linux/security/selinux/hooks.c
<<
>>
Prefs
   1/*
   2 *  NSA Security-Enhanced Linux (SELinux) security module
   3 *
   4 *  This file contains the SELinux hook function implementations.
   5 *
   6 *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
   7 *            Chris Vance, <cvance@nai.com>
   8 *            Wayne Salamon, <wsalamon@nai.com>
   9 *            James Morris <jmorris@redhat.com>
  10 *
  11 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  12 *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
  13 *                                         Eric Paris <eparis@redhat.com>
  14 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  15 *                          <dgoeddel@trustedcs.com>
  16 *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
  17 *      Paul Moore <paul.moore@hp.com>
  18 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  19 *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
  20 *
  21 *      This program is free software; you can redistribute it and/or modify
  22 *      it under the terms of the GNU General Public License version 2,
  23 *      as published by the Free Software Foundation.
  24 */
  25
  26#include <linux/init.h>
  27#include <linux/kernel.h>
  28#include <linux/tracehook.h>
  29#include <linux/errno.h>
  30#include <linux/sched.h>
  31#include <linux/security.h>
  32#include <linux/xattr.h>
  33#include <linux/capability.h>
  34#include <linux/unistd.h>
  35#include <linux/mm.h>
  36#include <linux/mman.h>
  37#include <linux/slab.h>
  38#include <linux/pagemap.h>
  39#include <linux/swap.h>
  40#include <linux/spinlock.h>
  41#include <linux/syscalls.h>
  42#include <linux/file.h>
  43#include <linux/fdtable.h>
  44#include <linux/namei.h>
  45#include <linux/mount.h>
  46#include <linux/proc_fs.h>
  47#include <linux/netfilter_ipv4.h>
  48#include <linux/netfilter_ipv6.h>
  49#include <linux/tty.h>
  50#include <net/icmp.h>
  51#include <net/ip.h>             /* for local_port_range[] */
  52#include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
  53#include <net/net_namespace.h>
  54#include <net/netlabel.h>
  55#include <linux/uaccess.h>
  56#include <asm/ioctls.h>
  57#include <asm/atomic.h>
  58#include <linux/bitops.h>
  59#include <linux/interrupt.h>
  60#include <linux/netdevice.h>    /* for network interface checks */
  61#include <linux/netlink.h>
  62#include <linux/tcp.h>
  63#include <linux/udp.h>
  64#include <linux/dccp.h>
  65#include <linux/quota.h>
  66#include <linux/un.h>           /* for Unix socket types */
  67#include <net/af_unix.h>        /* for Unix socket types */
  68#include <linux/parser.h>
  69#include <linux/nfs_mount.h>
  70#include <net/ipv6.h>
  71#include <linux/hugetlb.h>
  72#include <linux/personality.h>
  73#include <linux/sysctl.h>
  74#include <linux/audit.h>
  75#include <linux/string.h>
  76#include <linux/selinux.h>
  77#include <linux/mutex.h>
  78#include <linux/posix-timers.h>
  79#include <linux/syslog.h>
  80
  81#include "avc.h"
  82#include "objsec.h"
  83#include "netif.h"
  84#include "netnode.h"
  85#include "netport.h"
  86#include "xfrm.h"
  87#include "netlabel.h"
  88#include "audit.h"
  89
  90#define NUM_SEL_MNT_OPTS 5
  91
  92extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
  93extern struct security_operations *security_ops;
  94
  95/* SECMARK reference count */
  96atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
  97
  98#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
  99int selinux_enforcing;
 100
 101static int __init enforcing_setup(char *str)
 102{
 103        unsigned long enforcing;
 104        if (!strict_strtoul(str, 0, &enforcing))
 105                selinux_enforcing = enforcing ? 1 : 0;
 106        return 1;
 107}
 108__setup("enforcing=", enforcing_setup);
 109#endif
 110
 111#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 112int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 113
 114static int __init selinux_enabled_setup(char *str)
 115{
 116        unsigned long enabled;
 117        if (!strict_strtoul(str, 0, &enabled))
 118                selinux_enabled = enabled ? 1 : 0;
 119        return 1;
 120}
 121__setup("selinux=", selinux_enabled_setup);
 122#else
 123int selinux_enabled = 1;
 124#endif
 125
 126static struct kmem_cache *sel_inode_cache;
 127
 128/**
 129 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
 130 *
 131 * Description:
 132 * This function checks the SECMARK reference counter to see if any SECMARK
 133 * targets are currently configured, if the reference counter is greater than
 134 * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
 135 * enabled, false (0) if SECMARK is disabled.
 136 *
 137 */
 138static int selinux_secmark_enabled(void)
 139{
 140        return (atomic_read(&selinux_secmark_refcount) > 0);
 141}
 142
 143/*
 144 * initialise the security for the init task
 145 */
 146static void cred_init_security(void)
 147{
 148        struct cred *cred = (struct cred *) current->real_cred;
 149        struct task_security_struct *tsec;
 150
 151        tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
 152        if (!tsec)
 153                panic("SELinux:  Failed to initialize initial task.\n");
 154
 155        tsec->osid = tsec->sid = SECINITSID_KERNEL;
 156        cred->security = tsec;
 157}
 158
 159/*
 160 * get the security ID of a set of credentials
 161 */
 162static inline u32 cred_sid(const struct cred *cred)
 163{
 164        const struct task_security_struct *tsec;
 165
 166        tsec = cred->security;
 167        return tsec->sid;
 168}
 169
 170/*
 171 * get the objective security ID of a task
 172 */
 173static inline u32 task_sid(const struct task_struct *task)
 174{
 175        u32 sid;
 176
 177        rcu_read_lock();
 178        sid = cred_sid(__task_cred(task));
 179        rcu_read_unlock();
 180        return sid;
 181}
 182
 183/*
 184 * get the subjective security ID of the current task
 185 */
 186static inline u32 current_sid(void)
 187{
 188        const struct task_security_struct *tsec = current_security();
 189
 190        return tsec->sid;
 191}
 192
 193/* Allocate and free functions for each kind of security blob. */
 194
 195static int inode_alloc_security(struct inode *inode)
 196{
 197        struct inode_security_struct *isec;
 198        u32 sid = current_sid();
 199
 200        isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
 201        if (!isec)
 202                return -ENOMEM;
 203
 204        mutex_init(&isec->lock);
 205        INIT_LIST_HEAD(&isec->list);
 206        isec->inode = inode;
 207        isec->sid = SECINITSID_UNLABELED;
 208        isec->sclass = SECCLASS_FILE;
 209        isec->task_sid = sid;
 210        inode->i_security = isec;
 211
 212        return 0;
 213}
 214
 215static void inode_free_security(struct inode *inode)
 216{
 217        struct inode_security_struct *isec = inode->i_security;
 218        struct superblock_security_struct *sbsec = inode->i_sb->s_security;
 219
 220        spin_lock(&sbsec->isec_lock);
 221        if (!list_empty(&isec->list))
 222                list_del_init(&isec->list);
 223        spin_unlock(&sbsec->isec_lock);
 224
 225        inode->i_security = NULL;
 226        kmem_cache_free(sel_inode_cache, isec);
 227}
 228
 229static int file_alloc_security(struct file *file)
 230{
 231        struct file_security_struct *fsec;
 232        u32 sid = current_sid();
 233
 234        fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
 235        if (!fsec)
 236                return -ENOMEM;
 237
 238        fsec->sid = sid;
 239        fsec->fown_sid = sid;
 240        file->f_security = fsec;
 241
 242        return 0;
 243}
 244
 245static void file_free_security(struct file *file)
 246{
 247        struct file_security_struct *fsec = file->f_security;
 248        file->f_security = NULL;
 249        kfree(fsec);
 250}
 251
 252static int superblock_alloc_security(struct super_block *sb)
 253{
 254        struct superblock_security_struct *sbsec;
 255
 256        sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
 257        if (!sbsec)
 258                return -ENOMEM;
 259
 260        mutex_init(&sbsec->lock);
 261        INIT_LIST_HEAD(&sbsec->isec_head);
 262        spin_lock_init(&sbsec->isec_lock);
 263        sbsec->sb = sb;
 264        sbsec->sid = SECINITSID_UNLABELED;
 265        sbsec->def_sid = SECINITSID_FILE;
 266        sbsec->mntpoint_sid = SECINITSID_UNLABELED;
 267        sb->s_security = sbsec;
 268
 269        return 0;
 270}
 271
 272static void superblock_free_security(struct super_block *sb)
 273{
 274        struct superblock_security_struct *sbsec = sb->s_security;
 275        sb->s_security = NULL;
 276        kfree(sbsec);
 277}
 278
 279/* The security server must be initialized before
 280   any labeling or access decisions can be provided. */
 281extern int ss_initialized;
 282
 283/* The file system's label must be initialized prior to use. */
 284
 285static const char *labeling_behaviors[6] = {
 286        "uses xattr",
 287        "uses transition SIDs",
 288        "uses task SIDs",
 289        "uses genfs_contexts",
 290        "not configured for labeling",
 291        "uses mountpoint labeling",
 292};
 293
 294static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 295
 296static inline int inode_doinit(struct inode *inode)
 297{
 298        return inode_doinit_with_dentry(inode, NULL);
 299}
 300
 301enum {
 302        Opt_error = -1,
 303        Opt_context = 1,
 304        Opt_fscontext = 2,
 305        Opt_defcontext = 3,
 306        Opt_rootcontext = 4,
 307        Opt_labelsupport = 5,
 308};
 309
 310static const match_table_t tokens = {
 311        {Opt_context, CONTEXT_STR "%s"},
 312        {Opt_fscontext, FSCONTEXT_STR "%s"},
 313        {Opt_defcontext, DEFCONTEXT_STR "%s"},
 314        {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
 315        {Opt_labelsupport, LABELSUPP_STR},
 316        {Opt_error, NULL},
 317};
 318
 319#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
 320
 321static int may_context_mount_sb_relabel(u32 sid,
 322                        struct superblock_security_struct *sbsec,
 323                        const struct cred *cred)
 324{
 325        const struct task_security_struct *tsec = cred->security;
 326        int rc;
 327
 328        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 329                          FILESYSTEM__RELABELFROM, NULL);
 330        if (rc)
 331                return rc;
 332
 333        rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
 334                          FILESYSTEM__RELABELTO, NULL);
 335        return rc;
 336}
 337
 338static int may_context_mount_inode_relabel(u32 sid,
 339                        struct superblock_security_struct *sbsec,
 340                        const struct cred *cred)
 341{
 342        const struct task_security_struct *tsec = cred->security;
 343        int rc;
 344        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 345                          FILESYSTEM__RELABELFROM, NULL);
 346        if (rc)
 347                return rc;
 348
 349        rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
 350                          FILESYSTEM__ASSOCIATE, NULL);
 351        return rc;
 352}
 353
 354static int sb_finish_set_opts(struct super_block *sb)
 355{
 356        struct superblock_security_struct *sbsec = sb->s_security;
 357        struct dentry *root = sb->s_root;
 358        struct inode *root_inode = root->d_inode;
 359        int rc = 0;
 360
 361        if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 362                /* Make sure that the xattr handler exists and that no
 363                   error other than -ENODATA is returned by getxattr on
 364                   the root directory.  -ENODATA is ok, as this may be
 365                   the first boot of the SELinux kernel before we have
 366                   assigned xattr values to the filesystem. */
 367                if (!root_inode->i_op->getxattr) {
 368                        printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
 369                               "xattr support\n", sb->s_id, sb->s_type->name);
 370                        rc = -EOPNOTSUPP;
 371                        goto out;
 372                }
 373                rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
 374                if (rc < 0 && rc != -ENODATA) {
 375                        if (rc == -EOPNOTSUPP)
 376                                printk(KERN_WARNING "SELinux: (dev %s, type "
 377                                       "%s) has no security xattr handler\n",
 378                                       sb->s_id, sb->s_type->name);
 379                        else
 380                                printk(KERN_WARNING "SELinux: (dev %s, type "
 381                                       "%s) getxattr errno %d\n", sb->s_id,
 382                                       sb->s_type->name, -rc);
 383                        goto out;
 384                }
 385        }
 386
 387        sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
 388
 389        if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
 390                printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
 391                       sb->s_id, sb->s_type->name);
 392        else
 393                printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
 394                       sb->s_id, sb->s_type->name,
 395                       labeling_behaviors[sbsec->behavior-1]);
 396
 397        if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
 398            sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
 399            sbsec->behavior == SECURITY_FS_USE_NONE ||
 400            sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
 401                sbsec->flags &= ~SE_SBLABELSUPP;
 402
 403        /* Special handling for sysfs. Is genfs but also has setxattr handler*/
 404        if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
 405                sbsec->flags |= SE_SBLABELSUPP;
 406
 407        /* Initialize the root inode. */
 408        rc = inode_doinit_with_dentry(root_inode, root);
 409
 410        /* Initialize any other inodes associated with the superblock, e.g.
 411           inodes created prior to initial policy load or inodes created
 412           during get_sb by a pseudo filesystem that directly
 413           populates itself. */
 414        spin_lock(&sbsec->isec_lock);
 415next_inode:
 416        if (!list_empty(&sbsec->isec_head)) {
 417                struct inode_security_struct *isec =
 418                                list_entry(sbsec->isec_head.next,
 419                                           struct inode_security_struct, list);
 420                struct inode *inode = isec->inode;
 421                spin_unlock(&sbsec->isec_lock);
 422                inode = igrab(inode);
 423                if (inode) {
 424                        if (!IS_PRIVATE(inode))
 425                                inode_doinit(inode);
 426                        iput(inode);
 427                }
 428                spin_lock(&sbsec->isec_lock);
 429                list_del_init(&isec->list);
 430                goto next_inode;
 431        }
 432        spin_unlock(&sbsec->isec_lock);
 433out:
 434        return rc;
 435}
 436
 437/*
 438 * This function should allow an FS to ask what it's mount security
 439 * options were so it can use those later for submounts, displaying
 440 * mount options, or whatever.
 441 */
 442static int selinux_get_mnt_opts(const struct super_block *sb,
 443                                struct security_mnt_opts *opts)
 444{
 445        int rc = 0, i;
 446        struct superblock_security_struct *sbsec = sb->s_security;
 447        char *context = NULL;
 448        u32 len;
 449        char tmp;
 450
 451        security_init_mnt_opts(opts);
 452
 453        if (!(sbsec->flags & SE_SBINITIALIZED))
 454                return -EINVAL;
 455
 456        if (!ss_initialized)
 457                return -EINVAL;
 458
 459        tmp = sbsec->flags & SE_MNTMASK;
 460        /* count the number of mount options for this sb */
 461        for (i = 0; i < 8; i++) {
 462                if (tmp & 0x01)
 463                        opts->num_mnt_opts++;
 464                tmp >>= 1;
 465        }
 466        /* Check if the Label support flag is set */
 467        if (sbsec->flags & SE_SBLABELSUPP)
 468                opts->num_mnt_opts++;
 469
 470        opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
 471        if (!opts->mnt_opts) {
 472                rc = -ENOMEM;
 473                goto out_free;
 474        }
 475
 476        opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
 477        if (!opts->mnt_opts_flags) {
 478                rc = -ENOMEM;
 479                goto out_free;
 480        }
 481
 482        i = 0;
 483        if (sbsec->flags & FSCONTEXT_MNT) {
 484                rc = security_sid_to_context(sbsec->sid, &context, &len);
 485                if (rc)
 486                        goto out_free;
 487                opts->mnt_opts[i] = context;
 488                opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
 489        }
 490        if (sbsec->flags & CONTEXT_MNT) {
 491                rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
 492                if (rc)
 493                        goto out_free;
 494                opts->mnt_opts[i] = context;
 495                opts->mnt_opts_flags[i++] = CONTEXT_MNT;
 496        }
 497        if (sbsec->flags & DEFCONTEXT_MNT) {
 498                rc = security_sid_to_context(sbsec->def_sid, &context, &len);
 499                if (rc)
 500                        goto out_free;
 501                opts->mnt_opts[i] = context;
 502                opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
 503        }
 504        if (sbsec->flags & ROOTCONTEXT_MNT) {
 505                struct inode *root = sbsec->sb->s_root->d_inode;
 506                struct inode_security_struct *isec = root->i_security;
 507
 508                rc = security_sid_to_context(isec->sid, &context, &len);
 509                if (rc)
 510                        goto out_free;
 511                opts->mnt_opts[i] = context;
 512                opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
 513        }
 514        if (sbsec->flags & SE_SBLABELSUPP) {
 515                opts->mnt_opts[i] = NULL;
 516                opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
 517        }
 518
 519        BUG_ON(i != opts->num_mnt_opts);
 520
 521        return 0;
 522
 523out_free:
 524        security_free_mnt_opts(opts);
 525        return rc;
 526}
 527
 528static int bad_option(struct superblock_security_struct *sbsec, char flag,
 529                      u32 old_sid, u32 new_sid)
 530{
 531        char mnt_flags = sbsec->flags & SE_MNTMASK;
 532
 533        /* check if the old mount command had the same options */
 534        if (sbsec->flags & SE_SBINITIALIZED)
 535                if (!(sbsec->flags & flag) ||
 536                    (old_sid != new_sid))
 537                        return 1;
 538
 539        /* check if we were passed the same options twice,
 540         * aka someone passed context=a,context=b
 541         */
 542        if (!(sbsec->flags & SE_SBINITIALIZED))
 543                if (mnt_flags & flag)
 544                        return 1;
 545        return 0;
 546}
 547
 548/*
 549 * Allow filesystems with binary mount data to explicitly set mount point
 550 * labeling information.
