linux/security/selinux/hooks.c
<<
>>
Prefs
   1/*
   2 *  NSA Security-Enhanced Linux (SELinux) security module
   3 *
   4 *  This file contains the SELinux hook function implementations.
   5 *
   6 *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
   7 *            Chris Vance, <cvance@nai.com>
   8 *            Wayne Salamon, <wsalamon@nai.com>
   9 *            James Morris <jmorris@redhat.com>
  10 *
  11 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  12 *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
  13 *                                         Eric Paris <eparis@redhat.com>
  14 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  15 *                          <dgoeddel@trustedcs.com>
  16 *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  17 *              Paul Moore <paul.moore@hp.com>
  18 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  19 *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
  20 *
  21 *      This program is free software; you can redistribute it and/or modify
  22 *      it under the terms of the GNU General Public License version 2,
  23 *      as published by the Free Software Foundation.
  24 */
  25
  26#include <linux/init.h>
  27#include <linux/kernel.h>
  28#include <linux/tracehook.h>
  29#include <linux/errno.h>
  30#include <linux/sched.h>
  31#include <linux/security.h>
  32#include <linux/xattr.h>
  33#include <linux/capability.h>
  34#include <linux/unistd.h>
  35#include <linux/mm.h>
  36#include <linux/mman.h>
  37#include <linux/slab.h>
  38#include <linux/pagemap.h>
  39#include <linux/swap.h>
  40#include <linux/spinlock.h>
  41#include <linux/syscalls.h>
  42#include <linux/file.h>
  43#include <linux/fdtable.h>
  44#include <linux/namei.h>
  45#include <linux/mount.h>
  46#include <linux/proc_fs.h>
  47#include <linux/netfilter_ipv4.h>
  48#include <linux/netfilter_ipv6.h>
  49#include <linux/tty.h>
  50#include <net/icmp.h>
  51#include <net/ip.h>             /* for local_port_range[] */
  52#include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
  53#include <net/net_namespace.h>
  54#include <net/netlabel.h>
  55#include <linux/uaccess.h>
  56#include <asm/ioctls.h>
  57#include <asm/atomic.h>
  58#include <linux/bitops.h>
  59#include <linux/interrupt.h>
  60#include <linux/netdevice.h>    /* for network interface checks */
  61#include <linux/netlink.h>
  62#include <linux/tcp.h>
  63#include <linux/udp.h>
  64#include <linux/dccp.h>
  65#include <linux/quota.h>
  66#include <linux/un.h>           /* for Unix socket types */
  67#include <net/af_unix.h>        /* for Unix socket types */
  68#include <linux/parser.h>
  69#include <linux/nfs_mount.h>
  70#include <net/ipv6.h>
  71#include <linux/hugetlb.h>
  72#include <linux/personality.h>
  73#include <linux/sysctl.h>
  74#include <linux/audit.h>
  75#include <linux/string.h>
  76#include <linux/selinux.h>
  77#include <linux/mutex.h>
  78#include <linux/posix-timers.h>
  79
  80#include "avc.h"
  81#include "objsec.h"
  82#include "netif.h"
  83#include "netnode.h"
  84#include "netport.h"
  85#include "xfrm.h"
  86#include "netlabel.h"
  87#include "audit.h"
  88
  89#define XATTR_SELINUX_SUFFIX "selinux"
  90#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
  91
  92#define NUM_SEL_MNT_OPTS 4
  93
  94extern unsigned int policydb_loaded_version;
  95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
  96extern int selinux_compat_net;
  97extern struct security_operations *security_ops;
  98
  99/* SECMARK reference count */
 100atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 101
 102#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 103int selinux_enforcing;
 104
 105static int __init enforcing_setup(char *str)
 106{
 107        unsigned long enforcing;
 108        if (!strict_strtoul(str, 0, &enforcing))
 109                selinux_enforcing = enforcing ? 1 : 0;
 110        return 1;
 111}
 112__setup("enforcing=", enforcing_setup);
 113#endif
 114
 115#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 116int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 117
 118static int __init selinux_enabled_setup(char *str)
 119{
 120        unsigned long enabled;
 121        if (!strict_strtoul(str, 0, &enabled))
 122                selinux_enabled = enabled ? 1 : 0;
 123        return 1;
 124}
 125__setup("selinux=", selinux_enabled_setup);
 126#else
 127int selinux_enabled = 1;
 128#endif
 129
 130
 131/*
 132 * Minimal support for a secondary security module,
 133 * just to allow the use of the capability module.
 134 */
 135static struct security_operations *secondary_ops;
 136
 137/* Lists of inode and superblock security structures initialized
 138   before the policy was loaded. */
 139static LIST_HEAD(superblock_security_head);
 140static DEFINE_SPINLOCK(sb_security_lock);
 141
 142static struct kmem_cache *sel_inode_cache;
 143
 144/**
 145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
 146 *
 147 * Description:
 148 * This function checks the SECMARK reference counter to see if any SECMARK
 149 * targets are currently configured, if the reference counter is greater than
 150 * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
 151 * enabled, false (0) if SECMARK is disabled.
 152 *
 153 */
 154static int selinux_secmark_enabled(void)
 155{
 156        return (atomic_read(&selinux_secmark_refcount) > 0);
 157}
 158
 159/* Allocate and free functions for each kind of security blob. */
 160
 161static int task_alloc_security(struct task_struct *task)
 162{
 163        struct task_security_struct *tsec;
 164
 165        tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
 166        if (!tsec)
 167                return -ENOMEM;
 168
 169        tsec->osid = tsec->sid = SECINITSID_UNLABELED;
 170        task->security = tsec;
 171
 172        return 0;
 173}
 174
 175static void task_free_security(struct task_struct *task)
 176{
 177        struct task_security_struct *tsec = task->security;
 178        task->security = NULL;
 179        kfree(tsec);
 180}
 181
 182static int inode_alloc_security(struct inode *inode)
 183{
 184        struct task_security_struct *tsec = current->security;
 185        struct inode_security_struct *isec;
 186
 187        isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
 188        if (!isec)
 189                return -ENOMEM;
 190
 191        mutex_init(&isec->lock);
 192        INIT_LIST_HEAD(&isec->list);
 193        isec->inode = inode;
 194        isec->sid = SECINITSID_UNLABELED;
 195        isec->sclass = SECCLASS_FILE;
 196        isec->task_sid = tsec->sid;
 197        inode->i_security = isec;
 198
 199        return 0;
 200}
 201
 202static void inode_free_security(struct inode *inode)
 203{
 204        struct inode_security_struct *isec = inode->i_security;
 205        struct superblock_security_struct *sbsec = inode->i_sb->s_security;
 206
 207        spin_lock(&sbsec->isec_lock);
 208        if (!list_empty(&isec->list))
 209                list_del_init(&isec->list);
 210        spin_unlock(&sbsec->isec_lock);
 211
 212        inode->i_security = NULL;
 213        kmem_cache_free(sel_inode_cache, isec);
 214}
 215
 216static int file_alloc_security(struct file *file)
 217{
 218        struct task_security_struct *tsec = current->security;
 219        struct file_security_struct *fsec;
 220
 221        fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
 222        if (!fsec)
 223                return -ENOMEM;
 224
 225        fsec->sid = tsec->sid;
 226        fsec->fown_sid = tsec->sid;
 227        file->f_security = fsec;
 228
 229        return 0;
 230}
 231
 232static void file_free_security(struct file *file)
 233{
 234        struct file_security_struct *fsec = file->f_security;
 235        file->f_security = NULL;
 236        kfree(fsec);
 237}
 238
 239static int superblock_alloc_security(struct super_block *sb)
 240{
 241        struct superblock_security_struct *sbsec;
 242
 243        sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
 244        if (!sbsec)
 245                return -ENOMEM;
 246
 247        mutex_init(&sbsec->lock);
 248        INIT_LIST_HEAD(&sbsec->list);
 249        INIT_LIST_HEAD(&sbsec->isec_head);
 250        spin_lock_init(&sbsec->isec_lock);
 251        sbsec->sb = sb;
 252        sbsec->sid = SECINITSID_UNLABELED;
 253        sbsec->def_sid = SECINITSID_FILE;
 254        sbsec->mntpoint_sid = SECINITSID_UNLABELED;
 255        sb->s_security = sbsec;
 256
 257        return 0;
 258}
 259
 260static void superblock_free_security(struct super_block *sb)
 261{
 262        struct superblock_security_struct *sbsec = sb->s_security;
 263
 264        spin_lock(&sb_security_lock);
 265        if (!list_empty(&sbsec->list))
 266                list_del_init(&sbsec->list);
 267        spin_unlock(&sb_security_lock);
 268
 269        sb->s_security = NULL;
 270        kfree(sbsec);
 271}
 272
 273static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
 274{
 275        struct sk_security_struct *ssec;
 276
 277        ssec = kzalloc(sizeof(*ssec), priority);
 278        if (!ssec)
 279                return -ENOMEM;
 280
 281        ssec->peer_sid = SECINITSID_UNLABELED;
 282        ssec->sid = SECINITSID_UNLABELED;
 283        sk->sk_security = ssec;
 284
 285        selinux_netlbl_sk_security_reset(ssec, family);
 286
 287        return 0;
 288}
 289
 290static void sk_free_security(struct sock *sk)
 291{
 292        struct sk_security_struct *ssec = sk->sk_security;
 293
 294        sk->sk_security = NULL;
 295        selinux_netlbl_sk_security_free(ssec);
 296        kfree(ssec);
 297}
 298
 299/* The security server must be initialized before
 300   any labeling or access decisions can be provided. */
 301extern int ss_initialized;
 302
 303/* The file system's label must be initialized prior to use. */
 304
 305static char *labeling_behaviors[6] = {
 306        "uses xattr",
 307        "uses transition SIDs",
 308        "uses task SIDs",
 309        "uses genfs_contexts",
 310        "not configured for labeling",
 311        "uses mountpoint labeling",
 312};
 313
 314static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 315
 316static inline int inode_doinit(struct inode *inode)
 317{
 318        return inode_doinit_with_dentry(inode, NULL);
 319}
 320
 321enum {
 322        Opt_error = -1,
 323        Opt_context = 1,
 324        Opt_fscontext = 2,
 325        Opt_defcontext = 3,
 326        Opt_rootcontext = 4,
 327};
 328
 329static const match_table_t tokens = {
 330        {Opt_context, CONTEXT_STR "%s"},
 331        {Opt_fscontext, FSCONTEXT_STR "%s"},
 332        {Opt_defcontext, DEFCONTEXT_STR "%s"},
 333        {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
 334        {Opt_error, NULL},
 335};
 336
 337#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
 338
 339static int may_context_mount_sb_relabel(u32 sid,
 340                        struct superblock_security_struct *sbsec,
 341                        struct task_security_struct *tsec)
 342{
 343        int rc;
 344
 345        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 346                          FILESYSTEM__RELABELFROM, NULL);
 347        if (rc)
 348                return rc;
 349
 350        rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
 351                          FILESYSTEM__RELABELTO, NULL);
 352        return rc;
 353}
 354
 355static int may_context_mount_inode_relabel(u32 sid,
 356                        struct superblock_security_struct *sbsec,
 357                        struct task_security_struct *tsec)
 358{
 359        int rc;
 360        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 361                          FILESYSTEM__RELABELFROM, NULL);
 362        if (rc)
 363                return rc;
 364
 365        rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
 366                          FILESYSTEM__ASSOCIATE, NULL);
 367        return rc;
 368}
 369
 370static int sb_finish_set_opts(struct super_block *sb)
 371{
 372        struct superblock_security_struct *sbsec = sb->s_security;
 373        struct dentry *root = sb->s_root;
 374        struct inode *root_inode = root->d_inode;
 375        int rc = 0;
 376
 377        if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 378                /* Make sure that the xattr handler exists and that no
 379                   error other than -ENODATA is returned by getxattr on
 380                   the root directory.  -ENODATA is ok, as this may be
 381                   the first boot of the SELinux kernel before we have
 382                   assigned xattr values to the filesystem. */
 383                if (!root_inode->i_op->getxattr) {
 384                        printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
 385                               "xattr support\n", sb->s_id, sb->s_type->name);
 386                        rc = -EOPNOTSUPP;
 387                        goto out;
 388                }
 389                rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
 390                if (rc < 0 && rc != -ENODATA) {
 391                        if (rc == -EOPNOTSUPP)
 392                                printk(KERN_WARNING "SELinux: (dev %s, type "
 393                                       "%s) has no security xattr handler\n",
 394                                       sb->s_id, sb->s_type->name);
 395                        else
 396                                printk(KERN_WARNING "SELinux: (dev %s, type "
 397                                       "%s) getxattr errno %d\n", sb->s_id,
 398                                       sb->s_type->name, -rc);
 399                        goto out;
 400                }
 401        }
 402
 403        sbsec->initialized = 1;
 404
 405        if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
 406                printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
 407                       sb->s_id, sb->s_type->name);
 408        else
 409                printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
 410                       sb->s_id, sb->s_type->name,
 411                       labeling_behaviors[sbsec->behavior-1]);
 412
 413        /* Initialize the root inode. */
 414        rc = inode_doinit_with_dentry(root_inode, root);
 415
 416        /* Initialize any other inodes associated with the superblock, e.g.
 417           inodes created prior to initial policy load or inodes created
 418           during get_sb by a pseudo filesystem that directly
 419           populates itself. */
 420        spin_lock(&sbsec->isec_lock);
 421next_inode:
 422        if (!list_empty(&sbsec->isec_head)) {
 423                struct inode_security_struct *isec =
 424                                list_entry(sbsec->isec_head.next,
 425                                           struct inode_security_struct, list);
 426                struct inode *inode = isec->inode;
 427                spin_unlock(&sbsec->isec_lock);
 428                inode = igrab(inode);
 429                if (inode) {
 430                        if (!IS_PRIVATE(inode))
 431                                inode_doinit(inode);
 432                        iput(inode);
 433                }
 434                spin_lock(&sbsec->isec_lock);
 435                list_del_init(&isec->list);
 436                goto next_inode;
 437        }
 438        spin_unlock(&sbsec->isec_lock);
 439out:
 440        return rc;
 441}
 442
 443/*
 444 * This function should allow an FS to ask what it's mount security
 445 * options were so it can use those later for submounts, displaying
 446 * mount options, or whatever.
 447 */
 448static int selinux_get_mnt_opts(const struct super_block *sb,
 449                                struct security_mnt_opts *opts)
 450{
 451        int rc = 0, i;
 452        struct superblock_security_struct *sbsec = sb->s_security;
 453        char *context = NULL;
 454        u32 len;
 455        char tmp;
 456
 457        security_init_mnt_opts(opts);
 458
 459        if (!sbsec->initialized)
 460                return -EINVAL;
 461
 462        if (!ss_initialized)
 463                return -EINVAL;
 464
 465        /*
 466         * if we ever use sbsec flags for anything other than tracking mount
 467         * settings this is going to need a mask
 468         */
 469        tmp = sbsec->flags;
 470        /* count the number of mount options for this sb */
 471        for (i = 0; i < 8; i++) {
 472                if (tmp & 0x01)
 473                        opts->num_mnt_opts++;
 474                tmp >>= 1;
 475        }
 476
 477        opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
 478        if (!opts->mnt_opts) {
 479                rc = -ENOMEM;
 480                goto out_free;
 481        }
 482
 483        opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
 484        if (!opts->mnt_opts_flags) {
 485                rc = -ENOMEM;
 486                goto out_free;
 487        }
 488
 489        i = 0;
 490        if (sbsec->flags & FSCONTEXT_MNT) {
 491                rc = security_sid_to_context(sbsec->sid, &context, &len);
 492                if (rc)
 493                        goto out_free;
 494                opts->mnt_opts[i] = context;
 495                opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
 496        }
 497        if (sbsec->flags & CONTEXT_MNT) {
 498                rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
 499                if (rc)
 500                        goto out_free;
 501                opts->mnt_opts[i] = context;
 502                opts->mnt_opts_flags[i++] = CONTEXT_MNT;
 503        }
 504        if (sbsec->flags & DEFCONTEXT_MNT) {
 505                rc = security_sid_to_context(sbsec->def_sid, &context, &len);
 506                if (rc)
 507                        goto out_free;
 508                opts->mnt_opts[i] = context;
 509                opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
 510        }
 511        if (sbsec->flags & ROOTCONTEXT_MNT) {
 512                struct inode *root = sbsec->sb->s_root->d_inode;
 513                struct inode_security_struct *isec = root->i_security;
 514
 515                rc = security_sid_to_context(isec->sid, &context, &len);
 516                if (rc)
 517                        goto out_free;
 518                opts->mnt_opts[i] = context;
 519                opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
 520        }
 521
 522        BUG_ON(i != opts->num_mnt_opts);
 523
 524        return 0;
 525
 526out_free:
 527        security_free_mnt_opts(opts);
 528        return rc;
 529}
 530
 531static int bad_option(struct superblock_security_struct *sbsec, char flag,
 532                      u32 old_sid, u32 new_sid)
 533{
 534        /* check if the old mount command had the same options */
 535        if (sbsec->initialized)
 536                if (!(sbsec->flags & flag) ||
 537                    (old_sid != new_sid))
 538                        return 1;
 539
 540        /* check if we were passed the same options twice,
 541         * aka someone passed context=a,context=b
 542         */
 543        if (!sbsec->initialized)
 544                if (sbsec->flags & flag)
 545                        return 1;
 546        return 0;
 547}
 548
 549/*
 550 * Allow filesystems with binary mount data to explicitly set mount point
 551 * labeling information.
