linux/security/selinux/hooks.c
<<
>>
Prefs
   1/*
   2 *  NSA Security-Enhanced Linux (SELinux) security module
   3 *
   4 *  This file contains the SELinux hook function implementations.
   5 *
   6 *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
   7 *            Chris Vance, <cvance@nai.com>
   8 *            Wayne Salamon, <wsalamon@nai.com>
   9 *            James Morris <jmorris@redhat.com>
  10 *
  11 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  12 *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
  13 *                                         Eric Paris <eparis@redhat.com>
  14 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  15 *                          <dgoeddel@trustedcs.com>
  16 *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
  17 *      Paul Moore <paul@paul-moore.com>
  18 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  19 *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
  20 *
  21 *      This program is free software; you can redistribute it and/or modify
  22 *      it under the terms of the GNU General Public License version 2,
  23 *      as published by the Free Software Foundation.
  24 */
  25
  26#include <linux/init.h>
  27#include <linux/kd.h>
  28#include <linux/kernel.h>
  29#include <linux/tracehook.h>
  30#include <linux/errno.h>
  31#include <linux/sched.h>
  32#include <linux/security.h>
  33#include <linux/xattr.h>
  34#include <linux/capability.h>
  35#include <linux/unistd.h>
  36#include <linux/mm.h>
  37#include <linux/mman.h>
  38#include <linux/slab.h>
  39#include <linux/pagemap.h>
  40#include <linux/proc_fs.h>
  41#include <linux/swap.h>
  42#include <linux/spinlock.h>
  43#include <linux/syscalls.h>
  44#include <linux/dcache.h>
  45#include <linux/file.h>
  46#include <linux/fdtable.h>
  47#include <linux/namei.h>
  48#include <linux/mount.h>
  49#include <linux/netfilter_ipv4.h>
  50#include <linux/netfilter_ipv6.h>
  51#include <linux/tty.h>
  52#include <net/icmp.h>
  53#include <net/ip.h>             /* for local_port_range[] */
  54#include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
  55#include <net/net_namespace.h>
  56#include <net/netlabel.h>
  57#include <linux/uaccess.h>
  58#include <asm/ioctls.h>
  59#include <linux/atomic.h>
  60#include <linux/bitops.h>
  61#include <linux/interrupt.h>
  62#include <linux/netdevice.h>    /* for network interface checks */
  63#include <linux/netlink.h>
  64#include <linux/tcp.h>
  65#include <linux/udp.h>
  66#include <linux/dccp.h>
  67#include <linux/quota.h>
  68#include <linux/un.h>           /* for Unix socket types */
  69#include <net/af_unix.h>        /* for Unix socket types */
  70#include <linux/parser.h>
  71#include <linux/nfs_mount.h>
  72#include <net/ipv6.h>
  73#include <linux/hugetlb.h>
  74#include <linux/personality.h>
  75#include <linux/audit.h>
  76#include <linux/string.h>
  77#include <linux/selinux.h>
  78#include <linux/mutex.h>
  79#include <linux/posix-timers.h>
  80#include <linux/syslog.h>
  81#include <linux/user_namespace.h>
  82#include <linux/export.h>
  83#include <linux/msg.h>
  84#include <linux/shm.h>
  85
  86#include "avc.h"
  87#include "objsec.h"
  88#include "netif.h"
  89#include "netnode.h"
  90#include "netport.h"
  91#include "xfrm.h"
  92#include "netlabel.h"
  93#include "audit.h"
  94#include "avc_ss.h"
  95
  96#define NUM_SEL_MNT_OPTS 5
  97
  98extern struct security_operations *security_ops;
  99
 100/* SECMARK reference count */
 101static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 102
 103#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 104int selinux_enforcing;
 105
 106static int __init enforcing_setup(char *str)
 107{
 108        unsigned long enforcing;
 109        if (!strict_strtoul(str, 0, &enforcing))
 110                selinux_enforcing = enforcing ? 1 : 0;
 111        return 1;
 112}
 113__setup("enforcing=", enforcing_setup);
 114#endif
 115
 116#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 117int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 118
 119static int __init selinux_enabled_setup(char *str)
 120{
 121        unsigned long enabled;
 122        if (!strict_strtoul(str, 0, &enabled))
 123                selinux_enabled = enabled ? 1 : 0;
 124        return 1;
 125}
 126__setup("selinux=", selinux_enabled_setup);
 127#else
 128int selinux_enabled = 1;
 129#endif
 130
 131static struct kmem_cache *sel_inode_cache;
 132
 133/**
 134 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
 135 *
 136 * Description:
 137 * This function checks the SECMARK reference counter to see if any SECMARK
 138 * targets are currently configured, if the reference counter is greater than
 139 * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
 140 * enabled, false (0) if SECMARK is disabled.
 141 *
 142 */
 143static int selinux_secmark_enabled(void)
 144{
 145        return (atomic_read(&selinux_secmark_refcount) > 0);
 146}
 147
 148/*
 149 * initialise the security for the init task
 150 */
 151static void cred_init_security(void)
 152{
 153        struct cred *cred = (struct cred *) current->real_cred;
 154        struct task_security_struct *tsec;
 155
 156        tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
 157        if (!tsec)
 158                panic("SELinux:  Failed to initialize initial task.\n");
 159
 160        tsec->osid = tsec->sid = SECINITSID_KERNEL;
 161        cred->security = tsec;
 162}
 163
 164/*
 165 * get the security ID of a set of credentials
 166 */
 167static inline u32 cred_sid(const struct cred *cred)
 168{
 169        const struct task_security_struct *tsec;
 170
 171        tsec = cred->security;
 172        return tsec->sid;
 173}
 174
 175/*
 176 * get the objective security ID of a task
 177 */
 178static inline u32 task_sid(const struct task_struct *task)
 179{
 180        u32 sid;
 181
 182        rcu_read_lock();
 183        sid = cred_sid(__task_cred(task));
 184        rcu_read_unlock();
 185        return sid;
 186}
 187
 188/*
 189 * get the subjective security ID of the current task
 190 */
 191static inline u32 current_sid(void)
 192{
 193        const struct task_security_struct *tsec = current_security();
 194
 195        return tsec->sid;
 196}
 197
 198/* Allocate and free functions for each kind of security blob. */
 199
 200static int inode_alloc_security(struct inode *inode)
 201{
 202        struct inode_security_struct *isec;
 203        u32 sid = current_sid();
 204
 205        isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
 206        if (!isec)
 207                return -ENOMEM;
 208
 209        mutex_init(&isec->lock);
 210        INIT_LIST_HEAD(&isec->list);
 211        isec->inode = inode;
 212        isec->sid = SECINITSID_UNLABELED;
 213        isec->sclass = SECCLASS_FILE;
 214        isec->task_sid = sid;
 215        inode->i_security = isec;
 216
 217        return 0;
 218}
 219
 220static void inode_free_security(struct inode *inode)
 221{
 222        struct inode_security_struct *isec = inode->i_security;
 223        struct superblock_security_struct *sbsec = inode->i_sb->s_security;
 224
 225        spin_lock(&sbsec->isec_lock);
 226        if (!list_empty(&isec->list))
 227                list_del_init(&isec->list);
 228        spin_unlock(&sbsec->isec_lock);
 229
 230        inode->i_security = NULL;
 231        kmem_cache_free(sel_inode_cache, isec);
 232}
 233
 234static int file_alloc_security(struct file *file)
 235{
 236        struct file_security_struct *fsec;
 237        u32 sid = current_sid();
 238
 239        fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
 240        if (!fsec)
 241                return -ENOMEM;
 242
 243        fsec->sid = sid;
 244        fsec->fown_sid = sid;
 245        file->f_security = fsec;
 246
 247        return 0;
 248}
 249
 250static void file_free_security(struct file *file)
 251{
 252        struct file_security_struct *fsec = file->f_security;
 253        file->f_security = NULL;
 254        kfree(fsec);
 255}
 256
 257static int superblock_alloc_security(struct super_block *sb)
 258{
 259        struct superblock_security_struct *sbsec;
 260
 261        sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
 262        if (!sbsec)
 263                return -ENOMEM;
 264
 265        mutex_init(&sbsec->lock);
 266        INIT_LIST_HEAD(&sbsec->isec_head);
 267        spin_lock_init(&sbsec->isec_lock);
 268        sbsec->sb = sb;
 269        sbsec->sid = SECINITSID_UNLABELED;
 270        sbsec->def_sid = SECINITSID_FILE;
 271        sbsec->mntpoint_sid = SECINITSID_UNLABELED;
 272        sb->s_security = sbsec;
 273
 274        return 0;
 275}
 276
 277static void superblock_free_security(struct super_block *sb)
 278{
 279        struct superblock_security_struct *sbsec = sb->s_security;
 280        sb->s_security = NULL;
 281        kfree(sbsec);
 282}
 283
 284/* The file system's label must be initialized prior to use. */
 285
 286static const char *labeling_behaviors[6] = {
 287        "uses xattr",
 288        "uses transition SIDs",
 289        "uses task SIDs",
 290        "uses genfs_contexts",
 291        "not configured for labeling",
 292        "uses mountpoint labeling",
 293};
 294
 295static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 296
 297static inline int inode_doinit(struct inode *inode)
 298{
 299        return inode_doinit_with_dentry(inode, NULL);
 300}
 301
 302enum {
 303        Opt_error = -1,
 304        Opt_context = 1,
 305        Opt_fscontext = 2,
 306        Opt_defcontext = 3,
 307        Opt_rootcontext = 4,
 308        Opt_labelsupport = 5,
 309};
 310
 311static const match_table_t tokens = {
 312        {Opt_context, CONTEXT_STR "%s"},
 313        {Opt_fscontext, FSCONTEXT_STR "%s"},
 314        {Opt_defcontext, DEFCONTEXT_STR "%s"},
 315        {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
 316        {Opt_labelsupport, LABELSUPP_STR},
 317        {Opt_error, NULL},
 318};
 319
 320#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
 321
 322static int may_context_mount_sb_relabel(u32 sid,
 323                        struct superblock_security_struct *sbsec,
 324                        const struct cred *cred)
 325{
 326        const struct task_security_struct *tsec = cred->security;
 327        int rc;
 328
 329        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 330                          FILESYSTEM__RELABELFROM, NULL);
 331        if (rc)
 332                return rc;
 333
 334        rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
 335                          FILESYSTEM__RELABELTO, NULL);
 336        return rc;
 337}
 338
 339static int may_context_mount_inode_relabel(u32 sid,
 340                        struct superblock_security_struct *sbsec,
 341                        const struct cred *cred)
 342{
 343        const struct task_security_struct *tsec = cred->security;
 344        int rc;
 345        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 346                          FILESYSTEM__RELABELFROM, NULL);
 347        if (rc)
 348                return rc;
 349
 350        rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
 351                          FILESYSTEM__ASSOCIATE, NULL);
 352        return rc;
 353}
 354
 355static int sb_finish_set_opts(struct super_block *sb)
 356{
 357        struct superblock_security_struct *sbsec = sb->s_security;
 358        struct dentry *root = sb->s_root;
 359        struct inode *root_inode = root->d_inode;
 360        int rc = 0;
 361
 362        if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 363                /* Make sure that the xattr handler exists and that no
 364                   error other than -ENODATA is returned by getxattr on
 365                   the root directory.  -ENODATA is ok, as this may be
 366                   the first boot of the SELinux kernel before we have
 367                   assigned xattr values to the filesystem. */
 368                if (!root_inode->i_op->getxattr) {
 369                        printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
 370                               "xattr support\n", sb->s_id, sb->s_type->name);
 371                        rc = -EOPNOTSUPP;
 372                        goto out;
 373                }
 374                rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
 375                if (rc < 0 && rc != -ENODATA) {
 376                        if (rc == -EOPNOTSUPP)
 377                                printk(KERN_WARNING "SELinux: (dev %s, type "
 378                                       "%s) has no security xattr handler\n",
 379                                       sb->s_id, sb->s_type->name);
 380                        else
 381                                printk(KERN_WARNING "SELinux: (dev %s, type "
 382                                       "%s) getxattr errno %d\n", sb->s_id,
 383                                       sb->s_type->name, -rc);
 384                        goto out;
 385                }
 386        }
 387
 388        sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
 389
 390        if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
 391                printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
 392                       sb->s_id, sb->s_type->name);
 393        else
 394                printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
 395                       sb->s_id, sb->s_type->name,
 396                       labeling_behaviors[sbsec->behavior-1]);
 397
 398        if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
 399            sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
 400            sbsec->behavior == SECURITY_FS_USE_NONE ||
 401            sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
 402                sbsec->flags &= ~SE_SBLABELSUPP;
 403
 404        /* Special handling for sysfs. Is genfs but also has setxattr handler*/
 405        if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
 406                sbsec->flags |= SE_SBLABELSUPP;
 407
 408        /* Initialize the root inode. */
 409        rc = inode_doinit_with_dentry(root_inode, root);
 410
 411        /* Initialize any other inodes associated with the superblock, e.g.
 412           inodes created prior to initial policy load or inodes created
 413           during get_sb by a pseudo filesystem that directly
 414           populates itself. */
 415        spin_lock(&sbsec->isec_lock);
 416next_inode:
 417        if (!list_empty(&sbsec->isec_head)) {
 418                struct inode_security_struct *isec =
 419                                list_entry(sbsec->isec_head.next,
 420                                           struct inode_security_struct, list);
 421                struct inode *inode = isec->inode;
 422                spin_unlock(&sbsec->isec_lock);
 423                inode = igrab(inode);
 424                if (inode) {
 425                        if (!IS_PRIVATE(inode))
 426                                inode_doinit(inode);
 427                        iput(inode);
 428                }
 429                spin_lock(&sbsec->isec_lock);
 430                list_del_init(&isec->list);
 431                goto next_inode;
 432        }
 433        spin_unlock(&sbsec->isec_lock);
 434out:
 435        return rc;
 436}
 437
 438/*
 439 * This function should allow an FS to ask what it's mount security
 440 * options were so it can use those later for submounts, displaying
 441 * mount options, or whatever.
 442 */
 443static int selinux_get_mnt_opts(const struct super_block *sb,
 444                                struct security_mnt_opts *opts)
 445{
 446        int rc = 0, i;
 447        struct superblock_security_struct *sbsec = sb->s_security;
 448        char *context = NULL;
 449        u32 len;
 450        char tmp;
 451
 452        security_init_mnt_opts(opts);
 453
 454        if (!(sbsec->flags & SE_SBINITIALIZED))
 455                return -EINVAL;
 456
 457        if (!ss_initialized)
 458                return -EINVAL;
 459
 460        tmp = sbsec->flags & SE_MNTMASK;
 461        /* count the number of mount options for this sb */
 462        for (i = 0; i < 8; i++) {
 463                if (tmp & 0x01)
 464                        opts->num_mnt_opts++;
 465                tmp >>= 1;
 466        }
 467        /* Check if the Label support flag is set */
 468        if (sbsec->flags & SE_SBLABELSUPP)
 469                opts->num_mnt_opts++;
 470
 471        opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
 472        if (!opts->mnt_opts) {
 473                rc = -ENOMEM;
 474                goto out_free;
 475        }
 476
 477        opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
 478        if (!opts->mnt_opts_flags) {
 479                rc = -ENOMEM;
 480                goto out_free;
 481        }
 482
 483        i = 0;
 484        if (sbsec->flags & FSCONTEXT_MNT) {
 485                rc = security_sid_to_context(sbsec->sid, &context, &len);
 486                if (rc)
 487                        goto out_free;
 488                opts->mnt_opts[i] = context;
 489                opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
 490        }
 491        if (sbsec->flags & CONTEXT_MNT) {
 492                rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
 493                if (rc)
 494                        goto out_free;
 495                opts->mnt_opts[i] = context;
 496                opts->mnt_opts_flags[i++] = CONTEXT_MNT;
 497        }
 498        if (sbsec->flags & DEFCONTEXT_MNT) {
 499                rc = security_sid_to_context(sbsec->def_sid, &context, &len);
 500                if (rc)
 501                        goto out_free;
 502                opts->mnt_opts[i] = context;
 503                opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
 504        }
 505        if (sbsec->flags & ROOTCONTEXT_MNT) {
 506                struct inode *root = sbsec->sb->s_root->d_inode;
 507                struct inode_security_struct *isec = root->i_security;
 508
 509                rc = security_sid_to_context(isec->sid, &context, &len);
 510                if (rc)
 511                        goto out_free;
 512                opts->mnt_opts[i] = context;
 513                opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
 514        }
 515        if (sbsec->flags & SE_SBLABELSUPP) {
 516                opts->mnt_opts[i] = NULL;
 517                opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
 518        }
 519
 520        BUG_ON(i != opts->num_mnt_opts);
 521
 522        return 0;
 523
 524out_free:
 525        security_free_mnt_opts(opts);
 526        return rc;
 527}
 528
 529static int bad_option(struct superblock_security_struct *sbsec, char flag,
 530                      u32 old_sid, u32 new_sid)
 531{
 532        char mnt_flags = sbsec->flags & SE_MNTMASK;
 533
 534        /* check if the old mount command had the same options */
 535        if (sbsec->flags & SE_SBINITIALIZED)
 536                if (!(sbsec->flags & flag) ||
 537                    (old_sid != new_sid))
 538                        return 1;
 539
 540        /* check if we were passed the same options twice,
 541         * aka someone passed context=a,context=b
 542         */
 543        if (!(sbsec->flags & SE_SBINITIALIZED))
 544                if (mnt_flags & flag)
 545                        return 1;
 546        return 0;
 547}
 548
 549/*
 550 * Allow filesystems with binary mount data to explicitly set mount point
 551 * labeling information.
 552 */
 553static int selinux_set_mnt_opts(struct super_block *sb,
 554                                struct security_mnt_opts *opts)
 555{
 556        const struct cred *cred = current_cred();
 557        int rc = 0, i;
 558        struct superblock_security_struct *sbsec = sb->s_security;
 559        const char *name = sb->s_type->name;
 560        struct inode *inode = sbsec->sb->s_root->d_inode;
 561        struct inode_security_struct *root_isec = inode->i_security;
 562        u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 563        u32 defcontext_sid = 0;
 564        char **mount_options = opts->mnt_opts;
 565        int *flags = opts->mnt_opts_flags;
 566        int num_opts = opts->num_mnt_opts;
 567
 568        mutex_lock(&sbsec->lock);
 569
 570        if (!ss_initialized) {
 571                if (!num_opts) {
 572                        /* Defer initialization until selinux_complete_init,
 573                           after the initial policy is loaded and the security
 574                           server is ready to handle calls. */
 575                        goto out;
 576                }
 577                rc = -EINVAL;
 578                printk(KERN_WARNING "SELinux: Unable to set superblock options "
 579                        "before the security server is initialized\n");
 580                goto out;
 581        }
 582
 583        /*
 584         * Binary mount data FS will come through this function twice.  Once
 585         * from an explicit call and once from the generic calls from the vfs.
 586         * Since the generic VFS calls will not contain any security mount data
 587         * we need to skip the double mount verification.
 588         *
 589         * This does open a hole in which we will not notice if the first
 590         * mount using this sb set explict options and a second mount using
 591         * this sb does not set any security options.  (The first options
 592         * will be used for both mounts)
 593         */
 594        if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
 595            && (num_opts == 0))
 596                goto out;
 597
 598        /*
 599         * parse the mount options, check if they are valid sids.
 600         * also check if someone is trying to mount the same sb more
 601         * than once with different security options.
