linux/security/selinux/hooks.c
<<
>>
Prefs
   1/*
   2 *  NSA Security-Enhanced Linux (SELinux) security module
   3 *
   4 *  This file contains the SELinux hook function implementations.
   5 *
   6 *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
   7 *            Chris Vance, <cvance@nai.com>
   8 *            Wayne Salamon, <wsalamon@nai.com>
   9 *            James Morris <jmorris@redhat.com>
  10 *
  11 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  12 *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
  13 *                                         Eric Paris <eparis@redhat.com>
  14 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  15 *                          <dgoeddel@trustedcs.com>
  16 *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  17 *              Paul Moore <paul.moore@hp.com>
  18 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  19 *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
  20 *
  21 *      This program is free software; you can redistribute it and/or modify
  22 *      it under the terms of the GNU General Public License version 2,
  23 *      as published by the Free Software Foundation.
  24 */
  25
  26#include <linux/init.h>
  27#include <linux/kernel.h>
  28#include <linux/tracehook.h>
  29#include <linux/errno.h>
  30#include <linux/sched.h>
  31#include <linux/security.h>
  32#include <linux/xattr.h>
  33#include <linux/capability.h>
  34#include <linux/unistd.h>
  35#include <linux/mm.h>
  36#include <linux/mman.h>
  37#include <linux/slab.h>
  38#include <linux/pagemap.h>
  39#include <linux/swap.h>
  40#include <linux/spinlock.h>
  41#include <linux/syscalls.h>
  42#include <linux/file.h>
  43#include <linux/fdtable.h>
  44#include <linux/namei.h>
  45#include <linux/mount.h>
  46#include <linux/proc_fs.h>
  47#include <linux/netfilter_ipv4.h>
  48#include <linux/netfilter_ipv6.h>
  49#include <linux/tty.h>
  50#include <net/icmp.h>
  51#include <net/ip.h>             /* for local_port_range[] */
  52#include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
  53#include <net/net_namespace.h>
  54#include <net/netlabel.h>
  55#include <linux/uaccess.h>
  56#include <asm/ioctls.h>
  57#include <asm/atomic.h>
  58#include <linux/bitops.h>
  59#include <linux/interrupt.h>
  60#include <linux/netdevice.h>    /* for network interface checks */
  61#include <linux/netlink.h>
  62#include <linux/tcp.h>
  63#include <linux/udp.h>
  64#include <linux/dccp.h>
  65#include <linux/quota.h>
  66#include <linux/un.h>           /* for Unix socket types */
  67#include <net/af_unix.h>        /* for Unix socket types */
  68#include <linux/parser.h>
  69#include <linux/nfs_mount.h>
  70#include <net/ipv6.h>
  71#include <linux/hugetlb.h>
  72#include <linux/personality.h>
  73#include <linux/sysctl.h>
  74#include <linux/audit.h>
  75#include <linux/string.h>
  76#include <linux/selinux.h>
  77#include <linux/mutex.h>
  78
  79#include "avc.h"
  80#include "objsec.h"
  81#include "netif.h"
  82#include "netnode.h"
  83#include "netport.h"
  84#include "xfrm.h"
  85#include "netlabel.h"
  86#include "audit.h"
  87
  88#define XATTR_SELINUX_SUFFIX "selinux"
  89#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
  90
  91#define NUM_SEL_MNT_OPTS 4
  92
  93extern unsigned int policydb_loaded_version;
  94extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
  95extern int selinux_compat_net;
  96extern struct security_operations *security_ops;
  97
  98/* SECMARK reference count */
  99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 100
 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 102int selinux_enforcing;
 103
 104static int __init enforcing_setup(char *str)
 105{
 106        unsigned long enforcing;
 107        if (!strict_strtoul(str, 0, &enforcing))
 108                selinux_enforcing = enforcing ? 1 : 0;
 109        return 1;
 110}
 111__setup("enforcing=", enforcing_setup);
 112#endif
 113
 114#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 115int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 116
 117static int __init selinux_enabled_setup(char *str)
 118{
 119        unsigned long enabled;
 120        if (!strict_strtoul(str, 0, &enabled))
 121                selinux_enabled = enabled ? 1 : 0;
 122        return 1;
 123}
 124__setup("selinux=", selinux_enabled_setup);
 125#else
 126int selinux_enabled = 1;
 127#endif
 128
 129
 130/*
 131 * Minimal support for a secondary security module,
 132 * just to allow the use of the capability module.
 133 */
 134static struct security_operations *secondary_ops;
 135
 136/* Lists of inode and superblock security structures initialized
 137   before the policy was loaded. */
 138static LIST_HEAD(superblock_security_head);
 139static DEFINE_SPINLOCK(sb_security_lock);
 140
 141static struct kmem_cache *sel_inode_cache;
 142
 143/**
 144 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
 145 *
 146 * Description:
 147 * This function checks the SECMARK reference counter to see if any SECMARK
 148 * targets are currently configured, if the reference counter is greater than
 149 * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
 150 * enabled, false (0) if SECMARK is disabled.
 151 *
 152 */
 153static int selinux_secmark_enabled(void)
 154{
 155        return (atomic_read(&selinux_secmark_refcount) > 0);
 156}
 157
 158/* Allocate and free functions for each kind of security blob. */
 159
 160static int task_alloc_security(struct task_struct *task)
 161{
 162        struct task_security_struct *tsec;
 163
 164        tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
 165        if (!tsec)
 166                return -ENOMEM;
 167
 168        tsec->osid = tsec->sid = SECINITSID_UNLABELED;
 169        task->security = tsec;
 170
 171        return 0;
 172}
 173
 174static void task_free_security(struct task_struct *task)
 175{
 176        struct task_security_struct *tsec = task->security;
 177        task->security = NULL;
 178        kfree(tsec);
 179}
 180
 181static int inode_alloc_security(struct inode *inode)
 182{
 183        struct task_security_struct *tsec = current->security;
 184        struct inode_security_struct *isec;
 185
 186        isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
 187        if (!isec)
 188                return -ENOMEM;
 189
 190        mutex_init(&isec->lock);
 191        INIT_LIST_HEAD(&isec->list);
 192        isec->inode = inode;
 193        isec->sid = SECINITSID_UNLABELED;
 194        isec->sclass = SECCLASS_FILE;
 195        isec->task_sid = tsec->sid;
 196        inode->i_security = isec;
 197
 198        return 0;
 199}
 200
 201static void inode_free_security(struct inode *inode)
 202{
 203        struct inode_security_struct *isec = inode->i_security;
 204        struct superblock_security_struct *sbsec = inode->i_sb->s_security;
 205
 206        spin_lock(&sbsec->isec_lock);
 207        if (!list_empty(&isec->list))
 208                list_del_init(&isec->list);
 209        spin_unlock(&sbsec->isec_lock);
 210
 211        inode->i_security = NULL;
 212        kmem_cache_free(sel_inode_cache, isec);
 213}
 214
 215static int file_alloc_security(struct file *file)
 216{
 217        struct task_security_struct *tsec = current->security;
 218        struct file_security_struct *fsec;
 219
 220        fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
 221        if (!fsec)
 222                return -ENOMEM;
 223
 224        fsec->sid = tsec->sid;
 225        fsec->fown_sid = tsec->sid;
 226        file->f_security = fsec;
 227
 228        return 0;
 229}
 230
 231static void file_free_security(struct file *file)
 232{
 233        struct file_security_struct *fsec = file->f_security;
 234        file->f_security = NULL;
 235        kfree(fsec);
 236}
 237
 238static int superblock_alloc_security(struct super_block *sb)
 239{
 240        struct superblock_security_struct *sbsec;
 241
 242        sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
 243        if (!sbsec)
 244                return -ENOMEM;
 245
 246        mutex_init(&sbsec->lock);
 247        INIT_LIST_HEAD(&sbsec->list);
 248        INIT_LIST_HEAD(&sbsec->isec_head);
 249        spin_lock_init(&sbsec->isec_lock);
 250        sbsec->sb = sb;
 251        sbsec->sid = SECINITSID_UNLABELED;
 252        sbsec->def_sid = SECINITSID_FILE;
 253        sbsec->mntpoint_sid = SECINITSID_UNLABELED;
 254        sb->s_security = sbsec;
 255
 256        return 0;
 257}
 258
 259static void superblock_free_security(struct super_block *sb)
 260{
 261        struct superblock_security_struct *sbsec = sb->s_security;
 262
 263        spin_lock(&sb_security_lock);
 264        if (!list_empty(&sbsec->list))
 265                list_del_init(&sbsec->list);
 266        spin_unlock(&sb_security_lock);
 267
 268        sb->s_security = NULL;
 269        kfree(sbsec);
 270}
 271
 272static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
 273{
 274        struct sk_security_struct *ssec;
 275
 276        ssec = kzalloc(sizeof(*ssec), priority);
 277        if (!ssec)
 278                return -ENOMEM;
 279
 280        ssec->peer_sid = SECINITSID_UNLABELED;
 281        ssec->sid = SECINITSID_UNLABELED;
 282        sk->sk_security = ssec;
 283
 284        selinux_netlbl_sk_security_reset(ssec, family);
 285
 286        return 0;
 287}
 288
 289static void sk_free_security(struct sock *sk)
 290{
 291        struct sk_security_struct *ssec = sk->sk_security;
 292
 293        sk->sk_security = NULL;
 294        kfree(ssec);
 295}
 296
 297/* The security server must be initialized before
 298   any labeling or access decisions can be provided. */
 299extern int ss_initialized;
 300
 301/* The file system's label must be initialized prior to use. */
 302
 303static char *labeling_behaviors[6] = {
 304        "uses xattr",
 305        "uses transition SIDs",
 306        "uses task SIDs",
 307        "uses genfs_contexts",
 308        "not configured for labeling",
 309        "uses mountpoint labeling",
 310};
 311
 312static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 313
 314static inline int inode_doinit(struct inode *inode)
 315{
 316        return inode_doinit_with_dentry(inode, NULL);
 317}
 318
 319enum {
 320        Opt_error = -1,
 321        Opt_context = 1,
 322        Opt_fscontext = 2,
 323        Opt_defcontext = 3,
 324        Opt_rootcontext = 4,
 325};
 326
 327static match_table_t tokens = {
 328        {Opt_context, CONTEXT_STR "%s"},
 329        {Opt_fscontext, FSCONTEXT_STR "%s"},
 330        {Opt_defcontext, DEFCONTEXT_STR "%s"},
 331        {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
 332        {Opt_error, NULL},
 333};
 334
 335#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
 336
 337static int may_context_mount_sb_relabel(u32 sid,
 338                        struct superblock_security_struct *sbsec,
 339                        struct task_security_struct *tsec)
 340{
 341        int rc;
 342
 343        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 344                          FILESYSTEM__RELABELFROM, NULL);
 345        if (rc)
 346                return rc;
 347
 348        rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
 349                          FILESYSTEM__RELABELTO, NULL);
 350        return rc;
 351}
 352
 353static int may_context_mount_inode_relabel(u32 sid,
 354                        struct superblock_security_struct *sbsec,
 355                        struct task_security_struct *tsec)
 356{
 357        int rc;
 358        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 359                          FILESYSTEM__RELABELFROM, NULL);
 360        if (rc)
 361                return rc;
 362
 363        rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
 364                          FILESYSTEM__ASSOCIATE, NULL);
 365        return rc;
 366}
 367
 368static int sb_finish_set_opts(struct super_block *sb)
 369{
 370        struct superblock_security_struct *sbsec = sb->s_security;
 371        struct dentry *root = sb->s_root;
 372        struct inode *root_inode = root->d_inode;
 373        int rc = 0;
 374
 375        if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 376                /* Make sure that the xattr handler exists and that no
 377                   error other than -ENODATA is returned by getxattr on
 378                   the root directory.  -ENODATA is ok, as this may be
 379                   the first boot of the SELinux kernel before we have
 380                   assigned xattr values to the filesystem. */
 381                if (!root_inode->i_op->getxattr) {
 382                        printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
 383                               "xattr support\n", sb->s_id, sb->s_type->name);
 384                        rc = -EOPNOTSUPP;
 385                        goto out;
 386                }
 387                rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
 388                if (rc < 0 && rc != -ENODATA) {
 389                        if (rc == -EOPNOTSUPP)
 390                                printk(KERN_WARNING "SELinux: (dev %s, type "
 391                                       "%s) has no security xattr handler\n",
 392                                       sb->s_id, sb->s_type->name);
 393                        else
 394                                printk(KERN_WARNING "SELinux: (dev %s, type "
 395                                       "%s) getxattr errno %d\n", sb->s_id,
 396                                       sb->s_type->name, -rc);
 397                        goto out;
 398                }
 399        }
 400
 401        sbsec->initialized = 1;
 402
 403        if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
 404                printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
 405                       sb->s_id, sb->s_type->name);
 406        else
 407                printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
 408                       sb->s_id, sb->s_type->name,
 409                       labeling_behaviors[sbsec->behavior-1]);
 410
 411        /* Initialize the root inode. */
 412        rc = inode_doinit_with_dentry(root_inode, root);
 413
 414        /* Initialize any other inodes associated with the superblock, e.g.
 415           inodes created prior to initial policy load or inodes created
 416           during get_sb by a pseudo filesystem that directly
 417           populates itself. */
 418        spin_lock(&sbsec->isec_lock);
 419next_inode:
 420        if (!list_empty(&sbsec->isec_head)) {
 421                struct inode_security_struct *isec =
 422                                list_entry(sbsec->isec_head.next,
 423                                           struct inode_security_struct, list);
 424                struct inode *inode = isec->inode;
 425                spin_unlock(&sbsec->isec_lock);
 426                inode = igrab(inode);
 427                if (inode) {
 428                        if (!IS_PRIVATE(inode))
 429                                inode_doinit(inode);
 430                        iput(inode);
 431                }
 432                spin_lock(&sbsec->isec_lock);
 433                list_del_init(&isec->list);
 434                goto next_inode;
 435        }
 436        spin_unlock(&sbsec->isec_lock);
 437out:
 438        return rc;
 439}
 440
 441/*
 442 * This function should allow an FS to ask what it's mount security
 443 * options were so it can use those later for submounts, displaying
 444 * mount options, or whatever.
 445 */
 446static int selinux_get_mnt_opts(const struct super_block *sb,
 447                                struct security_mnt_opts *opts)
 448{
 449        int rc = 0, i;
 450        struct superblock_security_struct *sbsec = sb->s_security;
 451        char *context = NULL;
 452        u32 len;
 453        char tmp;
 454
 455        security_init_mnt_opts(opts);
 456
 457        if (!sbsec->initialized)
 458                return -EINVAL;
 459
 460        if (!ss_initialized)
 461                return -EINVAL;
 462
 463        /*
 464         * if we ever use sbsec flags for anything other than tracking mount
 465         * settings this is going to need a mask
 466         */
 467        tmp = sbsec->flags;
 468        /* count the number of mount options for this sb */
 469        for (i = 0; i < 8; i++) {
 470                if (tmp & 0x01)
 471                        opts->num_mnt_opts++;
 472                tmp >>= 1;
 473        }
 474
 475        opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
 476        if (!opts->mnt_opts) {
 477                rc = -ENOMEM;
 478                goto out_free;
 479        }
 480
 481        opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
 482        if (!opts->mnt_opts_flags) {
 483                rc = -ENOMEM;
 484                goto out_free;
 485        }
 486
 487        i = 0;
 488        if (sbsec->flags & FSCONTEXT_MNT) {
 489                rc = security_sid_to_context(sbsec->sid, &context, &len);
 490                if (rc)
 491                        goto out_free;
 492                opts->mnt_opts[i] = context;
 493                opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
 494        }
 495        if (sbsec->flags & CONTEXT_MNT) {
 496                rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
 497                if (rc)
 498                        goto out_free;
 499                opts->mnt_opts[i] = context;
 500                opts->mnt_opts_flags[i++] = CONTEXT_MNT;
 501        }
 502        if (sbsec->flags & DEFCONTEXT_MNT) {
 503                rc = security_sid_to_context(sbsec->def_sid, &context, &len);
 504                if (rc)
 505                        goto out_free;
 506                opts->mnt_opts[i] = context;
 507                opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
 508        }
 509        if (sbsec->flags & ROOTCONTEXT_MNT) {
 510                struct inode *root = sbsec->sb->s_root->d_inode;
 511                struct inode_security_struct *isec = root->i_security;
 512
 513                rc = security_sid_to_context(isec->sid, &context, &len);
 514                if (rc)
 515                        goto out_free;
 516                opts->mnt_opts[i] = context;
 517                opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
 518        }
 519
 520        BUG_ON(i != opts->num_mnt_opts);
 521
 522        return 0;
 523
 524out_free:
 525        security_free_mnt_opts(opts);
 526        return rc;
 527}
 528
 529static int bad_option(struct superblock_security_struct *sbsec, char flag,
 530                      u32 old_sid, u32 new_sid)
 531{
 532        /* check if the old mount command had the same options */
 533        if (sbsec->initialized)
 534                if (!(sbsec->flags & flag) ||
 535                    (old_sid != new_sid))
 536                        return 1;
 537
 538        /* check if we were passed the same options twice,
 539         * aka someone passed context=a,context=b
 540         */
 541        if (!sbsec->initialized)
 542                if (sbsec->flags & flag)
 543                        return 1;
 544        return 0;
 545}
 546
 547/*
 548 * Allow filesystems with binary mount data to explicitly set mount point
 549 * labeling information.