 551 */
 552static int selinux_set_mnt_opts(struct super_block *sb,
 553                                struct security_mnt_opts *opts)
 554{
 555        const struct cred *cred = current_cred();
 556        int rc = 0, i;
 557        struct superblock_security_struct *sbsec = sb->s_security;
 558        const char *name = sb->s_type->name;
 559        struct inode *inode = sbsec->sb->s_root->d_inode;
 560        struct inode_security_struct *root_isec = inode->i_security;
 561        u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 562        u32 defcontext_sid = 0;
 563        char **mount_options = opts->mnt_opts;
 564        int *flags = opts->mnt_opts_flags;
 565        int num_opts = opts->num_mnt_opts;
 566
 567        mutex_lock(&sbsec->lock);
 568
 569        if (!ss_initialized) {
 570                if (!num_opts) {
 571                        /* Defer initialization until selinux_complete_init,
 572                           after the initial policy is loaded and the security
 573                           server is ready to handle calls. */
 574                        goto out;
 575                }
 576                rc = -EINVAL;
 577                printk(KERN_WARNING "SELinux: Unable to set superblock options "
 578                        "before the security server is initialized\n");
 579                goto out;
 580        }
 581
 582        /*
 583         * Binary mount data FS will come through this function twice.  Once
 584         * from an explicit call and once from the generic calls from the vfs.
 585         * Since the generic VFS calls will not contain any security mount data
 586         * we need to skip the double mount verification.
 587         *
 588         * This does open a hole in which we will not notice if the first
 589         * mount using this sb set explict options and a second mount using
 590         * this sb does not set any security options.  (The first options
 591         * will be used for both mounts)
 592         */
 593        if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
 594            && (num_opts == 0))
 595                goto out;
 596
 597        /*
 598         * parse the mount options, check if they are valid sids.
 599         * also check if someone is trying to mount the same sb more
 600         * than once with different security options.
 601         */
 602        for (i = 0; i < num_opts; i++) {
 603                u32 sid;
 604
 605                if (flags[i] == SE_SBLABELSUPP)
 606                        continue;
 607                rc = security_context_to_sid(mount_options[i],
 608                                             strlen(mount_options[i]), &sid);
 609                if (rc) {
 610                        printk(KERN_WARNING "SELinux: security_context_to_sid"
 611                               "(%s) failed for (dev %s, type %s) errno=%d\n",
 612                               mount_options[i], sb->s_id, name, rc);
 613                        goto out;
 614                }
 615                switch (flags[i]) {
 616                case FSCONTEXT_MNT:
 617                        fscontext_sid = sid;
 618
 619                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
 620                                        fscontext_sid))
 621                                goto out_double_mount;
 622
 623                        sbsec->flags |= FSCONTEXT_MNT;
 624                        break;
 625                case CONTEXT_MNT:
 626                        context_sid = sid;
 627
 628                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
 629                                        context_sid))
 630                                goto out_double_mount;
 631
 632                        sbsec->flags |= CONTEXT_MNT;
 633                        break;
 634                case ROOTCONTEXT_MNT:
 635                        rootcontext_sid = sid;
 636
 637                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
 638                                        rootcontext_sid))
 639                                goto out_double_mount;
 640
 641                        sbsec->flags |= ROOTCONTEXT_MNT;
 642
 643                        break;
 644                case DEFCONTEXT_MNT:
 645                        defcontext_sid = sid;
 646
 647                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
 648                                        defcontext_sid))
 649                                goto out_double_mount;
 650
 651                        sbsec->flags |= DEFCONTEXT_MNT;
 652
 653                        break;
 654                default:
 655                        rc = -EINVAL;
 656                        goto out;
 657                }
 658        }
 659
 660        if (sbsec->flags & SE_SBINITIALIZED) {
 661                /* previously mounted with options, but not on this attempt? */
 662                if ((sbsec->flags & SE_MNTMASK) && !num_opts)
 663                        goto out_double_mount;
 664                rc = 0;
 665                goto out;
 666        }
 667
 668        if (strcmp(sb->s_type->name, "proc") == 0)
 669                sbsec->flags |= SE_SBPROC;
 670
 671        /* Determine the labeling behavior to use for this filesystem type. */
 672        rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
 673        if (rc) {
 674                printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
 675                       __func__, sb->s_type->name, rc);
 676                goto out;
 677        }
 678
 679        /* sets the context of the superblock for the fs being mounted. */
 680        if (fscontext_sid) {
 681                rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
 682                if (rc)
 683                        goto out;
 684
 685                sbsec->sid = fscontext_sid;
 686        }
 687
 688        /*
 689         * Switch to using mount point labeling behavior.
 690         * sets the label used on all file below the mountpoint, and will set
 691         * the superblock context if not already set.
 692         */
 693        if (context_sid) {
 694                if (!fscontext_sid) {
 695                        rc = may_context_mount_sb_relabel(context_sid, sbsec,
 696                                                          cred);
 697                        if (rc)
 698                                goto out;
 699                        sbsec->sid = context_sid;
 700                } else {
 701                        rc = may_context_mount_inode_relabel(context_sid, sbsec,
 702                                                             cred);
 703                        if (rc)
 704                                goto out;
 705                }
 706                if (!rootcontext_sid)
 707                        rootcontext_sid = context_sid;
 708
 709                sbsec->mntpoint_sid = context_sid;
 710                sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 711        }
 712
 713        if (rootcontext_sid) {
 714                rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
 715                                                     cred);
 716                if (rc)
 717                        goto out;
 718
 719                root_isec->sid = rootcontext_sid;
 720                root_isec->initialized = 1;
 721        }
 722
 723        if (defcontext_sid) {
 724                if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
 725                        rc = -EINVAL;
 726                        printk(KERN_WARNING "SELinux: defcontext option is "
 727                               "invalid for this filesystem type\n");
 728                        goto out;
 729                }
 730
 731                if (defcontext_sid != sbsec->def_sid) {
 732                        rc = may_context_mount_inode_relabel(defcontext_sid,
 733                                                             sbsec, cred);
 734                        if (rc)
 735                                goto out;
 736                }
 737
 738                sbsec->def_sid = defcontext_sid;
 739        }
 740
 741        rc = sb_finish_set_opts(sb);
 742out:
 743        mutex_unlock(&sbsec->lock);
 744        return rc;
 745out_double_mount:
 746        rc = -EINVAL;
 747        printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
 748               "security settings for (dev %s, type %s)\n", sb->s_id, name);
 749        goto out;
 750}
 751
 752static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
 753                                        struct super_block *newsb)
 754{
 755        const struct superblock_security_struct *oldsbsec = oldsb->s_security;
 756        struct superblock_security_struct *newsbsec = newsb->s_security;
 757
 758        int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
 759        int set_context =       (oldsbsec->flags & CONTEXT_MNT);
 760        int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
 761
 762        /*
 763         * if the parent was able to be mounted it clearly had no special lsm
 764         * mount options.  thus we can safely deal with this superblock later
 765         */
 766        if (!ss_initialized)
 767                return;
 768
 769        /* how can we clone if the old one wasn't set up?? */
 770        BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
 771
 772        /* if fs is reusing a sb, just let its options stand... */
 773        if (newsbsec->flags & SE_SBINITIALIZED)
 774                return;
 775
 776        mutex_lock(&newsbsec->lock);
 777
 778        newsbsec->flags = oldsbsec->flags;
 779
 780        newsbsec->sid = oldsbsec->sid;
 781        newsbsec->def_sid = oldsbsec->def_sid;
 782        newsbsec->behavior = oldsbsec->behavior;
 783
 784        if (set_context) {
 785                u32 sid = oldsbsec->mntpoint_sid;
 786
 787                if (!set_fscontext)
 788                        newsbsec->sid = sid;
 789                if (!set_rootcontext) {
 790                        struct inode *newinode = newsb->s_root->d_inode;
 791                        struct inode_security_struct *newisec = newinode->i_security;
 792                        newisec->sid = sid;
 793                }
 794                newsbsec->mntpoint_sid = sid;
 795        }
 796        if (set_rootcontext) {
 797                const struct inode *oldinode = oldsb->s_root->d_inode;
 798                const struct inode_security_struct *oldisec = oldinode->i_security;
 799                struct inode *newinode = newsb->s_root->d_inode;
 800                struct inode_security_struct *newisec = newinode->i_security;
 801
 802                newisec->sid = oldisec->sid;
 803        }
 804
 805        sb_finish_set_opts(newsb);
 806        mutex_unlock(&newsbsec->lock);
 807}
 808
 809static int selinux_parse_opts_str(char *options,
 810                                  struct security_mnt_opts *opts)
 811{
 812        char *p;
 813        char *context = NULL, *defcontext = NULL;
 814        char *fscontext = NULL, *rootcontext = NULL;
 815        int rc, num_mnt_opts = 0;
 816
 817        opts->num_mnt_opts = 0;
 818
 819        /* Standard string-based options. */
 820        while ((p = strsep(&options, "|")) != NULL) {
 821                int token;
 822                substring_t args[MAX_OPT_ARGS];
 823
 824                if (!*p)
 825                        continue;
 826
 827                token = match_token(p, tokens, args);
 828
 829                switch (token) {
 830                case Opt_context:
 831                        if (context || defcontext) {
 832                                rc = -EINVAL;
 833                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 834                                goto out_err;
 835                        }
 836                        context = match_strdup(&args[0]);
 837                        if (!context) {
 838                                rc = -ENOMEM;
 839                                goto out_err;
 840                        }
 841                        break;
 842
 843                case Opt_fscontext:
 844                        if (fscontext) {
 845                                rc = -EINVAL;
 846                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 847                                goto out_err;
 848                        }
 849                        fscontext = match_strdup(&args[0]);
 850                        if (!fscontext) {
 851                                rc = -ENOMEM;
 852                                goto out_err;
 853                        }
 854                        break;
 855
 856                case Opt_rootcontext:
 857                        if (rootcontext) {
 858                                rc = -EINVAL;
 859                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 860                                goto out_err;
 861                        }
 862                        rootcontext = match_strdup(&args[0]);
 863                        if (!rootcontext) {
 864                                rc = -ENOMEM;
 865                                goto out_err;
 866                        }
 867                        break;
 868
 869                case Opt_defcontext:
 870                        if (context || defcontext) {
 871                                rc = -EINVAL;
 872                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 873                                goto out_err;
 874                        }
 875                        defcontext = match_strdup(&args[0]);
 876                        if (!defcontext) {
 877                                rc = -ENOMEM;
 878                                goto out_err;
 879                        }
 880                        break;
 881                case Opt_labelsupport:
 882                        break;
 883                default:
 884                        rc = -EINVAL;
 885                        printk(KERN_WARNING "SELinux:  unknown mount option\n");
 886                        goto out_err;
 887
 888                }
 889        }
 890
 891        rc = -ENOMEM;
 892        opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
 893        if (!opts->mnt_opts)
 894                goto out_err;
 895
 896        opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
 897        if (!opts->mnt_opts_flags) {
 898                kfree(opts->mnt_opts);
 899                goto out_err;
 900        }
 901
 902        if (fscontext) {
 903                opts->mnt_opts[num_mnt_opts] = fscontext;
 904                opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
 905        }
 906        if (context) {
 907                opts->mnt_opts[num_mnt_opts] = context;
 908                opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
 909        }
 910        if (rootcontext) {
 911                opts->mnt_opts[num_mnt_opts] = rootcontext;
 912                opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
 913        }
 914        if (defcontext) {
 915                opts->mnt_opts[num_mnt_opts] = defcontext;
 916                opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
 917        }
 918
 919        opts->num_mnt_opts = num_mnt_opts;
 920        return 0;
 921
 922out_err:
 923        kfree(context);
 924        kfree(defcontext);
 925        kfree(fscontext);
 926        kfree(rootcontext);
 927        return rc;
 928}
 929/*
 930 * string mount options parsing and call set the sbsec
 931 */
 932static int superblock_doinit(struct super_block *sb, void *data)
 933{
 934        int rc = 0;
 935        char *options = data;
 936        struct security_mnt_opts opts;
 937
 938        security_init_mnt_opts(&opts);
 939
 940        if (!data)
 941                goto out;
 942
 943        BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
 944
 945        rc = selinux_parse_opts_str(options, &opts);
 946        if (rc)
 947                goto out_err;
 948
 949out:
 950        rc = selinux_set_mnt_opts(sb, &opts);
 951
 952out_err:
 953        security_free_mnt_opts(&opts);
 954        return rc;
 955}
 956
 957static void selinux_write_opts(struct seq_file *m,
 958                               struct security_mnt_opts *opts)
 959{
 960        int i;
 961        char *prefix;
 962
 963        for (i = 0; i < opts->num_mnt_opts; i++) {
 964                char *has_comma;
 965
 966                if (opts->mnt_opts[i])
 967                        has_comma = strchr(opts->mnt_opts[i], ',');
 968                else
 969                        has_comma = NULL;
 970
 971                switch (opts->mnt_opts_flags[i]) {
 972                case CONTEXT_MNT:
 973                        prefix = CONTEXT_STR;
 974                        break;
 975                case FSCONTEXT_MNT:
 976                        prefix = FSCONTEXT_STR;
 977                        break;
 978                case ROOTCONTEXT_MNT:
 979                        prefix = ROOTCONTEXT_STR;
 980                        break;
 981                case DEFCONTEXT_MNT:
 982                        prefix = DEFCONTEXT_STR;
 983                        break;
 984                case SE_SBLABELSUPP:
 985                        seq_putc(m, ',');
 986                        seq_puts(m, LABELSUPP_STR);
 987                        continue;
 988                default:
 989                        BUG();
 990                };
 991                /* we need a comma before each option */
 992                seq_putc(m, ',');
 993                seq_puts(m, prefix);
 994                if (has_comma)
 995                        seq_putc(m, '\"');
 996                seq_puts(m, opts->mnt_opts[i]);
 997                if (has_comma)
 998                        seq_putc(m, '\"');
 999        }
1000}
1001
1002static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1003{
1004        struct security_mnt_opts opts;
1005        int rc;
1006
1007        rc = selinux_get_mnt_opts(sb, &opts);
1008        if (rc) {
1009                /* before policy load we may get EINVAL, don't show anything */
1010                if (rc == -EINVAL)
1011                        rc = 0;
1012                return rc;
1013        }
1014
1015        selinux_write_opts(m, &opts);
1016
1017        security_free_mnt_opts(&opts);
1018
1019        return rc;
1020}
1021
1022static inline u16 inode_mode_to_security_class(umode_t mode)
1023{
1024        switch (mode & S_IFMT) {
1025        case S_IFSOCK:
1026                return SECCLASS_SOCK_FILE;
1027        case S_IFLNK:
1028                return SECCLASS_LNK_FILE;
1029        case S_IFREG:
1030                return SECCLASS_FILE;
1031        case S_IFBLK:
1032                return SECCLASS_BLK_FILE;
1033        case S_IFDIR:
1034                return SECCLASS_DIR;
1035        case S_IFCHR:
1036                return SECCLASS_CHR_FILE;
1037        case S_IFIFO:
1038                return SECCLASS_FIFO_FILE;
1039
1040        }
1041
1042        return SECCLASS_FILE;
1043}
1044
1045static inline int default_protocol_stream(int protocol)
1046{
1047        return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1048}
1049
1050static inline int default_protocol_dgram(int protocol)
1051{
1052        return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1053}
1054
1055static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1056{
1057        switch (family) {
1058        case PF_UNIX:
1059                switch (type) {
1060                case SOCK_STREAM:
1061                case SOCK_SEQPACKET:
1062                        return SECCLASS_UNIX_STREAM_SOCKET;
1063                case SOCK_DGRAM:
1064                        return SECCLASS_UNIX_DGRAM_SOCKET;
1065                }
1066                break;
1067        case PF_INET:
1068        case PF_INET6:
1069                switch (type) {
1070                case SOCK_STREAM:
1071                        if (default_protocol_stream(protocol))
1072                                return SECCLASS_TCP_SOCKET;
1073                        else
1074                                return SECCLASS_RAWIP_SOCKET;
1075                case SOCK_DGRAM:
1076                        if (default_protocol_dgram(protocol))
1077                                return SECCLASS_UDP_SOCKET;
1078                        else
1079                                return SECCLASS_RAWIP_SOCKET;
1080                case SOCK_DCCP:
1081                        return SECCLASS_DCCP_SOCKET;
1082                default:
1083                        return SECCLASS_RAWIP_SOCKET;
1084                }
1085                break;
1086        case PF_NETLINK:
1087                switch (protocol) {
1088                case NETLINK_ROUTE:
1089                        return SECCLASS_NETLINK_ROUTE_SOCKET;
1090                case NETLINK_FIREWALL:
1091                        return SECCLASS_NETLINK_FIREWALL_SOCKET;
1092                case NETLINK_INET_DIAG:
1093                        return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1094                case NETLINK_NFLOG:
1095                        return SECCLASS_NETLINK_NFLOG_SOCKET;
1096                case NETLINK_XFRM:
1097                        return SECCLASS_NETLINK_XFRM_SOCKET;
1098                case NETLINK_SELINUX:
1099                        return SECCLASS_NETLINK_SELINUX_SOCKET;
1100                case NETLINK_AUDIT:
1101                        return SECCLASS_NETLINK_AUDIT_SOCKET;
1102                case NETLINK_IP6_FW:
1103                        return SECCLASS_NETLINK_IP6FW_SOCKET;
1104                case NETLINK_DNRTMSG:
1105                        return SECCLASS_NETLINK_DNRT_SOCKET;
1106                case NETLINK_KOBJECT_UEVENT:
1107                        return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1108                default:
1109                        return SECCLASS_NETLINK_SOCKET;
1110                }
1111        case PF_PACKET:
1112                return SECCLASS_PACKET_SOCKET;
1113        case PF_KEY:
1114                return SECCLASS_KEY_SOCKET;
1115        case PF_APPLETALK:
1116                return SECCLASS_APPLETALK_SOCKET;
1117        }
1118
1119        return SECCLASS_SOCKET;
1120}
1121
1122#ifdef CONFIG_PROC_FS
1123static int selinux_proc_get_sid(struct proc_dir_entry *de,
1124                                u16 tclass,
1125                                u32 *sid)
1126{
1127        int buflen, rc;
1128        char *buffer, *path, *end;
1129
1130        buffer = (char *)__get_free_page(GFP_KERNEL);
1131        if (!buffer)
1132                return -ENOMEM;
1133
1134        buflen = PAGE_SIZE;
1135        end = buffer+buflen;
1136        *--end = '\0';
1137        buflen--;
1138        path = end-1;
1139        *path = '/';
1140        while (de && de != de->parent) {
1141                buflen -= de->namelen + 1;
1142                if (buflen < 0)
1143                        break;
1144                end -= de->namelen;
1145                memcpy(end, de->name, de->namelen);
1146                *--end = '/';
1147                path = end;
1148                de = de->parent;
1149        }
1150        rc = security_genfs_sid("proc", path, tclass, sid);
1151        free_page((unsigned long)buffer);
1152        return rc;
1153}
1154#else
1155static int selinux_proc_get_sid(struct proc_dir_entry *de,
1156                                u16 tclass,
1157                                u32 *sid)
1158{
1159        return -EINVAL;
1160}
1161#endif
1162
1163/* The inode's security attributes must be initialized before first use. */
1164static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1165{
1166        struct superblock_security_struct *sbsec = NULL;
1167        struct inode_security_struct *isec = inode->i_security;
1168        u32 sid;
1169        struct dentry *dentry;
1170#define INITCONTEXTLEN 255
1171        char *context = NULL;
1172        unsigned len = 0;
1173        int rc = 0;
1174
1175        if (isec->initialized)
1176                goto out;
1177
1178        mutex_lock(&isec->lock);
1179        if (isec->initialized)
1180                goto out_unlock;
1181
1182        sbsec = inode->i_sb->s_security;
1183        if (!(sbsec->flags & SE_SBINITIALIZED)) {
1184                /* Defer initialization until selinux_complete_init,
1185                   after the initial policy is loaded and the security
1186                   server is ready to handle calls. */
1187                spin_lock(&sbsec->isec_lock);
1188                if (list_empty(&isec->list))
1189                        list_add(&isec->list, &sbsec->isec_head);
1190                spin_unlock(&sbsec->isec_lock);
1191                goto out_unlock;
1192        }
1193
1194        switch (sbsec->behavior) {
1195        case SECURITY_FS_USE_XATTR:
1196                if (!inode->i_op->getxattr) {
1197                        isec->sid = sbsec->def_sid;
1198                        break;
1199                }
1200
1201                /* Need a dentry, since the xattr API requires one.