 602         */
 603        for (i = 0; i < num_opts; i++) {
 604                u32 sid;
 605
 606                if (flags[i] == SE_SBLABELSUPP)
 607                        continue;
 608                rc = security_context_to_sid(mount_options[i],
 609                                             strlen(mount_options[i]), &sid);
 610                if (rc) {
 611                        printk(KERN_WARNING "SELinux: security_context_to_sid"
 612                               "(%s) failed for (dev %s, type %s) errno=%d\n",
 613                               mount_options[i], sb->s_id, name, rc);
 614                        goto out;
 615                }
 616                switch (flags[i]) {
 617                case FSCONTEXT_MNT:
 618                        fscontext_sid = sid;
 619
 620                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
 621                                        fscontext_sid))
 622                                goto out_double_mount;
 623
 624                        sbsec->flags |= FSCONTEXT_MNT;
 625                        break;
 626                case CONTEXT_MNT:
 627                        context_sid = sid;
 628
 629                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
 630                                        context_sid))
 631                                goto out_double_mount;
 632
 633                        sbsec->flags |= CONTEXT_MNT;
 634                        break;
 635                case ROOTCONTEXT_MNT:
 636                        rootcontext_sid = sid;
 637
 638                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
 639                                        rootcontext_sid))
 640                                goto out_double_mount;
 641
 642                        sbsec->flags |= ROOTCONTEXT_MNT;
 643
 644                        break;
 645                case DEFCONTEXT_MNT:
 646                        defcontext_sid = sid;
 647
 648                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
 649                                        defcontext_sid))
 650                                goto out_double_mount;
 651
 652                        sbsec->flags |= DEFCONTEXT_MNT;
 653
 654                        break;
 655                default:
 656                        rc = -EINVAL;
 657                        goto out;
 658                }
 659        }
 660
 661        if (sbsec->flags & SE_SBINITIALIZED) {
 662                /* previously mounted with options, but not on this attempt? */
 663                if ((sbsec->flags & SE_MNTMASK) && !num_opts)
 664                        goto out_double_mount;
 665                rc = 0;
 666                goto out;
 667        }
 668
 669        if (strcmp(sb->s_type->name, "proc") == 0)
 670                sbsec->flags |= SE_SBPROC;
 671
 672        /* Determine the labeling behavior to use for this filesystem type. */
 673        rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
 674        if (rc) {
 675                printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
 676                       __func__, sb->s_type->name, rc);
 677                goto out;
 678        }
 679
 680        /* sets the context of the superblock for the fs being mounted. */
 681        if (fscontext_sid) {
 682                rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
 683                if (rc)
 684                        goto out;
 685
 686                sbsec->sid = fscontext_sid;
 687        }
 688
 689        /*
 690         * Switch to using mount point labeling behavior.
 691         * sets the label used on all file below the mountpoint, and will set
 692         * the superblock context if not already set.
 693         */
 694        if (context_sid) {
 695                if (!fscontext_sid) {
 696                        rc = may_context_mount_sb_relabel(context_sid, sbsec,
 697                                                          cred);
 698                        if (rc)
 699                                goto out;
 700                        sbsec->sid = context_sid;
 701                } else {
 702                        rc = may_context_mount_inode_relabel(context_sid, sbsec,
 703                                                             cred);
 704                        if (rc)
 705                                goto out;
 706                }
 707                if (!rootcontext_sid)
 708                        rootcontext_sid = context_sid;
 709
 710                sbsec->mntpoint_sid = context_sid;
 711                sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 712        }
 713
 714        if (rootcontext_sid) {
 715                rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
 716                                                     cred);
 717                if (rc)
 718                        goto out;
 719
 720                root_isec->sid = rootcontext_sid;
 721                root_isec->initialized = 1;
 722        }
 723
 724        if (defcontext_sid) {
 725                if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
 726                        rc = -EINVAL;
 727                        printk(KERN_WARNING "SELinux: defcontext option is "
 728                               "invalid for this filesystem type\n");
 729                        goto out;
 730                }
 731
 732                if (defcontext_sid != sbsec->def_sid) {
 733                        rc = may_context_mount_inode_relabel(defcontext_sid,
 734                                                             sbsec, cred);
 735                        if (rc)
 736                                goto out;
 737                }
 738
 739                sbsec->def_sid = defcontext_sid;
 740        }
 741
 742        rc = sb_finish_set_opts(sb);
 743out:
 744        mutex_unlock(&sbsec->lock);
 745        return rc;
 746out_double_mount:
 747        rc = -EINVAL;
 748        printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
 749               "security settings for (dev %s, type %s)\n", sb->s_id, name);
 750        goto out;
 751}
 752
 753static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
 754                                        struct super_block *newsb)
 755{
 756        const struct superblock_security_struct *oldsbsec = oldsb->s_security;
 757        struct superblock_security_struct *newsbsec = newsb->s_security;
 758
 759        int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
 760        int set_context =       (oldsbsec->flags & CONTEXT_MNT);
 761        int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
 762
 763        /*
 764         * if the parent was able to be mounted it clearly had no special lsm
 765         * mount options.  thus we can safely deal with this superblock later
 766         */
 767        if (!ss_initialized)
 768                return;
 769
 770        /* how can we clone if the old one wasn't set up?? */
 771        BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
 772
 773        /* if fs is reusing a sb, just let its options stand... */
 774        if (newsbsec->flags & SE_SBINITIALIZED)
 775                return;
 776
 777        mutex_lock(&newsbsec->lock);
 778
 779        newsbsec->flags = oldsbsec->flags;
 780
 781        newsbsec->sid = oldsbsec->sid;
 782        newsbsec->def_sid = oldsbsec->def_sid;
 783        newsbsec->behavior = oldsbsec->behavior;
 784
 785        if (set_context) {
 786                u32 sid = oldsbsec->mntpoint_sid;
 787
 788                if (!set_fscontext)
 789                        newsbsec->sid = sid;
 790                if (!set_rootcontext) {
 791                        struct inode *newinode = newsb->s_root->d_inode;
 792                        struct inode_security_struct *newisec = newinode->i_security;
 793                        newisec->sid = sid;
 794                }
 795                newsbsec->mntpoint_sid = sid;
 796        }
 797        if (set_rootcontext) {
 798                const struct inode *oldinode = oldsb->s_root->d_inode;
 799                const struct inode_security_struct *oldisec = oldinode->i_security;
 800                struct inode *newinode = newsb->s_root->d_inode;
 801                struct inode_security_struct *newisec = newinode->i_security;
 802
 803                newisec->sid = oldisec->sid;
 804        }
 805
 806        sb_finish_set_opts(newsb);
 807        mutex_unlock(&newsbsec->lock);
 808}
 809
 810static int selinux_parse_opts_str(char *options,
 811                                  struct security_mnt_opts *opts)
 812{
 813        char *p;
 814        char *context = NULL, *defcontext = NULL;
 815        char *fscontext = NULL, *rootcontext = NULL;
 816        int rc, num_mnt_opts = 0;
 817
 818        opts->num_mnt_opts = 0;
 819
 820        /* Standard string-based options. */
 821        while ((p = strsep(&options, "|")) != NULL) {
 822                int token;
 823                substring_t args[MAX_OPT_ARGS];
 824
 825                if (!*p)
 826                        continue;
 827
 828                token = match_token(p, tokens, args);
 829
 830                switch (token) {
 831                case Opt_context:
 832                        if (context || defcontext) {
 833                                rc = -EINVAL;
 834                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 835                                goto out_err;
 836                        }
 837                        context = match_strdup(&args[0]);
 838                        if (!context) {
 839                                rc = -ENOMEM;
 840                                goto out_err;
 841                        }
 842                        break;
 843
 844                case Opt_fscontext:
 845                        if (fscontext) {
 846                                rc = -EINVAL;
 847                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 848                                goto out_err;
 849                        }
 850                        fscontext = match_strdup(&args[0]);
 851                        if (!fscontext) {
 852                                rc = -ENOMEM;
 853                                goto out_err;
 854                        }
 855                        break;
 856
 857                case Opt_rootcontext:
 858                        if (rootcontext) {
 859                                rc = -EINVAL;
 860                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 861                                goto out_err;
 862                        }
 863                        rootcontext = match_strdup(&args[0]);
 864                        if (!rootcontext) {
 865                                rc = -ENOMEM;
 866                                goto out_err;
 867                        }
 868                        break;
 869
 870                case Opt_defcontext:
 871                        if (context || defcontext) {
 872                                rc = -EINVAL;
 873                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 874                                goto out_err;
 875                        }
 876                        defcontext = match_strdup(&args[0]);
 877                        if (!defcontext) {
 878                                rc = -ENOMEM;
 879                                goto out_err;
 880                        }
 881                        break;
 882                case Opt_labelsupport:
 883                        break;
 884                default:
 885                        rc = -EINVAL;
 886                        printk(KERN_WARNING "SELinux:  unknown mount option\n");
 887                        goto out_err;
 888
 889                }
 890        }
 891
 892        rc = -ENOMEM;
 893        opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
 894        if (!opts->mnt_opts)
 895                goto out_err;
 896
 897        opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
 898        if (!opts->mnt_opts_flags) {
 899                kfree(opts->mnt_opts);
 900                goto out_err;
 901        }
 902
 903        if (fscontext) {
 904                opts->mnt_opts[num_mnt_opts] = fscontext;
 905                opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
 906        }
 907        if (context) {
 908                opts->mnt_opts[num_mnt_opts] = context;
 909                opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
 910        }
 911        if (rootcontext) {
 912                opts->mnt_opts[num_mnt_opts] = rootcontext;
 913                opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
 914        }
 915        if (defcontext) {
 916                opts->mnt_opts[num_mnt_opts] = defcontext;
 917                opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
 918        }
 919
 920        opts->num_mnt_opts = num_mnt_opts;
 921        return 0;
 922
 923out_err:
 924        kfree(context);
 925        kfree(defcontext);
 926        kfree(fscontext);
 927        kfree(rootcontext);
 928        return rc;
 929}
 930/*
 931 * string mount options parsing and call set the sbsec
 932 */
 933static int superblock_doinit(struct super_block *sb, void *data)
 934{
 935        int rc = 0;
 936        char *options = data;
 937        struct security_mnt_opts opts;
 938
 939        security_init_mnt_opts(&opts);
 940
 941        if (!data)
 942                goto out;
 943
 944        BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
 945
 946        rc = selinux_parse_opts_str(options, &opts);
 947        if (rc)
 948                goto out_err;
 949
 950out:
 951        rc = selinux_set_mnt_opts(sb, &opts);
 952
 953out_err:
 954        security_free_mnt_opts(&opts);
 955        return rc;
 956}
 957
 958static void selinux_write_opts(struct seq_file *m,
 959                               struct security_mnt_opts *opts)
 960{
 961        int i;
 962        char *prefix;
 963
 964        for (i = 0; i < opts->num_mnt_opts; i++) {
 965                char *has_comma;
 966
 967                if (opts->mnt_opts[i])
 968                        has_comma = strchr(opts->mnt_opts[i], ',');
 969                else
 970                        has_comma = NULL;
 971
 972                switch (opts->mnt_opts_flags[i]) {
 973                case CONTEXT_MNT:
 974                        prefix = CONTEXT_STR;
 975                        break;
 976                case FSCONTEXT_MNT:
 977                        prefix = FSCONTEXT_STR;
 978                        break;
 979                case ROOTCONTEXT_MNT:
 980                        prefix = ROOTCONTEXT_STR;
 981                        break;
 982                case DEFCONTEXT_MNT:
 983                        prefix = DEFCONTEXT_STR;
 984                        break;
 985                case SE_SBLABELSUPP:
 986                        seq_putc(m, ',');
 987                        seq_puts(m, LABELSUPP_STR);
 988                        continue;
 989                default:
 990                        BUG();
 991                        return;
 992                };
 993                /* we need a comma before each option */
 994                seq_putc(m, ',');
 995                seq_puts(m, prefix);
 996                if (has_comma)
 997                        seq_putc(m, '\"');
 998                seq_puts(m, opts->mnt_opts[i]);
 999                if (has_comma)
1000                        seq_putc(m, '\"');
1001        }
1002}
1003
1004static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1005{
1006        struct security_mnt_opts opts;
1007        int rc;
1008
1009        rc = selinux_get_mnt_opts(sb, &opts);
1010        if (rc) {
1011                /* before policy load we may get EINVAL, don't show anything */
1012                if (rc == -EINVAL)
1013                        rc = 0;
1014                return rc;
1015        }
1016
1017        selinux_write_opts(m, &opts);
1018
1019        security_free_mnt_opts(&opts);
1020
1021        return rc;
1022}
1023
1024static inline u16 inode_mode_to_security_class(umode_t mode)
1025{
1026        switch (mode & S_IFMT) {
1027        case S_IFSOCK:
1028                return SECCLASS_SOCK_FILE;
1029        case S_IFLNK:
1030                return SECCLASS_LNK_FILE;
1031        case S_IFREG:
1032                return SECCLASS_FILE;
1033        case S_IFBLK:
1034                return SECCLASS_BLK_FILE;
1035        case S_IFDIR:
1036                return SECCLASS_DIR;
1037        case S_IFCHR:
1038                return SECCLASS_CHR_FILE;
1039        case S_IFIFO:
1040                return SECCLASS_FIFO_FILE;
1041
1042        }
1043
1044        return SECCLASS_FILE;
1045}
1046
1047static inline int default_protocol_stream(int protocol)
1048{
1049        return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050}
1051
1052static inline int default_protocol_dgram(int protocol)
1053{
1054        return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055}
1056
1057static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1058{
1059        switch (family) {
1060        case PF_UNIX:
1061                switch (type) {
1062                case SOCK_STREAM:
1063                case SOCK_SEQPACKET:
1064                        return SECCLASS_UNIX_STREAM_SOCKET;
1065                case SOCK_DGRAM:
1066                        return SECCLASS_UNIX_DGRAM_SOCKET;
1067                }
1068                break;
1069        case PF_INET:
1070        case PF_INET6:
1071                switch (type) {
1072                case SOCK_STREAM:
1073                        if (default_protocol_stream(protocol))
1074                                return SECCLASS_TCP_SOCKET;
1075                        else
1076                                return SECCLASS_RAWIP_SOCKET;
1077                case SOCK_DGRAM:
1078                        if (default_protocol_dgram(protocol))
1079                                return SECCLASS_UDP_SOCKET;
1080                        else
1081                                return SECCLASS_RAWIP_SOCKET;
1082                case SOCK_DCCP:
1083                        return SECCLASS_DCCP_SOCKET;
1084                default:
1085                        return SECCLASS_RAWIP_SOCKET;
1086                }
1087                break;
1088        case PF_NETLINK:
1089                switch (protocol) {
1090                case NETLINK_ROUTE:
1091                        return SECCLASS_NETLINK_ROUTE_SOCKET;
1092                case NETLINK_FIREWALL:
1093                        return SECCLASS_NETLINK_FIREWALL_SOCKET;
1094                case NETLINK_SOCK_DIAG:
1095                        return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1096                case NETLINK_NFLOG:
1097                        return SECCLASS_NETLINK_NFLOG_SOCKET;
1098                case NETLINK_XFRM:
1099                        return SECCLASS_NETLINK_XFRM_SOCKET;
1100                case NETLINK_SELINUX:
1101                        return SECCLASS_NETLINK_SELINUX_SOCKET;
1102                case NETLINK_AUDIT:
1103                        return SECCLASS_NETLINK_AUDIT_SOCKET;
1104                case NETLINK_IP6_FW:
1105                        return SECCLASS_NETLINK_IP6FW_SOCKET;
1106                case NETLINK_DNRTMSG:
1107                        return SECCLASS_NETLINK_DNRT_SOCKET;
1108                case NETLINK_KOBJECT_UEVENT:
1109                        return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1110                default:
1111                        return SECCLASS_NETLINK_SOCKET;
1112                }
1113        case PF_PACKET:
1114                return SECCLASS_PACKET_SOCKET;
1115        case PF_KEY:
1116                return SECCLASS_KEY_SOCKET;
1117        case PF_APPLETALK:
1118                return SECCLASS_APPLETALK_SOCKET;
1119        }
1120
1121        return SECCLASS_SOCKET;
1122}
1123
1124#ifdef CONFIG_PROC_FS
1125static int selinux_proc_get_sid(struct dentry *dentry,
1126                                u16 tclass,
1127                                u32 *sid)
1128{
1129        int rc;
1130        char *buffer, *path;
1131
1132        buffer = (char *)__get_free_page(GFP_KERNEL);
1133        if (!buffer)
1134                return -ENOMEM;
1135
1136        path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1137        if (IS_ERR(path))
1138                rc = PTR_ERR(path);
1139        else {
1140                /* each process gets a /proc/PID/ entry. Strip off the
1141                 * PID part to get a valid selinux labeling.
1142                 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143                while (path[1] >= '0' && path[1] <= '9') {
1144                        path[1] = '/';
1145                        path++;
1146                }
1147                rc = security_genfs_sid("proc", path, tclass, sid);
1148        }
1149        free_page((unsigned long)buffer);
1150        return rc;
1151}
1152#else
1153static int selinux_proc_get_sid(struct dentry *dentry,
1154                                u16 tclass,
1155                                u32 *sid)
1156{
1157        return -EINVAL;
1158}
1159#endif
1160
1161/* The inode's security attributes must be initialized before first use. */
1162static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1163{
1164        struct superblock_security_struct *sbsec = NULL;
1165        struct inode_security_struct *isec = inode->i_security;
1166        u32 sid;
1167        struct dentry *dentry;
1168#define INITCONTEXTLEN 255
1169        char *context = NULL;
1170        unsigned len = 0;
1171        int rc = 0;
1172
1173        if (isec->initialized)
1174                goto out;
1175
1176        mutex_lock(&isec->lock);
1177        if (isec->initialized)
1178                goto out_unlock;
1179
1180        sbsec = inode->i_sb->s_security;
1181        if (!(sbsec->flags & SE_SBINITIALIZED)) {
1182                /* Defer initialization until selinux_complete_init,
1183                   after the initial policy is loaded and the security
1184                   server is ready to handle calls. */
1185                spin_lock(&sbsec->isec_lock);
1186                if (list_empty(&isec->list))
1187                        list_add(&isec->list, &sbsec->isec_head);
1188                spin_unlock(&sbsec->isec_lock);
1189                goto out_unlock;
1190        }
1191
1192        switch (sbsec->behavior) {
1193        case SECURITY_FS_USE_XATTR:
1194                if (!inode->i_op->getxattr) {
1195                        isec->sid = sbsec->def_sid;
1196                        break;
1197                }
1198
1199                /* Need a dentry, since the xattr API requires one.
1200                   Life would be simpler if we could just pass the inode. */
1201                if (opt_dentry) {
1202                        /* Called from d_instantiate or d_splice_alias. */
1203                        dentry = dget(opt_dentry);
1204                } else {
1205                        /* Called from selinux_complete_init, try to find a dentry. */
1206                        dentry = d_find_alias(inode);
1207                }
1208                if (!dentry) {
1209                        /*
1210                         * this is can be hit on boot when a file is accessed
1211                         * before the policy is loaded.  When we load policy we
1212                         * may find inodes that have no dentry on the
1213                         * sbsec->isec_head list.  No reason to complain as these
1214                         * will get fixed up the next time we go through
1215                         * inode_doinit with a dentry, before these inodes could
1216                         * be used again by userspace.