 550 */
 551static int selinux_set_mnt_opts(struct super_block *sb,
 552                                struct security_mnt_opts *opts)
 553{
 554        int rc = 0, i;
 555        struct task_security_struct *tsec = current->security;
 556        struct superblock_security_struct *sbsec = sb->s_security;
 557        const char *name = sb->s_type->name;
 558        struct inode *inode = sbsec->sb->s_root->d_inode;
 559        struct inode_security_struct *root_isec = inode->i_security;
 560        u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 561        u32 defcontext_sid = 0;
 562        char **mount_options = opts->mnt_opts;
 563        int *flags = opts->mnt_opts_flags;
 564        int num_opts = opts->num_mnt_opts;
 565
 566        mutex_lock(&sbsec->lock);
 567
 568        if (!ss_initialized) {
 569                if (!num_opts) {
 570                        /* Defer initialization until selinux_complete_init,
 571                           after the initial policy is loaded and the security
 572                           server is ready to handle calls. */
 573                        spin_lock(&sb_security_lock);
 574                        if (list_empty(&sbsec->list))
 575                                list_add(&sbsec->list, &superblock_security_head);
 576                        spin_unlock(&sb_security_lock);
 577                        goto out;
 578                }
 579                rc = -EINVAL;
 580                printk(KERN_WARNING "SELinux: Unable to set superblock options "
 581                        "before the security server is initialized\n");
 582                goto out;
 583        }
 584
 585        /*
 586         * Binary mount data FS will come through this function twice.  Once
 587         * from an explicit call and once from the generic calls from the vfs.
 588         * Since the generic VFS calls will not contain any security mount data
 589         * we need to skip the double mount verification.
 590         *
 591         * This does open a hole in which we will not notice if the first
 592         * mount using this sb set explict options and a second mount using
 593         * this sb does not set any security options.  (The first options
 594         * will be used for both mounts)
 595         */
 596        if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
 597            && (num_opts == 0))
 598                goto out;
 599
 600        /*
 601         * parse the mount options, check if they are valid sids.
 602         * also check if someone is trying to mount the same sb more
 603         * than once with different security options.
 604         */
 605        for (i = 0; i < num_opts; i++) {
 606                u32 sid;
 607                rc = security_context_to_sid(mount_options[i],
 608                                             strlen(mount_options[i]), &sid);
 609                if (rc) {
 610                        printk(KERN_WARNING "SELinux: security_context_to_sid"
 611                               "(%s) failed for (dev %s, type %s) errno=%d\n",
 612                               mount_options[i], sb->s_id, name, rc);
 613                        goto out;
 614                }
 615                switch (flags[i]) {
 616                case FSCONTEXT_MNT:
 617                        fscontext_sid = sid;
 618
 619                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
 620                                        fscontext_sid))
 621                                goto out_double_mount;
 622
 623                        sbsec->flags |= FSCONTEXT_MNT;
 624                        break;
 625                case CONTEXT_MNT:
 626                        context_sid = sid;
 627
 628                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
 629                                        context_sid))
 630                                goto out_double_mount;
 631
 632                        sbsec->flags |= CONTEXT_MNT;
 633                        break;
 634                case ROOTCONTEXT_MNT:
 635                        rootcontext_sid = sid;
 636
 637                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
 638                                        rootcontext_sid))
 639                                goto out_double_mount;
 640
 641                        sbsec->flags |= ROOTCONTEXT_MNT;
 642
 643                        break;
 644                case DEFCONTEXT_MNT:
 645                        defcontext_sid = sid;
 646
 647                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
 648                                        defcontext_sid))
 649                                goto out_double_mount;
 650
 651                        sbsec->flags |= DEFCONTEXT_MNT;
 652
 653                        break;
 654                default:
 655                        rc = -EINVAL;
 656                        goto out;
 657                }
 658        }
 659
 660        if (sbsec->initialized) {
 661                /* previously mounted with options, but not on this attempt? */
 662                if (sbsec->flags && !num_opts)
 663                        goto out_double_mount;
 664                rc = 0;
 665                goto out;
 666        }
 667
 668        if (strcmp(sb->s_type->name, "proc") == 0)
 669                sbsec->proc = 1;
 670
 671        /* Determine the labeling behavior to use for this filesystem type. */
 672        rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
 673        if (rc) {
 674                printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
 675                       __func__, sb->s_type->name, rc);
 676                goto out;
 677        }
 678
 679        /* sets the context of the superblock for the fs being mounted. */
 680        if (fscontext_sid) {
 681
 682                rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
 683                if (rc)
 684                        goto out;
 685
 686                sbsec->sid = fscontext_sid;
 687        }
 688
 689        /*
 690         * Switch to using mount point labeling behavior.
 691         * sets the label used on all file below the mountpoint, and will set
 692         * the superblock context if not already set.
 693         */
 694        if (context_sid) {
 695                if (!fscontext_sid) {
 696                        rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
 697                        if (rc)
 698                                goto out;
 699                        sbsec->sid = context_sid;
 700                } else {
 701                        rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
 702                        if (rc)
 703                                goto out;
 704                }
 705                if (!rootcontext_sid)
 706                        rootcontext_sid = context_sid;
 707
 708                sbsec->mntpoint_sid = context_sid;
 709                sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 710        }
 711
 712        if (rootcontext_sid) {
 713                rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
 714                if (rc)
 715                        goto out;
 716
 717                root_isec->sid = rootcontext_sid;
 718                root_isec->initialized = 1;
 719        }
 720
 721        if (defcontext_sid) {
 722                if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
 723                        rc = -EINVAL;
 724                        printk(KERN_WARNING "SELinux: defcontext option is "
 725                               "invalid for this filesystem type\n");
 726                        goto out;
 727                }
 728
 729                if (defcontext_sid != sbsec->def_sid) {
 730                        rc = may_context_mount_inode_relabel(defcontext_sid,
 731                                                             sbsec, tsec);
 732                        if (rc)
 733                                goto out;
 734                }
 735
 736                sbsec->def_sid = defcontext_sid;
 737        }
 738
 739        rc = sb_finish_set_opts(sb);
 740out:
 741        mutex_unlock(&sbsec->lock);
 742        return rc;
 743out_double_mount:
 744        rc = -EINVAL;
 745        printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
 746               "security settings for (dev %s, type %s)\n", sb->s_id, name);
 747        goto out;
 748}
 749
 750static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
 751                                        struct super_block *newsb)
 752{
 753        const struct superblock_security_struct *oldsbsec = oldsb->s_security;
 754        struct superblock_security_struct *newsbsec = newsb->s_security;
 755
 756        int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
 757        int set_context =       (oldsbsec->flags & CONTEXT_MNT);
 758        int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
 759
 760        /*
 761         * if the parent was able to be mounted it clearly had no special lsm
 762         * mount options.  thus we can safely put this sb on the list and deal
 763         * with it later
 764         */
 765        if (!ss_initialized) {
 766                spin_lock(&sb_security_lock);
 767                if (list_empty(&newsbsec->list))
 768                        list_add(&newsbsec->list, &superblock_security_head);
 769                spin_unlock(&sb_security_lock);
 770                return;
 771        }
 772
 773        /* how can we clone if the old one wasn't set up?? */
 774        BUG_ON(!oldsbsec->initialized);
 775
 776        /* if fs is reusing a sb, just let its options stand... */
 777        if (newsbsec->initialized)
 778                return;
 779
 780        mutex_lock(&newsbsec->lock);
 781
 782        newsbsec->flags = oldsbsec->flags;
 783
 784        newsbsec->sid = oldsbsec->sid;
 785        newsbsec->def_sid = oldsbsec->def_sid;
 786        newsbsec->behavior = oldsbsec->behavior;
 787
 788        if (set_context) {
 789                u32 sid = oldsbsec->mntpoint_sid;
 790
 791                if (!set_fscontext)
 792                        newsbsec->sid = sid;
 793                if (!set_rootcontext) {
 794                        struct inode *newinode = newsb->s_root->d_inode;
 795                        struct inode_security_struct *newisec = newinode->i_security;
 796                        newisec->sid = sid;
 797                }
 798                newsbsec->mntpoint_sid = sid;
 799        }
 800        if (set_rootcontext) {
 801                const struct inode *oldinode = oldsb->s_root->d_inode;
 802                const struct inode_security_struct *oldisec = oldinode->i_security;
 803                struct inode *newinode = newsb->s_root->d_inode;
 804                struct inode_security_struct *newisec = newinode->i_security;
 805
 806                newisec->sid = oldisec->sid;
 807        }
 808
 809        sb_finish_set_opts(newsb);
 810        mutex_unlock(&newsbsec->lock);
 811}
 812
 813static int selinux_parse_opts_str(char *options,
 814                                  struct security_mnt_opts *opts)
 815{
 816        char *p;
 817        char *context = NULL, *defcontext = NULL;
 818        char *fscontext = NULL, *rootcontext = NULL;
 819        int rc, num_mnt_opts = 0;
 820
 821        opts->num_mnt_opts = 0;
 822
 823        /* Standard string-based options. */
 824        while ((p = strsep(&options, "|")) != NULL) {
 825                int token;
 826                substring_t args[MAX_OPT_ARGS];
 827
 828                if (!*p)
 829                        continue;
 830
 831                token = match_token(p, tokens, args);
 832
 833                switch (token) {
 834                case Opt_context:
 835                        if (context || defcontext) {
 836                                rc = -EINVAL;
 837                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 838                                goto out_err;
 839                        }
 840                        context = match_strdup(&args[0]);
 841                        if (!context) {
 842                                rc = -ENOMEM;
 843                                goto out_err;
 844                        }
 845                        break;
 846
 847                case Opt_fscontext:
 848                        if (fscontext) {
 849                                rc = -EINVAL;
 850                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 851                                goto out_err;
 852                        }
 853                        fscontext = match_strdup(&args[0]);
 854                        if (!fscontext) {
 855                                rc = -ENOMEM;
 856                                goto out_err;
 857                        }
 858                        break;
 859
 860                case Opt_rootcontext:
 861                        if (rootcontext) {
 862                                rc = -EINVAL;
 863                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 864                                goto out_err;
 865                        }
 866                        rootcontext = match_strdup(&args[0]);
 867                        if (!rootcontext) {
 868                                rc = -ENOMEM;
 869                                goto out_err;
 870                        }
 871                        break;
 872
 873                case Opt_defcontext:
 874                        if (context || defcontext) {
 875                                rc = -EINVAL;
 876                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 877                                goto out_err;
 878                        }
 879                        defcontext = match_strdup(&args[0]);
 880                        if (!defcontext) {
 881                                rc = -ENOMEM;
 882                                goto out_err;
 883                        }
 884                        break;
 885
 886                default:
 887                        rc = -EINVAL;
 888                        printk(KERN_WARNING "SELinux:  unknown mount option\n");
 889                        goto out_err;
 890
 891                }
 892        }
 893
 894        rc = -ENOMEM;
 895        opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
 896        if (!opts->mnt_opts)
 897                goto out_err;
 898
 899        opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
 900        if (!opts->mnt_opts_flags) {
 901                kfree(opts->mnt_opts);
 902                goto out_err;
 903        }
 904
 905        if (fscontext) {
 906                opts->mnt_opts[num_mnt_opts] = fscontext;
 907                opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
 908        }
 909        if (context) {
 910                opts->mnt_opts[num_mnt_opts] = context;
 911                opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
 912        }
 913        if (rootcontext) {
 914                opts->mnt_opts[num_mnt_opts] = rootcontext;
 915                opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
 916        }
 917        if (defcontext) {
 918                opts->mnt_opts[num_mnt_opts] = defcontext;
 919                opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
 920        }
 921
 922        opts->num_mnt_opts = num_mnt_opts;
 923        return 0;
 924
 925out_err:
 926        kfree(context);
 927        kfree(defcontext);
 928        kfree(fscontext);
 929        kfree(rootcontext);
 930        return rc;
 931}
 932/*
 933 * string mount options parsing and call set the sbsec
 934 */
 935static int superblock_doinit(struct super_block *sb, void *data)
 936{
 937        int rc = 0;
 938        char *options = data;
 939        struct security_mnt_opts opts;
 940
 941        security_init_mnt_opts(&opts);
 942
 943        if (!data)
 944                goto out;
 945
 946        BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
 947
 948        rc = selinux_parse_opts_str(options, &opts);
 949        if (rc)
 950                goto out_err;
 951
 952out:
 953        rc = selinux_set_mnt_opts(sb, &opts);
 954
 955out_err:
 956        security_free_mnt_opts(&opts);
 957        return rc;
 958}
 959
 960void selinux_write_opts(struct seq_file *m, struct security_mnt_opts *opts)
 961{
 962        int i;
 963        char *prefix;
 964
 965        for (i = 0; i < opts->num_mnt_opts; i++) {
 966                char *has_comma = strchr(opts->mnt_opts[i], ',');
 967
 968                switch (opts->mnt_opts_flags[i]) {
 969                case CONTEXT_MNT:
 970                        prefix = CONTEXT_STR;
 971                        break;
 972                case FSCONTEXT_MNT:
 973                        prefix = FSCONTEXT_STR;
 974                        break;
 975                case ROOTCONTEXT_MNT:
 976                        prefix = ROOTCONTEXT_STR;
 977                        break;
 978                case DEFCONTEXT_MNT:
 979                        prefix = DEFCONTEXT_STR;
 980                        break;
 981                default:
 982                        BUG();
 983                };
 984                /* we need a comma before each option */
 985                seq_putc(m, ',');
 986                seq_puts(m, prefix);
 987                if (has_comma)
 988                        seq_putc(m, '\"');
 989                seq_puts(m, opts->mnt_opts[i]);
 990                if (has_comma)
 991                        seq_putc(m, '\"');
 992        }
 993}
 994
 995static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
 996{
