                      effective, inheritable, permitted);
1842        if (error)
1843                return error;
1844
1845        return cred_has_perm(old, new, PROCESS__SETCAP);
1846}
1847
1848/*
1849 * (This comment used to live with the selinux_task_setuid hook,
1850 * which was removed).
1851 *
1852 * Since setuid only affects the current process, and since the SELinux
1853 * controls are not based on the Linux identity attributes, SELinux does not
1854 * need to control this operation.  However, SELinux does control the use of
1855 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1856 */
1857
1858static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1859                           int cap, int audit)
1860{
1861        int rc;
1862
1863        rc = cap_capable(cred, ns, cap, audit);
1864        if (rc)
1865                return rc;
1866
1867        return cred_has_capability(cred, cap, audit);
1868}
1869
1870static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1871{
1872        const struct cred *cred = current_cred();
1873        int rc = 0;
1874
1875        if (!sb)
1876                return 0;
1877
1878        switch (cmds) {
1879        case Q_SYNC:
1880        case Q_QUOTAON:
1881        case Q_QUOTAOFF:
1882        case Q_SETINFO:
1883        case Q_SETQUOTA:
1884                rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1885                break;
1886        case Q_GETFMT:
1887        case Q_GETINFO:
1888        case Q_GETQUOTA:
1889                rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1890                break;
1891        default:
1892                rc = 0;  /* let the kernel handle invalid cmds */
1893                break;
1894        }
1895        return rc;
1896}
1897
1898static int selinux_quota_on(struct dentry *dentry)
1899{
1900        const struct cred *cred = current_cred();
1901
1902        return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1903}
1904
1905static int selinux_syslog(int type)
1906{
1907        int rc;
1908
1909        switch (type) {
1910        case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1911        case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1912                rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1913                break;
1914        case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1915        case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1916        /* Set level of messages printed to console */
1917        case SYSLOG_ACTION_CONSOLE_LEVEL:
1918                rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1919                break;
1920        case SYSLOG_ACTION_CLOSE:       /* Close log */
1921        case SYSLOG_ACTION_OPEN:        /* Open log */
1922        case SYSLOG_ACTION_READ:        /* Read from log */
1923        case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1924        case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1925        default:
1926                rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1927                break;
1928        }
1929        return rc;
1930}
1931
1932/*
1933 * Check that a process has enough memory to allocate a new virtual
1934 * mapping. 0 means there is enough memory for the allocation to
1935 * succeed and -ENOMEM implies there is not.
1936 *
1937 * Do not audit the selinux permission check, as this is applied to all
1938 * processes that allocate mappings.
1939 */
1940static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1941{
1942        int rc, cap_sys_admin = 0;
1943
1944        rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1945                             SECURITY_CAP_NOAUDIT);
1946        if (rc == 0)
1947                cap_sys_admin = 1;
1948
1949        return __vm_enough_memory(mm, pages, cap_sys_admin);
1950}
1951
1952/* binprm security operations */
1953
1954static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1955{
1956        const struct task_security_struct *old_tsec;
1957        struct task_security_struct *new_tsec;
1958        struct inode_security_struct *isec;
1959        struct common_audit_data ad;
1960        struct inode *inode = bprm->file->f_path.dentry->d_inode;
1961        int rc;
1962
1963        rc = cap_bprm_set_creds(bprm);
1964        if (rc)
1965                return rc;
1966
1967        /* SELinux context only depends on initial program or script and not
1968         * the script interpreter */
1969        if (bprm->cred_prepared)
1970                return 0;
1971
1972        old_tsec = current_security();
1973        new_tsec = bprm->cred->security;
1974        isec = inode->i_security;
1975
1976        /* Default to the current task SID. */
1977        new_tsec->sid = old_tsec->sid;
1978        new_tsec->osid = old_tsec->sid;
1979
1980        /* Reset fs, key, and sock SIDs on execve. */
1981        new_tsec->create_sid = 0;
1982        new_tsec->keycreate_sid = 0;
1983        new_tsec->sockcreate_sid = 0;
1984
1985        if (old_tsec->exec_sid) {
1986                new_tsec->sid = old_tsec->exec_sid;
1987                /* Reset exec SID on execve. */
1988                new_tsec->exec_sid = 0;
1989
1990                /*
1991                 * Minimize confusion: if no_new_privs and a transition is
1992                 * explicitly requested, then fail the exec.
1993                 */
1994                if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
1995                        return -EPERM;
1996        } else {
1997                /* Check for a default transition on this program. */
1998                rc = security_transition_sid(old_tsec->sid, isec->sid,
1999                                             SECCLASS_PROCESS, NULL,
2000                                             &new_tsec->sid);
2001                if (rc)
2002                        return rc;
2003        }
2004
2005        ad.type = LSM_AUDIT_DATA_PATH;
2006        ad.u.path = bprm->file->f_path;
2007
2008        if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2009            (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2010                new_tsec->sid = old_tsec->sid;
2011
2012        if (new_tsec->sid == old_tsec->sid) {
2013                rc = avc_has_perm(old_tsec->sid, isec->sid,
2014                                  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2015                if (rc)
2016                        return rc;
2017        } else {
2018                /* Check permissions for the transition. */
2019                rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2020                                  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2021                if (rc)
2022                        return rc;
2023
2024                rc = avc_has_perm(new_tsec->sid, isec->sid,
2025                                  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2026                if (rc)
2027                        return rc;
2028
2029                /* Check for shared state */
2030                if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2031                        rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2032                                          SECCLASS_PROCESS, PROCESS__SHARE,
2033                                          NULL);
2034                        if (rc)
2035                                return -EPERM;
2036                }
2037
2038                /* Make sure that anyone attempting to ptrace over a task that
2039                 * changes its SID has the appropriate permit */
2040                if (bprm->unsafe &
2041                    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2042                        struct task_struct *tracer;
2043                        struct task_security_struct *sec;
2044                        u32 ptsid = 0;
2045
2046                        rcu_read_lock();
2047                        tracer = ptrace_parent(current);
2048                        if (likely(tracer != NULL)) {
2049                                sec = __task_cred(tracer)->security;
2050                                ptsid = sec->sid;
2051                        }
2052                        rcu_read_unlock();
2053
2054                        if (ptsid != 0) {
2055                                rc = avc_has_perm(ptsid, new_tsec->sid,
2056                                                  SECCLASS_PROCESS,
2057                                                  PROCESS__PTRACE, NULL);
2058                                if (rc)
2059                                        return -EPERM;
2060                        }
2061                }
2062
2063                /* Clear any possibly unsafe personality bits on exec: */
2064                bprm->per_clear |= PER_CLEAR_ON_SETID;
2065        }
2066
2067        return 0;
2068}
2069
2070static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2071{
2072        const struct task_security_struct *tsec = current_security();
2073        u32 sid, osid;
2074        int atsecure = 0;
2075
2076        sid = tsec->sid;
2077        osid = tsec->osid;
2078
2079        if (osid != sid) {
2080                /* Enable secure mode for SIDs transitions unless
2081                   the noatsecure permission is granted between
2082                   the two SIDs, i.e. ahp returns 0. */
2083                atsecure = avc_has_perm(osid, sid,
2084                                        SECCLASS_PROCESS,
2085                                        PROCESS__NOATSECURE, NULL);
2086        }
2087
2088        return (atsecure || cap_bprm_secureexec(bprm));
2089}
2090
2091/* Derived from fs/exec.c:flush_old_files. */
2092static inline void flush_unauthorized_files(const struct cred *cred,
2093                                            struct files_struct *files)
2094{
2095        struct file *file, *devnull = NULL;
2096        struct tty_struct *tty;
2097        struct fdtable *fdt;
2098        long j = -1;
2099        int drop_tty = 0;
2100
2101        tty = get_current_tty();
2102        if (tty) {
2103                spin_lock(&tty_files_lock);
2104                if (!list_empty(&tty->tty_files)) {
2105                        struct tty_file_private *file_priv;
2106
2107                        /* Revalidate access to controlling tty.
2108                           Use path_has_perm on the tty path directly rather
2109                           than using file_has_perm, as this particular open
2110                           file may belong to another process and we are only
2111                           interested in the inode-based check here. */
2112                        file_priv = list_first_entry(&tty->tty_files,
2113                                                struct tty_file_private, list);
2114                        file = file_priv->file;
2115                        if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2116                                drop_tty = 1;
2117                }
2118                spin_unlock(&tty_files_lock);
2119                tty_kref_put(tty);
2120        }
2121        /* Reset controlling tty. */
2122        if (drop_tty)
2123                no_tty();
2124
2125        /* Revalidate access to inherited open files. */
2126        spin_lock(&files->file_lock);
2127        for (;;) {
2128                unsigned long set, i;
2129                int fd;
2130
2131                j++;
2132                i = j * BITS_PER_LONG;
2133                fdt = files_fdtable(files);
2134                if (i >= fdt->max_fds)
2135                        break;
2136                set = fdt->open_fds[j];
2137                if (!set)
2138                        continue;
2139                spin_unlock(&files->file_lock);
2140                for ( ; set ; i++, set >>= 1) {
2141                        if (set & 1) {
2142                                file = fget(i);
2143                                if (!file)
2144                                        continue;
2145                                if (file_has_perm(cred,
2146                                                  file,
2147                                                  file_to_av(file))) {
2148                                        sys_close(i);
2149                                        fd = get_unused_fd();
2150                                        if (fd != i) {
2151                                                if (fd >= 0)
2152                                                        put_unused_fd(fd);
2153                                                fput(file);
2154                                                continue;
2155                                        }
2156                                        if (devnull) {
2157                                                get_file(devnull);
2158                                        } else {
2159                                                devnull = dentry_open(
2160                                                        &selinux_null,
2161                                                        O_RDWR, cred);
2162                                                if (IS_ERR(devnull)) {
2163                                                        devnull = NULL;
2164                                                        put_unused_fd(fd);
2165                                                        fput(file);
2166                                                        continue;
2167                                                }
2168                                        }
2169                                        fd_install(fd, devnull);
2170                                }
2171                                fput(file);
2172                        }
2173                }
2174                spin_lock(&files->file_lock);
2175
2176        }
2177        spin_unlock(&files->file_lock);
2178}
2179
2180/*
2181 * Prepare a process for imminent new credential changes due to exec
2182 */
2183static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2184{
2185        struct task_security_struct *new_tsec;
2186        struct rlimit *rlim, *initrlim;
2187        int rc, i;
2188
2189        new_tsec = bprm->cred->security;
2190        if (new_tsec->sid == new_tsec->osid)
2191                return;
2192
2193        /* Close files for which the new task SID is not authorized. */
2194        flush_unauthorized_files(bprm->cred, current->files);
2195
2196        /* Always clear parent death signal on SID transitions. */
2197        current->pdeath_signal = 0;
2198
2199        /* Check whether the new SID can inherit resource limits from the old
2200         * SID.  If not, reset all soft limits to the lower of the current
2201         * task's hard limit and the init task's soft limit.
2202         *
2203         * Note that the setting of hard limits (even to lower them) can be
2204         * controlled by the setrlimit check.  The inclusion of the init task's
2205         * soft limit into the computation is to avoid resetting soft limits
2206         * higher than the default soft limit for cases where the default is
2207         * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2208         */
2209        rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2210                          PROCESS__RLIMITINH, NULL);
2211        if (rc) {
2212                /* protect against do_prlimit() */
2213                task_lock(current);
2214                for (i = 0; i < RLIM_NLIMITS; i++) {
2215                        rlim = current->signal->rlim + i;
2216                        initrlim = init_task.signal->rlim + i;
2217                        rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2218                }
2219                task_unlock(current);
2220                update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2221        }
2222}
2223
2224/*
2225 * Clean up the process immediately after the installation of new credentials
2226 * due to exec
2227 */
2228static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2229{
2230        const struct task_security_struct *tsec = current_security();
2231        struct itimerval itimer;
2232        u32 osid, sid;
2233        int rc, i;
2234
2235        osid = tsec->osid;
2236        sid = tsec->sid;
2237
2238        if (sid == osid)
2239                return;
2240
2241        /* Check whether the new SID can inherit signal state from the old SID.
2242         * If not, clear itimers to avoid subsequent signal generation and
2243         * flush and unblock signals.
2244         *
2245         * This must occur _after_ the task SID has been updated so that any
2246         * kill done after the flush will be checked against the new SID.