1202                   Life would be simpler if we could just pass the inode. */
1203                if (opt_dentry) {
1204                        /* Called from d_instantiate or d_splice_alias. */
1205                        dentry = dget(opt_dentry);
1206                } else {
1207                        /* Called from selinux_complete_init, try to find a dentry. */
1208                        dentry = d_find_alias(inode);
1209                }
1210                if (!dentry) {
1211                        /*
1212                         * this is can be hit on boot when a file is accessed
1213                         * before the policy is loaded.  When we load policy we
1214                         * may find inodes that have no dentry on the
1215                         * sbsec->isec_head list.  No reason to complain as these
1216                         * will get fixed up the next time we go through
1217                         * inode_doinit with a dentry, before these inodes could
1218                         * be used again by userspace.
1219                         */
1220                        goto out_unlock;
1221                }
1222
1223                len = INITCONTEXTLEN;
1224                context = kmalloc(len+1, GFP_NOFS);
1225                if (!context) {
1226                        rc = -ENOMEM;
1227                        dput(dentry);
1228                        goto out_unlock;
1229                }
1230                context[len] = '\0';
1231                rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1232                                           context, len);
1233                if (rc == -ERANGE) {
1234                        kfree(context);
1235
1236                        /* Need a larger buffer.  Query for the right size. */
1237                        rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1238                                                   NULL, 0);
1239                        if (rc < 0) {
1240                                dput(dentry);
1241                                goto out_unlock;
1242                        }
1243                        len = rc;
1244                        context = kmalloc(len+1, GFP_NOFS);
1245                        if (!context) {
1246                                rc = -ENOMEM;
1247                                dput(dentry);
1248                                goto out_unlock;
1249                        }
1250                        context[len] = '\0';
1251                        rc = inode->i_op->getxattr(dentry,
1252                                                   XATTR_NAME_SELINUX,
1253                                                   context, len);
1254                }
1255                dput(dentry);
1256                if (rc < 0) {
1257                        if (rc != -ENODATA) {
1258                                printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1259                                       "%d for dev=%s ino=%ld\n", __func__,
1260                                       -rc, inode->i_sb->s_id, inode->i_ino);
1261                                kfree(context);
1262                                goto out_unlock;
1263                        }
1264                        /* Map ENODATA to the default file SID */
1265                        sid = sbsec->def_sid;
1266                        rc = 0;
1267                } else {
1268                        rc = security_context_to_sid_default(context, rc, &sid,
1269                                                             sbsec->def_sid,
1270                                                             GFP_NOFS);
1271                        if (rc) {
1272                                char *dev = inode->i_sb->s_id;
1273                                unsigned long ino = inode->i_ino;
1274
1275                                if (rc == -EINVAL) {
1276                                        if (printk_ratelimit())
1277                                                printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1278                                                        "context=%s.  This indicates you may need to relabel the inode or the "
1279                                                        "filesystem in question.\n", ino, dev, context);
1280                                } else {
1281                                        printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1282                                               "returned %d for dev=%s ino=%ld\n",
1283                                               __func__, context, -rc, dev, ino);
1284                                }
1285                                kfree(context);
1286                                /* Leave with the unlabeled SID */
1287                                rc = 0;
1288                                break;
1289                        }
1290                }
1291                kfree(context);
1292                isec->sid = sid;
1293                break;
1294        case SECURITY_FS_USE_TASK:
1295                isec->sid = isec->task_sid;
1296                break;
1297        case SECURITY_FS_USE_TRANS:
1298                /* Default to the fs SID. */
1299                isec->sid = sbsec->sid;
1300
1301                /* Try to obtain a transition SID. */
1302                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1303                rc = security_transition_sid(isec->task_sid,
1304                                             sbsec->sid,
1305                                             isec->sclass,
1306                                             &sid);
1307                if (rc)
1308                        goto out_unlock;
1309                isec->sid = sid;
1310                break;
1311        case SECURITY_FS_USE_MNTPOINT:
1312                isec->sid = sbsec->mntpoint_sid;
1313                break;
1314        default:
1315                /* Default to the fs superblock SID. */
1316                isec->sid = sbsec->sid;
1317
1318                if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1319                        struct proc_inode *proci = PROC_I(inode);
1320                        if (proci->pde) {
1321                                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1322                                rc = selinux_proc_get_sid(proci->pde,
1323                                                          isec->sclass,
1324                                                          &sid);
1325                                if (rc)
1326                                        goto out_unlock;
1327                                isec->sid = sid;
1328                        }
1329                }
1330                break;
1331        }
1332
1333        isec->initialized = 1;
1334
1335out_unlock:
1336        mutex_unlock(&isec->lock);
1337out:
1338        if (isec->sclass == SECCLASS_FILE)
1339                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1340        return rc;
1341}
1342
1343/* Convert a Linux signal to an access vector. */
1344static inline u32 signal_to_av(int sig)
1345{
1346        u32 perm = 0;
1347
1348        switch (sig) {
1349        case SIGCHLD:
1350                /* Commonly granted from child to parent. */
1351                perm = PROCESS__SIGCHLD;
1352                break;
1353        case SIGKILL:
1354                /* Cannot be caught or ignored */
1355                perm = PROCESS__SIGKILL;
1356                break;
1357        case SIGSTOP:
1358                /* Cannot be caught or ignored */
1359                perm = PROCESS__SIGSTOP;
1360                break;
1361        default:
1362                /* All other signals. */
1363                perm = PROCESS__SIGNAL;
1364                break;
1365        }
1366
1367        return perm;
1368}
1369
1370/*
1371 * Check permission between a pair of credentials
1372 * fork check, ptrace check, etc.
1373 */
1374static int cred_has_perm(const struct cred *actor,
1375                         const struct cred *target,
1376                         u32 perms)
1377{
1378        u32 asid = cred_sid(actor), tsid = cred_sid(target);
1379
1380        return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1381}
1382
1383/*
1384 * Check permission between a pair of tasks, e.g. signal checks,
1385 * fork check, ptrace check, etc.
1386 * tsk1 is the actor and tsk2 is the target
1387 * - this uses the default subjective creds of tsk1
1388 */
1389static int task_has_perm(const struct task_struct *tsk1,
1390                         const struct task_struct *tsk2,
1391                         u32 perms)
1392{
1393        const struct task_security_struct *__tsec1, *__tsec2;
1394        u32 sid1, sid2;
1395
1396        rcu_read_lock();
1397        __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1398        __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1399        rcu_read_unlock();
1400        return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1401}
1402
1403/*
1404 * Check permission between current and another task, e.g. signal checks,
1405 * fork check, ptrace check, etc.
1406 * current is the actor and tsk2 is the target
1407 * - this uses current's subjective creds
1408 */
1409static int current_has_perm(const struct task_struct *tsk,
1410                            u32 perms)
1411{
1412        u32 sid, tsid;
1413
1414        sid = current_sid();
1415        tsid = task_sid(tsk);
1416        return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1417}
1418
1419#if CAP_LAST_CAP > 63
1420#error Fix SELinux to handle capabilities > 63.
1421#endif
1422
1423/* Check whether a task is allowed to use a capability. */
1424static int task_has_capability(struct task_struct *tsk,
1425                               const struct cred *cred,
1426                               int cap, int audit)
1427{
1428        struct common_audit_data ad;
1429        struct av_decision avd;
1430        u16 sclass;
1431        u32 sid = cred_sid(cred);
1432        u32 av = CAP_TO_MASK(cap);
1433        int rc;
1434
1435        COMMON_AUDIT_DATA_INIT(&ad, CAP);
1436        ad.tsk = tsk;
1437        ad.u.cap = cap;
1438
1439        switch (CAP_TO_INDEX(cap)) {
1440        case 0:
1441                sclass = SECCLASS_CAPABILITY;
1442                break;
1443        case 1:
1444                sclass = SECCLASS_CAPABILITY2;
1445                break;
1446        default:
1447                printk(KERN_ERR
1448                       "SELinux:  out of range capability %d\n", cap);
1449                BUG();
1450        }
1451
1452        rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1453        if (audit == SECURITY_CAP_AUDIT)
1454                avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1455        return rc;
1456}
1457
1458/* Check whether a task is allowed to use a system operation. */
1459static int task_has_system(struct task_struct *tsk,
1460                           u32 perms)
1461{
1462        u32 sid = task_sid(tsk);
1463
1464        return avc_has_perm(sid, SECINITSID_KERNEL,
1465                            SECCLASS_SYSTEM, perms, NULL);
1466}
1467
1468/* Check whether a task has a particular permission to an inode.
1469   The 'adp' parameter is optional and allows other audit
1470   data to be passed (e.g. the dentry). */
1471static int inode_has_perm(const struct cred *cred,
1472                          struct inode *inode,
1473                          u32 perms,
1474                          struct common_audit_data *adp)
1475{
1476        struct inode_security_struct *isec;
1477        struct common_audit_data ad;
1478        u32 sid;
1479
1480        validate_creds(cred);
1481
1482        if (unlikely(IS_PRIVATE(inode)))
1483                return 0;
1484
1485        sid = cred_sid(cred);
1486        isec = inode->i_security;
1487
1488        if (!adp) {
1489                adp = &ad;
1490                COMMON_AUDIT_DATA_INIT(&ad, FS);
1491                ad.u.fs.inode = inode;
1492        }
1493
1494        return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1495}
1496
1497/* Same as inode_has_perm, but pass explicit audit data containing
1498   the dentry to help the auditing code to more easily generate the
1499   pathname if needed. */
1500static inline int dentry_has_perm(const struct cred *cred,
1501                                  struct vfsmount *mnt,
1502                                  struct dentry *dentry,
1503                                  u32 av)
1504{
1505        struct inode *inode = dentry->d_inode;
1506        struct common_audit_data ad;
1507
1508        COMMON_AUDIT_DATA_INIT(&ad, FS);
1509        ad.u.fs.path.mnt = mnt;
1510        ad.u.fs.path.dentry = dentry;
1511        return inode_has_perm(cred, inode, av, &ad);
1512}
1513
1514/* Check whether a task can use an open file descriptor to
1515   access an inode in a given way.  Check access to the
1516   descriptor itself, and then use dentry_has_perm to
1517   check a particular permission to the file.