 997        struct security_mnt_opts opts;
 998        int rc;
 999
1000        rc = selinux_get_mnt_opts(sb, &opts);
1001        if (rc) {
1002                /* before policy load we may get EINVAL, don't show anything */
1003                if (rc == -EINVAL)
1004                        rc = 0;
1005                return rc;
1006        }
1007
1008        selinux_write_opts(m, &opts);
1009
1010        security_free_mnt_opts(&opts);
1011
1012        return rc;
1013}
1014
1015static inline u16 inode_mode_to_security_class(umode_t mode)
1016{
1017        switch (mode & S_IFMT) {
1018        case S_IFSOCK:
1019                return SECCLASS_SOCK_FILE;
1020        case S_IFLNK:
1021                return SECCLASS_LNK_FILE;
1022        case S_IFREG:
1023                return SECCLASS_FILE;
1024        case S_IFBLK:
1025                return SECCLASS_BLK_FILE;
1026        case S_IFDIR:
1027                return SECCLASS_DIR;
1028        case S_IFCHR:
1029                return SECCLASS_CHR_FILE;
1030        case S_IFIFO:
1031                return SECCLASS_FIFO_FILE;
1032
1033        }
1034
1035        return SECCLASS_FILE;
1036}
1037
1038static inline int default_protocol_stream(int protocol)
1039{
1040        return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1041}
1042
1043static inline int default_protocol_dgram(int protocol)
1044{
1045        return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1046}
1047
1048static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1049{
1050        switch (family) {
1051        case PF_UNIX:
1052                switch (type) {
1053                case SOCK_STREAM:
1054                case SOCK_SEQPACKET:
1055                        return SECCLASS_UNIX_STREAM_SOCKET;
1056                case SOCK_DGRAM:
1057                        return SECCLASS_UNIX_DGRAM_SOCKET;
1058                }
1059                break;
1060        case PF_INET:
1061        case PF_INET6:
1062                switch (type) {
1063                case SOCK_STREAM:
1064                        if (default_protocol_stream(protocol))
1065                                return SECCLASS_TCP_SOCKET;
1066                        else
1067                                return SECCLASS_RAWIP_SOCKET;
1068                case SOCK_DGRAM:
1069                        if (default_protocol_dgram(protocol))
1070                                return SECCLASS_UDP_SOCKET;
1071                        else
1072                                return SECCLASS_RAWIP_SOCKET;
1073                case SOCK_DCCP:
1074                        return SECCLASS_DCCP_SOCKET;
1075                default:
1076                        return SECCLASS_RAWIP_SOCKET;
1077                }
1078                break;
1079        case PF_NETLINK:
1080                switch (protocol) {
1081                case NETLINK_ROUTE:
1082                        return SECCLASS_NETLINK_ROUTE_SOCKET;
1083                case NETLINK_FIREWALL:
1084                        return SECCLASS_NETLINK_FIREWALL_SOCKET;
1085                case NETLINK_INET_DIAG:
1086                        return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1087                case NETLINK_NFLOG:
1088                        return SECCLASS_NETLINK_NFLOG_SOCKET;
1089                case NETLINK_XFRM:
1090                        return SECCLASS_NETLINK_XFRM_SOCKET;
1091                case NETLINK_SELINUX:
1092                        return SECCLASS_NETLINK_SELINUX_SOCKET;
1093                case NETLINK_AUDIT:
1094                        return SECCLASS_NETLINK_AUDIT_SOCKET;
1095                case NETLINK_IP6_FW:
1096                        return SECCLASS_NETLINK_IP6FW_SOCKET;
1097                case NETLINK_DNRTMSG:
1098                        return SECCLASS_NETLINK_DNRT_SOCKET;
1099                case NETLINK_KOBJECT_UEVENT:
1100                        return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1101                default:
1102                        return SECCLASS_NETLINK_SOCKET;
1103                }
1104        case PF_PACKET:
1105                return SECCLASS_PACKET_SOCKET;
1106        case PF_KEY:
1107                return SECCLASS_KEY_SOCKET;
1108        case PF_APPLETALK:
1109                return SECCLASS_APPLETALK_SOCKET;
1110        }
1111
1112        return SECCLASS_SOCKET;
1113}
1114
1115#ifdef CONFIG_PROC_FS
1116static int selinux_proc_get_sid(struct proc_dir_entry *de,
1117                                u16 tclass,
1118                                u32 *sid)
1119{
1120        int buflen, rc;
1121        char *buffer, *path, *end;
1122
1123        buffer = (char *)__get_free_page(GFP_KERNEL);
1124        if (!buffer)
1125                return -ENOMEM;
1126
1127        buflen = PAGE_SIZE;
1128        end = buffer+buflen;
1129        *--end = '\0';
1130        buflen--;
1131        path = end-1;
1132        *path = '/';
1133        while (de && de != de->parent) {
1134                buflen -= de->namelen + 1;
1135                if (buflen < 0)
1136                        break;
1137                end -= de->namelen;
1138                memcpy(end, de->name, de->namelen);
1139                *--end = '/';
1140                path = end;
1141                de = de->parent;
1142        }
1143        rc = security_genfs_sid("proc", path, tclass, sid);
1144        free_page((unsigned long)buffer);
1145        return rc;
1146}
1147#else
1148static int selinux_proc_get_sid(struct proc_dir_entry *de,
1149                                u16 tclass,
1150                                u32 *sid)
1151{
1152        return -EINVAL;
1153}
1154#endif
1155
1156/* The inode's security attributes must be initialized before first use. */
1157static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1158{
1159        struct superblock_security_struct *sbsec = NULL;
1160        struct inode_security_struct *isec = inode->i_security;
1161        u32 sid;
1162        struct dentry *dentry;
1163#define INITCONTEXTLEN 255
1164        char *context = NULL;
1165        unsigned len = 0;
1166        int rc = 0;
1167
1168        if (isec->initialized)
1169                goto out;
1170
1171        mutex_lock(&isec->lock);
1172        if (isec->initialized)
1173                goto out_unlock;
1174
1175        sbsec = inode->i_sb->s_security;
1176        if (!sbsec->initialized) {
1177                /* Defer initialization until selinux_complete_init,
1178                   after the initial policy is loaded and the security
1179                   server is ready to handle calls. */
1180                spin_lock(&sbsec->isec_lock);
1181                if (list_empty(&isec->list))
1182                        list_add(&isec->list, &sbsec->isec_head);
1183                spin_unlock(&sbsec->isec_lock);
1184                goto out_unlock;
1185        }
1186
1187        switch (sbsec->behavior) {
1188        case SECURITY_FS_USE_XATTR:
1189                if (!inode->i_op->getxattr) {
1190                        isec->sid = sbsec->def_sid;
1191                        break;
1192                }
1193
1194                /* Need a dentry, since the xattr API requires one.
1195                   Life would be simpler if we could just pass the inode. */
1196                if (opt_dentry) {
1197                        /* Called from d_instantiate or d_splice_alias. */
1198                        dentry = dget(opt_dentry);
1199                } else {
1200                        /* Called from selinux_complete_init, try to find a dentry. */
1201                        dentry = d_find_alias(inode);
1202                }
1203                if (!dentry) {
1204                        printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1205                               "ino=%ld\n", __func__, inode->i_sb->s_id,
1206                               inode->i_ino);
1207                        goto out_unlock;
1208                }
1209
1210                len = INITCONTEXTLEN;
1211                context = kmalloc(len, GFP_NOFS);
1212                if (!context) {
1213                        rc = -ENOMEM;
1214                        dput(dentry);
1215                        goto out_unlock;
1216                }
1217                rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1218                                           context, len);
1219                if (rc == -ERANGE) {
1220                        /* Need a larger buffer.  Query for the right size. */
1221                        rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1222                                                   NULL, 0);
1223                        if (rc < 0) {
1224                                dput(dentry);
1225                                goto out_unlock;
1226                        }
1227                        kfree(context);
1228                        len = rc;
1229                        context = kmalloc(len, GFP_NOFS);
1230                        if (!context) {
1231                                rc = -ENOMEM;
1232                                dput(dentry);
1233                                goto out_unlock;
1234                        }
1235                        rc = inode->i_op->getxattr(dentry,
1236                                                   XATTR_NAME_SELINUX,
1237                                                   context, len);
1238                }
1239                dput(dentry);
1240                if (rc < 0) {
1241                        if (rc != -ENODATA) {
1242                                printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1243                                       "%d for dev=%s ino=%ld\n", __func__,
1244                                       -rc, inode->i_sb->s_id, inode->i_ino);
1245                                kfree(context);
1246                                goto out_unlock;
1247                        }
1248                        /* Map ENODATA to the default file SID */
1249                        sid = sbsec->def_sid;
1250                        rc = 0;
1251                } else {
1252                        rc = security_context_to_sid_default(context, rc, &sid,
1253                                                             sbsec->def_sid,
1254                                                             GFP_NOFS);
1255                        if (rc) {
1256                                printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1257                                       "returned %d for dev=%s ino=%ld\n",
1258                                       __func__, context, -rc,
1259                                       inode->i_sb->s_id, inode->i_ino);
1260                                kfree(context);
1261                                /* Leave with the unlabeled SID */
1262                                rc = 0;
1263                                break;
1264                        }
1265                }
1266                kfree(context);
1267                isec->sid = sid;
1268                break;
1269        case SECURITY_FS_USE_TASK:
1270                isec->sid = isec->task_sid;
1271                break;
1272        case SECURITY_FS_USE_TRANS:
1273                /* Default to the fs SID. */
1274                isec->sid = sbsec->sid;
1275
1276                /* Try to obtain a transition SID. */
1277                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1278                rc = security_transition_sid(isec->task_sid,
1279                                             sbsec->sid,
1280                                             isec->sclass,
1281                                             &sid);
1282                if (rc)
1283                        goto out_unlock;
1284                isec->sid = sid;
1285                break;
1286        case SECURITY_FS_USE_MNTPOINT:
1287                isec->sid = sbsec->mntpoint_sid;
1288                break;
1289        default:
1290                /* Default to the fs superblock SID. */
1291                isec->sid = sbsec->sid;
1292
1293                if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1294                        struct proc_inode *proci = PROC_I(inode);
1295                        if (proci->pde) {
1296                                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1297                                rc = selinux_proc_get_sid(proci->pde,
1298                                                          isec->sclass,
1299                                                          &sid);
1300                                if (rc)
1301                                        goto out_unlock;
1302                                isec->sid = sid;
1303                        }
1304                }
1305                break;
1306        }
1307
1308        isec->initialized = 1;
1309
1310out_unlock:
1311        mutex_unlock(&isec->lock);
1312out:
1313        if (isec->sclass == SECCLASS_FILE)
1314                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1315        return rc;
1316}
1317
1318/* Convert a Linux signal to an access vector. */
1319static inline u32 signal_to_av(int sig)
1320{
1321        u32 perm = 0;
1322
1323        switch (sig) {
1324        case SIGCHLD:
1325                /* Commonly granted from child to parent. */
1326                perm = PROCESS__SIGCHLD;
1327                break;
1328        case SIGKILL:
1329                /* Cannot be caught or ignored */
1330                perm = PROCESS__SIGKILL;
1331                break;
1332        case SIGSTOP:
1333                /* Cannot be caught or ignored */
1334                perm = PROCESS__SIGSTOP;
1335                break;
1336        default:
1337                /* All other signals. */
1338                perm = PROCESS__SIGNAL;
1339                break;
1340        }
1341
1342        return perm;
1343}
1344
1345/* Check permission betweeen a pair of tasks, e.g. signal checks,
1346   fork check, ptrace check, etc. */
1347static int task_has_perm(struct task_struct *tsk1,
1348                         struct task_struct *tsk2,
1349                         u32 perms)
1350{
1351        struct task_security_struct *tsec1, *tsec2;
1352
1353        tsec1 = tsk1->security;
1354        tsec2 = tsk2->security;
1355        return avc_has_perm(tsec1->sid, tsec2->sid,
1356                            SECCLASS_PROCESS, perms, NULL);
1357}
1358
1359#if CAP_LAST_CAP > 63
1360#error Fix SELinux to handle capabilities > 63.
1361#endif
1362
1363/* Check whether a task is allowed to use a capability. */
1364static int task_has_capability(struct task_struct *tsk,
1365                               int cap)
1366{
1367        struct task_security_struct *tsec;
1368        struct avc_audit_data ad;
1369        u16 sclass;
1370        u32 av = CAP_TO_MASK(cap);
1371
1372        tsec = tsk->security;
1373
1374        AVC_AUDIT_DATA_INIT(&ad, CAP);
1375        ad.tsk = tsk;
1376        ad.u.cap = cap;
1377
1378        switch (CAP_TO_INDEX(cap)) {
1379        case 0:
1380                sclass = SECCLASS_CAPABILITY;
1381                break;
1382        case 1:
1383                sclass = SECCLASS_CAPABILITY2;
1384                break;
1385        default:
1386                printk(KERN_ERR
1387                       "SELinux:  out of range capability %d\n", cap);
1388                BUG();
1389        }
1390        return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1391}
1392
1393/* Check whether a task is allowed to use a system operation. */
1394static int task_has_system(struct task_struct *tsk,
1395                           u32 perms)
1396{
1397        struct task_security_struct *tsec;
1398
1399        tsec = tsk->security;
1400
1401        return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1402                            SECCLASS_SYSTEM, perms, NULL);
1403}
1404
1405/* Check whether a task has a particular permission to an inode.
1406   The 'adp' parameter is optional and allows other audit
1407   data to be passed (e.g. the dentry). */
1408static int inode_has_perm(struct task_struct *tsk,
1409                          struct inode *inode,
1410                          u32 perms,
1411                          struct avc_audit_data *adp)
1412{
1413        struct task_security_struct *tsec;
1414        struct inode_security_struct *isec;
1415        struct avc_audit_data ad;
1416
1417        if (unlikely(IS_PRIVATE(inode)))
1418                return 0;
1419
1420        tsec = tsk->security;
1421        isec = inode->i_security;
1422
1423        if (!adp) {
1424                adp = &ad;
1425                AVC_AUDIT_DATA_INIT(&ad, FS);
1426                ad.u.fs.inode = inode;
1427        }
1428
1429        return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1430}
1431
1432/* Same as inode_has_perm, but pass explicit audit data containing
1433   the dentry to help the auditing code to more easily generate the
1434   pathname if needed. */
1435static inline int dentry_has_perm(struct task_struct *tsk,
1436                                  struct vfsmount *mnt,
1437                                  struct dentry *dentry,
1438                                  u32 av)
1439{
1440        struct inode *inode = dentry->d_inode;
1441        struct avc_audit_data ad;
1442        AVC_AUDIT_DATA_INIT(&ad, FS);
1443        ad.u.fs.path.mnt = mnt;
1444        ad.u.fs.path.dentry = dentry;
1445        return inode_has_perm(tsk, inode, av, &ad);
1446}
1447
1448/* Check whether a task can use an open file descriptor to
1449   access an inode in a given way.  Check access to the
1450   descriptor itself, and then use dentry_has_perm to
1451   check a particular permission to the file.