2247         */
2248        rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2249        if (rc) {
2250                memset(&itimer, 0, sizeof itimer);
2251                for (i = 0; i < 3; i++)
2252                        do_setitimer(i, &itimer, NULL);
2253                spin_lock_irq(&current->sighand->siglock);
2254                if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2255                        __flush_signals(current);
2256                        flush_signal_handlers(current, 1);
2257                        sigemptyset(&current->blocked);
2258                }
2259                spin_unlock_irq(&current->sighand->siglock);
2260        }
2261
2262        /* Wake up the parent if it is waiting so that it can recheck
2263         * wait permission to the new task SID. */
2264        read_lock(&tasklist_lock);
2265        __wake_up_parent(current, current->real_parent);
2266        read_unlock(&tasklist_lock);
2267}
2268
2269/* superblock security operations */
2270
2271static int selinux_sb_alloc_security(struct super_block *sb)
2272{
2273        return superblock_alloc_security(sb);
2274}
2275
2276static void selinux_sb_free_security(struct super_block *sb)
2277{
2278        superblock_free_security(sb);
2279}
2280
2281static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2282{
2283        if (plen > olen)
2284                return 0;
2285
2286        return !memcmp(prefix, option, plen);
2287}
2288
2289static inline int selinux_option(char *option, int len)
2290{
2291        return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2292                match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2293                match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2294                match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2295                match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2296}
2297
2298static inline void take_option(char **to, char *from, int *first, int len)
2299{
2300        if (!*first) {
2301                **to = ',';
2302                *to += 1;
2303        } else
2304                *first = 0;
2305        memcpy(*to, from, len);
2306        *to += len;
2307}
2308
2309static inline void take_selinux_option(char **to, char *from, int *first,
2310                                       int len)
2311{
2312        int current_size = 0;
2313
2314        if (!*first) {
2315                **to = '|';
2316                *to += 1;
2317        } else
2318                *first = 0;
2319
2320        while (current_size < len) {
2321                if (*from != '"') {
2322                        **to = *from;
2323                        *to += 1;
2324                }
2325                from += 1;
2326                current_size += 1;
2327        }
2328}
2329
2330static int selinux_sb_copy_data(char *orig, char *copy)
2331{
2332        int fnosec, fsec, rc = 0;
2333        char *in_save, *in_curr, *in_end;
2334        char *sec_curr, *nosec_save, *nosec;
2335        int open_quote = 0;
2336
2337        in_curr = orig;
2338        sec_curr = copy;
2339
2340        nosec = (char *)get_zeroed_page(GFP_KERNEL);
2341        if (!nosec) {
2342                rc = -ENOMEM;
2343                goto out;
2344        }
2345
2346        nosec_save = nosec;
2347        fnosec = fsec = 1;
2348        in_save = in_end = orig;
2349
2350        do {
2351                if (*in_end == '"')
2352                        open_quote = !open_quote;
2353                if ((*in_end == ',' && open_quote == 0) ||
2354                                *in_end == '\0') {
2355                        int len = in_end - in_curr;
2356
2357                        if (selinux_option(in_curr, len))
2358                                take_selinux_option(&sec_curr, in_curr, &fsec, len);
2359                        else
2360                                take_option(&nosec, in_curr, &fnosec, len);
2361
2362                        in_curr = in_end + 1;
2363                }
2364        } while (*in_end++);
2365
2366        strcpy(in_save, nosec_save);
2367        free_page((unsigned long)nosec_save);
2368out:
2369        return rc;
2370}
2371
2372static int selinux_sb_remount(struct super_block *sb, void *data)
2373{
2374        int rc, i, *flags;
2375        struct security_mnt_opts opts;
2376        char *secdata, **mount_options;
2377        struct superblock_security_struct *sbsec = sb->s_security;
2378
2379        if (!(sbsec->flags & SE_SBINITIALIZED))
2380                return 0;
2381
2382        if (!data)
2383                return 0;
2384
2385        if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2386                return 0;
2387
2388        security_init_mnt_opts(&opts);
2389        secdata = alloc_secdata();
2390        if (!secdata)
2391                return -ENOMEM;
2392        rc = selinux_sb_copy_data(data, secdata);
2393        if (rc)
2394                goto out_free_secdata;
2395
2396        rc = selinux_parse_opts_str(secdata, &opts);
2397        if (rc)
2398                goto out_free_secdata;
2399
2400        mount_options = opts.mnt_opts;
2401        flags = opts.mnt_opts_flags;
2402
2403        for (i = 0; i < opts.num_mnt_opts; i++) {
2404                u32 sid;
2405                size_t len;
2406
2407                if (flags[i] == SE_SBLABELSUPP)
2408                        continue;
2409                len = strlen(mount_options[i]);
2410                rc = security_context_to_sid(mount_options[i], len, &sid);
2411                if (rc) {
2412                        printk(KERN_WARNING "SELinux: security_context_to_sid"
2413                               "(%s) failed for (dev %s, type %s) errno=%d\n",
2414                               mount_options[i], sb->s_id, sb->s_type->name, rc);
2415                        goto out_free_opts;
2416                }
2417                rc = -EINVAL;
2418                switch (flags[i]) {
2419                case FSCONTEXT_MNT:
2420                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2421                                goto out_bad_option;
2422                        break;
2423                case CONTEXT_MNT:
2424                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2425                                goto out_bad_option;
2426                        break;
2427                case ROOTCONTEXT_MNT: {
2428                        struct inode_security_struct *root_isec;
2429                        root_isec = sb->s_root->d_inode->i_security;
2430
2431                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2432                                goto out_bad_option;
2433                        break;
2434                }
2435                case DEFCONTEXT_MNT:
2436                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2437                                goto out_bad_option;
2438                        break;
2439                default:
2440                        goto out_free_opts;
2441                }
2442        }
2443
2444        rc = 0;
2445out_free_opts:
2446        security_free_mnt_opts(&opts);
2447out_free_secdata:
2448        free_secdata(secdata);
2449        return rc;
2450out_bad_option:
2451        printk(KERN_WARNING "SELinux: unable to change security options "
2452               "during remount (dev %s, type=%s)\n", sb->s_id,
2453               sb->s_type->name);
2454        goto out_free_opts;
2455}
2456
2457static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2458{
2459        const struct cred *cred = current_cred();
2460        struct common_audit_data ad;
2461        int rc;
2462
2463        rc = superblock_doinit(sb, data);
2464        if (rc)
2465                return rc;
2466
2467        /* Allow all mounts performed by the kernel */
2468        if (flags & MS_KERNMOUNT)
2469                return 0;
2470
2471        ad.type = LSM_AUDIT_DATA_DENTRY;
2472        ad.u.dentry = sb->s_root;
2473        return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2474}
2475
2476static int selinux_sb_statfs(struct dentry *dentry)
2477{
2478        const struct cred *cred = current_cred();
2479        struct common_audit_data ad;
2480
2481        ad.type = LSM_AUDIT_DATA_DENTRY;
2482        ad.u.dentry = dentry->d_sb->s_root;
2483        return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2484}
2485
2486static int selinux_mount(char *dev_name,
2487                         struct path *path,
2488                         char *type,
2489                         unsigned long flags,
2490                         void *data)
2491{
2492        const struct cred *cred = current_cred();
2493
2494        if (flags & MS_REMOUNT)
2495                return superblock_has_perm(cred, path->dentry->d_sb,
2496                                           FILESYSTEM__REMOUNT, NULL);
2497        else
2498                return path_has_perm(cred, path, FILE__MOUNTON);
2499}
2500
2501static int selinux_umount(struct vfsmount *mnt, int flags)
2502{
2503        const struct cred *cred = current_cred();
2504
2505        return superblock_has_perm(cred, mnt->mnt_sb,
2506                                   FILESYSTEM__UNMOUNT, NULL);
2507}
2508
2509/* inode security operations */
2510
2511static int selinux_inode_alloc_security(struct inode *inode)
2512{
2513        return inode_alloc_security(inode);
2514}
2515
2516static void selinux_inode_free_security(struct inode *inode)
2517{
2518        inode_free_security(inode);
2519}
2520
2521static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2522                                       const struct qstr *qstr, char **name,
2523                                       void **value, size_t *len)
2524{
2525        const struct task_security_struct *tsec = current_security();
2526        struct inode_security_struct *dsec;
2527        struct superblock_security_struct *sbsec;
2528        u32 sid, newsid, clen;
2529        int rc;
2530        char *namep = NULL, *context;
2531
2532        dsec = dir->i_security;
2533        sbsec = dir->i_sb->s_security;
2534
2535        sid = tsec->sid;
2536        newsid = tsec->create_sid;
2537
2538        if ((sbsec->flags & SE_SBINITIALIZED) &&
2539            (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2540                newsid = sbsec->mntpoint_sid;
2541        else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2542                rc = security_transition_sid(sid, dsec->sid,
2543                                             inode_mode_to_security_class(inode->i_mode),
2544                                             qstr, &newsid);
2545                if (rc) {
2546                        printk(KERN_WARNING "%s:  "
2547                               "security_transition_sid failed, rc=%d (dev=%s "
2548                               "ino=%ld)\n",
2549                               __func__,
2550                               -rc, inode->i_sb->s_id, inode->i_ino);
2551                        return rc;
2552                }
2553        }
2554
2555        /* Possibly defer initialization to selinux_complete_init. */
2556        if (sbsec->flags & SE_SBINITIALIZED) {
2557                struct inode_security_struct *isec = inode->i_security;
2558                isec->sclass = inode_mode_to_security_class(inode->i_mode);
2559                isec->sid = newsid;
2560                isec->initialized = 1;
2561        }
2562
2563        if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2564                return -EOPNOTSUPP;
2565
2566        if (name) {
2567                namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2568                if (!namep)
2569                        return -ENOMEM;
2570                *name = namep;
2571        }
2572
2573        if (value && len) {
2574                rc = security_sid_to_context_force(newsid, &context, &clen);
2575                if (rc) {
2576                        kfree(namep);
2577                        return rc;
2578                }
2579                *value = context;
2580                *len = clen;
2581        }
2582
2583        return 0;
2584}
2585
2586static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2587{
2588        return may_create(dir, dentry, SECCLASS_FILE);
2589}
2590
2591static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2592{
2593        return may_link(dir, old_dentry, MAY_LINK);
2594}
2595
2596static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2597{
2598        return may_link(dir, dentry, MAY_UNLINK);
2599}
2600
2601static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2602{
2603        return may_create(dir, dentry, SECCLASS_LNK_FILE);
2604}
2605
2606static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2607{
2608        return may_create(dir, dentry, SECCLASS_DIR);
2609}
2610
2611static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2612{
2613        return may_link(dir, dentry, MAY_RMDIR);
2614}
2615
2616static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2617{
2618        return may_create(dir, dentry, inode_mode_to_security_class(mode));
2619}
2620
2621static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2622                                struct inode *new_inode, struct dentry *new_dentry)
2623{
2624        return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2625}
2626
2627static int selinux_inode_readlink(struct dentry *dentry)
2628{
2629        const struct cred *cred = current_cred();
2630
2631        return dentry_has_perm(cred, dentry, FILE__READ);
2632}
2633
2634static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2635{
2636        const struct cred *cred = current_cred();
2637
2638        return dentry_has_perm(cred, dentry, FILE__READ);
2639}
2640
2641static noinline int audit_inode_permission(struct inode *inode,
2642                                           u32 perms, u32 audited, u32 denied,
2643                                           unsigned flags)
2644{
2645        struct common_audit_data ad;
2646        struct inode_security_struct *isec = inode->i_security;
2647        int rc;
2648
2649        ad.type = LSM_AUDIT_DATA_INODE;
2650        ad.u.inode = inode;
2651
2652        rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2653                            audited, denied, &ad, flags);
2654        if (rc)
2655                return rc;
2656        return 0;
2657}
2658
2659static int selinux_inode_permission(struct inode *inode, int mask)
2660{
2661        const struct cred *cred = current_cred();
2662        u32 perms;
2663        bool from_access;
2664        unsigned flags = mask & MAY_NOT_BLOCK;
2665        struct inode_security_struct *isec;
2666        u32 sid;
2667        struct av_decision avd;
2668        int rc, rc2;
2669        u32 audited, denied;
2670
2671        from_access = mask & MAY_ACCESS;
2672        mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2673
2674        /* No permission to check.  Existence test. */
2675        if (!mask)
2676                return 0;
2677
2678        validate_creds(cred);
2679
2680        if (unlikely(IS_PRIVATE(inode)))
2681                return 0;
2682
2683        perms = file_mask_to_av(inode->i_mode, mask);
2684
2685        sid = cred_sid(cred);
2686        isec = inode->i_security;
2687
2688        rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2689        audited = avc_audit_required(perms, &avd, rc,
2690                                     from_access ? FILE__AUDIT_ACCESS : 0,
2691                                     &denied);
2692        if (likely(!audited))
2693                return rc;
2694
2695        rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2696        if (rc2)
2697                return rc2;
2698        return rc;
2699}
2700
2701static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2702{
2703        const struct cred *cred = current_cred();
2704        unsigned int ia_valid = iattr->ia_valid;
2705        __u32 av = FILE__WRITE;
2706
2707        /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2708        if (ia_valid & ATTR_FORCE) {
2709                ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2710                              ATTR_FORCE);
2711                if (!ia_valid)
2712                        return 0;
2713        }
2714
2715        if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2716                        ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2717                return dentry_has_perm(cred, dentry, FILE__SETATTR);
2718
2719        if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2720                av |= FILE__OPEN;
2721
2722        return dentry_has_perm(cred, dentry, av);
2723}
2724
2725static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2726{
2727        const struct cred *cred = current_cred();
2728        struct path path;
2729
2730        path.dentry = dentry;
2731        path.mnt = mnt;
2732
2733        return path_has_perm(cred, &path, FILE__GETATTR);
2734}
2735
2736static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2737{
2738        const struct cred *cred = current_cred();
2739
2740        if (!strncmp(name, XATTR_SECURITY_PREFIX,
2741                     sizeof XATTR_SECURITY_PREFIX - 1)) {
2742                if (!strcmp(name, XATTR_NAME_CAPS)) {
2743                        if (!capable(CAP_SETFCAP))
2744                                return -EPERM;
2745                } else if (!capable(CAP_SYS_ADMIN)) {
2746                        /* A different attribute in the security namespace.