 552 */
 553static int selinux_set_mnt_opts(struct super_block *sb,
 554                                struct security_mnt_opts *opts)
 555{
 556        int rc = 0, i;
 557        struct task_security_struct *tsec = current->security;
 558        struct superblock_security_struct *sbsec = sb->s_security;
 559        const char *name = sb->s_type->name;
 560        struct inode *inode = sbsec->sb->s_root->d_inode;
 561        struct inode_security_struct *root_isec = inode->i_security;
 562        u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 563        u32 defcontext_sid = 0;
 564        char **mount_options = opts->mnt_opts;
 565        int *flags = opts->mnt_opts_flags;
 566        int num_opts = opts->num_mnt_opts;
 567
 568        mutex_lock(&sbsec->lock);
 569
 570        if (!ss_initialized) {
 571                if (!num_opts) {
 572                        /* Defer initialization until selinux_complete_init,
 573                           after the initial policy is loaded and the security
 574                           server is ready to handle calls. */
 575                        spin_lock(&sb_security_lock);
 576                        if (list_empty(&sbsec->list))
 577                                list_add(&sbsec->list, &superblock_security_head);
 578                        spin_unlock(&sb_security_lock);
 579                        goto out;
 580                }
 581                rc = -EINVAL;
 582                printk(KERN_WARNING "SELinux: Unable to set superblock options "
 583                        "before the security server is initialized\n");
 584                goto out;
 585        }
 586
 587        /*
 588         * Binary mount data FS will come through this function twice.  Once
 589         * from an explicit call and once from the generic calls from the vfs.
 590         * Since the generic VFS calls will not contain any security mount data
 591         * we need to skip the double mount verification.
 592         *
 593         * This does open a hole in which we will not notice if the first
 594         * mount using this sb set explict options and a second mount using
 595         * this sb does not set any security options.  (The first options
 596         * will be used for both mounts)
 597         */
 598        if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
 599            && (num_opts == 0))
 600                goto out;
 601
 602        /*
 603         * parse the mount options, check if they are valid sids.
 604         * also check if someone is trying to mount the same sb more
 605         * than once with different security options.
 606         */
 607        for (i = 0; i < num_opts; i++) {
 608                u32 sid;
 609                rc = security_context_to_sid(mount_options[i],
 610                                             strlen(mount_options[i]), &sid);
 611                if (rc) {
 612                        printk(KERN_WARNING "SELinux: security_context_to_sid"
 613                               "(%s) failed for (dev %s, type %s) errno=%d\n",
 614                               mount_options[i], sb->s_id, name, rc);
 615                        goto out;
 616                }
 617                switch (flags[i]) {
 618                case FSCONTEXT_MNT:
 619                        fscontext_sid = sid;
 620
 621                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
 622                                        fscontext_sid))
 623                                goto out_double_mount;
 624
 625                        sbsec->flags |= FSCONTEXT_MNT;
 626                        break;
 627                case CONTEXT_MNT:
 628                        context_sid = sid;
 629
 630                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
 631                                        context_sid))
 632                                goto out_double_mount;
 633
 634                        sbsec->flags |= CONTEXT_MNT;
 635                        break;
 636                case ROOTCONTEXT_MNT:
 637                        rootcontext_sid = sid;
 638
 639                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
 640                                        rootcontext_sid))
 641                                goto out_double_mount;
 642
 643                        sbsec->flags |= ROOTCONTEXT_MNT;
 644
 645                        break;
 646                case DEFCONTEXT_MNT:
 647                        defcontext_sid = sid;
 648
 649                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
 650                                        defcontext_sid))
 651                                goto out_double_mount;
 652
 653                        sbsec->flags |= DEFCONTEXT_MNT;
 654
 655                        break;
 656                default:
 657                        rc = -EINVAL;
 658                        goto out;
 659                }
 660        }
 661
 662        if (sbsec->initialized) {
 663                /* previously mounted with options, but not on this attempt? */
 664                if (sbsec->flags && !num_opts)
 665                        goto out_double_mount;
 666                rc = 0;
 667                goto out;
 668        }
 669
 670        if (strcmp(sb->s_type->name, "proc") == 0)
 671                sbsec->proc = 1;
 672
 673        /* Determine the labeling behavior to use for this filesystem type. */
 674        rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
 675        if (rc) {
 676                printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
 677                       __func__, sb->s_type->name, rc);
 678                goto out;
 679        }
 680
 681        /* sets the context of the superblock for the fs being mounted. */
 682        if (fscontext_sid) {
 683
 684                rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
 685                if (rc)
 686                        goto out;
 687
 688                sbsec->sid = fscontext_sid;
 689        }
 690
 691        /*
 692         * Switch to using mount point labeling behavior.
 693         * sets the label used on all file below the mountpoint, and will set
 694         * the superblock context if not already set.
 695         */
 696        if (context_sid) {
 697                if (!fscontext_sid) {
 698                        rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
 699                        if (rc)
 700                                goto out;
 701                        sbsec->sid = context_sid;
 702                } else {
 703                        rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
 704                        if (rc)
 705                                goto out;
 706                }
 707                if (!rootcontext_sid)
 708                        rootcontext_sid = context_sid;
 709
 710                sbsec->mntpoint_sid = context_sid;
 711                sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 712        }
 713
 714        if (rootcontext_sid) {
 715                rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
 716                if (rc)
 717                        goto out;
 718
 719                root_isec->sid = rootcontext_sid;
 720                root_isec->initialized = 1;
 721        }
 722
 723        if (defcontext_sid) {
 724                if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
 725                        rc = -EINVAL;
 726                        printk(KERN_WARNING "SELinux: defcontext option is "
 727                               "invalid for this filesystem type\n");
 728                        goto out;
 729                }
 730
 731                if (defcontext_sid != sbsec->def_sid) {
 732                        rc = may_context_mount_inode_relabel(defcontext_sid,
 733                                                             sbsec, tsec);
 734                        if (rc)
 735                                goto out;
 736                }
 737
 738                sbsec->def_sid = defcontext_sid;
 739        }
 740
 741        rc = sb_finish_set_opts(sb);
 742out:
 743        mutex_unlock(&sbsec->lock);
 744        return rc;
 745out_double_mount:
 746        rc = -EINVAL;
 747        printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
 748               "security settings for (dev %s, type %s)\n", sb->s_id, name);
 749        goto out;
 750}
 751
 752static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
 753                                        struct super_block *newsb)
 754{
 755        const struct superblock_security_struct *oldsbsec = oldsb->s_security;
 756        struct superblock_security_struct *newsbsec = newsb->s_security;
 757
 758        int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
 759        int set_context =       (oldsbsec->flags & CONTEXT_MNT);
 760        int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
 761
 762        /*
 763         * if the parent was able to be mounted it clearly had no special lsm
 764         * mount options.  thus we can safely put this sb on the list and deal
 765         * with it later
 766         */
 767        if (!ss_initialized) {
 768                spin_lock(&sb_security_lock);
 769                if (list_empty(&newsbsec->list))
 770                        list_add(&newsbsec->list, &superblock_security_head);
 771                spin_unlock(&sb_security_lock);
 772                return;
 773        }
 774
 775        /* how can we clone if the old one wasn't set up?? */
 776        BUG_ON(!oldsbsec->initialized);
 777
 778        /* if fs is reusing a sb, just let its options stand... */
 779        if (newsbsec->initialized)
 780                return;
 781
 782        mutex_lock(&newsbsec->lock);
 783
 784        newsbsec->flags = oldsbsec->flags;
 785
 786        newsbsec->sid = oldsbsec->sid;
 787        newsbsec->def_sid = oldsbsec->def_sid;
 788        newsbsec->behavior = oldsbsec->behavior;
 789
 790        if (set_context) {
 791                u32 sid = oldsbsec->mntpoint_sid;
 792
 793                if (!set_fscontext)
 794                        newsbsec->sid = sid;
 795                if (!set_rootcontext) {
 796                        struct inode *newinode = newsb->s_root->d_inode;
 797                        struct inode_security_struct *newisec = newinode->i_security;
 798                        newisec->sid = sid;
 799                }
 800                newsbsec->mntpoint_sid = sid;
 801        }
 802        if (set_rootcontext) {
 803                const struct inode *oldinode = oldsb->s_root->d_inode;
 804                const struct inode_security_struct *oldisec = oldinode->i_security;
 805                struct inode *newinode = newsb->s_root->d_inode;
 806                struct inode_security_struct *newisec = newinode->i_security;
 807
 808                newisec->sid = oldisec->sid;
 809        }
 810
 811        sb_finish_set_opts(newsb);
 812        mutex_unlock(&newsbsec->lock);
 813}
 814
 815static int selinux_parse_opts_str(char *options,
 816                                  struct security_mnt_opts *opts)
 817{
 818        char *p;
 819        char *context = NULL, *defcontext = NULL;
 820        char *fscontext = NULL, *rootcontext = NULL;
 821        int rc, num_mnt_opts = 0;
 822
 823        opts->num_mnt_opts = 0;
 824
 825        /* Standard string-based options. */
 826        while ((p = strsep(&options, "|")) != NULL) {
 827                int token;
 828                substring_t args[MAX_OPT_ARGS];
 829
 830                if (!*p)
 831                        continue;
 832
 833                token = match_token(p, tokens, args);
 834
 835                switch (token) {
 836                case Opt_context:
 837                        if (context || defcontext) {
 838                                rc = -EINVAL;
 839                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 840                                goto out_err;
 841                        }
 842                        context = match_strdup(&args[0]);
 843                        if (!context) {
 844                                rc = -ENOMEM;
 845                                goto out_err;
 846                        }
 847                        break;
 848
 849                case Opt_fscontext:
 850                        if (fscontext) {
 851                                rc = -EINVAL;
 852                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 853                                goto out_err;
 854                        }
 855                        fscontext = match_strdup(&args[0]);
 856                        if (!fscontext) {
 857                                rc = -ENOMEM;
 858                                goto out_err;
 859                        }
 860                        break;
 861
 862                case Opt_rootcontext:
 863                        if (rootcontext) {
 864                                rc = -EINVAL;
 865                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 866                                goto out_err;
 867                        }
 868                        rootcontext = match_strdup(&args[0]);
 869                        if (!rootcontext) {
 870                                rc = -ENOMEM;
 871                                goto out_err;
 872                        }
 873                        break;
 874
 875                case Opt_defcontext:
 876                        if (context || defcontext) {
 877                                rc = -EINVAL;
 878                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 879                                goto out_err;
 880                        }
 881                        defcontext = match_strdup(&args[0]);
 882                        if (!defcontext) {
 883                                rc = -ENOMEM;
 884                                goto out_err;
 885                        }
 886                        break;
 887
 888                default:
 889                        rc = -EINVAL;
 890                        printk(KERN_WARNING "SELinux:  unknown mount option\n");
 891                        goto out_err;
 892
 893                }
 894        }
 895
 896        rc = -ENOMEM;
 897        opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
 898        if (!opts->mnt_opts)
 899                goto out_err;
 900
 901        opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
 902        if (!opts->mnt_opts_flags) {
 903                kfree(opts->mnt_opts);
 904                goto out_err;
 905        }
 906
 907        if (fscontext) {
 908                opts->mnt_opts[num_mnt_opts] = fscontext;
 909                opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
 910        }
 911        if (context) {
 912                opts->mnt_opts[num_mnt_opts] = context;
 913                opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
 914        }
 915        if (rootcontext) {
 916                opts->mnt_opts[num_mnt_opts] = rootcontext;
 917                opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
 918        }
 919        if (defcontext) {
 920                opts->mnt_opts[num_mnt_opts] = defcontext;
 921                opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
 922        }
 923
 924        opts->num_mnt_opts = num_mnt_opts;
 925        return 0;
 926
 927out_err:
 928        kfree(context);
 929        kfree(defcontext);
 930        kfree(fscontext);
 931        kfree(rootcontext);
 932        return rc;
 933}
 934/*
 935 * string mount options parsing and call set the sbsec
 936 */
 937static int superblock_doinit(struct super_block *sb, void *data)
 938{
 939        int rc = 0;
 940        char *options = data;
 941        struct security_mnt_opts opts;
 942
 943        security_init_mnt_opts(&opts);
 944
 945        if (!data)
 946                goto out;
 947
 948        BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
 949
 950        rc = selinux_parse_opts_str(options, &opts);
 951        if (rc)
 952                goto out_err;
 953
 954out:
 955        rc = selinux_set_mnt_opts(sb, &opts);
 956
 957out_err:
 958        security_free_mnt_opts(&opts);
 959        return rc;
 960}
 961
 962static void selinux_write_opts(struct seq_file *m,
 963                               struct security_mnt_opts *opts)
 964{
 965        int i;
 966        char *prefix;
 967
 968        for (i = 0; i < opts->num_mnt_opts; i++) {
 969                char *has_comma = strchr(opts->mnt_opts[i], ',');
 970
 971                switch (opts->mnt_opts_flags[i]) {
 972                case CONTEXT_MNT:
 973                        prefix = CONTEXT_STR;
 974                        break;
 975                case FSCONTEXT_MNT:
 976                        prefix = FSCONTEXT_STR;
 977                        break;
 978                case ROOTCONTEXT_MNT:
 979                        prefix = ROOTCONTEXT_STR;
 980                        break;
 981                case DEFCONTEXT_MNT:
 982                        prefix = DEFCONTEXT_STR;
 983                        break;
 984                default:
 985                        BUG();
 986                };
 987                /* we need a comma before each option */
 988                seq_putc(m, ',');
 989                seq_puts(m, prefix);
 990                if (has_comma)
 991                        seq_putc(m, '\"');
 992                seq_puts(m, opts->mnt_opts[i]);
 993                if (has_comma)
 994                        seq_putc(m, '\"');
 995        }
 996}
 997
 998static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
