linux/security/selinux/hooks.c
<<
>>
Prefs
   1/*
   2 *  NSA Security-Enhanced Linux (SELinux) security module
   3 *
   4 *  This file contains the SELinux hook function implementations.
   5 *
   6 *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
   7 *            Chris Vance, <cvance@nai.com>
   8 *            Wayne Salamon, <wsalamon@nai.com>
   9 *            James Morris <jmorris@redhat.com>
  10 *
  11 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  12 *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
  13 *                                         Eric Paris <eparis@redhat.com>
  14 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  15 *                          <dgoeddel@trustedcs.com>
  16 *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
  17 *      Paul Moore <paul.moore@hp.com>
  18 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  19 *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
  20 *
  21 *      This program is free software; you can redistribute it and/or modify
  22 *      it under the terms of the GNU General Public License version 2,
  23 *      as published by the Free Software Foundation.
  24 */
  25
  26#include <linux/init.h>
  27#include <linux/kd.h>
  28#include <linux/kernel.h>
  29#include <linux/tracehook.h>
  30#include <linux/errno.h>
  31#include <linux/ext2_fs.h>
  32#include <linux/sched.h>
  33#include <linux/security.h>
  34#include <linux/xattr.h>
  35#include <linux/capability.h>
  36#include <linux/unistd.h>
  37#include <linux/mm.h>
  38#include <linux/mman.h>
  39#include <linux/slab.h>
  40#include <linux/pagemap.h>
  41#include <linux/proc_fs.h>
  42#include <linux/swap.h>
  43#include <linux/spinlock.h>
  44#include <linux/syscalls.h>
  45#include <linux/dcache.h>
  46#include <linux/file.h>
  47#include <linux/fdtable.h>
  48#include <linux/namei.h>
  49#include <linux/mount.h>
  50#include <linux/netfilter_ipv4.h>
  51#include <linux/netfilter_ipv6.h>
  52#include <linux/tty.h>
  53#include <net/icmp.h>
  54#include <net/ip.h>             /* for local_port_range[] */
  55#include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
  56#include <net/net_namespace.h>
  57#include <net/netlabel.h>
  58#include <linux/uaccess.h>
  59#include <asm/ioctls.h>
  60#include <asm/atomic.h>
  61#include <linux/bitops.h>
  62#include <linux/interrupt.h>
  63#include <linux/netdevice.h>    /* for network interface checks */
  64#include <linux/netlink.h>
  65#include <linux/tcp.h>
  66#include <linux/udp.h>
  67#include <linux/dccp.h>
  68#include <linux/quota.h>
  69#include <linux/un.h>           /* for Unix socket types */
  70#include <net/af_unix.h>        /* for Unix socket types */
  71#include <linux/parser.h>
  72#include <linux/nfs_mount.h>
  73#include <net/ipv6.h>
  74#include <linux/hugetlb.h>
  75#include <linux/personality.h>
  76#include <linux/audit.h>
  77#include <linux/string.h>
  78#include <linux/selinux.h>
  79#include <linux/mutex.h>
  80#include <linux/posix-timers.h>
  81#include <linux/syslog.h>
  82#include <linux/user_namespace.h>
  83
  84#include "avc.h"
  85#include "objsec.h"
  86#include "netif.h"
  87#include "netnode.h"
  88#include "netport.h"
  89#include "xfrm.h"
  90#include "netlabel.h"
  91#include "audit.h"
  92
  93#define NUM_SEL_MNT_OPTS 5
  94
  95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
  96extern struct security_operations *security_ops;
  97
  98/* SECMARK reference count */
  99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 100
 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 102int selinux_enforcing;
 103
 104static int __init enforcing_setup(char *str)
 105{
 106        unsigned long enforcing;
 107        if (!strict_strtoul(str, 0, &enforcing))
 108                selinux_enforcing = enforcing ? 1 : 0;
 109        return 1;
 110}
 111__setup("enforcing=", enforcing_setup);
 112#endif
 113
 114#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 115int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 116
 117static int __init selinux_enabled_setup(char *str)
 118{
 119        unsigned long enabled;
 120        if (!strict_strtoul(str, 0, &enabled))
 121                selinux_enabled = enabled ? 1 : 0;
 122        return 1;
 123}
 124__setup("selinux=", selinux_enabled_setup);
 125#else
 126int selinux_enabled = 1;
 127#endif
 128
 129static struct kmem_cache *sel_inode_cache;
 130
 131/**
 132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
 133 *
 134 * Description:
 135 * This function checks the SECMARK reference counter to see if any SECMARK
 136 * targets are currently configured, if the reference counter is greater than
 137 * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
 138 * enabled, false (0) if SECMARK is disabled.
 139 *
 140 */
 141static int selinux_secmark_enabled(void)
 142{
 143        return (atomic_read(&selinux_secmark_refcount) > 0);
 144}
 145
 146/*
 147 * initialise the security for the init task
 148 */
 149static void cred_init_security(void)
 150{
 151        struct cred *cred = (struct cred *) current->real_cred;
 152        struct task_security_struct *tsec;
 153
 154        tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
 155        if (!tsec)
 156                panic("SELinux:  Failed to initialize initial task.\n");
 157
 158        tsec->osid = tsec->sid = SECINITSID_KERNEL;
 159        cred->security = tsec;
 160}
 161
 162/*
 163 * get the security ID of a set of credentials
 164 */
 165static inline u32 cred_sid(const struct cred *cred)
 166{
 167        const struct task_security_struct *tsec;
 168
 169        tsec = cred->security;
 170        return tsec->sid;
 171}
 172
 173/*
 174 * get the objective security ID of a task
 175 */
 176static inline u32 task_sid(const struct task_struct *task)
 177{
 178        u32 sid;
 179
 180        rcu_read_lock();
 181        sid = cred_sid(__task_cred(task));
 182        rcu_read_unlock();
 183        return sid;
 184}
 185
 186/*
 187 * get the subjective security ID of the current task
 188 */
 189static inline u32 current_sid(void)
 190{
 191        const struct task_security_struct *tsec = current_security();
 192
 193        return tsec->sid;
 194}
 195
 196/* Allocate and free functions for each kind of security blob. */
 197
 198static int inode_alloc_security(struct inode *inode)
 199{
 200        struct inode_security_struct *isec;
 201        u32 sid = current_sid();
 202
 203        isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
 204        if (!isec)
 205                return -ENOMEM;
 206
 207        mutex_init(&isec->lock);
 208        INIT_LIST_HEAD(&isec->list);
 209        isec->inode = inode;
 210        isec->sid = SECINITSID_UNLABELED;
 211        isec->sclass = SECCLASS_FILE;
 212        isec->task_sid = sid;
 213        inode->i_security = isec;
 214
 215        return 0;
 216}
 217
 218static void inode_free_security(struct inode *inode)
 219{
 220        struct inode_security_struct *isec = inode->i_security;
 221        struct superblock_security_struct *sbsec = inode->i_sb->s_security;
 222
 223        spin_lock(&sbsec->isec_lock);
 224        if (!list_empty(&isec->list))
 225                list_del_init(&isec->list);
 226        spin_unlock(&sbsec->isec_lock);
 227
 228        inode->i_security = NULL;
 229        kmem_cache_free(sel_inode_cache, isec);
 230}
 231
 232static int file_alloc_security(struct file *file)
 233{
 234        struct file_security_struct *fsec;
 235        u32 sid = current_sid();
 236
 237        fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
 238        if (!fsec)
 239                return -ENOMEM;
 240
 241        fsec->sid = sid;
 242        fsec->fown_sid = sid;
 243        file->f_security = fsec;
 244
 245        return 0;
 246}
 247
 248static void file_free_security(struct file *file)
 249{
 250        struct file_security_struct *fsec = file->f_security;
 251        file->f_security = NULL;
 252        kfree(fsec);
 253}
 254
 255static int superblock_alloc_security(struct super_block *sb)
 256{
 257        struct superblock_security_struct *sbsec;
 258
 259        sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
 260        if (!sbsec)
 261                return -ENOMEM;
 262
 263        mutex_init(&sbsec->lock);
 264        INIT_LIST_HEAD(&sbsec->isec_head);
 265        spin_lock_init(&sbsec->isec_lock);
 266        sbsec->sb = sb;
 267        sbsec->sid = SECINITSID_UNLABELED;
 268        sbsec->def_sid = SECINITSID_FILE;
 269        sbsec->mntpoint_sid = SECINITSID_UNLABELED;
 270        sb->s_security = sbsec;
 271
 272        return 0;
 273}
 274
 275static void superblock_free_security(struct super_block *sb)
 276{
 277        struct superblock_security_struct *sbsec = sb->s_security;
 278        sb->s_security = NULL;
 279        kfree(sbsec);
 280}
 281
 282/* The security server must be initialized before
 283   any labeling or access decisions can be provided. */
 284extern int ss_initialized;
 285
 286/* The file system's label must be initialized prior to use. */
 287
 288static const char *labeling_behaviors[6] = {
 289        "uses xattr",
 290        "uses transition SIDs",
 291        "uses task SIDs",
 292        "uses genfs_contexts",
 293        "not configured for labeling",
 294        "uses mountpoint labeling",
 295};
 296
 297static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 298
 299static inline int inode_doinit(struct inode *inode)
 300{
 301        return inode_doinit_with_dentry(inode, NULL);
 302}
 303
 304enum {
 305        Opt_error = -1,
 306        Opt_context = 1,
 307        Opt_fscontext = 2,
 308        Opt_defcontext = 3,
 309        Opt_rootcontext = 4,
 310        Opt_labelsupport = 5,
 311};
 312
 313static const match_table_t tokens = {
 314        {Opt_context, CONTEXT_STR "%s"},
 315        {Opt_fscontext, FSCONTEXT_STR "%s"},
 316        {Opt_defcontext, DEFCONTEXT_STR "%s"},
 317        {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
 318        {Opt_labelsupport, LABELSUPP_STR},
 319        {Opt_error, NULL},
 320};
 321
 322#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
 323
 324static int may_context_mount_sb_relabel(u32 sid,
 325                        struct superblock_security_struct *sbsec,
 326                        const struct cred *cred)
 327{
 328        const struct task_security_struct *tsec = cred->security;
 329        int rc;
 330
 331        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 332                          FILESYSTEM__RELABELFROM, NULL);
 333        if (rc)
 334                return rc;
 335
 336        rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
 337                          FILESYSTEM__RELABELTO, NULL);
 338        return rc;
 339}
 340
 341static int may_context_mount_inode_relabel(u32 sid,
 342                        struct superblock_security_struct *sbsec,
 343                        const struct cred *cred)
 344{
 345        const struct task_security_struct *tsec = cred->security;
 346        int rc;
 347        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 348                          FILESYSTEM__RELABELFROM, NULL);
 349        if (rc)
 350                return rc;
 351
 352        rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
 353                          FILESYSTEM__ASSOCIATE, NULL);
 354        return rc;
 355}
 356
 357static int sb_finish_set_opts(struct super_block *sb)
 358{
 359        struct superblock_security_struct *sbsec = sb->s_security;
 360        struct dentry *root = sb->s_root;
 361        struct inode *root_inode = root->d_inode;
 362        int rc = 0;
 363
 364        if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 365                /* Make sure that the xattr handler exists and that no
 366                   error other than -ENODATA is returned by getxattr on
 367                   the root directory.  -ENODATA is ok, as this may be
 368                   the first boot of the SELinux kernel before we have
 369                   assigned xattr values to the filesystem. */
 370                if (!root_inode->i_op->getxattr) {
 371                        printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
 372                               "xattr support\n", sb->s_id, sb->s_type->name);
 373                        rc = -EOPNOTSUPP;
 374                        goto out;
 375                }
 376                rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
 377                if (rc < 0 && rc != -ENODATA) {
 378                        if (rc == -EOPNOTSUPP)
 379                                printk(KERN_WARNING "SELinux: (dev %s, type "
 380                                       "%s) has no security xattr handler\n",
 381                                       sb->s_id, sb->s_type->name);
 382                        else
 383                                printk(KERN_WARNING "SELinux: (dev %s, type "
 384                                       "%s) getxattr errno %d\n", sb->s_id,
 385                                       sb->s_type->name, -rc);
 386                        goto out;
 387                }
 388        }
 389
 390        sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
 391
 392        if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
 393                printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
 394                       sb->s_id, sb->s_type->name);
 395        else
 396                printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
 397                       sb->s_id, sb->s_type->name,
 398                       labeling_behaviors[sbsec->behavior-1]);
 399
 400        if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
 401            sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
 402            sbsec->behavior == SECURITY_FS_USE_NONE ||
 403            sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
 404                sbsec->flags &= ~SE_SBLABELSUPP;
 405
 406        /* Special handling for sysfs. Is genfs but also has setxattr handler*/
 407        if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
 408                sbsec->flags |= SE_SBLABELSUPP;
 409
 410        /* Initialize the root inode. */
 411        rc = inode_doinit_with_dentry(root_inode, root);
 412
 413        /* Initialize any other inodes associated with the superblock, e.g.