2747                           Restrict to administrator. */
2748                        return -EPERM;
2749                }
2750        }
2751
2752        /* Not an attribute we recognize, so just check the
2753           ordinary setattr permission. */
2754        return dentry_has_perm(cred, dentry, FILE__SETATTR);
2755}
2756
2757static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2758                                  const void *value, size_t size, int flags)
2759{
2760        struct inode *inode = dentry->d_inode;
2761        struct inode_security_struct *isec = inode->i_security;
2762        struct superblock_security_struct *sbsec;
2763        struct common_audit_data ad;
2764        u32 newsid, sid = current_sid();
2765        int rc = 0;
2766
2767        if (strcmp(name, XATTR_NAME_SELINUX))
2768                return selinux_inode_setotherxattr(dentry, name);
2769
2770        sbsec = inode->i_sb->s_security;
2771        if (!(sbsec->flags & SE_SBLABELSUPP))
2772                return -EOPNOTSUPP;
2773
2774        if (!inode_owner_or_capable(inode))
2775                return -EPERM;
2776
2777        ad.type = LSM_AUDIT_DATA_DENTRY;
2778        ad.u.dentry = dentry;
2779
2780        rc = avc_has_perm(sid, isec->sid, isec->sclass,
2781                          FILE__RELABELFROM, &ad);
2782        if (rc)
2783                return rc;
2784
2785        rc = security_context_to_sid(value, size, &newsid);
2786        if (rc == -EINVAL) {
2787                if (!capable(CAP_MAC_ADMIN)) {
2788                        struct audit_buffer *ab;
2789                        size_t audit_size;
2790                        const char *str;
2791
2792                        /* We strip a nul only if it is at the end, otherwise the
2793                         * context contains a nul and we should audit that */
2794                        if (value) {
2795                                str = value;
2796                                if (str[size - 1] == '\0')
2797                                        audit_size = size - 1;
2798                                else
2799                                        audit_size = size;
2800                        } else {
2801                                str = "";
2802                                audit_size = 0;
2803                        }
2804                        ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2805                        audit_log_format(ab, "op=setxattr invalid_context=");
2806                        audit_log_n_untrustedstring(ab, value, audit_size);
2807                        audit_log_end(ab);
2808
2809                        return rc;
2810                }
2811                rc = security_context_to_sid_force(value, size, &newsid);
2812        }
2813        if (rc)
2814                return rc;
2815
2816        rc = avc_has_perm(sid, newsid, isec->sclass,
2817                          FILE__RELABELTO, &ad);
2818        if (rc)
2819                return rc;
2820
2821        rc = security_validate_transition(isec->sid, newsid, sid,
2822                                          isec->sclass);
2823        if (rc)
2824                return rc;
2825
2826        return avc_has_perm(newsid,
2827                            sbsec->sid,
2828                            SECCLASS_FILESYSTEM,
2829                            FILESYSTEM__ASSOCIATE,
2830                            &ad);
2831}
2832
2833static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2834                                        const void *value, size_t size,
2835                                        int flags)
2836{
2837        struct inode *inode = dentry->d_inode;
2838        struct inode_security_struct *isec = inode->i_security;
2839        u32 newsid;
2840        int rc;
2841
2842        if (strcmp(name, XATTR_NAME_SELINUX)) {
2843                /* Not an attribute we recognize, so nothing to do. */
2844                return;
2845        }
2846
2847        rc = security_context_to_sid_force(value, size, &newsid);
2848        if (rc) {
2849                printk(KERN_ERR "SELinux:  unable to map context to SID"
2850                       "for (%s, %lu), rc=%d\n",
2851                       inode->i_sb->s_id, inode->i_ino, -rc);
2852                return;
2853        }
2854
2855        isec->sid = newsid;
2856        return;
2857}
2858
2859static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2860{
2861        const struct cred *cred = current_cred();
2862
2863        return dentry_has_perm(cred, dentry, FILE__GETATTR);
2864}
2865
2866static int selinux_inode_listxattr(struct dentry *dentry)
2867{
2868        const struct cred *cred = current_cred();
2869
2870        return dentry_has_perm(cred, dentry, FILE__GETATTR);
2871}
2872
2873static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2874{
2875        if (strcmp(name, XATTR_NAME_SELINUX))
2876                return selinux_inode_setotherxattr(dentry, name);
2877
2878        /* No one is allowed to remove a SELinux security label.
2879           You can change the label, but all data must be labeled. */
2880        return -EACCES;
2881}
2882
2883/*
2884 * Copy the inode security context value to the user.
2885 *
2886 * Permission check is handled by selinux_inode_getxattr hook.
2887 */
2888static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2889{
2890        u32 size;
2891        int error;
2892        char *context = NULL;
2893        struct inode_security_struct *isec = inode->i_security;
2894
2895        if (strcmp(name, XATTR_SELINUX_SUFFIX))
2896                return -EOPNOTSUPP;
2897
2898        /*
2899         * If the caller has CAP_MAC_ADMIN, then get the raw context
2900         * value even if it is not defined by current policy; otherwise,
2901         * use the in-core value under current policy.
2902         * Use the non-auditing forms of the permission checks since
2903         * getxattr may be called by unprivileged processes commonly
2904         * and lack of permission just means that we fall back to the
2905         * in-core context value, not a denial.
2906         */
2907        error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2908                                SECURITY_CAP_NOAUDIT);
2909        if (!error)
2910                error = security_sid_to_context_force(isec->sid, &context,
2911                                                      &size);
2912        else
2913                error = security_sid_to_context(isec->sid, &context, &size);
2914        if (error)
2915                return error;
2916        error = size;
2917        if (alloc) {
2918                *buffer = context;
2919                goto out_nofree;
2920        }
2921        kfree(context);
2922out_nofree:
2923        return error;
2924}
2925
2926static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2927                                     const void *value, size_t size, int flags)
2928{
2929        struct inode_security_struct *isec = inode->i_security;
2930        u32 newsid;
2931        int rc;
2932
2933        if (strcmp(name, XATTR_SELINUX_SUFFIX))
2934                return -EOPNOTSUPP;
2935
2936        if (!value || !size)
2937                return -EACCES;
2938
2939        rc = security_context_to_sid((void *)value, size, &newsid);
2940        if (rc)
2941                return rc;
2942
2943        isec->sid = newsid;
2944        isec->initialized = 1;
2945        return 0;
2946}
2947
2948static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2949{
2950        const int len = sizeof(XATTR_NAME_SELINUX);
2951        if (buffer && len <= buffer_size)
2952                memcpy(buffer, XATTR_NAME_SELINUX, len);
2953        return len;
2954}
2955
2956static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2957{
2958        struct inode_security_struct *isec = inode->i_security;
2959        *secid = isec->sid;
2960}
2961
2962/* file security operations */
2963
2964static int selinux_revalidate_file_permission(struct file *file, int mask)
2965{
2966        const struct cred *cred = current_cred();
2967        struct inode *inode = file->f_path.dentry->d_inode;
2968
2969        /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2970        if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2971                mask |= MAY_APPEND;
2972
2973        return file_has_perm(cred, file,
2974                             file_mask_to_av(inode->i_mode, mask));
2975}
2976
2977static int selinux_file_permission(struct file *file, int mask)
2978{
2979        struct inode *inode = file->f_path.dentry->d_inode;
2980        struct file_security_struct *fsec = file->f_security;
2981        struct inode_security_struct *isec = inode->i_security;
2982        u32 sid = current_sid();
2983
2984        if (!mask)
2985                /* No permission to check.  Existence test. */
2986                return 0;
2987
2988        if (sid == fsec->sid && fsec->isid == isec->sid &&
2989            fsec->pseqno == avc_policy_seqno())
2990                /* No change since file_open check. */
2991                return 0;
2992
2993        return selinux_revalidate_file_permission(file, mask);
2994}
2995
2996static int selinux_file_alloc_security(struct file *file)
2997{
2998        return file_alloc_security(file);
2999}
3000
3001static void selinux_file_free_security(struct file *file)
3002{
3003        file_free_security(file);
3004}
3005
3006static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3007                              unsigned long arg)
3008{
3009        const struct cred *cred = current_cred();
3010        int error = 0;
3011
3012        switch (cmd) {
3013        case FIONREAD:
3014        /* fall through */
3015        case FIBMAP:
3016        /* fall through */
3017        case FIGETBSZ:
3018        /* fall through */
3019        case FS_IOC_GETFLAGS:
3020        /* fall through */
3021        case FS_IOC_GETVERSION:
3022                error = file_has_perm(cred, file, FILE__GETATTR);
3023                break;
3024
3025        case FS_IOC_SETFLAGS:
3026        /* fall through */
3027        case FS_IOC_SETVERSION:
3028                error = file_has_perm(cred, file, FILE__SETATTR);
3029                break;
3030
3031        /* sys_ioctl() checks */
3032        case FIONBIO:
3033        /* fall through */
3034        case FIOASYNC:
3035                error = file_has_perm(cred, file, 0);
3036                break;
3037
3038        case KDSKBENT:
3039        case KDSKBSENT:
3040                error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3041                                            SECURITY_CAP_AUDIT);
3042                break;
3043
3044        /* default case assumes that the command will go
3045         * to the file's ioctl() function.
3046         */
3047        default:
3048                error = file_has_perm(cred, file, FILE__IOCTL);
3049        }
3050        return error;
3051}
3052
3053static int default_noexec;
3054
3055static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3056{
3057        const struct cred *cred = current_cred();
3058        int rc = 0;
3059
3060        if (default_noexec &&
3061            (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3062                /*
3063                 * We are making executable an anonymous mapping or a
3064                 * private file mapping that will also be writable.
3065                 * This has an additional check.
3066                 */
3067                rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3068                if (rc)
3069                        goto error;
3070        }
3071
3072        if (file) {
3073                /* read access is always possible with a mapping */
3074                u32 av = FILE__READ;
3075
3076                /* write access only matters if the mapping is shared */
3077                if (shared && (prot & PROT_WRITE))
3078                        av |= FILE__WRITE;
3079
3080                if (prot & PROT_EXEC)
3081                        av |= FILE__EXECUTE;
3082
3083                return file_has_perm(cred, file, av);
3084        }
3085
3086error:
3087        return rc;
3088}
3089
3090static int selinux_mmap_addr(unsigned long addr)
3091{
3092        int rc = 0;
3093        u32 sid = current_sid();
3094
3095        /*
3096         * notice that we are intentionally putting the SELinux check before
3097         * the secondary cap_file_mmap check.  This is such a likely attempt
3098         * at bad behaviour/exploit that we always want to get the AVC, even
3099         * if DAC would have also denied the operation.