 999{
1000        struct security_mnt_opts opts;
1001        int rc;
1002
1003        rc = selinux_get_mnt_opts(sb, &opts);
1004        if (rc) {
1005                /* before policy load we may get EINVAL, don't show anything */
1006                if (rc == -EINVAL)
1007                        rc = 0;
1008                return rc;
1009        }
1010
1011        selinux_write_opts(m, &opts);
1012
1013        security_free_mnt_opts(&opts);
1014
1015        return rc;
1016}
1017
1018static inline u16 inode_mode_to_security_class(umode_t mode)
1019{
1020        switch (mode & S_IFMT) {
1021        case S_IFSOCK:
1022                return SECCLASS_SOCK_FILE;
1023        case S_IFLNK:
1024                return SECCLASS_LNK_FILE;
1025        case S_IFREG:
1026                return SECCLASS_FILE;
1027        case S_IFBLK:
1028                return SECCLASS_BLK_FILE;
1029        case S_IFDIR:
1030                return SECCLASS_DIR;
1031        case S_IFCHR:
1032                return SECCLASS_CHR_FILE;
1033        case S_IFIFO:
1034                return SECCLASS_FIFO_FILE;
1035
1036        }
1037
1038        return SECCLASS_FILE;
1039}
1040
1041static inline int default_protocol_stream(int protocol)
1042{
1043        return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1044}
1045
1046static inline int default_protocol_dgram(int protocol)
1047{
1048        return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1049}
1050
1051static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1052{
1053        switch (family) {
1054        case PF_UNIX:
1055                switch (type) {
1056                case SOCK_STREAM:
1057                case SOCK_SEQPACKET:
1058                        return SECCLASS_UNIX_STREAM_SOCKET;
1059                case SOCK_DGRAM:
1060                        return SECCLASS_UNIX_DGRAM_SOCKET;
1061                }
1062                break;
1063        case PF_INET:
1064        case PF_INET6:
1065                switch (type) {
1066                case SOCK_STREAM:
1067                        if (default_protocol_stream(protocol))
1068                                return SECCLASS_TCP_SOCKET;
1069                        else
1070                                return SECCLASS_RAWIP_SOCKET;
1071                case SOCK_DGRAM:
1072                        if (default_protocol_dgram(protocol))
1073                                return SECCLASS_UDP_SOCKET;
1074                        else
1075                                return SECCLASS_RAWIP_SOCKET;
1076                case SOCK_DCCP:
1077                        return SECCLASS_DCCP_SOCKET;
1078                default:
1079                        return SECCLASS_RAWIP_SOCKET;
1080                }
1081                break;
1082        case PF_NETLINK:
1083                switch (protocol) {
1084                case NETLINK_ROUTE:
1085                        return SECCLASS_NETLINK_ROUTE_SOCKET;
1086                case NETLINK_FIREWALL:
1087                        return SECCLASS_NETLINK_FIREWALL_SOCKET;
1088                case NETLINK_INET_DIAG:
1089                        return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1090                case NETLINK_NFLOG:
1091                        return SECCLASS_NETLINK_NFLOG_SOCKET;
1092                case NETLINK_XFRM:
1093                        return SECCLASS_NETLINK_XFRM_SOCKET;
1094                case NETLINK_SELINUX:
1095                        return SECCLASS_NETLINK_SELINUX_SOCKET;
1096                case NETLINK_AUDIT:
1097                        return SECCLASS_NETLINK_AUDIT_SOCKET;
1098                case NETLINK_IP6_FW:
1099                        return SECCLASS_NETLINK_IP6FW_SOCKET;
1100                case NETLINK_DNRTMSG:
1101                        return SECCLASS_NETLINK_DNRT_SOCKET;
1102                case NETLINK_KOBJECT_UEVENT:
1103                        return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1104                default:
1105                        return SECCLASS_NETLINK_SOCKET;
1106                }
1107        case PF_PACKET:
1108                return SECCLASS_PACKET_SOCKET;
1109        case PF_KEY:
1110                return SECCLASS_KEY_SOCKET;
1111        case PF_APPLETALK:
1112                return SECCLASS_APPLETALK_SOCKET;
1113        }
1114
1115        return SECCLASS_SOCKET;
1116}
1117
1118#ifdef CONFIG_PROC_FS
1119static int selinux_proc_get_sid(struct proc_dir_entry *de,
1120                                u16 tclass,
1121                                u32 *sid)
1122{
1123        int buflen, rc;
1124        char *buffer, *path, *end;
1125
1126        buffer = (char *)__get_free_page(GFP_KERNEL);
1127        if (!buffer)
1128                return -ENOMEM;
1129
1130        buflen = PAGE_SIZE;
1131        end = buffer+buflen;
1132        *--end = '\0';
1133        buflen--;
1134        path = end-1;
1135        *path = '/';
1136        while (de && de != de->parent) {
1137                buflen -= de->namelen + 1;
1138                if (buflen < 0)
1139                        break;
1140                end -= de->namelen;
1141                memcpy(end, de->name, de->namelen);
1142                *--end = '/';
1143                path = end;
1144                de = de->parent;
1145        }
1146        rc = security_genfs_sid("proc", path, tclass, sid);
1147        free_page((unsigned long)buffer);
1148        return rc;
1149}
1150#else
1151static int selinux_proc_get_sid(struct proc_dir_entry *de,
1152                                u16 tclass,
1153                                u32 *sid)
1154{
1155        return -EINVAL;
1156}
1157#endif
1158
1159/* The inode's security attributes must be initialized before first use. */
1160static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1161{
1162        struct superblock_security_struct *sbsec = NULL;
1163        struct inode_security_struct *isec = inode->i_security;
1164        u32 sid;
1165        struct dentry *dentry;
1166#define INITCONTEXTLEN 255
1167        char *context = NULL;
1168        unsigned len = 0;
1169        int rc = 0;
1170
1171        if (isec->initialized)
1172                goto out;
1173
1174        mutex_lock(&isec->lock);
1175        if (isec->initialized)
1176                goto out_unlock;
1177
1178        sbsec = inode->i_sb->s_security;
1179        if (!sbsec->initialized) {
1180                /* Defer initialization until selinux_complete_init,
1181                   after the initial policy is loaded and the security
1182                   server is ready to handle calls. */
1183                spin_lock(&sbsec->isec_lock);
1184                if (list_empty(&isec->list))
1185                        list_add(&isec->list, &sbsec->isec_head);
1186                spin_unlock(&sbsec->isec_lock);
1187                goto out_unlock;
1188        }
1189
1190        switch (sbsec->behavior) {
1191        case SECURITY_FS_USE_XATTR:
1192                if (!inode->i_op->getxattr) {
1193                        isec->sid = sbsec->def_sid;
1194                        break;
1195                }
1196
1197                /* Need a dentry, since the xattr API requires one.
1198                   Life would be simpler if we could just pass the inode. */
1199                if (opt_dentry) {
1200                        /* Called from d_instantiate or d_splice_alias. */
1201                        dentry = dget(opt_dentry);
1202                } else {
1203                        /* Called from selinux_complete_init, try to find a dentry. */
1204                        dentry = d_find_alias(inode);
1205                }
1206                if (!dentry) {
1207                        printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1208                               "ino=%ld\n", __func__, inode->i_sb->s_id,
1209                               inode->i_ino);
1210                        goto out_unlock;
1211                }
1212
1213                len = INITCONTEXTLEN;
1214                context = kmalloc(len, GFP_NOFS);
1215                if (!context) {
1216                        rc = -ENOMEM;
1217                        dput(dentry);
1218                        goto out_unlock;
1219                }
1220                rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1221                                           context, len);
1222                if (rc == -ERANGE) {
1223                        /* Need a larger buffer.  Query for the right size. */
1224                        rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1225                                                   NULL, 0);
1226                        if (rc < 0) {
1227                                dput(dentry);
1228                                goto out_unlock;
1229                        }
1230                        kfree(context);
1231                        len = rc;
1232                        context = kmalloc(len, GFP_NOFS);
1233                        if (!context) {
1234                                rc = -ENOMEM;
1235                                dput(dentry);
1236                                goto out_unlock;
1237                        }
1238                        rc = inode->i_op->getxattr(dentry,
1239                                                   XATTR_NAME_SELINUX,
1240                                                   context, len);
1241                }
1242                dput(dentry);
1243                if (rc < 0) {
1244                        if (rc != -ENODATA) {
1245                                printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1246                                       "%d for dev=%s ino=%ld\n", __func__,
1247                                       -rc, inode->i_sb->s_id, inode->i_ino);
1248                                kfree(context);
1249                                goto out_unlock;
1250                        }
1251                        /* Map ENODATA to the default file SID */
1252                        sid = sbsec->def_sid;
1253                        rc = 0;
1254                } else {
1255                        rc = security_context_to_sid_default(context, rc, &sid,
1256                                                             sbsec->def_sid,
1257                                                             GFP_NOFS);
1258                        if (rc) {
1259                                printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1260                                       "returned %d for dev=%s ino=%ld\n",
1261                                       __func__, context, -rc,
1262                                       inode->i_sb->s_id, inode->i_ino);
1263                                kfree(context);
1264                                /* Leave with the unlabeled SID */
1265                                rc = 0;
1266                                break;
1267                        }
1268                }
1269                kfree(context);
1270                isec->sid = sid;
1271                break;
1272        case SECURITY_FS_USE_TASK:
1273                isec->sid = isec->task_sid;
1274                break;
1275        case SECURITY_FS_USE_TRANS:
1276                /* Default to the fs SID. */
1277                isec->sid = sbsec->sid;
1278
1279                /* Try to obtain a transition SID. */
1280                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1281                rc = security_transition_sid(isec->task_sid,
1282                                             sbsec->sid,
1283                                             isec->sclass,
1284                                             &sid);
1285                if (rc)
1286                        goto out_unlock;
1287                isec->sid = sid;
1288                break;
1289        case SECURITY_FS_USE_MNTPOINT:
1290                isec->sid = sbsec->mntpoint_sid;
1291                break;
1292        default:
1293                /* Default to the fs superblock SID. */
1294                isec->sid = sbsec->sid;
1295
1296                if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1297                        struct proc_inode *proci = PROC_I(inode);
1298                        if (proci->pde) {
1299                                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1300                                rc = selinux_proc_get_sid(proci->pde,
1301                                                          isec->sclass,
1302                                                          &sid);
1303                                if (rc)
1304                                        goto out_unlock;
1305                                isec->sid = sid;
1306                        }
1307                }
1308                break;
1309        }
1310
1311        isec->initialized = 1;
1312
1313out_unlock:
1314        mutex_unlock(&isec->lock);
1315out:
1316        if (isec->sclass == SECCLASS_FILE)
1317                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1318        return rc;
1319}
1320
1321/* Convert a Linux signal to an access vector. */
1322static inline u32 signal_to_av(int sig)
1323{
1324        u32 perm = 0;
1325
1326        switch (sig) {
1327        case SIGCHLD:
1328                /* Commonly granted from child to parent. */
1329                perm = PROCESS__SIGCHLD;
1330                break;
1331        case SIGKILL:
1332                /* Cannot be caught or ignored */
1333                perm = PROCESS__SIGKILL;
1334                break;
1335        case SIGSTOP:
1336                /* Cannot be caught or ignored */
1337                perm = PROCESS__SIGSTOP;
1338                break;
1339        default:
1340                /* All other signals. */
1341                perm = PROCESS__SIGNAL;
1342                break;
1343        }
1344
1345        return perm;
1346}
1347
1348/* Check permission betweeen a pair of tasks, e.g. signal checks,
1349   fork check, ptrace check, etc. */
1350static int task_has_perm(struct task_struct *tsk1,
1351                         struct task_struct *tsk2,
1352                         u32 perms)
1353{
1354        struct task_security_struct *tsec1, *tsec2;
1355
1356        tsec1 = tsk1->security;
1357        tsec2 = tsk2->security;
1358        return avc_has_perm(tsec1->sid, tsec2->sid,
1359                            SECCLASS_PROCESS, perms, NULL);
1360}
1361
1362#if CAP_LAST_CAP > 63
1363#error Fix SELinux to handle capabilities > 63.
1364#endif
1365
1366/* Check whether a task is allowed to use a capability. */
1367static int task_has_capability(struct task_struct *tsk,
1368                               int cap)
1369{
1370        struct task_security_struct *tsec;
1371        struct avc_audit_data ad;
1372        u16 sclass;
1373        u32 av = CAP_TO_MASK(cap);
1374
1375        tsec = tsk->security;
1376
1377        AVC_AUDIT_DATA_INIT(&ad, CAP);
1378        ad.tsk = tsk;
1379        ad.u.cap = cap;
1380
1381        switch (CAP_TO_INDEX(cap)) {
1382        case 0:
1383                sclass = SECCLASS_CAPABILITY;
1384                break;
1385        case 1:
1386                sclass = SECCLASS_CAPABILITY2;
1387                break;
1388        default:
1389                printk(KERN_ERR
1390                       "SELinux:  out of range capability %d\n", cap);
1391                BUG();
1392        }
1393        return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1394}
1395
1396/* Check whether a task is allowed to use a system operation. */
1397static int task_has_system(struct task_struct *tsk,
1398                           u32 perms)
1399{
1400        struct task_security_struct *tsec;
1401
1402        tsec = tsk->security;
1403
1404        return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1405                            SECCLASS_SYSTEM, perms, NULL);
1406}
1407
1408/* Check whether a task has a particular permission to an inode.
1409   The 'adp' parameter is optional and allows other audit
1410   data to be passed (e.g. the dentry). */
1411static int inode_has_perm(struct task_struct *tsk,
1412                          struct inode *inode,
1413                          u32 perms,
1414                          struct avc_audit_data *adp)
1415{
1416        struct task_security_struct *tsec;
1417        struct inode_security_struct *isec;
1418        struct avc_audit_data ad;
1419
1420        if (unlikely(IS_PRIVATE(inode)))
1421                return 0;
1422
1423        tsec = tsk->security;
1424        isec = inode->i_security;
1425
1426        if (!adp) {
1427                adp = &ad;
1428                AVC_AUDIT_DATA_INIT(&ad, FS);
1429                ad.u.fs.inode = inode;
1430        }
1431
1432        return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1433}
1434
1435/* Same as inode_has_perm, but pass explicit audit data containing
1436   the dentry to help the auditing code to more easily generate the
1437   pathname if needed. */
1438static inline int dentry_has_perm(struct task_struct *tsk,
1439                                  struct vfsmount *mnt,
1440                                  struct dentry *dentry,
1441                                  u32 av)
1442{
1443        struct inode *inode = dentry->d_inode;
1444        struct avc_audit_data ad;
1445        AVC_AUDIT_DATA_INIT(&ad, FS);
1446        ad.u.fs.path.mnt = mnt;
1447        ad.u.fs.path.dentry = dentry;
1448        return inode_has_perm(tsk, inode, av, &ad);
1449}
1450
1451/* Check whether a task can use an open file descriptor to
1452   access an inode in a given way.  Check access to the
1453   descriptor itself, and then use dentry_has_perm to
1454   check a particular permission to the file.