1217                         */
1218                        goto out_unlock;
1219                }
1220
1221                len = INITCONTEXTLEN;
1222                context = kmalloc(len+1, GFP_NOFS);
1223                if (!context) {
1224                        rc = -ENOMEM;
1225                        dput(dentry);
1226                        goto out_unlock;
1227                }
1228                context[len] = '\0';
1229                rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230                                           context, len);
1231                if (rc == -ERANGE) {
1232                        kfree(context);
1233
1234                        /* Need a larger buffer.  Query for the right size. */
1235                        rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1236                                                   NULL, 0);
1237                        if (rc < 0) {
1238                                dput(dentry);
1239                                goto out_unlock;
1240                        }
1241                        len = rc;
1242                        context = kmalloc(len+1, GFP_NOFS);
1243                        if (!context) {
1244                                rc = -ENOMEM;
1245                                dput(dentry);
1246                                goto out_unlock;
1247                        }
1248                        context[len] = '\0';
1249                        rc = inode->i_op->getxattr(dentry,
1250                                                   XATTR_NAME_SELINUX,
1251                                                   context, len);
1252                }
1253                dput(dentry);
1254                if (rc < 0) {
1255                        if (rc != -ENODATA) {
1256                                printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1257                                       "%d for dev=%s ino=%ld\n", __func__,
1258                                       -rc, inode->i_sb->s_id, inode->i_ino);
1259                                kfree(context);
1260                                goto out_unlock;
1261                        }
1262                        /* Map ENODATA to the default file SID */
1263                        sid = sbsec->def_sid;
1264                        rc = 0;
1265                } else {
1266                        rc = security_context_to_sid_default(context, rc, &sid,
1267                                                             sbsec->def_sid,
1268                                                             GFP_NOFS);
1269                        if (rc) {
1270                                char *dev = inode->i_sb->s_id;
1271                                unsigned long ino = inode->i_ino;
1272
1273                                if (rc == -EINVAL) {
1274                                        if (printk_ratelimit())
1275                                                printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276                                                        "context=%s.  This indicates you may need to relabel the inode or the "
1277                                                        "filesystem in question.\n", ino, dev, context);
1278                                } else {
1279                                        printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1280                                               "returned %d for dev=%s ino=%ld\n",
1281                                               __func__, context, -rc, dev, ino);
1282                                }
1283                                kfree(context);
1284                                /* Leave with the unlabeled SID */
1285                                rc = 0;
1286                                break;
1287                        }
1288                }
1289                kfree(context);
1290                isec->sid = sid;
1291                break;
1292        case SECURITY_FS_USE_TASK:
1293                isec->sid = isec->task_sid;
1294                break;
1295        case SECURITY_FS_USE_TRANS:
1296                /* Default to the fs SID. */
1297                isec->sid = sbsec->sid;
1298
1299                /* Try to obtain a transition SID. */
1300                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1301                rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302                                             isec->sclass, NULL, &sid);
1303                if (rc)
1304                        goto out_unlock;
1305                isec->sid = sid;
1306                break;
1307        case SECURITY_FS_USE_MNTPOINT:
1308                isec->sid = sbsec->mntpoint_sid;
1309                break;
1310        default:
1311                /* Default to the fs superblock SID. */
1312                isec->sid = sbsec->sid;
1313
1314                if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1315                        if (opt_dentry) {
1316                                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317                                rc = selinux_proc_get_sid(opt_dentry,
1318                                                          isec->sclass,
1319                                                          &sid);
1320                                if (rc)
1321                                        goto out_unlock;
1322                                isec->sid = sid;
1323                        }
1324                }
1325                break;
1326        }
1327
1328        isec->initialized = 1;
1329
1330out_unlock:
1331        mutex_unlock(&isec->lock);
1332out:
1333        if (isec->sclass == SECCLASS_FILE)
1334                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1335        return rc;
1336}
1337
1338/* Convert a Linux signal to an access vector. */
1339static inline u32 signal_to_av(int sig)
1340{
1341        u32 perm = 0;
1342
1343        switch (sig) {
1344        case SIGCHLD:
1345                /* Commonly granted from child to parent. */
1346                perm = PROCESS__SIGCHLD;
1347                break;
1348        case SIGKILL:
1349                /* Cannot be caught or ignored */
1350                perm = PROCESS__SIGKILL;
1351                break;
1352        case SIGSTOP:
1353                /* Cannot be caught or ignored */
1354                perm = PROCESS__SIGSTOP;
1355                break;
1356        default:
1357                /* All other signals. */
1358                perm = PROCESS__SIGNAL;
1359                break;
1360        }
1361
1362        return perm;
1363}
1364
1365/*
1366 * Check permission between a pair of credentials
1367 * fork check, ptrace check, etc.
1368 */
1369static int cred_has_perm(const struct cred *actor,
1370                         const struct cred *target,
1371                         u32 perms)
1372{
1373        u32 asid = cred_sid(actor), tsid = cred_sid(target);
1374
1375        return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1376}
1377
1378/*
1379 * Check permission between a pair of tasks, e.g. signal checks,
1380 * fork check, ptrace check, etc.
1381 * tsk1 is the actor and tsk2 is the target
1382 * - this uses the default subjective creds of tsk1
1383 */
1384static int task_has_perm(const struct task_struct *tsk1,
1385                         const struct task_struct *tsk2,
1386                         u32 perms)
1387{
1388        const struct task_security_struct *__tsec1, *__tsec2;
1389        u32 sid1, sid2;
1390
1391        rcu_read_lock();
1392        __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1393        __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1394        rcu_read_unlock();
1395        return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1396}
1397
1398/*
1399 * Check permission between current and another task, e.g. signal checks,
1400 * fork check, ptrace check, etc.
1401 * current is the actor and tsk2 is the target
1402 * - this uses current's subjective creds
1403 */
1404static int current_has_perm(const struct task_struct *tsk,
1405                            u32 perms)
1406{
1407        u32 sid, tsid;
1408
1409        sid = current_sid();
1410        tsid = task_sid(tsk);
1411        return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412}
1413
1414#if CAP_LAST_CAP > 63
1415#error Fix SELinux to handle capabilities > 63.
1416#endif
1417
1418/* Check whether a task is allowed to use a capability. */
1419static int cred_has_capability(const struct cred *cred,
1420                               int cap, int audit)
1421{
1422        struct common_audit_data ad;
1423        struct av_decision avd;
1424        u16 sclass;
1425        u32 sid = cred_sid(cred);
1426        u32 av = CAP_TO_MASK(cap);
1427        int rc;
1428
1429        ad.type = LSM_AUDIT_DATA_CAP;
1430        ad.u.cap = cap;
1431
1432        switch (CAP_TO_INDEX(cap)) {
1433        case 0:
1434                sclass = SECCLASS_CAPABILITY;
1435                break;
1436        case 1:
1437                sclass = SECCLASS_CAPABILITY2;
1438                break;
1439        default:
1440                printk(KERN_ERR
1441                       "SELinux:  out of range capability %d\n", cap);
1442                BUG();
1443                return -EINVAL;
1444        }
1445
1446        rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1447        if (audit == SECURITY_CAP_AUDIT) {
1448                int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1449                if (rc2)
1450                        return rc2;
1451        }
1452        return rc;
1453}
1454
1455/* Check whether a task is allowed to use a system operation. */
1456static int task_has_system(struct task_struct *tsk,
1457                           u32 perms)
1458{
1459        u32 sid = task_sid(tsk);
1460
1461        return avc_has_perm(sid, SECINITSID_KERNEL,
1462                            SECCLASS_SYSTEM, perms, NULL);
1463}
1464
1465/* Check whether a task has a particular permission to an inode.
1466   The 'adp' parameter is optional and allows other audit
1467   data to be passed (e.g. the dentry). */
1468static int inode_has_perm(const struct cred *cred,
1469                          struct inode *inode,
1470                          u32 perms,
1471                          struct common_audit_data *adp,
1472                          unsigned flags)
1473{
1474        struct inode_security_struct *isec;
1475        u32 sid;
1476
1477        validate_creds(cred);
1478
1479        if (unlikely(IS_PRIVATE(inode)))
1480                return 0;
1481
1482        sid = cred_sid(cred);
1483        isec = inode->i_security;
1484
1485        return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1486}
1487
1488/* Same as inode_has_perm, but pass explicit audit data containing
1489   the dentry to help the auditing code to more easily generate the
1490   pathname if needed. */
1491static inline int dentry_has_perm(const struct cred *cred,
1492                                  struct dentry *dentry,
1493                                  u32 av)
1494{
1495        struct inode *inode = dentry->d_inode;
1496        struct common_audit_data ad;
1497
1498        ad.type = LSM_AUDIT_DATA_DENTRY;
1499        ad.u.dentry = dentry;
1500        return inode_has_perm(cred, inode, av, &ad, 0);
1501}
1502
1503/* Same as inode_has_perm, but pass explicit audit data containing
1504   the path to help the auditing code to more easily generate the
1505   pathname if needed. */
1506static inline int path_has_perm(const struct cred *cred,
1507                                struct path *path,
1508                                u32 av)
1509{
1510        struct inode *inode = path->dentry->d_inode;
1511        struct common_audit_data ad;
1512
1513        ad.type = LSM_AUDIT_DATA_PATH;
1514        ad.u.path = *path;
1515        return inode_has_perm(cred, inode, av, &ad, 0);
1516}
1517
1518/* Check whether a task can use an open file descriptor to
1519   access an inode in a given way.  Check access to the
1520   descriptor itself, and then use dentry_has_perm to
1521   check a particular permission to the file.
1522   Access to the descriptor is implicitly granted if it
1523   has the same SID as the process.  If av is zero, then
1524   access to the file is not checked, e.g. for cases
1525   where only the descriptor is affected like seek. */
1526static int file_has_perm(const struct cred *cred,
1527                         struct file *file,
1528                         u32 av)
1529{
1530        struct file_security_struct *fsec = file->f_security;
1531        struct inode *inode = file->f_path.dentry->d_inode;
1532        struct common_audit_data ad;
1533        u32 sid = cred_sid(cred);
1534        int rc;
1535
1536        ad.type = LSM_AUDIT_DATA_PATH;
1537        ad.u.path = file->f_path;
1538
1539        if (sid != fsec->sid) {
1540                rc = avc_has_perm(sid, fsec->sid,
1541                                  SECCLASS_FD,
1542                                  FD__USE,
1543                                  &ad);
1544                if (rc)
1545                        goto out;
1546        }
1547
1548        /* av is zero if only checking access to the descriptor. */
1549        rc = 0;
1550        if (av)
1551                rc = inode_has_perm(cred, inode, av, &ad, 0);
1552
1553out:
1554        return rc;
1555}
1556
1557/* Check whether a task can create a file. */
1558static int may_create(struct inode *dir,
1559                      struct dentry *dentry,
1560                      u16 tclass)
1561{
1562        const struct task_security_struct *tsec = current_security();
1563        struct inode_security_struct *dsec;
1564        struct superblock_security_struct *sbsec;
1565        u32 sid, newsid;
1566        struct common_audit_data ad;
1567        int rc;
1568
1569        dsec = dir->i_security;
1570        sbsec = dir->i_sb->s_security;
1571
1572        sid = tsec->sid;
1573        newsid = tsec->create_sid;
1574
1575        ad.type = LSM_AUDIT_DATA_DENTRY;
1576        ad.u.dentry = dentry;
1577
1578        rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1579                          DIR__ADD_NAME | DIR__SEARCH,
1580                          &ad);
1581        if (rc)
1582                return rc;
1583
1584        if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1585                rc = security_transition_sid(sid, dsec->sid, tclass,
1586                                             &dentry->d_name, &newsid);
1587                if (rc)
1588                        return rc;
1589        }
1590
1591        rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1592        if (rc)
1593                return rc;
1594
1595        return avc_has_perm(newsid, sbsec->sid,
1596                            SECCLASS_FILESYSTEM,
1597                            FILESYSTEM__ASSOCIATE, &ad);
1598}
1599
1600/* Check whether a task can create a key. */
1601static int may_create_key(u32 ksid,
1602                          struct task_struct *ctx)
1603{
1604        u32 sid = task_sid(ctx);
1605
1606        return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1607}
1608
1609#define MAY_LINK        0
1610#define MAY_UNLINK      1
1611#define MAY_RMDIR       2
1612
1613/* Check whether a task can link, unlink, or rmdir a file/directory. */
1614static int may_link(struct inode *dir,
1615                    struct dentry *dentry,
1616                    int kind)
1617
1618{
1619        struct inode_security_struct *dsec, *isec;
1620        struct common_audit_data ad;
1621        u32 sid = current_sid();
1622        u32 av;
1623        int rc;
1624
1625        dsec = dir->i_security;
1626        isec = dentry->d_inode->i_security;
1627
1628        ad.type = LSM_AUDIT_DATA_DENTRY;
1629        ad.u.dentry = dentry;
1630
1631        av = DIR__SEARCH;
1632        av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1633        rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1634        if (rc)
1635                return rc;
1636
1637        switch (kind) {
1638        case MAY_LINK:
1639                av = FILE__LINK;
1640                break;
1641        case MAY_UNLINK:
1642                av = FILE__UNLINK;
1643                break;
1644        case MAY_RMDIR:
1645                av = DIR__RMDIR;
1646                break;
1647        default:
1648                printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1649                        __func__, kind);
1650                return 0;
1651        }
1652
1653        rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1654        return rc;
1655}
1656
1657static inline int may_rename(struct inode *old_dir,
1658                             struct dentry *old_dentry,
1659                             struct inode *new_dir,
1660                             struct dentry *new_dentry)
1661{
1662        struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1663        struct common_audit_data ad;
1664        u32 sid = current_sid();
1665        u32 av;
1666        int old_is_dir, new_is_dir;
1667        int rc;
1668
1669        old_dsec = old_dir->i_security;
1670        old_isec = old_dentry->d_inode->i_security;
1671        old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1672        new_dsec = new_dir->i_security;
1673
1674        ad.type = LSM_AUDIT_DATA_DENTRY;
1675
1676        ad.u.dentry = old_dentry;
1677        rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1678                          DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1679        if (rc)
1680                return rc;
1681        rc = avc_has_perm(sid, old_isec->sid,
1682                          old_isec->sclass, FILE__RENAME, &ad);
1683        if (rc)
1684                return rc;
1685        if (old_is_dir && new_dir != old_dir) {
1686                rc = avc_has_perm(sid, old_isec->sid,
1687                                  old_isec->sclass, DIR__REPARENT, &ad);
1688                if (rc)
1689                        return rc;
1690        }
1691
1692        ad.u.dentry = new_dentry;
1693        av = DIR__ADD_NAME | DIR__SEARCH;
1694        if (new_dentry->d_inode)
1695                av |= DIR__REMOVE_NAME;
1696        rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1697        if (rc)
1698                return rc;
1699        if (new_dentry->d_inode) {
1700                new_isec = new_dentry->d_inode->i_security;
1701                new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1702                rc = avc_has_perm(sid, new_isec->sid,
1703                                  new_isec->sclass,
1704                                  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1705                if (rc)
1706                        return rc;
1707        }
1708
1709        return 0;
1710}
1711
1712/* Check whether a task can perform a filesystem operation. */
1713static int superblock_has_perm(const struct cred *cred,
1714                               struct super_block *sb,
1715                               u32 perms,
1716                               struct common_audit_data *ad)
1717{
1718        struct superblock_security_struct *sbsec;
1719        u32 sid = cred_sid(cred);
1720
1721        sbsec = sb->s_security;
1722        return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1723}
1724
1725/* Convert a Linux mode and permission mask to an access vector. */
1726static inline u32 file_mask_to_av(int mode, int mask)
1727{
1728        u32 av = 0;
1729
1730        if (!S_ISDIR(mode)) {
1731                if (mask & MAY_EXEC)
1732                        av |= FILE__EXECUTE;
1733                if (mask & MAY_READ)
1734                        av |= FILE__READ;
1735
1736                if (mask & MAY_APPEND)
1737                        av |= FILE__APPEND;
1738                else if (mask & MAY_WRITE)
1739                        av |= FILE__WRITE;
1740
1741        } else {
1742                if (mask & MAY_EXEC)
1743                        av |= DIR__SEARCH;
1744                if (mask & MAY_WRITE)
1745                        av |= DIR__WRITE;
1746                if (mask & MAY_READ)
1747                        av |= DIR__READ;
1748        }
1749
1750        return av;
1751}
1752
1753/* Convert a Linux file to an access vector. */
1754static inline u32 file_to_av(struct file *file)
1755{
1756        u32 av = 0;
1757
1758        if (file->f_mode & FMODE_READ)
1759                av |= FILE__READ;
1760        if (file->f_mode & FMODE_WRITE) {
1761                if (file->f_flags & O_APPEND)
1762                        av |= FILE__APPEND;
1763                else
1764                        av |= FILE__WRITE;
1765        }
1766        if (!av) {
1767                /*
1768                 * Special file opened with flags 3 for ioctl-only use.
1769                 */
1770                av = FILE__IOCTL;
1771        }
1772
1773        return av;
1774}
1775
1776/*
1777 * Convert a file to an access vector and include the correct open
1778 * open permission.
1779 */
1780static inline u32 open_file_to_av(struct file *file)
1781{
1782        u32 av = file_to_av(file);
1783
1784        if (selinux_policycap_openperm)
1785                av |= FILE__OPEN;
1786
1787        return av;
1788}
1789
1790/* Hook functions begin here. */
1791
1792static int selinux_ptrace_access_check(struct task_struct *child,
1793                                     unsigned int mode)
1794{
1795        int rc;
1796
1797        rc = cap_ptrace_access_check(child, mode);
1798        if (rc)
1799                return rc;
1800
1801        if (mode & PTRACE_MODE_READ) {
1802                u32 sid = current_sid();
1803                u32 csid = task_sid(child);
1804                return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1805        }
1806
1807        return current_has_perm(child, PROCESS__PTRACE);
1808}
1809
1810static int selinux_ptrace_traceme(struct task_struct *parent)
1811{
1812        int rc;
1813
1814        rc = cap_ptrace_traceme(parent);
1815        if (rc)
1816                return rc;
1817
1818        return task_has_perm(parent, current, PROCESS__PTRACE);
1819}
1820
1821static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1822                          kernel_cap_t *inheritable, kernel_cap_t *permitted)
1823{
1824        int error;
1825
1826        error = current_has_perm(target, PROCESS__GETCAP);
1827        if (error)
1828                return error;
1829
1830        return cap_capget(target, effective, inheritable, permitted);
1831}
1832
1833static int selinux_capset(struct cred *new, const struct cred *old,
1834                          const kernel_cap_t *effective,
1835                          const kernel_cap_t *inheritable,
1836                          const kernel_cap_t *permitted)
1837{
1838        int error;
1839
1840        error = cap_capset(new, old,
1841                                      effective, inheritable, permitted);
1842        if (error)
1843                return error;
1844
1845        return cred_has_perm(old, new, PROCESS__SETCAP);
1846}
1847
1848/*
1849 * (This comment used to live with the selinux_task_setuid hook,
1850 * which was removed).