3100         */
3101        if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3102                rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3103                                  MEMPROTECT__MMAP_ZERO, NULL);
3104                if (rc)
3105                        return rc;
3106        }
3107
3108        /* do DAC check on address space usage */
3109        return cap_mmap_addr(addr);
3110}
3111
3112static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3113                             unsigned long prot, unsigned long flags)
3114{
3115        if (selinux_checkreqprot)
3116                prot = reqprot;
3117
3118        return file_map_prot_check(file, prot,
3119                                   (flags & MAP_TYPE) == MAP_SHARED);
3120}
3121
3122static int selinux_file_mprotect(struct vm_area_struct *vma,
3123                                 unsigned long reqprot,
3124                                 unsigned long prot)
3125{
3126        const struct cred *cred = current_cred();
3127
3128        if (selinux_checkreqprot)
3129                prot = reqprot;
3130
3131        if (default_noexec &&
3132            (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3133                int rc = 0;
3134                if (vma->vm_start >= vma->vm_mm->start_brk &&
3135                    vma->vm_end <= vma->vm_mm->brk) {
3136                        rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3137                } else if (!vma->vm_file &&
3138                           vma->vm_start <= vma->vm_mm->start_stack &&
3139                           vma->vm_end >= vma->vm_mm->start_stack) {
3140                        rc = current_has_perm(current, PROCESS__EXECSTACK);
3141                } else if (vma->vm_file && vma->anon_vma) {
3142                        /*
3143                         * We are making executable a file mapping that has
3144                         * had some COW done. Since pages might have been
3145                         * written, check ability to execute the possibly
3146                         * modified content.  This typically should only
3147                         * occur for text relocations.
3148                         */
3149                        rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3150                }
3151                if (rc)
3152                        return rc;
3153        }
3154
3155        return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3156}
3157
3158static int selinux_file_lock(struct file *file, unsigned int cmd)
3159{
3160        const struct cred *cred = current_cred();
3161
3162        return file_has_perm(cred, file, FILE__LOCK);
3163}
3164
3165static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3166                              unsigned long arg)
3167{
3168        const struct cred *cred = current_cred();
3169        int err = 0;
3170
3171        switch (cmd) {
3172        case F_SETFL:
3173                if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3174                        err = -EINVAL;
3175                        break;
3176                }
3177
3178                if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3179                        err = file_has_perm(cred, file, FILE__WRITE);
3180                        break;
3181                }
3182                /* fall through */
3183        case F_SETOWN:
3184        case F_SETSIG:
3185        case F_GETFL:
3186        case F_GETOWN:
3187        case F_GETSIG:
3188        case F_GETOWNER_UIDS:
3189                /* Just check FD__USE permission */
3190                err = file_has_perm(cred, file, 0);
3191                break;
3192        case F_GETLK:
3193        case F_SETLK:
3194        case F_SETLKW:
3195#if BITS_PER_LONG == 32
3196        case F_GETLK64:
3197        case F_SETLK64:
3198        case F_SETLKW64:
3199#endif
3200                if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3201                        err = -EINVAL;
3202                        break;
3203                }
3204                err = file_has_perm(cred, file, FILE__LOCK);
3205                break;
3206        }
3207
3208        return err;
3209}
3210
3211static int selinux_file_set_fowner(struct file *file)
3212{
3213        struct file_security_struct *fsec;
3214
3215        fsec = file->f_security;
3216        fsec->fown_sid = current_sid();
3217
3218        return 0;
3219}
3220
3221static int selinux_file_send_sigiotask(struct task_struct *tsk,
3222                                       struct fown_struct *fown, int signum)
3223{
3224        struct file *file;
3225        u32 sid = task_sid(tsk);
3226        u32 perm;
3227        struct file_security_struct *fsec;
3228
3229        /* struct fown_struct is never outside the context of a struct file */
3230        file = container_of(fown, struct file, f_owner);
3231
3232        fsec = file->f_security;
3233
3234        if (!signum)
3235                perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3236        else
3237                perm = signal_to_av(signum);
3238
3239        return avc_has_perm(fsec->fown_sid, sid,
3240                            SECCLASS_PROCESS, perm, NULL);
3241}
3242
3243static int selinux_file_receive(struct file *file)
3244{
3245        const struct cred *cred = current_cred();
3246
3247        return file_has_perm(cred, file, file_to_av(file));
3248}
3249
3250static int selinux_file_open(struct file *file, const struct cred *cred)
3251{
3252        struct file_security_struct *fsec;
3253        struct inode_security_struct *isec;
3254
3255        fsec = file->f_security;
3256        isec = file->f_path.dentry->d_inode->i_security;
3257        /*
3258         * Save inode label and policy sequence number
3259         * at open-time so that selinux_file_permission
3260         * can determine whether revalidation is necessary.
3261         * Task label is already saved in the file security
3262         * struct as its SID.
3263         */
3264        fsec->isid = isec->sid;
3265        fsec->pseqno = avc_policy_seqno();
3266        /*
3267         * Since the inode label or policy seqno may have changed
3268         * between the selinux_inode_permission check and the saving
3269         * of state above, recheck that access is still permitted.
3270         * Otherwise, access might never be revalidated against the
3271         * new inode label or new policy.
3272         * This check is not redundant - do not remove.
3273         */
3274        return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3275}
3276
3277/* task security operations */
3278
3279static int selinux_task_create(unsigned long clone_flags)
3280{
3281        return current_has_perm(current, PROCESS__FORK);
3282}
3283
3284/*
3285 * allocate the SELinux part of blank credentials
3286 */
3287static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3288{
3289        struct task_security_struct *tsec;
3290
3291        tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3292        if (!tsec)
3293                return -ENOMEM;
3294
3295        cred->security = tsec;
3296        return 0;
3297}
3298
3299/*
3300 * detach and free the LSM part of a set of credentials
3301 */
3302static void selinux_cred_free(struct cred *cred)
3303{
3304        struct task_security_struct *tsec = cred->security;
3305
3306        /*
3307         * cred->security == NULL if security_cred_alloc_blank() or
3308         * security_prepare_creds() returned an error.
3309         */
3310        BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3311        cred->security = (void *) 0x7UL;
3312        kfree(tsec);
3313}
3314
3315/*
3316 * prepare a new set of credentials for modification
3317 */
3318static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3319                                gfp_t gfp)
3320{
3321        const struct task_security_struct *old_tsec;
3322        struct task_security_struct *tsec;
3323
3324        old_tsec = old->security;
3325
3326        tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3327        if (!tsec)
3328                return -ENOMEM;
3329
3330        new->security = tsec;
3331        return 0;
3332}
3333
3334/*
3335 * transfer the SELinux data to a blank set of creds
3336 */
3337static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3338{
3339        const struct task_security_struct *old_tsec = old->security;
3340        struct task_security_struct *tsec = new->security;
3341
3342        *tsec = *old_tsec;
3343}
3344
3345/*
3346 * set the security data for a kernel service
3347 * - all the creation contexts are set to unlabelled
3348 */
3349static int selinux_kernel_act_as(struct cred *new, u32 secid)
3350{
3351        struct task_security_struct *tsec = new->security;
3352        u32 sid = current_sid();
3353        int ret;
3354
3355        ret = avc_has_perm(sid, secid,
3356                           SECCLASS_KERNEL_SERVICE,
3357                           KERNEL_SERVICE__USE_AS_OVERRIDE,
3358                           NULL);
3359        if (ret == 0) {
3360                tsec->sid = secid;
3361                tsec->create_sid = 0;
3362                tsec->keycreate_sid = 0;
3363                tsec->sockcreate_sid = 0;
3364        }
3365        return ret;
3366}
3367
3368/*
3369 * set the file creation context in a security record to the same as the
3370 * objective context of the specified inode
3371 */
3372static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3373{
3374        struct inode_security_struct *isec = inode->i_security;
3375        struct task_security_struct *tsec = new->security;
3376        u32 sid = current_sid();
3377        int ret;
3378
3379        ret = avc_has_perm(sid, isec->sid,
3380                           SECCLASS_KERNEL_SERVICE,
3381                           KERNEL_SERVICE__CREATE_FILES_AS,
3382                           NULL);
3383
3384        if (ret == 0)
3385                tsec->create_sid = isec->sid;
3386        return ret;
3387}
3388
3389static int selinux_kernel_module_request(char *kmod_name)
3390{
3391        u32 sid;
3392        struct common_audit_data ad;
3393
3394        sid = task_sid(current);
3395
3396        ad.type = LSM_AUDIT_DATA_KMOD;
3397        ad.u.kmod_name = kmod_name;
3398
3399        return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3400                            SYSTEM__MODULE_REQUEST, &ad);
3401}
3402
3403static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3404{
3405        return current_has_perm(p, PROCESS__SETPGID);
3406}
3407
3408static int selinux_task_getpgid(struct task_struct *p)
3409{
3410        return current_has_perm(p, PROCESS__GETPGID);
3411}
3412
3413static int selinux_task_getsid(struct task_struct *p)
3414{
3415        return current_has_perm(p, PROCESS__GETSESSION);
3416}
3417
3418static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3419{
3420        *secid = task_sid(p);
3421}
3422
3423static int selinux_task_setnice(struct task_struct *p, int nice)
3424{
3425        int rc;
3426
3427        rc = cap_task_setnice(p, nice);
3428        if (rc)
3429                return rc;
3430
3431        return current_has_perm(p, PROCESS__SETSCHED);
3432}
3433
3434static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3435{
3436        int rc;
3437
3438        rc = cap_task_setioprio(p, ioprio);
3439        if (rc)
3440                return rc;
3441
3442        return current_has_perm(p, PROCESS__SETSCHED);
3443}
3444
3445static int selinux_task_getioprio(struct task_struct *p)
3446{
3447        return current_has_perm(p, PROCESS__GETSCHED);
3448}
3449
3450static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3451                struct rlimit *new_rlim)
3452{
3453        struct rlimit *old_rlim = p->signal->rlim + resource;
3454
3455        /* Control the ability to change the hard limit (whether
3456           lowering or raising it), so that the hard limit can
3457           later be used as a safe reset point for the soft limit
3458           upon context transitions.  See selinux_bprm_committing_creds. */
3459        if (old_rlim->rlim_max != new_rlim->rlim_max)
3460                return current_has_perm(p, PROCESS__SETRLIMIT);
3461
3462        return 0;
3463}
3464
3465static int selinux_task_setscheduler(struct task_struct *p)
3466{
3467        int rc;
3468
3469        rc = cap_task_setscheduler(p);
3470        if (rc)
3471                return rc;
3472
3473        return current_has_perm(p, PROCESS__SETSCHED);
3474}
3475
3476static int selinux_task_getscheduler(struct task_struct *p)
3477{
3478        return current_has_perm(p, PROCESS__GETSCHED);
3479}
3480
3481static int selinux_task_movememory(struct task_struct *p)
3482{
3483        return current_has_perm(p, PROCESS__SETSCHED);
3484}
3485
3486static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3487                                int sig, u32 secid)
3488{
3489        u32 perm;
3490        int rc;
3491
3492        if (!sig)
3493                perm = PROCESS__SIGNULL; /* null signal; existence test */
3494        else
3495                perm = signal_to_av(sig);
3496        if (secid)
3497                rc = avc_has_perm(secid, task_sid(p),
3498                                  SECCLASS_PROCESS, perm, NULL);
3499        else
3500                rc = current_has_perm(p, perm);
3501        return rc;
3502}
3503
3504static int selinux_task_wait(struct task_struct *p)
3505{
3506        return task_has_perm(p, current, PROCESS__SIGCHLD);
3507}
3508
3509static void selinux_task_to_inode(struct task_struct *p,
3510                                  struct inode *inode)
3511{
3512        struct inode_security_struct *isec = inode->i_security;
3513        u32 sid = task_sid(p);
3514
3515        isec->sid = sid;
3516        isec->initialized = 1;
3517}
3518
3519/* Returns error only if unable to parse addresses */
3520static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3521                        struct common_audit_data *ad, u8 *proto)
3522{
3523        int offset, ihlen, ret = -EINVAL;
3524        struct iphdr _iph, *ih;
3525
3526        offset = skb_network_offset(skb);
3527        ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3528        if (ih == NULL)
3529                goto out;
3530