1455   Access to the descriptor is implicitly granted if it
1456   has the same SID as the process.  If av is zero, then
1457   access to the file is not checked, e.g. for cases
1458   where only the descriptor is affected like seek. */
1459static int file_has_perm(struct task_struct *tsk,
1460                                struct file *file,
1461                                u32 av)
1462{
1463        struct task_security_struct *tsec = tsk->security;
1464        struct file_security_struct *fsec = file->f_security;
1465        struct inode *inode = file->f_path.dentry->d_inode;
1466        struct avc_audit_data ad;
1467        int rc;
1468
1469        AVC_AUDIT_DATA_INIT(&ad, FS);
1470        ad.u.fs.path = file->f_path;
1471
1472        if (tsec->sid != fsec->sid) {
1473                rc = avc_has_perm(tsec->sid, fsec->sid,
1474                                  SECCLASS_FD,
1475                                  FD__USE,
1476                                  &ad);
1477                if (rc)
1478                        return rc;
1479        }
1480
1481        /* av is zero if only checking access to the descriptor. */
1482        if (av)
1483                return inode_has_perm(tsk, inode, av, &ad);
1484
1485        return 0;
1486}
1487
1488/* Check whether a task can create a file. */
1489static int may_create(struct inode *dir,
1490                      struct dentry *dentry,
1491                      u16 tclass)
1492{
1493        struct task_security_struct *tsec;
1494        struct inode_security_struct *dsec;
1495        struct superblock_security_struct *sbsec;
1496        u32 newsid;
1497        struct avc_audit_data ad;
1498        int rc;
1499
1500        tsec = current->security;
1501        dsec = dir->i_security;
1502        sbsec = dir->i_sb->s_security;
1503
1504        AVC_AUDIT_DATA_INIT(&ad, FS);
1505        ad.u.fs.path.dentry = dentry;
1506
1507        rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1508                          DIR__ADD_NAME | DIR__SEARCH,
1509                          &ad);
1510        if (rc)
1511                return rc;
1512
1513        if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1514                newsid = tsec->create_sid;
1515        } else {
1516                rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1517                                             &newsid);
1518                if (rc)
1519                        return rc;
1520        }
1521
1522        rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1523        if (rc)
1524                return rc;
1525
1526        return avc_has_perm(newsid, sbsec->sid,
1527                            SECCLASS_FILESYSTEM,
1528                            FILESYSTEM__ASSOCIATE, &ad);
1529}
1530
1531/* Check whether a task can create a key. */
1532static int may_create_key(u32 ksid,
1533                          struct task_struct *ctx)
1534{
1535        struct task_security_struct *tsec;
1536
1537        tsec = ctx->security;
1538
1539        return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1540}
1541
1542#define MAY_LINK        0
1543#define MAY_UNLINK      1
1544#define MAY_RMDIR       2
1545
1546/* Check whether a task can link, unlink, or rmdir a file/directory. */
1547static int may_link(struct inode *dir,
1548                    struct dentry *dentry,
1549                    int kind)
1550
1551{
1552        struct task_security_struct *tsec;
1553        struct inode_security_struct *dsec, *isec;
1554        struct avc_audit_data ad;
1555        u32 av;
1556        int rc;
1557
1558        tsec = current->security;
1559        dsec = dir->i_security;
1560        isec = dentry->d_inode->i_security;
1561
1562        AVC_AUDIT_DATA_INIT(&ad, FS);
1563        ad.u.fs.path.dentry = dentry;
1564
1565        av = DIR__SEARCH;
1566        av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1567        rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1568        if (rc)
1569                return rc;
1570
1571        switch (kind) {
1572        case MAY_LINK:
1573                av = FILE__LINK;
1574                break;
1575        case MAY_UNLINK:
1576                av = FILE__UNLINK;
1577                break;
1578        case MAY_RMDIR:
1579                av = DIR__RMDIR;
1580                break;
1581        default:
1582                printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1583                        __func__, kind);
1584                return 0;
1585        }
1586
1587        rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1588        return rc;
1589}
1590
1591static inline int may_rename(struct inode *old_dir,
1592                             struct dentry *old_dentry,
1593                             struct inode *new_dir,
1594                             struct dentry *new_dentry)
1595{
1596        struct task_security_struct *tsec;
1597        struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1598        struct avc_audit_data ad;
1599        u32 av;
1600        int old_is_dir, new_is_dir;
1601        int rc;
1602
1603        tsec = current->security;
1604        old_dsec = old_dir->i_security;
1605        old_isec = old_dentry->d_inode->i_security;
1606        old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1607        new_dsec = new_dir->i_security;
1608
1609        AVC_AUDIT_DATA_INIT(&ad, FS);
1610
1611        ad.u.fs.path.dentry = old_dentry;
1612        rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1613                          DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1614        if (rc)
1615                return rc;
1616        rc = avc_has_perm(tsec->sid, old_isec->sid,
1617                          old_isec->sclass, FILE__RENAME, &ad);
1618        if (rc)
1619                return rc;
1620        if (old_is_dir && new_dir != old_dir) {
1621                rc = avc_has_perm(tsec->sid, old_isec->sid,
1622                                  old_isec->sclass, DIR__REPARENT, &ad);
1623                if (rc)
1624                        return rc;
1625        }
1626
1627        ad.u.fs.path.dentry = new_dentry;
1628        av = DIR__ADD_NAME | DIR__SEARCH;
1629        if (new_dentry->d_inode)
1630                av |= DIR__REMOVE_NAME;
1631        rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1632        if (rc)
1633                return rc;
1634        if (new_dentry->d_inode) {
1635                new_isec = new_dentry->d_inode->i_security;
1636                new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1637                rc = avc_has_perm(tsec->sid, new_isec->sid,
1638                                  new_isec->sclass,
1639                                  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1640                if (rc)
1641                        return rc;
1642        }
1643
1644        return 0;
1645}
1646
1647/* Check whether a task can perform a filesystem operation. */
1648static int superblock_has_perm(struct task_struct *tsk,
1649                               struct super_block *sb,
1650                               u32 perms,
1651                               struct avc_audit_data *ad)
1652{
1653        struct task_security_struct *tsec;
1654        struct superblock_security_struct *sbsec;
1655
1656        tsec = tsk->security;
1657        sbsec = sb->s_security;
1658        return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1659                            perms, ad);
1660}
1661
1662/* Convert a Linux mode and permission mask to an access vector. */
1663static inline u32 file_mask_to_av(int mode, int mask)
1664{
1665        u32 av = 0;
1666
1667        if ((mode & S_IFMT) != S_IFDIR) {
1668                if (mask & MAY_EXEC)
1669                        av |= FILE__EXECUTE;
1670                if (mask & MAY_READ)
1671                        av |= FILE__READ;
1672
1673                if (mask & MAY_APPEND)
1674                        av |= FILE__APPEND;
1675                else if (mask & MAY_WRITE)
1676                        av |= FILE__WRITE;
1677
1678        } else {
1679                if (mask & MAY_EXEC)
1680                        av |= DIR__SEARCH;
1681                if (mask & MAY_WRITE)
1682                        av |= DIR__WRITE;
1683                if (mask & MAY_READ)
1684                        av |= DIR__READ;
1685        }
1686
1687        return av;
1688}
1689
1690/*
1691 * Convert a file mask to an access vector and include the correct open
1692 * open permission.
1693 */
1694static inline u32 open_file_mask_to_av(int mode, int mask)
1695{
1696        u32 av = file_mask_to_av(mode, mask);
1697
1698        if (selinux_policycap_openperm) {
1699                /*
1700                 * lnk files and socks do not really have an 'open'
1701                 */
1702                if (S_ISREG(mode))
1703                        av |= FILE__OPEN;
1704                else if (S_ISCHR(mode))
1705                        av |= CHR_FILE__OPEN;
1706                else if (S_ISBLK(mode))
1707                        av |= BLK_FILE__OPEN;
1708                else if (S_ISFIFO(mode))
1709                        av |= FIFO_FILE__OPEN;
1710                else if (S_ISDIR(mode))
1711                        av |= DIR__OPEN;
1712                else
1713                        printk(KERN_ERR "SELinux: WARNING: inside %s with "
1714                                "unknown mode:%x\n", __func__, mode);
1715        }
1716        return av;
1717}
1718
1719/* Convert a Linux file to an access vector. */
1720static inline u32 file_to_av(struct file *file)
1721{
1722        u32 av = 0;
1723
1724        if (file->f_mode & FMODE_READ)
1725                av |= FILE__READ;
1726        if (file->f_mode & FMODE_WRITE) {
1727                if (file->f_flags & O_APPEND)
1728                        av |= FILE__APPEND;
1729                else
1730                        av |= FILE__WRITE;
1731        }
1732        if (!av) {
1733                /*
1734                 * Special file opened with flags 3 for ioctl-only use.
1735                 */
1736                av = FILE__IOCTL;
1737        }
1738
1739        return av;
1740}
1741
1742/* Hook functions begin here. */
1743
1744static int selinux_ptrace_may_access(struct task_struct *child,
1745                                     unsigned int mode)
1746{
1747        int rc;
1748
1749        rc = secondary_ops->ptrace_may_access(child, mode);
1750        if (rc)
1751                return rc;
1752
1753        if (mode == PTRACE_MODE_READ) {
1754                struct task_security_struct *tsec = current->security;
1755                struct task_security_struct *csec = child->security;
1756                return avc_has_perm(tsec->sid, csec->sid,
1757                                    SECCLASS_FILE, FILE__READ, NULL);
1758        }
1759
1760        return task_has_perm(current, child, PROCESS__PTRACE);
1761}
1762
1763static int selinux_ptrace_traceme(struct task_struct *parent)
1764{
1765        int rc;
1766
1767        rc = secondary_ops->ptrace_traceme(parent);
1768        if (rc)
1769                return rc;
1770
1771        return task_has_perm(parent, current, PROCESS__PTRACE);
1772}
1773
1774static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1775                          kernel_cap_t *inheritable, kernel_cap_t *permitted)
1776{
1777        int error;
1778
1779        error = task_has_perm(current, target, PROCESS__GETCAP);
1780        if (error)
1781                return error;
1782
1783        return secondary_ops->capget(target, effective, inheritable, permitted);
1784}
1785
1786static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1787                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1788{
1789        int error;
1790
1791        error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1792        if (error)
1793                return error;
1794
1795        return task_has_perm(current, target, PROCESS__SETCAP);
1796}
1797
1798static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1799                               kernel_cap_t *inheritable, kernel_cap_t *permitted)
1800{
1801        secondary_ops->capset_set(target, effective, inheritable, permitted);
1802}
1803
1804static int selinux_capable(struct task_struct *tsk, int cap)
1805{
1806        int rc;
1807
1808        rc = secondary_ops->capable(tsk, cap);
1809        if (rc)
1810                return rc;
1811
1812        return task_has_capability(tsk, cap);
1813}
1814
1815static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1816{
1817        int buflen, rc;
1818        char *buffer, *path, *end;
1819
1820        rc = -ENOMEM;
1821        buffer = (char *)__get_free_page(GFP_KERNEL);
1822        if (!buffer)
1823                goto out;
1824
1825        buflen = PAGE_SIZE;
1826        end = buffer+buflen;
1827        *--end = '\0';
1828        buflen--;
1829        path = end-1;
1830        *path = '/';
1831        while (table) {
1832                const char *name = table->procname;
1833                size_t namelen = strlen(name);
1834                buflen -= namelen + 1;
1835                if (buflen < 0)
1836                        goto out_free;
1837                end -= namelen;
1838                memcpy(end, name, namelen);
1839                *--end = '/';
1840                path = end;
1841                table = table->parent;
1842        }
1843        buflen -= 4;
1844        if (buflen < 0)
1845                goto out_free;
1846        end -= 4;
1847        memcpy(end, "/sys", 4);
1848        path = end;
1849        rc = security_genfs_sid("proc", path, tclass, sid);
1850out_free:
1851        free_page((unsigned long)buffer);
1852out:
1853        return rc;
1854}
1855
1856static int selinux_sysctl(ctl_table *table, int op)
1857{
1858        int error = 0;
1859        u32 av;
1860        struct task_security_struct *tsec;
1861        u32 tsid;
1862        int rc;
1863
1864        rc = secondary_ops->sysctl(table, op);
1865        if (rc)
1866                return rc;
1867
1868        tsec = current->security;
1869
1870        rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1871                                    SECCLASS_DIR : SECCLASS_FILE, &tsid);
1872        if (rc) {
1873                /* Default to the well-defined sysctl SID. */
1874                tsid = SECINITSID_SYSCTL;
1875        }
1876
1877        /* The op values are "defined" in sysctl.c, thereby creating
1878         * a bad coupling between this module and sysctl.c */
1879        if (op == 001) {
1880                error = avc_has_perm(tsec->sid, tsid,
1881                                     SECCLASS_DIR, DIR__SEARCH, NULL);
1882        } else {
1883                av = 0;
1884                if (op & 004)
1885                        av |= FILE__READ;
1886                if (op & 002)
1887                        av |= FILE__WRITE;
1888                if (av)
1889                        error = avc_has_perm(tsec->sid, tsid,
1890                                             SECCLASS_FILE, av, NULL);
1891        }
1892
1893        return error;
1894}
1895
1896static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1897{
1898        int rc = 0;
1899
1900        if (!sb)
1901                return 0;
1902
1903        switch (cmds) {
1904        case Q_SYNC:
1905        case Q_QUOTAON:
1906        case Q_QUOTAOFF:
1907        case Q_SETINFO:
1908        case Q_SETQUOTA:
1909                rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1910                                         NULL);
1911                break;
1912        case Q_GETFMT:
1913        case Q_GETINFO:
1914        case Q_GETQUOTA:
1915                rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1916                                         NULL);
1917                break;
1918        default:
1919                rc = 0;  /* let the kernel handle invalid cmds */
1920                break;
1921        }
1922        return rc;
1923}
1924
1925static int selinux_quota_on(struct dentry *dentry)
1926{
1927        return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1928}
1929
1930static int selinux_syslog(int type)
1931{
1932        int rc;
1933
1934        rc = secondary_ops->syslog(type);
1935        if (rc)
1936                return rc;
1937
1938        switch (type) {
1939        case 3:         /* Read last kernel messages */
1940        case 10:        /* Return size of the log buffer */
1941                rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1942                break;
1943        case 6:         /* Disable logging to console */
1944        case 7:         /* Enable logging to console */
1945        case 8:         /* Set level of messages printed to console */
1946                rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1947                break;
1948        case 0:         /* Close log */
1949        case 1:         /* Open log */
1950        case 2:         /* Read from log */
1951        case 4:         /* Read/clear last kernel messages */
1952        case 5:         /* Clear ring buffer */
1953        default:
1954                rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1955                break;
1956        }
1957        return rc;
1958}
1959
1960/*
1961 * Check that a process has enough memory to allocate a new virtual
1962 * mapping. 0 means there is enough memory for the allocation to
1963 * succeed and -ENOMEM implies there is not.
1964 *
1965 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1966 * if the capability is granted, but __vm_enough_memory requires 1 if
1967 * the capability is granted.
1968 *
1969 * Do not audit the selinux permission check, as this is applied to all
1970 * processes that allocate mappings.
1971 */
1972static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1973{
1974        int rc, cap_sys_admin = 0;
1975        struct task_security_struct *tsec = current->security;
1976
1977        rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1978        if (rc == 0)
1979                rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1980                                          SECCLASS_CAPABILITY,
1981                                          CAP_TO_MASK(CAP_SYS_ADMIN),
1982                                          0,
1983                                          NULL);
1984
1985        if (rc == 0)
1986                cap_sys_admin = 1;
1987
1988        return __vm_enough_memory(mm, pages, cap_sys_admin);
1989}
1990
1991/* binprm security operations */
1992
1993static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1994{
1995        struct bprm_security_struct *bsec;
1996
1997        bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1998        if (!bsec)
1999                return -ENOMEM;
2000
2001        bsec->sid = SECINITSID_UNLABELED;
2002        bsec->set = 0;
2003
2004        bprm->security = bsec;
2005        return 0;
2006}
2007
2008static int selinux_bprm_set_security(struct linux_binprm *bprm)
2009{
2010        struct task_security_struct *tsec;
2011        struct inode *inode = bprm->file->f_path.dentry->d_inode;
2012        struct inode_security_struct *isec;
2013        struct bprm_security_struct *bsec;
2014        u32 newsid;
2015        struct avc_audit_data ad;
2016        int rc;
2017
2018        rc = secondary_ops->bprm_set_security(bprm);
2019        if (rc)
2020                return rc;
2021
2022        bsec = bprm->security;
2023
2024        if (bsec->set)
2025                return 0;
2026
2027        tsec = current->security;
2028        isec = inode->i_security;
2029
2030        /* Default to the current task SID. */
2031        bsec->sid = tsec->sid;
2032
2033        /* Reset fs, key, and sock SIDs on execve. */
2034        tsec->create_sid = 0;
2035        tsec->keycreate_sid = 0;
2036        tsec->sockcreate_sid = 0;
2037
2038        if (tsec->exec_sid) {
2039                newsid = tsec->exec_sid;
2040                /* Reset exec SID on execve. */
2041                tsec->exec_sid = 0;
2042        } else {
2043                /* Check for a default transition on this program. */
2044                rc = security_transition_sid(tsec->sid, isec->sid,
2045                                             SECCLASS_PROCESS, &newsid);
2046                if (rc)
2047                        return rc;
2048        }
2049
2050        AVC_AUDIT_DATA_INIT(&ad, FS);
2051        ad.u.fs.path = bprm->file->f_path;
2052
2053        if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2054                newsid = tsec->sid;
2055
2056        if (tsec->sid == newsid) {
2057                rc = avc_has_perm(tsec->sid, isec->sid,
2058                                  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2059                if (rc)
2060                        return rc;
2061        } else {
2062                /* Check permissions for the transition. */
2063                rc = avc_has_perm(tsec->sid, newsid,
2064                                  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2065                if (rc)
2066                        return rc;
2067
2068                rc = avc_has_perm(newsid, isec->sid,
2069                                  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2070                if (rc)
2071                        return rc;
2072
2073                /* Clear any possibly unsafe personality bits on exec: */
2074                current->personality &= ~PER_CLEAR_ON_SETID;
2075
2076                /* Set the security field to the new SID. */
2077                bsec->sid = newsid;
2078        }
2079
2080        bsec->set = 1;
2081        return 0;
2082}
2083
2084static int selinux_bprm_check_security(struct linux_binprm *bprm)
2085{
2086        return secondary_ops->bprm_check_security(bprm);
2087}
2088
2089
2090static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2091{
2092        struct task_security_struct *tsec = current->security;
2093        int atsecure = 0;
2094
2095        if (tsec->osid != tsec->sid) {
2096                /* Enable secure mode for SIDs transitions unless
2097                   the noatsecure permission is granted between
2098                   the two SIDs, i.e. ahp returns 0. */
2099                atsecure = avc_has_perm(tsec->osid, tsec->sid,
2100                                         SECCLASS_PROCESS,
2101                                         PROCESS__NOATSECURE, NULL);
2102        }
2103
2104        return (atsecure || secondary_ops->bprm_secureexec(bprm));
2105}
2106
2107static void selinux_bprm_free_security(struct linux_binprm *bprm)
2108{
2109        kfree(bprm->security);
2110        bprm->security = NULL;
2111}
2112
2113extern struct vfsmount *selinuxfs_mount;
2114extern struct dentry *selinux_null;
2115
2116/* Derived from fs/exec.c:flush_old_files. */
2117static inline void flush_unauthorized_files(struct files_struct *files)
2118{
2119        struct avc_audit_data ad;
2120        struct file *file, *devnull = NULL;
2121        struct tty_struct *tty;
2122        struct fdtable *fdt;
2123        long j = -1;
2124        int drop_tty = 0;
2125
2126        tty = get_current_tty();
2127        if (tty) {
2128                file_list_lock();
2129                if (!list_empty(&tty->tty_files)) {
2130                        struct inode *inode;
2131
2132                        /* Revalidate access to controlling tty.