1851 *
1852 * Since setuid only affects the current process, and since the SELinux
1853 * controls are not based on the Linux identity attributes, SELinux does not
1854 * need to control this operation.  However, SELinux does control the use of
1855 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1856 */
1857
1858static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1859                           int cap, int audit)
1860{
1861        int rc;
1862
1863        rc = cap_capable(cred, ns, cap, audit);
1864        if (rc)
1865                return rc;
1866
1867        return cred_has_capability(cred, cap, audit);
1868}
1869
1870static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1871{
1872        const struct cred *cred = current_cred();
1873        int rc = 0;
1874
1875        if (!sb)
1876                return 0;
1877
1878        switch (cmds) {
1879        case Q_SYNC:
1880        case Q_QUOTAON:
1881        case Q_QUOTAOFF:
1882        case Q_SETINFO:
1883        case Q_SETQUOTA:
1884                rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1885                break;
1886        case Q_GETFMT:
1887        case Q_GETINFO:
1888        case Q_GETQUOTA:
1889                rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1890                break;
1891        default:
1892                rc = 0;  /* let the kernel handle invalid cmds */
1893                break;
1894        }
1895        return rc;
1896}
1897
1898static int selinux_quota_on(struct dentry *dentry)
1899{
1900        const struct cred *cred = current_cred();
1901
1902        return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1903}
1904
1905static int selinux_syslog(int type)
1906{
1907        int rc;
1908
1909        switch (type) {
1910        case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1911        case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1912                rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1913                break;
1914        case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1915        case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1916        /* Set level of messages printed to console */
1917        case SYSLOG_ACTION_CONSOLE_LEVEL:
1918                rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1919                break;
1920        case SYSLOG_ACTION_CLOSE:       /* Close log */
1921        case SYSLOG_ACTION_OPEN:        /* Open log */
1922        case SYSLOG_ACTION_READ:        /* Read from log */
1923        case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1924        case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1925        default:
1926                rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1927                break;
1928        }
1929        return rc;
1930}
1931
1932/*
1933 * Check that a process has enough memory to allocate a new virtual
1934 * mapping. 0 means there is enough memory for the allocation to
1935 * succeed and -ENOMEM implies there is not.
1936 *
1937 * Do not audit the selinux permission check, as this is applied to all
1938 * processes that allocate mappings.
1939 */
1940static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1941{
1942        int rc, cap_sys_admin = 0;
1943
1944        rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1945                             SECURITY_CAP_NOAUDIT);
1946        if (rc == 0)
1947                cap_sys_admin = 1;
1948
1949        return __vm_enough_memory(mm, pages, cap_sys_admin);
1950}
1951
1952/* binprm security operations */
1953
1954static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1955{
1956        const struct task_security_struct *old_tsec;
1957        struct task_security_struct *new_tsec;
1958        struct inode_security_struct *isec;
1959        struct common_audit_data ad;
1960        struct inode *inode = bprm->file->f_path.dentry->d_inode;
1961        int rc;
1962
1963        rc = cap_bprm_set_creds(bprm);
1964        if (rc)
1965                return rc;
1966
1967        /* SELinux context only depends on initial program or script and not
1968         * the script interpreter */
1969        if (bprm->cred_prepared)
1970                return 0;
1971
1972        old_tsec = current_security();
1973        new_tsec = bprm->cred->security;
1974        isec = inode->i_security;
1975
1976        /* Default to the current task SID. */
1977        new_tsec->sid = old_tsec->sid;
1978        new_tsec->osid = old_tsec->sid;
1979
1980        /* Reset fs, key, and sock SIDs on execve. */
1981        new_tsec->create_sid = 0;
1982        new_tsec->keycreate_sid = 0;
1983        new_tsec->sockcreate_sid = 0;
1984
1985        if (old_tsec->exec_sid) {
1986                new_tsec->sid = old_tsec->exec_sid;
1987                /* Reset exec SID on execve. */
1988                new_tsec->exec_sid = 0;
1989
1990                /*
1991                 * Minimize confusion: if no_new_privs and a transition is
1992                 * explicitly requested, then fail the exec.
1993                 */
1994                if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
1995                        return -EPERM;
1996        } else {
1997                /* Check for a default transition on this program. */
1998                rc = security_transition_sid(old_tsec->sid, isec->sid,
1999                                             SECCLASS_PROCESS, NULL,
2000                                             &new_tsec->sid);
2001                if (rc)
2002                        return rc;
2003        }
2004
2005        ad.type = LSM_AUDIT_DATA_PATH;
2006        ad.u.path = bprm->file->f_path;
2007
2008        if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2009            (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2010                new_tsec->sid = old_tsec->sid;
2011
2012        if (new_tsec->sid == old_tsec->sid) {
2013                rc = avc_has_perm(old_tsec->sid, isec->sid,
2014                                  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2015                if (rc)
2016                        return rc;
2017        } else {
2018                /* Check permissions for the transition. */
2019                rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2020                                  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2021                if (rc)
2022                        return rc;
2023
2024                rc = avc_has_perm(new_tsec->sid, isec->sid,
2025                                  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2026                if (rc)
2027                        return rc;
2028
2029                /* Check for shared state */
2030                if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2031                        rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2032                                          SECCLASS_PROCESS, PROCESS__SHARE,
2033                                          NULL);
2034                        if (rc)
2035                                return -EPERM;
2036                }
2037
2038                /* Make sure that anyone attempting to ptrace over a task that
2039                 * changes its SID has the appropriate permit */
2040                if (bprm->unsafe &
2041                    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2042                        struct task_struct *tracer;
2043                        struct task_security_struct *sec;
2044                        u32 ptsid = 0;
2045
2046                        rcu_read_lock();
2047                        tracer = ptrace_parent(current);
2048                        if (likely(tracer != NULL)) {
2049                                sec = __task_cred(tracer)->security;
2050                                ptsid = sec->sid;
2051                        }
2052                        rcu_read_unlock();
2053
2054                        if (ptsid != 0) {
2055                                rc = avc_has_perm(ptsid, new_tsec->sid,
2056                                                  SECCLASS_PROCESS,
2057                                                  PROCESS__PTRACE, NULL);
2058                                if (rc)
2059                                        return -EPERM;
2060                        }
2061                }
2062
2063                /* Clear any possibly unsafe personality bits on exec: */
2064                bprm->per_clear |= PER_CLEAR_ON_SETID;
2065        }
2066
2067        return 0;
2068}
2069
2070static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2071{
2072        const struct task_security_struct *tsec = current_security();
2073        u32 sid, osid;
2074        int atsecure = 0;
2075
2076        sid = tsec->sid;
2077        osid = tsec->osid;
2078
2079        if (osid != sid) {
2080                /* Enable secure mode for SIDs transitions unless
2081                   the noatsecure permission is granted between
2082                   the two SIDs, i.e. ahp returns 0. */
2083                atsecure = avc_has_perm(osid, sid,
2084                                        SECCLASS_PROCESS,
2085                                        PROCESS__NOATSECURE, NULL);
2086        }
2087
2088        return (atsecure || cap_bprm_secureexec(bprm));
2089}
2090
2091static int match_file(const void *p, struct file *file, unsigned fd)
2092{
2093        return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2094}
2095
2096/* Derived from fs/exec.c:flush_old_files. */
2097static inline void flush_unauthorized_files(const struct cred *cred,
2098                                            struct files_struct *files)
2099{
2100        struct file *file, *devnull = NULL;
2101        struct tty_struct *tty;
2102        int drop_tty = 0;
2103        unsigned n;
2104
2105        tty = get_current_tty();
2106        if (tty) {
2107                spin_lock(&tty_files_lock);
2108                if (!list_empty(&tty->tty_files)) {
2109                        struct tty_file_private *file_priv;
2110
2111                        /* Revalidate access to controlling tty.
2112                           Use path_has_perm on the tty path directly rather
2113                           than using file_has_perm, as this particular open
2114                           file may belong to another process and we are only
2115                           interested in the inode-based check here. */
2116                        file_priv = list_first_entry(&tty->tty_files,
2117                                                struct tty_file_private, list);
2118                        file = file_priv->file;
2119                        if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2120                                drop_tty = 1;
2121                }
2122                spin_unlock(&tty_files_lock);
2123                tty_kref_put(tty);
2124        }
2125        /* Reset controlling tty. */
2126        if (drop_tty)
2127                no_tty();
2128
2129        /* Revalidate access to inherited open files. */
2130        n = iterate_fd(files, 0, match_file, cred);
2131        if (!n) /* none found? */
2132                return;
2133
2134        devnull = dentry_open(&selinux_null, O_RDWR, cred);
2135        if (IS_ERR(devnull))
2136                devnull = NULL;
2137        /* replace all the matching ones with this */
2138        do {
2139                replace_fd(n - 1, devnull, 0);
2140        } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2141        if (devnull)
2142                fput(devnull);
2143}
2144
2145/*
2146 * Prepare a process for imminent new credential changes due to exec
2147 */
2148static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2149{
2150        struct task_security_struct *new_tsec;
2151        struct rlimit *rlim, *initrlim;
2152        int rc, i;
2153
2154        new_tsec = bprm->cred->security;
2155        if (new_tsec->sid == new_tsec->osid)
2156                return;
2157
2158        /* Close files for which the new task SID is not authorized. */
2159        flush_unauthorized_files(bprm->cred, current->files);
2160
2161        /* Always clear parent death signal on SID transitions. */
2162        current->pdeath_signal = 0;
2163
2164        /* Check whether the new SID can inherit resource limits from the old
2165         * SID.  If not, reset all soft limits to the lower of the current
2166         * task's hard limit and the init task's soft limit.
2167         *
2168         * Note that the setting of hard limits (even to lower them) can be
2169         * controlled by the setrlimit check.  The inclusion of the init task's
2170         * soft limit into the computation is to avoid resetting soft limits
2171         * higher than the default soft limit for cases where the default is
2172         * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2173         */
2174        rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2175                          PROCESS__RLIMITINH, NULL);
2176        if (rc) {
2177                /* protect against do_prlimit() */
2178                task_lock(current);
2179                for (i = 0; i < RLIM_NLIMITS; i++) {
2180                        rlim = current->signal->rlim + i;
2181                        initrlim = init_task.signal->rlim + i;
2182                        rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2183                }
2184                task_unlock(current);
2185                update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2186        }
2187}
2188
2189/*
2190 * Clean up the process immediately after the installation of new credentials
2191 * due to exec
2192 */
2193static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2194{
2195        const struct task_security_struct *tsec = current_security();
2196        struct itimerval itimer;
2197        u32 osid, sid;
2198        int rc, i;
2199
2200        osid = tsec->osid;
2201        sid = tsec->sid;
2202
2203        if (sid == osid)
2204                return;
2205
2206        /* Check whether the new SID can inherit signal state from the old SID.
2207         * If not, clear itimers to avoid subsequent signal generation and
2208         * flush and unblock signals.
2209         *
2210         * This must occur _after_ the task SID has been updated so that any
2211         * kill done after the flush will be checked against the new SID.
2212         */
2213        rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2214        if (rc) {
2215                memset(&itimer, 0, sizeof itimer);
2216                for (i = 0; i < 3; i++)
2217                        do_setitimer(i, &itimer, NULL);
2218                spin_lock_irq(&current->sighand->siglock);
2219                if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2220                        __flush_signals(current);
2221                        flush_signal_handlers(current, 1);
2222                        sigemptyset(&current->blocked);
2223                }
2224                spin_unlock_irq(&current->sighand->siglock);
2225        }
2226
2227        /* Wake up the parent if it is waiting so that it can recheck
2228         * wait permission to the new task SID. */
2229        read_lock(&tasklist_lock);
2230        __wake_up_parent(current, current->real_parent);
2231        read_unlock(&tasklist_lock);
2232}
2233
2234/* superblock security operations */
2235
2236static int selinux_sb_alloc_security(struct super_block *sb)
2237{
2238        return superblock_alloc_security(sb);
2239}
2240
2241static void selinux_sb_free_security(struct super_block *sb)
2242{
2243        superblock_free_security(sb);
2244}
2245
2246static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2247{
2248        if (plen > olen)
2249                return 0;
2250
2251        return !memcmp(prefix, option, plen);
2252}
2253
2254static inline int selinux_option(char *option, int len)
2255{
2256        return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2257                match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2258                match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2259                match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2260                match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2261}
2262
2263static inline void take_option(char **to, char *from, int *first, int len)
2264{
2265        if (!*first) {
2266                **to = ',';
2267                *to += 1;
2268        } else
2269                *first = 0;
2270        memcpy(*to, from, len);
2271        *to += len;
2272}
2273
2274static inline void take_selinux_option(char **to, char *from, int *first,
2275                                       int len)
2276{
2277        int current_size = 0;
2278
2279        if (!*first) {
2280                **to = '|';
2281                *to += 1;
2282        } else
2283                *first = 0;
2284
2285        while (current_size < len) {
2286                if (*from != '"') {
2287                        **to = *from;
2288                        *to += 1;
2289                }
2290                from += 1;
2291                current_size += 1;
2292        }
2293}
2294
2295static int selinux_sb_copy_data(char *orig, char *copy)
2296{
2297        int fnosec, fsec, rc = 0;
2298        char *in_save, *in_curr, *in_end;
2299        char *sec_curr, *nosec_save, *nosec;
2300        int open_quote = 0;
2301
2302        in_curr = orig;
2303        sec_curr = copy;
2304
2305        nosec = (char *)get_zeroed_page(GFP_KERNEL);
2306        if (!nosec) {
2307                rc = -ENOMEM;
2308                goto out;
2309        }
2310
2311        nosec_save = nosec;
2312        fnosec = fsec = 1;
2313        in_save = in_end = orig;
2314
2315        do {
2316                if (*in_end == '"')
2317                        open_quote = !open_quote;
2318                if ((*in_end == ',' && open_quote == 0) ||
2319                                *in_end == '\0') {
2320                        int len = in_end - in_curr;
2321
2322                        if (selinux_option(in_curr, len))
2323                                take_selinux_option(&sec_curr, in_curr, &fsec, len);
2324                        else
2325                                take_option(&nosec, in_curr, &fnosec, len);
2326
2327                        in_curr = in_end + 1;
2328                }
2329        } while (*in_end++);
2330
2331        strcpy(in_save, nosec_save);
2332        free_page((unsigned long)nosec_save);
2333out:
2334        return rc;
2335}
2336
2337static int selinux_sb_remount(struct super_block *sb, void *data)
2338{
2339        int rc, i, *flags;
2340        struct security_mnt_opts opts;
2341        char *secdata, **mount_options;
2342        struct superblock_security_struct *sbsec = sb->s_security;
2343
2344        if (!(sbsec->flags & SE_SBINITIALIZED))
2345                return 0;
2346
2347        if (!data)
2348                return 0;
2349
2350        if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2351                return 0;
2352
2353        security_init_mnt_opts(&opts);
2354        secdata = alloc_secdata();
2355        if (!secdata)
2356                return -ENOMEM;
2357        rc = selinux_sb_copy_data(data, secdata);
2358        if (rc)
2359                goto out_free_secdata;
2360
2361        rc = selinux_parse_opts_str(secdata, &opts);
2362        if (rc)
2363                goto out_free_secdata;
2364
2365        mount_options = opts.mnt_opts;
2366        flags = opts.mnt_opts_flags;
2367
2368        for (i = 0; i < opts.num_mnt_opts; i++) {
2369                u32 sid;
2370                size_t len;
2371
2372                if (flags[i] == SE_SBLABELSUPP)
2373                        continue;
2374                len = strlen(mount_options[i]);
2375                rc = security_context_to_sid(mount_options[i], len, &sid);
2376                if (rc) {
2377                        printk(KERN_WARNING "SELinux: security_context_to_sid"
2378                               "(%s) failed for (dev %s, type %s) errno=%d\n",
2379                               mount_options[i], sb->s_id, sb->s_type->name, rc);
2380                        goto out_free_opts;
2381                }
2382                rc = -EINVAL;
2383                switch (flags[i]) {
2384                case FSCONTEXT_MNT:
2385                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2386                                goto out_bad_option;
2387                        break;
2388                case CONTEXT_MNT:
2389                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2390                                goto out_bad_option;
2391                        break;
2392                case ROOTCONTEXT_MNT: {
2393                        struct inode_security_struct *root_isec;
2394                        root_isec = sb->s_root->d_inode->i_security;
2395
2396                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2397                                goto out_bad_option;
2398                        break;
2399                }
2400                case DEFCONTEXT_MNT:
2401                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2402                                goto out_bad_option;
2403                        break;
2404                default:
2405                        goto out_free_opts;
2406                }
2407        }
2408
2409        rc = 0;
2410out_free_opts:
2411        security_free_mnt_opts(&opts);
2412out_free_secdata:
2413        free_secdata(secdata);
2414        return rc;
2415out_bad_option:
2416        printk(KERN_WARNING "SELinux: unable to change security options "
2417               "during remount (dev %s, type=%s)\n", sb->s_id,
2418               sb->s_type->name);
2419        goto out_free_opts;
2420}
2421
2422static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2423{
2424        const struct cred *cred = current_cred();
2425        struct common_audit_data ad;
2426        int rc;
2427
2428        rc = superblock_doinit(sb, data);
2429        if (rc)
2430                return rc;
2431
2432        /* Allow all mounts performed by the kernel */
2433        if (flags & MS_KERNMOUNT)
2434                return 0;
2435
2436        ad.type = LSM_AUDIT_DATA_DENTRY;
2437        ad.u.dentry = sb->s_root;
2438        return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2439}
2440
2441static int selinux_sb_statfs(struct dentry *dentry)
2442{
2443        const struct cred *cred = current_cred();
2444        struct common_audit_data ad;
2445
2446        ad.type = LSM_AUDIT_DATA_DENTRY;
2447        ad.u.dentry = dentry->d_sb->s_root;
2448        return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2449}
2450
2451static int selinux_mount(const char *dev_name,
2452                         struct path *path,
2453                         const char *type,
2454                         unsigned long flags,
2455                         void *data)
2456{
2457        const struct cred *cred = current_cred();
2458
2459        if (flags & MS_REMOUNT)
2460                return superblock_has_perm(cred, path->dentry->d_sb,
2461                                           FILESYSTEM__REMOUNT, NULL);
2462        else
2463                return path_has_perm(cred, path, FILE__MOUNTON);
2464}
2465
2466static int selinux_umount(struct vfsmount *mnt, int flags)
2467{
2468        const struct cred *cred = current_cred();
2469
2470        return superblock_has_perm(cred, mnt->mnt_sb,
2471                                   FILESYSTEM__UNMOUNT, NULL);
2472}
2473
2474/* inode security operations */
2475
2476static int selinux_inode_alloc_security(struct inode *inode)
2477{
2478        return inode_alloc_security(inode);
2479}
2480
2481static void selinux_inode_free_security(struct inode *inode)
2482{
2483        inode_free_security(inode);
2484}
2485
2486static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2487                                       const struct qstr *qstr, char **name,
2488                                       void **value, size_t *len)
2489{
2490        const struct task_security_struct *tsec = current_security();
2491        struct inode_security_struct *dsec;
2492        struct superblock_security_struct *sbsec;
2493        u32 sid, newsid, clen;
2494        int rc;
2495        char *namep = NULL, *context;
2496
2497        dsec = dir->i_security;
2498        sbsec = dir->i_sb->s_security;
2499
2500        sid = tsec->sid;
2501        newsid = tsec->create_sid;
2502
2503        if ((sbsec->flags & SE_SBINITIALIZED) &&
2504            (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2505                newsid = sbsec->mntpoint_sid;
2506        else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2507                rc = security_transition_sid(sid, dsec->sid,
2508                                             inode_mode_to_security_class(inode->i_mode),
2509                                             qstr, &newsid);
2510                if (rc) {
2511                        printk(KERN_WARNING "%s:  "
2512                               "security_transition_sid failed, rc=%d (dev=%s "
2513                               "ino=%ld)\n",
2514                               __func__,
2515                               -rc, inode->i_sb->s_id, inode->i_ino);
2516                        return rc;
2517                }
2518        }
2519
2520        /* Possibly defer initialization to selinux_complete_init. */
2521        if (sbsec->flags & SE_SBINITIALIZED) {
2522                struct inode_security_struct *isec = inode->i_security;
2523                isec->sclass = inode_mode_to_security_class(inode->i_mode);
2524                isec->sid = newsid;
2525                isec->initialized = 1;
2526        }
2527
2528        if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2529                return -EOPNOTSUPP;
2530
2531        if (name) {
2532                namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2533                if (!namep)
2534                        return -ENOMEM;
2535                *name = namep;
2536        }
2537
2538        if (value && len) {
2539                rc = security_sid_to_context_force(newsid, &context, &clen);
2540                if (rc) {
2541                        kfree(namep);
2542                        return rc;
2543                }
2544                *value = context;
2545                *len = clen;
2546        }
2547
2548        return 0;
2549}
2550
2551static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2552{
2553        return may_create(dir, dentry, SECCLASS_FILE);
2554}
2555
2556static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2557{
2558        return may_link(dir, old_dentry, MAY_LINK);
2559}
2560
2561static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2562{
2563        return may_link(dir, dentry, MAY_UNLINK);
2564}
2565
2566static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2567{
2568        return may_create(dir, dentry, SECCLASS_LNK_FILE);
2569}
2570
2571static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2572{
2573        return may_create(dir, dentry, SECCLASS_DIR);
2574}
2575
2576static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2577{
2578        return may_link(dir, dentry, MAY_RMDIR);
2579}
2580
2581static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2582{
2583        return may_create(dir, dentry, inode_mode_to_security_class(mode));
2584}
2585
2586static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2587                                struct inode *new_inode, struct dentry *new_dentry)
2588{
2589        return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2590}
2591
2592static int selinux_inode_readlink(struct dentry *dentry)
2593{
2594        const struct cred *cred = current_cred();
2595
2596        return dentry_has_perm(cred, dentry, FILE__READ);
2597}
2598
2599static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2600{
2601        const struct cred *cred = current_cred();
2602
2603        return dentry_has_perm(cred, dentry, FILE__READ);
2604}
2605
2606static noinline int audit_inode_permission(struct inode *inode,
2607                                           u32 perms, u32 audited, u32 denied,
2608                                           unsigned flags)
2609{
2610        struct common_audit_data ad;
2611        struct inode_security_struct *isec = inode->i_security;
2612        int rc;
2613
2614        ad.type = LSM_AUDIT_DATA_INODE;
2615        ad.u.inode = inode;
2616
2617        rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2618                            audited, denied, &ad, flags);
2619        if (rc)
2620                return rc;
2621        return 0;
2622}
2623
2624static int selinux_inode_permission(struct inode *inode, int mask)
2625{
2626        const struct cred *cred = current_cred();
2627        u32 perms;
2628        bool from_access;
2629        unsigned flags = mask & MAY_NOT_BLOCK;
2630        struct inode_security_struct *isec;
2631        u32 sid;
2632        struct av_decision avd;
2633        int rc, rc2;
2634        u32 audited, denied;
2635
2636        from_access = mask & MAY_ACCESS;
2637        mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2638
2639        /* No permission to check.  Existence test. */
2640        if (!mask)
2641                return 0;
2642
2643        validate_creds(cred);
2644
2645        if (unlikely(IS_PRIVATE(inode)))
2646                return 0;
2647
2648        perms = file_mask_to_av(inode->i_mode, mask);
2649
2650        sid = cred_sid(cred);
2651        isec = inode->i_security;
2652
2653        rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2654        audited = avc_audit_required(perms, &avd, rc,
2655                                     from_access ? FILE__AUDIT_ACCESS : 0,
2656                                     &denied);
2657        if (likely(!audited))
2658                return rc;
2659
2660        rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2661        if (rc2)
2662                return rc2;
2663        return rc;
2664}
2665
2666static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2667{
2668        const struct cred *cred = current_cred();
2669        unsigned int ia_valid = iattr->ia_valid;
2670        __u32 av = FILE__WRITE;
2671
2672        /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2673        if (ia_valid & ATTR_FORCE) {
2674                ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2675                              ATTR_FORCE);
2676                if (!ia_valid)
2677                        return 0;
2678        }
2679
2680        if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2681                        ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2682                return dentry_has_perm(cred, dentry, FILE__SETATTR);
2683
2684        if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2685                av |= FILE__OPEN;
2686
2687        return dentry_has_perm(cred, dentry, av);
2688}
2689
2690static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2691{
2692        const struct cred *cred = current_cred();
2693        struct path path;
2694
2695        path.dentry = dentry;
2696        path.mnt = mnt;
2697
2698        return path_has_perm(cred, &path, FILE__GETATTR);
2699}
2700
2701static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2702{
2703        const struct cred *cred = current_cred();
2704
2705        if (!strncmp(name, XATTR_SECURITY_PREFIX,
2706                     sizeof XATTR_SECURITY_PREFIX - 1)) {
2707                if (!strcmp(name, XATTR_NAME_CAPS)) {
2708                        if (!capable(CAP_SETFCAP))
2709                                return -EPERM;
2710                } else if (!capable(CAP_SYS_ADMIN)) {
2711                        /* A different attribute in the security namespace.