3531        ihlen = ih->ihl * 4;
3532        if (ihlen < sizeof(_iph))
3533                goto out;
3534
3535        ad->u.net->v4info.saddr = ih->saddr;
3536        ad->u.net->v4info.daddr = ih->daddr;
3537        ret = 0;
3538
3539        if (proto)
3540                *proto = ih->protocol;
3541
3542        switch (ih->protocol) {
3543        case IPPROTO_TCP: {
3544                struct tcphdr _tcph, *th;
3545
3546                if (ntohs(ih->frag_off) & IP_OFFSET)
3547                        break;
3548
3549                offset += ihlen;
3550                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3551                if (th == NULL)
3552                        break;
3553
3554                ad->u.net->sport = th->source;
3555                ad->u.net->dport = th->dest;
3556                break;
3557        }
3558
3559        case IPPROTO_UDP: {
3560                struct udphdr _udph, *uh;
3561
3562                if (ntohs(ih->frag_off) & IP_OFFSET)
3563                        break;
3564
3565                offset += ihlen;
3566                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3567                if (uh == NULL)
3568                        break;
3569
3570                ad->u.net->sport = uh->source;
3571                ad->u.net->dport = uh->dest;
3572                break;
3573        }
3574
3575        case IPPROTO_DCCP: {
3576                struct dccp_hdr _dccph, *dh;
3577
3578                if (ntohs(ih->frag_off) & IP_OFFSET)
3579                        break;
3580
3581                offset += ihlen;
3582                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3583                if (dh == NULL)
3584                        break;
3585
3586                ad->u.net->sport = dh->dccph_sport;
3587                ad->u.net->dport = dh->dccph_dport;
3588                break;
3589        }
3590
3591        default:
3592                break;
3593        }
3594out:
3595        return ret;
3596}
3597
3598#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3599
3600/* Returns error only if unable to parse addresses */
3601static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3602                        struct common_audit_data *ad, u8 *proto)
3603{
3604        u8 nexthdr;
3605        int ret = -EINVAL, offset;
3606        struct ipv6hdr _ipv6h, *ip6;
3607        __be16 frag_off;
3608
3609        offset = skb_network_offset(skb);
3610        ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3611        if (ip6 == NULL)
3612                goto out;
3613
3614        ad->u.net->v6info.saddr = ip6->saddr;
3615        ad->u.net->v6info.daddr = ip6->daddr;
3616        ret = 0;
3617
3618        nexthdr = ip6->nexthdr;
3619        offset += sizeof(_ipv6h);
3620        offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3621        if (offset < 0)
3622                goto out;
3623
3624        if (proto)
3625                *proto = nexthdr;
3626
3627        switch (nexthdr) {
3628        case IPPROTO_TCP: {
3629                struct tcphdr _tcph, *th;
3630
3631                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3632                if (th == NULL)
3633                        break;
3634
3635                ad->u.net->sport = th->source;
3636                ad->u.net->dport = th->dest;
3637                break;
3638        }
3639
3640        case IPPROTO_UDP: {
3641                struct udphdr _udph, *uh;
3642
3643                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3644                if (uh == NULL)
3645                        break;
3646
3647                ad->u.net->sport = uh->source;
3648                ad->u.net->dport = uh->dest;
3649                break;
3650        }
3651
3652        case IPPROTO_DCCP: {
3653                struct dccp_hdr _dccph, *dh;
3654
3655                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3656                if (dh == NULL)
3657                        break;
3658
3659                ad->u.net->sport = dh->dccph_sport;
3660                ad->u.net->dport = dh->dccph_dport;
3661                break;
3662        }
3663
3664        /* includes fragments */
3665        default:
3666                break;
3667        }
3668out:
3669        return ret;
3670}
3671
3672#endif /* IPV6 */
3673
3674static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3675                             char **_addrp, int src, u8 *proto)
3676{
3677        char *addrp;
3678        int ret;
3679
3680        switch (ad->u.net->family) {
3681        case PF_INET:
3682                ret = selinux_parse_skb_ipv4(skb, ad, proto);
3683                if (ret)
3684                        goto parse_error;
3685                addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3686                                       &ad->u.net->v4info.daddr);
3687                goto okay;
3688
3689#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3690        case PF_INET6:
3691                ret = selinux_parse_skb_ipv6(skb, ad, proto);
3692                if (ret)
3693                        goto parse_error;
3694                addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3695                                       &ad->u.net->v6info.daddr);
3696                goto okay;
3697#endif  /* IPV6 */
3698        default:
3699                addrp = NULL;
3700                goto okay;
3701        }
3702
3703parse_error:
3704        printk(KERN_WARNING
3705               "SELinux: failure in selinux_parse_skb(),"
3706               " unable to parse packet\n");
3707        return ret;
3708
3709okay:
3710        if (_addrp)
3711                *_addrp = addrp;
3712        return 0;
3713}
3714
3715/**
3716 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3717 * @skb: the packet
3718 * @family: protocol family
3719 * @sid: the packet's peer label SID
3720 *
3721 * Description:
3722 * Check the various different forms of network peer labeling and determine
3723 * the peer label/SID for the packet; most of the magic actually occurs in
3724 * the security server function security_net_peersid_cmp().  The function
3725 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3726 * or -EACCES if @sid is invalid due to inconsistencies with the different
3727 * peer labels.
3728 *
3729 */
3730static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3731{
3732        int err;
3733        u32 xfrm_sid;
3734        u32 nlbl_sid;
3735        u32 nlbl_type;
3736
3737        selinux_skb_xfrm_sid(skb, &xfrm_sid);
3738        selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3739
3740        err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3741        if (unlikely(err)) {
3742                printk(KERN_WARNING
3743                       "SELinux: failure in selinux_skb_peerlbl_sid(),"
3744                       " unable to determine packet's peer label\n");
3745                return -EACCES;
3746        }
3747
3748        return 0;
3749}
3750
3751/* socket security operations */
3752
3753static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3754                                 u16 secclass, u32 *socksid)
3755{
3756        if (tsec->sockcreate_sid > SECSID_NULL) {
3757                *socksid = tsec->sockcreate_sid;
3758                return 0;
3759        }
3760
3761        return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3762                                       socksid);
3763}
3764
3765static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3766{
3767        struct sk_security_struct *sksec = sk->sk_security;
3768        struct common_audit_data ad;
3769        struct lsm_network_audit net = {0,};
3770        u32 tsid = task_sid(task);
3771
3772        if (sksec->sid == SECINITSID_KERNEL)
3773                return 0;
3774
3775        ad.type = LSM_AUDIT_DATA_NET;
3776        ad.u.net = &net;
3777        ad.u.net->sk = sk;
3778
3779        return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3780}
3781
3782static int selinux_socket_create(int family, int type,
3783                                 int protocol, int kern)
3784{
3785        const struct task_security_struct *tsec = current_security();
3786        u32 newsid;
3787        u16 secclass;
3788        int rc;
3789
3790        if (kern)
3791                return 0;
3792
3793        secclass = socket_type_to_security_class(family, type, protocol);
3794        rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3795        if (rc)
3796                return rc;
3797
3798        return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3799}
3800
3801static int selinux_socket_post_create(struct socket *sock, int family,
3802                                      int type, int protocol, int kern)
3803{
3804        const struct task_security_struct *tsec = current_security();
3805        struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3806        struct sk_security_struct *sksec;
3807        int err = 0;
3808
3809        isec->sclass = socket_type_to_security_class(family, type, protocol);
3810
3811        if (kern)
3812                isec->sid = SECINITSID_KERNEL;
3813        else {
3814                err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3815                if (err)
3816                        return err;
3817        }
3818
3819        isec->initialized = 1;
3820
3821        if (sock->sk) {
3822                sksec = sock->sk->sk_security;
3823                sksec->sid = isec->sid;
3824                sksec->sclass = isec->sclass;
3825                err = selinux_netlbl_socket_post_create(sock->sk, family);
3826        }
3827
3828        return err;
3829}
3830
3831/* Range of port numbers used to automatically bind.
3832   Need to determine whether we should perform a name_bind
3833   permission check between the socket and the port number. */
3834
3835static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3836{
3837        struct sock *sk = sock->sk;
3838        u16 family;
3839        int err;
3840
3841        err = sock_has_perm(current, sk, SOCKET__BIND);
3842        if (err)
3843                goto out;
3844
3845        /*
3846         * If PF_INET or PF_INET6, check name_bind permission for the port.
3847         * Multiple address binding for SCTP is not supported yet: we just
3848         * check the first address now.
3849         */
3850        family = sk->sk_family;
3851        if (family == PF_INET || family == PF_INET6) {
3852                char *addrp;
3853                struct sk_security_struct *sksec = sk->sk_security;
3854                struct common_audit_data ad;
3855                struct lsm_network_audit net = {0,};
3856                struct sockaddr_in *addr4 = NULL;
3857                struct sockaddr_in6 *addr6 = NULL;
3858                unsigned short snum;
3859                u32 sid, node_perm;
3860
3861                if (family == PF_INET) {
3862                        addr4 = (struct sockaddr_in *)address;
3863                        snum = ntohs(addr4->sin_port);
3864                        addrp = (char *)&addr4->sin_addr.s_addr;
3865                } else {
3866                        addr6 = (struct sockaddr_in6 *)address;
3867                        snum = ntohs(addr6->sin6_port);
3868                        addrp = (char *)&addr6->sin6_addr.s6_addr;
3869                }
3870
3871                if (snum) {
3872                        int low, high;
3873
3874                        inet_get_local_port_range(&low, &high);
3875
3876                        if (snum < max(PROT_SOCK, low) || snum > high) {
3877                                err = sel_netport_sid(sk->sk_protocol,
3878                                                      snum, &sid);
3879                                if (err)
3880                                        goto out;
3881                                ad.type = LSM_AUDIT_DATA_NET;
3882                                ad.u.net = &net;
3883                                ad.u.net->sport = htons(snum);
3884                                ad.u.net->family = family;
3885                                err = avc_has_perm(sksec->sid, sid,
3886                                                   sksec->sclass,
3887                                                   SOCKET__NAME_BIND, &ad);
3888                                if (err)
3889                                        goto out;
3890                        }
3891                }
3892
3893                switch (sksec->sclass) {
3894                case SECCLASS_TCP_SOCKET:
3895                        node_perm = TCP_SOCKET__NODE_BIND;
3896                        break;
3897
3898                case SECCLASS_UDP_SOCKET:
3899                        node_perm = UDP_SOCKET__NODE_BIND;
3900                        break;
3901
3902                case SECCLASS_DCCP_SOCKET:
3903                        node_perm = DCCP_SOCKET__NODE_BIND;
3904                        break;
3905
3906                default:
3907                        node_perm = RAWIP_SOCKET__NODE_BIND;
3908                        break;
3909                }
3910
3911                err = sel_netnode_sid(addrp, family, &sid);
3912                if (err)
3913                        goto out;
3914
3915                ad.type = LSM_AUDIT_DATA_NET;
3916                ad.u.net = &net;
3917                ad.u.net->sport = htons(snum);
3918                ad.u.net->family = family;
3919
3920                if (family == PF_INET)
3921                        ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3922                else
3923                        ad.u.net->v6info.saddr = addr6->sin6_addr;
3924
3925                err = avc_has_perm(sksec->sid, sid,
3926                                   sksec->sclass, node_perm, &ad);
3927                if (err)
3928                        goto out;
3929        }
3930out:
3931        return err;
3932}
3933
3934static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3935{
3936        struct sock *sk = sock->sk;
3937        struct sk_security_struct *sksec = sk->sk_security;
3938        int err;
3939
3940        err = sock_has_perm(current, sk, SOCKET__CONNECT);
3941        if (err)
3942                return err;
3943
3944        /*
3945         * If a TCP or DCCP socket, check name_connect permission for the port.