 414           inodes created prior to initial policy load or inodes created
 415           during get_sb by a pseudo filesystem that directly
 416           populates itself. */
 417        spin_lock(&sbsec->isec_lock);
 418next_inode:
 419        if (!list_empty(&sbsec->isec_head)) {
 420                struct inode_security_struct *isec =
 421                                list_entry(sbsec->isec_head.next,
 422                                           struct inode_security_struct, list);
 423                struct inode *inode = isec->inode;
 424                spin_unlock(&sbsec->isec_lock);
 425                inode = igrab(inode);
 426                if (inode) {
 427                        if (!IS_PRIVATE(inode))
 428                                inode_doinit(inode);
 429                        iput(inode);
 430                }
 431                spin_lock(&sbsec->isec_lock);
 432                list_del_init(&isec->list);
 433                goto next_inode;
 434        }
 435        spin_unlock(&sbsec->isec_lock);
 436out:
 437        return rc;
 438}
 439
 440/*
 441 * This function should allow an FS to ask what it's mount security
 442 * options were so it can use those later for submounts, displaying
 443 * mount options, or whatever.
 444 */
 445static int selinux_get_mnt_opts(const struct super_block *sb,
 446                                struct security_mnt_opts *opts)
 447{
 448        int rc = 0, i;
 449        struct superblock_security_struct *sbsec = sb->s_security;
 450        char *context = NULL;
 451        u32 len;
 452        char tmp;
 453
 454        security_init_mnt_opts(opts);
 455
 456        if (!(sbsec->flags & SE_SBINITIALIZED))
 457                return -EINVAL;
 458
 459        if (!ss_initialized)
 460                return -EINVAL;
 461
 462        tmp = sbsec->flags & SE_MNTMASK;
 463        /* count the number of mount options for this sb */
 464        for (i = 0; i < 8; i++) {
 465                if (tmp & 0x01)
 466                        opts->num_mnt_opts++;
 467                tmp >>= 1;
 468        }
 469        /* Check if the Label support flag is set */
 470        if (sbsec->flags & SE_SBLABELSUPP)
 471                opts->num_mnt_opts++;
 472
 473        opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
 474        if (!opts->mnt_opts) {
 475                rc = -ENOMEM;
 476                goto out_free;
 477        }
 478
 479        opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
 480        if (!opts->mnt_opts_flags) {
 481                rc = -ENOMEM;
 482                goto out_free;
 483        }
 484
 485        i = 0;
 486        if (sbsec->flags & FSCONTEXT_MNT) {
 487                rc = security_sid_to_context(sbsec->sid, &context, &len);
 488                if (rc)
 489                        goto out_free;
 490                opts->mnt_opts[i] = context;
 491                opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
 492        }
 493        if (sbsec->flags & CONTEXT_MNT) {
 494                rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
 495                if (rc)
 496                        goto out_free;
 497                opts->mnt_opts[i] = context;
 498                opts->mnt_opts_flags[i++] = CONTEXT_MNT;
 499        }
 500        if (sbsec->flags & DEFCONTEXT_MNT) {
 501                rc = security_sid_to_context(sbsec->def_sid, &context, &len);
 502                if (rc)
 503                        goto out_free;
 504                opts->mnt_opts[i] = context;
 505                opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
 506        }
 507        if (sbsec->flags & ROOTCONTEXT_MNT) {
 508                struct inode *root = sbsec->sb->s_root->d_inode;
 509                struct inode_security_struct *isec = root->i_security;
 510
 511                rc = security_sid_to_context(isec->sid, &context, &len);
 512                if (rc)
 513                        goto out_free;
 514                opts->mnt_opts[i] = context;
 515                opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
 516        }
 517        if (sbsec->flags & SE_SBLABELSUPP) {
 518                opts->mnt_opts[i] = NULL;
 519                opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
 520        }
 521
 522        BUG_ON(i != opts->num_mnt_opts);
 523
 524        return 0;
 525
 526out_free:
 527        security_free_mnt_opts(opts);
 528        return rc;
 529}
 530
 531static int bad_option(struct superblock_security_struct *sbsec, char flag,
 532                      u32 old_sid, u32 new_sid)
 533{
 534        char mnt_flags = sbsec->flags & SE_MNTMASK;
 535
 536        /* check if the old mount command had the same options */
 537        if (sbsec->flags & SE_SBINITIALIZED)
 538                if (!(sbsec->flags & flag) ||
 539                    (old_sid != new_sid))
 540                        return 1;
 541
 542        /* check if we were passed the same options twice,
 543         * aka someone passed context=a,context=b
 544         */
 545        if (!(sbsec->flags & SE_SBINITIALIZED))
 546                if (mnt_flags & flag)
 547                        return 1;
 548        return 0;
 549}
 550
 551/*
 552 * Allow filesystems with binary mount data to explicitly set mount point
 553 * labeling information.
 554 */
 555static int selinux_set_mnt_opts(struct super_block *sb,
 556                                struct security_mnt_opts *opts)
 557{
 558        const struct cred *cred = current_cred();
 559        int rc = 0, i;
 560        struct superblock_security_struct *sbsec = sb->s_security;
 561        const char *name = sb->s_type->name;
 562        struct inode *inode = sbsec->sb->s_root->d_inode;
 563        struct inode_security_struct *root_isec = inode->i_security;
 564        u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 565        u32 defcontext_sid = 0;
 566        char **mount_options = opts->mnt_opts;
 567        int *flags = opts->mnt_opts_flags;
 568        int num_opts = opts->num_mnt_opts;
 569
 570        mutex_lock(&sbsec->lock);
 571
 572        if (!ss_initialized) {
 573                if (!num_opts) {
 574                        /* Defer initialization until selinux_complete_init,
 575                           after the initial policy is loaded and the security
 576                           server is ready to handle calls. */
 577                        goto out;
 578                }
 579                rc = -EINVAL;
 580                printk(KERN_WARNING "SELinux: Unable to set superblock options "
 581                        "before the security server is initialized\n");
 582                goto out;
 583        }
 584
 585        /*
 586         * Binary mount data FS will come through this function twice.  Once
 587         * from an explicit call and once from the generic calls from the vfs.
 588         * Since the generic VFS calls will not contain any security mount data
 589         * we need to skip the double mount verification.
 590         *
 591         * This does open a hole in which we will not notice if the first
 592         * mount using this sb set explict options and a second mount using
 593         * this sb does not set any security options.  (The first options
 594         * will be used for both mounts)
 595         */
 596        if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
 597            && (num_opts == 0))
 598                goto out;
 599
 600        /*
 601         * parse the mount options, check if they are valid sids.
 602         * also check if someone is trying to mount the same sb more
 603         * than once with different security options.
 604         */
 605        for (i = 0; i < num_opts; i++) {
 606                u32 sid;
 607
 608                if (flags[i] == SE_SBLABELSUPP)
 609                        continue;
 610                rc = security_context_to_sid(mount_options[i],
 611                                             strlen(mount_options[i]), &sid);
 612                if (rc) {
 613                        printk(KERN_WARNING "SELinux: security_context_to_sid"
 614                               "(%s) failed for (dev %s, type %s) errno=%d\n",
 615                               mount_options[i], sb->s_id, name, rc);
 616                        goto out;
 617                }
 618                switch (flags[i]) {
 619                case FSCONTEXT_MNT:
 620                        fscontext_sid = sid;
 621
 622                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
 623                                        fscontext_sid))
 624                                goto out_double_mount;
 625
 626                        sbsec->flags |= FSCONTEXT_MNT;
 627                        break;
 628                case CONTEXT_MNT:
 629                        context_sid = sid;
 630
 631                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
 632                                        context_sid))
 633                                goto out_double_mount;
 634
 635                        sbsec->flags |= CONTEXT_MNT;
 636                        break;
 637                case ROOTCONTEXT_MNT:
 638                        rootcontext_sid = sid;
 639
 640                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
 641                                        rootcontext_sid))
 642                                goto out_double_mount;
 643
 644                        sbsec->flags |= ROOTCONTEXT_MNT;
 645
 646                        break;
 647                case DEFCONTEXT_MNT:
 648                        defcontext_sid = sid;
 649
 650                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
 651                                        defcontext_sid))
 652                                goto out_double_mount;
 653
 654                        sbsec->flags |= DEFCONTEXT_MNT;
 655
 656                        break;
 657                default:
 658                        rc = -EINVAL;
 659                        goto out;
 660                }
 661        }
 662
 663        if (sbsec->flags & SE_SBINITIALIZED) {
 664                /* previously mounted with options, but not on this attempt? */
 665                if ((sbsec->flags & SE_MNTMASK) && !num_opts)
 666                        goto out_double_mount;
 667                rc = 0;
 668                goto out;
 669        }
 670
 671        if (strcmp(sb->s_type->name, "proc") == 0)
 672                sbsec->flags |= SE_SBPROC;
 673
 674        /* Determine the labeling behavior to use for this filesystem type. */
 675        rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
 676        if (rc) {
 677                printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
 678                       __func__, sb->s_type->name, rc);
 679                goto out;
 680        }
 681
 682        /* sets the context of the superblock for the fs being mounted. */
 683        if (fscontext_sid) {
 684                rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
 685                if (rc)
 686                        goto out;
 687
 688                sbsec->sid = fscontext_sid;
 689        }
 690
 691        /*
 692         * Switch to using mount point labeling behavior.