2712                           Restrict to administrator. */
2713                        return -EPERM;
2714                }
2715        }
2716
2717        /* Not an attribute we recognize, so just check the
2718           ordinary setattr permission. */
2719        return dentry_has_perm(cred, dentry, FILE__SETATTR);
2720}
2721
2722static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2723                                  const void *value, size_t size, int flags)
2724{
2725        struct inode *inode = dentry->d_inode;
2726        struct inode_security_struct *isec = inode->i_security;
2727        struct superblock_security_struct *sbsec;
2728        struct common_audit_data ad;
2729        u32 newsid, sid = current_sid();
2730        int rc = 0;
2731
2732        if (strcmp(name, XATTR_NAME_SELINUX))
2733                return selinux_inode_setotherxattr(dentry, name);
2734
2735        sbsec = inode->i_sb->s_security;
2736        if (!(sbsec->flags & SE_SBLABELSUPP))
2737                return -EOPNOTSUPP;
2738
2739        if (!inode_owner_or_capable(inode))
2740                return -EPERM;
2741
2742        ad.type = LSM_AUDIT_DATA_DENTRY;
2743        ad.u.dentry = dentry;
2744
2745        rc = avc_has_perm(sid, isec->sid, isec->sclass,
2746                          FILE__RELABELFROM, &ad);
2747        if (rc)
2748                return rc;
2749
2750        rc = security_context_to_sid(value, size, &newsid);
2751        if (rc == -EINVAL) {
2752                if (!capable(CAP_MAC_ADMIN)) {
2753                        struct audit_buffer *ab;
2754                        size_t audit_size;
2755                        const char *str;
2756
2757                        /* We strip a nul only if it is at the end, otherwise the
2758                         * context contains a nul and we should audit that */
2759                        if (value) {
2760                                str = value;
2761                                if (str[size - 1] == '\0')
2762                                        audit_size = size - 1;
2763                                else
2764                                        audit_size = size;
2765                        } else {
2766                                str = "";
2767                                audit_size = 0;
2768                        }
2769                        ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2770                        audit_log_format(ab, "op=setxattr invalid_context=");
2771                        audit_log_n_untrustedstring(ab, value, audit_size);
2772                        audit_log_end(ab);
2773
2774                        return rc;
2775                }
2776                rc = security_context_to_sid_force(value, size, &newsid);
2777        }
2778        if (rc)
2779                return rc;
2780
2781        rc = avc_has_perm(sid, newsid, isec->sclass,
2782                          FILE__RELABELTO, &ad);
2783        if (rc)
2784                return rc;
2785
2786        rc = security_validate_transition(isec->sid, newsid, sid,
2787                                          isec->sclass);
2788        if (rc)
2789                return rc;
2790
2791        return avc_has_perm(newsid,
2792                            sbsec->sid,
2793                            SECCLASS_FILESYSTEM,
2794                            FILESYSTEM__ASSOCIATE,
2795                            &ad);
2796}
2797
2798static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2799                                        const void *value, size_t size,
2800                                        int flags)
2801{
2802        struct inode *inode = dentry->d_inode;
2803        struct inode_security_struct *isec = inode->i_security;
2804        u32 newsid;
2805        int rc;
2806
2807        if (strcmp(name, XATTR_NAME_SELINUX)) {
2808                /* Not an attribute we recognize, so nothing to do. */
2809                return;
2810        }
2811
2812        rc = security_context_to_sid_force(value, size, &newsid);
2813        if (rc) {
2814                printk(KERN_ERR "SELinux:  unable to map context to SID"
2815                       "for (%s, %lu), rc=%d\n",
2816                       inode->i_sb->s_id, inode->i_ino, -rc);
2817                return;
2818        }
2819
2820        isec->sid = newsid;
2821        return;
2822}
2823
2824static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2825{
2826        const struct cred *cred = current_cred();
2827
2828        return dentry_has_perm(cred, dentry, FILE__GETATTR);
2829}
2830
2831static int selinux_inode_listxattr(struct dentry *dentry)
2832{
2833        const struct cred *cred = current_cred();
2834
2835        return dentry_has_perm(cred, dentry, FILE__GETATTR);
2836}
2837
2838static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2839{
2840        if (strcmp(name, XATTR_NAME_SELINUX))
2841                return selinux_inode_setotherxattr(dentry, name);
2842
2843        /* No one is allowed to remove a SELinux security label.
2844           You can change the label, but all data must be labeled. */
2845        return -EACCES;
2846}
2847
2848/*
2849 * Copy the inode security context value to the user.
2850 *
2851 * Permission check is handled by selinux_inode_getxattr hook.
2852 */
2853static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2854{
2855        u32 size;
2856        int error;
2857        char *context = NULL;
2858        struct inode_security_struct *isec = inode->i_security;
2859
2860        if (strcmp(name, XATTR_SELINUX_SUFFIX))
2861                return -EOPNOTSUPP;
2862
2863        /*
2864         * If the caller has CAP_MAC_ADMIN, then get the raw context
2865         * value even if it is not defined by current policy; otherwise,
2866         * use the in-core value under current policy.
2867         * Use the non-auditing forms of the permission checks since
2868         * getxattr may be called by unprivileged processes commonly
2869         * and lack of permission just means that we fall back to the
2870         * in-core context value, not a denial.
2871         */
2872        error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2873                                SECURITY_CAP_NOAUDIT);
2874        if (!error)
2875                error = security_sid_to_context_force(isec->sid, &context,
2876                                                      &size);
2877        else
2878                error = security_sid_to_context(isec->sid, &context, &size);
2879        if (error)
2880                return error;
2881        error = size;
2882        if (alloc) {
2883                *buffer = context;
2884                goto out_nofree;
2885        }
2886        kfree(context);
2887out_nofree:
2888        return error;
2889}
2890
2891static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2892                                     const void *value, size_t size, int flags)
2893{
2894        struct inode_security_struct *isec = inode->i_security;
2895        u32 newsid;
2896        int rc;
2897
2898        if (strcmp(name, XATTR_SELINUX_SUFFIX))
2899                return -EOPNOTSUPP;
2900
2901        if (!value || !size)
2902                return -EACCES;
2903
2904        rc = security_context_to_sid((void *)value, size, &newsid);
2905        if (rc)
2906                return rc;
2907
2908        isec->sid = newsid;
2909        isec->initialized = 1;
2910        return 0;
2911}
2912
2913static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2914{
2915        const int len = sizeof(XATTR_NAME_SELINUX);
2916        if (buffer && len <= buffer_size)
2917                memcpy(buffer, XATTR_NAME_SELINUX, len);
2918        return len;
2919}
2920
2921static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2922{
2923        struct inode_security_struct *isec = inode->i_security;
2924        *secid = isec->sid;
2925}
2926
2927/* file security operations */
2928
2929static int selinux_revalidate_file_permission(struct file *file, int mask)
2930{
2931        const struct cred *cred = current_cred();
2932        struct inode *inode = file->f_path.dentry->d_inode;
2933
2934        /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2935        if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2936                mask |= MAY_APPEND;
2937
2938        return file_has_perm(cred, file,
2939                             file_mask_to_av(inode->i_mode, mask));
2940}
2941
2942static int selinux_file_permission(struct file *file, int mask)
2943{
2944        struct inode *inode = file->f_path.dentry->d_inode;
2945        struct file_security_struct *fsec = file->f_security;
2946        struct inode_security_struct *isec = inode->i_security;
2947        u32 sid = current_sid();
2948
2949        if (!mask)
2950                /* No permission to check.  Existence test. */
2951                return 0;
2952
2953        if (sid == fsec->sid && fsec->isid == isec->sid &&
2954            fsec->pseqno == avc_policy_seqno())
2955                /* No change since file_open check. */
2956                return 0;
2957
2958        return selinux_revalidate_file_permission(file, mask);
2959}
2960
2961static int selinux_file_alloc_security(struct file *file)
2962{
2963        return file_alloc_security(file);
2964}
2965
2966static void selinux_file_free_security(struct file *file)
2967{
2968        file_free_security(file);
2969}
2970
2971static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2972                              unsigned long arg)
2973{
2974        const struct cred *cred = current_cred();
2975        int error = 0;
2976
2977        switch (cmd) {
2978        case FIONREAD:
2979        /* fall through */
2980        case FIBMAP:
2981        /* fall through */
2982        case FIGETBSZ:
2983        /* fall through */
2984        case FS_IOC_GETFLAGS:
2985        /* fall through */
2986        case FS_IOC_GETVERSION:
2987                error = file_has_perm(cred, file, FILE__GETATTR);
2988                break;
2989
2990        case FS_IOC_SETFLAGS:
2991        /* fall through */
2992        case FS_IOC_SETVERSION:
2993                error = file_has_perm(cred, file, FILE__SETATTR);
2994                break;
2995
2996        /* sys_ioctl() checks */
2997        case FIONBIO:
2998        /* fall through */
2999        case FIOASYNC:
3000                error = file_has_perm(cred, file, 0);
3001                break;
3002
3003        case KDSKBENT:
3004        case KDSKBSENT:
3005                error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3006                                            SECURITY_CAP_AUDIT);
3007                break;
3008
3009        /* default case assumes that the command will go
3010         * to the file's ioctl() function.
3011         */
3012        default:
3013                error = file_has_perm(cred, file, FILE__IOCTL);
3014        }
3015        return error;
3016}
3017
3018static int default_noexec;
3019
3020static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3021{
3022        const struct cred *cred = current_cred();
3023        int rc = 0;
3024
3025        if (default_noexec &&
3026            (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3027                /*
3028                 * We are making executable an anonymous mapping or a
3029                 * private file mapping that will also be writable.
3030                 * This has an additional check.
3031                 */
3032                rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3033                if (rc)
3034                        goto error;
3035        }
3036
3037        if (file) {
3038                /* read access is always possible with a mapping */
3039                u32 av = FILE__READ;
3040
3041                /* write access only matters if the mapping is shared */
3042                if (shared && (prot & PROT_WRITE))
3043                        av |= FILE__WRITE;
3044
3045                if (prot & PROT_EXEC)
3046                        av |= FILE__EXECUTE;
3047
3048                return file_has_perm(cred, file, av);
3049        }
3050
3051error:
3052        return rc;
3053}
3054
3055static int selinux_mmap_addr(unsigned long addr)
3056{
3057        int rc = 0;
3058        u32 sid = current_sid();
3059
3060        /*
3061         * notice that we are intentionally putting the SELinux check before
3062         * the secondary cap_file_mmap check.  This is such a likely attempt
3063         * at bad behaviour/exploit that we always want to get the AVC, even
3064         * if DAC would have also denied the operation.
3065         */
3066        if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3067                rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3068                                  MEMPROTECT__MMAP_ZERO, NULL);
3069                if (rc)
3070                        return rc;
3071        }
3072
3073        /* do DAC check on address space usage */
3074        return cap_mmap_addr(addr);
3075}
3076
3077static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3078                             unsigned long prot, unsigned long flags)
3079{
3080        if (selinux_checkreqprot)
3081                prot = reqprot;
3082
3083        return file_map_prot_check(file, prot,
3084                                   (flags & MAP_TYPE) == MAP_SHARED);
3085}
3086
3087static int selinux_file_mprotect(struct vm_area_struct *vma,
3088                                 unsigned long reqprot,
3089                                 unsigned long prot)
3090{
3091        const struct cred *cred = current_cred();
3092
3093        if (selinux_checkreqprot)
3094                prot = reqprot;
3095
3096        if (default_noexec &&
3097            (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3098                int rc = 0;
3099                if (vma->vm_start >= vma->vm_mm->start_brk &&
3100                    vma->vm_end <= vma->vm_mm->brk) {
3101                        rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3102                } else if (!vma->vm_file &&
3103                           vma->vm_start <= vma->vm_mm->start_stack &&
3104                           vma->vm_end >= vma->vm_mm->start_stack) {
3105                        rc = current_has_perm(current, PROCESS__EXECSTACK);
3106                } else if (vma->vm_file && vma->anon_vma) {
3107                        /*
3108                         * We are making executable a file mapping that has
3109                         * had some COW done. Since pages might have been
3110                         * written, check ability to execute the possibly
3111                         * modified content.  This typically should only
3112                         * occur for text relocations.
3113                         */
3114                        rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3115                }
3116                if (rc)
3117                        return rc;
3118        }
3119
3120        return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3121}
3122
3123static int selinux_file_lock(struct file *file, unsigned int cmd)
3124{
3125        const struct cred *cred = current_cred();
3126
3127        return file_has_perm(cred, file, FILE__LOCK);
3128}
3129
3130static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3131                              unsigned long arg)
3132{
3133        const struct cred *cred = current_cred();
3134        int err = 0;
3135
3136        switch (cmd) {
3137        case F_SETFL:
3138                if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3139                        err = -EINVAL;
3140                        break;
3141                }
3142
3143                if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3144                        err = file_has_perm(cred, file, FILE__WRITE);
3145                        break;
3146                }
3147                /* fall through */
3148        case F_SETOWN:
3149        case F_SETSIG:
3150        case F_GETFL:
3151        case F_GETOWN:
3152        case F_GETSIG:
3153        case F_GETOWNER_UIDS:
3154                /* Just check FD__USE permission */
3155                err = file_has_perm(cred, file, 0);
3156                break;
3157        case F_GETLK:
3158        case F_SETLK:
3159        case F_SETLKW:
3160#if BITS_PER_LONG == 32
3161        case F_GETLK64:
3162        case F_SETLK64:
3163        case F_SETLKW64:
3164#endif
3165                if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3166                        err = -EINVAL;
3167                        break;
3168                }
3169                err = file_has_perm(cred, file, FILE__LOCK);
3170                break;
3171        }
3172
3173        return err;
3174}
3175
3176static int selinux_file_set_fowner(struct file *file)
3177{
3178        struct file_security_struct *fsec;
3179
3180        fsec = file->f_security;
3181        fsec->fown_sid = current_sid();
3182
3183        return 0;
3184}
3185
3186static int selinux_file_send_sigiotask(struct task_struct *tsk,
3187                                       struct fown_struct *fown, int signum)
3188{
3189        struct file *file;
3190        u32 sid = task_sid(tsk);
3191        u32 perm;
3192        struct file_security_struct *fsec;
3193
3194        /* struct fown_struct is never outside the context of a struct file */
3195        file = container_of(fown, struct file, f_owner);
3196
3197        fsec = file->f_security;
3198
3199        if (!signum)
3200                perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3201        else
3202                perm = signal_to_av(signum);
3203
3204        return avc_has_perm(fsec->fown_sid, sid,
3205                            SECCLASS_PROCESS, perm, NULL);
3206}
3207
3208static int selinux_file_receive(struct file *file)
3209{
3210        const struct cred *cred = current_cred();
3211
3212        return file_has_perm(cred, file, file_to_av(file));
3213}
3214
3215static int selinux_file_open(struct file *file, const struct cred *cred)
3216{
3217        struct file_security_struct *fsec;
3218        struct inode_security_struct *isec;
3219
3220        fsec = file->f_security;
3221        isec = file->f_path.dentry->d_inode->i_security;
3222        /*
3223         * Save inode label and policy sequence number
3224         * at open-time so that selinux_file_permission
3225         * can determine whether revalidation is necessary.