3946         */
3947        if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3948            sksec->sclass == SECCLASS_DCCP_SOCKET) {
3949                struct common_audit_data ad;
3950                struct lsm_network_audit net = {0,};
3951                struct sockaddr_in *addr4 = NULL;
3952                struct sockaddr_in6 *addr6 = NULL;
3953                unsigned short snum;
3954                u32 sid, perm;
3955
3956                if (sk->sk_family == PF_INET) {
3957                        addr4 = (struct sockaddr_in *)address;
3958                        if (addrlen < sizeof(struct sockaddr_in))
3959                                return -EINVAL;
3960                        snum = ntohs(addr4->sin_port);
3961                } else {
3962                        addr6 = (struct sockaddr_in6 *)address;
3963                        if (addrlen < SIN6_LEN_RFC2133)
3964                                return -EINVAL;
3965                        snum = ntohs(addr6->sin6_port);
3966                }
3967
3968                err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3969                if (err)
3970                        goto out;
3971
3972                perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3973                       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3974
3975                ad.type = LSM_AUDIT_DATA_NET;
3976                ad.u.net = &net;
3977                ad.u.net->dport = htons(snum);
3978                ad.u.net->family = sk->sk_family;
3979                err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3980                if (err)
3981                        goto out;
3982        }
3983
3984        err = selinux_netlbl_socket_connect(sk, address);
3985
3986out:
3987        return err;
3988}
3989
3990static int selinux_socket_listen(struct socket *sock, int backlog)
3991{
3992        return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3993}
3994
3995static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3996{
3997        int err;
3998        struct inode_security_struct *isec;
3999        struct inode_security_struct *newisec;
4000
4001        err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4002        if (err)
4003                return err;
4004
4005        newisec = SOCK_INODE(newsock)->i_security;
4006
4007        isec = SOCK_INODE(sock)->i_security;
4008        newisec->sclass = isec->sclass;
4009        newisec->sid = isec->sid;
4010        newisec->initialized = 1;
4011
4012        return 0;
4013}
4014
4015static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4016                                  int size)
4017{
4018        return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4019}
4020
4021static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4022                                  int size, int flags)
4023{
4024        return sock_has_perm(current, sock->sk, SOCKET__READ);
4025}
4026
4027static int selinux_socket_getsockname(struct socket *sock)
4028{
4029        return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4030}
4031
4032static int selinux_socket_getpeername(struct socket *sock)
4033{
4034        return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4035}
4036
4037static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4038{
4039        int err;
4040
4041        err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4042        if (err)
4043                return err;
4044
4045        return selinux_netlbl_socket_setsockopt(sock, level, optname);
4046}
4047
4048static int selinux_socket_getsockopt(struct socket *sock, int level,
4049                                     int optname)
4050{
4051        return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4052}
4053
4054static int selinux_socket_shutdown(struct socket *sock, int how)
4055{
4056        return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4057}
4058
4059static int selinux_socket_unix_stream_connect(struct sock *sock,
4060                                              struct sock *other,
4061                                              struct sock *newsk)
4062{
4063        struct sk_security_struct *sksec_sock = sock->sk_security;
4064        struct sk_security_struct *sksec_other = other->sk_security;
4065        struct sk_security_struct *sksec_new = newsk->sk_security;
4066        struct common_audit_data ad;
4067        struct lsm_network_audit net = {0,};
4068        int err;
4069
4070        ad.type = LSM_AUDIT_DATA_NET;
4071        ad.u.net = &net;
4072        ad.u.net->sk = other;
4073
4074        err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4075                           sksec_other->sclass,
4076                           UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4077        if (err)
4078                return err;
4079
4080        /* server child socket */
4081        sksec_new->peer_sid = sksec_sock->sid;
4082        err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4083                                    &sksec_new->sid);
4084        if (err)
4085                return err;
4086
4087        /* connecting socket */
4088        sksec_sock->peer_sid = sksec_new->sid;
4089
4090        return 0;
4091}
4092
4093static int selinux_socket_unix_may_send(struct socket *sock,
4094                                        struct socket *other)
4095{
4096        struct sk_security_struct *ssec = sock->sk->sk_security;
4097        struct sk_security_struct *osec = other->sk->sk_security;
4098        struct common_audit_data ad;
4099        struct lsm_network_audit net = {0,};
4100
4101        ad.type = LSM_AUDIT_DATA_NET;
4102        ad.u.net = &net;
4103        ad.u.net->sk = other->sk;
4104
4105        return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4106                            &ad);
4107}
4108
4109static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4110                                    u32 peer_sid,
4111                                    struct common_audit_data *ad)
4112{
4113        int err;
4114        u32 if_sid;
4115        u32 node_sid;
4116
4117        err = sel_netif_sid(ifindex, &if_sid);
4118        if (err)
4119                return err;
4120        err = avc_has_perm(peer_sid, if_sid,
4121                           SECCLASS_NETIF, NETIF__INGRESS, ad);
4122        if (err)
4123                return err;
4124
4125        err = sel_netnode_sid(addrp, family, &node_sid);
4126        if (err)
4127                return err;
4128        return avc_has_perm(peer_sid, node_sid,
4129                            SECCLASS_NODE, NODE__RECVFROM, ad);
4130}
4131
4132static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4133                                       u16 family)
4134{
4135        int err = 0;
4136        struct sk_security_struct *sksec = sk->sk_security;
4137        u32 sk_sid = sksec->sid;
4138        struct common_audit_data ad;
4139        struct lsm_network_audit net = {0,};
4140        char *addrp;
4141
4142        ad.type = LSM_AUDIT_DATA_NET;
4143        ad.u.net = &net;
4144        ad.u.net->netif = skb->skb_iif;
4145        ad.u.net->family = family;
4146        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4147        if (err)
4148                return err;
4149
4150        if (selinux_secmark_enabled()) {
4151                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4152                                   PACKET__RECV, &ad);
4153                if (err)
4154                        return err;
4155        }
4156
4157        err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4158        if (err)
4159                return err;
4160        err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4161
4162        return err;
4163}
4164
4165static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4166{
4167        int err;
4168        struct sk_security_struct *sksec = sk->sk_security;
4169        u16 family = sk->sk_family;
4170        u32 sk_sid = sksec->sid;
4171        struct common_audit_data ad;
4172        struct lsm_network_audit net = {0,};
4173        char *addrp;
4174        u8 secmark_active;
4175        u8 peerlbl_active;
4176
4177        if (family != PF_INET && family != PF_INET6)
4178                return 0;
4179
4180        /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4181        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4182                family = PF_INET;
4183
4184        /* If any sort of compatibility mode is enabled then handoff processing
4185         * to the selinux_sock_rcv_skb_compat() function to deal with the
4186         * special handling.  We do this in an attempt to keep this function
4187         * as fast and as clean as possible. */
4188        if (!selinux_policycap_netpeer)
4189                return selinux_sock_rcv_skb_compat(sk, skb, family);
4190
4191        secmark_active = selinux_secmark_enabled();
4192        peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4193        if (!secmark_active && !peerlbl_active)
4194                return 0;
4195
4196        ad.type = LSM_AUDIT_DATA_NET;
4197        ad.u.net = &net;
4198        ad.u.net->netif = skb->skb_iif;
4199        ad.u.net->family = family;
4200        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4201        if (err)
4202                return err;
4203
4204        if (peerlbl_active) {
4205                u32 peer_sid;
4206
4207                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4208                if (err)
4209                        return err;
4210                err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4211                                               peer_sid, &ad);
4212                if (err) {
4213                        selinux_netlbl_err(skb, err, 0);
4214                        return err;
4215                }
4216                err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4217                                   PEER__RECV, &ad);
4218                if (err)
4219                        selinux_netlbl_err(skb, err, 0);
4220        }
4221
4222        if (secmark_active) {
4223                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4224                                   PACKET__RECV, &ad);
4225                if (err)
4226                        return err;
4227        }
4228
4229        return err;
4230}
4231
4232static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4233                                            int __user *optlen, unsigned len)
4234{
4235        int err = 0;
4236        char *scontext;
4237        u32 scontext_len;
4238        struct sk_security_struct *sksec = sock->sk->sk_security;
4239        u32 peer_sid = SECSID_NULL;
4240
4241        if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4242            sksec->sclass == SECCLASS_TCP_SOCKET)
4243                peer_sid = sksec->peer_sid;
4244        if (peer_sid == SECSID_NULL)
4245                return -ENOPROTOOPT;
4246
4247        err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4248        if (err)
4249                return err;
4250
4251        if (scontext_len > len) {
4252                err = -ERANGE;
4253                goto out_len;
4254        }
4255
4256        if (copy_to_user(optval, scontext, scontext_len))
4257                err = -EFAULT;
4258
4259out_len:
4260        if (put_user(scontext_len, optlen))
4261                err = -EFAULT;
4262        kfree(scontext);
4263        return err;
4264}
4265
4266static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4267{
4268        u32 peer_secid = SECSID_NULL;
4269        u16 family;
4270
4271        if (skb && skb->protocol == htons(ETH_P_IP))
4272                family = PF_INET;
4273        else if (skb && skb->protocol == htons(ETH_P_IPV6))
4274                family = PF_INET6;
4275        else if (sock)
4276                family = sock->sk->sk_family;
4277        else
4278                goto out;
4279
4280        if (sock && family == PF_UNIX)
4281                selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4282        else if (skb)
4283                selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4284
4285out:
4286        *secid = peer_secid;
4287        if (peer_secid == SECSID_NULL)
4288                return -EINVAL;
4289        return 0;
4290}
4291
4292static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4293{
4294        struct sk_security_struct *sksec;
4295
4296        sksec = kzalloc(sizeof(*sksec), priority);
4297        if (!sksec)
4298                return -ENOMEM;
4299
4300        sksec->peer_sid = SECINITSID_UNLABELED;
4301        sksec->sid = SECINITSID_UNLABELED;
4302        selinux_netlbl_sk_security_reset(sksec);
4303        sk->sk_security = sksec;
4304
4305        return 0;
4306}
4307
4308static void selinux_sk_free_security(struct sock *sk)
4309{
4310        struct sk_security_struct *sksec = sk->sk_security;
4311
4312        sk->sk_security = NULL;
4313        selinux_netlbl_sk_security_free(sksec);
4314        kfree(sksec);
4315}
4316
4317static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4318{
4319        struct sk_security_struct *sksec = sk->sk_security;
4320        struct sk_security_struct *newsksec = newsk->sk_security;
4321
4322        newsksec->sid = sksec->sid;
4323        newsksec->peer_sid = sksec->peer_sid;
4324        newsksec->sclass = sksec->sclass;
4325
4326        selinux_netlbl_sk_security_reset(newsksec);
4327}
4328
4329static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4330{
4331        if (!sk)
4332                *secid = SECINITSID_ANY_SOCKET;
4333        else {
4334                struct sk_security_struct *sksec = sk->sk_security;
4335
4336                *secid = sksec->sid;
4337        }
4338}
4339
4340static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4341{
4342        struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4343        struct sk_security_struct *sksec = sk->sk_security;
4344
4345        if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4346            sk->sk_family == PF_UNIX)
4347                isec->sid = sksec->sid;
4348        sksec->sclass = isec->sclass;
4349}
4350
4351static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4352                                     struct request_sock *req)
4353{
4354        struct sk_security_struct *sksec = sk->sk_security;
4355        int err;
4356        u16 family = sk->sk_family;
4357        u32 newsid;
4358        u32 peersid;
4359
4360        /* handle mapped IPv4 packets arriving via IPv6 sockets */
4361        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4362                family = PF_INET;
4363
4364        err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4365        if (err)
4366                return err;
4367        if (peersid == SECSID_NULL) {
4368                req->secid = sksec->sid;
4369                req->peer_secid = SECSID_NULL;
4370        } else {
4371                err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4372                if (err)
4373                        return err;
4374                req->secid = newsid;
4375                req->peer_secid = peersid;
4376        }
4377
4378        return selinux_netlbl_inet_conn_request(req, family);
4379}
4380
4381static void selinux_inet_csk_clone(struct sock *newsk,
4382                                   const struct request_sock *req)
4383{
4384        struct sk_security_struct *newsksec = newsk->sk_security;
4385
4386        newsksec->sid = req->secid;
4387        newsksec->peer_sid = req->peer_secid;
4388        /* NOTE: Ideally, we should also get the isec->sid for the
4389           new socket in sync, but we don't have the isec available yet.