 693         * sets the label used on all file below the mountpoint, and will set
 694         * the superblock context if not already set.
 695         */
 696        if (context_sid) {
 697                if (!fscontext_sid) {
 698                        rc = may_context_mount_sb_relabel(context_sid, sbsec,
 699                                                          cred);
 700                        if (rc)
 701                                goto out;
 702                        sbsec->sid = context_sid;
 703                } else {
 704                        rc = may_context_mount_inode_relabel(context_sid, sbsec,
 705                                                             cred);
 706                        if (rc)
 707                                goto out;
 708                }
 709                if (!rootcontext_sid)
 710                        rootcontext_sid = context_sid;
 711
 712                sbsec->mntpoint_sid = context_sid;
 713                sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 714        }
 715
 716        if (rootcontext_sid) {
 717                rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
 718                                                     cred);
 719                if (rc)
 720                        goto out;
 721
 722                root_isec->sid = rootcontext_sid;
 723                root_isec->initialized = 1;
 724        }
 725
 726        if (defcontext_sid) {
 727                if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
 728                        rc = -EINVAL;
 729                        printk(KERN_WARNING "SELinux: defcontext option is "
 730                               "invalid for this filesystem type\n");
 731                        goto out;
 732                }
 733
 734                if (defcontext_sid != sbsec->def_sid) {
 735                        rc = may_context_mount_inode_relabel(defcontext_sid,
 736                                                             sbsec, cred);
 737                        if (rc)
 738                                goto out;
 739                }
 740
 741                sbsec->def_sid = defcontext_sid;
 742        }
 743
 744        rc = sb_finish_set_opts(sb);
 745out:
 746        mutex_unlock(&sbsec->lock);
 747        return rc;
 748out_double_mount:
 749        rc = -EINVAL;
 750        printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
 751               "security settings for (dev %s, type %s)\n", sb->s_id, name);
 752        goto out;
 753}
 754
 755static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
 756                                        struct super_block *newsb)
 757{
 758        const struct superblock_security_struct *oldsbsec = oldsb->s_security;
 759        struct superblock_security_struct *newsbsec = newsb->s_security;
 760
 761        int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
 762        int set_context =       (oldsbsec->flags & CONTEXT_MNT);
 763        int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
 764
 765        /*
 766         * if the parent was able to be mounted it clearly had no special lsm
 767         * mount options.  thus we can safely deal with this superblock later
 768         */
 769        if (!ss_initialized)
 770                return;
 771
 772        /* how can we clone if the old one wasn't set up?? */
 773        BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
 774
 775        /* if fs is reusing a sb, just let its options stand... */
 776        if (newsbsec->flags & SE_SBINITIALIZED)
 777                return;
 778
 779        mutex_lock(&newsbsec->lock);
 780
 781        newsbsec->flags = oldsbsec->flags;
 782
 783        newsbsec->sid = oldsbsec->sid;
 784        newsbsec->def_sid = oldsbsec->def_sid;
 785        newsbsec->behavior = oldsbsec->behavior;
 786
 787        if (set_context) {
 788                u32 sid = oldsbsec->mntpoint_sid;
 789
 790                if (!set_fscontext)
 791                        newsbsec->sid = sid;
 792                if (!set_rootcontext) {
 793                        struct inode *newinode = newsb->s_root->d_inode;
 794                        struct inode_security_struct *newisec = newinode->i_security;
 795                        newisec->sid = sid;
 796                }
 797                newsbsec->mntpoint_sid = sid;
 798        }
 799        if (set_rootcontext) {
 800                const struct inode *oldinode = oldsb->s_root->d_inode;
 801                const struct inode_security_struct *oldisec = oldinode->i_security;
 802                struct inode *newinode = newsb->s_root->d_inode;
 803                struct inode_security_struct *newisec = newinode->i_security;
 804
 805                newisec->sid = oldisec->sid;
 806        }
 807
 808        sb_finish_set_opts(newsb);
 809        mutex_unlock(&newsbsec->lock);
 810}
 811
 812static int selinux_parse_opts_str(char *options,
 813                                  struct security_mnt_opts *opts)
 814{
 815        char *p;
 816        char *context = NULL, *defcontext = NULL;
 817        char *fscontext = NULL, *rootcontext = NULL;
 818        int rc, num_mnt_opts = 0;
 819
 820        opts->num_mnt_opts = 0;
 821
 822        /* Standard string-based options. */
 823        while ((p = strsep(&options, "|")) != NULL) {
 824                int token;
 825                substring_t args[MAX_OPT_ARGS];
 826
 827                if (!*p)
 828                        continue;
 829
 830                token = match_token(p, tokens, args);
 831
 832                switch (token) {
 833                case Opt_context:
 834                        if (context || defcontext) {
 835                                rc = -EINVAL;
 836                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 837                                goto out_err;
 838                        }
 839                        context = match_strdup(&args[0]);
 840                        if (!context) {
 841                                rc = -ENOMEM;
 842                                goto out_err;
 843                        }
 844                        break;
 845
 846                case Opt_fscontext:
 847                        if (fscontext) {
 848                                rc = -EINVAL;
 849                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 850                                goto out_err;
 851                        }
 852                        fscontext = match_strdup(&args[0]);
 853                        if (!fscontext) {
 854                                rc = -ENOMEM;
 855                                goto out_err;
 856                        }
 857                        break;
 858
 859                case Opt_rootcontext:
 860                        if (rootcontext) {
 861                                rc = -EINVAL;
 862                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 863                                goto out_err;
 864                        }
 865                        rootcontext = match_strdup(&args[0]);
 866                        if (!rootcontext) {
 867                                rc = -ENOMEM;
 868                                goto out_err;
 869                        }
 870                        break;
 871
 872                case Opt_defcontext:
 873                        if (context || defcontext) {
 874                                rc = -EINVAL;
 875                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 876                                goto out_err;
 877                        }
 878                        defcontext = match_strdup(&args[0]);
 879                        if (!defcontext) {
 880                                rc = -ENOMEM;
 881                                goto out_err;
 882                        }
 883                        break;
 884                case Opt_labelsupport:
 885                        break;
 886                default:
 887                        rc = -EINVAL;
 888                        printk(KERN_WARNING "SELinux:  unknown mount option\n");
 889                        goto out_err;
 890
 891                }
 892        }
 893
 894        rc = -ENOMEM;
 895        opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
 896        if (!opts->mnt_opts)
 897                goto out_err;
 898
 899        opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
 900        if (!opts->mnt_opts_flags) {
 901                kfree(opts->mnt_opts);
 902                goto out_err;
 903        }
 904
 905        if (fscontext) {
 906                opts->mnt_opts[num_mnt_opts] = fscontext;
 907                opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
 908        }
 909        if (context) {
 910                opts->mnt_opts[num_mnt_opts] = context;
 911                opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
 912        }
 913        if (rootcontext) {
 914                opts->mnt_opts[num_mnt_opts] = rootcontext;
 915                opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
 916        }
 917        if (defcontext) {
 918                opts->mnt_opts[num_mnt_opts] = defcontext;
 919                opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
 920        }
 921
 922        opts->num_mnt_opts = num_mnt_opts;
 923        return 0;
 924
 925out_err:
 926        kfree(context);
 927        kfree(defcontext);
 928        kfree(fscontext);
 929        kfree(rootcontext);
 930        return rc;
 931}
 932/*
 933 * string mount options parsing and call set the sbsec
 934 */
 935static int superblock_doinit(struct super_block *sb, void *data)
 936{
 937        int rc = 0;
 938        char *options = data;
 939        struct security_mnt_opts opts;
 940
 941        security_init_mnt_opts(&opts);
 942
 943        if (!data)
 944                goto out;
 945
 946        BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
 947
 948        rc = selinux_parse_opts_str(options, &opts);
 949        if (rc)
 950                goto out_err;
 951
 952out:
 953        rc = selinux_set_mnt_opts(sb, &opts);
 954
 955out_err:
 956        security_free_mnt_opts(&opts);
 957        return rc;
 958}
 959
 960static void selinux_write_opts(struct seq_file *m,
 961                               struct security_mnt_opts *opts)
 962{
 963        int i;
 964        char *prefix;
 965
 966        for (i = 0; i < opts->num_mnt_opts; i++) {
 967                char *has_comma;
 968
 969                if (opts->mnt_opts[i])
 970                        has_comma = strchr(opts->mnt_opts[i], ',');
 971                else
 972                        has_comma = NULL;
 973
 974                switch (opts->mnt_opts_flags[i]) {
 975                case CONTEXT_MNT:
 976                        prefix = CONTEXT_STR;
 977                        break;
 978                case FSCONTEXT_MNT:
 979                        prefix = FSCONTEXT_STR;
 980                        break;
 981                case ROOTCONTEXT_MNT:
 982                        prefix = ROOTCONTEXT_STR;
 983                        break;
 984                case DEFCONTEXT_MNT:
 985                        prefix = DEFCONTEXT_STR;
 986                        break;
 987                case SE_SBLABELSUPP:
 988                        seq_putc(m, ',');
 989                        seq_puts(m, LABELSUPP_STR);
 990                        continue;
 991                default:
 992                        BUG();
 993                };
 994                /* we need a comma before each option */
 995                seq_putc(m, ',');
 996                seq_puts(m, prefix);
 997                if (has_comma)
 998                        seq_putc(m, '\"');
 999                seq_puts(m, opts->mnt_opts[i]);
1000                if (has_comma)
1001                        seq_putc(m, '\"');
1002        }
1003}
1004
1005static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1006{
1007        struct security_mnt_opts opts;
1008        int rc;
1009
1010        rc = selinux_get_mnt_opts(sb, &opts);
1011        if (rc) {
1012                /* before policy load we may get EINVAL, don't show anything */
1013                if (rc == -EINVAL)
1014                        rc = 0;
1015                return rc;
1016        }
1017
1018        selinux_write_opts(m, &opts);
1019
1020        security_free_mnt_opts(&opts);
1021
1022        return rc;
1023}
1024
1025static inline u16 inode_mode_to_security_class(umode_t mode)
1026{
1027        switch (mode & S_IFMT) {
1028        case S_IFSOCK:
1029                return SECCLASS_SOCK_FILE;
1030        case S_IFLNK:
1031                return SECCLASS_LNK_FILE;
1032        case S_IFREG:
1033                return SECCLASS_FILE;
1034        case S_IFBLK:
1035                return SECCLASS_BLK_FILE;
1036        case S_IFDIR:
1037                return SECCLASS_DIR;
1038        case S_IFCHR:
1039                return SECCLASS_CHR_FILE;
1040        case S_IFIFO:
1041                return SECCLASS_FIFO_FILE;
1042
1043        }
1044
1045        return SECCLASS_FILE;
1046}
1047
1048static inline int default_protocol_stream(int protocol)
1049{
1050        return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1051}
1052
1053static inline int default_protocol_dgram(int protocol)
1054{
1055        return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1056}
1057
1058static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1059{