3226         * Task label is already saved in the file security
3227         * struct as its SID.
3228         */
3229        fsec->isid = isec->sid;
3230        fsec->pseqno = avc_policy_seqno();
3231        /*
3232         * Since the inode label or policy seqno may have changed
3233         * between the selinux_inode_permission check and the saving
3234         * of state above, recheck that access is still permitted.
3235         * Otherwise, access might never be revalidated against the
3236         * new inode label or new policy.
3237         * This check is not redundant - do not remove.
3238         */
3239        return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3240}
3241
3242/* task security operations */
3243
3244static int selinux_task_create(unsigned long clone_flags)
3245{
3246        return current_has_perm(current, PROCESS__FORK);
3247}
3248
3249/*
3250 * allocate the SELinux part of blank credentials
3251 */
3252static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3253{
3254        struct task_security_struct *tsec;
3255
3256        tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3257        if (!tsec)
3258                return -ENOMEM;
3259
3260        cred->security = tsec;
3261        return 0;
3262}
3263
3264/*
3265 * detach and free the LSM part of a set of credentials
3266 */
3267static void selinux_cred_free(struct cred *cred)
3268{
3269        struct task_security_struct *tsec = cred->security;
3270
3271        /*
3272         * cred->security == NULL if security_cred_alloc_blank() or
3273         * security_prepare_creds() returned an error.
3274         */
3275        BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3276        cred->security = (void *) 0x7UL;
3277        kfree(tsec);
3278}
3279
3280/*
3281 * prepare a new set of credentials for modification
3282 */
3283static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3284                                gfp_t gfp)
3285{
3286        const struct task_security_struct *old_tsec;
3287        struct task_security_struct *tsec;
3288
3289        old_tsec = old->security;
3290
3291        tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3292        if (!tsec)
3293                return -ENOMEM;
3294
3295        new->security = tsec;
3296        return 0;
3297}
3298
3299/*
3300 * transfer the SELinux data to a blank set of creds
3301 */
3302static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3303{
3304        const struct task_security_struct *old_tsec = old->security;
3305        struct task_security_struct *tsec = new->security;
3306
3307        *tsec = *old_tsec;
3308}
3309
3310/*
3311 * set the security data for a kernel service
3312 * - all the creation contexts are set to unlabelled
3313 */
3314static int selinux_kernel_act_as(struct cred *new, u32 secid)
3315{
3316        struct task_security_struct *tsec = new->security;
3317        u32 sid = current_sid();
3318        int ret;
3319
3320        ret = avc_has_perm(sid, secid,
3321                           SECCLASS_KERNEL_SERVICE,
3322                           KERNEL_SERVICE__USE_AS_OVERRIDE,
3323                           NULL);
3324        if (ret == 0) {
3325                tsec->sid = secid;
3326                tsec->create_sid = 0;
3327                tsec->keycreate_sid = 0;
3328                tsec->sockcreate_sid = 0;
3329        }
3330        return ret;
3331}
3332
3333/*
3334 * set the file creation context in a security record to the same as the
3335 * objective context of the specified inode
3336 */
3337static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3338{
3339        struct inode_security_struct *isec = inode->i_security;
3340        struct task_security_struct *tsec = new->security;
3341        u32 sid = current_sid();
3342        int ret;
3343
3344        ret = avc_has_perm(sid, isec->sid,
3345                           SECCLASS_KERNEL_SERVICE,
3346                           KERNEL_SERVICE__CREATE_FILES_AS,
3347                           NULL);
3348
3349        if (ret == 0)
3350                tsec->create_sid = isec->sid;
3351        return ret;
3352}
3353
3354static int selinux_kernel_module_request(char *kmod_name)
3355{
3356        u32 sid;
3357        struct common_audit_data ad;
3358
3359        sid = task_sid(current);
3360
3361        ad.type = LSM_AUDIT_DATA_KMOD;
3362        ad.u.kmod_name = kmod_name;
3363
3364        return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3365                            SYSTEM__MODULE_REQUEST, &ad);
3366}
3367
3368static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3369{
3370        return current_has_perm(p, PROCESS__SETPGID);
3371}
3372
3373static int selinux_task_getpgid(struct task_struct *p)
3374{
3375        return current_has_perm(p, PROCESS__GETPGID);
3376}
3377
3378static int selinux_task_getsid(struct task_struct *p)
3379{
3380        return current_has_perm(p, PROCESS__GETSESSION);
3381}
3382
3383static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3384{
3385        *secid = task_sid(p);
3386}
3387
3388static int selinux_task_setnice(struct task_struct *p, int nice)
3389{
3390        int rc;
3391
3392        rc = cap_task_setnice(p, nice);
3393        if (rc)
3394                return rc;
3395
3396        return current_has_perm(p, PROCESS__SETSCHED);
3397}
3398
3399static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3400{
3401        int rc;
3402
3403        rc = cap_task_setioprio(p, ioprio);
3404        if (rc)
3405                return rc;
3406
3407        return current_has_perm(p, PROCESS__SETSCHED);
3408}
3409
3410static int selinux_task_getioprio(struct task_struct *p)
3411{
3412        return current_has_perm(p, PROCESS__GETSCHED);
3413}
3414
3415static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3416                struct rlimit *new_rlim)
3417{
3418        struct rlimit *old_rlim = p->signal->rlim + resource;
3419
3420        /* Control the ability to change the hard limit (whether
3421           lowering or raising it), so that the hard limit can
3422           later be used as a safe reset point for the soft limit
3423           upon context transitions.  See selinux_bprm_committing_creds. */
3424        if (old_rlim->rlim_max != new_rlim->rlim_max)
3425                return current_has_perm(p, PROCESS__SETRLIMIT);
3426
3427        return 0;
3428}
3429
3430static int selinux_task_setscheduler(struct task_struct *p)
3431{
3432        int rc;
3433
3434        rc = cap_task_setscheduler(p);
3435        if (rc)
3436                return rc;
3437
3438        return current_has_perm(p, PROCESS__SETSCHED);
3439}
3440
3441static int selinux_task_getscheduler(struct task_struct *p)
3442{
3443        return current_has_perm(p, PROCESS__GETSCHED);
3444}
3445
3446static int selinux_task_movememory(struct task_struct *p)
3447{
3448        return current_has_perm(p, PROCESS__SETSCHED);
3449}
3450
3451static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3452                                int sig, u32 secid)
3453{
3454        u32 perm;
3455        int rc;
3456
3457        if (!sig)
3458                perm = PROCESS__SIGNULL; /* null signal; existence test */
3459        else
3460                perm = signal_to_av(sig);
3461        if (secid)
3462                rc = avc_has_perm(secid, task_sid(p),
3463                                  SECCLASS_PROCESS, perm, NULL);
3464        else
3465                rc = current_has_perm(p, perm);
3466        return rc;
3467}
3468
3469static int selinux_task_wait(struct task_struct *p)
3470{
3471        return task_has_perm(p, current, PROCESS__SIGCHLD);
3472}
3473
3474static void selinux_task_to_inode(struct task_struct *p,
3475                                  struct inode *inode)
3476{
3477        struct inode_security_struct *isec = inode->i_security;
3478        u32 sid = task_sid(p);
3479
3480        isec->sid = sid;
3481        isec->initialized = 1;
3482}
3483
3484/* Returns error only if unable to parse addresses */
3485static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3486                        struct common_audit_data *ad, u8 *proto)
3487{
3488        int offset, ihlen, ret = -EINVAL;
3489        struct iphdr _iph, *ih;
3490
3491        offset = skb_network_offset(skb);
3492        ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3493        if (ih == NULL)
3494                goto out;
3495
3496        ihlen = ih->ihl * 4;
3497        if (ihlen < sizeof(_iph))
3498                goto out;
3499
3500        ad->u.net->v4info.saddr = ih->saddr;
3501        ad->u.net->v4info.daddr = ih->daddr;
3502        ret = 0;
3503
3504        if (proto)
3505                *proto = ih->protocol;
3506
3507        switch (ih->protocol) {
3508        case IPPROTO_TCP: {
3509                struct tcphdr _tcph, *th;
3510
3511                if (ntohs(ih->frag_off) & IP_OFFSET)
3512                        break;
3513
3514                offset += ihlen;
3515                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3516                if (th == NULL)
3517                        break;
3518
3519                ad->u.net->sport = th->source;
3520                ad->u.net->dport = th->dest;
3521                break;
3522        }
3523
3524        case IPPROTO_UDP: {
3525                struct udphdr _udph, *uh;
3526
3527                if (ntohs(ih->frag_off) & IP_OFFSET)
3528                        break;
3529
3530                offset += ihlen;
3531                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3532                if (uh == NULL)
3533                        break;
3534
3535                ad->u.net->sport = uh->source;
3536                ad->u.net->dport = uh->dest;
3537                break;
3538        }
3539
3540        case IPPROTO_DCCP: {
3541                struct dccp_hdr _dccph, *dh;
3542
3543                if (ntohs(ih->frag_off) & IP_OFFSET)
3544                        break;
3545
3546                offset += ihlen;
3547                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3548                if (dh == NULL)
3549                        break;
3550
3551                ad->u.net->sport = dh->dccph_sport;
3552                ad->u.net->dport = dh->dccph_dport;
3553                break;
3554        }
3555
3556        default:
3557                break;
3558        }
3559out:
3560        return ret;
3561}
3562
3563#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3564
3565/* Returns error only if unable to parse addresses */
3566static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3567                        struct common_audit_data *ad, u8 *proto)
3568{
3569        u8 nexthdr;
3570        int ret = -EINVAL, offset;
3571        struct ipv6hdr _ipv6h, *ip6;
3572        __be16 frag_off;
3573
3574        offset = skb_network_offset(skb);
3575        ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3576        if (ip6 == NULL)
3577                goto out;
3578
3579        ad->u.net->v6info.saddr = ip6->saddr;
3580        ad->u.net->v6info.daddr = ip6->daddr;
3581        ret = 0;
3582
3583        nexthdr = ip6->nexthdr;
3584        offset += sizeof(_ipv6h);
3585        offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3586        if (offset < 0)
3587                goto out;
3588
3589        if (proto)
3590                *proto = nexthdr;
3591
3592        switch (nexthdr) {
3593        case IPPROTO_TCP: {
3594                struct tcphdr _tcph, *th;
3595
3596                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3597                if (th == NULL)
3598                        break;
3599
3600                ad->u.net->sport = th->source;
3601                ad->u.net->dport = th->dest;
3602                break;
3603        }
3604
3605        case IPPROTO_UDP: {
3606                struct udphdr _udph, *uh;
3607
3608                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3609                if (uh == NULL)
3610                        break;
3611
3612                ad->u.net->sport = uh->source;
3613                ad->u.net->dport = uh->dest;
3614                break;
3615        }
3616
3617        case IPPROTO_DCCP: {
3618                struct dccp_hdr _dccph, *dh;
3619
3620                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3621                if (dh == NULL)
3622                        break;
3623
3624                ad->u.net->sport = dh->dccph_sport;
3625                ad->u.net->dport = dh->dccph_dport;
3626                break;
3627        }
3628
3629        /* includes fragments */
3630        default:
3631                break;
3632        }
3633out:
3634        return ret;
3635}
3636
3637#endif /* IPV6 */
3638
3639static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3640                             char **_addrp, int src, u8 *proto)
3641{
3642        char *addrp;
3643        int ret;
3644
3645        switch (ad->u.net->family) {
3646        case PF_INET:
3647                ret = selinux_parse_skb_ipv4(skb, ad, proto);
3648                if (ret)
3649                        goto parse_error;
3650                addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3651                                       &ad->u.net->v4info.daddr);
3652                goto okay;
3653
3654#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3655        case PF_INET6:
3656                ret = selinux_parse_skb_ipv6(skb, ad, proto);
3657                if (ret)
3658                        goto parse_error;
3659                addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3660                                       &ad->u.net->v6info.daddr);
3661                goto okay;
3662#endif  /* IPV6 */
3663        default:
3664                addrp = NULL;
3665                goto okay;
3666        }
3667
3668parse_error:
3669        printk(KERN_WARNING
3670               "SELinux: failure in selinux_parse_skb(),"
3671               " unable to parse packet\n");
3672        return ret;
3673
3674okay:
3675        if (_addrp)
3676                *_addrp = addrp;
3677        return 0;
3678}
3679
3680/**
3681 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3682 * @skb: the packet
3683 * @family: protocol family
3684 * @sid: the packet's peer label SID
3685 *
3686 * Description:
3687 * Check the various different forms of network peer labeling and determine
3688 * the peer label/SID for the packet; most of the magic actually occurs in
3689 * the security server function security_net_peersid_cmp().  The function
3690 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3691 * or -EACCES if @sid is invalid due to inconsistencies with the different
3692 * peer labels.
3693 *
3694 */
3695static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3696{
3697        int err;
3698        u32 xfrm_sid;
3699        u32 nlbl_sid;
3700        u32 nlbl_type;
3701
3702        selinux_skb_xfrm_sid(skb, &xfrm_sid);
3703        selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3704
3705        err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3706        if (unlikely(err)) {
3707                printk(KERN_WARNING
3708                       "SELinux: failure in selinux_skb_peerlbl_sid(),"
3709                       " unable to determine packet's peer label\n");
3710                return -EACCES;
3711        }
3712
3713        return 0;
3714}
3715
3716/* socket security operations */
3717
3718static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3719                                 u16 secclass, u32 *socksid)
3720{
3721        if (tsec->sockcreate_sid > SECSID_NULL) {
3722                *socksid = tsec->sockcreate_sid;
3723                return 0;
3724        }
3725
3726        return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3727                                       socksid);
3728}
3729
3730static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3731{
3732        struct sk_security_struct *sksec = sk->sk_security;
3733        struct common_audit_data ad;
3734        struct lsm_network_audit net = {0,};
3735        u32 tsid = task_sid(task);
3736
3737        if (sksec->sid == SECINITSID_KERNEL)
3738                return 0;
3739
3740        ad.type = LSM_AUDIT_DATA_NET;
3741        ad.u.net = &net;
3742        ad.u.net->sk = sk;
3743
3744        return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3745}
3746
3747static int selinux_socket_create(int family, int type,
3748                                 int protocol, int kern)
3749{
3750        const struct task_security_struct *tsec = current_security();
3751        u32 newsid;
3752        u16 secclass;
3753        int rc;
3754
3755        if (kern)
3756                return 0;
3757
3758        secclass = socket_type_to_security_class(family, type, protocol);
3759        rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3760        if (rc)
3761                return rc;
3762
3763        return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3764}
3765
3766static int selinux_socket_post_create(struct socket *sock, int family,
3767                                      int type, int protocol, int kern)
3768{
3769        const struct task_security_struct *tsec = current_security();
3770        struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3771        struct sk_security_struct *sksec;
3772        int err = 0;
3773
3774        isec->sclass = socket_type_to_security_class(family, type, protocol);
3775
3776        if (kern)
3777                isec->sid = SECINITSID_KERNEL;
3778        else {
3779                err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3780                if (err)
3781                        return err;
3782        }
3783
3784        isec->initialized = 1;
3785
3786        if (sock->sk) {
3787                sksec = sock->sk->sk_security;
3788                sksec->sid = isec->sid;
3789                sksec->sclass = isec->sclass;
3790                err = selinux_netlbl_socket_post_create(sock->sk, family);
3791        }
3792
3793        return err;
3794}
3795
3796/* Range of port numbers used to automatically bind.
3797   Need to determine whether we should perform a name_bind
3798   permission check between the socket and the port number. */
3799
3800static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3801{
3802        struct sock *sk = sock->sk;
3803        u16 family;
3804        int err;
3805
3806        err = sock_has_perm(current, sk, SOCKET__BIND);
3807        if (err)
3808                goto out;
3809
3810        /*
3811         * If PF_INET or PF_INET6, check name_bind permission for the port.
3812         * Multiple address binding for SCTP is not supported yet: we just
3813         * check the first address now.
3814         */
3815        family = sk->sk_family;
3816        if (family == PF_INET || family == PF_INET6) {
3817                char *addrp;
3818                struct sk_security_struct *sksec = sk->sk_security;
3819                struct common_audit_data ad;
3820                struct lsm_network_audit net = {0,};
3821                struct sockaddr_in *addr4 = NULL;
3822                struct sockaddr_in6 *addr6 = NULL;
3823                unsigned short snum;
3824                u32 sid, node_perm;
3825
3826                if (family == PF_INET) {
3827                        addr4 = (struct sockaddr_in *)address;
3828                        snum = ntohs(addr4->sin_port);
3829                        addrp = (char *)&addr4->sin_addr.s_addr;
3830                } else {
3831                        addr6 = (struct sockaddr_in6 *)address;
3832                        snum = ntohs(addr6->sin6_port);
3833                        addrp = (char *)&addr6->sin6_addr.s6_addr;
3834                }
3835
3836                if (snum) {
3837                        int low, high;
3838
3839                        inet_get_local_port_range(&low, &high);
3840
3841                        if (snum < max(PROT_SOCK, low) || snum > high) {
3842                                err = sel_netport_sid(sk->sk_protocol,
3843                                                      snum, &sid);
3844                                if (err)
3845                                        goto out;
3846                                ad.type = LSM_AUDIT_DATA_NET;
3847                                ad.u.net = &net;
3848                                ad.u.net->sport = htons(snum);
3849                                ad.u.net->family = family;
3850                                err = avc_has_perm(sksec->sid, sid,
3851                                                   sksec->sclass,
3852                                                   SOCKET__NAME_BIND, &ad);
3853                                if (err)
3854                                        goto out;
3855                        }
3856                }
3857
3858                switch (sksec->sclass) {
3859                case SECCLASS_TCP_SOCKET:
3860                        node_perm = TCP_SOCKET__NODE_BIND;
3861                        break;
3862
3863                case SECCLASS_UDP_SOCKET:
3864                        node_perm = UDP_SOCKET__NODE_BIND;
3865                        break;
3866
3867                case SECCLASS_DCCP_SOCKET:
3868                        node_perm = DCCP_SOCKET__NODE_BIND;
3869                        break;
3870
3871                default:
3872                        node_perm = RAWIP_SOCKET__NODE_BIND;
3873                        break;
3874                }
3875
3876                err = sel_netnode_sid(addrp, family, &sid);
3877                if (err)
3878                        goto out;
3879
3880                ad.type = LSM_AUDIT_DATA_NET;
3881                ad.u.net = &net;
3882                ad.u.net->sport = htons(snum);
3883                ad.u.net->family = family;
3884
3885                if (family == PF_INET)
3886                        ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3887                else
3888                        ad.u.net->v6info.saddr = addr6->sin6_addr;
3889
3890                err = avc_has_perm(sksec->sid, sid,
3891                                   sksec->sclass, node_perm, &ad);
3892                if (err)
3893                        goto out;
3894        }
3895out:
3896        return err;
3897}
3898
3899static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3900{
3901        struct sock *sk = sock->sk;
3902        struct sk_security_struct *sksec = sk->sk_security;
3903        int err;
3904
3905        err = sock_has_perm(current, sk, SOCKET__CONNECT);
3906        if (err)
3907                return err;
3908
3909        /*
3910         * If a TCP or DCCP socket, check name_connect permission for the port.