4390           So we will wait until sock_graft to do it, by which
4391           time it will have been created and available. */
4392
4393        /* We don't need to take any sort of lock here as we are the only
4394         * thread with access to newsksec */
4395        selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4396}
4397
4398static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4399{
4400        u16 family = sk->sk_family;
4401        struct sk_security_struct *sksec = sk->sk_security;
4402
4403        /* handle mapped IPv4 packets arriving via IPv6 sockets */
4404        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4405                family = PF_INET;
4406
4407        selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4408}
4409
4410static int selinux_secmark_relabel_packet(u32 sid)
4411{
4412        const struct task_security_struct *__tsec;
4413        u32 tsid;
4414
4415        __tsec = current_security();
4416        tsid = __tsec->sid;
4417
4418        return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4419}
4420
4421static void selinux_secmark_refcount_inc(void)
4422{
4423        atomic_inc(&selinux_secmark_refcount);
4424}
4425
4426static void selinux_secmark_refcount_dec(void)
4427{
4428        atomic_dec(&selinux_secmark_refcount);
4429}
4430
4431static void selinux_req_classify_flow(const struct request_sock *req,
4432                                      struct flowi *fl)
4433{
4434        fl->flowi_secid = req->secid;
4435}
4436
4437static int selinux_tun_dev_create(void)
4438{
4439        u32 sid = current_sid();
4440
4441        /* we aren't taking into account the "sockcreate" SID since the socket
4442         * that is being created here is not a socket in the traditional sense,
4443         * instead it is a private sock, accessible only to the kernel, and
4444         * representing a wide range of network traffic spanning multiple
4445         * connections unlike traditional sockets - check the TUN driver to
4446         * get a better understanding of why this socket is special */
4447
4448        return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4449                            NULL);
4450}
4451
4452static void selinux_tun_dev_post_create(struct sock *sk)
4453{
4454        struct sk_security_struct *sksec = sk->sk_security;
4455
4456        /* we don't currently perform any NetLabel based labeling here and it
4457         * isn't clear that we would want to do so anyway; while we could apply
4458         * labeling without the support of the TUN user the resulting labeled
4459         * traffic from the other end of the connection would almost certainly
4460         * cause confusion to the TUN user that had no idea network labeling
4461         * protocols were being used */
4462
4463        /* see the comments in selinux_tun_dev_create() about why we don't use
4464         * the sockcreate SID here */
4465
4466        sksec->sid = current_sid();
4467        sksec->sclass = SECCLASS_TUN_SOCKET;
4468}
4469
4470static int selinux_tun_dev_attach(struct sock *sk)
4471{
4472        struct sk_security_struct *sksec = sk->sk_security;
4473        u32 sid = current_sid();
4474        int err;
4475
4476        err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4477                           TUN_SOCKET__RELABELFROM, NULL);
4478        if (err)
4479                return err;
4480        err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4481                           TUN_SOCKET__RELABELTO, NULL);
4482        if (err)
4483                return err;
4484
4485        sksec->sid = sid;
4486
4487        return 0;
4488}
4489
4490static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4491{
4492        int err = 0;
4493        u32 perm;
4494        struct nlmsghdr *nlh;
4495        struct sk_security_struct *sksec = sk->sk_security;
4496
4497        if (skb->len < NLMSG_SPACE(0)) {
4498                err = -EINVAL;
4499                goto out;
4500        }
4501        nlh = nlmsg_hdr(skb);
4502
4503        err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4504        if (err) {
4505                if (err == -EINVAL) {
4506                        audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4507                                  "SELinux:  unrecognized netlink message"
4508                                  " type=%hu for sclass=%hu\n",
4509                                  nlh->nlmsg_type, sksec->sclass);
4510                        if (!selinux_enforcing || security_get_allow_unknown())
4511                                err = 0;
4512                }
4513
4514                /* Ignore */
4515                if (err == -ENOENT)
4516                        err = 0;
4517                goto out;
4518        }
4519
4520        err = sock_has_perm(current, sk, perm);
4521out:
4522        return err;
4523}
4524
4525#ifdef CONFIG_NETFILTER
4526
4527static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4528                                       u16 family)
4529{
4530        int err;
4531        char *addrp;
4532        u32 peer_sid;
4533        struct common_audit_data ad;
4534        struct lsm_network_audit net = {0,};
4535        u8 secmark_active;
4536        u8 netlbl_active;
4537        u8 peerlbl_active;
4538
4539        if (!selinux_policycap_netpeer)
4540                return NF_ACCEPT;
4541
4542        secmark_active = selinux_secmark_enabled();
4543        netlbl_active = netlbl_enabled();
4544        peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4545        if (!secmark_active && !peerlbl_active)
4546                return NF_ACCEPT;
4547
4548        if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4549                return NF_DROP;
4550
4551        ad.type = LSM_AUDIT_DATA_NET;
4552        ad.u.net = &net;
4553        ad.u.net->netif = ifindex;
4554        ad.u.net->family = family;
4555        if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4556                return NF_DROP;
4557
4558        if (peerlbl_active) {
4559                err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4560                                               peer_sid, &ad);
4561                if (err) {
4562                        selinux_netlbl_err(skb, err, 1);
4563                        return NF_DROP;
4564                }
4565        }
4566
4567        if (secmark_active)
4568                if (avc_has_perm(peer_sid, skb->secmark,
4569                                 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4570                        return NF_DROP;
4571
4572        if (netlbl_active)
4573                /* we do this in the FORWARD path and not the POST_ROUTING
4574                 * path because we want to make sure we apply the necessary
4575                 * labeling before IPsec is applied so we can leverage AH
4576                 * protection */
4577                if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4578                        return NF_DROP;
4579
4580        return NF_ACCEPT;
4581}
4582
4583static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4584                                         struct sk_buff *skb,
4585                                         const struct net_device *in,
4586                                         const struct net_device *out,
4587                                         int (*okfn)(struct sk_buff *))
4588{
4589        return selinux_ip_forward(skb, in->ifindex, PF_INET);
4590}
4591
4592#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4593static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4594                                         struct sk_buff *skb,
4595                                         const struct net_device *in,
4596                                         const struct net_device *out,
4597                                         int (*okfn)(struct sk_buff *))
4598{
4599        return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4600}
4601#endif  /* IPV6 */
4602
4603static unsigned int selinux_ip_output(struct sk_buff *skb,
4604                                      u16 family)
4605{
4606        u32 sid;
4607
4608        if (!netlbl_enabled())
4609                return NF_ACCEPT;
4610
4611        /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4612         * because we want to make sure we apply the necessary labeling
4613         * before IPsec is applied so we can leverage AH protection */
4614        if (skb->sk) {
4615                struct sk_security_struct *sksec = skb->sk->sk_security;
4616                sid = sksec->sid;
4617        } else
4618                sid = SECINITSID_KERNEL;
4619        if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4620                return NF_DROP;
4621
4622        return NF_ACCEPT;
4623}
4624
4625static unsigned int selinux_ipv4_output(unsigned int hooknum,
4626                                        struct sk_buff *skb,
4627                                        const struct net_device *in,
4628                                        const struct net_device *out,
4629                                        int (*okfn)(struct sk_buff *))
4630{
4631        return selinux_ip_output(skb, PF_INET);
4632}
4633
4634static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4635                                                int ifindex,
4636                                                u16 family)
4637{
4638        struct sock *sk = skb->sk;
4639        struct sk_security_struct *sksec;
4640        struct common_audit_data ad;
4641        struct lsm_network_audit net = {0,};
4642        char *addrp;
4643        u8 proto;
4644
4645        if (sk == NULL)
4646                return NF_ACCEPT;
4647        sksec = sk->sk_security;
4648
4649        ad.type = LSM_AUDIT_DATA_NET;
4650        ad.u.net = &net;
4651        ad.u.net->netif = ifindex;
4652        ad.u.net->family = family;
4653        if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4654                return NF_DROP;
4655
4656        if (selinux_secmark_enabled())
4657                if (avc_has_perm(sksec->sid, skb->secmark,
4658                                 SECCLASS_PACKET, PACKET__SEND, &ad))
4659                        return NF_DROP_ERR(-ECONNREFUSED);
4660
4661        if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4662                return NF_DROP_ERR(-ECONNREFUSED);
4663
4664        return NF_ACCEPT;
4665}
4666
4667static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4668                                         u16 family)
4669{
4670        u32 secmark_perm;
4671        u32 peer_sid;
4672        struct sock *sk;
4673        struct common_audit_data ad;
4674        struct lsm_network_audit net = {0,};
4675        char *addrp;
4676        u8 secmark_active;
4677        u8 peerlbl_active;
4678
4679        /* If any sort of compatibility mode is enabled then handoff processing
4680         * to the selinux_ip_postroute_compat() function to deal with the
4681         * special handling.  We do this in an attempt to keep this function
4682         * as fast and as clean as possible. */
4683        if (!selinux_policycap_netpeer)
4684                return selinux_ip_postroute_compat(skb, ifindex, family);
4685#ifdef CONFIG_XFRM
4686        /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4687         * packet transformation so allow the packet to pass without any checks
4688         * since we'll have another chance to perform access control checks
4689         * when the packet is on it's final way out.
4690         * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4691         *       is NULL, in this case go ahead and apply access control. */
4692        if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4693                return NF_ACCEPT;
4694#endif
4695        secmark_active = selinux_secmark_enabled();
4696        peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4697        if (!secmark_active && !peerlbl_active)
4698                return NF_ACCEPT;
4699
4700        /* if the packet is being forwarded then get the peer label from the
4701         * packet itself; otherwise check to see if it is from a local
4702         * application or the kernel, if from an application get the peer label
4703         * from the sending socket, otherwise use the kernel's sid */
4704        sk = skb->sk;
4705        if (sk == NULL) {
4706                if (skb->skb_iif) {
4707                        secmark_perm = PACKET__FORWARD_OUT;
4708                        if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4709                                return NF_DROP;
4710                } else {
4711                        secmark_perm = PACKET__SEND;
4712                        peer_sid = SECINITSID_KERNEL;
4713                }
4714        } else {
4715                struct sk_security_struct *sksec = sk->sk_security;
4716                peer_sid = sksec->sid;
4717                secmark_perm = PACKET__SEND;
4718        }
4719
4720        ad.type = LSM_AUDIT_DATA_NET;
4721        ad.u.net = &net;
4722        ad.u.net->netif = ifindex;
4723        ad.u.net->family = family;
4724        if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4725                return NF_DROP;
4726
4727        if (secmark_active)
4728                if (avc_has_perm(peer_sid, skb->secmark,
4729                                 SECCLASS_PACKET, secmark_perm, &ad))
4730                        return NF_DROP_ERR(-ECONNREFUSED);
4731
4732        if (peerlbl_active) {
4733                u32 if_sid;
4734                u32 node_sid;
4735
4736                if (sel_netif_sid(ifindex, &if_sid))
4737                        return NF_DROP;
4738                if (avc_has_perm(peer_sid, if_sid,
4739                                 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4740                        return NF_DROP_ERR(-ECONNREFUSED);
4741
4742                if (sel_netnode_sid(addrp, family, &node_sid))
4743                        return NF_DROP;
4744                if (avc_has_perm(peer_sid, node_sid,
4745                                 SECCLASS_NODE, NODE__SENDTO, &ad))
4746                        return NF_DROP_ERR(-ECONNREFUSED);
4747        }
4748
4749        return NF_ACCEPT;
4750}
4751
4752static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4753                                           struct sk_buff *skb,
4754                                           const struct net_device *in,
4755                                           const struct net_device *out,
4756                                           int (*okfn)(struct sk_buff *))
4757{
4758        return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4759}
4760
4761#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4762static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4763                                           struct sk_buff *skb,
4764                                           const struct net_device *in,
4765                                           const struct net_device *out,
4766                                           int (*okfn)(struct sk_buff *))
4767{
4768        return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4769}
4770#endif  /* IPV6 */
4771
4772#endif  /* CONFIG_NETFILTER */
4773
4774static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4775{
4776        int err;
4777
4778        err = cap_netlink_send(sk, skb);
4779        if (err)
4780                return err;
4781
4782        return selinux_nlmsg_perm(sk, skb);
4783}
4784
4785static int ipc_alloc_security(struct task_struct *task,
4786                              struct kern_ipc_perm *perm,
4787                              u16 sclass)
4788{
4789        struct ipc_security_struct *isec;
4790        u32 sid;
4791
4792        isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4793        if (!isec)
4794                return -ENOMEM;
4795
4796        sid = task_sid(task);
4797        isec->sclass = sclass;
4798        isec->sid = sid;
4799        perm->security = isec;
4800
4801        return 0;
4802}
4803
4804static void ipc_free_security(struct kern_ipc_perm *perm)
4805{
4806        struct ipc_security_struct *isec = perm->security;
4807        perm->security = NULL;