1060        switch (family) {
1061        case PF_UNIX:
1062                switch (type) {
1063                case SOCK_STREAM:
1064                case SOCK_SEQPACKET:
1065                        return SECCLASS_UNIX_STREAM_SOCKET;
1066                case SOCK_DGRAM:
1067                        return SECCLASS_UNIX_DGRAM_SOCKET;
1068                }
1069                break;
1070        case PF_INET:
1071        case PF_INET6:
1072                switch (type) {
1073                case SOCK_STREAM:
1074                        if (default_protocol_stream(protocol))
1075                                return SECCLASS_TCP_SOCKET;
1076                        else
1077                                return SECCLASS_RAWIP_SOCKET;
1078                case SOCK_DGRAM:
1079                        if (default_protocol_dgram(protocol))
1080                                return SECCLASS_UDP_SOCKET;
1081                        else
1082                                return SECCLASS_RAWIP_SOCKET;
1083                case SOCK_DCCP:
1084                        return SECCLASS_DCCP_SOCKET;
1085                default:
1086                        return SECCLASS_RAWIP_SOCKET;
1087                }
1088                break;
1089        case PF_NETLINK:
1090                switch (protocol) {
1091                case NETLINK_ROUTE:
1092                        return SECCLASS_NETLINK_ROUTE_SOCKET;
1093                case NETLINK_FIREWALL:
1094                        return SECCLASS_NETLINK_FIREWALL_SOCKET;
1095                case NETLINK_INET_DIAG:
1096                        return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1097                case NETLINK_NFLOG:
1098                        return SECCLASS_NETLINK_NFLOG_SOCKET;
1099                case NETLINK_XFRM:
1100                        return SECCLASS_NETLINK_XFRM_SOCKET;
1101                case NETLINK_SELINUX:
1102                        return SECCLASS_NETLINK_SELINUX_SOCKET;
1103                case NETLINK_AUDIT:
1104                        return SECCLASS_NETLINK_AUDIT_SOCKET;
1105                case NETLINK_IP6_FW:
1106                        return SECCLASS_NETLINK_IP6FW_SOCKET;
1107                case NETLINK_DNRTMSG:
1108                        return SECCLASS_NETLINK_DNRT_SOCKET;
1109                case NETLINK_KOBJECT_UEVENT:
1110                        return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1111                default:
1112                        return SECCLASS_NETLINK_SOCKET;
1113                }
1114        case PF_PACKET:
1115                return SECCLASS_PACKET_SOCKET;
1116        case PF_KEY:
1117                return SECCLASS_KEY_SOCKET;
1118        case PF_APPLETALK:
1119                return SECCLASS_APPLETALK_SOCKET;
1120        }
1121
1122        return SECCLASS_SOCKET;
1123}
1124
1125#ifdef CONFIG_PROC_FS
1126static int selinux_proc_get_sid(struct dentry *dentry,
1127                                u16 tclass,
1128                                u32 *sid)
1129{
1130        int rc;
1131        char *buffer, *path;
1132
1133        buffer = (char *)__get_free_page(GFP_KERNEL);
1134        if (!buffer)
1135                return -ENOMEM;
1136
1137        path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1138        if (IS_ERR(path))
1139                rc = PTR_ERR(path);
1140        else {
1141                /* each process gets a /proc/PID/ entry. Strip off the
1142                 * PID part to get a valid selinux labeling.
1143                 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1144                while (path[1] >= '0' && path[1] <= '9') {
1145                        path[1] = '/';
1146                        path++;
1147                }
1148                rc = security_genfs_sid("proc", path, tclass, sid);
1149        }
1150        free_page((unsigned long)buffer);
1151        return rc;
1152}
1153#else
1154static int selinux_proc_get_sid(struct dentry *dentry,
1155                                u16 tclass,
1156                                u32 *sid)
1157{
1158        return -EINVAL;
1159}
1160#endif
1161
1162/* The inode's security attributes must be initialized before first use. */
1163static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1164{
1165        struct superblock_security_struct *sbsec = NULL;
1166        struct inode_security_struct *isec = inode->i_security;
1167        u32 sid;
1168        struct dentry *dentry;
1169#define INITCONTEXTLEN 255
1170        char *context = NULL;
1171        unsigned len = 0;
1172        int rc = 0;
1173
1174        if (isec->initialized)
1175                goto out;
1176
1177        mutex_lock(&isec->lock);
1178        if (isec->initialized)
1179                goto out_unlock;
1180
1181        sbsec = inode->i_sb->s_security;
1182        if (!(sbsec->flags & SE_SBINITIALIZED)) {
1183                /* Defer initialization until selinux_complete_init,
1184                   after the initial policy is loaded and the security
1185                   server is ready to handle calls. */
1186                spin_lock(&sbsec->isec_lock);
1187                if (list_empty(&isec->list))
1188                        list_add(&isec->list, &sbsec->isec_head);
1189                spin_unlock(&sbsec->isec_lock);
1190                goto out_unlock;
1191        }
1192
1193        switch (sbsec->behavior) {
1194        case SECURITY_FS_USE_XATTR:
1195                if (!inode->i_op->getxattr) {
1196                        isec->sid = sbsec->def_sid;
1197                        break;
1198                }
1199
1200                /* Need a dentry, since the xattr API requires one.
1201                   Life would be simpler if we could just pass the inode. */
1202                if (opt_dentry) {
1203                        /* Called from d_instantiate or d_splice_alias. */
1204                        dentry = dget(opt_dentry);
1205                } else {
1206                        /* Called from selinux_complete_init, try to find a dentry. */
1207                        dentry = d_find_alias(inode);
1208                }
1209                if (!dentry) {
1210                        /*
1211                         * this is can be hit on boot when a file is accessed
1212                         * before the policy is loaded.  When we load policy we
1213                         * may find inodes that have no dentry on the
1214                         * sbsec->isec_head list.  No reason to complain as these
1215                         * will get fixed up the next time we go through
1216                         * inode_doinit with a dentry, before these inodes could
1217                         * be used again by userspace.
1218                         */
1219                        goto out_unlock;
1220                }
1221
1222                len = INITCONTEXTLEN;
1223                context = kmalloc(len+1, GFP_NOFS);
1224                if (!context) {
1225                        rc = -ENOMEM;
1226                        dput(dentry);
1227                        goto out_unlock;
1228                }
1229                context[len] = '\0';
1230                rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1231                                           context, len);
1232                if (rc == -ERANGE) {
1233                        kfree(context);
1234
1235                        /* Need a larger buffer.  Query for the right size. */
1236                        rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1237                                                   NULL, 0);
1238                        if (rc < 0) {
1239                                dput(dentry);
1240                                goto out_unlock;
1241                        }
1242                        len = rc;
1243                        context = kmalloc(len+1, GFP_NOFS);
1244                        if (!context) {
1245                                rc = -ENOMEM;
1246                                dput(dentry);
1247                                goto out_unlock;
1248                        }
1249                        context[len] = '\0';
1250                        rc = inode->i_op->getxattr(dentry,
1251                                                   XATTR_NAME_SELINUX,
1252                                                   context, len);
1253                }
1254                dput(dentry);
1255                if (rc < 0) {
1256                        if (rc != -ENODATA) {
1257                                printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1258                                       "%d for dev=%s ino=%ld\n", __func__,
1259                                       -rc, inode->i_sb->s_id, inode->i_ino);
1260                                kfree(context);
1261                                goto out_unlock;
1262                        }
1263                        /* Map ENODATA to the default file SID */
1264                        sid = sbsec->def_sid;
1265                        rc = 0;
1266                } else {
1267                        rc = security_context_to_sid_default(context, rc, &sid,
1268                                                             sbsec->def_sid,
1269                                                             GFP_NOFS);
1270                        if (rc) {
1271                                char *dev = inode->i_sb->s_id;
1272                                unsigned long ino = inode->i_ino;
1273
1274                                if (rc == -EINVAL) {
1275                                        if (printk_ratelimit())
1276                                                printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1277                                                        "context=%s.  This indicates you may need to relabel the inode or the "
1278                                                        "filesystem in question.\n", ino, dev, context);
1279                                } else {
1280                                        printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1281                                               "returned %d for dev=%s ino=%ld\n",
1282                                               __func__, context, -rc, dev, ino);
1283                                }
1284                                kfree(context);
1285                                /* Leave with the unlabeled SID */
1286                                rc = 0;
1287                                break;
1288                        }
1289                }
1290                kfree(context);
1291                isec->sid = sid;
1292                break;
1293        case SECURITY_FS_USE_TASK:
1294                isec->sid = isec->task_sid;
1295                break;
1296        case SECURITY_FS_USE_TRANS:
1297                /* Default to the fs SID. */
1298                isec->sid = sbsec->sid;
1299
1300                /* Try to obtain a transition SID. */
1301                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1302                rc = security_transition_sid(isec->task_sid, sbsec->sid,
1303                                             isec->sclass, NULL, &sid);
1304                if (rc)
1305                        goto out_unlock;
1306                isec->sid = sid;
1307                break;
1308        case SECURITY_FS_USE_MNTPOINT:
1309                isec->sid = sbsec->mntpoint_sid;
1310                break;
1311        default:
1312                /* Default to the fs superblock SID. */
1313                isec->sid = sbsec->sid;
1314
1315                if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1316                        if (opt_dentry) {
1317                                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1318                                rc = selinux_proc_get_sid(opt_dentry,
1319                                                          isec->sclass,
1320                                                          &sid);
1321                                if (rc)
1322                                        goto out_unlock;
1323                                isec->sid = sid;
1324                        }
1325                }
1326                break;
1327        }
1328
1329        isec->initialized = 1;
1330
1331out_unlock:
1332        mutex_unlock(&isec->lock);
1333out:
1334        if (isec->sclass == SECCLASS_FILE)
1335                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1336        return rc;
1337}
1338
1339/* Convert a Linux signal to an access vector. */
1340static inline u32 signal_to_av(int sig)
1341{
1342        u32 perm = 0;
1343
1344        switch (sig) {
1345        case SIGCHLD:
1346                /* Commonly granted from child to parent. */
1347                perm = PROCESS__SIGCHLD;
1348                break;
1349        case SIGKILL:
1350                /* Cannot be caught or ignored */
1351                perm = PROCESS__SIGKILL;
1352                break;
1353        case SIGSTOP:
1354                /* Cannot be caught or ignored */
1355                perm = PROCESS__SIGSTOP;
1356                break;
1357        default:
1358                /* All other signals. */
1359                perm = PROCESS__SIGNAL;
1360                break;
1361        }
1362
1363        return perm;
1364}
1365
1366/*
1367 * Check permission between a pair of credentials
1368 * fork check, ptrace check, etc.