1452   Access to the descriptor is implicitly granted if it
1453   has the same SID as the process.  If av is zero, then
1454   access to the file is not checked, e.g. for cases
1455   where only the descriptor is affected like seek. */
1456static int file_has_perm(struct task_struct *tsk,
1457                                struct file *file,
1458                                u32 av)
1459{
1460        struct task_security_struct *tsec = tsk->security;
1461        struct file_security_struct *fsec = file->f_security;
1462        struct inode *inode = file->f_path.dentry->d_inode;
1463        struct avc_audit_data ad;
1464        int rc;
1465
1466        AVC_AUDIT_DATA_INIT(&ad, FS);
1467        ad.u.fs.path = file->f_path;
1468
1469        if (tsec->sid != fsec->sid) {
1470                rc = avc_has_perm(tsec->sid, fsec->sid,
1471                                  SECCLASS_FD,
1472                                  FD__USE,
1473                                  &ad);
1474                if (rc)
1475                        return rc;
1476        }
1477
1478        /* av is zero if only checking access to the descriptor. */
1479        if (av)
1480                return inode_has_perm(tsk, inode, av, &ad);
1481
1482        return 0;
1483}
1484
1485/* Check whether a task can create a file. */
1486static int may_create(struct inode *dir,
1487                      struct dentry *dentry,
1488                      u16 tclass)
1489{
1490        struct task_security_struct *tsec;
1491        struct inode_security_struct *dsec;
1492        struct superblock_security_struct *sbsec;
1493        u32 newsid;
1494        struct avc_audit_data ad;
1495        int rc;
1496
1497        tsec = current->security;
1498        dsec = dir->i_security;
1499        sbsec = dir->i_sb->s_security;
1500
1501        AVC_AUDIT_DATA_INIT(&ad, FS);
1502        ad.u.fs.path.dentry = dentry;
1503
1504        rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1505                          DIR__ADD_NAME | DIR__SEARCH,
1506                          &ad);
1507        if (rc)
1508                return rc;
1509
1510        if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1511                newsid = tsec->create_sid;
1512        } else {
1513                rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1514                                             &newsid);
1515                if (rc)
1516                        return rc;
1517        }
1518
1519        rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1520        if (rc)
1521                return rc;
1522
1523        return avc_has_perm(newsid, sbsec->sid,
1524                            SECCLASS_FILESYSTEM,
1525                            FILESYSTEM__ASSOCIATE, &ad);
1526}
1527
1528/* Check whether a task can create a key. */
1529static int may_create_key(u32 ksid,
1530                          struct task_struct *ctx)
1531{
1532        struct task_security_struct *tsec;
1533
1534        tsec = ctx->security;
1535
1536        return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1537}
1538
1539#define MAY_LINK        0
1540#define MAY_UNLINK      1
1541#define MAY_RMDIR       2
1542
1543/* Check whether a task can link, unlink, or rmdir a file/directory. */
1544static int may_link(struct inode *dir,
1545                    struct dentry *dentry,
1546                    int kind)
1547
1548{
1549        struct task_security_struct *tsec;
1550        struct inode_security_struct *dsec, *isec;
1551        struct avc_audit_data ad;
1552        u32 av;
1553        int rc;
1554
1555        tsec = current->security;
1556        dsec = dir->i_security;
1557        isec = dentry->d_inode->i_security;
1558
1559        AVC_AUDIT_DATA_INIT(&ad, FS);
1560        ad.u.fs.path.dentry = dentry;
1561
1562        av = DIR__SEARCH;
1563        av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1564        rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1565        if (rc)
1566                return rc;
1567
1568        switch (kind) {
1569        case MAY_LINK:
1570                av = FILE__LINK;
1571                break;
1572        case MAY_UNLINK:
1573                av = FILE__UNLINK;
1574                break;
1575        case MAY_RMDIR:
1576                av = DIR__RMDIR;
1577                break;
1578        default:
1579                printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1580                        __func__, kind);
1581                return 0;
1582        }
1583
1584        rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1585        return rc;
1586}
1587
1588static inline int may_rename(struct inode *old_dir,
1589                             struct dentry *old_dentry,
1590                             struct inode *new_dir,
1591                             struct dentry *new_dentry)
1592{
1593        struct task_security_struct *tsec;
1594        struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1595        struct avc_audit_data ad;
1596        u32 av;
1597        int old_is_dir, new_is_dir;
1598        int rc;
1599
1600        tsec = current->security;
1601        old_dsec = old_dir->i_security;
1602        old_isec = old_dentry->d_inode->i_security;
1603        old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1604        new_dsec = new_dir->i_security;
1605
1606        AVC_AUDIT_DATA_INIT(&ad, FS);
1607
1608        ad.u.fs.path.dentry = old_dentry;
1609        rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1610                          DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1611        if (rc)
1612                return rc;
1613        rc = avc_has_perm(tsec->sid, old_isec->sid,
1614                          old_isec->sclass, FILE__RENAME, &ad);
1615        if (rc)
1616                return rc;
1617        if (old_is_dir && new_dir != old_dir) {
1618                rc = avc_has_perm(tsec->sid, old_isec->sid,
1619                                  old_isec->sclass, DIR__REPARENT, &ad);
1620                if (rc)
1621                        return rc;
1622        }
1623
1624        ad.u.fs.path.dentry = new_dentry;
1625        av = DIR__ADD_NAME | DIR__SEARCH;
1626        if (new_dentry->d_inode)
1627                av |= DIR__REMOVE_NAME;
1628        rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1629        if (rc)
1630                return rc;
1631        if (new_dentry->d_inode) {
1632                new_isec = new_dentry->d_inode->i_security;
1633                new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1634                rc = avc_has_perm(tsec->sid, new_isec->sid,
1635                                  new_isec->sclass,
1636                                  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1637                if (rc)
1638                        return rc;
1639        }
1640
1641        return 0;
1642}
1643
1644/* Check whether a task can perform a filesystem operation. */
1645static int superblock_has_perm(struct task_struct *tsk,
1646                               struct super_block *sb,
1647                               u32 perms,
1648                               struct avc_audit_data *ad)
1649{
1650        struct task_security_struct *tsec;
1651        struct superblock_security_struct *sbsec;
1652
1653        tsec = tsk->security;
1654        sbsec = sb->s_security;
1655        return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1656                            perms, ad);
1657}
1658
1659/* Convert a Linux mode and permission mask to an access vector. */
1660static inline u32 file_mask_to_av(int mode, int mask)
1661{
1662        u32 av = 0;
1663
1664        if ((mode & S_IFMT) != S_IFDIR) {
1665                if (mask & MAY_EXEC)
1666                        av |= FILE__EXECUTE;
1667                if (mask & MAY_READ)
1668                        av |= FILE__READ;
1669
1670                if (mask & MAY_APPEND)
1671                        av |= FILE__APPEND;
1672                else if (mask & MAY_WRITE)
1673                        av |= FILE__WRITE;
1674
1675        } else {
1676                if (mask & MAY_EXEC)
1677                        av |= DIR__SEARCH;
1678                if (mask & MAY_WRITE)
1679                        av |= DIR__WRITE;
1680                if (mask & MAY_READ)
1681                        av |= DIR__READ;
1682        }
1683
1684        return av;
1685}
1686
1687/*
1688 * Convert a file mask to an access vector and include the correct open
1689 * open permission.
1690 */
1691static inline u32 open_file_mask_to_av(int mode, int mask)
1692{
1693        u32 av = file_mask_to_av(mode, mask);
1694
1695        if (selinux_policycap_openperm) {
1696                /*
1697                 * lnk files and socks do not really have an 'open'
1698                 */
1699                if (S_ISREG(mode))
1700                        av |= FILE__OPEN;
1701                else if (S_ISCHR(mode))
1702                        av |= CHR_FILE__OPEN;
1703                else if (S_ISBLK(mode))
1704                        av |= BLK_FILE__OPEN;
1705                else if (S_ISFIFO(mode))
1706                        av |= FIFO_FILE__OPEN;
1707                else if (S_ISDIR(mode))
1708                        av |= DIR__OPEN;
1709                else
1710                        printk(KERN_ERR "SELinux: WARNING: inside %s with "
1711                                "unknown mode:%x\n", __func__, mode);
1712        }
1713        return av;
1714}
1715
1716/* Convert a Linux file to an access vector. */
1717static inline u32 file_to_av(struct file *file)
1718{
1719        u32 av = 0;
1720
1721        if (file->f_mode & FMODE_READ)
1722                av |= FILE__READ;
1723        if (file->f_mode & FMODE_WRITE) {
1724                if (file->f_flags & O_APPEND)
1725                        av |= FILE__APPEND;
1726                else
1727                        av |= FILE__WRITE;
1728        }
1729        if (!av) {
1730                /*
1731                 * Special file opened with flags 3 for ioctl-only use.
1732                 */
1733                av = FILE__IOCTL;
1734        }
1735
1736        return av;
1737}
1738
1739/* Hook functions begin here. */
1740
1741static int selinux_ptrace_may_access(struct task_struct *child,
1742                                     unsigned int mode)
1743{
1744        int rc;
1745
1746        rc = secondary_ops->ptrace_may_access(child, mode);
1747        if (rc)
1748                return rc;
1749
1750        if (mode == PTRACE_MODE_READ) {
1751                struct task_security_struct *tsec = current->security;
1752                struct task_security_struct *csec = child->security;
1753                return avc_has_perm(tsec->sid, csec->sid,
1754                                    SECCLASS_FILE, FILE__READ, NULL);
1755        }
1756
1757        return task_has_perm(current, child, PROCESS__PTRACE);
1758}
1759
1760static int selinux_ptrace_traceme(struct task_struct *parent)
1761{
1762        int rc;
1763
1764        rc = secondary_ops->ptrace_traceme(parent);
1765        if (rc)
1766                return rc;
1767
1768        return task_has_perm(parent, current, PROCESS__PTRACE);
1769}
1770
1771static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1772                          kernel_cap_t *inheritable, kernel_cap_t *permitted)
1773{
1774        int error;
1775
1776        error = task_has_perm(current, target, PROCESS__GETCAP);
1777        if (error)
1778                return error;
1779
1780        return secondary_ops->capget(target, effective, inheritable, permitted);
1781}
1782
1783static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1784                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1785{
1786        int error;
1787
1788        error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1789        if (error)
1790                return error;
1791
1792        return task_has_perm(current, target, PROCESS__SETCAP);
1793}
1794
1795static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1796                               kernel_cap_t *inheritable, kernel_cap_t *permitted)
1797{
1798        secondary_ops->capset_set(target, effective, inheritable, permitted);
1799}
1800
1801static int selinux_capable(struct task_struct *tsk, int cap)
1802{
1803        int rc;
1804
1805        rc = secondary_ops->capable(tsk, cap);
1806        if (rc)
1807                return rc;
1808
1809        return task_has_capability(tsk, cap);
1810}
1811
1812static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1813{
1814        int buflen, rc;
1815        char *buffer, *path, *end;
1816
1817        rc = -ENOMEM;
1818        buffer = (char *)__get_free_page(GFP_KERNEL);
1819        if (!buffer)
1820                goto out;
1821
1822        buflen = PAGE_SIZE;
1823        end = buffer+buflen;
1824        *--end = '\0';
1825        buflen--;
1826        path = end-1;
1827        *path = '/';
1828        while (table) {
1829                const char *name = table->procname;
1830                size_t namelen = strlen(name);
1831                buflen -= namelen + 1;
1832                if (buflen < 0)
1833                        goto out_free;
1834                end -= namelen;
1835                memcpy(end, name, namelen);
1836                *--end = '/';
1837                path = end;
1838                table = table->parent;
1839        }
1840        buflen -= 4;
1841        if (buflen < 0)
1842                goto out_free;
1843        end -= 4;
1844        memcpy(end, "/sys", 4);
1845        path = end;
1846        rc = security_genfs_sid("proc", path, tclass, sid);
1847out_free:
1848        free_page((unsigned long)buffer);
1849out:
1850        return rc;
1851}
1852
1853static int selinux_sysctl(ctl_table *table, int op)
1854{
1855        int error = 0;
1856        u32 av;
1857        struct task_security_struct *tsec;
1858        u32 tsid;
1859        int rc;
1860
1861        rc = secondary_ops->sysctl(table, op);
1862        if (rc)
1863                return rc;
1864
1865        tsec = current->security;
1866
1867        rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1868                                    SECCLASS_DIR : SECCLASS_FILE, &tsid);
1869        if (rc) {
1870                /* Default to the well-defined sysctl SID. */
1871                tsid = SECINITSID_SYSCTL;
1872        }
1873
1874        /* The op values are "defined" in sysctl.c, thereby creating
1875         * a bad coupling between this module and sysctl.c */
1876        if (op == 001) {
1877                error = avc_has_perm(tsec->sid, tsid,
1878                                     SECCLASS_DIR, DIR__SEARCH, NULL);
1879        } else {
1880                av = 0;
1881                if (op & 004)
1882                        av |= FILE__READ;
1883                if (op & 002)
1884                        av |= FILE__WRITE;
1885                if (av)
1886                        error = avc_has_perm(tsec->sid, tsid,
1887                                             SECCLASS_FILE, av, NULL);
1888        }
1889
1890        return error;
1891}
1892
1893static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1894{
1895        int rc = 0;
1896
1897        if (!sb)
1898                return 0;
1899
1900        switch (cmds) {
1901        case Q_SYNC:
1902        case Q_QUOTAON:
1903        case Q_QUOTAOFF:
1904        case Q_SETINFO:
1905        case Q_SETQUOTA:
1906                rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1907                                         NULL);
1908                break;
1909        case Q_GETFMT:
1910        case Q_GETINFO:
1911        case Q_GETQUOTA:
1912                rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1913                                         NULL);
1914                break;
1915        default:
1916                rc = 0;  /* let the kernel handle invalid cmds */
1917                break;
1918        }
1919        return rc;
1920}
1921
1922static int selinux_quota_on(struct dentry *dentry)
1923{
1924        return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1925}
1926
1927static int selinux_syslog(int type)
1928{
1929        int rc;
1930
1931        rc = secondary_ops->syslog(type);
1932        if (rc)
1933                return rc;
1934
1935        switch (type) {
1936        case 3:         /* Read last kernel messages */
1937        case 10:        /* Return size of the log buffer */
1938                rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1939                break;
1940        case 6:         /* Disable logging to console */
1941        case 7:         /* Enable logging to console */
1942        case 8:         /* Set level of messages printed to console */
1943                rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1944                break;
1945        case 0:         /* Close log */
1946        case 1:         /* Open log */
1947        case 2:         /* Read from log */
1948        case 4:         /* Read/clear last kernel messages */
1949        case 5:         /* Clear ring buffer */
1950        default:
1951                rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1952                break;
1953        }
1954        return rc;
1955}
1956
1957/*
1958 * Check that a process has enough memory to allocate a new virtual
1959 * mapping. 0 means there is enough memory for the allocation to
1960 * succeed and -ENOMEM implies there is not.
1961 *
1962 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1963 * if the capability is granted, but __vm_enough_memory requires 1 if
1964 * the capability is granted.
1965 *
1966 * Do not audit the selinux permission check, as this is applied to all
1967 * processes that allocate mappings.
1968 */
1969static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1970{
1971        int rc, cap_sys_admin = 0;
1972        struct task_security_struct *tsec = current->security;
1973
1974        rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1975        if (rc == 0)
1976                rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1977                                          SECCLASS_CAPABILITY,
1978                                          CAP_TO_MASK(CAP_SYS_ADMIN),
1979                                          0,
1980                                          NULL);
1981
1982        if (rc == 0)
1983                cap_sys_admin = 1;
1984
1985        return __vm_enough_memory(mm, pages, cap_sys_admin);
1986}
1987
1988/* binprm security operations */
1989
1990static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1991{
1992        struct bprm_security_struct *bsec;
1993
1994        bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1995        if (!bsec)
1996                return -ENOMEM;
1997
1998        bsec->sid = SECINITSID_UNLABELED;
1999        bsec->set = 0;
2000
2001        bprm->security = bsec;
2002        return 0;
2003}
2004
2005static int selinux_bprm_set_security(struct linux_binprm *bprm)
2006{
2007        struct task_security_struct *tsec;
2008        struct inode *inode = bprm->file->f_path.dentry->d_inode;
2009        struct inode_security_struct *isec;
2010        struct bprm_security_struct *bsec;
2011        u32 newsid;
2012        struct avc_audit_data ad;
2013        int rc;
2014
2015        rc = secondary_ops->bprm_set_security(bprm);
2016        if (rc)
2017                return rc;
2018
2019        bsec = bprm->security;
2020
2021        if (bsec->set)
2022                return 0;
2023
2024        tsec = current->security;
2025        isec = inode->i_security;
2026
2027        /* Default to the current task SID. */
2028        bsec->sid = tsec->sid;
2029
2030        /* Reset fs, key, and sock SIDs on execve. */
2031        tsec->create_sid = 0;
2032        tsec->keycreate_sid = 0;
2033        tsec->sockcreate_sid = 0;
2034
2035        if (tsec->exec_sid) {
2036                newsid = tsec->exec_sid;
2037                /* Reset exec SID on execve. */
2038                tsec->exec_sid = 0;
2039        } else {
2040                /* Check for a default transition on this program. */
2041                rc = security_transition_sid(tsec->sid, isec->sid,
2042                                             SECCLASS_PROCESS, &newsid);
2043                if (rc)
2044                        return rc;
2045        }
2046
2047        AVC_AUDIT_DATA_INIT(&ad, FS);
2048        ad.u.fs.path = bprm->file->f_path;
2049
2050        if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2051                newsid = tsec->sid;
2052
2053        if (tsec->sid == newsid) {
2054                rc = avc_has_perm(tsec->sid, isec->sid,
2055                                  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2056                if (rc)
2057                        return rc;
2058        } else {
2059                /* Check permissions for the transition. */
2060                rc = avc_has_perm(tsec->sid, newsid,
2061                                  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2062                if (rc)
2063                        return rc;
2064
2065                rc = avc_has_perm(newsid, isec->sid,
2066                                  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2067                if (rc)
2068                        return rc;
2069
2070                /* Clear any possibly unsafe personality bits on exec: */
2071                current->personality &= ~PER_CLEAR_ON_SETID;
2072
2073                /* Set the security field to the new SID. */
2074                bsec->sid = newsid;
2075        }
2076
2077        bsec->set = 1;
2078        return 0;
2079}
2080
2081static int selinux_bprm_check_security(struct linux_binprm *bprm)
2082{
2083        return secondary_ops->bprm_check_security(bprm);
2084}
2085
2086
2087static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2088{
2089        struct task_security_struct *tsec = current->security;
2090        int atsecure = 0;
2091
2092        if (tsec->osid != tsec->sid) {
2093                /* Enable secure mode for SIDs transitions unless
2094                   the noatsecure permission is granted between
2095                   the two SIDs, i.e. ahp returns 0. */
2096                atsecure = avc_has_perm(tsec->osid, tsec->sid,
2097                                         SECCLASS_PROCESS,
2098                                         PROCESS__NOATSECURE, NULL);
2099        }
2100
2101        return (atsecure || secondary_ops->bprm_secureexec(bprm));
2102}
2103
2104static void selinux_bprm_free_security(struct linux_binprm *bprm)
2105{
2106        kfree(bprm->security);
2107        bprm->security = NULL;
2108}
2109
2110extern struct vfsmount *selinuxfs_mount;
2111extern struct dentry *selinux_null;
2112
2113/* Derived from fs/exec.c:flush_old_files. */
2114static inline void flush_unauthorized_files(struct files_struct *files)
2115{
2116        struct avc_audit_data ad;
2117        struct file *file, *devnull = NULL;
2118        struct tty_struct *tty;
2119        struct fdtable *fdt;
2120        long j = -1;
2121        int drop_tty = 0;
2122
2123        mutex_lock(&tty_mutex);
2124        tty = get_current_tty();
2125        if (tty) {
2126                file_list_lock();
2127                file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2128                if (file) {
2129                        /* Revalidate access to controlling tty.