1518   Access to the descriptor is implicitly granted if it
1519   has the same SID as the process.  If av is zero, then
1520   access to the file is not checked, e.g. for cases
1521   where only the descriptor is affected like seek. */
1522static int file_has_perm(const struct cred *cred,
1523                         struct file *file,
1524                         u32 av)
1525{
1526        struct file_security_struct *fsec = file->f_security;
1527        struct inode *inode = file->f_path.dentry->d_inode;
1528        struct common_audit_data ad;
1529        u32 sid = cred_sid(cred);
1530        int rc;
1531
1532        COMMON_AUDIT_DATA_INIT(&ad, FS);
1533        ad.u.fs.path = file->f_path;
1534
1535        if (sid != fsec->sid) {
1536                rc = avc_has_perm(sid, fsec->sid,
1537                                  SECCLASS_FD,
1538                                  FD__USE,
1539                                  &ad);
1540                if (rc)
1541                        goto out;
1542        }
1543
1544        /* av is zero if only checking access to the descriptor. */
1545        rc = 0;
1546        if (av)
1547                rc = inode_has_perm(cred, inode, av, &ad);
1548
1549out:
1550        return rc;
1551}
1552
1553/* Check whether a task can create a file. */
1554static int may_create(struct inode *dir,
1555                      struct dentry *dentry,
1556                      u16 tclass)
1557{
1558        const struct task_security_struct *tsec = current_security();
1559        struct inode_security_struct *dsec;
1560        struct superblock_security_struct *sbsec;
1561        u32 sid, newsid;
1562        struct common_audit_data ad;
1563        int rc;
1564
1565        dsec = dir->i_security;
1566        sbsec = dir->i_sb->s_security;
1567
1568        sid = tsec->sid;
1569        newsid = tsec->create_sid;
1570
1571        COMMON_AUDIT_DATA_INIT(&ad, FS);
1572        ad.u.fs.path.dentry = dentry;
1573
1574        rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1575                          DIR__ADD_NAME | DIR__SEARCH,
1576                          &ad);
1577        if (rc)
1578                return rc;
1579
1580        if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1581                rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1582                if (rc)
1583                        return rc;
1584        }
1585
1586        rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1587        if (rc)
1588                return rc;
1589
1590        return avc_has_perm(newsid, sbsec->sid,
1591                            SECCLASS_FILESYSTEM,
1592                            FILESYSTEM__ASSOCIATE, &ad);
1593}
1594
1595/* Check whether a task can create a key. */
1596static int may_create_key(u32 ksid,
1597                          struct task_struct *ctx)
1598{
1599        u32 sid = task_sid(ctx);
1600
1601        return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1602}
1603
1604#define MAY_LINK        0
1605#define MAY_UNLINK      1
1606#define MAY_RMDIR       2
1607
1608/* Check whether a task can link, unlink, or rmdir a file/directory. */
1609static int may_link(struct inode *dir,
1610                    struct dentry *dentry,
1611                    int kind)
1612
1613{
1614        struct inode_security_struct *dsec, *isec;
1615        struct common_audit_data ad;
1616        u32 sid = current_sid();
1617        u32 av;
1618        int rc;
1619
1620        dsec = dir->i_security;
1621        isec = dentry->d_inode->i_security;
1622
1623        COMMON_AUDIT_DATA_INIT(&ad, FS);
1624        ad.u.fs.path.dentry = dentry;
1625
1626        av = DIR__SEARCH;
1627        av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1628        rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1629        if (rc)
1630                return rc;
1631
1632        switch (kind) {
1633        case MAY_LINK:
1634                av = FILE__LINK;
1635                break;
1636        case MAY_UNLINK:
1637                av = FILE__UNLINK;
1638                break;
1639        case MAY_RMDIR:
1640                av = DIR__RMDIR;
1641                break;
1642        default:
1643                printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1644                        __func__, kind);
1645                return 0;
1646        }
1647
1648        rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1649        return rc;
1650}
1651
1652static inline int may_rename(struct inode *old_dir,
1653                             struct dentry *old_dentry,
1654                             struct inode *new_dir,
1655                             struct dentry *new_dentry)
1656{
1657        struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1658        struct common_audit_data ad;
1659        u32 sid = current_sid();
1660        u32 av;
1661        int old_is_dir, new_is_dir;
1662        int rc;
1663
1664        old_dsec = old_dir->i_security;
1665        old_isec = old_dentry->d_inode->i_security;
1666        old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1667        new_dsec = new_dir->i_security;
1668
1669        COMMON_AUDIT_DATA_INIT(&ad, FS);
1670
1671        ad.u.fs.path.dentry = old_dentry;
1672        rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1673                          DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1674        if (rc)
1675                return rc;
1676        rc = avc_has_perm(sid, old_isec->sid,
1677                          old_isec->sclass, FILE__RENAME, &ad);
1678        if (rc)
1679                return rc;
1680        if (old_is_dir && new_dir != old_dir) {
1681                rc = avc_has_perm(sid, old_isec->sid,
1682                                  old_isec->sclass, DIR__REPARENT, &ad);
1683                if (rc)
1684                        return rc;
1685        }
1686
1687        ad.u.fs.path.dentry = new_dentry;
1688        av = DIR__ADD_NAME | DIR__SEARCH;
1689        if (new_dentry->d_inode)
1690                av |= DIR__REMOVE_NAME;
1691        rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1692        if (rc)
1693                return rc;
1694        if (new_dentry->d_inode) {
1695                new_isec = new_dentry->d_inode->i_security;
1696                new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1697                rc = avc_has_perm(sid, new_isec->sid,
1698                                  new_isec->sclass,
1699                                  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1700                if (rc)
1701                        return rc;
1702        }
1703
1704        return 0;
1705}
1706
1707/* Check whether a task can perform a filesystem operation. */
1708static int superblock_has_perm(const struct cred *cred,
1709                               struct super_block *sb,
1710                               u32 perms,
1711                               struct common_audit_data *ad)
1712{
1713        struct superblock_security_struct *sbsec;
1714        u32 sid = cred_sid(cred);
1715
1716        sbsec = sb->s_security;
1717        return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1718}
1719
1720/* Convert a Linux mode and permission mask to an access vector. */
1721static inline u32 file_mask_to_av(int mode, int mask)
1722{
1723        u32 av = 0;
1724
1725        if ((mode & S_IFMT) != S_IFDIR) {
1726                if (mask & MAY_EXEC)
1727                        av |= FILE__EXECUTE;
1728                if (mask & MAY_READ)
1729                        av |= FILE__READ;
1730
1731                if (mask & MAY_APPEND)
1732                        av |= FILE__APPEND;
1733                else if (mask & MAY_WRITE)
1734                        av |= FILE__WRITE;
1735
1736        } else {
1737                if (mask & MAY_EXEC)
1738                        av |= DIR__SEARCH;
1739                if (mask & MAY_WRITE)
1740                        av |= DIR__WRITE;
1741                if (mask & MAY_READ)
1742                        av |= DIR__READ;
1743        }
1744
1745        return av;
1746}
1747
1748/* Convert a Linux file to an access vector. */
1749static inline u32 file_to_av(struct file *file)
1750{
1751        u32 av = 0;
1752
1753        if (file->f_mode & FMODE_READ)
1754                av |= FILE__READ;
1755        if (file->f_mode & FMODE_WRITE) {
1756                if (file->f_flags & O_APPEND)
1757                        av |= FILE__APPEND;
1758                else
1759                        av |= FILE__WRITE;
1760        }
1761        if (!av) {
1762                /*
1763                 * Special file opened with flags 3 for ioctl-only use.
1764                 */
1765                av = FILE__IOCTL;
1766        }
1767
1768        return av;
1769}
1770
1771/*
1772 * Convert a file to an access vector and include the correct open
1773 * open permission.
1774 */
1775static inline u32 open_file_to_av(struct file *file)
1776{
1777        u32 av = file_to_av(file);
1778
1779        if (selinux_policycap_openperm)
1780                av |= FILE__OPEN;
1781
1782        return av;
1783}
1784
1785/* Hook functions begin here. */
1786
1787static int selinux_ptrace_access_check(struct task_struct *child,
1788                                     unsigned int mode)
1789{
1790        int rc;
1791
1792        rc = cap_ptrace_access_check(child, mode);
1793        if (rc)
1794                return rc;
1795
1796        if (mode == PTRACE_MODE_READ) {
1797                u32 sid = current_sid();
1798                u32 csid = task_sid(child);
1799                return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1800        }
1801
1802        return current_has_perm(child, PROCESS__PTRACE);
1803}
1804
1805static int selinux_ptrace_traceme(struct task_struct *parent)
1806{
1807        int rc;
1808
1809        rc = cap_ptrace_traceme(parent);
1810        if (rc)
1811                return rc;
1812
1813        return task_has_perm(parent, current, PROCESS__PTRACE);
1814}
1815
1816static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1817                          kernel_cap_t *inheritable, kernel_cap_t *permitted)
1818{
1819        int error;
1820
1821        error = current_has_perm(target, PROCESS__GETCAP);
1822        if (error)
1823                return error;
1824
1825        return cap_capget(target, effective, inheritable, permitted);
1826}
1827
1828static int selinux_capset(struct cred *new, const struct cred *old,
1829                          const kernel_cap_t *effective,
1830                          const kernel_cap_t *inheritable,
1831                          const kernel_cap_t *permitted)
1832{
1833        int error;
1834
1835        error = cap_capset(new, old,
1836                                      effective, inheritable, permitted);
1837        if (error)
1838                return error;
1839
1840        return cred_has_perm(old, new, PROCESS__SETCAP);
1841}
1842
1843/*
1844 * (This comment used to live with the selinux_task_setuid hook,
1845 * which was removed).
1846 *
1847 * Since setuid only affects the current process, and since the SELinux
1848 * controls are not based on the Linux identity attributes, SELinux does not
1849 * need to control this operation.  However, SELinux does control the use of
1850 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1851 */
1852
1853static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1854                           int cap, int audit)
1855{
1856        int rc;
1857
1858        rc = cap_capable(tsk, cred, cap, audit);
1859        if (rc)
1860                return rc;
1861
1862        return task_has_capability(tsk, cred, cap, audit);
1863}
1864
1865static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1866{
1867        int buflen, rc;
1868        char *buffer, *path, *end;
1869
1870        rc = -ENOMEM;
1871        buffer = (char *)__get_free_page(GFP_KERNEL);
1872        if (!buffer)
1873                goto out;
1874
1875        buflen = PAGE_SIZE;
1876        end = buffer+buflen;
1877        *--end = '\0';
1878        buflen--;
1879        path = end-1;
1880        *path = '/';
1881        while (table) {
1882                const char *name = table->procname;
1883                size_t namelen = strlen(name);
1884                buflen -= namelen + 1;
1885                if (buflen < 0)
1886                        goto out_free;
1887                end -= namelen;
1888                memcpy(end, name, namelen);
1889                *--end = '/';
1890                path = end;
1891                table = table->parent;
1892        }
1893        buflen -= 4;
1894        if (buflen < 0)
1895                goto out_free;
1896        end -= 4;
1897        memcpy(end, "/sys", 4);
1898        path = end;
1899        rc = security_genfs_sid("proc", path, tclass, sid);
1900out_free:
1901        free_page((unsigned long)buffer);
1902out:
1903        return rc;
1904}
1905
1906static int selinux_sysctl(ctl_table *table, int op)
1907{
1908        int error = 0;
1909        u32 av;
1910        u32 tsid, sid;
1911        int rc;
1912
1913        sid = current_sid();
1914
1915        rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1916                                    SECCLASS_DIR : SECCLASS_FILE, &tsid);
1917        if (rc) {
1918                /* Default to the well-defined sysctl SID. */
1919                tsid = SECINITSID_SYSCTL;
1920        }
1921
1922        /* The op values are "defined" in sysctl.c, thereby creating
1923         * a bad coupling between this module and sysctl.c */
1924        if (op == 001) {
1925                error = avc_has_perm(sid, tsid,
1926                                     SECCLASS_DIR, DIR__SEARCH, NULL);
1927        } else {
1928                av = 0;
1929                if (op & 004)
1930                        av |= FILE__READ;
1931                if (op & 002)
1932                        av |= FILE__WRITE;
1933                if (av)
1934                        error = avc_has_perm(sid, tsid,
1935                                             SECCLASS_FILE, av, NULL);
1936        }
1937
1938        return error;
1939}
1940
1941static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1942{
1943        const struct cred *cred = current_cred();
1944        int rc = 0;
1945
1946        if (!sb)
1947                return 0;
1948
1949        switch (cmds) {
1950        case Q_SYNC:
1951        case Q_QUOTAON:
1952        case Q_QUOTAOFF:
1953        case Q_SETINFO:
1954        case Q_SETQUOTA:
1955                rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1956                break;
1957        case Q_GETFMT:
1958        case Q_GETINFO:
1959        case Q_GETQUOTA:
1960                rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1961                break;
1962        default:
1963                rc = 0;  /* let the kernel handle invalid cmds */
1964                break;
1965        }
1966        return rc;
1967}
1968
1969static int selinux_quota_on(struct dentry *dentry)
1970{
1971        const struct cred *cred = current_cred();
1972
1973        return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1974}
1975
1976static int selinux_syslog(int type)
1977{
1978        int rc;
1979
1980        switch (type) {
1981        case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1982        case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1983                rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1984                break;
1985        case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1986        case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1987        /* Set level of messages printed to console */
1988        case SYSLOG_ACTION_CONSOLE_LEVEL:
1989                rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1990                break;
1991        case SYSLOG_ACTION_CLOSE:       /* Close log */
1992        case SYSLOG_ACTION_OPEN:        /* Open log */
1993        case SYSLOG_ACTION_READ:        /* Read from log */
1994        case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1995        case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1996        default:
1997                rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1998                break;
1999        }
2000        return rc;
2001}
2002
2003/*
2004 * Check that a process has enough memory to allocate a new virtual
2005 * mapping. 0 means there is enough memory for the allocation to
2006 * succeed and -ENOMEM implies there is not.
2007 *
2008 * Do not audit the selinux permission check, as this is applied to all
2009 * processes that allocate mappings.
2010 */
2011static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2012{
2013        int rc, cap_sys_admin = 0;
2014
2015        rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2016                             SECURITY_CAP_NOAUDIT);
2017        if (rc == 0)
2018                cap_sys_admin = 1;
2019
2020        return __vm_enough_memory(mm, pages, cap_sys_admin);
2021}
2022
2023/* binprm security operations */
2024
2025static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2026{
2027        const struct task_security_struct *old_tsec;
2028        struct task_security_struct *new_tsec;
2029        struct inode_security_struct *isec;
2030        struct common_audit_data ad;
2031        struct inode *inode = bprm->file->f_path.dentry->d_inode;
2032        int rc;
2033
2034        rc = cap_bprm_set_creds(bprm);
2035        if (rc)
2036                return rc;
2037
2038        /* SELinux context only depends on initial program or script and not
2039         * the script interpreter */
2040        if (bprm->cred_prepared)
2041                return 0;
2042
2043        old_tsec = current_security();
2044        new_tsec = bprm->cred->security;
2045        isec = inode->i_security;
2046
2047        /* Default to the current task SID. */
2048        new_tsec->sid = old_tsec->sid;
2049        new_tsec->osid = old_tsec->sid;
2050
2051        /* Reset fs, key, and sock SIDs on execve. */
2052        new_tsec->create_sid = 0;
2053        new_tsec->keycreate_sid = 0;
2054        new_tsec->sockcreate_sid = 0;
2055
2056        if (old_tsec->exec_sid) {
2057                new_tsec->sid = old_tsec->exec_sid;
2058                /* Reset exec SID on execve. */
2059                new_tsec->exec_sid = 0;
2060        } else {
2061                /* Check for a default transition on this program. */
2062                rc = security_transition_sid(old_tsec->sid, isec->sid,
2063                                             SECCLASS_PROCESS, &new_tsec->sid);
2064                if (rc)
2065                        return rc;
2066        }
2067
2068        COMMON_AUDIT_DATA_INIT(&ad, FS);
2069        ad.u.fs.path = bprm->file->f_path;
2070
2071        if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2072                new_tsec->sid = old_tsec->sid;
2073
2074        if (new_tsec->sid == old_tsec->sid) {
2075                rc = avc_has_perm(old_tsec->sid, isec->sid,
2076                                  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2077                if (rc)
2078                        return rc;
2079        } else {
2080                /* Check permissions for the transition. */
2081                rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2082                                  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2083                if (rc)
2084                        return rc;
2085
2086                rc = avc_has_perm(new_tsec->sid, isec->sid,
2087                                  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2088                if (rc)
2089                        return rc;
2090
2091                /* Check for shared state */
2092                if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2093                        rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2094                                          SECCLASS_PROCESS, PROCESS__SHARE,
2095                                          NULL);
2096                        if (rc)
2097                                return -EPERM;
2098                }
2099
2100                /* Make sure that anyone attempting to ptrace over a task that
2101                 * changes its SID has the appropriate permit */
2102                if (bprm->unsafe &
2103                    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2104                        struct task_struct *tracer;
2105                        struct task_security_struct *sec;
2106                        u32 ptsid = 0;
2107
2108                        rcu_read_lock();
2109                        tracer = tracehook_tracer_task(current);
2110                        if (likely(tracer != NULL)) {
2111                                sec = __task_cred(tracer)->security;
2112                                ptsid = sec->sid;
2113                        }
2114                        rcu_read_unlock();
2115
2116                        if (ptsid != 0) {
2117                                rc = avc_has_perm(ptsid, new_tsec->sid,
2118                                                  SECCLASS_PROCESS,
2119                                                  PROCESS__PTRACE, NULL);
2120                                if (rc)
2121                                        return -EPERM;
2122                        }
2123                }
2124
2125                /* Clear any possibly unsafe personality bits on exec: */
2126                bprm->per_clear |= PER_CLEAR_ON_SETID;
2127        }
2128
2129        return 0;
2130}
2131
2132static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2133{
2134        const struct task_security_struct *tsec = current_security();
2135        u32 sid, osid;
2136        int atsecure = 0;
2137
2138        sid = tsec->sid;
2139        osid = tsec->osid;
2140
2141        if (osid != sid) {
2142                /* Enable secure mode for SIDs transitions unless
2143                   the noatsecure permission is granted between
2144                   the two SIDs, i.e. ahp returns 0. */
2145                atsecure = avc_has_perm(osid, sid,
2146                                        SECCLASS_PROCESS,
2147                                        PROCESS__NOATSECURE, NULL);
2148        }
2149
2150        return (atsecure || cap_bprm_secureexec(bprm));
2151}
2152
2153extern struct vfsmount *selinuxfs_mount;
2154extern struct dentry *selinux_null;
2155
2156/* Derived from fs/exec.c:flush_old_files. */
2157static inline void flush_unauthorized_files(const struct cred *cred,
2158                                            struct files_struct *files)
2159{
2160        struct common_audit_data ad;
2161        struct file *file, *devnull = NULL;
2162        struct tty_struct *tty;
2163        struct fdtable *fdt;
2164        long j = -1;
2165        int drop_tty = 0;
2166
2167        tty = get_current_tty();
2168        if (tty) {
2169                spin_lock(&tty_files_lock);
2170                if (!list_empty(&tty->tty_files)) {
2171                        struct tty_file_private *file_priv;
2172                        struct inode *inode;
2173
2174                        /* Revalidate access to controlling tty.