1369 */
1370static int cred_has_perm(const struct cred *actor,
1371                         const struct cred *target,
1372                         u32 perms)
1373{
1374        u32 asid = cred_sid(actor), tsid = cred_sid(target);
1375
1376        return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1377}
1378
1379/*
1380 * Check permission between a pair of tasks, e.g. signal checks,
1381 * fork check, ptrace check, etc.
1382 * tsk1 is the actor and tsk2 is the target
1383 * - this uses the default subjective creds of tsk1
1384 */
1385static int task_has_perm(const struct task_struct *tsk1,
1386                         const struct task_struct *tsk2,
1387                         u32 perms)
1388{
1389        const struct task_security_struct *__tsec1, *__tsec2;
1390        u32 sid1, sid2;
1391
1392        rcu_read_lock();
1393        __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1394        __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1395        rcu_read_unlock();
1396        return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1397}
1398
1399/*
1400 * Check permission between current and another task, e.g. signal checks,
1401 * fork check, ptrace check, etc.
1402 * current is the actor and tsk2 is the target
1403 * - this uses current's subjective creds
1404 */
1405static int current_has_perm(const struct task_struct *tsk,
1406                            u32 perms)
1407{
1408        u32 sid, tsid;
1409
1410        sid = current_sid();
1411        tsid = task_sid(tsk);
1412        return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1413}
1414
1415#if CAP_LAST_CAP > 63
1416#error Fix SELinux to handle capabilities > 63.
1417#endif
1418
1419/* Check whether a task is allowed to use a capability. */
1420static int task_has_capability(struct task_struct *tsk,
1421                               const struct cred *cred,
1422                               int cap, int audit)
1423{
1424        struct common_audit_data ad;
1425        struct av_decision avd;
1426        u16 sclass;
1427        u32 sid = cred_sid(cred);
1428        u32 av = CAP_TO_MASK(cap);
1429        int rc;
1430
1431        COMMON_AUDIT_DATA_INIT(&ad, CAP);
1432        ad.tsk = tsk;
1433        ad.u.cap = cap;
1434
1435        switch (CAP_TO_INDEX(cap)) {
1436        case 0:
1437                sclass = SECCLASS_CAPABILITY;
1438                break;
1439        case 1:
1440                sclass = SECCLASS_CAPABILITY2;
1441                break;
1442        default:
1443                printk(KERN_ERR
1444                       "SELinux:  out of range capability %d\n", cap);
1445                BUG();
1446        }
1447
1448        rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1449        if (audit == SECURITY_CAP_AUDIT) {
1450                int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1451                if (rc2)
1452                        return rc2;
1453        }
1454        return rc;
1455}
1456
1457/* Check whether a task is allowed to use a system operation. */
1458static int task_has_system(struct task_struct *tsk,
1459                           u32 perms)
1460{
1461        u32 sid = task_sid(tsk);
1462
1463        return avc_has_perm(sid, SECINITSID_KERNEL,
1464                            SECCLASS_SYSTEM, perms, NULL);
1465}
1466
1467/* Check whether a task has a particular permission to an inode.
1468   The 'adp' parameter is optional and allows other audit
1469   data to be passed (e.g. the dentry). */
1470static int inode_has_perm(const struct cred *cred,
1471                          struct inode *inode,
1472                          u32 perms,
1473                          struct common_audit_data *adp,
1474                          unsigned flags)
1475{
1476        struct inode_security_struct *isec;
1477        struct common_audit_data ad;
1478        u32 sid;
1479
1480        validate_creds(cred);
1481
1482        if (unlikely(IS_PRIVATE(inode)))
1483                return 0;
1484
1485        sid = cred_sid(cred);
1486        isec = inode->i_security;
1487
1488        if (!adp) {
1489                adp = &ad;
1490                COMMON_AUDIT_DATA_INIT(&ad, FS);
1491                ad.u.fs.inode = inode;
1492        }
1493
1494        return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1495}
1496
1497/* Same as inode_has_perm, but pass explicit audit data containing
1498   the dentry to help the auditing code to more easily generate the
1499   pathname if needed. */
1500static inline int dentry_has_perm(const struct cred *cred,
1501                                  struct vfsmount *mnt,
1502                                  struct dentry *dentry,
1503                                  u32 av)
1504{
1505        struct inode *inode = dentry->d_inode;
1506        struct common_audit_data ad;
1507
1508        COMMON_AUDIT_DATA_INIT(&ad, FS);
1509        ad.u.fs.path.mnt = mnt;
1510        ad.u.fs.path.dentry = dentry;
1511        return inode_has_perm(cred, inode, av, &ad, 0);
1512}
1513
1514/* Check whether a task can use an open file descriptor to
1515   access an inode in a given way.  Check access to the
1516   descriptor itself, and then use dentry_has_perm to
1517   check a particular permission to the file.
1518   Access to the descriptor is implicitly granted if it
1519   has the same SID as the process.  If av is zero, then
1520   access to the file is not checked, e.g. for cases
1521   where only the descriptor is affected like seek. */
1522static int file_has_perm(const struct cred *cred,
1523                         struct file *file,
1524                         u32 av)
1525{
1526        struct file_security_struct *fsec = file->f_security;
1527        struct inode *inode = file->f_path.dentry->d_inode;
1528        struct common_audit_data ad;
1529        u32 sid = cred_sid(cred);
1530        int rc;
1531
1532        COMMON_AUDIT_DATA_INIT(&ad, FS);
1533        ad.u.fs.path = file->f_path;
1534
1535        if (sid != fsec->sid) {
1536                rc = avc_has_perm(sid, fsec->sid,
1537                                  SECCLASS_FD,
1538                                  FD__USE,
1539                                  &ad);
1540                if (rc)
1541                        goto out;
1542        }
1543
1544        /* av is zero if only checking access to the descriptor. */
1545        rc = 0;
1546        if (av)
1547                rc = inode_has_perm(cred, inode, av, &ad, 0);
1548
1549out:
1550        return rc;
1551}
1552
1553/* Check whether a task can create a file. */
1554static int may_create(struct inode *dir,
1555                      struct dentry *dentry,
1556                      u16 tclass)
1557{
1558        const struct task_security_struct *tsec = current_security();
1559        struct inode_security_struct *dsec;
1560        struct superblock_security_struct *sbsec;
1561        u32 sid, newsid;
1562        struct common_audit_data ad;
1563        int rc;
1564
1565        dsec = dir->i_security;
1566        sbsec = dir->i_sb->s_security;
1567
1568        sid = tsec->sid;
1569        newsid = tsec->create_sid;
1570
1571        COMMON_AUDIT_DATA_INIT(&ad, FS);
1572        ad.u.fs.path.dentry = dentry;
1573
1574        rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1575                          DIR__ADD_NAME | DIR__SEARCH,
1576                          &ad);
1577        if (rc)
1578                return rc;
1579
1580        if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1581                rc = security_transition_sid(sid, dsec->sid, tclass,
1582                                             &dentry->d_name, &newsid);
1583                if (rc)
1584                        return rc;
1585        }
1586
1587        rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1588        if (rc)
1589                return rc;
1590
1591        return avc_has_perm(newsid, sbsec->sid,
1592                            SECCLASS_FILESYSTEM,
1593                            FILESYSTEM__ASSOCIATE, &ad);
1594}
1595
1596/* Check whether a task can create a key. */
1597static int may_create_key(u32 ksid,
1598                          struct task_struct *ctx)
1599{
1600        u32 sid = task_sid(ctx);
1601
1602        return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1603}
1604
1605#define MAY_LINK        0
1606#define MAY_UNLINK      1
1607#define MAY_RMDIR       2
1608
1609/* Check whether a task can link, unlink, or rmdir a file/directory. */
1610static int may_link(struct inode *dir,
1611                    struct dentry *dentry,
1612                    int kind)
1613
1614{
1615        struct inode_security_struct *dsec, *isec;
1616        struct common_audit_data ad;
1617        u32 sid = current_sid();
1618        u32 av;
1619        int rc;
1620
1621        dsec = dir->i_security;
1622        isec = dentry->d_inode->i_security;
1623
1624        COMMON_AUDIT_DATA_INIT(&ad, FS);
1625        ad.u.fs.path.dentry = dentry;
1626
1627        av = DIR__SEARCH;
1628        av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1629        rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1630        if (rc)
1631                return rc;
1632
1633        switch (kind) {
1634        case MAY_LINK:
1635                av = FILE__LINK;
1636                break;
1637        case MAY_UNLINK:
1638                av = FILE__UNLINK;
1639                break;
1640        case MAY_RMDIR:
1641                av = DIR__RMDIR;
1642                break;
1643        default:
1644                printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1645                        __func__, kind);
1646                return 0;
1647        }
1648
1649        rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1650        return rc;
1651}
1652
1653static inline int may_rename(struct inode *old_dir,
1654                             struct dentry *old_dentry,
1655                             struct inode *new_dir,
1656                             struct dentry *new_dentry)
1657{
1658        struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1659        struct common_audit_data ad;
1660        u32 sid = current_sid();
1661        u32 av;
1662        int old_is_dir, new_is_dir;
1663        int rc;
1664
1665        old_dsec = old_dir->i_security;
1666        old_isec = old_dentry->d_inode->i_security;
1667        old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1668        new_dsec = new_dir->i_security;
1669
1670        COMMON_AUDIT_DATA_INIT(&ad, FS);
1671
1672        ad.u.fs.path.dentry = old_dentry;
1673        rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1674                          DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1675        if (rc)
1676                return rc;
1677        rc = avc_has_perm(sid, old_isec->sid,
1678                          old_isec->sclass, FILE__RENAME, &ad);
1679        if (rc)
1680                return rc;
1681        if (old_is_dir && new_dir != old_dir) {
1682                rc = avc_has_perm(sid, old_isec->sid,
1683                                  old_isec->sclass, DIR__REPARENT, &ad);
1684                if (rc)
1685                        return rc;
1686        }
1687
1688        ad.u.fs.path.dentry = new_dentry;
1689        av = DIR__ADD_NAME | DIR__SEARCH;
1690        if (new_dentry->d_inode)
1691                av |= DIR__REMOVE_NAME;
1692        rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1693        if (rc)
1694                return rc;
1695        if (new_dentry->d_inode) {
1696                new_isec = new_dentry->d_inode->i_security;
1697                new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1698                rc = avc_has_perm(sid, new_isec->sid,
1699                                  new_isec->sclass,
1700                                  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1701                if (rc)
1702                        return rc;
1703        }
1704
1705        return 0;
1706}
1707
1708/* Check whether a task can perform a filesystem operation. */
1709static int superblock_has_perm(const struct cred *cred,
1710                               struct super_block *sb,
1711                               u32 perms,
1712                               struct common_audit_data *ad)
1713{
1714        struct superblock_security_struct *sbsec;
1715        u32 sid = cred_sid(cred);
1716
1717        sbsec = sb->s_security;
1718        return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1719}
1720
1721/* Convert a Linux mode and permission mask to an access vector. */
1722static inline u32 file_mask_to_av(int mode, int mask)
1723{
1724        u32 av = 0;
1725
1726        if ((mode & S_IFMT) != S_IFDIR) {
1727                if (mask & MAY_EXEC)
1728                        av |= FILE__EXECUTE;
1729                if (mask & MAY_READ)
1730                        av |= FILE__READ;
1731
1732                if (mask & MAY_APPEND)
1733                        av |= FILE__APPEND;
1734                else if (mask & MAY_WRITE)
1735                        av |= FILE__WRITE;
1736
1737        } else {
1738                if (mask & MAY_EXEC)
1739                        av |= DIR__SEARCH;
1740                if (mask & MAY_WRITE)
1741                        av |= DIR__WRITE;
1742                if (mask & MAY_READ)
1743                        av |= DIR__READ;
1744        }
1745
1746        return av;
1747}
1748
1749/* Convert a Linux file to an access vector. */
1750static inline u32 file_to_av(struct file *file)
1751{
1752        u32 av = 0;
1753
1754        if (file->f_mode & FMODE_READ)
1755                av |= FILE__READ;
1756        if (file->f_mode & FMODE_WRITE) {
1757                if (file->f_flags & O_APPEND)
1758                        av |= FILE__APPEND;
1759                else
1760                        av |= FILE__WRITE;
1761        }
1762        if (!av) {
1763                /*
1764                 * Special file opened with flags 3 for ioctl-only use.