2130                           Use inode_has_perm on the tty inode directly rather
2131                           than using file_has_perm, as this particular open
2132                           file may belong to another process and we are only
2133                           interested in the inode-based check here. */
2134                        struct inode *inode = file->f_path.dentry->d_inode;
2135                        if (inode_has_perm(current, inode,
2136                                           FILE__READ | FILE__WRITE, NULL)) {
2137                                drop_tty = 1;
2138                        }
2139                }
2140                file_list_unlock();
2141        }
2142        mutex_unlock(&tty_mutex);
2143        /* Reset controlling tty. */
2144        if (drop_tty)
2145                no_tty();
2146
2147        /* Revalidate access to inherited open files. */
2148
2149        AVC_AUDIT_DATA_INIT(&ad, FS);
2150
2151        spin_lock(&files->file_lock);
2152        for (;;) {
2153                unsigned long set, i;
2154                int fd;
2155
2156                j++;
2157                i = j * __NFDBITS;
2158                fdt = files_fdtable(files);
2159                if (i >= fdt->max_fds)
2160                        break;
2161                set = fdt->open_fds->fds_bits[j];
2162                if (!set)
2163                        continue;
2164                spin_unlock(&files->file_lock);
2165                for ( ; set ; i++, set >>= 1) {
2166                        if (set & 1) {
2167                                file = fget(i);
2168                                if (!file)
2169                                        continue;
2170                                if (file_has_perm(current,
2171                                                  file,
2172                                                  file_to_av(file))) {
2173                                        sys_close(i);
2174                                        fd = get_unused_fd();
2175                                        if (fd != i) {
2176                                                if (fd >= 0)
2177                                                        put_unused_fd(fd);
2178                                                fput(file);
2179                                                continue;
2180                                        }
2181                                        if (devnull) {
2182                                                get_file(devnull);
2183                                        } else {
2184                                                devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2185                                                if (IS_ERR(devnull)) {
2186                                                        devnull = NULL;
2187                                                        put_unused_fd(fd);
2188                                                        fput(file);
2189                                                        continue;
2190                                                }
2191                                        }
2192                                        fd_install(fd, devnull);
2193                                }
2194                                fput(file);
2195                        }
2196                }
2197                spin_lock(&files->file_lock);
2198
2199        }
2200        spin_unlock(&files->file_lock);
2201}
2202
2203static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2204{
2205        struct task_security_struct *tsec;
2206        struct bprm_security_struct *bsec;
2207        u32 sid;
2208        int rc;
2209
2210        secondary_ops->bprm_apply_creds(bprm, unsafe);
2211
2212        tsec = current->security;
2213
2214        bsec = bprm->security;
2215        sid = bsec->sid;
2216
2217        tsec->osid = tsec->sid;
2218        bsec->unsafe = 0;
2219        if (tsec->sid != sid) {
2220                /* Check for shared state.  If not ok, leave SID
2221                   unchanged and kill. */
2222                if (unsafe & LSM_UNSAFE_SHARE) {
2223                        rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2224                                        PROCESS__SHARE, NULL);
2225                        if (rc) {
2226                                bsec->unsafe = 1;
2227                                return;
2228                        }
2229                }
2230
2231                /* Check for ptracing, and update the task SID if ok.
2232                   Otherwise, leave SID unchanged and kill. */
2233                if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2234                        struct task_struct *tracer;
2235                        struct task_security_struct *sec;
2236                        u32 ptsid = 0;
2237
2238                        rcu_read_lock();
2239                        tracer = tracehook_tracer_task(current);
2240                        if (likely(tracer != NULL)) {
2241                                sec = tracer->security;
2242                                ptsid = sec->sid;
2243                        }
2244                        rcu_read_unlock();
2245
2246                        if (ptsid != 0) {
2247                                rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2248                                                  PROCESS__PTRACE, NULL);
2249                                if (rc) {
2250                                        bsec->unsafe = 1;
2251                                        return;
2252                                }
2253                        }
2254                }
2255                tsec->sid = sid;
2256        }
2257}
2258
2259/*
2260 * called after apply_creds without the task lock held
2261 */
2262static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2263{
2264        struct task_security_struct *tsec;
2265        struct rlimit *rlim, *initrlim;
2266        struct itimerval itimer;
2267        struct bprm_security_struct *bsec;
2268        int rc, i;
2269
2270        tsec = current->security;
2271        bsec = bprm->security;
2272
2273        if (bsec->unsafe) {
2274                force_sig_specific(SIGKILL, current);
2275                return;
2276        }
2277        if (tsec->osid == tsec->sid)
2278                return;
2279
2280        /* Close files for which the new task SID is not authorized. */
2281        flush_unauthorized_files(current->files);
2282
2283        /* Check whether the new SID can inherit signal state
2284           from the old SID.  If not, clear itimers to avoid
2285           subsequent signal generation and flush and unblock
2286           signals. This must occur _after_ the task SID has
2287          been updated so that any kill done after the flush
2288          will be checked against the new SID. */
2289        rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2290                          PROCESS__SIGINH, NULL);
2291        if (rc) {
2292                memset(&itimer, 0, sizeof itimer);
2293                for (i = 0; i < 3; i++)
2294                        do_setitimer(i, &itimer, NULL);
2295                flush_signals(current);
2296                spin_lock_irq(&current->sighand->siglock);
2297                flush_signal_handlers(current, 1);
2298                sigemptyset(&current->blocked);
2299                recalc_sigpending();
2300                spin_unlock_irq(&current->sighand->siglock);
2301        }
2302
2303        /* Always clear parent death signal on SID transitions. */
2304        current->pdeath_signal = 0;
2305
2306        /* Check whether the new SID can inherit resource limits
2307           from the old SID.  If not, reset all soft limits to
2308           the lower of the current task's hard limit and the init
2309           task's soft limit.  Note that the setting of hard limits
2310           (even to lower them) can be controlled by the setrlimit
2311           check. The inclusion of the init task's soft limit into
2312           the computation is to avoid resetting soft limits higher
2313           than the default soft limit for cases where the default
2314           is lower than the hard limit, e.g. RLIMIT_CORE or
2315           RLIMIT_STACK.*/
2316        rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2317                          PROCESS__RLIMITINH, NULL);
2318        if (rc) {
2319                for (i = 0; i < RLIM_NLIMITS; i++) {
2320                        rlim = current->signal->rlim + i;
2321                        initrlim = init_task.signal->rlim+i;
2322                        rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2323                }
2324                if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2325                        /*
2326                         * This will cause RLIMIT_CPU calculations
2327                         * to be refigured.
2328                         */
2329                        current->it_prof_expires = jiffies_to_cputime(1);
2330                }
2331        }
2332
2333        /* Wake up the parent if it is waiting so that it can
2334           recheck wait permission to the new task SID. */
2335        wake_up_interruptible(&current->parent->signal->wait_chldexit);
2336}
2337
2338/* superblock security operations */
2339
2340static int selinux_sb_alloc_security(struct super_block *sb)
2341{
2342        return superblock_alloc_security(sb);
2343}
2344
2345static void selinux_sb_free_security(struct super_block *sb)
2346{
2347        superblock_free_security(sb);
2348}
2349
2350static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2351{
2352        if (plen > olen)
2353                return 0;
2354
2355        return !memcmp(prefix, option, plen);
2356}
2357
2358static inline int selinux_option(char *option, int len)
2359{
2360        return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2361                match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2362                match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2363                match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2364}
2365
2366static inline void take_option(char **to, char *from, int *first, int len)
2367{
2368        if (!*first) {
2369                **to = ',';
2370                *to += 1;
2371        } else
2372                *first = 0;
2373        memcpy(*to, from, len);
2374        *to += len;
2375}
2376
2377static inline void take_selinux_option(char **to, char *from, int *first,
2378                                       int len)
2379{
2380        int current_size = 0;
2381
2382        if (!*first) {
2383                **to = '|';
2384                *to += 1;
2385        } else
2386                *first = 0;
2387
2388        while (current_size < len) {
2389                if (*from != '"') {
2390                        **to = *from;
2391                        *to += 1;
2392                }
2393                from += 1;
2394                current_size += 1;
2395        }
2396}
2397
2398static int selinux_sb_copy_data(char *orig, char *copy)
2399{
2400        int fnosec, fsec, rc = 0;
2401        char *in_save, *in_curr, *in_end;
2402        char *sec_curr, *nosec_save, *nosec;
2403        int open_quote = 0;
2404
2405        in_curr = orig;
2406        sec_curr = copy;
2407
2408        nosec = (char *)get_zeroed_page(GFP_KERNEL);
2409        if (!nosec) {
2410                rc = -ENOMEM;
2411                goto out;
2412        }
2413
2414        nosec_save = nosec;
2415        fnosec = fsec = 1;
2416        in_save = in_end = orig;
2417
2418        do {
2419                if (*in_end == '"')
2420                        open_quote = !open_quote;
2421                if ((*in_end == ',' && open_quote == 0) ||
2422                                *in_end == '\0') {
2423                        int len = in_end - in_curr;
2424
2425                        if (selinux_option(in_curr, len))
2426                                take_selinux_option(&sec_curr, in_curr, &fsec, len);
2427                        else
2428                                take_option(&nosec, in_curr, &fnosec, len);
2429
2430                        in_curr = in_end + 1;
2431                }
2432        } while (*in_end++);
2433
2434        strcpy(in_save, nosec_save);
2435        free_page((unsigned long)nosec_save);
2436out:
2437        return rc;
2438}
2439
2440static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2441{
2442        struct avc_audit_data ad;
2443        int rc;
2444
2445        rc = superblock_doinit(sb, data);
2446        if (rc)
2447                return rc;
2448
2449        AVC_AUDIT_DATA_INIT(&ad, FS);
2450        ad.u.fs.path.dentry = sb->s_root;
2451        return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2452}
2453
2454static int selinux_sb_statfs(struct dentry *dentry)
2455{
2456        struct avc_audit_data ad;
2457
2458        AVC_AUDIT_DATA_INIT(&ad, FS);
2459        ad.u.fs.path.dentry = dentry->d_sb->s_root;
2460        return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2461}
2462
2463static int selinux_mount(char *dev_name,
2464                         struct path *path,
2465                         char *type,
2466                         unsigned long flags,
2467                         void *data)
2468{
2469        int rc;
2470
2471        rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2472        if (rc)
2473                return rc;
2474
2475        if (flags & MS_REMOUNT)
2476                return superblock_has_perm(current, path->mnt->mnt_sb,
2477                                           FILESYSTEM__REMOUNT, NULL);
2478        else
2479                return dentry_has_perm(current, path->mnt, path->dentry,
2480                                       FILE__MOUNTON);
2481}
2482
2483static int selinux_umount(struct vfsmount *mnt, int flags)
2484{
2485        int rc;
2486
2487        rc = secondary_ops->sb_umount(mnt, flags);
2488        if (rc)
2489                return rc;
2490
2491        return superblock_has_perm(current, mnt->mnt_sb,
2492                                   FILESYSTEM__UNMOUNT, NULL);
2493}
2494
2495/* inode security operations */
2496
2497static int selinux_inode_alloc_security(struct inode *inode)
2498{
2499        return inode_alloc_security(inode);
2500}
2501
2502static void selinux_inode_free_security(struct inode *inode)
2503{
2504        inode_free_security(inode);
2505}
2506
2507static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2508                                       char **name, void **value,
2509                                       size_t *len)
2510{
2511        struct task_security_struct *tsec;
2512        struct inode_security_struct *dsec;
2513        struct superblock_security_struct *sbsec;
2514        u32 newsid, clen;
2515        int rc;
2516        char *namep = NULL, *context;
2517
2518        tsec = current->security;
2519        dsec = dir->i_security;
2520        sbsec = dir->i_sb->s_security;
2521
2522        if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2523                newsid = tsec->create_sid;
2524        } else {
2525                rc = security_transition_sid(tsec->sid, dsec->sid,
2526                                             inode_mode_to_security_class(inode->i_mode),
2527                                             &newsid);
2528                if (rc) {
2529                        printk(KERN_WARNING "%s:  "
2530                               "security_transition_sid failed, rc=%d (dev=%s "
2531                               "ino=%ld)\n",
2532                               __func__,
2533                               -rc, inode->i_sb->s_id, inode->i_ino);
2534                        return rc;
2535                }
2536        }
2537
2538        /* Possibly defer initialization to selinux_complete_init. */
2539        if (sbsec->initialized) {
2540                struct inode_security_struct *isec = inode->i_security;
2541                isec->sclass = inode_mode_to_security_class(inode->i_mode);
2542                isec->sid = newsid;
2543                isec->initialized = 1;
2544        }
2545
2546        if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2547                return -EOPNOTSUPP;
2548
2549        if (name) {
2550                namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2551                if (!namep)
2552                        return -ENOMEM;
2553                *name = namep;
2554        }
2555
2556        if (value && len) {
2557                rc = security_sid_to_context_force(newsid, &context, &clen);
2558                if (rc) {
2559                        kfree(namep);
2560                        return rc;
2561                }
2562                *value = context;
2563                *len = clen;
2564        }
2565
2566        return 0;
2567}
2568
2569static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2570{
2571        return may_create(dir, dentry, SECCLASS_FILE);
2572}
2573
2574static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2575{
2576        int rc;
2577
2578        rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2579        if (rc)
2580                return rc;
2581        return may_link(dir, old_dentry, MAY_LINK);
2582}
2583
2584static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2585{
2586        int rc;
2587
2588        rc = secondary_ops->inode_unlink(dir, dentry);
2589        if (rc)
2590                return rc;
2591        return may_link(dir, dentry, MAY_UNLINK);
2592}
2593
2594static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2595{
2596        return may_create(dir, dentry, SECCLASS_LNK_FILE);
2597}
2598
2599static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2600{
2601        return may_create(dir, dentry, SECCLASS_DIR);
2602}
2603
2604static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2605{
2606        return may_link(dir, dentry, MAY_RMDIR);
2607}
2608
2609static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2610{
2611        int rc;
2612
2613        rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2614        if (rc)
2615                return rc;
2616
2617        return may_create(dir, dentry, inode_mode_to_security_class(mode));
2618}
2619
2620static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2621                                struct inode *new_inode, struct dentry *new_dentry)
2622{
2623        return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2624}
2625
2626static int selinux_inode_readlink(struct dentry *dentry)
2627{
2628        return dentry_has_perm(current, NULL, dentry, FILE__READ);
2629}
2630
2631static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2632{
2633        int rc;
2634
2635        rc = secondary_ops->inode_follow_link(dentry, nameidata);
2636        if (rc)
2637                return rc;
2638        return dentry_has_perm(current, NULL, dentry, FILE__READ);
2639}
2640
2641static int selinux_inode_permission(struct inode *inode, int mask)
2642{
2643        int rc;
2644
2645        rc = secondary_ops->inode_permission(inode, mask);
2646        if (rc)
2647                return rc;
2648
2649        if (!mask) {
2650                /* No permission to check.  Existence test. */
2651                return 0;
2652        }
2653
2654        return inode_has_perm(current, inode,
2655                               open_file_mask_to_av(inode->i_mode, mask), NULL);
2656}
2657
2658static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2659{
2660        int rc;
2661
2662        rc = secondary_ops->inode_setattr(dentry, iattr);
2663        if (rc)
2664                return rc;
2665
2666        if (iattr->ia_valid & ATTR_FORCE)
2667                return 0;
2668
2669        if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2670                               ATTR_ATIME_SET | ATTR_MTIME_SET))
2671                return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2672
2673        return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2674}
2675
2676static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2677{
2678        return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2679}
2680
2681static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2682{
2683        if (!strncmp(name, XATTR_SECURITY_PREFIX,
2684                     sizeof XATTR_SECURITY_PREFIX - 1)) {
2685                if (!strcmp(name, XATTR_NAME_CAPS)) {
2686                        if (!capable(CAP_SETFCAP))
2687                                return -EPERM;
2688                } else if (!capable(CAP_SYS_ADMIN)) {
2689                        /* A different attribute in the security namespace.