2175                           Use inode_has_perm on the tty inode directly rather
2176                           than using file_has_perm, as this particular open
2177                           file may belong to another process and we are only
2178                           interested in the inode-based check here. */
2179                        file_priv = list_first_entry(&tty->tty_files,
2180                                                struct tty_file_private, list);
2181                        file = file_priv->file;
2182                        inode = file->f_path.dentry->d_inode;
2183                        if (inode_has_perm(cred, inode,
2184                                           FILE__READ | FILE__WRITE, NULL)) {
2185                                drop_tty = 1;
2186                        }
2187                }
2188                spin_unlock(&tty_files_lock);
2189                tty_kref_put(tty);
2190        }
2191        /* Reset controlling tty. */
2192        if (drop_tty)
2193                no_tty();
2194
2195        /* Revalidate access to inherited open files. */
2196
2197        COMMON_AUDIT_DATA_INIT(&ad, FS);
2198
2199        spin_lock(&files->file_lock);
2200        for (;;) {
2201                unsigned long set, i;
2202                int fd;
2203
2204                j++;
2205                i = j * __NFDBITS;
2206                fdt = files_fdtable(files);
2207                if (i >= fdt->max_fds)
2208                        break;
2209                set = fdt->open_fds->fds_bits[j];
2210                if (!set)
2211                        continue;
2212                spin_unlock(&files->file_lock);
2213                for ( ; set ; i++, set >>= 1) {
2214                        if (set & 1) {
2215                                file = fget(i);
2216                                if (!file)
2217                                        continue;
2218                                if (file_has_perm(cred,
2219                                                  file,
2220                                                  file_to_av(file))) {
2221                                        sys_close(i);
2222                                        fd = get_unused_fd();
2223                                        if (fd != i) {
2224                                                if (fd >= 0)
2225                                                        put_unused_fd(fd);
2226                                                fput(file);
2227                                                continue;
2228                                        }
2229                                        if (devnull) {
2230                                                get_file(devnull);
2231                                        } else {
2232                                                devnull = dentry_open(
2233                                                        dget(selinux_null),
2234                                                        mntget(selinuxfs_mount),
2235                                                        O_RDWR, cred);
2236                                                if (IS_ERR(devnull)) {
2237                                                        devnull = NULL;
2238                                                        put_unused_fd(fd);
2239                                                        fput(file);
2240                                                        continue;
2241                                                }
2242                                        }
2243                                        fd_install(fd, devnull);
2244                                }
2245                                fput(file);
2246                        }
2247                }
2248                spin_lock(&files->file_lock);
2249
2250        }
2251        spin_unlock(&files->file_lock);
2252}
2253
2254/*
2255 * Prepare a process for imminent new credential changes due to exec
2256 */
2257static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2258{
2259        struct task_security_struct *new_tsec;
2260        struct rlimit *rlim, *initrlim;
2261        int rc, i;
2262
2263        new_tsec = bprm->cred->security;
2264        if (new_tsec->sid == new_tsec->osid)
2265                return;
2266
2267        /* Close files for which the new task SID is not authorized. */
2268        flush_unauthorized_files(bprm->cred, current->files);
2269
2270        /* Always clear parent death signal on SID transitions. */
2271        current->pdeath_signal = 0;
2272
2273        /* Check whether the new SID can inherit resource limits from the old
2274         * SID.  If not, reset all soft limits to the lower of the current
2275         * task's hard limit and the init task's soft limit.
2276         *
2277         * Note that the setting of hard limits (even to lower them) can be
2278         * controlled by the setrlimit check.  The inclusion of the init task's
2279         * soft limit into the computation is to avoid resetting soft limits
2280         * higher than the default soft limit for cases where the default is
2281         * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2282         */
2283        rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2284                          PROCESS__RLIMITINH, NULL);
2285        if (rc) {
2286                /* protect against do_prlimit() */
2287                task_lock(current);
2288                for (i = 0; i < RLIM_NLIMITS; i++) {
2289                        rlim = current->signal->rlim + i;
2290                        initrlim = init_task.signal->rlim + i;
2291                        rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2292                }
2293                task_unlock(current);
2294                update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2295        }
2296}
2297
2298/*
2299 * Clean up the process immediately after the installation of new credentials
2300 * due to exec
2301 */
2302static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2303{
2304        const struct task_security_struct *tsec = current_security();
2305        struct itimerval itimer;
2306        u32 osid, sid;
2307        int rc, i;
2308
2309        osid = tsec->osid;
2310        sid = tsec->sid;
2311
2312        if (sid == osid)
2313                return;
2314
2315        /* Check whether the new SID can inherit signal state from the old SID.
2316         * If not, clear itimers to avoid subsequent signal generation and
2317         * flush and unblock signals.
2318         *
2319         * This must occur _after_ the task SID has been updated so that any
2320         * kill done after the flush will be checked against the new SID.
2321         */
2322        rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2323        if (rc) {
2324                memset(&itimer, 0, sizeof itimer);
2325                for (i = 0; i < 3; i++)
2326                        do_setitimer(i, &itimer, NULL);
2327                spin_lock_irq(&current->sighand->siglock);
2328                if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2329                        __flush_signals(current);
2330                        flush_signal_handlers(current, 1);
2331                        sigemptyset(&current->blocked);
2332                }
2333                spin_unlock_irq(&current->sighand->siglock);
2334        }
2335
2336        /* Wake up the parent if it is waiting so that it can recheck
2337         * wait permission to the new task SID. */
2338        read_lock(&tasklist_lock);
2339        __wake_up_parent(current, current->real_parent);
2340        read_unlock(&tasklist_lock);
2341}
2342
2343/* superblock security operations */
2344
2345static int selinux_sb_alloc_security(struct super_block *sb)
2346{
2347        return superblock_alloc_security(sb);
2348}
2349
2350static void selinux_sb_free_security(struct super_block *sb)
2351{
2352        superblock_free_security(sb);
2353}
2354
2355static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2356{
2357        if (plen > olen)
2358                return 0;
2359
2360        return !memcmp(prefix, option, plen);
2361}
2362
2363static inline int selinux_option(char *option, int len)
2364{
2365        return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2366                match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2367                match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2368                match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2369                match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2370}
2371
2372static inline void take_option(char **to, char *from, int *first, int len)
2373{
2374        if (!*first) {
2375                **to = ',';
2376                *to += 1;
2377        } else
2378                *first = 0;
2379        memcpy(*to, from, len);
2380        *to += len;
2381}
2382
2383static inline void take_selinux_option(char **to, char *from, int *first,
2384                                       int len)
2385{
2386        int current_size = 0;
2387
2388        if (!*first) {
2389                **to = '|';
2390                *to += 1;
2391        } else
2392                *first = 0;
2393
2394        while (current_size < len) {
2395                if (*from != '"') {
2396                        **to = *from;
2397                        *to += 1;
2398                }
2399                from += 1;
2400                current_size += 1;
2401        }
2402}
2403
2404static int selinux_sb_copy_data(char *orig, char *copy)
2405{
2406        int fnosec, fsec, rc = 0;
2407        char *in_save, *in_curr, *in_end;
2408        char *sec_curr, *nosec_save, *nosec;
2409        int open_quote = 0;
2410
2411        in_curr = orig;
2412        sec_curr = copy;
2413
2414        nosec = (char *)get_zeroed_page(GFP_KERNEL);
2415        if (!nosec) {
2416                rc = -ENOMEM;
2417                goto out;
2418        }
2419
2420        nosec_save = nosec;
2421        fnosec = fsec = 1;
2422        in_save = in_end = orig;
2423
2424        do {
2425                if (*in_end == '"')
2426                        open_quote = !open_quote;
2427                if ((*in_end == ',' && open_quote == 0) ||
2428                                *in_end == '\0') {
2429                        int len = in_end - in_curr;
2430
2431                        if (selinux_option(in_curr, len))
2432                                take_selinux_option(&sec_curr, in_curr, &fsec, len);
2433                        else
2434                                take_option(&nosec, in_curr, &fnosec, len);
2435
2436                        in_curr = in_end + 1;
2437                }
2438        } while (*in_end++);
2439
2440        strcpy(in_save, nosec_save);
2441        free_page((unsigned long)nosec_save);
2442out:
2443        return rc;
2444}
2445
2446static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2447{
2448        const struct cred *cred = current_cred();
2449        struct common_audit_data ad;
2450        int rc;
2451
2452        rc = superblock_doinit(sb, data);
2453        if (rc)
2454                return rc;
2455
2456        /* Allow all mounts performed by the kernel */
2457        if (flags & MS_KERNMOUNT)
2458                return 0;
2459
2460        COMMON_AUDIT_DATA_INIT(&ad, FS);
2461        ad.u.fs.path.dentry = sb->s_root;
2462        return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2463}
2464
2465static int selinux_sb_statfs(struct dentry *dentry)
2466{
2467        const struct cred *cred = current_cred();
2468        struct common_audit_data ad;
2469
2470        COMMON_AUDIT_DATA_INIT(&ad, FS);
2471        ad.u.fs.path.dentry = dentry->d_sb->s_root;
2472        return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2473}
2474
2475static int selinux_mount(char *dev_name,
2476                         struct path *path,
2477                         char *type,
2478                         unsigned long flags,
2479                         void *data)
2480{
2481        const struct cred *cred = current_cred();
2482
2483        if (flags & MS_REMOUNT)
2484                return superblock_has_perm(cred, path->mnt->mnt_sb,
2485                                           FILESYSTEM__REMOUNT, NULL);
2486        else
2487                return dentry_has_perm(cred, path->mnt, path->dentry,
2488                                       FILE__MOUNTON);
2489}
2490
2491static int selinux_umount(struct vfsmount *mnt, int flags)
2492{
2493        const struct cred *cred = current_cred();
2494
2495        return superblock_has_perm(cred, mnt->mnt_sb,
2496                                   FILESYSTEM__UNMOUNT, NULL);
2497}
2498
2499/* inode security operations */
2500
2501static int selinux_inode_alloc_security(struct inode *inode)
2502{
2503        return inode_alloc_security(inode);
2504}
2505
2506static void selinux_inode_free_security(struct inode *inode)
2507{
2508        inode_free_security(inode);
2509}
2510
2511static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2512                                       char **name, void **value,
2513                                       size_t *len)
2514{
2515        const struct task_security_struct *tsec = current_security();
2516        struct inode_security_struct *dsec;
2517        struct superblock_security_struct *sbsec;
2518        u32 sid, newsid, clen;
2519        int rc;
2520        char *namep = NULL, *context;
2521
2522        dsec = dir->i_security;
2523        sbsec = dir->i_sb->s_security;
2524
2525        sid = tsec->sid;
2526        newsid = tsec->create_sid;
2527
2528        if ((sbsec->flags & SE_SBINITIALIZED) &&
2529            (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2530                newsid = sbsec->mntpoint_sid;
2531        else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2532                rc = security_transition_sid(sid, dsec->sid,
2533                                             inode_mode_to_security_class(inode->i_mode),
2534                                             &newsid);
2535                if (rc) {
2536                        printk(KERN_WARNING "%s:  "
2537                               "security_transition_sid failed, rc=%d (dev=%s "
2538                               "ino=%ld)\n",
2539                               __func__,
2540                               -rc, inode->i_sb->s_id, inode->i_ino);
2541                        return rc;
2542                }
2543        }
2544
2545        /* Possibly defer initialization to selinux_complete_init. */
2546        if (sbsec->flags & SE_SBINITIALIZED) {
2547                struct inode_security_struct *isec = inode->i_security;
2548                isec->sclass = inode_mode_to_security_class(inode->i_mode);
2549                isec->sid = newsid;
2550                isec->initialized = 1;
2551        }
2552
2553        if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2554                return -EOPNOTSUPP;
2555
2556        if (name) {
2557                namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2558                if (!namep)
2559                        return -ENOMEM;
2560                *name = namep;
2561        }
2562
2563        if (value && len) {
2564                rc = security_sid_to_context_force(newsid, &context, &clen);
2565                if (rc) {
2566                        kfree(namep);
2567                        return rc;
2568                }
2569                *value = context;
2570                *len = clen;
2571        }
2572
2573        return 0;
2574}
2575
2576static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2577{
2578        return may_create(dir, dentry, SECCLASS_FILE);
2579}
2580
2581static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2582{
2583        return may_link(dir, old_dentry, MAY_LINK);
2584}
2585
2586static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2587{
2588        return may_link(dir, dentry, MAY_UNLINK);
2589}
2590
2591static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2592{
2593        return may_create(dir, dentry, SECCLASS_LNK_FILE);
2594}
2595
2596static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2597{
2598        return may_create(dir, dentry, SECCLASS_DIR);
2599}
2600
2601static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2602{
2603        return may_link(dir, dentry, MAY_RMDIR);
2604}
2605
2606static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2607{
2608        return may_create(dir, dentry, inode_mode_to_security_class(mode));
2609}
2610
2611static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2612                                struct inode *new_inode, struct dentry *new_dentry)
2613{
2614        return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2615}
2616
2617static int selinux_inode_readlink(struct dentry *dentry)
2618{
2619        const struct cred *cred = current_cred();
2620
2621        return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2622}
2623
2624static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2625{
2626        const struct cred *cred = current_cred();
2627
2628        return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2629}
2630
2631static int selinux_inode_permission(struct inode *inode, int mask)
2632{
2633        const struct cred *cred = current_cred();
2634        struct common_audit_data ad;
2635        u32 perms;
2636        bool from_access;
2637
2638        from_access = mask & MAY_ACCESS;
2639        mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2640
2641        /* No permission to check.  Existence test. */
2642        if (!mask)
2643                return 0;
2644
2645        COMMON_AUDIT_DATA_INIT(&ad, FS);
2646        ad.u.fs.inode = inode;
2647
2648        if (from_access)
2649                ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2650
2651        perms = file_mask_to_av(inode->i_mode, mask);
2652
2653        return inode_has_perm(cred, inode, perms, &ad);
2654}
2655
2656static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2657{
2658        const struct cred *cred = current_cred();
2659        unsigned int ia_valid = iattr->ia_valid;
2660
2661        /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2662        if (ia_valid & ATTR_FORCE) {
2663                ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2664                              ATTR_FORCE);
2665                if (!ia_valid)
2666                        return 0;
2667        }
2668
2669        if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2670                        ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2671                return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2672
2673        return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2674}
2675
2676static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2677{
2678        const struct cred *cred = current_cred();
2679
2680        return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2681}
2682
2683static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2684{
2685        const struct cred *cred = current_cred();
2686
2687        if (!strncmp(name, XATTR_SECURITY_PREFIX,
2688                     sizeof XATTR_SECURITY_PREFIX - 1)) {
2689                if (!strcmp(name, XATTR_NAME_CAPS)) {
2690                        if (!capable(CAP_SETFCAP))
2691                                return -EPERM;
2692                } else if (!capable(CAP_SYS_ADMIN)) {
2693                        /* A different attribute in the security namespace.