1765                 */
1766                av = FILE__IOCTL;
1767        }
1768
1769        return av;
1770}
1771
1772/*
1773 * Convert a file to an access vector and include the correct open
1774 * open permission.
1775 */
1776static inline u32 open_file_to_av(struct file *file)
1777{
1778        u32 av = file_to_av(file);
1779
1780        if (selinux_policycap_openperm)
1781                av |= FILE__OPEN;
1782
1783        return av;
1784}
1785
1786/* Hook functions begin here. */
1787
1788static int selinux_ptrace_access_check(struct task_struct *child,
1789                                     unsigned int mode)
1790{
1791        int rc;
1792
1793        rc = cap_ptrace_access_check(child, mode);
1794        if (rc)
1795                return rc;
1796
1797        if (mode == PTRACE_MODE_READ) {
1798                u32 sid = current_sid();
1799                u32 csid = task_sid(child);
1800                return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1801        }
1802
1803        return current_has_perm(child, PROCESS__PTRACE);
1804}
1805
1806static int selinux_ptrace_traceme(struct task_struct *parent)
1807{
1808        int rc;
1809
1810        rc = cap_ptrace_traceme(parent);
1811        if (rc)
1812                return rc;
1813
1814        return task_has_perm(parent, current, PROCESS__PTRACE);
1815}
1816
1817static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1818                          kernel_cap_t *inheritable, kernel_cap_t *permitted)
1819{
1820        int error;
1821
1822        error = current_has_perm(target, PROCESS__GETCAP);
1823        if (error)
1824                return error;
1825
1826        return cap_capget(target, effective, inheritable, permitted);
1827}
1828
1829static int selinux_capset(struct cred *new, const struct cred *old,
1830                          const kernel_cap_t *effective,
1831                          const kernel_cap_t *inheritable,
1832                          const kernel_cap_t *permitted)
1833{
1834        int error;
1835
1836        error = cap_capset(new, old,
1837                                      effective, inheritable, permitted);
1838        if (error)
1839                return error;
1840
1841        return cred_has_perm(old, new, PROCESS__SETCAP);
1842}
1843
1844/*
1845 * (This comment used to live with the selinux_task_setuid hook,
1846 * which was removed).
1847 *
1848 * Since setuid only affects the current process, and since the SELinux
1849 * controls are not based on the Linux identity attributes, SELinux does not
1850 * need to control this operation.  However, SELinux does control the use of
1851 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1852 */
1853
1854static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1855                           struct user_namespace *ns, int cap, int audit)
1856{
1857        int rc;
1858
1859        rc = cap_capable(tsk, cred, ns, cap, audit);
1860        if (rc)
1861                return rc;
1862
1863        return task_has_capability(tsk, cred, cap, audit);
1864}
1865
1866static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1867{
1868        const struct cred *cred = current_cred();
1869        int rc = 0;
1870
1871        if (!sb)
1872                return 0;
1873
1874        switch (cmds) {
1875        case Q_SYNC:
1876        case Q_QUOTAON:
1877        case Q_QUOTAOFF:
1878        case Q_SETINFO:
1879        case Q_SETQUOTA:
1880                rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1881                break;
1882        case Q_GETFMT:
1883        case Q_GETINFO:
1884        case Q_GETQUOTA:
1885                rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1886                break;
1887        default:
1888                rc = 0;  /* let the kernel handle invalid cmds */
1889                break;
1890        }
1891        return rc;
1892}
1893
1894static int selinux_quota_on(struct dentry *dentry)
1895{
1896        const struct cred *cred = current_cred();
1897
1898        return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1899}
1900
1901static int selinux_syslog(int type)
1902{
1903        int rc;
1904
1905        switch (type) {
1906        case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1907        case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1908                rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1909                break;
1910        case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1911        case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1912        /* Set level of messages printed to console */
1913        case SYSLOG_ACTION_CONSOLE_LEVEL:
1914                rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1915                break;
1916        case SYSLOG_ACTION_CLOSE:       /* Close log */
1917        case SYSLOG_ACTION_OPEN:        /* Open log */
1918        case SYSLOG_ACTION_READ:        /* Read from log */
1919        case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1920        case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1921        default:
1922                rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1923                break;
1924        }
1925        return rc;
1926}
1927
1928/*
1929 * Check that a process has enough memory to allocate a new virtual
1930 * mapping. 0 means there is enough memory for the allocation to
1931 * succeed and -ENOMEM implies there is not.
1932 *
1933 * Do not audit the selinux permission check, as this is applied to all
1934 * processes that allocate mappings.
1935 */
1936static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1937{
1938        int rc, cap_sys_admin = 0;
1939
1940        rc = selinux_capable(current, current_cred(),
1941                             &init_user_ns, CAP_SYS_ADMIN,
1942                             SECURITY_CAP_NOAUDIT);
1943        if (rc == 0)
1944                cap_sys_admin = 1;
1945
1946        return __vm_enough_memory(mm, pages, cap_sys_admin);
1947}
1948
1949/* binprm security operations */
1950
1951static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1952{
1953        const struct task_security_struct *old_tsec;
1954        struct task_security_struct *new_tsec;
1955        struct inode_security_struct *isec;
1956        struct common_audit_data ad;
1957        struct inode *inode = bprm->file->f_path.dentry->d_inode;
1958        int rc;
1959
1960        rc = cap_bprm_set_creds(bprm);
1961        if (rc)
1962                return rc;
1963
1964        /* SELinux context only depends on initial program or script and not
1965         * the script interpreter */
1966        if (bprm->cred_prepared)
1967                return 0;
1968
1969        old_tsec = current_security();
1970        new_tsec = bprm->cred->security;
1971        isec = inode->i_security;
1972
1973        /* Default to the current task SID. */
1974        new_tsec->sid = old_tsec->sid;
1975        new_tsec->osid = old_tsec->sid;
1976
1977        /* Reset fs, key, and sock SIDs on execve. */
1978        new_tsec->create_sid = 0;
1979        new_tsec->keycreate_sid = 0;
1980        new_tsec->sockcreate_sid = 0;
1981
1982        if (old_tsec->exec_sid) {
1983                new_tsec->sid = old_tsec->exec_sid;
1984                /* Reset exec SID on execve. */
1985                new_tsec->exec_sid = 0;
1986        } else {
1987                /* Check for a default transition on this program. */
1988                rc = security_transition_sid(old_tsec->sid, isec->sid,
1989                                             SECCLASS_PROCESS, NULL,
1990                                             &new_tsec->sid);
1991                if (rc)
1992                        return rc;
1993        }
1994
1995        COMMON_AUDIT_DATA_INIT(&ad, FS);
1996        ad.u.fs.path = bprm->file->f_path;
1997
1998        if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1999                new_tsec->sid = old_tsec->sid;
2000
2001        if (new_tsec->sid == old_tsec->sid) {
2002                rc = avc_has_perm(old_tsec->sid, isec->sid,
2003                                  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2004                if (rc)
2005                        return rc;
2006        } else {
2007                /* Check permissions for the transition. */
2008                rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2009                                  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2010                if (rc)
2011                        return rc;
2012
2013                rc = avc_has_perm(new_tsec->sid, isec->sid,
2014                                  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2015                if (rc)
2016                        return rc;
2017
2018                /* Check for shared state */
2019                if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2020                        rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2021                                          SECCLASS_PROCESS, PROCESS__SHARE,
2022                                          NULL);
2023                        if (rc)
2024                                return -EPERM;
2025                }
2026
2027                /* Make sure that anyone attempting to ptrace over a task that
2028                 * changes its SID has the appropriate permit */
2029                if (bprm->unsafe &
2030                    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2031                        struct task_struct *tracer;
2032                        struct task_security_struct *sec;
2033                        u32 ptsid = 0;
2034
2035                        rcu_read_lock();
2036                        tracer = tracehook_tracer_task(current);
2037                        if (likely(tracer != NULL)) {
2038                                sec = __task_cred(tracer)->security;
2039                                ptsid = sec->sid;
2040                        }
2041                        rcu_read_unlock();
2042
2043                        if (ptsid != 0) {
2044                                rc = avc_has_perm(ptsid, new_tsec->sid,
2045                                                  SECCLASS_PROCESS,
2046                                                  PROCESS__PTRACE, NULL);
2047                                if (rc)
2048                                        return -EPERM;
2049                        }
2050                }
2051
2052                /* Clear any possibly unsafe personality bits on exec: */
2053                bprm->per_clear |= PER_CLEAR_ON_SETID;
2054        }
2055
2056        return 0;
2057}
2058
2059static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2060{
2061        const struct task_security_struct *tsec = current_security();
2062        u32 sid, osid;
2063        int atsecure = 0;
2064
2065        sid = tsec->sid;
2066        osid = tsec->osid;
2067
2068        if (osid != sid) {
2069                /* Enable secure mode for SIDs transitions unless
2070                   the noatsecure permission is granted between
2071                   the two SIDs, i.e. ahp returns 0. */
2072                atsecure = avc_has_perm(osid, sid,
2073                                        SECCLASS_PROCESS,
2074                                        PROCESS__NOATSECURE, NULL);
2075        }
2076
2077        return (atsecure || cap_bprm_secureexec(bprm));
2078}
2079
2080extern struct vfsmount *selinuxfs_mount;
2081extern struct dentry *selinux_null;
2082
2083/* Derived from fs/exec.c:flush_old_files. */
2084static inline void flush_unauthorized_files(const struct cred *cred,
2085                                            struct files_struct *files)
2086{
2087        struct common_audit_data ad;
2088        struct file *file, *devnull = NULL;
2089        struct tty_struct *tty;
2090        struct fdtable *fdt;
2091        long j = -1;
2092        int drop_tty = 0;
2093
2094        tty = get_current_tty();
2095        if (tty) {
2096                spin_lock(&tty_files_lock);
2097                if (!list_empty(&tty->tty_files)) {
2098                        struct tty_file_private *file_priv;
2099                        struct inode *inode;
2100
2101                        /* Revalidate access to controlling tty.