2133                           Use inode_has_perm on the tty inode directly rather
2134                           than using file_has_perm, as this particular open
2135                           file may belong to another process and we are only
2136                           interested in the inode-based check here. */
2137                        file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2138                        inode = file->f_path.dentry->d_inode;
2139                        if (inode_has_perm(current, inode,
2140                                           FILE__READ | FILE__WRITE, NULL)) {
2141                                drop_tty = 1;
2142                        }
2143                }
2144                file_list_unlock();
2145                tty_kref_put(tty);
2146        }
2147        /* Reset controlling tty. */
2148        if (drop_tty)
2149                no_tty();
2150
2151        /* Revalidate access to inherited open files. */
2152
2153        AVC_AUDIT_DATA_INIT(&ad, FS);
2154
2155        spin_lock(&files->file_lock);
2156        for (;;) {
2157                unsigned long set, i;
2158                int fd;
2159
2160                j++;
2161                i = j * __NFDBITS;
2162                fdt = files_fdtable(files);
2163                if (i >= fdt->max_fds)
2164                        break;
2165                set = fdt->open_fds->fds_bits[j];
2166                if (!set)
2167                        continue;
2168                spin_unlock(&files->file_lock);
2169                for ( ; set ; i++, set >>= 1) {
2170                        if (set & 1) {
2171                                file = fget(i);
2172                                if (!file)
2173                                        continue;
2174                                if (file_has_perm(current,
2175                                                  file,
2176                                                  file_to_av(file))) {
2177                                        sys_close(i);
2178                                        fd = get_unused_fd();
2179                                        if (fd != i) {
2180                                                if (fd >= 0)
2181                                                        put_unused_fd(fd);
2182                                                fput(file);
2183                                                continue;
2184                                        }
2185                                        if (devnull) {
2186                                                get_file(devnull);
2187                                        } else {
2188                                                devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2189                                                if (IS_ERR(devnull)) {
2190                                                        devnull = NULL;
2191                                                        put_unused_fd(fd);
2192                                                        fput(file);
2193                                                        continue;
2194                                                }
2195                                        }
2196                                        fd_install(fd, devnull);
2197                                }
2198                                fput(file);
2199                        }
2200                }
2201                spin_lock(&files->file_lock);
2202
2203        }
2204        spin_unlock(&files->file_lock);
2205}
2206
2207static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2208{
2209        struct task_security_struct *tsec;
2210        struct bprm_security_struct *bsec;
2211        u32 sid;
2212        int rc;
2213
2214        secondary_ops->bprm_apply_creds(bprm, unsafe);
2215
2216        tsec = current->security;
2217
2218        bsec = bprm->security;
2219        sid = bsec->sid;
2220
2221        tsec->osid = tsec->sid;
2222        bsec->unsafe = 0;
2223        if (tsec->sid != sid) {
2224                /* Check for shared state.  If not ok, leave SID
2225                   unchanged and kill. */
2226                if (unsafe & LSM_UNSAFE_SHARE) {
2227                        rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2228                                        PROCESS__SHARE, NULL);
2229                        if (rc) {
2230                                bsec->unsafe = 1;
2231                                return;
2232                        }
2233                }
2234
2235                /* Check for ptracing, and update the task SID if ok.
2236                   Otherwise, leave SID unchanged and kill. */
2237                if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2238                        struct task_struct *tracer;
2239                        struct task_security_struct *sec;
2240                        u32 ptsid = 0;
2241
2242                        rcu_read_lock();
2243                        tracer = tracehook_tracer_task(current);
2244                        if (likely(tracer != NULL)) {
2245                                sec = tracer->security;
2246                                ptsid = sec->sid;
2247                        }
2248                        rcu_read_unlock();
2249
2250                        if (ptsid != 0) {
2251                                rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2252                                                  PROCESS__PTRACE, NULL);
2253                                if (rc) {
2254                                        bsec->unsafe = 1;
2255                                        return;
2256                                }
2257                        }
2258                }
2259                tsec->sid = sid;
2260        }
2261}
2262
2263/*
2264 * called after apply_creds without the task lock held
2265 */
2266static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2267{
2268        struct task_security_struct *tsec;
2269        struct rlimit *rlim, *initrlim;
2270        struct itimerval itimer;
2271        struct bprm_security_struct *bsec;
2272        int rc, i;
2273
2274        tsec = current->security;
2275        bsec = bprm->security;
2276
2277        if (bsec->unsafe) {
2278                force_sig_specific(SIGKILL, current);
2279                return;
2280        }
2281        if (tsec->osid == tsec->sid)
2282                return;
2283
2284        /* Close files for which the new task SID is not authorized. */
2285        flush_unauthorized_files(current->files);
2286
2287        /* Check whether the new SID can inherit signal state
2288           from the old SID.  If not, clear itimers to avoid
2289           subsequent signal generation and flush and unblock
2290           signals. This must occur _after_ the task SID has
2291          been updated so that any kill done after the flush
2292          will be checked against the new SID. */
2293        rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2294                          PROCESS__SIGINH, NULL);
2295        if (rc) {
2296                memset(&itimer, 0, sizeof itimer);
2297                for (i = 0; i < 3; i++)
2298                        do_setitimer(i, &itimer, NULL);
2299                flush_signals(current);
2300                spin_lock_irq(&current->sighand->siglock);
2301                flush_signal_handlers(current, 1);
2302                sigemptyset(&current->blocked);
2303                recalc_sigpending();
2304                spin_unlock_irq(&current->sighand->siglock);
2305        }
2306
2307        /* Always clear parent death signal on SID transitions. */
2308        current->pdeath_signal = 0;
2309
2310        /* Check whether the new SID can inherit resource limits
2311           from the old SID.  If not, reset all soft limits to
2312           the lower of the current task's hard limit and the init
2313           task's soft limit.  Note that the setting of hard limits
2314           (even to lower them) can be controlled by the setrlimit
2315           check. The inclusion of the init task's soft limit into
2316           the computation is to avoid resetting soft limits higher
2317           than the default soft limit for cases where the default
2318           is lower than the hard limit, e.g. RLIMIT_CORE or
2319           RLIMIT_STACK.*/
2320        rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2321                          PROCESS__RLIMITINH, NULL);
2322        if (rc) {
2323                for (i = 0; i < RLIM_NLIMITS; i++) {
2324                        rlim = current->signal->rlim + i;
2325                        initrlim = init_task.signal->rlim+i;
2326                        rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2327                }
2328                update_rlimit_cpu(rlim->rlim_cur);
2329        }
2330
2331        /* Wake up the parent if it is waiting so that it can
2332           recheck wait permission to the new task SID. */
2333        wake_up_interruptible(&current->parent->signal->wait_chldexit);
2334}
2335
2336/* superblock security operations */
2337
2338static int selinux_sb_alloc_security(struct super_block *sb)
2339{
2340        return superblock_alloc_security(sb);
2341}
2342
2343static void selinux_sb_free_security(struct super_block *sb)
2344{
2345        superblock_free_security(sb);
2346}
2347
2348static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2349{
2350        if (plen > olen)
2351                return 0;
2352
2353        return !memcmp(prefix, option, plen);
2354}
2355
2356static inline int selinux_option(char *option, int len)
2357{
2358        return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2359                match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2360                match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2361                match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2362}
2363
2364static inline void take_option(char **to, char *from, int *first, int len)
2365{
2366        if (!*first) {
2367                **to = ',';
2368                *to += 1;
2369        } else
2370                *first = 0;
2371        memcpy(*to, from, len);
2372        *to += len;
2373}
2374
2375static inline void take_selinux_option(char **to, char *from, int *first,
2376                                       int len)
2377{
2378        int current_size = 0;
2379
2380        if (!*first) {
2381                **to = '|';
2382                *to += 1;
2383        } else
2384                *first = 0;
2385
2386        while (current_size < len) {
2387                if (*from != '"') {
2388                        **to = *from;
2389                        *to += 1;
2390                }
2391                from += 1;
2392                current_size += 1;
2393        }
2394}
2395
2396static int selinux_sb_copy_data(char *orig, char *copy)
2397{
2398        int fnosec, fsec, rc = 0;
2399        char *in_save, *in_curr, *in_end;
2400        char *sec_curr, *nosec_save, *nosec;
2401        int open_quote = 0;
2402
2403        in_curr = orig;
2404        sec_curr = copy;
2405
2406        nosec = (char *)get_zeroed_page(GFP_KERNEL);
2407        if (!nosec) {
2408                rc = -ENOMEM;
2409                goto out;
2410        }
2411
2412        nosec_save = nosec;
2413        fnosec = fsec = 1;
2414        in_save = in_end = orig;
2415
2416        do {
2417                if (*in_end == '"')
2418                        open_quote = !open_quote;
2419                if ((*in_end == ',' && open_quote == 0) ||
2420                                *in_end == '\0') {
2421                        int len = in_end - in_curr;
2422
2423                        if (selinux_option(in_curr, len))
2424                                take_selinux_option(&sec_curr, in_curr, &fsec, len);
2425                        else
2426                                take_option(&nosec, in_curr, &fnosec, len);
2427
2428                        in_curr = in_end + 1;
2429                }
2430        } while (*in_end++);
2431
2432        strcpy(in_save, nosec_save);
2433        free_page((unsigned long)nosec_save);
2434out:
2435        return rc;
2436}
2437
2438static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2439{
2440        struct avc_audit_data ad;
2441        int rc;
2442
2443        rc = superblock_doinit(sb, data);
2444        if (rc)
2445                return rc;
2446
2447        AVC_AUDIT_DATA_INIT(&ad, FS);
2448        ad.u.fs.path.dentry = sb->s_root;
2449        return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2450}
2451
2452static int selinux_sb_statfs(struct dentry *dentry)
2453{
2454        struct avc_audit_data ad;
2455
2456        AVC_AUDIT_DATA_INIT(&ad, FS);
2457        ad.u.fs.path.dentry = dentry->d_sb->s_root;
2458        return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2459}
2460
2461static int selinux_mount(char *dev_name,
2462                         struct path *path,
2463                         char *type,
2464                         unsigned long flags,
2465                         void *data)
2466{
2467        int rc;
2468
2469        rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2470        if (rc)
2471                return rc;
2472
2473        if (flags & MS_REMOUNT)
2474                return superblock_has_perm(current, path->mnt->mnt_sb,
2475                                           FILESYSTEM__REMOUNT, NULL);
2476        else
2477                return dentry_has_perm(current, path->mnt, path->dentry,
2478                                       FILE__MOUNTON);
2479}
2480
2481static int selinux_umount(struct vfsmount *mnt, int flags)
2482{
2483        int rc;
2484
2485        rc = secondary_ops->sb_umount(mnt, flags);
2486        if (rc)
2487                return rc;
2488
2489        return superblock_has_perm(current, mnt->mnt_sb,
2490                                   FILESYSTEM__UNMOUNT, NULL);
2491}
2492
2493/* inode security operations */
2494
2495static int selinux_inode_alloc_security(struct inode *inode)
2496{
2497        return inode_alloc_security(inode);
2498}
2499
2500static void selinux_inode_free_security(struct inode *inode)
2501{
2502        inode_free_security(inode);
2503}
2504
2505static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2506                                       char **name, void **value,
2507                                       size_t *len)
2508{
2509        struct task_security_struct *tsec;
2510        struct inode_security_struct *dsec;
2511        struct superblock_security_struct *sbsec;
2512        u32 newsid, clen;
2513        int rc;
2514        char *namep = NULL, *context;
2515
2516        tsec = current->security;
2517        dsec = dir->i_security;
2518        sbsec = dir->i_sb->s_security;
2519
2520        if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2521                newsid = tsec->create_sid;
2522        } else {
2523                rc = security_transition_sid(tsec->sid, dsec->sid,
2524                                             inode_mode_to_security_class(inode->i_mode),
2525                                             &newsid);
2526                if (rc) {
2527                        printk(KERN_WARNING "%s:  "
2528                               "security_transition_sid failed, rc=%d (dev=%s "
2529                               "ino=%ld)\n",
2530                               __func__,
2531                               -rc, inode->i_sb->s_id, inode->i_ino);
2532                        return rc;
2533                }
2534        }
2535
2536        /* Possibly defer initialization to selinux_complete_init. */
2537        if (sbsec->initialized) {
2538                struct inode_security_struct *isec = inode->i_security;
2539                isec->sclass = inode_mode_to_security_class(inode->i_mode);
2540                isec->sid = newsid;
2541                isec->initialized = 1;
2542        }
2543
2544        if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2545                return -EOPNOTSUPP;
2546
2547        if (name) {
2548                namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2549                if (!namep)
2550                        return -ENOMEM;
2551                *name = namep;
2552        }
2553
2554        if (value && len) {
2555                rc = security_sid_to_context_force(newsid, &context, &clen);
2556                if (rc) {
2557                        kfree(namep);
2558                        return rc;
2559                }
2560                *value = context;
2561                *len = clen;
2562        }
2563
2564        return 0;
2565}
2566
2567static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2568{
2569        return may_create(dir, dentry, SECCLASS_FILE);
2570}
2571
2572static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2573{
2574        int rc;
2575
2576        rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2577        if (rc)
2578                return rc;
2579        return may_link(dir, old_dentry, MAY_LINK);
2580}
2581
2582static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2583{
2584        int rc;
2585
2586        rc = secondary_ops->inode_unlink(dir, dentry);
2587        if (rc)
2588                return rc;
2589        return may_link(dir, dentry, MAY_UNLINK);
2590}
2591
2592static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2593{
2594        return may_create(dir, dentry, SECCLASS_LNK_FILE);
2595}
2596
2597static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2598{
2599        return may_create(dir, dentry, SECCLASS_DIR);
2600}
2601
2602static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2603{
2604        return may_link(dir, dentry, MAY_RMDIR);
2605}
2606
2607static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2608{
2609        int rc;
2610
2611        rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2612        if (rc)
2613                return rc;
2614
2615        return may_create(dir, dentry, inode_mode_to_security_class(mode));
2616}
2617
2618static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2619                                struct inode *new_inode, struct dentry *new_dentry)
2620{
2621        return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2622}
2623
2624static int selinux_inode_readlink(struct dentry *dentry)
2625{
2626        return dentry_has_perm(current, NULL, dentry, FILE__READ);
2627}
2628
2629static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2630{
2631        int rc;
2632
2633        rc = secondary_ops->inode_follow_link(dentry, nameidata);
2634        if (rc)
2635                return rc;
2636        return dentry_has_perm(current, NULL, dentry, FILE__READ);
2637}
2638
2639static int selinux_inode_permission(struct inode *inode, int mask)
2640{
2641        int rc;
2642
2643        rc = secondary_ops->inode_permission(inode, mask);
2644        if (rc)
2645                return rc;
2646
2647        if (!mask) {
2648                /* No permission to check.  Existence test. */
2649                return 0;
2650        }
2651
2652        return inode_has_perm(current, inode,
2653                               open_file_mask_to_av(inode->i_mode, mask), NULL);
2654}
2655
2656static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2657{
2658        int rc;
2659
2660        rc = secondary_ops->inode_setattr(dentry, iattr);
2661        if (rc)
2662                return rc;
2663
2664        if (iattr->ia_valid & ATTR_FORCE)
2665                return 0;
2666
2667        if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2668                               ATTR_ATIME_SET | ATTR_MTIME_SET))
2669                return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2670
2671        return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2672}
2673
2674static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2675{
2676        return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2677}
2678
2679static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2680{
2681        if (!strncmp(name, XATTR_SECURITY_PREFIX,
2682                     sizeof XATTR_SECURITY_PREFIX - 1)) {
2683                if (!strcmp(name, XATTR_NAME_CAPS)) {
2684                        if (!capable(CAP_SETFCAP))
2685                                return -EPERM;
2686                } else if (!capable(CAP_SYS_ADMIN)) {
2687                        /* A different attribute in the security namespace.