2694                           Restrict to administrator. */
2695                        return -EPERM;
2696                }
2697        }
2698
2699        /* Not an attribute we recognize, so just check the
2700           ordinary setattr permission. */
2701        return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2702}
2703
2704static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2705                                  const void *value, size_t size, int flags)
2706{
2707        struct inode *inode = dentry->d_inode;
2708        struct inode_security_struct *isec = inode->i_security;
2709        struct superblock_security_struct *sbsec;
2710        struct common_audit_data ad;
2711        u32 newsid, sid = current_sid();
2712        int rc = 0;
2713
2714        if (strcmp(name, XATTR_NAME_SELINUX))
2715                return selinux_inode_setotherxattr(dentry, name);
2716
2717        sbsec = inode->i_sb->s_security;
2718        if (!(sbsec->flags & SE_SBLABELSUPP))
2719                return -EOPNOTSUPP;
2720
2721        if (!is_owner_or_cap(inode))
2722                return -EPERM;
2723
2724        COMMON_AUDIT_DATA_INIT(&ad, FS);
2725        ad.u.fs.path.dentry = dentry;
2726
2727        rc = avc_has_perm(sid, isec->sid, isec->sclass,
2728                          FILE__RELABELFROM, &ad);
2729        if (rc)
2730                return rc;
2731
2732        rc = security_context_to_sid(value, size, &newsid);
2733        if (rc == -EINVAL) {
2734                if (!capable(CAP_MAC_ADMIN))
2735                        return rc;
2736                rc = security_context_to_sid_force(value, size, &newsid);
2737        }
2738        if (rc)
2739                return rc;
2740
2741        rc = avc_has_perm(sid, newsid, isec->sclass,
2742                          FILE__RELABELTO, &ad);
2743        if (rc)
2744                return rc;
2745
2746        rc = security_validate_transition(isec->sid, newsid, sid,
2747                                          isec->sclass);
2748        if (rc)
2749                return rc;
2750
2751        return avc_has_perm(newsid,
2752                            sbsec->sid,
2753                            SECCLASS_FILESYSTEM,
2754                            FILESYSTEM__ASSOCIATE,
2755                            &ad);
2756}
2757
2758static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2759                                        const void *value, size_t size,
2760                                        int flags)
2761{
2762        struct inode *inode = dentry->d_inode;
2763        struct inode_security_struct *isec = inode->i_security;
2764        u32 newsid;
2765        int rc;
2766
2767        if (strcmp(name, XATTR_NAME_SELINUX)) {
2768                /* Not an attribute we recognize, so nothing to do. */
2769                return;
2770        }
2771
2772        rc = security_context_to_sid_force(value, size, &newsid);
2773        if (rc) {
2774                printk(KERN_ERR "SELinux:  unable to map context to SID"
2775                       "for (%s, %lu), rc=%d\n",
2776                       inode->i_sb->s_id, inode->i_ino, -rc);
2777                return;
2778        }
2779
2780        isec->sid = newsid;
2781        return;
2782}
2783
2784static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2785{
2786        const struct cred *cred = current_cred();
2787
2788        return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2789}
2790
2791static int selinux_inode_listxattr(struct dentry *dentry)
2792{
2793        const struct cred *cred = current_cred();
2794
2795        return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2796}
2797
2798static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2799{
2800        if (strcmp(name, XATTR_NAME_SELINUX))
2801                return selinux_inode_setotherxattr(dentry, name);
2802
2803        /* No one is allowed to remove a SELinux security label.
2804           You can change the label, but all data must be labeled. */
2805        return -EACCES;
2806}
2807
2808/*
2809 * Copy the inode security context value to the user.
2810 *
2811 * Permission check is handled by selinux_inode_getxattr hook.
2812 */
2813static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2814{
2815        u32 size;
2816        int error;
2817        char *context = NULL;
2818        struct inode_security_struct *isec = inode->i_security;
2819
2820        if (strcmp(name, XATTR_SELINUX_SUFFIX))
2821                return -EOPNOTSUPP;
2822
2823        /*
2824         * If the caller has CAP_MAC_ADMIN, then get the raw context
2825         * value even if it is not defined by current policy; otherwise,
2826         * use the in-core value under current policy.
2827         * Use the non-auditing forms of the permission checks since
2828         * getxattr may be called by unprivileged processes commonly
2829         * and lack of permission just means that we fall back to the
2830         * in-core context value, not a denial.
2831         */
2832        error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2833                                SECURITY_CAP_NOAUDIT);
2834        if (!error)
2835                error = security_sid_to_context_force(isec->sid, &context,
2836                                                      &size);
2837        else
2838                error = security_sid_to_context(isec->sid, &context, &size);
2839        if (error)
2840                return error;
2841        error = size;
2842        if (alloc) {
2843                *buffer = context;
2844                goto out_nofree;
2845        }
2846        kfree(context);
2847out_nofree:
2848        return error;
2849}
2850
2851static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2852                                     const void *value, size_t size, int flags)
2853{
2854        struct inode_security_struct *isec = inode->i_security;
2855        u32 newsid;
2856        int rc;
2857
2858        if (strcmp(name, XATTR_SELINUX_SUFFIX))
2859                return -EOPNOTSUPP;
2860
2861        if (!value || !size)
2862                return -EACCES;
2863
2864        rc = security_context_to_sid((void *)value, size, &newsid);
2865        if (rc)
2866                return rc;
2867
2868        isec->sid = newsid;
2869        isec->initialized = 1;
2870        return 0;
2871}
2872
2873static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2874{
2875        const int len = sizeof(XATTR_NAME_SELINUX);
2876        if (buffer && len <= buffer_size)
2877                memcpy(buffer, XATTR_NAME_SELINUX, len);
2878        return len;
2879}
2880
2881static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2882{
2883        struct inode_security_struct *isec = inode->i_security;
2884        *secid = isec->sid;
2885}
2886
2887/* file security operations */
2888
2889static int selinux_revalidate_file_permission(struct file *file, int mask)
2890{
2891        const struct cred *cred = current_cred();
2892        struct inode *inode = file->f_path.dentry->d_inode;
2893
2894        /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2895        if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2896                mask |= MAY_APPEND;
2897
2898        return file_has_perm(cred, file,
2899                             file_mask_to_av(inode->i_mode, mask));
2900}
2901
2902static int selinux_file_permission(struct file *file, int mask)
2903{
2904        struct inode *inode = file->f_path.dentry->d_inode;
2905        struct file_security_struct *fsec = file->f_security;
2906        struct inode_security_struct *isec = inode->i_security;
2907        u32 sid = current_sid();
2908
2909        if (!mask)
2910                /* No permission to check.  Existence test. */
2911                return 0;
2912
2913        if (sid == fsec->sid && fsec->isid == isec->sid &&
2914            fsec->pseqno == avc_policy_seqno())
2915                /* No change since dentry_open check. */
2916                return 0;
2917
2918        return selinux_revalidate_file_permission(file, mask);
2919}
2920
2921static int selinux_file_alloc_security(struct file *file)
2922{
2923        return file_alloc_security(file);
2924}
2925
2926static void selinux_file_free_security(struct file *file)
2927{
2928        file_free_security(file);
2929}
2930
2931static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2932                              unsigned long arg)
2933{
2934        const struct cred *cred = current_cred();
2935        u32 av = 0;
2936
2937        if (_IOC_DIR(cmd) & _IOC_WRITE)
2938                av |= FILE__WRITE;
2939        if (_IOC_DIR(cmd) & _IOC_READ)
2940                av |= FILE__READ;
2941        if (!av)
2942                av = FILE__IOCTL;
2943
2944        return file_has_perm(cred, file, av);
2945}
2946
2947static int default_noexec;
2948
2949static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2950{
2951        const struct cred *cred = current_cred();
2952        int rc = 0;
2953
2954        if (default_noexec &&
2955            (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2956                /*
2957                 * We are making executable an anonymous mapping or a
2958                 * private file mapping that will also be writable.
2959                 * This has an additional check.
2960                 */
2961                rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
2962                if (rc)
2963                        goto error;
2964        }
2965
2966        if (file) {
2967                /* read access is always possible with a mapping */
2968                u32 av = FILE__READ;
2969
2970                /* write access only matters if the mapping is shared */
2971                if (shared && (prot & PROT_WRITE))
2972                        av |= FILE__WRITE;
2973
2974                if (prot & PROT_EXEC)
2975                        av |= FILE__EXECUTE;
2976
2977                return file_has_perm(cred, file, av);
2978        }
2979
2980error:
2981        return rc;
2982}
2983
2984static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2985                             unsigned long prot, unsigned long flags,
2986                             unsigned long addr, unsigned long addr_only)
2987{
2988        int rc = 0;
2989        u32 sid = current_sid();
2990
2991        /*
2992         * notice that we are intentionally putting the SELinux check before
2993         * the secondary cap_file_mmap check.  This is such a likely attempt
2994         * at bad behaviour/exploit that we always want to get the AVC, even
2995         * if DAC would have also denied the operation.
2996         */
2997        if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
2998                rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2999                                  MEMPROTECT__MMAP_ZERO, NULL);
3000                if (rc)
3001                        return rc;
3002        }
3003
3004        /* do DAC check on address space usage */
3005        rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3006        if (rc || addr_only)
3007                return rc;
3008
3009        if (selinux_checkreqprot)
3010                prot = reqprot;
3011
3012        return file_map_prot_check(file, prot,
3013                                   (flags & MAP_TYPE) == MAP_SHARED);
3014}
3015
3016static int selinux_file_mprotect(struct vm_area_struct *vma,
3017                                 unsigned long reqprot,
3018                                 unsigned long prot)
3019{
3020        const struct cred *cred = current_cred();
3021
3022        if (selinux_checkreqprot)
3023                prot = reqprot;
3024
3025        if (default_noexec &&
3026            (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3027                int rc = 0;
3028                if (vma->vm_start >= vma->vm_mm->start_brk &&
3029                    vma->vm_end <= vma->vm_mm->brk) {
3030                        rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3031                } else if (!vma->vm_file &&
3032                           vma->vm_start <= vma->vm_mm->start_stack &&
3033                           vma->vm_end >= vma->vm_mm->start_stack) {
3034                        rc = current_has_perm(current, PROCESS__EXECSTACK);
3035                } else if (vma->vm_file && vma->anon_vma) {
3036                        /*
3037                         * We are making executable a file mapping that has
3038                         * had some COW done. Since pages might have been
3039                         * written, check ability to execute the possibly
3040                         * modified content.  This typically should only
3041                         * occur for text relocations.
3042                         */
3043                        rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3044                }
3045                if (rc)
3046                        return rc;
3047        }
3048
3049        return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3050}
3051
3052static int selinux_file_lock(struct file *file, unsigned int cmd)
3053{
3054        const struct cred *cred = current_cred();
3055
3056        return file_has_perm(cred, file, FILE__LOCK);
3057}
3058
3059static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3060                              unsigned long arg)
3061{
3062        const struct cred *cred = current_cred();
3063        int err = 0;
3064
3065        switch (cmd) {
3066        case F_SETFL:
3067                if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3068                        err = -EINVAL;
3069                        break;
3070                }
3071
3072                if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3073                        err = file_has_perm(cred, file, FILE__WRITE);
3074                        break;
3075                }
3076                /* fall through */
3077        case F_SETOWN:
3078        case F_SETSIG:
3079        case F_GETFL:
3080        case F_GETOWN:
3081        case F_GETSIG:
3082                /* Just check FD__USE permission */
3083                err = file_has_perm(cred, file, 0);
3084                break;
3085        case F_GETLK:
3086        case F_SETLK:
3087        case F_SETLKW:
3088#if BITS_PER_LONG == 32
3089        case F_GETLK64:
3090        case F_SETLK64:
3091        case F_SETLKW64:
3092#endif
3093                if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3094                        err = -EINVAL;
3095                        break;
3096                }
3097                err = file_has_perm(cred, file, FILE__LOCK);
3098                break;
3099        }
3100
3101        return err;
3102}
3103
3104static int selinux_file_set_fowner(struct file *file)
3105{
3106        struct file_security_struct *fsec;
3107
3108        fsec = file->f_security;
3109        fsec->fown_sid = current_sid();
3110
3111        return 0;
3112}
3113
3114static int selinux_file_send_sigiotask(struct task_struct *tsk,
3115                                       struct fown_struct *fown, int signum)
3116{
3117        struct file *file;
3118        u32 sid = task_sid(tsk);
3119        u32 perm;
3120        struct file_security_struct *fsec;
3121
3122        /* struct fown_struct is never outside the context of a struct file */
3123        file = container_of(fown, struct file, f_owner);
3124
3125        fsec = file->f_security;
3126
3127        if (!signum)
3128                perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3129        else
3130                perm = signal_to_av(signum);
3131
3132        return avc_has_perm(fsec->fown_sid, sid,
3133                            SECCLASS_PROCESS, perm, NULL);
3134}
3135
3136static int selinux_file_receive(struct file *file)
3137{
3138        const struct cred *cred = current_cred();
3139
3140        return file_has_perm(cred, file, file_to_av(file));
3141}
3142
3143static int selinux_dentry_open(struct file *file, const struct cred *cred)
3144{
3145        struct file_security_struct *fsec;
3146        struct inode *inode;
3147        struct inode_security_struct *isec;
3148
3149        inode = file->f_path.dentry->d_inode;
3150        fsec = file->f_security;
3151        isec = inode->i_security;
3152        /*
3153         * Save inode label and policy sequence number
3154         * at open-time so that selinux_file_permission
3155         * can determine whether revalidation is necessary.
3156         * Task label is already saved in the file security
3157         * struct as its SID.
3158         */
3159        fsec->isid = isec->sid;
3160        fsec->pseqno = avc_policy_seqno();
3161        /*
3162         * Since the inode label or policy seqno may have changed
3163         * between the selinux_inode_permission check and the saving
3164         * of state above, recheck that access is still permitted.
3165         * Otherwise, access might never be revalidated against the
3166         * new inode label or new policy.
3167         * This check is not redundant - do not remove.
3168         */
3169        return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3170}
3171
3172/* task security operations */
3173
3174static int selinux_task_create(unsigned long clone_flags)
3175{
3176        return current_has_perm(current, PROCESS__FORK);
3177}
3178
3179/*
3180 * allocate the SELinux part of blank credentials
3181 */
3182static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3183{
3184        struct task_security_struct *tsec;
3185
3186        tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3187        if (!tsec)
3188                return -ENOMEM;
3189
3190        cred->security = tsec;
3191        return 0;
3192}
3193
3194/*
3195 * detach and free the LSM part of a set of credentials
3196 */
3197static void selinux_cred_free(struct cred *cred)
3198{
3199        struct task_security_struct *tsec = cred->security;
3200
3201        /*
3202         * cred->security == NULL if security_cred_alloc_blank() or
3203         * security_prepare_creds() returned an error.