2690                           Restrict to administrator. */
2691                        return -EPERM;
2692                }
2693        }
2694
2695        /* Not an attribute we recognize, so just check the
2696           ordinary setattr permission. */
2697        return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2698}
2699
2700static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2701                                  const void *value, size_t size, int flags)
2702{
2703        struct task_security_struct *tsec = current->security;
2704        struct inode *inode = dentry->d_inode;
2705        struct inode_security_struct *isec = inode->i_security;
2706        struct superblock_security_struct *sbsec;
2707        struct avc_audit_data ad;
2708        u32 newsid;
2709        int rc = 0;
2710
2711        if (strcmp(name, XATTR_NAME_SELINUX))
2712                return selinux_inode_setotherxattr(dentry, name);
2713
2714        sbsec = inode->i_sb->s_security;
2715        if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2716                return -EOPNOTSUPP;
2717
2718        if (!is_owner_or_cap(inode))
2719                return -EPERM;
2720
2721        AVC_AUDIT_DATA_INIT(&ad, FS);
2722        ad.u.fs.path.dentry = dentry;
2723
2724        rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2725                          FILE__RELABELFROM, &ad);
2726        if (rc)
2727                return rc;
2728
2729        rc = security_context_to_sid(value, size, &newsid);
2730        if (rc == -EINVAL) {
2731                if (!capable(CAP_MAC_ADMIN))
2732                        return rc;
2733                rc = security_context_to_sid_force(value, size, &newsid);
2734        }
2735        if (rc)
2736                return rc;
2737
2738        rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2739                          FILE__RELABELTO, &ad);
2740        if (rc)
2741                return rc;
2742
2743        rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2744                                          isec->sclass);
2745        if (rc)
2746                return rc;
2747
2748        return avc_has_perm(newsid,
2749                            sbsec->sid,
2750                            SECCLASS_FILESYSTEM,
2751                            FILESYSTEM__ASSOCIATE,
2752                            &ad);
2753}
2754
2755static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2756                                        const void *value, size_t size,
2757                                        int flags)
2758{
2759        struct inode *inode = dentry->d_inode;
2760        struct inode_security_struct *isec = inode->i_security;
2761        u32 newsid;
2762        int rc;
2763
2764        if (strcmp(name, XATTR_NAME_SELINUX)) {
2765                /* Not an attribute we recognize, so nothing to do. */
2766                return;
2767        }
2768
2769        rc = security_context_to_sid_force(value, size, &newsid);
2770        if (rc) {
2771                printk(KERN_ERR "SELinux:  unable to map context to SID"
2772                       "for (%s, %lu), rc=%d\n",
2773                       inode->i_sb->s_id, inode->i_ino, -rc);
2774                return;
2775        }
2776
2777        isec->sid = newsid;
2778        return;
2779}
2780
2781static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2782{
2783        return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2784}
2785
2786static int selinux_inode_listxattr(struct dentry *dentry)
2787{
2788        return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2789}
2790
2791static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2792{
2793        if (strcmp(name, XATTR_NAME_SELINUX))
2794                return selinux_inode_setotherxattr(dentry, name);
2795
2796        /* No one is allowed to remove a SELinux security label.
2797           You can change the label, but all data must be labeled. */
2798        return -EACCES;
2799}
2800
2801/*
2802 * Copy the inode security context value to the user.
2803 *
2804 * Permission check is handled by selinux_inode_getxattr hook.
2805 */
2806static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2807{
2808        u32 size;
2809        int error;
2810        char *context = NULL;
2811        struct task_security_struct *tsec = current->security;
2812        struct inode_security_struct *isec = inode->i_security;
2813
2814        if (strcmp(name, XATTR_SELINUX_SUFFIX))
2815                return -EOPNOTSUPP;
2816
2817        /*
2818         * If the caller has CAP_MAC_ADMIN, then get the raw context
2819         * value even if it is not defined by current policy; otherwise,
2820         * use the in-core value under current policy.
2821         * Use the non-auditing forms of the permission checks since
2822         * getxattr may be called by unprivileged processes commonly
2823         * and lack of permission just means that we fall back to the
2824         * in-core context value, not a denial.
2825         */
2826        error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2827        if (!error)
2828                error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2829                                             SECCLASS_CAPABILITY2,
2830                                             CAPABILITY2__MAC_ADMIN,
2831                                             0,
2832                                             NULL);
2833        if (!error)
2834                error = security_sid_to_context_force(isec->sid, &context,
2835                                                      &size);
2836        else
2837                error = security_sid_to_context(isec->sid, &context, &size);
2838        if (error)
2839                return error;
2840        error = size;
2841        if (alloc) {
2842                *buffer = context;
2843                goto out_nofree;
2844        }
2845        kfree(context);
2846out_nofree:
2847        return error;
2848}
2849
2850static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2851                                     const void *value, size_t size, int flags)
2852{
2853        struct inode_security_struct *isec = inode->i_security;
2854        u32 newsid;
2855        int rc;
2856
2857        if (strcmp(name, XATTR_SELINUX_SUFFIX))
2858                return -EOPNOTSUPP;
2859
2860        if (!value || !size)
2861                return -EACCES;
2862
2863        rc = security_context_to_sid((void *)value, size, &newsid);
2864        if (rc)
2865                return rc;
2866
2867        isec->sid = newsid;
2868        return 0;
2869}
2870
2871static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2872{
2873        const int len = sizeof(XATTR_NAME_SELINUX);
2874        if (buffer && len <= buffer_size)
2875                memcpy(buffer, XATTR_NAME_SELINUX, len);
2876        return len;
2877}
2878
2879static int selinux_inode_need_killpriv(struct dentry *dentry)
2880{
2881        return secondary_ops->inode_need_killpriv(dentry);
2882}
2883
2884static int selinux_inode_killpriv(struct dentry *dentry)
2885{
2886        return secondary_ops->inode_killpriv(dentry);
2887}
2888
2889static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2890{
2891        struct inode_security_struct *isec = inode->i_security;
2892        *secid = isec->sid;
2893}
2894
2895/* file security operations */
2896
2897static int selinux_revalidate_file_permission(struct file *file, int mask)
2898{
2899        int rc;
2900        struct inode *inode = file->f_path.dentry->d_inode;
2901
2902        if (!mask) {
2903                /* No permission to check.  Existence test. */
2904                return 0;
2905        }
2906
2907        /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2908        if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2909                mask |= MAY_APPEND;
2910
2911        rc = file_has_perm(current, file,
2912                           file_mask_to_av(inode->i_mode, mask));
2913        if (rc)
2914                return rc;
2915
2916        return selinux_netlbl_inode_permission(inode, mask);
2917}
2918
2919static int selinux_file_permission(struct file *file, int mask)
2920{
2921        struct inode *inode = file->f_path.dentry->d_inode;
2922        struct task_security_struct *tsec = current->security;
2923        struct file_security_struct *fsec = file->f_security;
2924        struct inode_security_struct *isec = inode->i_security;
2925
2926        if (!mask) {
2927                /* No permission to check.  Existence test. */
2928                return 0;
2929        }
2930
2931        if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2932            && fsec->pseqno == avc_policy_seqno())
2933                return selinux_netlbl_inode_permission(inode, mask);
2934
2935        return selinux_revalidate_file_permission(file, mask);
2936}
2937
2938static int selinux_file_alloc_security(struct file *file)
2939{
2940        return file_alloc_security(file);
2941}
2942
2943static void selinux_file_free_security(struct file *file)
2944{
2945        file_free_security(file);
2946}
2947
2948static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2949                              unsigned long arg)
2950{
2951        u32 av = 0;
2952
2953        if (_IOC_DIR(cmd) & _IOC_WRITE)
2954                av |= FILE__WRITE;
2955        if (_IOC_DIR(cmd) & _IOC_READ)
2956                av |= FILE__READ;
2957        if (!av)
2958                av = FILE__IOCTL;
2959
2960        return file_has_perm(current, file, av);
2961}
2962
2963static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2964{
2965#ifndef CONFIG_PPC32
2966        if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2967                /*
2968                 * We are making executable an anonymous mapping or a
2969                 * private file mapping that will also be writable.
2970                 * This has an additional check.
2971                 */
2972                int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2973                if (rc)
2974                        return rc;
2975        }
2976#endif
2977
2978        if (file) {
2979                /* read access is always possible with a mapping */
2980                u32 av = FILE__READ;
2981
2982                /* write access only matters if the mapping is shared */
2983                if (shared && (prot & PROT_WRITE))
2984                        av |= FILE__WRITE;
2985
2986                if (prot & PROT_EXEC)
2987                        av |= FILE__EXECUTE;
2988
2989                return file_has_perm(current, file, av);
2990        }
2991        return 0;
2992}
2993
2994static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2995                             unsigned long prot, unsigned long flags,
2996                             unsigned long addr, unsigned long addr_only)
2997{
2998        int rc = 0;
2999        u32 sid = ((struct task_security_struct *)(current->security))->sid;
3000
3001        if (addr < mmap_min_addr)
3002                rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3003                                  MEMPROTECT__MMAP_ZERO, NULL);
3004        if (rc || addr_only)
3005                return rc;
3006
3007        if (selinux_checkreqprot)
3008                prot = reqprot;
3009
3010        return file_map_prot_check(file, prot,
3011                                   (flags & MAP_TYPE) == MAP_SHARED);
3012}
3013
3014static int selinux_file_mprotect(struct vm_area_struct *vma,
3015                                 unsigned long reqprot,
3016                                 unsigned long prot)
3017{
3018        int rc;
3019
3020        rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3021        if (rc)
3022                return rc;
3023
3024        if (selinux_checkreqprot)
3025                prot = reqprot;
3026
3027#ifndef CONFIG_PPC32
3028        if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3029                rc = 0;
3030                if (vma->vm_start >= vma->vm_mm->start_brk &&
3031                    vma->vm_end <= vma->vm_mm->brk) {
3032                        rc = task_has_perm(current, current,
3033                                           PROCESS__EXECHEAP);
3034                } else if (!vma->vm_file &&
3035                           vma->vm_start <= vma->vm_mm->start_stack &&
3036                           vma->vm_end >= vma->vm_mm->start_stack) {
3037                        rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3038                } else if (vma->vm_file && vma->anon_vma) {
3039                        /*
3040                         * We are making executable a file mapping that has
3041                         * had some COW done. Since pages might have been
3042                         * written, check ability to execute the possibly
3043                         * modified content.  This typically should only
3044                         * occur for text relocations.
3045                         */
3046                        rc = file_has_perm(current, vma->vm_file,
3047                                           FILE__EXECMOD);
3048                }
3049                if (rc)
3050                        return rc;
3051        }
3052#endif
3053
3054        return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3055}
3056
3057static int selinux_file_lock(struct file *file, unsigned int cmd)
3058{
3059        return file_has_perm(current, file, FILE__LOCK);
3060}
3061
3062static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3063                              unsigned long arg)
3064{
3065        int err = 0;
3066
3067        switch (cmd) {
3068        case F_SETFL:
3069                if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3070                        err = -EINVAL;
3071                        break;
3072                }
3073
3074                if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3075                        err = file_has_perm(current, file, FILE__WRITE);
3076                        break;
3077                }
3078                /* fall through */
3079        case F_SETOWN:
3080        case F_SETSIG:
3081        case F_GETFL:
3082        case F_GETOWN:
3083        case F_GETSIG:
3084                /* Just check FD__USE permission */
3085                err = file_has_perm(current, file, 0);
3086                break;
3087        case F_GETLK:
3088        case F_SETLK:
3089        case F_SETLKW:
3090#if BITS_PER_LONG == 32
3091        case F_GETLK64:
3092        case F_SETLK64:
3093        case F_SETLKW64:
3094#endif
3095                if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3096                        err = -EINVAL;
3097                        break;
3098                }
3099                err = file_has_perm(current, file, FILE__LOCK);
3100                break;
3101        }
3102
3103        return err;
3104}
3105
3106static int selinux_file_set_fowner(struct file *file)
3107{
3108        struct task_security_struct *tsec;
3109        struct file_security_struct *fsec;
3110
3111        tsec = current->security;
3112        fsec = file->f_security;
3113        fsec->fown_sid = tsec->sid;
3114
3115        return 0;
3116}
3117
3118static int selinux_file_send_sigiotask(struct task_struct *tsk,
3119                                       struct fown_struct *fown, int signum)
3120{
3121        struct file *file;
3122        u32 perm;
3123        struct task_security_struct *tsec;
3124        struct file_security_struct *fsec;
3125
3126        /* struct fown_struct is never outside the context of a struct file */
3127        file = container_of(fown, struct file, f_owner);
3128
3129        tsec = tsk->security;
3130        fsec = file->f_security;
3131
3132        if (!signum)
3133                perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3134        else
3135                perm = signal_to_av(signum);
3136
3137        return avc_has_perm(fsec->fown_sid, tsec->sid,
3138                            SECCLASS_PROCESS, perm, NULL);
3139}
3140
3141static int selinux_file_receive(struct file *file)
3142{
3143        return file_has_perm(current, file, file_to_av(file));
3144}
3145
3146static int selinux_dentry_open(struct file *file)
3147{
3148        struct file_security_struct *fsec;
3149        struct inode *inode;
3150        struct inode_security_struct *isec;
3151        inode = file->f_path.dentry->d_inode;
3152        fsec = file->f_security;
3153        isec = inode->i_security;
3154        /*
3155         * Save inode label and policy sequence number
3156         * at open-time so that selinux_file_permission
3157         * can determine whether revalidation is necessary.
3158         * Task label is already saved in the file security
3159         * struct as its SID.
3160         */
3161        fsec->isid = isec->sid;
3162        fsec->pseqno = avc_policy_seqno();
3163        /*
3164         * Since the inode label or policy seqno may have changed
3165         * between the selinux_inode_permission check and the saving
3166         * of state above, recheck that access is still permitted.
3167         * Otherwise, access might never be revalidated against the
3168         * new inode label or new policy.
3169         * This check is not redundant - do not remove.