4808        kfree(isec);
4809}
4810
4811static int msg_msg_alloc_security(struct msg_msg *msg)
4812{
4813        struct msg_security_struct *msec;
4814
4815        msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4816        if (!msec)
4817                return -ENOMEM;
4818
4819        msec->sid = SECINITSID_UNLABELED;
4820        msg->security = msec;
4821
4822        return 0;
4823}
4824
4825static void msg_msg_free_security(struct msg_msg *msg)
4826{
4827        struct msg_security_struct *msec = msg->security;
4828
4829        msg->security = NULL;
4830        kfree(msec);
4831}
4832
4833static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4834                        u32 perms)
4835{
4836        struct ipc_security_struct *isec;
4837        struct common_audit_data ad;
4838        u32 sid = current_sid();
4839
4840        isec = ipc_perms->security;
4841
4842        ad.type = LSM_AUDIT_DATA_IPC;
4843        ad.u.ipc_id = ipc_perms->key;
4844
4845        return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4846}
4847
4848static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4849{
4850        return msg_msg_alloc_security(msg);
4851}
4852
4853static void selinux_msg_msg_free_security(struct msg_msg *msg)
4854{
4855        msg_msg_free_security(msg);
4856}
4857
4858/* message queue security operations */
4859static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4860{
4861        struct ipc_security_struct *isec;
4862        struct common_audit_data ad;
4863        u32 sid = current_sid();
4864        int rc;
4865
4866        rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4867        if (rc)
4868                return rc;
4869
4870        isec = msq->q_perm.security;
4871
4872        ad.type = LSM_AUDIT_DATA_IPC;
4873        ad.u.ipc_id = msq->q_perm.key;
4874
4875        rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4876                          MSGQ__CREATE, &ad);
4877        if (rc) {
4878                ipc_free_security(&msq->q_perm);
4879                return rc;
4880        }
4881        return 0;
4882}
4883
4884static void selinux_msg_queue_free_security(struct msg_queue *msq)
4885{
4886        ipc_free_security(&msq->q_perm);
4887}
4888
4889static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4890{
4891        struct ipc_security_struct *isec;
4892        struct common_audit_data ad;
4893        u32 sid = current_sid();
4894
4895        isec = msq->q_perm.security;
4896
4897        ad.type = LSM_AUDIT_DATA_IPC;
4898        ad.u.ipc_id = msq->q_perm.key;
4899
4900        return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4901                            MSGQ__ASSOCIATE, &ad);
4902}
4903
4904static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4905{
4906        int err;
4907        int perms;
4908
4909        switch (cmd) {
4910        case IPC_INFO:
4911        case MSG_INFO:
4912                /* No specific object, just general system-wide information. */
4913                return task_has_system(current, SYSTEM__IPC_INFO);
4914        case IPC_STAT:
4915        case MSG_STAT:
4916                perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4917                break;
4918        case IPC_SET:
4919                perms = MSGQ__SETATTR;
4920                break;
4921        case IPC_RMID:
4922                perms = MSGQ__DESTROY;
4923                break;
4924        default:
4925                return 0;
4926        }
4927
4928        err = ipc_has_perm(&msq->q_perm, perms);
4929        return err;
4930}
4931
4932static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4933{
4934        struct ipc_security_struct *isec;
4935        struct msg_security_struct *msec;
4936        struct common_audit_data ad;
4937        u32 sid = current_sid();
4938        int rc;
4939
4940        isec = msq->q_perm.security;
4941        msec = msg->security;
4942
4943        /*
4944         * First time through, need to assign label to the message
4945         */
4946        if (msec->sid == SECINITSID_UNLABELED) {
4947                /*
4948                 * Compute new sid based on current process and
4949                 * message queue this message will be stored in
4950                 */
4951                rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4952                                             NULL, &msec->sid);
4953                if (rc)
4954                        return rc;
4955        }
4956
4957        ad.type = LSM_AUDIT_DATA_IPC;
4958        ad.u.ipc_id = msq->q_perm.key;
4959
4960        /* Can this process write to the queue? */
4961        rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4962                          MSGQ__WRITE, &ad);
4963        if (!rc)
4964                /* Can this process send the message */
4965                rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4966                                  MSG__SEND, &ad);
4967        if (!rc)
4968                /* Can the message be put in the queue? */
4969                rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4970                                  MSGQ__ENQUEUE, &ad);
4971
4972        return rc;
4973}
4974
4975static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4976                                    struct task_struct *target,
4977                                    long type, int mode)
4978{
4979        struct ipc_security_struct *isec;
4980        struct msg_security_struct *msec;
4981        struct common_audit_data ad;
4982        u32 sid = task_sid(target);
4983        int rc;
4984
4985        isec = msq->q_perm.security;
4986        msec = msg->security;
4987
4988        ad.type = LSM_AUDIT_DATA_IPC;
4989        ad.u.ipc_id = msq->q_perm.key;
4990
4991        rc = avc_has_perm(sid, isec->sid,
4992                          SECCLASS_MSGQ, MSGQ__READ, &ad);
4993        if (!rc)
4994                rc = avc_has_perm(sid, msec->sid,
4995                                  SECCLASS_MSG, MSG__RECEIVE, &ad);
4996        return rc;
4997}
4998
4999/* Shared Memory security operations */
5000static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5001{
5002        struct ipc_security_struct *isec;
5003        struct common_audit_data ad;
5004        u32 sid = current_sid();
5005        int rc;
5006
5007        rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5008        if (rc)
5009                return rc;
5010
5011        isec = shp->shm_perm.security;
5012
5013        ad.type = LSM_AUDIT_DATA_IPC;
5014        ad.u.ipc_id = shp->shm_perm.key;
5015
5016        rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5017                          SHM__CREATE, &ad);
5018        if (rc) {
5019                ipc_free_security(&shp->shm_perm);
5020                return rc;
5021        }
5022        return 0;
5023}
5024
5025static void selinux_shm_free_security(struct shmid_kernel *shp)
5026{
5027        ipc_free_security(&shp->shm_perm);
5028}
5029
5030static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5031{
5032        struct ipc_security_struct *isec;
5033        struct common_audit_data ad;
5034        u32 sid = current_sid();
5035
5036        isec = shp->shm_perm.security;
5037
5038        ad.type = LSM_AUDIT_DATA_IPC;
5039        ad.u.ipc_id = shp->shm_perm.key;
5040
5041        return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5042                            SHM__ASSOCIATE, &ad);
5043}
5044
5045/* Note, at this point, shp is locked down */
5046static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5047{
5048        int perms;
5049        int err;
5050
5051        switch (cmd) {
5052        case IPC_INFO:
5053        case SHM_INFO:
5054                /* No specific object, just general system-wide information. */
5055                return task_has_system(current, SYSTEM__IPC_INFO);
5056        case IPC_STAT:
5057        case SHM_STAT:
5058                perms = SHM__GETATTR | SHM__ASSOCIATE;
5059                break;
5060        case IPC_SET:
5061                perms = SHM__SETATTR;
5062                break;
5063        case SHM_LOCK:
5064        case SHM_UNLOCK:
5065                perms = SHM__LOCK;
5066                break;
5067        case IPC_RMID:
5068                perms = SHM__DESTROY;
5069                break;
5070        default:
5071                return 0;
5072        }
5073
5074        err = ipc_has_perm(&shp->shm_perm, perms);
5075        return err;
5076}
5077
5078static int selinux_shm_shmat(struct shmid_kernel *shp,
5079                             char __user *shmaddr, int shmflg)
5080{
5081        u32 perms;
5082
5083        if (shmflg & SHM_RDONLY)
5084                perms = SHM__READ;
5085        else
5086                perms = SHM__READ | SHM__WRITE;
5087
5088        return ipc_has_perm(&shp->shm_perm, perms);
5089}
5090
5091/* Semaphore security operations */
5092static int selinux_sem_alloc_security(struct sem_array *sma)
5093{
5094        struct ipc_security_struct *isec;
5095        struct common_audit_data ad;
5096        u32 sid = current_sid();
5097        int rc;
5098
5099        rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5100        if (rc)
5101                return rc;
5102
5103        isec = sma->sem_perm.security;
5104
5105        ad.type = LSM_AUDIT_DATA_IPC;
5106        ad.u.ipc_id = sma->sem_perm.key;
5107
5108        rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5109                          SEM__CREATE, &ad);
5110        if (rc) {
5111                ipc_free_security(&sma->sem_perm);
5112                return rc;
5113        }
5114        return 0;
5115}
5116
5117static void selinux_sem_free_security(struct sem_array *sma)
5118{
5119        ipc_free_security(&sma->sem_perm);
5120}
5121
5122static int selinux_sem_associate(struct sem_array *sma, int semflg)
5123{
5124        struct ipc_security_struct *isec;
5125        struct common_audit_data ad;
5126        u32 sid = current_sid();
5127
5128        isec = sma->sem_perm.security;
5129
5130        ad.type = LSM_AUDIT_DATA_IPC;
5131        ad.u.ipc_id = sma->sem_perm.key;
5132
5133        return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5134                            SEM__ASSOCIATE, &ad);
5135}
5136
5137/* Note, at this point, sma is locked down */
5138static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5139{
5140        int err;
5141        u32 perms;
5142
5143        switch (cmd) {
5144        case IPC_INFO:
5145        case SEM_INFO:
5146                /* No specific object, just general system-wide information. */
5147                return task_has_system(current, SYSTEM__IPC_INFO);
5148        case GETPID:
5149        case GETNCNT:
5150        case GETZCNT:
5151                perms = SEM__GETATTR;
5152                break;
5153        case GETVAL:
5154        case GETALL:
5155                perms = SEM__READ;
5156                break;
5157        case SETVAL:
5158        case SETALL:
5159                perms = SEM__WRITE;
5160                break;
5161        case IPC_RMID:
5162                perms = SEM__DESTROY;
5163                break;
5164        case IPC_SET:
5165                perms = SEM__SETATTR;
5166                break;
5167        case IPC_STAT:
5168        case SEM_STAT:
5169                perms = SEM__GETATTR | SEM__ASSOCIATE;
5170                break;
5171        default:
5172                return 0;
5173        }
5174
5175        err = ipc_has_perm(&sma->sem_perm, perms);
5176        return err;
5177}
5178
5179static int selinux_sem_semop(struct sem_array *sma,
5180                             struct sembuf *sops, unsigned nsops, int alter)
5181{
5182        u32 perms;
5183
5184        if (alter)
5185                perms = SEM__READ | SEM__WRITE;
5186        else
5187                perms = SEM__READ;
5188
5189        return ipc_has_perm(&sma->sem_perm, perms);
5190}
5191
5192static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5193{
5194        u32 av = 0;
5195
5196        av = 0;
5197        if (flag & S_IRUGO)
5198                av |= IPC__UNIX_READ;
5199        if (flag & S_IWUGO)
5200                av |= IPC__UNIX_WRITE;
5201
5202        if (av == 0)
5203                return 0;
5204
5205        return ipc_has_perm(ipcp, av);
5206}
5207
5208static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5209{
5210        struct ipc_security_struct *isec = ipcp->security;
5211        *secid = isec->sid;
5212}
5213
5214static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5215{
5216        if (inode)
5217                inode_doinit_with_dentry(inode, dentry);
5218}
5219
5220static int selinux_getprocattr(struct task_struct *p,
5221                               char *name, char **value)
5222{
5223        const struct task_security_struct *__tsec;
5224        u32 sid;
5225        int error;
5226        unsigned len;
5227
5228        if (current != p) {
5229                error = current_has_perm(p, PROCESS__GETATTR);
5230                if (error)
5231                        return error;
5232        }
5233
5234        rcu_read_lock();
5235        __tsec = __task_cred(p)->security;
5236
5237        if (!strcmp(name, "current"))
5238                sid = __tsec->sid;
5239        else if (!strcmp(name, "prev"))
5240                sid = __tsec->osid;
5241        else if (!strcmp(name, "exec"))
5242                sid = __tsec->exec_sid;
5243        else if (!strcmp(name, "fscreate"))
5244                sid = __tsec->create_sid;
5245        else if (!strcmp(name, "keycreate"))
5246                sid = __tsec->keycreate_sid;
5247        else if (!strcmp(name, "sockcreate"))
5248                sid = __tsec->sockcreate_sid;
5249        else
5250                goto invalid;
5251        rcu_read_unlock();
5252
5253        if (!sid)
5254                return 0;
5255
5256        error = security_sid_to_context(sid, value, &len);
5257        if (error)
5258                return error;
5259        return len;
5260
5261invalid:
5262        rcu_read_unlock();
5263        return -EINVAL;
5264}
5265
5266static int selinux_setprocattr(struct task_struct *p,
5267                               char *name, void *value, size_t size)
5268{
5269        struct task_security_struct *tsec;
5270        struct task_struct *tracer;
5271        struct cred *new;
5272        u32 sid = 0, ptsid;
5273        int error;
5274        char *str = value;
5275
5276        if (current != p) {
5277                /* SELinux only allows a process to change its own
5278                   security attributes. */
5279                return -EACCES;
5280        }
5281
5282        /*
5283         * Basic control over ability to set these attributes at all.
5284         * current == p, but we'll pass them separately in case the
5285         * above restriction is ever removed.
5286         */
5287        if (!strcmp(name, "exec"))
5288                error = current_has_perm(p, PROCESS__SETEXEC);
5289        else if (!strcmp(name, "fscreate"))
5290                error = current_has_perm(p, PROCESS__SETFSCREATE);
5291        else if (!strcmp(name, "keycreate"))
5292                error = current_has_perm(p, PROCESS__SETKEYCREATE);
5293        else if (!strcmp(name, "sockcreate"))
5294                error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5295        else if (!strcmp(name, "current"))
5296                error = current_has_perm(p, PROCESS__SETCURRENT);
5297        else
5298                error = -EINVAL;
5299        if (error)
5300                return error;
5301
5302        /* Obtain a SID for the context, if one was specified. */
5303        if (size && str[1] && str[1] != '\n') {
5304                if (str[size-1] == '\n') {
5305                        str[size-1] = 0;
5306                        size--;
5307                }
5308                error = security_context_to_sid(value, size, &sid);
5309                if (error == -EINVAL && !strcmp(name, "fscreate")) {
5310                        if (!capable(CAP_MAC_ADMIN)) {
5311                                struct audit_buffer *ab;
5312                                size_t audit_size;
5313
5314                                /* We strip a nul only if it is at the end, otherwise the
5315                                 * context contains a nul and we should audit that */