3911         */
3912        if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3913            sksec->sclass == SECCLASS_DCCP_SOCKET) {
3914                struct common_audit_data ad;
3915                struct lsm_network_audit net = {0,};
3916                struct sockaddr_in *addr4 = NULL;
3917                struct sockaddr_in6 *addr6 = NULL;
3918                unsigned short snum;
3919                u32 sid, perm;
3920
3921                if (sk->sk_family == PF_INET) {
3922                        addr4 = (struct sockaddr_in *)address;
3923                        if (addrlen < sizeof(struct sockaddr_in))
3924                                return -EINVAL;
3925                        snum = ntohs(addr4->sin_port);
3926                } else {
3927                        addr6 = (struct sockaddr_in6 *)address;
3928                        if (addrlen < SIN6_LEN_RFC2133)
3929                                return -EINVAL;
3930                        snum = ntohs(addr6->sin6_port);
3931                }
3932
3933                err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3934                if (err)
3935                        goto out;
3936
3937                perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3938                       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3939
3940                ad.type = LSM_AUDIT_DATA_NET;
3941                ad.u.net = &net;
3942                ad.u.net->dport = htons(snum);
3943                ad.u.net->family = sk->sk_family;
3944                err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3945                if (err)
3946                        goto out;
3947        }
3948
3949        err = selinux_netlbl_socket_connect(sk, address);
3950
3951out:
3952        return err;
3953}
3954
3955static int selinux_socket_listen(struct socket *sock, int backlog)
3956{
3957        return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3958}
3959
3960static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3961{
3962        int err;
3963        struct inode_security_struct *isec;
3964        struct inode_security_struct *newisec;
3965
3966        err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3967        if (err)
3968                return err;
3969
3970        newisec = SOCK_INODE(newsock)->i_security;
3971
3972        isec = SOCK_INODE(sock)->i_security;
3973        newisec->sclass = isec->sclass;
3974        newisec->sid = isec->sid;
3975        newisec->initialized = 1;
3976
3977        return 0;
3978}
3979
3980static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3981                                  int size)
3982{
3983        return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3984}
3985
3986static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3987                                  int size, int flags)
3988{
3989        return sock_has_perm(current, sock->sk, SOCKET__READ);
3990}
3991
3992static int selinux_socket_getsockname(struct socket *sock)
3993{
3994        return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3995}
3996
3997static int selinux_socket_getpeername(struct socket *sock)
3998{
3999        return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4000}
4001
4002static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4003{
4004        int err;
4005
4006        err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4007        if (err)
4008                return err;
4009
4010        return selinux_netlbl_socket_setsockopt(sock, level, optname);
4011}
4012
4013static int selinux_socket_getsockopt(struct socket *sock, int level,
4014                                     int optname)
4015{
4016        return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4017}
4018
4019static int selinux_socket_shutdown(struct socket *sock, int how)
4020{
4021        return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4022}
4023
4024static int selinux_socket_unix_stream_connect(struct sock *sock,
4025                                              struct sock *other,
4026                                              struct sock *newsk)
4027{
4028        struct sk_security_struct *sksec_sock = sock->sk_security;
4029        struct sk_security_struct *sksec_other = other->sk_security;
4030        struct sk_security_struct *sksec_new = newsk->sk_security;
4031        struct common_audit_data ad;
4032        struct lsm_network_audit net = {0,};
4033        int err;
4034
4035        ad.type = LSM_AUDIT_DATA_NET;
4036        ad.u.net = &net;
4037        ad.u.net->sk = other;
4038
4039        err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4040                           sksec_other->sclass,
4041                           UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4042        if (err)
4043                return err;
4044
4045        /* server child socket */
4046        sksec_new->peer_sid = sksec_sock->sid;
4047        err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4048                                    &sksec_new->sid);
4049        if (err)
4050                return err;
4051
4052        /* connecting socket */
4053        sksec_sock->peer_sid = sksec_new->sid;
4054
4055        return 0;
4056}
4057
4058static int selinux_socket_unix_may_send(struct socket *sock,
4059                                        struct socket *other)
4060{
4061        struct sk_security_struct *ssec = sock->sk->sk_security;
4062        struct sk_security_struct *osec = other->sk->sk_security;
4063        struct common_audit_data ad;
4064        struct lsm_network_audit net = {0,};
4065
4066        ad.type = LSM_AUDIT_DATA_NET;
4067        ad.u.net = &net;
4068        ad.u.net->sk = other->sk;
4069
4070        return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4071                            &ad);
4072}
4073
4074static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4075                                    u32 peer_sid,
4076                                    struct common_audit_data *ad)
4077{
4078        int err;
4079        u32 if_sid;
4080        u32 node_sid;
4081
4082        err = sel_netif_sid(ifindex, &if_sid);
4083        if (err)
4084                return err;
4085        err = avc_has_perm(peer_sid, if_sid,
4086                           SECCLASS_NETIF, NETIF__INGRESS, ad);
4087        if (err)
4088                return err;
4089
4090        err = sel_netnode_sid(addrp, family, &node_sid);
4091        if (err)
4092                return err;
4093        return avc_has_perm(peer_sid, node_sid,
4094                            SECCLASS_NODE, NODE__RECVFROM, ad);
4095}
4096
4097static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4098                                       u16 family)
4099{
4100        int err = 0;
4101        struct sk_security_struct *sksec = sk->sk_security;
4102        u32 sk_sid = sksec->sid;
4103        struct common_audit_data ad;
4104        struct lsm_network_audit net = {0,};
4105        char *addrp;
4106
4107        ad.type = LSM_AUDIT_DATA_NET;
4108        ad.u.net = &net;
4109        ad.u.net->netif = skb->skb_iif;
4110        ad.u.net->family = family;
4111        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4112        if (err)
4113                return err;
4114
4115        if (selinux_secmark_enabled()) {
4116                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4117                                   PACKET__RECV, &ad);
4118                if (err)
4119                        return err;
4120        }
4121
4122        err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4123        if (err)
4124                return err;
4125        err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4126
4127        return err;
4128}
4129
4130static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4131{
4132        int err;
4133        struct sk_security_struct *sksec = sk->sk_security;
4134        u16 family = sk->sk_family;
4135        u32 sk_sid = sksec->sid;
4136        struct common_audit_data ad;
4137        struct lsm_network_audit net = {0,};
4138        char *addrp;
4139        u8 secmark_active;
4140        u8 peerlbl_active;
4141
4142        if (family != PF_INET && family != PF_INET6)
4143                return 0;
4144
4145        /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4146        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4147                family = PF_INET;
4148
4149        /* If any sort of compatibility mode is enabled then handoff processing
4150         * to the selinux_sock_rcv_skb_compat() function to deal with the
4151         * special handling.  We do this in an attempt to keep this function
4152         * as fast and as clean as possible. */
4153        if (!selinux_policycap_netpeer)
4154                return selinux_sock_rcv_skb_compat(sk, skb, family);
4155
4156        secmark_active = selinux_secmark_enabled();
4157        peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4158        if (!secmark_active && !peerlbl_active)
4159                return 0;
4160
4161        ad.type = LSM_AUDIT_DATA_NET;
4162        ad.u.net = &net;
4163        ad.u.net->netif = skb->skb_iif;
4164        ad.u.net->family = family;
4165        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4166        if (err)
4167                return err;
4168
4169        if (peerlbl_active) {
4170                u32 peer_sid;
4171
4172                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4173                if (err)
4174                        return err;
4175                err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4176                                               peer_sid, &ad);
4177                if (err) {
4178                        selinux_netlbl_err(skb, err, 0);
4179                        return err;
4180                }
4181                err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4182                                   PEER__RECV, &ad);
4183                if (err)
4184                        selinux_netlbl_err(skb, err, 0);
4185        }
4186
4187        if (secmark_active) {
4188                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4189                                   PACKET__RECV, &ad);
4190                if (err)
4191                        return err;
4192        }
4193
4194        return err;
4195}
4196
4197static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4198                                            int __user *optlen, unsigned len)
4199{
4200        int err = 0;
4201        char *scontext;
4202        u32 scontext_len;
4203        struct sk_security_struct *sksec = sock->sk->sk_security;
4204        u32 peer_sid = SECSID_NULL;
4205
4206        if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4207            sksec->sclass == SECCLASS_TCP_SOCKET)
4208                peer_sid = sksec->peer_sid;
4209        if (peer_sid == SECSID_NULL)
4210                return -ENOPROTOOPT;
4211
4212        err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4213        if (err)
4214                return err;
4215
4216        if (scontext_len > len) {
4217                err = -ERANGE;
4218                goto out_len;
4219        }
4220
4221        if (copy_to_user(optval, scontext, scontext_len))
4222                err = -EFAULT;
4223
4224out_len:
4225        if (put_user(scontext_len, optlen))
4226                err = -EFAULT;
4227        kfree(scontext);
4228        return err;
4229}
4230
4231static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4232{
4233        u32 peer_secid = SECSID_NULL;
4234        u16 family;
4235
4236        if (skb && skb->protocol == htons(ETH_P_IP))
4237                family = PF_INET;
4238        else if (skb && skb->protocol == htons(ETH_P_IPV6))
4239                family = PF_INET6;
4240        else if (sock)
4241                family = sock->sk->sk_family;
4242        else
4243                goto out;
4244
4245        if (sock && family == PF_UNIX)
4246                selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4247        else if (skb)
4248                selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4249
4250out:
4251        *secid = peer_secid;
4252        if (peer_secid == SECSID_NULL)
4253                return -EINVAL;
4254        return 0;
4255}
4256
4257static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4258{
4259        struct sk_security_struct *sksec;
4260
4261        sksec = kzalloc(sizeof(*sksec), priority);
4262        if (!sksec)
4263                return -ENOMEM;
4264
4265        sksec->peer_sid = SECINITSID_UNLABELED;
4266        sksec->sid = SECINITSID_UNLABELED;
4267        selinux_netlbl_sk_security_reset(sksec);
4268        sk->sk_security = sksec;
4269
4270        return 0;
4271}
4272
4273static void selinux_sk_free_security(struct sock *sk)
4274{
4275        struct sk_security_struct *sksec = sk->sk_security;
4276
4277        sk->sk_security = NULL;
4278        selinux_netlbl_sk_security_free(sksec);
4279        kfree(sksec);
4280}
4281
4282static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4283{
4284        struct sk_security_struct *sksec = sk->sk_security;
4285        struct sk_security_struct *newsksec = newsk->sk_security;
4286
4287        newsksec->sid = sksec->sid;
4288        newsksec->peer_sid = sksec->peer_sid;
4289        newsksec->sclass = sksec->sclass;
4290
4291        selinux_netlbl_sk_security_reset(newsksec);
4292}
4293
4294static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4295{
4296        if (!sk)
4297                *secid = SECINITSID_ANY_SOCKET;
4298        else {
4299                struct sk_security_struct *sksec = sk->sk_security;
4300
4301                *secid = sksec->sid;
4302        }
4303}
4304
4305static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4306{
4307        struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4308        struct sk_security_struct *sksec = sk->sk_security;
4309
4310        if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4311            sk->sk_family == PF_UNIX)
4312                isec->sid = sksec->sid;
4313        sksec->sclass = isec->sclass;
4314}
4315
4316static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4317                                     struct request_sock *req)
4318{
4319        struct sk_security_struct *sksec = sk->sk_security;
4320        int err;
4321        u16 family = sk->sk_family;
4322        u32 newsid;
4323        u32 peersid;
4324
4325        /* handle mapped IPv4 packets arriving via IPv6 sockets */
4326        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4327                family = PF_INET;
4328
4329        err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4330        if (err)
4331                return err;
4332        if (peersid == SECSID_NULL) {
4333                req->secid = sksec->sid;
4334                req->peer_secid = SECSID_NULL;
4335        } else {
4336                err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4337                if (err)
4338                        return err;
4339                req->secid = newsid;
4340                req->peer_secid = peersid;
4341        }
4342
4343        return selinux_netlbl_inet_conn_request(req, family);
4344}
4345
4346static void selinux_inet_csk_clone(struct sock *newsk,
4347                                   const struct request_sock *req)
4348{
4349        struct sk_security_struct *newsksec = newsk->sk_security;
4350
4351        newsksec->sid = req->secid;
4352        newsksec->peer_sid = req->peer_secid;
4353        /* NOTE: Ideally, we should also get the isec->sid for the
4354           new socket in sync, but we don't have the isec available yet.
4355           So we will wait until sock_graft to do it, by which
4356           time it will have been created and available. */
4357
4358        /* We don't need to take any sort of lock here as we are the only
4359         * thread with access to newsksec */
4360        selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4361}
4362
4363static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4364{
4365        u16 family = sk->sk_family;
4366        struct sk_security_struct *sksec = sk->sk_security;
4367
4368        /* handle mapped IPv4 packets arriving via IPv6 sockets */
4369        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4370                family = PF_INET;
4371
4372        selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4373}
4374
4375static int selinux_secmark_relabel_packet(u32 sid)
4376{
4377        const struct task_security_struct *__tsec;
4378        u32 tsid;
4379
4380        __tsec = current_security();
4381        tsid = __tsec->sid;
4382
4383        return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4384}
4385
4386static void selinux_secmark_refcount_inc(void)
4387{
4388        atomic_inc(&selinux_secmark_refcount);
4389}
4390
4391static void selinux_secmark_refcount_dec(void)
4392{
4393        atomic_dec(&selinux_secmark_refcount);
4394}
4395
4396static void selinux_req_classify_flow(const struct request_sock *req,
4397                                      struct flowi *fl)
4398{
4399        fl->flowi_secid = req->secid;
4400}
4401
4402static int selinux_tun_dev_create(void)
4403{
4404        u32 sid = current_sid();
4405
4406        /* we aren't taking into account the "sockcreate" SID since the socket
4407         * that is being created here is not a socket in the traditional sense,
4408         * instead it is a private sock, accessible only to the kernel, and
4409         * representing a wide range of network traffic spanning multiple
4410         * connections unlike traditional sockets - check the TUN driver to
4411         * get a better understanding of why this socket is special */
4412
4413        return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4414                            NULL);
4415}
4416
4417static void selinux_tun_dev_post_create(struct sock *sk)
4418{
4419        struct sk_security_struct *sksec = sk->sk_security;
4420
4421        /* we don't currently perform any NetLabel based labeling here and it
4422         * isn't clear that we would want to do so anyway; while we could apply
4423         * labeling without the support of the TUN user the resulting labeled
4424         * traffic from the other end of the connection would almost certainly
4425         * cause confusion to the TUN user that had no idea network labeling
4426         * protocols were being used */
4427
4428        /* see the comments in selinux_tun_dev_create() about why we don't use
4429         * the sockcreate SID here */
4430
4431        sksec->sid = current_sid();
4432        sksec->sclass = SECCLASS_TUN_SOCKET;
4433}
4434
4435static int selinux_tun_dev_attach(struct sock *sk)
4436{
4437        struct sk_security_struct *sksec = sk->sk_security;
4438        u32 sid = current_sid();
4439        int err;
4440
4441        err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4442                           TUN_SOCKET__RELABELFROM, NULL);
4443        if (err)
4444                return err;
4445        err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4446                           TUN_SOCKET__RELABELTO, NULL);
4447        if (err)
4448                return err;
4449
4450        sksec->sid = sid;
4451
4452        return 0;
4453}
4454
4455static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4456{
4457        int err = 0;
4458        u32 perm;
4459        struct nlmsghdr *nlh;
4460        struct sk_security_struct *sksec = sk->sk_security;
4461
4462        if (skb->len < NLMSG_SPACE(0)) {
4463                err = -EINVAL;
4464                goto out;
4465        }
4466        nlh = nlmsg_hdr(skb);
4467
4468        err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4469        if (err) {
4470                if (err == -EINVAL) {
4471                        audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4472                                  "SELinux:  unrecognized netlink message"
4473                                  " type=%hu for sclass=%hu\n",
4474                                  nlh->nlmsg_type, sksec->sclass);
4475                        if (!selinux_enforcing || security_get_allow_unknown())
4476                                err = 0;
4477                }
4478
4479                /* Ignore */
4480                if (err == -ENOENT)
4481                        err = 0;
4482                goto out;
4483        }
4484
4485        err = sock_has_perm(current, sk, perm);
4486out:
4487        return err;
4488}
4489
4490#ifdef CONFIG_NETFILTER
4491
4492static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4493                                       u16 family)
4494{
4495        int err;
4496        char *addrp;
4497        u32 peer_sid;
4498        struct common_audit_data ad;
4499        struct lsm_network_audit net = {0,};
4500        u8 secmark_active;
4501        u8 netlbl_active;
4502        u8 peerlbl_active;
4503
4504        if (!selinux_policycap_netpeer)
4505                return NF_ACCEPT;
4506
4507        secmark_active = selinux_secmark_enabled();
4508        netlbl_active = netlbl_enabled();
4509        peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4510        if (!secmark_active && !peerlbl_active)
4511                return NF_ACCEPT;
4512
4513        if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4514                return NF_DROP;
4515
4516        ad.type = LSM_AUDIT_DATA_NET;
4517        ad.u.net = &net;
4518        ad.u.net->netif = ifindex;
4519        ad.u.net->family = family;
4520        if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4521                return NF_DROP;
4522
4523        if (peerlbl_active) {
4524                err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4525                                               peer_sid, &ad);
4526                if (err) {
4527                        selinux_netlbl_err(skb, err, 1);
4528                        return NF_DROP;
4529                }
4530        }
4531
4532        if (secmark_active)
4533                if (avc_has_perm(peer_sid, skb->secmark,
4534                                 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4535                        return NF_DROP;
4536
4537        if (netlbl_active)
4538                /* we do this in the FORWARD path and not the POST_ROUTING
4539                 * path because we want to make sure we apply the necessary
4540                 * labeling before IPsec is applied so we can leverage AH
4541                 * protection */
4542                if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4543                        return NF_DROP;
4544
4545        return NF_ACCEPT;
4546}
4547
4548static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4549                                         struct sk_buff *skb,
4550                                         const struct net_device *in,
4551                                         const struct net_device *out,
4552                                         int (*okfn)(struct sk_buff *))
4553{
4554        return selinux_ip_forward(skb, in->ifindex, PF_INET);
4555}
4556
4557#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4558static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4559                                         struct sk_buff *skb,
4560                                         const struct net_device *in,
4561                                         const struct net_device *out,
4562                                         int (*okfn)(struct sk_buff *))
4563{
4564        return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4565}
4566#endif  /* IPV6 */
4567
4568static unsigned int selinux_ip_output(struct sk_buff *skb,
4569                                      u16 family)
4570{
4571        u32 sid;
4572
4573        if (!netlbl_enabled())
4574                return NF_ACCEPT;
4575
4576        /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4577         * because we want to make sure we apply the necessary labeling
4578         * before IPsec is applied so we can leverage AH protection */
4579        if (skb->sk) {
4580                struct sk_security_struct *sksec = skb->sk->sk_security;
4581                sid = sksec->sid;
4582        } else
4583                sid = SECINITSID_KERNEL;
4584        if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4585                return NF_DROP;
4586
4587        return NF_ACCEPT;
4588}
4589
4590static unsigned int selinux_ipv4_output(unsigned int hooknum,
4591                                        struct sk_buff *skb,
4592                                        const struct net_device *in,
4593                                        const struct net_device *out,
4594                                        int (*okfn)(struct sk_buff *))
4595{
4596        return selinux_ip_output(skb, PF_INET);
4597}
4598
4599static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4600                                                int ifindex,
4601                                                u16 family)
4602{
4603        struct sock *sk = skb->sk;
4604        struct sk_security_struct *sksec;
4605        struct common_audit_data ad;
4606        struct lsm_network_audit net = {0,};
4607        char *addrp;
4608        u8 proto;
4609
4610        if (sk == NULL)
4611                return NF_ACCEPT;
4612        sksec = sk->sk_security;
4613
4614        ad.type = LSM_AUDIT_DATA_NET;
4615        ad.u.net = &net;
4616        ad.u.net->netif = ifindex;
4617        ad.u.net->family = family;
4618        if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4619                return NF_DROP;
4620
4621        if (selinux_secmark_enabled())
4622                if (avc_has_perm(sksec->sid, skb->secmark,
4623                                 SECCLASS_PACKET, PACKET__SEND, &ad))
4624                        return NF_DROP_ERR(-ECONNREFUSED);
4625
4626        if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4627                return NF_DROP_ERR(-ECONNREFUSED);
4628
4629        return NF_ACCEPT;
4630}
4631
4632static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4633                                         u16 family)
4634{
4635        u32 secmark_perm;
4636        u32 peer_sid;
4637        struct sock *sk;
4638        struct common_audit_data ad;
4639        struct lsm_network_audit net = {0,};
4640        char *addrp;
4641        u8 secmark_active;
4642        u8 peerlbl_active;
4643
4644        /* If any sort of compatibility mode is enabled then handoff processing
4645         * to the selinux_ip_postroute_compat() function to deal with the
4646         * special handling.  We do this in an attempt to keep this function
4647         * as fast and as clean as possible. */
4648        if (!selinux_policycap_netpeer)
4649                return selinux_ip_postroute_compat(skb, ifindex, family);
4650#ifdef CONFIG_XFRM
4651        /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4652         * packet transformation so allow the packet to pass without any checks
4653         * since we'll have another chance to perform access control checks
4654         * when the packet is on it's final way out.