3204         */
3205        BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3206        cred->security = (void *) 0x7UL;
3207        kfree(tsec);
3208}
3209
3210/*
3211 * prepare a new set of credentials for modification
3212 */
3213static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3214                                gfp_t gfp)
3215{
3216        const struct task_security_struct *old_tsec;
3217        struct task_security_struct *tsec;
3218
3219        old_tsec = old->security;
3220
3221        tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3222        if (!tsec)
3223                return -ENOMEM;
3224
3225        new->security = tsec;
3226        return 0;
3227}
3228
3229/*
3230 * transfer the SELinux data to a blank set of creds
3231 */
3232static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3233{
3234        const struct task_security_struct *old_tsec = old->security;
3235        struct task_security_struct *tsec = new->security;
3236
3237        *tsec = *old_tsec;
3238}
3239
3240/*
3241 * set the security data for a kernel service
3242 * - all the creation contexts are set to unlabelled
3243 */
3244static int selinux_kernel_act_as(struct cred *new, u32 secid)
3245{
3246        struct task_security_struct *tsec = new->security;
3247        u32 sid = current_sid();
3248        int ret;
3249
3250        ret = avc_has_perm(sid, secid,
3251                           SECCLASS_KERNEL_SERVICE,
3252                           KERNEL_SERVICE__USE_AS_OVERRIDE,
3253                           NULL);
3254        if (ret == 0) {
3255                tsec->sid = secid;
3256                tsec->create_sid = 0;
3257                tsec->keycreate_sid = 0;
3258                tsec->sockcreate_sid = 0;
3259        }
3260        return ret;
3261}
3262
3263/*
3264 * set the file creation context in a security record to the same as the
3265 * objective context of the specified inode
3266 */
3267static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3268{
3269        struct inode_security_struct *isec = inode->i_security;
3270        struct task_security_struct *tsec = new->security;
3271        u32 sid = current_sid();
3272        int ret;
3273
3274        ret = avc_has_perm(sid, isec->sid,
3275                           SECCLASS_KERNEL_SERVICE,
3276                           KERNEL_SERVICE__CREATE_FILES_AS,
3277                           NULL);
3278
3279        if (ret == 0)
3280                tsec->create_sid = isec->sid;
3281        return ret;
3282}
3283
3284static int selinux_kernel_module_request(char *kmod_name)
3285{
3286        u32 sid;
3287        struct common_audit_data ad;
3288
3289        sid = task_sid(current);
3290
3291        COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3292        ad.u.kmod_name = kmod_name;
3293
3294        return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3295                            SYSTEM__MODULE_REQUEST, &ad);
3296}
3297
3298static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3299{
3300        return current_has_perm(p, PROCESS__SETPGID);
3301}
3302
3303static int selinux_task_getpgid(struct task_struct *p)
3304{
3305        return current_has_perm(p, PROCESS__GETPGID);
3306}
3307
3308static int selinux_task_getsid(struct task_struct *p)
3309{
3310        return current_has_perm(p, PROCESS__GETSESSION);
3311}
3312
3313static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3314{
3315        *secid = task_sid(p);
3316}
3317
3318static int selinux_task_setnice(struct task_struct *p, int nice)
3319{
3320        int rc;
3321
3322        rc = cap_task_setnice(p, nice);
3323        if (rc)
3324                return rc;
3325
3326        return current_has_perm(p, PROCESS__SETSCHED);
3327}
3328
3329static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3330{
3331        int rc;
3332
3333        rc = cap_task_setioprio(p, ioprio);
3334        if (rc)
3335                return rc;
3336
3337        return current_has_perm(p, PROCESS__SETSCHED);
3338}
3339
3340static int selinux_task_getioprio(struct task_struct *p)
3341{
3342        return current_has_perm(p, PROCESS__GETSCHED);
3343}
3344
3345static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3346                struct rlimit *new_rlim)
3347{
3348        struct rlimit *old_rlim = p->signal->rlim + resource;
3349
3350        /* Control the ability to change the hard limit (whether
3351           lowering or raising it), so that the hard limit can
3352           later be used as a safe reset point for the soft limit
3353           upon context transitions.  See selinux_bprm_committing_creds. */
3354        if (old_rlim->rlim_max != new_rlim->rlim_max)
3355                return current_has_perm(p, PROCESS__SETRLIMIT);
3356
3357        return 0;
3358}
3359
3360static int selinux_task_setscheduler(struct task_struct *p)
3361{
3362        int rc;
3363
3364        rc = cap_task_setscheduler(p);
3365        if (rc)
3366                return rc;
3367
3368        return current_has_perm(p, PROCESS__SETSCHED);
3369}
3370
3371static int selinux_task_getscheduler(struct task_struct *p)
3372{
3373        return current_has_perm(p, PROCESS__GETSCHED);
3374}
3375
3376static int selinux_task_movememory(struct task_struct *p)
3377{
3378        return current_has_perm(p, PROCESS__SETSCHED);
3379}
3380
3381static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3382                                int sig, u32 secid)
3383{
3384        u32 perm;
3385        int rc;
3386
3387        if (!sig)
3388                perm = PROCESS__SIGNULL; /* null signal; existence test */
3389        else
3390                perm = signal_to_av(sig);
3391        if (secid)
3392                rc = avc_has_perm(secid, task_sid(p),
3393                                  SECCLASS_PROCESS, perm, NULL);
3394        else
3395                rc = current_has_perm(p, perm);
3396        return rc;
3397}
3398
3399static int selinux_task_wait(struct task_struct *p)
3400{
3401        return task_has_perm(p, current, PROCESS__SIGCHLD);
3402}
3403
3404static void selinux_task_to_inode(struct task_struct *p,
3405                                  struct inode *inode)
3406{
3407        struct inode_security_struct *isec = inode->i_security;
3408        u32 sid = task_sid(p);
3409
3410        isec->sid = sid;
3411        isec->initialized = 1;
3412}
3413
3414/* Returns error only if unable to parse addresses */
3415static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3416                        struct common_audit_data *ad, u8 *proto)
3417{
3418        int offset, ihlen, ret = -EINVAL;
3419        struct iphdr _iph, *ih;
3420
3421        offset = skb_network_offset(skb);
3422        ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3423        if (ih == NULL)
3424                goto out;
3425
3426        ihlen = ih->ihl * 4;
3427        if (ihlen < sizeof(_iph))
3428                goto out;
3429
3430        ad->u.net.v4info.saddr = ih->saddr;
3431        ad->u.net.v4info.daddr = ih->daddr;
3432        ret = 0;
3433
3434        if (proto)
3435                *proto = ih->protocol;
3436
3437        switch (ih->protocol) {
3438        case IPPROTO_TCP: {
3439                struct tcphdr _tcph, *th;
3440
3441                if (ntohs(ih->frag_off) & IP_OFFSET)
3442                        break;
3443
3444                offset += ihlen;
3445                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3446                if (th == NULL)
3447                        break;
3448
3449                ad->u.net.sport = th->source;
3450                ad->u.net.dport = th->dest;
3451                break;
3452        }
3453
3454        case IPPROTO_UDP: {
3455                struct udphdr _udph, *uh;
3456
3457                if (ntohs(ih->frag_off) & IP_OFFSET)
3458                        break;
3459
3460                offset += ihlen;
3461                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3462                if (uh == NULL)
3463                        break;
3464
3465                ad->u.net.sport = uh->source;
3466                ad->u.net.dport = uh->dest;
3467                break;
3468        }
3469
3470        case IPPROTO_DCCP: {
3471                struct dccp_hdr _dccph, *dh;
3472
3473                if (ntohs(ih->frag_off) & IP_OFFSET)
3474                        break;
3475
3476                offset += ihlen;
3477                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3478                if (dh == NULL)
3479                        break;
3480
3481                ad->u.net.sport = dh->dccph_sport;
3482                ad->u.net.dport = dh->dccph_dport;
3483                break;
3484        }
3485
3486        default:
3487                break;
3488        }
3489out:
3490        return ret;
3491}
3492
3493#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3494
3495/* Returns error only if unable to parse addresses */
3496static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3497                        struct common_audit_data *ad, u8 *proto)
3498{
3499        u8 nexthdr;
3500        int ret = -EINVAL, offset;
3501        struct ipv6hdr _ipv6h, *ip6;
3502
3503        offset = skb_network_offset(skb);
3504        ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3505        if (ip6 == NULL)
3506                goto out;
3507
3508        ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3509        ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3510        ret = 0;
3511
3512        nexthdr = ip6->nexthdr;
3513        offset += sizeof(_ipv6h);
3514        offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3515        if (offset < 0)
3516                goto out;
3517
3518        if (proto)
3519                *proto = nexthdr;
3520
3521        switch (nexthdr) {
3522        case IPPROTO_TCP: {
3523                struct tcphdr _tcph, *th;
3524
3525                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3526                if (th == NULL)
3527                        break;
3528
3529                ad->u.net.sport = th->source;
3530                ad->u.net.dport = th->dest;
3531                break;
3532        }
3533
3534        case IPPROTO_UDP: {
3535                struct udphdr _udph, *uh;
3536
3537                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3538                if (uh == NULL)
3539                        break;
3540
3541                ad->u.net.sport = uh->source;
3542                ad->u.net.dport = uh->dest;
3543                break;
3544        }
3545
3546        case IPPROTO_DCCP: {
3547                struct dccp_hdr _dccph, *dh;
3548
3549                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3550                if (dh == NULL)
3551                        break;
3552
3553                ad->u.net.sport = dh->dccph_sport;
3554                ad->u.net.dport = dh->dccph_dport;
3555                break;
3556        }
3557
3558        /* includes fragments */
3559        default:
3560                break;
3561        }
3562out:
3563        return ret;
3564}
3565
3566#endif /* IPV6 */
3567
3568static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3569                             char **_addrp, int src, u8 *proto)
3570{
3571        char *addrp;
3572        int ret;
3573
3574        switch (ad->u.net.family) {
3575        case PF_INET:
3576                ret = selinux_parse_skb_ipv4(skb, ad, proto);
3577                if (ret)
3578                        goto parse_error;
3579                addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3580                                       &ad->u.net.v4info.daddr);
3581                goto okay;
3582
3583#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3584        case PF_INET6:
3585                ret = selinux_parse_skb_ipv6(skb, ad, proto);
3586                if (ret)
3587                        goto parse_error;
3588                addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3589                                       &ad->u.net.v6info.daddr);
3590                goto okay;
3591#endif  /* IPV6 */
3592        default:
3593                addrp = NULL;
3594                goto okay;
3595        }
3596
3597parse_error:
3598        printk(KERN_WARNING
3599               "SELinux: failure in selinux_parse_skb(),"
3600               " unable to parse packet\n");
3601        return ret;
3602
3603okay:
3604        if (_addrp)
3605                *_addrp = addrp;
3606        return 0;
3607}
3608
3609/**
3610 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3611 * @skb: the packet
3612 * @family: protocol family
3613 * @sid: the packet's peer label SID
3614 *
3615 * Description:
3616 * Check the various different forms of network peer labeling and determine
3617 * the peer label/SID for the packet; most of the magic actually occurs in
3618 * the security server function security_net_peersid_cmp().  The function
3619 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3620 * or -EACCES if @sid is invalid due to inconsistencies with the different
3621 * peer labels.
3622 *
3623 */
3624static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3625{
3626        int err;
3627        u32 xfrm_sid;
3628        u32 nlbl_sid;
3629        u32 nlbl_type;
3630
3631        selinux_skb_xfrm_sid(skb, &xfrm_sid);
3632        selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3633
3634        err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3635        if (unlikely(err)) {
3636                printk(KERN_WARNING
3637                       "SELinux: failure in selinux_skb_peerlbl_sid(),"
3638                       " unable to determine packet's peer label\n");
3639                return -EACCES;
3640        }
3641
3642        return 0;
3643}
3644
3645/* socket security operations */
3646
3647static u32 socket_sockcreate_sid(const struct task_security_struct *tsec)
3648{
3649        return tsec->sockcreate_sid ? : tsec->sid;
3650}
3651
3652static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3653{
3654        struct sk_security_struct *sksec = sk->sk_security;
3655        struct common_audit_data ad;
3656        u32 tsid = task_sid(task);
3657
3658        if (sksec->sid == SECINITSID_KERNEL)
3659                return 0;
3660
3661        COMMON_AUDIT_DATA_INIT(&ad, NET);
3662        ad.u.net.sk = sk;
3663
3664        return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3665}
3666
3667static int selinux_socket_create(int family, int type,
3668                                 int protocol, int kern)
3669{
3670        const struct task_security_struct *tsec = current_security();
3671        u32 newsid;
3672        u16 secclass;
3673
3674        if (kern)
3675                return 0;
3676
3677        newsid = socket_sockcreate_sid(tsec);
3678        secclass = socket_type_to_security_class(family, type, protocol);
3679        return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3680}
3681
3682static int selinux_socket_post_create(struct socket *sock, int family,
3683                                      int type, int protocol, int kern)
3684{
3685        const struct task_security_struct *tsec = current_security();
3686        struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3687        struct sk_security_struct *sksec;
3688        int err = 0;
3689
3690        if (kern)
3691                isec->sid = SECINITSID_KERNEL;
3692        else
3693                isec->sid = socket_sockcreate_sid(tsec);
3694
3695        isec->sclass = socket_type_to_security_class(family, type, protocol);
3696        isec->initialized = 1;
3697
3698        if (sock->sk) {
3699                sksec = sock->sk->sk_security;
3700                sksec->sid = isec->sid;
3701                sksec->sclass = isec->sclass;
3702                err = selinux_netlbl_socket_post_create(sock->sk, family);
3703        }
3704
3705        return err;
3706}
3707
3708/* Range of port numbers used to automatically bind.
3709   Need to determine whether we should perform a name_bind
3710   permission check between the socket and the port number. */
3711
3712static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3713{
3714        struct sock *sk = sock->sk;
3715        u16 family;
3716        int err;
3717
3718        err = sock_has_perm(current, sk, SOCKET__BIND);
3719        if (err)
3720                goto out;
3721
3722        /*
3723         * If PF_INET or PF_INET6, check name_bind permission for the port.
3724         * Multiple address binding for SCTP is not supported yet: we just
3725         * check the first address now.
3726         */
3727        family = sk->sk_family;
3728        if (family == PF_INET || family == PF_INET6) {
3729                char *addrp;
3730                struct sk_security_struct *sksec = sk->sk_security;
3731                struct common_audit_data ad;
3732                struct sockaddr_in *addr4 = NULL;
3733                struct sockaddr_in6 *addr6 = NULL;
3734                unsigned short snum;
3735                u32 sid, node_perm;
3736
3737                if (family == PF_INET) {
3738                        addr4 = (struct sockaddr_in *)address;
3739                        snum = ntohs(addr4->sin_port);
3740                        addrp = (char *)&addr4->sin_addr.s_addr;
3741                } else {
3742                        addr6 = (struct sockaddr_in6 *)address;
3743                        snum = ntohs(addr6->sin6_port);
3744                        addrp = (char *)&addr6->sin6_addr.s6_addr;
3745                }
3746
3747                if (snum) {
3748                        int low, high;
3749
3750                        inet_get_local_port_range(&low, &high);
3751
3752                        if (snum < max(PROT_SOCK, low) || snum > high) {
3753                                err = sel_netport_sid(sk->sk_protocol,
3754                                                      snum, &sid);
3755                                if (err)
3756                                        goto out;
3757                                COMMON_AUDIT_DATA_INIT(&ad, NET);
3758                                ad.u.net.sport = htons(snum);
3759                                ad.u.net.family = family;
3760                                err = avc_has_perm(sksec->sid, sid,
3761                                                   sksec->sclass,
3762                                                   SOCKET__NAME_BIND, &ad);
3763                                if (err)
3764                                        goto out;
3765                        }
3766                }
3767
3768                switch (sksec->sclass) {
3769                case SECCLASS_TCP_SOCKET:
3770                        node_perm = TCP_SOCKET__NODE_BIND;
3771                        break;
3772
3773                case SECCLASS_UDP_SOCKET:
3774                        node_perm = UDP_SOCKET__NODE_BIND;
3775                        break;
3776
3777                case SECCLASS_DCCP_SOCKET:
3778                        node_perm = DCCP_SOCKET__NODE_BIND;
3779                        break;
3780
3781                default:
3782                        node_perm = RAWIP_SOCKET__NODE_BIND;
3783                        break;
3784                }
3785
3786                err = sel_netnode_sid(addrp, family, &sid);
3787                if (err)
3788                        goto out;
3789
3790                COMMON_AUDIT_DATA_INIT(&ad, NET);
3791                ad.u.net.sport = htons(snum);
3792                ad.u.net.family = family;
3793
3794                if (family == PF_INET)
3795                        ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3796                else
3797                        ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3798
3799                err = avc_has_perm(sksec->sid, sid,
3800                                   sksec->sclass, node_perm, &ad);
3801                if (err)
3802                        goto out;
3803        }
3804out:
3805        return err;
3806}
3807
3808static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3809{
3810        struct sock *sk = sock->sk;
3811        struct sk_security_struct *sksec = sk->sk_security;
3812        int err;
3813
3814        err = sock_has_perm(current, sk, SOCKET__CONNECT);
3815        if (err)
3816                return err;
3817
3818        /*
3819         * If a TCP or DCCP socket, check name_connect permission for the port.