2688                           Restrict to administrator. */
2689                        return -EPERM;
2690                }
2691        }
2692
2693        /* Not an attribute we recognize, so just check the
2694           ordinary setattr permission. */
2695        return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2696}
2697
2698static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2699                                  const void *value, size_t size, int flags)
2700{
2701        struct task_security_struct *tsec = current->security;
2702        struct inode *inode = dentry->d_inode;
2703        struct inode_security_struct *isec = inode->i_security;
2704        struct superblock_security_struct *sbsec;
2705        struct avc_audit_data ad;
2706        u32 newsid;
2707        int rc = 0;
2708
2709        if (strcmp(name, XATTR_NAME_SELINUX))
2710                return selinux_inode_setotherxattr(dentry, name);
2711
2712        sbsec = inode->i_sb->s_security;
2713        if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2714                return -EOPNOTSUPP;
2715
2716        if (!is_owner_or_cap(inode))
2717                return -EPERM;
2718
2719        AVC_AUDIT_DATA_INIT(&ad, FS);
2720        ad.u.fs.path.dentry = dentry;
2721
2722        rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2723                          FILE__RELABELFROM, &ad);
2724        if (rc)
2725                return rc;
2726
2727        rc = security_context_to_sid(value, size, &newsid);
2728        if (rc == -EINVAL) {
2729                if (!capable(CAP_MAC_ADMIN))
2730                        return rc;
2731                rc = security_context_to_sid_force(value, size, &newsid);
2732        }
2733        if (rc)
2734                return rc;
2735
2736        rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2737                          FILE__RELABELTO, &ad);
2738        if (rc)
2739                return rc;
2740
2741        rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2742                                          isec->sclass);
2743        if (rc)
2744                return rc;
2745
2746        return avc_has_perm(newsid,
2747                            sbsec->sid,
2748                            SECCLASS_FILESYSTEM,
2749                            FILESYSTEM__ASSOCIATE,
2750                            &ad);
2751}
2752
2753static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2754                                        const void *value, size_t size,
2755                                        int flags)
2756{
2757        struct inode *inode = dentry->d_inode;
2758        struct inode_security_struct *isec = inode->i_security;
2759        u32 newsid;
2760        int rc;
2761
2762        if (strcmp(name, XATTR_NAME_SELINUX)) {
2763                /* Not an attribute we recognize, so nothing to do. */
2764                return;
2765        }
2766
2767        rc = security_context_to_sid_force(value, size, &newsid);
2768        if (rc) {
2769                printk(KERN_ERR "SELinux:  unable to map context to SID"
2770                       "for (%s, %lu), rc=%d\n",
2771                       inode->i_sb->s_id, inode->i_ino, -rc);
2772                return;
2773        }
2774
2775        isec->sid = newsid;
2776        return;
2777}
2778
2779static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2780{
2781        return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2782}
2783
2784static int selinux_inode_listxattr(struct dentry *dentry)
2785{
2786        return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2787}
2788
2789static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2790{
2791        if (strcmp(name, XATTR_NAME_SELINUX))
2792                return selinux_inode_setotherxattr(dentry, name);
2793
2794        /* No one is allowed to remove a SELinux security label.
2795           You can change the label, but all data must be labeled. */
2796        return -EACCES;
2797}
2798
2799/*
2800 * Copy the inode security context value to the user.
2801 *
2802 * Permission check is handled by selinux_inode_getxattr hook.
2803 */
2804static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2805{
2806        u32 size;
2807        int error;
2808        char *context = NULL;
2809        struct task_security_struct *tsec = current->security;
2810        struct inode_security_struct *isec = inode->i_security;
2811
2812        if (strcmp(name, XATTR_SELINUX_SUFFIX))
2813                return -EOPNOTSUPP;
2814
2815        /*
2816         * If the caller has CAP_MAC_ADMIN, then get the raw context
2817         * value even if it is not defined by current policy; otherwise,
2818         * use the in-core value under current policy.
2819         * Use the non-auditing forms of the permission checks since
2820         * getxattr may be called by unprivileged processes commonly
2821         * and lack of permission just means that we fall back to the
2822         * in-core context value, not a denial.
2823         */
2824        error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2825        if (!error)
2826                error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2827                                             SECCLASS_CAPABILITY2,
2828                                             CAPABILITY2__MAC_ADMIN,
2829                                             0,
2830                                             NULL);
2831        if (!error)
2832                error = security_sid_to_context_force(isec->sid, &context,
2833                                                      &size);
2834        else
2835                error = security_sid_to_context(isec->sid, &context, &size);
2836        if (error)
2837                return error;
2838        error = size;
2839        if (alloc) {
2840                *buffer = context;
2841                goto out_nofree;
2842        }
2843        kfree(context);
2844out_nofree:
2845        return error;
2846}
2847
2848static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2849                                     const void *value, size_t size, int flags)
2850{
2851        struct inode_security_struct *isec = inode->i_security;
2852        u32 newsid;
2853        int rc;
2854
2855        if (strcmp(name, XATTR_SELINUX_SUFFIX))
2856                return -EOPNOTSUPP;
2857
2858        if (!value || !size)
2859                return -EACCES;
2860
2861        rc = security_context_to_sid((void *)value, size, &newsid);
2862        if (rc)
2863                return rc;
2864
2865        isec->sid = newsid;
2866        return 0;
2867}
2868
2869static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2870{
2871        const int len = sizeof(XATTR_NAME_SELINUX);
2872        if (buffer && len <= buffer_size)
2873                memcpy(buffer, XATTR_NAME_SELINUX, len);
2874        return len;
2875}
2876
2877static int selinux_inode_need_killpriv(struct dentry *dentry)
2878{
2879        return secondary_ops->inode_need_killpriv(dentry);
2880}
2881
2882static int selinux_inode_killpriv(struct dentry *dentry)
2883{
2884        return secondary_ops->inode_killpriv(dentry);
2885}
2886
2887static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2888{
2889        struct inode_security_struct *isec = inode->i_security;
2890        *secid = isec->sid;
2891}
2892
2893/* file security operations */
2894
2895static int selinux_revalidate_file_permission(struct file *file, int mask)
2896{
2897        int rc;
2898        struct inode *inode = file->f_path.dentry->d_inode;
2899
2900        if (!mask) {
2901                /* No permission to check.  Existence test. */
2902                return 0;
2903        }
2904
2905        /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2906        if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2907                mask |= MAY_APPEND;
2908
2909        rc = file_has_perm(current, file,
2910                           file_mask_to_av(inode->i_mode, mask));
2911        if (rc)
2912                return rc;
2913
2914        return selinux_netlbl_inode_permission(inode, mask);
2915}
2916
2917static int selinux_file_permission(struct file *file, int mask)
2918{
2919        struct inode *inode = file->f_path.dentry->d_inode;
2920        struct task_security_struct *tsec = current->security;
2921        struct file_security_struct *fsec = file->f_security;
2922        struct inode_security_struct *isec = inode->i_security;
2923
2924        if (!mask) {
2925                /* No permission to check.  Existence test. */
2926                return 0;
2927        }
2928
2929        if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2930            && fsec->pseqno == avc_policy_seqno())
2931                return selinux_netlbl_inode_permission(inode, mask);
2932
2933        return selinux_revalidate_file_permission(file, mask);
2934}
2935
2936static int selinux_file_alloc_security(struct file *file)
2937{
2938        return file_alloc_security(file);
2939}
2940
2941static void selinux_file_free_security(struct file *file)
2942{
2943        file_free_security(file);
2944}
2945
2946static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2947                              unsigned long arg)
2948{
2949        u32 av = 0;
2950
2951        if (_IOC_DIR(cmd) & _IOC_WRITE)
2952                av |= FILE__WRITE;
2953        if (_IOC_DIR(cmd) & _IOC_READ)
2954                av |= FILE__READ;
2955        if (!av)
2956                av = FILE__IOCTL;
2957
2958        return file_has_perm(current, file, av);
2959}
2960
2961static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2962{
2963#ifndef CONFIG_PPC32
2964        if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2965                /*
2966                 * We are making executable an anonymous mapping or a
2967                 * private file mapping that will also be writable.
2968                 * This has an additional check.
2969                 */
2970                int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2971                if (rc)
2972                        return rc;
2973        }
2974#endif
2975
2976        if (file) {
2977                /* read access is always possible with a mapping */
2978                u32 av = FILE__READ;
2979
2980                /* write access only matters if the mapping is shared */
2981                if (shared && (prot & PROT_WRITE))
2982                        av |= FILE__WRITE;
2983
2984                if (prot & PROT_EXEC)
2985                        av |= FILE__EXECUTE;
2986
2987                return file_has_perm(current, file, av);
2988        }
2989        return 0;
2990}
2991
2992static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2993                             unsigned long prot, unsigned long flags,
2994                             unsigned long addr, unsigned long addr_only)
2995{
2996        int rc = 0;
2997        u32 sid = ((struct task_security_struct *)(current->security))->sid;
2998
2999        if (addr < mmap_min_addr)
3000                rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3001                                  MEMPROTECT__MMAP_ZERO, NULL);
3002        if (rc || addr_only)
3003                return rc;
3004
3005        if (selinux_checkreqprot)
3006                prot = reqprot;
3007
3008        return file_map_prot_check(file, prot,
3009                                   (flags & MAP_TYPE) == MAP_SHARED);
3010}
3011
3012static int selinux_file_mprotect(struct vm_area_struct *vma,
3013                                 unsigned long reqprot,
3014                                 unsigned long prot)
3015{
3016        int rc;
3017
3018        rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3019        if (rc)
3020                return rc;
3021
3022        if (selinux_checkreqprot)
3023                prot = reqprot;
3024
3025#ifndef CONFIG_PPC32
3026        if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3027                rc = 0;
3028                if (vma->vm_start >= vma->vm_mm->start_brk &&
3029                    vma->vm_end <= vma->vm_mm->brk) {
3030                        rc = task_has_perm(current, current,
3031                                           PROCESS__EXECHEAP);
3032                } else if (!vma->vm_file &&
3033                           vma->vm_start <= vma->vm_mm->start_stack &&
3034                           vma->vm_end >= vma->vm_mm->start_stack) {
3035                        rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3036                } else if (vma->vm_file && vma->anon_vma) {
3037                        /*
3038                         * We are making executable a file mapping that has
3039                         * had some COW done. Since pages might have been
3040                         * written, check ability to execute the possibly
3041                         * modified content.  This typically should only
3042                         * occur for text relocations.
3043                         */
3044                        rc = file_has_perm(current, vma->vm_file,
3045                                           FILE__EXECMOD);
3046                }
3047                if (rc)
3048                        return rc;
3049        }
3050#endif
3051
3052        return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3053}
3054
3055static int selinux_file_lock(struct file *file, unsigned int cmd)
3056{
3057        return file_has_perm(current, file, FILE__LOCK);
3058}
3059
3060static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3061                              unsigned long arg)
3062{
3063        int err = 0;
3064
3065        switch (cmd) {
3066        case F_SETFL:
3067                if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3068                        err = -EINVAL;
3069                        break;
3070                }
3071
3072                if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3073                        err = file_has_perm(current, file, FILE__WRITE);
3074                        break;
3075                }
3076                /* fall through */
3077        case F_SETOWN:
3078        case F_SETSIG:
3079        case F_GETFL:
3080        case F_GETOWN:
3081        case F_GETSIG:
3082                /* Just check FD__USE permission */
3083                err = file_has_perm(current, file, 0);
3084                break;
3085        case F_GETLK:
3086        case F_SETLK:
3087        case F_SETLKW:
3088#if BITS_PER_LONG == 32
3089        case F_GETLK64:
3090        case F_SETLK64:
3091        case F_SETLKW64:
3092#endif
3093                if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3094                        err = -EINVAL;
3095                        break;
3096                }
3097                err = file_has_perm(current, file, FILE__LOCK);
3098                break;
3099        }
3100
3101        return err;
3102}
3103
3104static int selinux_file_set_fowner(struct file *file)
3105{
3106        struct task_security_struct *tsec;
3107        struct file_security_struct *fsec;
3108
3109        tsec = current->security;
3110        fsec = file->f_security;
3111        fsec->fown_sid = tsec->sid;
3112
3113        return 0;
3114}
3115
3116static int selinux_file_send_sigiotask(struct task_struct *tsk,
3117                                       struct fown_struct *fown, int signum)
3118{
3119        struct file *file;
3120        u32 perm;
3121        struct task_security_struct *tsec;
3122        struct file_security_struct *fsec;
3123
3124        /* struct fown_struct is never outside the context of a struct file */
3125        file = container_of(fown, struct file, f_owner);
3126
3127        tsec = tsk->security;
3128        fsec = file->f_security;
3129
3130        if (!signum)
3131                perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3132        else
3133                perm = signal_to_av(signum);
3134
3135        return avc_has_perm(fsec->fown_sid, tsec->sid,
3136                            SECCLASS_PROCESS, perm, NULL);
3137}
3138
3139static int selinux_file_receive(struct file *file)
3140{
3141        return file_has_perm(current, file, file_to_av(file));
3142}
3143
3144static int selinux_dentry_open(struct file *file)
3145{
3146        struct file_security_struct *fsec;
3147        struct inode *inode;
3148        struct inode_security_struct *isec;
3149        inode = file->f_path.dentry->d_inode;
3150        fsec = file->f_security;
3151        isec = inode->i_security;
3152        /*
3153         * Save inode label and policy sequence number
3154         * at open-time so that selinux_file_permission
3155         * can determine whether revalidation is necessary.
3156         * Task label is already saved in the file security
3157         * struct as its SID.
3158         */
3159        fsec->isid = isec->sid;
3160        fsec->pseqno = avc_policy_seqno();
3161        /*
3162         * Since the inode label or policy seqno may have changed
3163         * between the selinux_inode_permission check and the saving
3164         * of state above, recheck that access is still permitted.
3165         * Otherwise, access might never be revalidated against the
3166         * new inode label or new policy.
3167         * This check is not redundant - do not remove.