4655         * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4656         *       is NULL, in this case go ahead and apply access control. */
4657        if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4658                return NF_ACCEPT;
4659#endif
4660        secmark_active = selinux_secmark_enabled();
4661        peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4662        if (!secmark_active && !peerlbl_active)
4663                return NF_ACCEPT;
4664
4665        /* if the packet is being forwarded then get the peer label from the
4666         * packet itself; otherwise check to see if it is from a local
4667         * application or the kernel, if from an application get the peer label
4668         * from the sending socket, otherwise use the kernel's sid */
4669        sk = skb->sk;
4670        if (sk == NULL) {
4671                if (skb->skb_iif) {
4672                        secmark_perm = PACKET__FORWARD_OUT;
4673                        if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4674                                return NF_DROP;
4675                } else {
4676                        secmark_perm = PACKET__SEND;
4677                        peer_sid = SECINITSID_KERNEL;
4678                }
4679        } else {
4680                struct sk_security_struct *sksec = sk->sk_security;
4681                peer_sid = sksec->sid;
4682                secmark_perm = PACKET__SEND;
4683        }
4684
4685        ad.type = LSM_AUDIT_DATA_NET;
4686        ad.u.net = &net;
4687        ad.u.net->netif = ifindex;
4688        ad.u.net->family = family;
4689        if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4690                return NF_DROP;
4691
4692        if (secmark_active)
4693                if (avc_has_perm(peer_sid, skb->secmark,
4694                                 SECCLASS_PACKET, secmark_perm, &ad))
4695                        return NF_DROP_ERR(-ECONNREFUSED);
4696
4697        if (peerlbl_active) {
4698                u32 if_sid;
4699                u32 node_sid;
4700
4701                if (sel_netif_sid(ifindex, &if_sid))
4702                        return NF_DROP;
4703                if (avc_has_perm(peer_sid, if_sid,
4704                                 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4705                        return NF_DROP_ERR(-ECONNREFUSED);
4706
4707                if (sel_netnode_sid(addrp, family, &node_sid))
4708                        return NF_DROP;
4709                if (avc_has_perm(peer_sid, node_sid,
4710                                 SECCLASS_NODE, NODE__SENDTO, &ad))
4711                        return NF_DROP_ERR(-ECONNREFUSED);
4712        }
4713
4714        return NF_ACCEPT;
4715}
4716
4717static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4718                                           struct sk_buff *skb,
4719                                           const struct net_device *in,
4720                                           const struct net_device *out,
4721                                           int (*okfn)(struct sk_buff *))
4722{
4723        return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4724}
4725
4726#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4727static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4728                                           struct sk_buff *skb,
4729                                           const struct net_device *in,
4730                                           const struct net_device *out,
4731                                           int (*okfn)(struct sk_buff *))
4732{
4733        return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4734}
4735#endif  /* IPV6 */
4736
4737#endif  /* CONFIG_NETFILTER */
4738
4739static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4740{
4741        int err;
4742
4743        err = cap_netlink_send(sk, skb);
4744        if (err)
4745                return err;
4746
4747        return selinux_nlmsg_perm(sk, skb);
4748}
4749
4750static int ipc_alloc_security(struct task_struct *task,
4751                              struct kern_ipc_perm *perm,
4752                              u16 sclass)
4753{
4754        struct ipc_security_struct *isec;
4755        u32 sid;
4756
4757        isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4758        if (!isec)
4759                return -ENOMEM;
4760
4761        sid = task_sid(task);
4762        isec->sclass = sclass;
4763        isec->sid = sid;
4764        perm->security = isec;
4765
4766        return 0;
4767}
4768
4769static void ipc_free_security(struct kern_ipc_perm *perm)
4770{
4771        struct ipc_security_struct *isec = perm->security;
4772        perm->security = NULL;
4773        kfree(isec);
4774}
4775
4776static int msg_msg_alloc_security(struct msg_msg *msg)
4777{
4778        struct msg_security_struct *msec;
4779
4780        msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4781        if (!msec)
4782                return -ENOMEM;
4783
4784        msec->sid = SECINITSID_UNLABELED;
4785        msg->security = msec;
4786
4787        return 0;
4788}
4789
4790static void msg_msg_free_security(struct msg_msg *msg)
4791{
4792        struct msg_security_struct *msec = msg->security;
4793
4794        msg->security = NULL;
4795        kfree(msec);
4796}
4797
4798static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4799                        u32 perms)
4800{
4801        struct ipc_security_struct *isec;
4802        struct common_audit_data ad;
4803        u32 sid = current_sid();
4804
4805        isec = ipc_perms->security;
4806
4807        ad.type = LSM_AUDIT_DATA_IPC;
4808        ad.u.ipc_id = ipc_perms->key;
4809
4810        return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4811}
4812
4813static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4814{
4815        return msg_msg_alloc_security(msg);
4816}
4817
4818static void selinux_msg_msg_free_security(struct msg_msg *msg)
4819{
4820        msg_msg_free_security(msg);
4821}
4822
4823/* message queue security operations */
4824static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4825{
4826        struct ipc_security_struct *isec;
4827        struct common_audit_data ad;
4828        u32 sid = current_sid();
4829        int rc;
4830
4831        rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4832        if (rc)
4833                return rc;
4834
4835        isec = msq->q_perm.security;
4836
4837        ad.type = LSM_AUDIT_DATA_IPC;
4838        ad.u.ipc_id = msq->q_perm.key;
4839
4840        rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4841                          MSGQ__CREATE, &ad);
4842        if (rc) {
4843                ipc_free_security(&msq->q_perm);
4844                return rc;
4845        }
4846        return 0;
4847}
4848
4849static void selinux_msg_queue_free_security(struct msg_queue *msq)
4850{
4851        ipc_free_security(&msq->q_perm);
4852}
4853
4854static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4855{
4856        struct ipc_security_struct *isec;
4857        struct common_audit_data ad;
4858        u32 sid = current_sid();
4859
4860        isec = msq->q_perm.security;
4861
4862        ad.type = LSM_AUDIT_DATA_IPC;
4863        ad.u.ipc_id = msq->q_perm.key;
4864
4865        return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4866                            MSGQ__ASSOCIATE, &ad);
4867}
4868
4869static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4870{
4871        int err;
4872        int perms;
4873
4874        switch (cmd) {
4875        case IPC_INFO:
4876        case MSG_INFO:
4877                /* No specific object, just general system-wide information. */
4878                return task_has_system(current, SYSTEM__IPC_INFO);
4879        case IPC_STAT:
4880        case MSG_STAT:
4881                perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4882                break;
4883        case IPC_SET:
4884                perms = MSGQ__SETATTR;
4885                break;
4886        case IPC_RMID:
4887                perms = MSGQ__DESTROY;
4888                break;
4889        default:
4890                return 0;
4891        }
4892
4893        err = ipc_has_perm(&msq->q_perm, perms);
4894        return err;
4895}
4896
4897static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4898{
4899        struct ipc_security_struct *isec;
4900        struct msg_security_struct *msec;
4901        struct common_audit_data ad;
4902        u32 sid = current_sid();
4903        int rc;
4904
4905        isec = msq->q_perm.security;
4906        msec = msg->security;
4907
4908        /*
4909         * First time through, need to assign label to the message
4910         */
4911        if (msec->sid == SECINITSID_UNLABELED) {
4912                /*
4913                 * Compute new sid based on current process and
4914                 * message queue this message will be stored in
4915                 */
4916                rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4917                                             NULL, &msec->sid);
4918                if (rc)
4919                        return rc;
4920        }
4921
4922        ad.type = LSM_AUDIT_DATA_IPC;
4923        ad.u.ipc_id = msq->q_perm.key;
4924
4925        /* Can this process write to the queue? */
4926        rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4927                          MSGQ__WRITE, &ad);
4928        if (!rc)
4929                /* Can this process send the message */
4930                rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4931                                  MSG__SEND, &ad);
4932        if (!rc)
4933                /* Can the message be put in the queue? */
4934                rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4935                                  MSGQ__ENQUEUE, &ad);
4936
4937        return rc;
4938}
4939
4940static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4941                                    struct task_struct *target,
4942                                    long type, int mode)
4943{
4944        struct ipc_security_struct *isec;
4945        struct msg_security_struct *msec;
4946        struct common_audit_data ad;
4947        u32 sid = task_sid(target);
4948        int rc;
4949
4950        isec = msq->q_perm.security;
4951        msec = msg->security;
4952
4953        ad.type = LSM_AUDIT_DATA_IPC;
4954        ad.u.ipc_id = msq->q_perm.key;
4955
4956        rc = avc_has_perm(sid, isec->sid,
4957                          SECCLASS_MSGQ, MSGQ__READ, &ad);
4958        if (!rc)
4959                rc = avc_has_perm(sid, msec->sid,
4960                                  SECCLASS_MSG, MSG__RECEIVE, &ad);
4961        return rc;
4962}
4963
4964/* Shared Memory security operations */
4965static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4966{
4967        struct ipc_security_struct *isec;
4968        struct common_audit_data ad;
4969        u32 sid = current_sid();
4970        int rc;
4971
4972        rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4973        if (rc)
4974                return rc;
4975
4976        isec = shp->shm_perm.security;
4977
4978        ad.type = LSM_AUDIT_DATA_IPC;
4979        ad.u.ipc_id = shp->shm_perm.key;
4980
4981        rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4982                          SHM__CREATE, &ad);
4983        if (rc) {
4984                ipc_free_security(&shp->shm_perm);
4985                return rc;
4986        }
4987        return 0;
4988}
4989
4990static void selinux_shm_free_security(struct shmid_kernel *shp)
4991{
4992        ipc_free_security(&shp->shm_perm);
4993}
4994
4995static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4996{
4997        struct ipc_security_struct *isec;
4998        struct common_audit_data ad;
4999        u32 sid = current_sid();
5000
5001        isec = shp->shm_perm.security;
5002
5003        ad.type = LSM_AUDIT_DATA_IPC;
5004        ad.u.ipc_id = shp->shm_perm.key;
5005
5006        return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5007                            SHM__ASSOCIATE, &ad);
5008}
5009
5010/* Note, at this point, shp is locked down */
5011static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5012{
5013        int perms;
5014        int err;
5015
5016        switch (cmd) {
5017        case IPC_INFO:
5018        case SHM_INFO:
5019                /* No specific object, just general system-wide information. */
5020                return task_has_system(current, SYSTEM__IPC_INFO);
5021        case IPC_STAT:
5022        case SHM_STAT:
5023                perms = SHM__GETATTR | SHM__ASSOCIATE;
5024                break;
5025        case IPC_SET:
5026                perms = SHM__SETATTR;
5027                break;
5028        case SHM_LOCK:
5029        case SHM_UNLOCK:
5030                perms = SHM__LOCK;
5031                break;
5032        case IPC_RMID:
5033                perms = SHM__DESTROY;
5034                break;
5035        default:
5036                return 0;
5037        }
5038
5039        err = ipc_has_perm(&shp->shm_perm, perms);
5040        return err;
5041}
5042
5043static int selinux_shm_shmat(struct shmid_kernel *shp,
5044                             char __user *shmaddr, int shmflg)
5045{
5046        u32 perms;
5047
5048        if (shmflg & SHM_RDONLY)
5049                perms = SHM__READ;
5050        else
5051                perms = SHM__READ | SHM__WRITE;
5052
5053        return ipc_has_perm(&shp->shm_perm, perms);
5054}
5055
5056/* Semaphore security operations */
5057static int selinux_sem_alloc_security(struct sem_array *sma)
5058{
5059        struct ipc_security_struct *isec;
5060        struct common_audit_data ad;
5061        u32 sid = current_sid();
5062        int rc;
5063
5064        rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5065        if (rc)
5066                return rc;
5067
5068        isec = sma->sem_perm.security;
5069
5070        ad.type = LSM_AUDIT_DATA_IPC;
5071        ad.u.ipc_id = sma->sem_perm.key;
5072
5073        rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5074                          SEM__CREATE, &ad);
5075        if (rc) {
5076                ipc_free_security(&sma->sem_perm);
5077                return rc;
5078        }
5079        return 0;
5080}
5081
5082static void selinux_sem_free_security(struct sem_array *sma)
5083{
5084        ipc_free_security(&sma->sem_perm);
5085}
5086
5087static int selinux_sem_associate(struct sem_array *sma, int semflg)
5088{
5089        struct ipc_security_struct *isec;
5090        struct common_audit_data ad;
5091        u32 sid = current_sid();
5092
5093        isec = sma->sem_perm.security;
5094
5095        ad.type = LSM_AUDIT_DATA_IPC;
5096        ad.u.ipc_id = sma->sem_perm.key;
5097
5098        return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5099                            SEM__ASSOCIATE, &ad);
5100}
5101
5102/* Note, at this point, sma is locked down */
5103static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5104{
5105        int err;
5106        u32 perms;
5107
5108        switch (cmd) {
5109        case IPC_INFO:
5110        case SEM_INFO:
5111                /* No specific object, just general system-wide information. */
5112                return task_has_system(current, SYSTEM__IPC_INFO);
5113        case GETPID:
5114        case GETNCNT:
5115        case GETZCNT:
5116                perms = SEM__GETATTR;
5117                break;
5118        case GETVAL:
5119        case GETALL:
5120                perms = SEM__READ;
5121                break;
5122        case SETVAL:
5123        case SETALL:
5124                perms = SEM__WRITE;
5125                break;
5126        case IPC_RMID:
5127                perms = SEM__DESTROY;
5128                break;
5129        case IPC_SET:
5130                perms = SEM__SETATTR;
5131                break;
5132        case IPC_STAT:
5133        case SEM_STAT:
5134                perms = SEM__GETATTR | SEM__ASSOCIATE;
5135                break;
5136        default:
5137                return 0;
5138        }
5139
5140        err = ipc_has_perm(&sma->sem_perm, perms);
5141        return err;
5142}
5143
5144static int selinux_sem_semop(struct sem_array *sma,
5145                             struct sembuf *sops, unsigned nsops, int alter)
5146{
5147        u32 perms;
5148
5149        if (alter)
5150                perms = SEM__READ | SEM__WRITE;
5151        else
5152                perms = SEM__READ;
5153
5154        return ipc_has_perm(&sma->sem_perm, perms);
5155}
5156
5157static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5158{
5159        u32 av = 0;
5160
5161        av = 0;
5162        if (flag & S_IRUGO)
5163                av |= IPC__UNIX_READ;
5164        if (flag & S_IWUGO)
5165                av |= IPC__UNIX_WRITE;
5166
5167        if (av == 0)
5168                return 0;
5169
5170        return ipc_has_perm(ipcp, av);
5171}
5172
5173static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5174{
5175        struct ipc_security_struct *isec = ipcp->security;
5176        *secid = isec->sid;
5177}
5178
5179static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5180{
5181        if (inode)
5182                inode_doinit_with_dentry(inode, dentry);
5183}
5184
5185static int selinux_getprocattr(struct task_struct *p,
5186                               char *name, char **value)
5187{
5188        const struct task_security_struct *__tsec;
5189        u32 sid;
5190        int error;
5191        unsigned len;
5192
5193        if (current != p) {
5194                error = current_has_perm(p, PROCESS__GETATTR);
5195                if (error)
5196                        return error;
5197        }
5198
5199        rcu_read_lock();
5200        __tsec = __task_cred(p)->security;
5201
5202        if (!strcmp(name, "current"))
5203                sid = __tsec->sid;
5204        else if (!strcmp(name, "prev"))
5205                sid = __tsec->osid;
5206        else if (!strcmp(name, "exec"))
5207                sid = __tsec->exec_sid;
5208        else if (!strcmp(name, "fscreate"))
5209                sid = __tsec->create_sid;
5210        else if (!strcmp(name, "keycreate"))
5211                sid = __tsec->keycreate_sid;
5212        else if (!strcmp(name, "sockcreate"))
5213                sid = __tsec->sockcreate_sid;
5214        else
5215                goto invalid;
5216        rcu_read_unlock();
5217
5218        if (!sid)
5219                return 0;
5220
5221        error = security_sid_to_context(sid, value, &len);
5222        if (error)
5223                return error;
5224        return len;
5225
5226invalid:
5227        rcu_read_unlock();
5228        return -EINVAL;
5229}
5230
5231static int selinux_setprocattr(struct task_struct *p,
5232                               char *name, void *value, size_t size)
5233{
5234        struct task_security_struct *tsec;
5235        struct task_struct *tracer;
5236        struct cred *new;
5237        u32 sid = 0, ptsid;
5238        int error;
5239        char *str = value;
5240
5241        if (current != p) {
5242                /* SELinux only allows a process to change its own
5243                   security attributes. */
5244                return -EACCES;
5245        }
5246
5247        /*
5248         * Basic control over ability to set these attributes at all.
5249         * current == p, but we'll pass them separately in case the
5250         * above restriction is ever removed.
5251         */
5252        if (!strcmp(name, "exec"))
5253                error = current_has_perm(p, PROCESS__SETEXEC);
5254        else if (!strcmp(name, "fscreate"))
5255                error = current_has_perm(p, PROCESS__SETFSCREATE);
5256        else if (!strcmp(name, "keycreate"))
5257                error = current_has_perm(p, PROCESS__SETKEYCREATE);
5258        else if (!strcmp(name, "sockcreate"))
5259                error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5260        else if (!strcmp(name, "current"))
5261                error = current_has_perm(p, PROCESS__SETCURRENT);
5262        else
5263                error = -EINVAL;
5264        if (error)
5265                return error;
5266
5267        /* Obtain a SID for the context, if one was specified. */
5268        if (size && str[1] && str[1] != '\n') {
5269                if (str[size-1] == '\n') {
5270                        str[size-1] = 0;
5271                        size--;
5272                }
5273                error = security_context_to_sid(value, size, &sid);
5274                if (error == -EINVAL && !strcmp(name, "fscreate")) {
5275                        if (!capable(CAP_MAC_ADMIN)) {
5276                                struct audit_buffer *ab;
5277                                size_t audit_size;
5278
5279                                /* We strip a nul only if it is at the end, otherwise the
5280                                 * context contains a nul and we should audit that */
5281                                if (str[size - 1] == '\0')
5282                                        audit_size = size - 1;
5283                                else
5284                                        audit_size = size;
5285                                ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5286                                audit_log_format(ab, "op=fscreate invalid_context=");