3820         */
3821        if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3822            sksec->sclass == SECCLASS_DCCP_SOCKET) {
3823                struct common_audit_data ad;
3824                struct sockaddr_in *addr4 = NULL;
3825                struct sockaddr_in6 *addr6 = NULL;
3826                unsigned short snum;
3827                u32 sid, perm;
3828
3829                if (sk->sk_family == PF_INET) {
3830                        addr4 = (struct sockaddr_in *)address;
3831                        if (addrlen < sizeof(struct sockaddr_in))
3832                                return -EINVAL;
3833                        snum = ntohs(addr4->sin_port);
3834                } else {
3835                        addr6 = (struct sockaddr_in6 *)address;
3836                        if (addrlen < SIN6_LEN_RFC2133)
3837                                return -EINVAL;
3838                        snum = ntohs(addr6->sin6_port);
3839                }
3840
3841                err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3842                if (err)
3843                        goto out;
3844
3845                perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3846                       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3847
3848                COMMON_AUDIT_DATA_INIT(&ad, NET);
3849                ad.u.net.dport = htons(snum);
3850                ad.u.net.family = sk->sk_family;
3851                err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3852                if (err)
3853                        goto out;
3854        }
3855
3856        err = selinux_netlbl_socket_connect(sk, address);
3857
3858out:
3859        return err;
3860}
3861
3862static int selinux_socket_listen(struct socket *sock, int backlog)
3863{
3864        return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3865}
3866
3867static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3868{
3869        int err;
3870        struct inode_security_struct *isec;
3871        struct inode_security_struct *newisec;
3872
3873        err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3874        if (err)
3875                return err;
3876
3877        newisec = SOCK_INODE(newsock)->i_security;
3878
3879        isec = SOCK_INODE(sock)->i_security;
3880        newisec->sclass = isec->sclass;
3881        newisec->sid = isec->sid;
3882        newisec->initialized = 1;
3883
3884        return 0;
3885}
3886
3887static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3888                                  int size)
3889{
3890        return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3891}
3892
3893static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3894                                  int size, int flags)
3895{
3896        return sock_has_perm(current, sock->sk, SOCKET__READ);
3897}
3898
3899static int selinux_socket_getsockname(struct socket *sock)
3900{
3901        return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3902}
3903
3904static int selinux_socket_getpeername(struct socket *sock)
3905{
3906        return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3907}
3908
3909static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3910{
3911        int err;
3912
3913        err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3914        if (err)
3915                return err;
3916
3917        return selinux_netlbl_socket_setsockopt(sock, level, optname);
3918}
3919
3920static int selinux_socket_getsockopt(struct socket *sock, int level,
3921                                     int optname)
3922{
3923        return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3924}
3925
3926static int selinux_socket_shutdown(struct socket *sock, int how)
3927{
3928        return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
3929}
3930
3931static int selinux_socket_unix_stream_connect(struct sock *sock,
3932                                              struct sock *other,
3933                                              struct sock *newsk)
3934{
3935        struct sk_security_struct *sksec_sock = sock->sk_security;
3936        struct sk_security_struct *sksec_other = other->sk_security;
3937        struct sk_security_struct *sksec_new = newsk->sk_security;
3938        struct common_audit_data ad;
3939        int err;
3940
3941        COMMON_AUDIT_DATA_INIT(&ad, NET);
3942        ad.u.net.sk = other;
3943
3944        err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
3945                           sksec_other->sclass,
3946                           UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3947        if (err)
3948                return err;
3949
3950        /* server child socket */
3951        sksec_new->peer_sid = sksec_sock->sid;
3952        err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
3953                                    &sksec_new->sid);
3954        if (err)
3955                return err;
3956
3957        /* connecting socket */
3958        sksec_sock->peer_sid = sksec_new->sid;
3959
3960        return 0;
3961}
3962
3963static int selinux_socket_unix_may_send(struct socket *sock,
3964                                        struct socket *other)
3965{
3966        struct sk_security_struct *ssec = sock->sk->sk_security;
3967        struct sk_security_struct *osec = other->sk->sk_security;
3968        struct common_audit_data ad;
3969
3970        COMMON_AUDIT_DATA_INIT(&ad, NET);
3971        ad.u.net.sk = other->sk;
3972
3973        return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
3974                            &ad);
3975}
3976
3977static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3978                                    u32 peer_sid,
3979                                    struct common_audit_data *ad)
3980{
3981        int err;
3982        u32 if_sid;
3983        u32 node_sid;
3984
3985        err = sel_netif_sid(ifindex, &if_sid);
3986        if (err)
3987                return err;
3988        err = avc_has_perm(peer_sid, if_sid,
3989                           SECCLASS_NETIF, NETIF__INGRESS, ad);
3990        if (err)
3991                return err;
3992
3993        err = sel_netnode_sid(addrp, family, &node_sid);
3994        if (err)
3995                return err;
3996        return avc_has_perm(peer_sid, node_sid,
3997                            SECCLASS_NODE, NODE__RECVFROM, ad);
3998}
3999
4000static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4001                                       u16 family)
4002{
4003        int err = 0;
4004        struct sk_security_struct *sksec = sk->sk_security;
4005        u32 peer_sid;
4006        u32 sk_sid = sksec->sid;
4007        struct common_audit_data ad;
4008        char *addrp;
4009
4010        COMMON_AUDIT_DATA_INIT(&ad, NET);
4011        ad.u.net.netif = skb->skb_iif;
4012        ad.u.net.family = family;
4013        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4014        if (err)
4015                return err;
4016
4017        if (selinux_secmark_enabled()) {
4018                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4019                                   PACKET__RECV, &ad);
4020                if (err)
4021                        return err;
4022        }
4023
4024        if (selinux_policycap_netpeer) {
4025                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4026                if (err)
4027                        return err;
4028                err = avc_has_perm(sk_sid, peer_sid,
4029                                   SECCLASS_PEER, PEER__RECV, &ad);
4030                if (err)
4031                        selinux_netlbl_err(skb, err, 0);
4032        } else {
4033                err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4034                if (err)
4035                        return err;
4036                err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4037        }
4038
4039        return err;
4040}
4041
4042static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4043{
4044        int err;
4045        struct sk_security_struct *sksec = sk->sk_security;
4046        u16 family = sk->sk_family;
4047        u32 sk_sid = sksec->sid;
4048        struct common_audit_data ad;
4049        char *addrp;
4050        u8 secmark_active;
4051        u8 peerlbl_active;
4052
4053        if (family != PF_INET && family != PF_INET6)
4054                return 0;
4055
4056        /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4057        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4058                family = PF_INET;
4059
4060        /* If any sort of compatibility mode is enabled then handoff processing
4061         * to the selinux_sock_rcv_skb_compat() function to deal with the
4062         * special handling.  We do this in an attempt to keep this function
4063         * as fast and as clean as possible. */
4064        if (!selinux_policycap_netpeer)
4065                return selinux_sock_rcv_skb_compat(sk, skb, family);
4066
4067        secmark_active = selinux_secmark_enabled();
4068        peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4069        if (!secmark_active && !peerlbl_active)
4070                return 0;
4071
4072        COMMON_AUDIT_DATA_INIT(&ad, NET);
4073        ad.u.net.netif = skb->skb_iif;
4074        ad.u.net.family = family;
4075        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4076        if (err)
4077                return err;
4078
4079        if (peerlbl_active) {
4080                u32 peer_sid;
4081
4082                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4083                if (err)
4084                        return err;
4085                err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4086                                               peer_sid, &ad);
4087                if (err) {
4088                        selinux_netlbl_err(skb, err, 0);
4089                        return err;
4090                }
4091                err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4092                                   PEER__RECV, &ad);
4093                if (err)
4094                        selinux_netlbl_err(skb, err, 0);
4095        }
4096
4097        if (secmark_active) {
4098                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4099                                   PACKET__RECV, &ad);
4100                if (err)
4101                        return err;
4102        }
4103
4104        return err;
4105}
4106
4107static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4108                                            int __user *optlen, unsigned len)
4109{
4110        int err = 0;
4111        char *scontext;
4112        u32 scontext_len;
4113        struct sk_security_struct *sksec = sock->sk->sk_security;
4114        u32 peer_sid = SECSID_NULL;
4115
4116        if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4117            sksec->sclass == SECCLASS_TCP_SOCKET)
4118                peer_sid = sksec->peer_sid;
4119        if (peer_sid == SECSID_NULL)
4120                return -ENOPROTOOPT;
4121
4122        err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4123        if (err)
4124                return err;
4125
4126        if (scontext_len > len) {
4127                err = -ERANGE;
4128                goto out_len;
4129        }
4130
4131        if (copy_to_user(optval, scontext, scontext_len))
4132                err = -EFAULT;
4133
4134out_len:
4135        if (put_user(scontext_len, optlen))
4136                err = -EFAULT;
4137        kfree(scontext);
4138        return err;
4139}
4140
4141static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4142{
4143        u32 peer_secid = SECSID_NULL;
4144        u16 family;
4145
4146        if (skb && skb->protocol == htons(ETH_P_IP))
4147                family = PF_INET;
4148        else if (skb && skb->protocol == htons(ETH_P_IPV6))
4149                family = PF_INET6;
4150        else if (sock)
4151                family = sock->sk->sk_family;
4152        else
4153                goto out;
4154
4155        if (sock && family == PF_UNIX)
4156                selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4157        else if (skb)
4158                selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4159
4160out:
4161        *secid = peer_secid;
4162        if (peer_secid == SECSID_NULL)
4163                return -EINVAL;
4164        return 0;
4165}
4166
4167static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4168{
4169        struct sk_security_struct *sksec;
4170
4171        sksec = kzalloc(sizeof(*sksec), priority);
4172        if (!sksec)
4173                return -ENOMEM;
4174
4175        sksec->peer_sid = SECINITSID_UNLABELED;
4176        sksec->sid = SECINITSID_UNLABELED;
4177        selinux_netlbl_sk_security_reset(sksec);
4178        sk->sk_security = sksec;
4179
4180        return 0;
4181}
4182
4183static void selinux_sk_free_security(struct sock *sk)
4184{
4185        struct sk_security_struct *sksec = sk->sk_security;
4186
4187        sk->sk_security = NULL;
4188        selinux_netlbl_sk_security_free(sksec);
4189        kfree(sksec);
4190}
4191
4192static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4193{
4194        struct sk_security_struct *sksec = sk->sk_security;
4195        struct sk_security_struct *newsksec = newsk->sk_security;
4196
4197        newsksec->sid = sksec->sid;
4198        newsksec->peer_sid = sksec->peer_sid;
4199        newsksec->sclass = sksec->sclass;
4200
4201        selinux_netlbl_sk_security_reset(newsksec);
4202}
4203
4204static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4205{
4206        if (!sk)
4207                *secid = SECINITSID_ANY_SOCKET;
4208        else {
4209                struct sk_security_struct *sksec = sk->sk_security;
4210
4211                *secid = sksec->sid;
4212        }
4213}
4214
4215static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4216{
4217        struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4218        struct sk_security_struct *sksec = sk->sk_security;
4219
4220        if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4221            sk->sk_family == PF_UNIX)
4222                isec->sid = sksec->sid;
4223        sksec->sclass = isec->sclass;
4224}
4225
4226static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4227                                     struct request_sock *req)
4228{
4229        struct sk_security_struct *sksec = sk->sk_security;
4230        int err;
4231        u16 family = sk->sk_family;
4232        u32 newsid;
4233        u32 peersid;
4234
4235        /* handle mapped IPv4 packets arriving via IPv6 sockets */
4236        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4237                family = PF_INET;
4238
4239        err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4240        if (err)
4241                return err;
4242        if (peersid == SECSID_NULL) {
4243                req->secid = sksec->sid;
4244                req->peer_secid = SECSID_NULL;
4245        } else {
4246                err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4247                if (err)
4248                        return err;
4249                req->secid = newsid;
4250                req->peer_secid = peersid;
4251        }
4252
4253        return selinux_netlbl_inet_conn_request(req, family);
4254}
4255
4256static void selinux_inet_csk_clone(struct sock *newsk,
4257                                   const struct request_sock *req)
4258{
4259        struct sk_security_struct *newsksec = newsk->sk_security;
4260
4261        newsksec->sid = req->secid;
4262        newsksec->peer_sid = req->peer_secid;
4263        /* NOTE: Ideally, we should also get the isec->sid for the
4264           new socket in sync, but we don't have the isec available yet.
4265           So we will wait until sock_graft to do it, by which
4266           time it will have been created and available. */
4267
4268        /* We don't need to take any sort of lock here as we are the only
4269         * thread with access to newsksec */
4270        selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4271}
4272
4273static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4274{
4275        u16 family = sk->sk_family;
4276        struct sk_security_struct *sksec = sk->sk_security;
4277
4278        /* handle mapped IPv4 packets arriving via IPv6 sockets */
4279        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4280                family = PF_INET;
4281
4282        selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4283}
4284
4285static int selinux_secmark_relabel_packet(u32 sid)
4286{
4287        const struct task_security_struct *__tsec;
4288        u32 tsid;
4289
4290        __tsec = current_security();
4291        tsid = __tsec->sid;
4292
4293        return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4294}
4295
4296static void selinux_secmark_refcount_inc(void)
4297{
4298        atomic_inc(&selinux_secmark_refcount);
4299}
4300
4301static void selinux_secmark_refcount_dec(void)
4302{
4303        atomic_dec(&selinux_secmark_refcount);
4304}
4305
4306static void selinux_req_classify_flow(const struct request_sock *req,
4307                                      struct flowi *fl)
4308{
4309        fl->secid = req->secid;
4310}
4311
4312static int selinux_tun_dev_create(void)
4313{
4314        u32 sid = current_sid();
4315
4316        /* we aren't taking into account the "sockcreate" SID since the socket
4317         * that is being created here is not a socket in the traditional sense,
4318         * instead it is a private sock, accessible only to the kernel, and
4319         * representing a wide range of network traffic spanning multiple
4320         * connections unlike traditional sockets - check the TUN driver to
4321         * get a better understanding of why this socket is special */
4322
4323        return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4324                            NULL);
4325}
4326
4327static void selinux_tun_dev_post_create(struct sock *sk)
4328{
4329        struct sk_security_struct *sksec = sk->sk_security;
4330
4331        /* we don't currently perform any NetLabel based labeling here and it
4332         * isn't clear that we would want to do so anyway; while we could apply
4333         * labeling without the support of the TUN user the resulting labeled
4334         * traffic from the other end of the connection would almost certainly
4335         * cause confusion to the TUN user that had no idea network labeling
4336         * protocols were being used */
4337
4338        /* see the comments in selinux_tun_dev_create() about why we don't use
4339         * the sockcreate SID here */
4340
4341        sksec->sid = current_sid();
4342        sksec->sclass = SECCLASS_TUN_SOCKET;
4343}
4344
4345static int selinux_tun_dev_attach(struct sock *sk)
4346{
4347        struct sk_security_struct *sksec = sk->sk_security;
4348        u32 sid = current_sid();
4349        int err;
4350
4351        err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4352                           TUN_SOCKET__RELABELFROM, NULL);
4353        if (err)
4354                return err;
4355        err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4356                           TUN_SOCKET__RELABELTO, NULL);
4357        if (err)
4358                return err;
4359
4360        sksec->sid = sid;
4361
4362        return 0;
4363}
4364
4365static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4366{
4367        int err = 0;
4368        u32 perm;
4369        struct nlmsghdr *nlh;
4370        struct sk_security_struct *sksec = sk->sk_security;
4371
4372        if (skb->len < NLMSG_SPACE(0)) {
4373                err = -EINVAL;
4374                goto out;
4375        }
4376        nlh = nlmsg_hdr(skb);
4377
4378        err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4379        if (err) {
4380                if (err == -EINVAL) {
4381                        audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4382                                  "SELinux:  unrecognized netlink message"
4383                                  " type=%hu for sclass=%hu\n",
4384                                  nlh->nlmsg_type, sksec->sclass);
4385                        if (!selinux_enforcing || security_get_allow_unknown())
4386                                err = 0;
4387                }
4388
4389                /* Ignore */
4390                if (err == -ENOENT)
4391                        err = 0;
4392                goto out;
4393        }
4394
4395        err = sock_has_perm(current, sk, perm);
4396out:
4397        return err;
4398}
4399
4400#ifdef CONFIG_NETFILTER
4401
4402static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4403                                       u16 family)
4404{
4405        int err;
4406        char *addrp;
4407        u32 peer_sid;
4408        struct common_audit_data ad;
4409        u8 secmark_active;
4410        u8 netlbl_active;
4411        u8 peerlbl_active;
4412
4413        if (!selinux_policycap_netpeer)
4414                return NF_ACCEPT;
4415
4416        secmark_active = selinux_secmark_enabled();
4417        netlbl_active = netlbl_enabled();
4418        peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4419        if (!secmark_active && !peerlbl_active)
4420                return NF_ACCEPT;
4421
4422        if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4423                return NF_DROP;
4424
4425        COMMON_AUDIT_DATA_INIT(&ad, NET);
4426        ad.u.net.netif = ifindex;
4427        ad.u.net.family = family;
4428        if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4429                return NF_DROP;
4430
4431        if (peerlbl_active) {
4432                err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4433                                               peer_sid, &ad);
4434                if (err) {
4435                        selinux_netlbl_err(skb, err, 1);
4436                        return NF_DROP;
4437                }
4438        }
4439
4440        if (secmark_active)
4441                if (avc_has_perm(peer_sid, skb->secmark,
4442                                 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4443                        return NF_DROP;
4444
4445        if (netlbl_active)
4446                /* we do this in the FORWARD path and not the POST_ROUTING
4447                 * path because we want to make sure we apply the necessary
4448                 * labeling before IPsec is applied so we can leverage AH
4449                 * protection */
4450                if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4451                        return NF_DROP;
4452
4453        return NF_ACCEPT;
4454}
4455
4456static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4457                                         struct sk_buff *skb,
4458                                         const struct net_device *in,
4459                                         const struct net_device *out,
4460                                         int (*okfn)(struct sk_buff *))
4461{
4462        return selinux_ip_forward(skb, in->ifindex, PF_INET);
4463}
4464
4465#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4466static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4467                                         struct sk_buff *skb,
4468                                         const struct net_device *in,
4469                                         const struct net_device *out,
4470                                         int (*okfn)(struct sk_buff *))
4471{
4472        return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4473}
4474#endif  /* IPV6 */
4475
4476static unsigned int selinux_ip_output(struct sk_buff *skb,