3168         */
3169        return inode_has_perm(current, inode, file_to_av(file), NULL);
3170}
3171
3172/* task security operations */
3173
3174static int selinux_task_create(unsigned long clone_flags)
3175{
3176        int rc;
3177
3178        rc = secondary_ops->task_create(clone_flags);
3179        if (rc)
3180                return rc;
3181
3182        return task_has_perm(current, current, PROCESS__FORK);
3183}
3184
3185static int selinux_task_alloc_security(struct task_struct *tsk)
3186{
3187        struct task_security_struct *tsec1, *tsec2;
3188        int rc;
3189
3190        tsec1 = current->security;
3191
3192        rc = task_alloc_security(tsk);
3193        if (rc)
3194                return rc;
3195        tsec2 = tsk->security;
3196
3197        tsec2->osid = tsec1->osid;
3198        tsec2->sid = tsec1->sid;
3199
3200        /* Retain the exec, fs, key, and sock SIDs across fork */
3201        tsec2->exec_sid = tsec1->exec_sid;
3202        tsec2->create_sid = tsec1->create_sid;
3203        tsec2->keycreate_sid = tsec1->keycreate_sid;
3204        tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3205
3206        return 0;
3207}
3208
3209static void selinux_task_free_security(struct task_struct *tsk)
3210{
3211        task_free_security(tsk);
3212}
3213
3214static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3215{
3216        /* Since setuid only affects the current process, and
3217           since the SELinux controls are not based on the Linux
3218           identity attributes, SELinux does not need to control
3219           this operation.  However, SELinux does control the use
3220           of the CAP_SETUID and CAP_SETGID capabilities using the
3221           capable hook. */
3222        return 0;
3223}
3224
3225static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3226{
3227        return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3228}
3229
3230static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3231{
3232        /* See the comment for setuid above. */
3233        return 0;
3234}
3235
3236static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3237{
3238        return task_has_perm(current, p, PROCESS__SETPGID);
3239}
3240
3241static int selinux_task_getpgid(struct task_struct *p)
3242{
3243        return task_has_perm(current, p, PROCESS__GETPGID);
3244}
3245
3246static int selinux_task_getsid(struct task_struct *p)
3247{
3248        return task_has_perm(current, p, PROCESS__GETSESSION);
3249}
3250
3251static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3252{
3253        struct task_security_struct *tsec = p->security;
3254        *secid = tsec->sid;
3255}
3256
3257static int selinux_task_setgroups(struct group_info *group_info)
3258{
3259        /* See the comment for setuid above. */
3260        return 0;
3261}
3262
3263static int selinux_task_setnice(struct task_struct *p, int nice)
3264{
3265        int rc;
3266
3267        rc = secondary_ops->task_setnice(p, nice);
3268        if (rc)
3269                return rc;
3270
3271        return task_has_perm(current, p, PROCESS__SETSCHED);
3272}
3273
3274static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3275{
3276        int rc;
3277
3278        rc = secondary_ops->task_setioprio(p, ioprio);
3279        if (rc)
3280                return rc;
3281
3282        return task_has_perm(current, p, PROCESS__SETSCHED);
3283}
3284
3285static int selinux_task_getioprio(struct task_struct *p)
3286{
3287        return task_has_perm(current, p, PROCESS__GETSCHED);
3288}
3289
3290static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3291{
3292        struct rlimit *old_rlim = current->signal->rlim + resource;
3293        int rc;
3294
3295        rc = secondary_ops->task_setrlimit(resource, new_rlim);
3296        if (rc)
3297                return rc;
3298
3299        /* Control the ability to change the hard limit (whether
3300           lowering or raising it), so that the hard limit can
3301           later be used as a safe reset point for the soft limit
3302           upon context transitions. See selinux_bprm_apply_creds. */
3303        if (old_rlim->rlim_max != new_rlim->rlim_max)
3304                return task_has_perm(current, current, PROCESS__SETRLIMIT);
3305
3306        return 0;
3307}
3308
3309static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3310{
3311        int rc;
3312
3313        rc = secondary_ops->task_setscheduler(p, policy, lp);
3314        if (rc)
3315                return rc;
3316
3317        return task_has_perm(current, p, PROCESS__SETSCHED);
3318}
3319
3320static int selinux_task_getscheduler(struct task_struct *p)
3321{
3322        return task_has_perm(current, p, PROCESS__GETSCHED);
3323}
3324
3325static int selinux_task_movememory(struct task_struct *p)
3326{
3327        return task_has_perm(current, p, PROCESS__SETSCHED);
3328}
3329
3330static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3331                                int sig, u32 secid)
3332{
3333        u32 perm;
3334        int rc;
3335        struct task_security_struct *tsec;
3336
3337        rc = secondary_ops->task_kill(p, info, sig, secid);
3338        if (rc)
3339                return rc;
3340
3341        if (!sig)
3342                perm = PROCESS__SIGNULL; /* null signal; existence test */
3343        else
3344                perm = signal_to_av(sig);
3345        tsec = p->security;
3346        if (secid)
3347                rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3348        else
3349                rc = task_has_perm(current, p, perm);
3350        return rc;
3351}
3352
3353static int selinux_task_prctl(int option,
3354                              unsigned long arg2,
3355                              unsigned long arg3,
3356                              unsigned long arg4,
3357                              unsigned long arg5,
3358                              long *rc_p)
3359{
3360        /* The current prctl operations do not appear to require
3361           any SELinux controls since they merely observe or modify
3362           the state of the current process. */
3363        return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3364}
3365
3366static int selinux_task_wait(struct task_struct *p)
3367{
3368        return task_has_perm(p, current, PROCESS__SIGCHLD);
3369}
3370
3371static void selinux_task_reparent_to_init(struct task_struct *p)
3372{
3373        struct task_security_struct *tsec;
3374
3375        secondary_ops->task_reparent_to_init(p);
3376
3377        tsec = p->security;
3378        tsec->osid = tsec->sid;
3379        tsec->sid = SECINITSID_KERNEL;
3380        return;
3381}
3382
3383static void selinux_task_to_inode(struct task_struct *p,
3384                                  struct inode *inode)
3385{
3386        struct task_security_struct *tsec = p->security;
3387        struct inode_security_struct *isec = inode->i_security;
3388
3389        isec->sid = tsec->sid;
3390        isec->initialized = 1;
3391        return;
3392}
3393
3394/* Returns error only if unable to parse addresses */
3395static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3396                        struct avc_audit_data *ad, u8 *proto)
3397{
3398        int offset, ihlen, ret = -EINVAL;
3399        struct iphdr _iph, *ih;
3400
3401        offset = skb_network_offset(skb);
3402        ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3403        if (ih == NULL)
3404                goto out;
3405
3406        ihlen = ih->ihl * 4;
3407        if (ihlen < sizeof(_iph))
3408                goto out;
3409
3410        ad->u.net.v4info.saddr = ih->saddr;
3411        ad->u.net.v4info.daddr = ih->daddr;
3412        ret = 0;
3413
3414        if (proto)
3415                *proto = ih->protocol;
3416
3417        switch (ih->protocol) {
3418        case IPPROTO_TCP: {
3419                struct tcphdr _tcph, *th;
3420
3421                if (ntohs(ih->frag_off) & IP_OFFSET)
3422                        break;
3423
3424                offset += ihlen;
3425                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3426                if (th == NULL)
3427                        break;
3428
3429                ad->u.net.sport = th->source;
3430                ad->u.net.dport = th->dest;
3431                break;
3432        }
3433
3434        case IPPROTO_UDP: {
3435                struct udphdr _udph, *uh;
3436
3437                if (ntohs(ih->frag_off) & IP_OFFSET)
3438                        break;
3439
3440                offset += ihlen;
3441                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3442                if (uh == NULL)
3443                        break;
3444
3445                ad->u.net.sport = uh->source;
3446                ad->u.net.dport = uh->dest;
3447                break;
3448        }
3449
3450        case IPPROTO_DCCP: {
3451                struct dccp_hdr _dccph, *dh;
3452
3453                if (ntohs(ih->frag_off) & IP_OFFSET)
3454                        break;
3455
3456                offset += ihlen;
3457                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3458                if (dh == NULL)
3459                        break;
3460
3461                ad->u.net.sport = dh->dccph_sport;
3462                ad->u.net.dport = dh->dccph_dport;
3463                break;
3464        }
3465
3466        default:
3467                break;
3468        }
3469out:
3470        return ret;
3471}
3472
3473#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3474
3475/* Returns error only if unable to parse addresses */
3476static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3477                        struct avc_audit_data *ad, u8 *proto)
3478{
3479        u8 nexthdr;
3480        int ret = -EINVAL, offset;
3481        struct ipv6hdr _ipv6h, *ip6;
3482
3483        offset = skb_network_offset(skb);
3484        ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3485        if (ip6 == NULL)
3486                goto out;
3487
3488        ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3489        ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3490        ret = 0;
3491
3492        nexthdr = ip6->nexthdr;
3493        offset += sizeof(_ipv6h);
3494        offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3495        if (offset < 0)
3496                goto out;
3497
3498        if (proto)
3499                *proto = nexthdr;
3500
3501        switch (nexthdr) {
3502        case IPPROTO_TCP: {
3503                struct tcphdr _tcph, *th;
3504
3505                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3506                if (th == NULL)
3507                        break;
3508
3509                ad->u.net.sport = th->source;
3510                ad->u.net.dport = th->dest;
3511                break;
3512        }
3513
3514        case IPPROTO_UDP: {
3515                struct udphdr _udph, *uh;
3516
3517                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3518                if (uh == NULL)
3519                        break;
3520
3521                ad->u.net.sport = uh->source;
3522                ad->u.net.dport = uh->dest;
3523                break;
3524        }
3525
3526        case IPPROTO_DCCP: {
3527                struct dccp_hdr _dccph, *dh;
3528
3529                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3530                if (dh == NULL)
3531                        break;
3532
3533                ad->u.net.sport = dh->dccph_sport;
3534                ad->u.net.dport = dh->dccph_dport;
3535                break;
3536        }
3537
3538        /* includes fragments */
3539        default:
3540                break;
3541        }
3542out:
3543        return ret;
3544}
3545
3546#endif /* IPV6 */
3547
3548static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3549                             char **_addrp, int src, u8 *proto)
3550{
3551        char *addrp;
3552        int ret;
3553
3554        switch (ad->u.net.family) {
3555        case PF_INET:
3556                ret = selinux_parse_skb_ipv4(skb, ad, proto);
3557                if (ret)
3558                        goto parse_error;
3559                addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3560                                       &ad->u.net.v4info.daddr);
3561                goto okay;
3562
3563#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3564        case PF_INET6:
3565                ret = selinux_parse_skb_ipv6(skb, ad, proto);
3566                if (ret)
3567                        goto parse_error;
3568                addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3569                                       &ad->u.net.v6info.daddr);
3570                goto okay;
3571#endif  /* IPV6 */
3572        default:
3573                addrp = NULL;
3574                goto okay;
3575        }
3576
3577parse_error:
3578        printk(KERN_WARNING
3579               "SELinux: failure in selinux_parse_skb(),"
3580               " unable to parse packet\n");
3581        return ret;
3582
3583okay:
3584        if (_addrp)
3585                *_addrp = addrp;
3586        return 0;
3587}
3588
3589/**
3590 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3591 * @skb: the packet
3592 * @family: protocol family
3593 * @sid: the packet's peer label SID
3594 *
3595 * Description:
3596 * Check the various different forms of network peer labeling and determine
3597 * the peer label/SID for the packet; most of the magic actually occurs in
3598 * the security server function security_net_peersid_cmp().  The function
3599 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3600 * or -EACCES if @sid is invalid due to inconsistencies with the different
3601 * peer labels.
3602 *
3603 */
3604static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3605{
3606        int err;
3607        u32 xfrm_sid;
3608        u32 nlbl_sid;
3609        u32 nlbl_type;
3610
3611        selinux_skb_xfrm_sid(skb, &xfrm_sid);
3612        selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3613
3614        err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3615        if (unlikely(err)) {
3616                printk(KERN_WARNING
3617                       "SELinux: failure in selinux_skb_peerlbl_sid(),"
3618                       " unable to determine packet's peer label\n");
3619                return -EACCES;
3620        }
3621
3622        return 0;
3623}
3624
3625/* socket security operations */
3626static int socket_has_perm(struct task_struct *task, struct socket *sock,
3627                           u32 perms)
3628{
3629        struct inode_security_struct *isec;
3630        struct task_security_struct *tsec;
3631        struct avc_audit_data ad;
3632        int err = 0;
3633
3634        tsec = task->security;
3635        isec = SOCK_INODE(sock)->i_security;
3636
3637        if (isec->sid == SECINITSID_KERNEL)
3638                goto out;
3639
3640        AVC_AUDIT_DATA_INIT(&ad, NET);
3641        ad.u.net.sk = sock->sk;
3642        err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3643
3644out:
3645        return err;
3646}
3647
3648static int selinux_socket_create(int family, int type,
3649                                 int protocol, int kern)
3650{
3651        int err = 0;
3652        struct task_security_struct *tsec;
3653        u32 newsid;
3654
3655        if (kern)
3656                goto out;
3657
3658        tsec = current->security;
3659        newsid = tsec->sockcreate_sid ? : tsec->sid;
3660        err = avc_has_perm(tsec->sid, newsid,
3661                           socket_type_to_security_class(family, type,
3662                           protocol), SOCKET__CREATE, NULL);
3663
3664out:
3665        return err;
3666}
3667
3668static int selinux_socket_post_create(struct socket *sock, int family,
3669                                      int type, int protocol, int kern)
3670{
3671        int err = 0;
3672        struct inode_security_struct *isec;
3673        struct task_security_struct *tsec;
3674        struct sk_security_struct *sksec;
3675        u32 newsid;
3676
3677        isec = SOCK_INODE(sock)->i_security;
3678
3679        tsec = current->security;
3680        newsid = tsec->sockcreate_sid ? : tsec->sid;
3681        isec->sclass = socket_type_to_security_class(family, type, protocol);
3682        isec->sid = kern ? SECINITSID_KERNEL : newsid;
3683        isec->initialized = 1;
3684
3685        if (sock->sk) {
3686                sksec = sock->sk->sk_security;
3687                sksec->sid = isec->sid;
3688                sksec->sclass = isec->sclass;
3689                err = selinux_netlbl_socket_post_create(sock);
3690        }
3691
3692        return err;
3693}
3694
3695/* Range of port numbers used to automatically bind.
3696   Need to determine whether we should perform a name_bind
3697   permission check between the socket and the port number. */
3698
3699static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3700{
3701        u16 family;
3702        int err;
3703
3704        err = socket_has_perm(current, sock, SOCKET__BIND);
3705        if (err)
3706                goto out;
3707
3708        /*
3709         * If PF_INET or PF_INET6, check name_bind permission for the port.
3710         * Multiple address binding for SCTP is not supported yet: we just
3711         * check the first address now.
3712         */
3713        family = sock->sk->sk_family;
3714        if (family == PF_INET || family == PF_INET6) {
3715                char *addrp;
3716                struct inode_security_struct *isec;
3717                struct task_security_struct *tsec;
3718                struct avc_audit_data ad;
3719                struct sockaddr_in *addr4 = NULL;
3720                struct sockaddr_in6 *addr6 = NULL;
3721                unsigned short snum;
3722                struct sock *sk = sock->sk;
3723                u32 sid, node_perm;
3724
3725                tsec = current->security;
3726                isec = SOCK_INODE(sock)->i_security;
3727
3728                if (family == PF_INET) {
3729                        addr4 = (struct sockaddr_in *)address;
3730                        snum = ntohs(addr4->sin_port);
3731                        addrp = (char *)&addr4->sin_addr.s_addr;
3732                } else {
3733                        addr6 = (struct sockaddr_in6 *)address;
3734                        snum = ntohs(addr6->sin6_port);
3735                        addrp = (char *)&addr6->sin6_addr.s6_addr;
3736                }
3737
3738                if (snum) {
3739                        int low, high;
3740
3741                        inet_get_local_port_range(&low, &high);
3742
3743                        if (snum < max(PROT_SOCK, low) || snum > high) {
3744                                err = sel_netport_sid(sk->sk_protocol,
3745                                                      snum, &sid);
3746                                if (err)
3747                                        goto out;
3748                                AVC_AUDIT_DATA_INIT(&ad, NET);
3749                                ad.u.net.sport = htons(snum);
3750                                ad.u.net.family = family;
3751                                err = avc_has_perm(isec->sid, sid,
3752                                                   isec->sclass,
3753                                                   SOCKET__NAME_BIND, &ad);
3754                                if (err)
3755                                        goto out;
3756                        }
3757                }
3758
3759                switch (isec->sclass) {
3760                case SECCLASS_TCP_SOCKET:
3761                        node_perm = TCP_SOCKET__NODE_BIND;
3762                        break;
3763
3764                case SECCLASS_UDP_SOCKET:
3765                        node_perm = UDP_SOCKET__NODE_BIND;
3766                        break;
3767
3768                case SECCLASS_DCCP_SOCKET:
3769                        node_perm = DCCP_SOCKET__NODE_BIND;
3770                        break;
3771
3772                default:
3773                        node_perm = RAWIP_SOCKET__NODE_BIND;
3774                        break;
3775                }
3776
3777                err = sel_netnode_sid(addrp, family, &sid);
3778                if (err)
3779                        goto out;
3780
3781                AVC_AUDIT_DATA_INIT(&ad, NET);
3782                ad.u.net.sport = htons(snum);
3783                ad.u.net.family = family;
3784
3785                if (family == PF_INET)
3786                        ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3787                else
3788                        ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3789
3790                err = avc_has_perm(isec->sid, sid,
3791                                   isec->sclass, node_perm, &ad);
3792                if (err)
3793                        goto out;
3794        }
3795out:
3796        return err;
3797}
3798
3799static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3800{
3801        struct sock *sk = sock->sk;
3802        struct inode_security_struct *isec;
3803        int err;
3804
3805        err = socket_has_perm(current, sock, SOCKET__CONNECT);
3806        if (err)
3807                return err;
3808
3809        /*
3810         * If a TCP or DCCP socket, check name_connect permission for the port.