3170         */
3171        return inode_has_perm(current, inode, file_to_av(file), NULL);
3172}
3173
3174/* task security operations */
3175
3176static int selinux_task_create(unsigned long clone_flags)
3177{
3178        int rc;
3179
3180        rc = secondary_ops->task_create(clone_flags);
3181        if (rc)
3182                return rc;
3183
3184        return task_has_perm(current, current, PROCESS__FORK);
3185}
3186
3187static int selinux_task_alloc_security(struct task_struct *tsk)
3188{
3189        struct task_security_struct *tsec1, *tsec2;
3190        int rc;
3191
3192        tsec1 = current->security;
3193
3194        rc = task_alloc_security(tsk);
3195        if (rc)
3196                return rc;
3197        tsec2 = tsk->security;
3198
3199        tsec2->osid = tsec1->osid;
3200        tsec2->sid = tsec1->sid;
3201
3202        /* Retain the exec, fs, key, and sock SIDs across fork */
3203        tsec2->exec_sid = tsec1->exec_sid;
3204        tsec2->create_sid = tsec1->create_sid;
3205        tsec2->keycreate_sid = tsec1->keycreate_sid;
3206        tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3207
3208        return 0;
3209}
3210
3211static void selinux_task_free_security(struct task_struct *tsk)
3212{
3213        task_free_security(tsk);
3214}
3215
3216static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3217{
3218        /* Since setuid only affects the current process, and
3219           since the SELinux controls are not based on the Linux
3220           identity attributes, SELinux does not need to control
3221           this operation.  However, SELinux does control the use
3222           of the CAP_SETUID and CAP_SETGID capabilities using the
3223           capable hook. */
3224        return 0;
3225}
3226
3227static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3228{
3229        return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3230}
3231
3232static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3233{
3234        /* See the comment for setuid above. */
3235        return 0;
3236}
3237
3238static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3239{
3240        return task_has_perm(current, p, PROCESS__SETPGID);
3241}
3242
3243static int selinux_task_getpgid(struct task_struct *p)
3244{
3245        return task_has_perm(current, p, PROCESS__GETPGID);
3246}
3247
3248static int selinux_task_getsid(struct task_struct *p)
3249{
3250        return task_has_perm(current, p, PROCESS__GETSESSION);
3251}
3252
3253static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3254{
3255        struct task_security_struct *tsec = p->security;
3256        *secid = tsec->sid;
3257}
3258
3259static int selinux_task_setgroups(struct group_info *group_info)
3260{
3261        /* See the comment for setuid above. */
3262        return 0;
3263}
3264
3265static int selinux_task_setnice(struct task_struct *p, int nice)
3266{
3267        int rc;
3268
3269        rc = secondary_ops->task_setnice(p, nice);
3270        if (rc)
3271                return rc;
3272
3273        return task_has_perm(current, p, PROCESS__SETSCHED);
3274}
3275
3276static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3277{
3278        int rc;
3279
3280        rc = secondary_ops->task_setioprio(p, ioprio);
3281        if (rc)
3282                return rc;
3283
3284        return task_has_perm(current, p, PROCESS__SETSCHED);
3285}
3286
3287static int selinux_task_getioprio(struct task_struct *p)
3288{
3289        return task_has_perm(current, p, PROCESS__GETSCHED);
3290}
3291
3292static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3293{
3294        struct rlimit *old_rlim = current->signal->rlim + resource;
3295        int rc;
3296
3297        rc = secondary_ops->task_setrlimit(resource, new_rlim);
3298        if (rc)
3299                return rc;
3300
3301        /* Control the ability to change the hard limit (whether
3302           lowering or raising it), so that the hard limit can
3303           later be used as a safe reset point for the soft limit
3304           upon context transitions. See selinux_bprm_apply_creds. */
3305        if (old_rlim->rlim_max != new_rlim->rlim_max)
3306                return task_has_perm(current, current, PROCESS__SETRLIMIT);
3307
3308        return 0;
3309}
3310
3311static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3312{
3313        int rc;
3314
3315        rc = secondary_ops->task_setscheduler(p, policy, lp);
3316        if (rc)
3317                return rc;
3318
3319        return task_has_perm(current, p, PROCESS__SETSCHED);
3320}
3321
3322static int selinux_task_getscheduler(struct task_struct *p)
3323{
3324        return task_has_perm(current, p, PROCESS__GETSCHED);
3325}
3326
3327static int selinux_task_movememory(struct task_struct *p)
3328{
3329        return task_has_perm(current, p, PROCESS__SETSCHED);
3330}
3331
3332static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3333                                int sig, u32 secid)
3334{
3335        u32 perm;
3336        int rc;
3337        struct task_security_struct *tsec;
3338
3339        rc = secondary_ops->task_kill(p, info, sig, secid);
3340        if (rc)
3341                return rc;
3342
3343        if (!sig)
3344                perm = PROCESS__SIGNULL; /* null signal; existence test */
3345        else
3346                perm = signal_to_av(sig);
3347        tsec = p->security;
3348        if (secid)
3349                rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3350        else
3351                rc = task_has_perm(current, p, perm);
3352        return rc;
3353}
3354
3355static int selinux_task_prctl(int option,
3356                              unsigned long arg2,
3357                              unsigned long arg3,
3358                              unsigned long arg4,
3359                              unsigned long arg5,
3360                              long *rc_p)
3361{
3362        /* The current prctl operations do not appear to require
3363           any SELinux controls since they merely observe or modify
3364           the state of the current process. */
3365        return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3366}
3367
3368static int selinux_task_wait(struct task_struct *p)
3369{
3370        return task_has_perm(p, current, PROCESS__SIGCHLD);
3371}
3372
3373static void selinux_task_reparent_to_init(struct task_struct *p)
3374{
3375        struct task_security_struct *tsec;
3376
3377        secondary_ops->task_reparent_to_init(p);
3378
3379        tsec = p->security;
3380        tsec->osid = tsec->sid;
3381        tsec->sid = SECINITSID_KERNEL;
3382        return;
3383}
3384
3385static void selinux_task_to_inode(struct task_struct *p,
3386                                  struct inode *inode)
3387{
3388        struct task_security_struct *tsec = p->security;
3389        struct inode_security_struct *isec = inode->i_security;
3390
3391        isec->sid = tsec->sid;
3392        isec->initialized = 1;
3393        return;
3394}
3395
3396/* Returns error only if unable to parse addresses */
3397static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3398                        struct avc_audit_data *ad, u8 *proto)
3399{
3400        int offset, ihlen, ret = -EINVAL;
3401        struct iphdr _iph, *ih;
3402
3403        offset = skb_network_offset(skb);
3404        ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3405        if (ih == NULL)
3406                goto out;
3407
3408        ihlen = ih->ihl * 4;
3409        if (ihlen < sizeof(_iph))
3410                goto out;
3411
3412        ad->u.net.v4info.saddr = ih->saddr;
3413        ad->u.net.v4info.daddr = ih->daddr;
3414        ret = 0;
3415
3416        if (proto)
3417                *proto = ih->protocol;
3418
3419        switch (ih->protocol) {
3420        case IPPROTO_TCP: {
3421                struct tcphdr _tcph, *th;
3422
3423                if (ntohs(ih->frag_off) & IP_OFFSET)
3424                        break;
3425
3426                offset += ihlen;
3427                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3428                if (th == NULL)
3429                        break;
3430
3431                ad->u.net.sport = th->source;
3432                ad->u.net.dport = th->dest;
3433                break;
3434        }
3435
3436        case IPPROTO_UDP: {
3437                struct udphdr _udph, *uh;
3438
3439                if (ntohs(ih->frag_off) & IP_OFFSET)
3440                        break;
3441
3442                offset += ihlen;
3443                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3444                if (uh == NULL)
3445                        break;
3446
3447                ad->u.net.sport = uh->source;
3448                ad->u.net.dport = uh->dest;
3449                break;
3450        }
3451
3452        case IPPROTO_DCCP: {
3453                struct dccp_hdr _dccph, *dh;
3454
3455                if (ntohs(ih->frag_off) & IP_OFFSET)
3456                        break;
3457
3458                offset += ihlen;
3459                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3460                if (dh == NULL)
3461                        break;
3462
3463                ad->u.net.sport = dh->dccph_sport;
3464                ad->u.net.dport = dh->dccph_dport;
3465                break;
3466        }
3467
3468        default:
3469                break;
3470        }
3471out:
3472        return ret;
3473}
3474
3475#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3476
3477/* Returns error only if unable to parse addresses */
3478static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3479                        struct avc_audit_data *ad, u8 *proto)
3480{
3481        u8 nexthdr;
3482        int ret = -EINVAL, offset;
3483        struct ipv6hdr _ipv6h, *ip6;
3484
3485        offset = skb_network_offset(skb);
3486        ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3487        if (ip6 == NULL)
3488                goto out;
3489
3490        ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3491        ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3492        ret = 0;
3493
3494        nexthdr = ip6->nexthdr;
3495        offset += sizeof(_ipv6h);
3496        offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3497        if (offset < 0)
3498                goto out;
3499
3500        if (proto)
3501                *proto = nexthdr;
3502
3503        switch (nexthdr) {
3504        case IPPROTO_TCP: {
3505                struct tcphdr _tcph, *th;
3506
3507                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3508                if (th == NULL)
3509                        break;
3510
3511                ad->u.net.sport = th->source;
3512                ad->u.net.dport = th->dest;
3513                break;
3514        }
3515
3516        case IPPROTO_UDP: {
3517                struct udphdr _udph, *uh;
3518
3519                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3520                if (uh == NULL)
3521                        break;
3522
3523                ad->u.net.sport = uh->source;
3524                ad->u.net.dport = uh->dest;
3525                break;
3526        }
3527
3528        case IPPROTO_DCCP: {
3529                struct dccp_hdr _dccph, *dh;
3530
3531                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3532                if (dh == NULL)
3533                        break;
3534
3535                ad->u.net.sport = dh->dccph_sport;
3536                ad->u.net.dport = dh->dccph_dport;
3537                break;
3538        }
3539
3540        /* includes fragments */
3541        default:
3542                break;
3543        }
3544out:
3545        return ret;
3546}
3547
3548#endif /* IPV6 */
3549
3550static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3551                             char **addrp, int src, u8 *proto)
3552{
3553        int ret = 0;
3554
3555        switch (ad->u.net.family) {
3556        case PF_INET:
3557                ret = selinux_parse_skb_ipv4(skb, ad, proto);
3558                if (ret || !addrp)
3559                        break;
3560                *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3561                                        &ad->u.net.v4info.daddr);
3562                break;
3563
3564#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3565        case PF_INET6:
3566                ret = selinux_parse_skb_ipv6(skb, ad, proto);
3567                if (ret || !addrp)
3568                        break;
3569                *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3570                                        &ad->u.net.v6info.daddr);
3571                break;
3572#endif  /* IPV6 */
3573        default:
3574                break;
3575        }
3576
3577        if (unlikely(ret))
3578                printk(KERN_WARNING
3579                       "SELinux: failure in selinux_parse_skb(),"
3580                       " unable to parse packet\n");
3581
3582        return ret;
3583}
3584
3585/**
3586 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3587 * @skb: the packet
3588 * @family: protocol family
3589 * @sid: the packet's peer label SID
3590 *
3591 * Description:
3592 * Check the various different forms of network peer labeling and determine
3593 * the peer label/SID for the packet; most of the magic actually occurs in
3594 * the security server function security_net_peersid_cmp().  The function
3595 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3596 * or -EACCES if @sid is invalid due to inconsistencies with the different
3597 * peer labels.
3598 *
3599 */
3600static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3601{
3602        int err;
3603        u32 xfrm_sid;
3604        u32 nlbl_sid;
3605        u32 nlbl_type;
3606
3607        selinux_skb_xfrm_sid(skb, &xfrm_sid);
3608        selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3609
3610        err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3611        if (unlikely(err)) {
3612                printk(KERN_WARNING
3613                       "SELinux: failure in selinux_skb_peerlbl_sid(),"
3614                       " unable to determine packet's peer label\n");
3615                return -EACCES;
3616        }
3617
3618        return 0;
3619}
3620
3621/* socket security operations */
3622static int socket_has_perm(struct task_struct *task, struct socket *sock,
3623                           u32 perms)
3624{
3625        struct inode_security_struct *isec;
3626        struct task_security_struct *tsec;
3627        struct avc_audit_data ad;
3628        int err = 0;
3629
3630        tsec = task->security;
3631        isec = SOCK_INODE(sock)->i_security;
3632
3633        if (isec->sid == SECINITSID_KERNEL)
3634                goto out;
3635
3636        AVC_AUDIT_DATA_INIT(&ad, NET);
3637        ad.u.net.sk = sock->sk;
3638        err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3639
3640out:
3641        return err;
3642}
3643
3644static int selinux_socket_create(int family, int type,
3645                                 int protocol, int kern)
3646{
3647        int err = 0;
3648        struct task_security_struct *tsec;
3649        u32 newsid;
3650
3651        if (kern)
3652                goto out;
3653
3654        tsec = current->security;
3655        newsid = tsec->sockcreate_sid ? : tsec->sid;
3656        err = avc_has_perm(tsec->sid, newsid,
3657                           socket_type_to_security_class(family, type,
3658                           protocol), SOCKET__CREATE, NULL);
3659
3660out:
3661        return err;
3662}
3663
3664static int selinux_socket_post_create(struct socket *sock, int family,
3665                                      int type, int protocol, int kern)
3666{
3667        int err = 0;
3668        struct inode_security_struct *isec;
3669        struct task_security_struct *tsec;
3670        struct sk_security_struct *sksec;
3671        u32 newsid;
3672
3673        isec = SOCK_INODE(sock)->i_security;
3674
3675        tsec = current->security;
3676        newsid = tsec->sockcreate_sid ? : tsec->sid;
3677        isec->sclass = socket_type_to_security_class(family, type, protocol);
3678        isec->sid = kern ? SECINITSID_KERNEL : newsid;
3679        isec->initialized = 1;
3680
3681        if (sock->sk) {
3682                sksec = sock->sk->sk_security;
3683                sksec->sid = isec->sid;
3684                sksec->sclass = isec->sclass;
3685                err = selinux_netlbl_socket_post_create(sock);
3686        }
3687
3688        return err;
3689}
3690
3691/* Range of port numbers used to automatically bind.
3692   Need to determine whether we should perform a name_bind
3693   permission check between the socket and the port number. */
3694
3695static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3696{
3697        u16 family;
3698        int err;
3699
3700        err = socket_has_perm(current, sock, SOCKET__BIND);
3701        if (err)
3702                goto out;
3703
3704        /*
3705         * If PF_INET or PF_INET6, check name_bind permission for the port.
3706         * Multiple address binding for SCTP is not supported yet: we just
3707         * check the first address now.
3708         */
3709        family = sock->sk->sk_family;
3710        if (family == PF_INET || family == PF_INET6) {
3711                char *addrp;
3712                struct inode_security_struct *isec;
3713                struct task_security_struct *tsec;
3714                struct avc_audit_data ad;
3715                struct sockaddr_in *addr4 = NULL;
3716                struct sockaddr_in6 *addr6 = NULL;
3717                unsigned short snum;
3718                struct sock *sk = sock->sk;
3719                u32 sid, node_perm;
3720
3721                tsec = current->security;
3722                isec = SOCK_INODE(sock)->i_security;
3723
3724                if (family == PF_INET) {
3725                        addr4 = (struct sockaddr_in *)address;
3726                        snum = ntohs(addr4->sin_port);
3727                        addrp = (char *)&addr4->sin_addr.s_addr;
3728                } else {
3729                        addr6 = (struct sockaddr_in6 *)address;
3730                        snum = ntohs(addr6->sin6_port);
3731                        addrp = (char *)&addr6->sin6_addr.s6_addr;
3732                }
3733
3734                if (snum) {
3735                        int low, high;
3736
3737                        inet_get_local_port_range(&low, &high);
3738
3739                        if (snum < max(PROT_SOCK, low) || snum > high) {
3740                                err = sel_netport_sid(sk->sk_protocol,
3741                                                      snum, &sid);
3742                                if (err)
3743                                        goto out;
3744                                AVC_AUDIT_DATA_INIT(&ad, NET);
3745                                ad.u.net.sport = htons(snum);
3746                                ad.u.net.family = family;
3747                                err = avc_has_perm(isec->sid, sid,
3748                                                   isec->sclass,
3749                                                   SOCKET__NAME_BIND, &ad);
3750                                if (err)
3751                                        goto out;
3752                        }
3753                }
3754
3755                switch (isec->sclass) {
3756                case SECCLASS_TCP_SOCKET:
3757                        node_perm = TCP_SOCKET__NODE_BIND;
3758                        break;
3759
3760                case SECCLASS_UDP_SOCKET:
3761                        node_perm = UDP_SOCKET__NODE_BIND;
3762                        break;
3763
3764                case SECCLASS_DCCP_SOCKET:
3765                        node_perm = DCCP_SOCKET__NODE_BIND;
3766                        break;
3767
3768                default:
3769                        node_perm = RAWIP_SOCKET__NODE_BIND;
3770                        break;
3771                }
3772
3773                err = sel_netnode_sid(addrp, family, &sid);
3774                if (err)
3775                        goto out;
3776
3777                AVC_AUDIT_DATA_INIT(&ad, NET);
3778                ad.u.net.sport = htons(snum);
3779                ad.u.net.family = family;
3780
3781                if (family == PF_INET)
3782                        ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3783                else
3784                        ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3785
3786                err = avc_has_perm(isec->sid, sid,
3787                                   isec->sclass, node_perm, &ad);
3788                if (err)
3789                        goto out;
3790        }
3791out:
3792        return err;
3793}
3794
3795static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3796{
3797        struct inode_security_struct *isec;
3798        int err;
3799
3800        err = socket_has_perm(current, sock, SOCKET__CONNECT);
3801        if (err)
3802                return err;
3803
3804        /*
3805         * If a TCP or DCCP socket, check name_connect permission for the port.