3811         */
3812        isec = SOCK_INODE(sock)->i_security;
3813        if (isec->sclass == SECCLASS_TCP_SOCKET ||
3814            isec->sclass == SECCLASS_DCCP_SOCKET) {
3815                struct avc_audit_data ad;
3816                struct sockaddr_in *addr4 = NULL;
3817                struct sockaddr_in6 *addr6 = NULL;
3818                unsigned short snum;
3819                u32 sid, perm;
3820
3821                if (sk->sk_family == PF_INET) {
3822                        addr4 = (struct sockaddr_in *)address;
3823                        if (addrlen < sizeof(struct sockaddr_in))
3824                                return -EINVAL;
3825                        snum = ntohs(addr4->sin_port);
3826                } else {
3827                        addr6 = (struct sockaddr_in6 *)address;
3828                        if (addrlen < SIN6_LEN_RFC2133)
3829                                return -EINVAL;
3830                        snum = ntohs(addr6->sin6_port);
3831                }
3832
3833                err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3834                if (err)
3835                        goto out;
3836
3837                perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3838                       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3839
3840                AVC_AUDIT_DATA_INIT(&ad, NET);
3841                ad.u.net.dport = htons(snum);
3842                ad.u.net.family = sk->sk_family;
3843                err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3844                if (err)
3845                        goto out;
3846        }
3847
3848        err = selinux_netlbl_socket_connect(sk, address);
3849
3850out:
3851        return err;
3852}
3853
3854static int selinux_socket_listen(struct socket *sock, int backlog)
3855{
3856        return socket_has_perm(current, sock, SOCKET__LISTEN);
3857}
3858
3859static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3860{
3861        int err;
3862        struct inode_security_struct *isec;
3863        struct inode_security_struct *newisec;
3864
3865        err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3866        if (err)
3867                return err;
3868
3869        newisec = SOCK_INODE(newsock)->i_security;
3870
3871        isec = SOCK_INODE(sock)->i_security;
3872        newisec->sclass = isec->sclass;
3873        newisec->sid = isec->sid;
3874        newisec->initialized = 1;
3875
3876        return 0;
3877}
3878
3879static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3880                                  int size)
3881{
3882        int rc;
3883
3884        rc = socket_has_perm(current, sock, SOCKET__WRITE);
3885        if (rc)
3886                return rc;
3887
3888        return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3889}
3890
3891static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3892                                  int size, int flags)
3893{
3894        return socket_has_perm(current, sock, SOCKET__READ);
3895}
3896
3897static int selinux_socket_getsockname(struct socket *sock)
3898{
3899        return socket_has_perm(current, sock, SOCKET__GETATTR);
3900}
3901
3902static int selinux_socket_getpeername(struct socket *sock)
3903{
3904        return socket_has_perm(current, sock, SOCKET__GETATTR);
3905}
3906
3907static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3908{
3909        int err;
3910
3911        err = socket_has_perm(current, sock, SOCKET__SETOPT);
3912        if (err)
3913                return err;
3914
3915        return selinux_netlbl_socket_setsockopt(sock, level, optname);
3916}
3917
3918static int selinux_socket_getsockopt(struct socket *sock, int level,
3919                                     int optname)
3920{
3921        return socket_has_perm(current, sock, SOCKET__GETOPT);
3922}
3923
3924static int selinux_socket_shutdown(struct socket *sock, int how)
3925{
3926        return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3927}
3928
3929static int selinux_socket_unix_stream_connect(struct socket *sock,
3930                                              struct socket *other,
3931                                              struct sock *newsk)
3932{
3933        struct sk_security_struct *ssec;
3934        struct inode_security_struct *isec;
3935        struct inode_security_struct *other_isec;
3936        struct avc_audit_data ad;
3937        int err;
3938
3939        err = secondary_ops->unix_stream_connect(sock, other, newsk);
3940        if (err)
3941                return err;
3942
3943        isec = SOCK_INODE(sock)->i_security;
3944        other_isec = SOCK_INODE(other)->i_security;
3945
3946        AVC_AUDIT_DATA_INIT(&ad, NET);
3947        ad.u.net.sk = other->sk;
3948
3949        err = avc_has_perm(isec->sid, other_isec->sid,
3950                           isec->sclass,
3951                           UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3952        if (err)
3953                return err;
3954
3955        /* connecting socket */
3956        ssec = sock->sk->sk_security;
3957        ssec->peer_sid = other_isec->sid;
3958
3959        /* server child socket */
3960        ssec = newsk->sk_security;
3961        ssec->peer_sid = isec->sid;
3962        err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3963
3964        return err;
3965}
3966
3967static int selinux_socket_unix_may_send(struct socket *sock,
3968                                        struct socket *other)
3969{
3970        struct inode_security_struct *isec;
3971        struct inode_security_struct *other_isec;
3972        struct avc_audit_data ad;
3973        int err;
3974
3975        isec = SOCK_INODE(sock)->i_security;
3976        other_isec = SOCK_INODE(other)->i_security;
3977
3978        AVC_AUDIT_DATA_INIT(&ad, NET);
3979        ad.u.net.sk = other->sk;
3980
3981        err = avc_has_perm(isec->sid, other_isec->sid,
3982                           isec->sclass, SOCKET__SENDTO, &ad);
3983        if (err)
3984                return err;
3985
3986        return 0;
3987}
3988
3989static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3990                                    u32 peer_sid,
3991                                    struct avc_audit_data *ad)
3992{
3993        int err;
3994        u32 if_sid;
3995        u32 node_sid;
3996
3997        err = sel_netif_sid(ifindex, &if_sid);
3998        if (err)
3999                return err;
4000        err = avc_has_perm(peer_sid, if_sid,
4001                           SECCLASS_NETIF, NETIF__INGRESS, ad);
4002        if (err)
4003                return err;
4004
4005        err = sel_netnode_sid(addrp, family, &node_sid);
4006        if (err)
4007                return err;
4008        return avc_has_perm(peer_sid, node_sid,
4009                            SECCLASS_NODE, NODE__RECVFROM, ad);
4010}
4011
4012static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4013                                                struct sk_buff *skb,
4014                                                struct avc_audit_data *ad,
4015                                                u16 family,
4016                                                char *addrp)
4017{
4018        int err;
4019        struct sk_security_struct *sksec = sk->sk_security;
4020        u16 sk_class;
4021        u32 netif_perm, node_perm, recv_perm;
4022        u32 port_sid, node_sid, if_sid, sk_sid;
4023
4024        sk_sid = sksec->sid;
4025        sk_class = sksec->sclass;
4026
4027        switch (sk_class) {
4028        case SECCLASS_UDP_SOCKET:
4029                netif_perm = NETIF__UDP_RECV;
4030                node_perm = NODE__UDP_RECV;
4031                recv_perm = UDP_SOCKET__RECV_MSG;
4032                break;
4033        case SECCLASS_TCP_SOCKET:
4034                netif_perm = NETIF__TCP_RECV;
4035                node_perm = NODE__TCP_RECV;
4036                recv_perm = TCP_SOCKET__RECV_MSG;
4037                break;
4038        case SECCLASS_DCCP_SOCKET:
4039                netif_perm = NETIF__DCCP_RECV;
4040                node_perm = NODE__DCCP_RECV;
4041                recv_perm = DCCP_SOCKET__RECV_MSG;
4042                break;
4043        default:
4044                netif_perm = NETIF__RAWIP_RECV;
4045                node_perm = NODE__RAWIP_RECV;
4046                recv_perm = 0;
4047                break;
4048        }
4049
4050        err = sel_netif_sid(skb->iif, &if_sid);
4051        if (err)
4052                return err;
4053        err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4054        if (err)
4055                return err;
4056
4057        err = sel_netnode_sid(addrp, family, &node_sid);
4058        if (err)
4059                return err;
4060        err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4061        if (err)
4062                return err;
4063
4064        if (!recv_perm)
4065                return 0;
4066        err = sel_netport_sid(sk->sk_protocol,
4067                              ntohs(ad->u.net.sport), &port_sid);
4068        if (unlikely(err)) {
4069                printk(KERN_WARNING
4070                       "SELinux: failure in"
4071                       " selinux_sock_rcv_skb_iptables_compat(),"
4072                       " network port label not found\n");
4073                return err;
4074        }
4075        return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4076}
4077
4078static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4079                                       u16 family)
4080{
4081        int err;
4082        struct sk_security_struct *sksec = sk->sk_security;
4083        u32 peer_sid;
4084        u32 sk_sid = sksec->sid;
4085        struct avc_audit_data ad;
4086        char *addrp;
4087
4088        AVC_AUDIT_DATA_INIT(&ad, NET);
4089        ad.u.net.netif = skb->iif;
4090        ad.u.net.family = family;
4091        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4092        if (err)
4093                return err;
4094
4095        if (selinux_compat_net)
4096                err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4097                                                           family, addrp);
4098        else
4099                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4100                                   PACKET__RECV, &ad);
4101        if (err)
4102                return err;
4103
4104        if (selinux_policycap_netpeer) {
4105                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4106                if (err)
4107                        return err;
4108                err = avc_has_perm(sk_sid, peer_sid,
4109                                   SECCLASS_PEER, PEER__RECV, &ad);
4110                if (err)
4111                        selinux_netlbl_err(skb, err, 0);
4112        } else {
4113                err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4114                if (err)
4115                        return err;
4116                err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4117        }
4118
4119        return err;
4120}
4121
4122static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4123{
4124        int err;
4125        struct sk_security_struct *sksec = sk->sk_security;
4126        u16 family = sk->sk_family;
4127        u32 sk_sid = sksec->sid;
4128        struct avc_audit_data ad;
4129        char *addrp;
4130        u8 secmark_active;
4131        u8 peerlbl_active;
4132
4133        if (family != PF_INET && family != PF_INET6)
4134                return 0;
4135
4136        /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4137        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4138                family = PF_INET;
4139
4140        /* If any sort of compatibility mode is enabled then handoff processing
4141         * to the selinux_sock_rcv_skb_compat() function to deal with the
4142         * special handling.  We do this in an attempt to keep this function
4143         * as fast and as clean as possible. */
4144        if (selinux_compat_net || !selinux_policycap_netpeer)
4145                return selinux_sock_rcv_skb_compat(sk, skb, family);
4146
4147        secmark_active = selinux_secmark_enabled();
4148        peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4149        if (!secmark_active && !peerlbl_active)
4150                return 0;
4151
4152        AVC_AUDIT_DATA_INIT(&ad, NET);
4153        ad.u.net.netif = skb->iif;
4154        ad.u.net.family = family;
4155        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4156        if (err)
4157                return err;
4158
4159        if (peerlbl_active) {
4160                u32 peer_sid;
4161
4162                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4163                if (err)
4164                        return err;
4165                err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4166                                               peer_sid, &ad);
4167                if (err) {
4168                        selinux_netlbl_err(skb, err, 0);
4169                        return err;
4170                }
4171                err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4172                                   PEER__RECV, &ad);
4173                if (err)
4174                        selinux_netlbl_err(skb, err, 0);
4175        }
4176
4177        if (secmark_active) {
4178                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4179                                   PACKET__RECV, &ad);
4180                if (err)
4181                        return err;
4182        }
4183
4184        return err;
4185}
4186
4187static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4188                                            int __user *optlen, unsigned len)
4189{
4190        int err = 0;
4191        char *scontext;
4192        u32 scontext_len;
4193        struct sk_security_struct *ssec;
4194        struct inode_security_struct *isec;
4195        u32 peer_sid = SECSID_NULL;
4196
4197        isec = SOCK_INODE(sock)->i_security;
4198
4199        if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4200            isec->sclass == SECCLASS_TCP_SOCKET) {
4201                ssec = sock->sk->sk_security;
4202                peer_sid = ssec->peer_sid;
4203        }
4204        if (peer_sid == SECSID_NULL) {
4205                err = -ENOPROTOOPT;
4206                goto out;
4207        }
4208
4209        err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4210
4211        if (err)
4212                goto out;
4213
4214        if (scontext_len > len) {
4215                err = -ERANGE;
4216                goto out_len;
4217        }
4218
4219        if (copy_to_user(optval, scontext, scontext_len))
4220                err = -EFAULT;
4221
4222out_len:
4223        if (put_user(scontext_len, optlen))
4224                err = -EFAULT;
4225
4226        kfree(scontext);
4227out:
4228        return err;
4229}
4230
4231static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4232{
4233        u32 peer_secid = SECSID_NULL;
4234        u16 family;
4235
4236        if (skb && skb->protocol == htons(ETH_P_IP))
4237                family = PF_INET;
4238        else if (skb && skb->protocol == htons(ETH_P_IPV6))
4239                family = PF_INET6;
4240        else if (sock)
4241                family = sock->sk->sk_family;
4242        else
4243                goto out;
4244
4245        if (sock && family == PF_UNIX)
4246                selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4247        else if (skb)
4248                selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4249
4250out:
4251        *secid = peer_secid;
4252        if (peer_secid == SECSID_NULL)
4253                return -EINVAL;
4254        return 0;
4255}
4256
4257static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4258{
4259        return sk_alloc_security(sk, family, priority);
4260}
4261
4262static void selinux_sk_free_security(struct sock *sk)
4263{
4264        sk_free_security(sk);
4265}
4266
4267static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4268{
4269        struct sk_security_struct *ssec = sk->sk_security;
4270        struct sk_security_struct *newssec = newsk->sk_security;
4271
4272        newssec->sid = ssec->sid;
4273        newssec->peer_sid = ssec->peer_sid;
4274        newssec->sclass = ssec->sclass;
4275
4276        selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4277}
4278
4279static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4280{
4281        if (!sk)
4282                *secid = SECINITSID_ANY_SOCKET;
4283        else {
4284                struct sk_security_struct *sksec = sk->sk_security;
4285
4286                *secid = sksec->sid;
4287        }
4288}
4289
4290static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4291{
4292        struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4293        struct sk_security_struct *sksec = sk->sk_security;
4294
4295        if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4296            sk->sk_family == PF_UNIX)
4297                isec->sid = sksec->sid;
4298        sksec->sclass = isec->sclass;
4299}
4300
4301static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4302                                     struct request_sock *req)
4303{
4304        struct sk_security_struct *sksec = sk->sk_security;
4305        int err;
4306        u16 family = sk->sk_family;
4307        u32 newsid;
4308        u32 peersid;
4309
4310        /* handle mapped IPv4 packets arriving via IPv6 sockets */
4311        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4312                family = PF_INET;
4313
4314        err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4315        if (err)
4316                return err;
4317        if (peersid == SECSID_NULL) {
4318                req->secid = sksec->sid;
4319                req->peer_secid = SECSID_NULL;
4320                return 0;
4321        }
4322
4323        err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4324        if (err)
4325                return err;
4326
4327        req->secid = newsid;
4328        req->peer_secid = peersid;
4329        return 0;
4330}
4331
4332static void selinux_inet_csk_clone(struct sock *newsk,
4333                                   const struct request_sock *req)
4334{
4335        struct sk_security_struct *newsksec = newsk->sk_security;
4336
4337        newsksec->sid = req->secid;
4338        newsksec->peer_sid = req->peer_secid;
4339        /* NOTE: Ideally, we should also get the isec->sid for the
4340           new socket in sync, but we don't have the isec available yet.
4341           So we will wait until sock_graft to do it, by which
4342           time it will have been created and available. */
4343
4344        /* We don't need to take any sort of lock here as we are the only
4345         * thread with access to newsksec */
4346        selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4347}
4348
4349static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4350{
4351        u16 family = sk->sk_family;
4352        struct sk_security_struct *sksec = sk->sk_security;
4353
4354        /* handle mapped IPv4 packets arriving via IPv6 sockets */
4355        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4356                family = PF_INET;
4357
4358        selinux_skb_