3806         */
3807        isec = SOCK_INODE(sock)->i_security;
3808        if (isec->sclass == SECCLASS_TCP_SOCKET ||
3809            isec->sclass == SECCLASS_DCCP_SOCKET) {
3810                struct sock *sk = sock->sk;
3811                struct avc_audit_data ad;
3812                struct sockaddr_in *addr4 = NULL;
3813                struct sockaddr_in6 *addr6 = NULL;
3814                unsigned short snum;
3815                u32 sid, perm;
3816
3817                if (sk->sk_family == PF_INET) {
3818                        addr4 = (struct sockaddr_in *)address;
3819                        if (addrlen < sizeof(struct sockaddr_in))
3820                                return -EINVAL;
3821                        snum = ntohs(addr4->sin_port);
3822                } else {
3823                        addr6 = (struct sockaddr_in6 *)address;
3824                        if (addrlen < SIN6_LEN_RFC2133)
3825                                return -EINVAL;
3826                        snum = ntohs(addr6->sin6_port);
3827                }
3828
3829                err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3830                if (err)
3831                        goto out;
3832
3833                perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3834                       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3835
3836                AVC_AUDIT_DATA_INIT(&ad, NET);
3837                ad.u.net.dport = htons(snum);
3838                ad.u.net.family = sk->sk_family;
3839                err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3840                if (err)
3841                        goto out;
3842        }
3843
3844out:
3845        return err;
3846}
3847
3848static int selinux_socket_listen(struct socket *sock, int backlog)
3849{
3850        return socket_has_perm(current, sock, SOCKET__LISTEN);
3851}
3852
3853static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3854{
3855        int err;
3856        struct inode_security_struct *isec;
3857        struct inode_security_struct *newisec;
3858
3859        err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3860        if (err)
3861                return err;
3862
3863        newisec = SOCK_INODE(newsock)->i_security;
3864
3865        isec = SOCK_INODE(sock)->i_security;
3866        newisec->sclass = isec->sclass;
3867        newisec->sid = isec->sid;
3868        newisec->initialized = 1;
3869
3870        return 0;
3871}
3872
3873static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3874                                  int size)
3875{
3876        int rc;
3877
3878        rc = socket_has_perm(current, sock, SOCKET__WRITE);
3879        if (rc)
3880                return rc;
3881
3882        return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3883}
3884
3885static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3886                                  int size, int flags)
3887{
3888        return socket_has_perm(current, sock, SOCKET__READ);
3889}
3890
3891static int selinux_socket_getsockname(struct socket *sock)
3892{
3893        return socket_has_perm(current, sock, SOCKET__GETATTR);
3894}
3895
3896static int selinux_socket_getpeername(struct socket *sock)
3897{
3898        return socket_has_perm(current, sock, SOCKET__GETATTR);
3899}
3900
3901static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3902{
3903        int err;
3904
3905        err = socket_has_perm(current, sock, SOCKET__SETOPT);
3906        if (err)
3907                return err;
3908
3909        return selinux_netlbl_socket_setsockopt(sock, level, optname);
3910}
3911
3912static int selinux_socket_getsockopt(struct socket *sock, int level,
3913                                     int optname)
3914{
3915        return socket_has_perm(current, sock, SOCKET__GETOPT);
3916}
3917
3918static int selinux_socket_shutdown(struct socket *sock, int how)
3919{
3920        return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3921}
3922
3923static int selinux_socket_unix_stream_connect(struct socket *sock,
3924                                              struct socket *other,
3925                                              struct sock *newsk)
3926{
3927        struct sk_security_struct *ssec;
3928        struct inode_security_struct *isec;
3929        struct inode_security_struct *other_isec;
3930        struct avc_audit_data ad;
3931        int err;
3932
3933        err = secondary_ops->unix_stream_connect(sock, other, newsk);
3934        if (err)
3935                return err;
3936
3937        isec = SOCK_INODE(sock)->i_security;
3938        other_isec = SOCK_INODE(other)->i_security;
3939
3940        AVC_AUDIT_DATA_INIT(&ad, NET);
3941        ad.u.net.sk = other->sk;
3942
3943        err = avc_has_perm(isec->sid, other_isec->sid,
3944                           isec->sclass,
3945                           UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3946        if (err)
3947                return err;
3948
3949        /* connecting socket */
3950        ssec = sock->sk->sk_security;
3951        ssec->peer_sid = other_isec->sid;
3952
3953        /* server child socket */
3954        ssec = newsk->sk_security;
3955        ssec->peer_sid = isec->sid;
3956        err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3957
3958        return err;
3959}
3960
3961static int selinux_socket_unix_may_send(struct socket *sock,
3962                                        struct socket *other)
3963{
3964        struct inode_security_struct *isec;
3965        struct inode_security_struct *other_isec;
3966        struct avc_audit_data ad;
3967        int err;
3968
3969        isec = SOCK_INODE(sock)->i_security;
3970        other_isec = SOCK_INODE(other)->i_security;
3971
3972        AVC_AUDIT_DATA_INIT(&ad, NET);
3973        ad.u.net.sk = other->sk;
3974
3975        err = avc_has_perm(isec->sid, other_isec->sid,
3976                           isec->sclass, SOCKET__SENDTO, &ad);
3977        if (err)
3978                return err;
3979
3980        return 0;
3981}
3982
3983static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3984                                    u32 peer_sid,
3985                                    struct avc_audit_data *ad)
3986{
3987        int err;
3988        u32 if_sid;
3989        u32 node_sid;
3990
3991        err = sel_netif_sid(ifindex, &if_sid);
3992        if (err)
3993                return err;
3994        err = avc_has_perm(peer_sid, if_sid,
3995                           SECCLASS_NETIF, NETIF__INGRESS, ad);
3996        if (err)
3997                return err;
3998
3999        err = sel_netnode_sid(addrp, family, &node_sid);
4000        if (err)
4001                return err;
4002        return avc_has_perm(peer_sid, node_sid,
4003                            SECCLASS_NODE, NODE__RECVFROM, ad);
4004}
4005
4006static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4007                                                struct sk_buff *skb,
4008                                                struct avc_audit_data *ad,
4009                                                u16 family,
4010                                                char *addrp)
4011{
4012        int err;
4013        struct sk_security_struct *sksec = sk->sk_security;
4014        u16 sk_class;
4015        u32 netif_perm, node_perm, recv_perm;
4016        u32 port_sid, node_sid, if_sid, sk_sid;
4017
4018        sk_sid = sksec->sid;
4019        sk_class = sksec->sclass;
4020
4021        switch (sk_class) {
4022        case SECCLASS_UDP_SOCKET:
4023                netif_perm = NETIF__UDP_RECV;
4024                node_perm = NODE__UDP_RECV;
4025                recv_perm = UDP_SOCKET__RECV_MSG;
4026                break;
4027        case SECCLASS_TCP_SOCKET:
4028                netif_perm = NETIF__TCP_RECV;
4029                node_perm = NODE__TCP_RECV;
4030                recv_perm = TCP_SOCKET__RECV_MSG;
4031                break;
4032        case SECCLASS_DCCP_SOCKET:
4033                netif_perm = NETIF__DCCP_RECV;
4034                node_perm = NODE__DCCP_RECV;
4035                recv_perm = DCCP_SOCKET__RECV_MSG;
4036                break;
4037        default:
4038                netif_perm = NETIF__RAWIP_RECV;
4039                node_perm = NODE__RAWIP_RECV;
4040                recv_perm = 0;
4041                break;
4042        }
4043
4044        err = sel_netif_sid(skb->iif, &if_sid);
4045        if (err)
4046                return err;
4047        err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4048        if (err)
4049                return err;
4050
4051        err = sel_netnode_sid(addrp, family, &node_sid);
4052        if (err)
4053                return err;
4054        err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4055        if (err)
4056                return err;
4057
4058        if (!recv_perm)
4059                return 0;
4060        err = sel_netport_sid(sk->sk_protocol,
4061                              ntohs(ad->u.net.sport), &port_sid);
4062        if (unlikely(err)) {
4063                printk(KERN_WARNING
4064                       "SELinux: failure in"
4065                       " selinux_sock_rcv_skb_iptables_compat(),"
4066                       " network port label not found\n");
4067                return err;
4068        }
4069        return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4070}
4071
4072static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4073                                       struct avc_audit_data *ad,
4074                                       u16 family, char *addrp)
4075{
4076        int err;
4077        struct sk_security_struct *sksec = sk->sk_security;
4078        u32 peer_sid;
4079        u32 sk_sid = sksec->sid;
4080
4081        if (selinux_compat_net)
4082                err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4083                                                           family, addrp);
4084        else
4085                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4086                                   PACKET__RECV, ad);
4087        if (err)
4088                return err;
4089
4090        if (selinux_policycap_netpeer) {
4091                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4092                if (err)
4093                        return err;
4094                err = avc_has_perm(sk_sid, peer_sid,
4095                                   SECCLASS_PEER, PEER__RECV, ad);
4096        } else {
4097                err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4098                if (err)
4099                        return err;
4100                err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4101        }
4102
4103        return err;
4104}
4105
4106static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4107{
4108        int err;
4109        struct sk_security_struct *sksec = sk->sk_security;
4110        u16 family = sk->sk_family;
4111        u32 sk_sid = sksec->sid;
4112        struct avc_audit_data ad;
4113        char *addrp;
4114
4115        if (family != PF_INET && family != PF_INET6)
4116                return 0;
4117
4118        /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4119        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4120                family = PF_INET;
4121
4122        AVC_AUDIT_DATA_INIT(&ad, NET);
4123        ad.u.net.netif = skb->iif;
4124        ad.u.net.family = family;
4125        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4126        if (err)
4127                return err;
4128
4129        /* If any sort of compatibility mode is enabled then handoff processing
4130         * to the selinux_sock_rcv_skb_compat() function to deal with the
4131         * special handling.  We do this in an attempt to keep this function
4132         * as fast and as clean as possible. */
4133        if (selinux_compat_net || !selinux_policycap_netpeer)
4134                return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4135                                                   family, addrp);
4136
4137        if (netlbl_enabled() || selinux_xfrm_enabled()) {
4138                u32 peer_sid;
4139
4140                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4141                if (err)
4142                        return err;
4143                err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4144                                               peer_sid, &ad);
4145                if (err)
4146                        return err;
4147                err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4148                                   PEER__RECV, &ad);
4149        }
4150
4151        if (selinux_secmark_enabled()) {
4152                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4153                                   PACKET__RECV, &ad);
4154                if (err)
4155                        return err;
4156        }
4157
4158        return err;
4159}
4160
4161static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4162                                            int __user *optlen, unsigned len)
4163{
4164        int err = 0;
4165        char *scontext;
4166        u32 scontext_len;
4167        struct sk_security_struct *ssec;
4168        struct inode_security_struct *isec;
4169        u32 peer_sid = SECSID_NULL;
4170
4171        isec = SOCK_INODE(sock)->i_security;
4172
4173        if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4174            isec->sclass == SECCLASS_TCP_SOCKET) {
4175                ssec = sock->sk->sk_security;
4176                peer_sid = ssec->peer_sid;
4177        }
4178        if (peer_sid == SECSID_NULL) {
4179                err = -ENOPROTOOPT;
4180                goto out;
4181        }
4182
4183        err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4184
4185        if (err)
4186                goto out;
4187
4188        if (scontext_len > len) {
4189                err = -ERANGE;
4190                goto out_len;
4191        }
4192
4193        if (copy_to_user(optval, scontext, scontext_len))
4194                err = -EFAULT;
4195
4196out_len:
4197        if (put_user(scontext_len, optlen))
4198                err = -EFAULT;
4199
4200        kfree(scontext);
4201out:
4202        return err;
4203}
4204
4205static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4206{
4207        u32 peer_secid = SECSID_NULL;
4208        u16 family;
4209
4210        if (sock)
4211                family = sock->sk->sk_family;
4212        else if (skb && skb->sk)
4213                family = skb->sk->sk_family;
4214        else
4215                goto out;
4216
4217        if (sock && family == PF_UNIX)
4218                selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4219        else if (skb)
4220                selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4221
4222out:
4223        *secid = peer_secid;
4224        if (peer_secid == SECSID_NULL)
4225                return -EINVAL;
4226        return 0;
4227}
4228
4229static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4230{
4231        return sk_alloc_security(sk, family, priority);
4232}
4233
4234static void selinux_sk_free_security(struct sock *sk)
4235{
4236        sk_free_security(sk);
4237}
4238
4239static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4240{
4241        struct sk_security_struct *ssec = sk->sk_security;
4242        struct sk_security_struct *newssec = newsk->sk_security;
4243
4244        newssec->sid = ssec->sid;
4245        newssec->peer_sid = ssec->peer_sid;
4246        newssec->sclass = ssec->sclass;
4247
4248        selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4249}
4250
4251static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4252{
4253        if (!sk)
4254                *secid = SECINITSID_ANY_SOCKET;
4255        else {
4256                struct sk_security_struct *sksec = sk->sk_security;
4257
4258                *secid = sksec->sid;
4259        }
4260}
4261
4262static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4263{
4264        struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4265        struct sk_security_struct *sksec = sk->sk_security;
4266
4267        if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4268            sk->sk_family == PF_UNIX)
4269                isec->sid = sksec->sid;
4270        sksec->sclass = isec->sclass;
4271
4272        selinux_netlbl_sock_graft(sk, parent);
4273}
4274
4275static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4276                                     struct request_sock *req)
4277{
4278        struct sk_security_struct *sksec = sk->sk_security;
4279        int err;
4280        u32 newsid;
4281        u32 peersid;
4282
4283        err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4284        if (err)
4285                return err;
4286        if (peersid == SECSID_NULL) {
4287                req->secid = sksec->sid;
4288                req->peer_secid = SECSID_NULL;
4289                return 0;
4290        }
4291
4292        err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4293        if (err)
4294                return err;
4295
4296        req->secid = newsid;
4297        req->peer_secid = peersid;
4298        return 0;
4299}
4300
4301static void selinux_inet_csk_clone(struct sock *newsk,
4302                                   const struct request_sock *req)
4303{
4304        struct sk_security_struct *newsksec = newsk->sk_security;
4305
4306        newsksec->sid = req->secid;
4307        newsksec->peer_sid = req->peer_secid;
4308        /* NOTE: Ideally, we should also get the isec->sid for the
4309           new socket in sync, but we don't have the isec available yet.
4310           So we will wait until sock_graft to do it, by which
4311           time it will have been created and available. */
4312
4313        /* We don't need to take any sort of lock here as we are the only
4314         * thread with access to newsksec */
4315        selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4316}
4317
4318static void selinux_inet_conn_established(struct sock *sk,
4319                                struct sk_buff *skb)
4320{
4321        struct sk_security_struct *sksec = sk->sk_security;
4322
4323        selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4324}
4325
4326static void selinux_req_classify_flow(const struct request_sock *req,
4327                                      struct flowi *fl)
4328{
4329        fl->secid = req->secid;
4330}
4331
4332static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4333{
4334        int err = 0;
4335        u32 perm;
4336        struct nlmsghdr *nlh;
4337        struct socket *sock = sk->sk_socket;
4338        struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4339
4340        if (skb->len < NLMSG_SPACE(0)) {
4341                err = -EINVAL;
4342                goto out;
4343        }
4344        nlh = nlmsg_hdr(skb);
4345
4346        err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4347        if (err) {
4348                if (err == -EINVAL) {
4349                        audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4350                                  "SELinux:  unrecognized netlink message"
4351                                  " type=%hu for sclass=%hu\n",
4352                                  nlh->nlmsg_type, isec->sclass);
4353                        if (!selinux_enforcing)
4354                                err = 0;
4355                }
4356
4357                /* Ignore */
4358                if (err == -ENOENT)
4359                        err = 0;