2102                           Use inode_has_perm on the tty inode directly rather
2103                           than using file_has_perm, as this particular open
2104                           file may belong to another process and we are only
2105                           interested in the inode-based check here. */
2106                        file_priv = list_first_entry(&tty->tty_files,
2107                                                struct tty_file_private, list);
2108                        file = file_priv->file;
2109                        inode = file->f_path.dentry->d_inode;
2110                        if (inode_has_perm(cred, inode,
2111                                           FILE__READ | FILE__WRITE, NULL, 0)) {
2112                                drop_tty = 1;
2113                        }
2114                }
2115                spin_unlock(&tty_files_lock);
2116                tty_kref_put(tty);
2117        }
2118        /* Reset controlling tty. */
2119        if (drop_tty)
2120                no_tty();
2121
2122        /* Revalidate access to inherited open files. */
2123
2124        COMMON_AUDIT_DATA_INIT(&ad, FS);
2125
2126        spin_lock(&files->file_lock);
2127        for (;;) {
2128                unsigned long set, i;
2129                int fd;
2130
2131                j++;
2132                i = j * __NFDBITS;
2133                fdt = files_fdtable(files);
2134                if (i >= fdt->max_fds)
2135                        break;
2136                set = fdt->open_fds->fds_bits[j];
2137                if (!set)
2138                        continue;
2139                spin_unlock(&files->file_lock);
2140                for ( ; set ; i++, set >>= 1) {
2141                        if (set & 1) {
2142                                file = fget(i);
2143                                if (!file)
2144                                        continue;
2145                                if (file_has_perm(cred,
2146                                                  file,
2147                                                  file_to_av(file))) {
2148                                        sys_close(i);
2149                                        fd = get_unused_fd();
2150                                        if (fd != i) {
2151                                                if (fd >= 0)
2152                                                        put_unused_fd(fd);
2153                                                fput(file);
2154                                                continue;
2155                                        }
2156                                        if (devnull) {
2157                                                get_file(devnull);
2158                                        } else {
2159                                                devnull = dentry_open(
2160                                                        dget(selinux_null),
2161                                                        mntget(selinuxfs_mount),
2162                                                        O_RDWR, cred);
2163                                                if (IS_ERR(devnull)) {
2164                                                        devnull = NULL;
2165                                                        put_unused_fd(fd);
2166                                                        fput(file);
2167                                                        continue;
2168                                                }
2169                                        }
2170                                        fd_install(fd, devnull);
2171                                }
2172                                fput(file);
2173                        }
2174                }
2175                spin_lock(&files->file_lock);
2176
2177        }
2178        spin_unlock(&files->file_lock);
2179}
2180
2181/*
2182 * Prepare a process for imminent new credential changes due to exec
2183 */
2184static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2185{
2186        struct task_security_struct *new_tsec;
2187        struct rlimit *rlim, *initrlim;
2188        int rc, i;
2189
2190        new_tsec = bprm->cred->security;
2191        if (new_tsec->sid == new_tsec->osid)
2192                return;
2193
2194        /* Close files for which the new task SID is not authorized. */
2195        flush_unauthorized_files(bprm->cred, current->files);
2196
2197        /* Always clear parent death signal on SID transitions. */
2198        current->pdeath_signal = 0;
2199
2200        /* Check whether the new SID can inherit resource limits from the old
2201         * SID.  If not, reset all soft limits to the lower of the current
2202         * task's hard limit and the init task's soft limit.
2203         *
2204         * Note that the setting of hard limits (even to lower them) can be
2205         * controlled by the setrlimit check.  The inclusion of the init task's
2206         * soft limit into the computation is to avoid resetting soft limits
2207         * higher than the default soft limit for cases where the default is
2208         * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2209         */
2210        rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2211                          PROCESS__RLIMITINH, NULL);
2212        if (rc) {
2213                /* protect against do_prlimit() */
2214                task_lock(current);
2215                for (i = 0; i < RLIM_NLIMITS; i++) {
2216                        rlim = current->signal->rlim + i;
2217                        initrlim = init_task.signal->rlim + i;
2218                        rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2219                }
2220                task_unlock(current);
2221                update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2222        }
2223}
2224
2225/*
2226 * Clean up the process immediately after the installation of new credentials
2227 * due to exec
2228 */
2229static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2230{
2231        const struct task_security_struct *tsec = current_security();
2232        struct itimerval itimer;
2233        u32 osid, sid;
2234        int rc, i;
2235
2236        osid = tsec->osid;
2237        sid = tsec->sid;
2238
2239        if (sid == osid)
2240                return;
2241
2242        /* Check whether the new SID can inherit signal state from the old SID.
2243         * If not, clear itimers to avoid subsequent signal generation and
2244         * flush and unblock signals.
2245         *
2246         * This must occur _after_ the task SID has been updated so that any
2247         * kill done after the flush will be checked against the new SID.
2248         */
2249        rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2250        if (rc) {
2251                memset(&itimer, 0, sizeof itimer);
2252                for (i = 0; i < 3; i++)
2253                        do_setitimer(i, &itimer, NULL);
2254                spin_lock_irq(&current->sighand->siglock);
2255                if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2256                        __flush_signals(current);
2257                        flush_signal_handlers(current, 1);
2258                        sigemptyset(&current->blocked);
2259                }
2260                spin_unlock_irq(&current->sighand->siglock);
2261        }
2262
2263        /* Wake up the parent if it is waiting so that it can recheck
2264         * wait permission to the new task SID. */
2265        read_lock(&tasklist_lock);
2266        __wake_up_parent(current, current->real_parent);
2267        read_unlock(&tasklist_lock);
2268}
2269
2270/* superblock security operations */
2271
2272static int selinux_sb_alloc_security(struct super_block *sb)
2273{
2274        return superblock_alloc_security(sb);
2275}
2276
2277static void selinux_sb_free_security(struct super_block *sb)
2278{
2279        superblock_free_security(sb);
2280}
2281
2282static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2283{
2284        if (plen > olen)
2285                return 0;
2286
2287        return !memcmp(prefix, option, plen);
2288}
2289
2290static inline int selinux_option(char *option, int len)
2291{
2292        return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2293                match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2294                match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2295                match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2296                match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2297}
2298
2299static inline void take_option(char **to, char *from, int *first, int len)
2300{
2301        if (!*first) {
2302                **to = ',';
2303                *to += 1;
2304        } else
2305                *first = 0;
2306        memcpy(*to, from, len);
2307        *to += len;
2308}
2309
2310static inline void take_selinux_option(char **to, char *from, int *first,
2311                                       int len)
2312{
2313        int current_size = 0;
2314
2315        if (!*first) {
2316                **to = '|';
2317                *to += 1;
2318        } else
2319                *first = 0;
2320
2321        while (current_size < len) {
2322                if (*from != '"') {
2323                        **to = *from;
2324                        *to += 1;
2325                }
2326                from += 1;
2327                current_size += 1;
2328        }
2329}
2330
2331static int selinux_sb_copy_data(char *orig, char *copy)
2332{
2333        int fnosec, fsec, rc = 0;
2334        char *in_save, *in_curr, *in_end;
2335        char *sec_curr, *nosec_save, *nosec;
2336        int open_quote = 0;
2337
2338        in_curr = orig;
2339        sec_curr = copy;
2340
2341        nosec = (char *)get_zeroed_page(GFP_KERNEL);
2342        if (!nosec) {
2343                rc = -ENOMEM;
2344                goto out;
2345        }
2346
2347        nosec_save = nosec;
2348        fnosec = fsec = 1;
2349        in_save = in_end = orig;
2350
2351        do {
2352                if (*in_end == '"')
2353                        open_quote = !open_quote;
2354                if ((*in_end == ',' && open_quote == 0) ||
2355                                *in_end == '\0') {
2356                        int len = in_end - in_curr;
2357
2358                        if (selinux_option(in_curr, len))
2359                                take_selinux_option(&sec_curr, in_curr, &fsec, len);
2360                        else
2361                                take_option(&nosec, in_curr, &fnosec, len);
2362
2363                        in_curr = in_end + 1;
2364                }
2365        } while (*in_end++);
2366
2367        strcpy(in_save, nosec_save);
2368        free_page((unsigned long)nosec_save);
2369out:
2370        return rc;
2371}
2372
2373static int selinux_sb_remount(struct super_block *sb, void *data)
2374{
2375        int rc, i, *flags;
2376        struct security_mnt_opts opts;
2377        char *secdata, **mount_options;
2378        struct superblock_security_struct *sbsec = sb->s_security;
2379
2380        if (!(sbsec->flags & SE_SBINITIALIZED))
2381                return 0;
2382
2383        if (!data)
2384                return 0;
2385
2386        if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2387                return 0;
2388
2389        security_init_mnt_opts(&opts);
2390        secdata = alloc_secdata();
2391        if (!secdata)
2392                return -ENOMEM;
2393        rc = selinux_sb_copy_data(data, secdata);
2394        if (rc)
2395                goto out_free_secdata;
2396
2397        rc = selinux_parse_opts_str(secdata, &opts);
2398        if (rc)
2399                goto out_free_secdata;
2400
2401        mount_options = opts.mnt_opts;
2402        flags = opts.mnt_opts_flags;
2403
2404        for (i = 0; i < opts.num_mnt_opts; i++) {
2405                u32 sid;
2406                size_t len;
2407
2408                if (flags[i] == SE_SBLABELSUPP)
2409                        continue;
2410                len = strlen(mount_options[i]);
2411                rc = security_context_to_sid(mount_options[i], len, &sid);
2412                if (rc) {
2413                        printk(KERN_WARNING "SELinux: security_context_to_sid"
2414                               "(%s) failed for (dev %s, type %s) errno=%d\n",
2415                               mount_options[i], sb->s_id, sb->s_type->name, rc);
2416                        goto out_free_opts;
2417                }
2418                rc = -EINVAL;
2419                switch (flags[i]) {
2420                case FSCONTEXT_MNT:
2421                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2422                                goto out_bad_option;
2423                        break;
2424                case CONTEXT_MNT:
2425                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2426                                goto out_bad_option;
2427                        break;
2428                case ROOTCONTEXT_MNT: {
2429                        struct inode_security_struct *root_isec;
2430                        root_isec = sb->s_root->d_inode->i_security;
2431
2432                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2433                                goto out_bad_option;
2434                        break;
2435                }
2436                case DEFCONTEXT_MNT:
2437                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2438                                goto out_bad_option;
2439                        break;
2440                default:
2441                        goto out_free_opts;
2442                }
2443        }
2444
2445        rc = 0;
2446out_free_opts:
2447        security_free_mnt_opts(&opts);
2448out_free_secdata:
2449        free_secdata(secdata);
2450        return rc;
2451out_bad_option:
2452        printk(KERN_WARNING "SELinux: unable to change security options "
2453               "during remount (dev %s, type=%s)\n", sb->s_id,
2454               sb->s_type->name);
2455        goto out_free_opts;
2456}
2457
2458static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2459{
2460        const struct cred *cred = current_cred();
2461        struct common_audit_data ad;
2462        int rc;
2463
2464        rc = superblock_doinit(sb, data);
2465        if (rc)
2466                return rc;
2467
2468        /* Allow all mounts performed by the kernel */
2469        if (flags & MS_KERNMOUNT)
2470                return 0;
2471
2472        COMMON_AUDIT_DATA_INIT(&ad, FS);
2473        ad.u.fs.path.dentry = sb->s_root;
2474        return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2475}
2476
2477static int selinux_sb_statfs(struct dentry *dentry)
2478{
2479        const struct cred *cred = current_cred();
2480        struct common_audit_data ad;
2481
2482        COMMON_AUDIT_DATA_INIT(&ad, FS);
2483        ad.u.fs.path.dentry = dentry->d_sb->s_root;
2484        return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2485}
2486
2487static int selinux_mount(char *dev_name,
2488                         struct path *path,
2489                         char *type,
2490                         unsigned long flags,
2491                         void *data)
2492{
2493        const struct cred *cred = current_cred();
2494
2495        if (flags & MS_REMOUNT)
2496                return superblock_has_perm(cred, path->mnt->mnt_sb,
2497                                           FILESYSTEM__REMOUNT, NULL);
2498        else
2499                return dentry_has_perm(cred, path->mnt, path->dentry,
2500                                       FILE__MOUNTON);
2501}
2502
2503static int selinux_umount(struct vfsmount *mnt, int flags)
2504{
2505        const struct cred *cred = current_cred();
2506
2507        return superblock_has_perm(cred, mnt->mnt_sb,
2508                                   FILESYSTEM__UNMOUNT, NULL);
2509}
2510
2511/* inode security operations */
2512
2513static int selinux_inode_alloc_security(struct inode *inode)
2514{
2515        return inode_alloc_security(inode);
2516}
2517
2518static void selinux_inode_free_security(struct inode *inode)
2519{
2520        inode_free_security(inode);
2521}
2522
2523static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2524                                       const struct qstr *qstr, char **name,
2525                                       void **value, size_t *len)
2526{
2527        const struct task_security_struct *tsec = current_security();
2528        struct inode_security_struct *dsec;
2529        struct superblock_security_struct *sbsec;
2530        u32 sid, newsid, clen;
2531        int rc;
2532        char *namep = NULL, *context;
2533
2534        dsec = dir->i_security;
2535        sbsec = dir->i_sb->s_security;
2536
2537        sid = tsec->sid;
2538        newsid = tsec->create_sid;
2539
2540        if ((sbsec->flags & SE_SBINITIALIZED) &&
2541            (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2542                newsid = sbsec->mntpoint_sid;
2543        else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2544                rc = security_transition_sid(sid, dsec->sid,
2545                                             inode_mode_to_security_class(inode->i_mode),
2546                                             qstr, &newsid);
2547                if (rc) {
2548                        printk(KERN_WARNING "%s:  "
2549                               "security_transition_sid failed, rc=%d (dev=%s "
2550                               "ino=%ld)\n",
2551                               __func__,
2552                               -rc, inode->i_sb->s_id, inode->i_ino);
2553                        return rc;
2554                }
2555        }
2556
2557        /* Possibly defer initialization to selinux_complete_init. */
2558        if (sbsec->flags & SE_SBINITIALIZED) {
2559                struct inode_security_struct *isec = inode->i_security;
2560                isec->sclass = inode_mode_to_security_class(inode->i_mode);
2561                isec->sid = newsid;
2562                isec->initialized = 1;
2563        }
2564
2565        if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2566                return -EOPNOTSUPP;
2567
2568        if (name) {
2569                namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2570                if (!namep)
2571                        return -ENOMEM;
2572                *name = namep;
2573        }
2574
2575        if (value && len) {
2576                rc = security_sid_to_context_force(newsid, &context, &clen);
2577                if (rc) {
2578                        kfree(namep);
2579                        return rc;
2580                }
2581                *value = context;
2582                *len = clen;
2583        }
2584
2585        return 0;
2586}
2587
2588static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2589{
2590        return may_create(dir, dentry, SECCLASS_FILE);
2591}
2592
2593static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2594{
2595        return may_link(dir, old_dentry, MAY_LINK);
2596}
2597
2598static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2599{
2600        return may_link(dir, dentry, MAY_UNLINK);
2601}
2602
2603static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2604{
2605        return may_create(dir, dentry, SECCLASS_LNK_FILE);
2606}
2607
2608static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2609{
2610        return may_create(dir, dentry, SECCLASS_DIR);
2611}
2612
2613static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2614{
2615        return may_link(dir, dentry, MAY_RMDIR);
2616}
2617
2618static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2619{
2620        return may_create(dir, dentry, inode_mode_to_security_class(mode));
2621}
2622
2623static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2624                                struct inode *new_inode, struct dentry *new_dentry)
2625{
2626        return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2627}
2628
2629static int selinux_inode_readlink(struct dentry *dentry)
2630{
2631        const struct cred *cred = current_cred();
2632
2633        return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2634}
2635
2636static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2637{
2638        const struct cred *cred = current_cred();
2639
2640        return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2641}
2642
2643static int selinux_inode_permission(struct inode *inode, int mask, unsigned flags)
2644{
2645        const struct cred *cred = current_cred();
2646        struct common_audit_data ad;
2647        u32 perms;
2648        bool from_access;
2649
2650        from_access = mask & MAY_ACCESS;
2651        mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2652
2653        /* No permission to check.  Existence test. */
2654        if (!mask)
2655                return 0;
2656
2657        COMMON_AUDIT_DATA_INIT(&ad, FS);
2658        ad.u.fs.inode = inode;
2659
2660        if (from_access)
2661                ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2662
2663        perms = file_mask_to_av(inode->i_mode, mask);
2664
2665        return inode_has_perm(cred, inode, perms, &ad, flags);
2666}
2667
2668static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2669{
2670        const struct cred *cred = current_cred();
2671        unsigned int ia_valid = iattr->ia_valid;
2672
2673        /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2674        if (ia_valid & ATTR_FORCE) {
2675                ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2676                              ATTR_FORCE);
2677                if (!ia_valid)
2678                        return 0;
2679        }
2680
2681        if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2682                        ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2683                return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2684
2685        return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2686}
2687
2688static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2689{
2690        const struct cred *cred = current_cred();
2691
2692        return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2693}
2694
2695static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2696{
2697        const struct cred *cred = current_cred();
2698
2699        if (!strncmp(name, XATTR_SECURITY_PREFIX,
2700                     sizeof XATTR_SECURITY_PREFIX - 1)) {
2701                if (!strcmp(name, XATTR_NAME_CAPS)) {
2702                        if (!capable(CAP_SETFCAP))
2703                                return -EPERM;
2704                } else if (!capable(CAP_SYS_ADMIN)) {
2705                        /* A different attribute in the security namespace.
2706                           Restrict to administrator. */
2707                        return -EPERM;
2708                }
2709        }
2710
2711        /* Not an attribute we recognize, so just check the
2712           ordinary setattr permission. */
2713        return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2714}
2715
2716static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2717                                  const void *value, size_t size, int flags)
2718{
2719        struct inode *inode = dentry->d_inode;
2720        struct inode_security_struct *isec = inode->i_security;
2721        struct superblock_security_struct *sbsec;
2722        struct common_audit_data ad;
2723        u32 newsid, sid = current_sid();
2724        int rc = 0;
2725
2726        if (strcmp(name, XATTR_NAME_SELINUX))
2727                return selinux_inode_setotherxattr(dentry, name);
2728
2729        sbsec = inode->i_sb->s_security;
2730        if (!(sbsec->flags & SE_SBLABELSUPP))
2731                return -EOPNOTSUPP;
2732
2733        if (!inode_owner_or_capable(inode))
2734                return -EPERM;
2735
2736        COMMON_AUDIT_DATA_INIT(&ad, FS);
2737        ad.u.fs.path.dentry = dentry;
2738
2739        rc = avc_has_perm(sid, isec->sid, isec->sclass,
2740                          FILE__RELABELFROM, &ad);
2741        if (rc)
2742                return rc;
2743
2744        rc = security_context_to_sid(value, size, &newsid);
2745        if (rc == -EINVAL) {
2746                if (!capable(CAP_MAC_ADMIN))
2747                        return rc;
2748                rc = security_context_to_sid_force(value, size, &newsid);
2749        }
2750        if (rc)
2751                return rc;
2752
2753        rc = avc_has_perm(sid, newsid, isec->sclass,
2754                          FILE__RELABELTO, &ad);
2755        if (rc)
2756                return rc;
2757
2758        rc = security_validate_transition(isec->sid, newsid, sid,
2759                                          isec->sclass);
2760        if (rc)
2761                return rc;
2762
2763        return avc_has_perm(newsid,
2764                            sbsec->sid,
2765                            SECCLASS_FILESYSTEM,
2766                            FILESYSTEM__ASSOCIATE,
2767                            &ad);
2768}
2769
2770static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2771                                        const void *value, size_t size,
2772                                        int flags)
2773{
2774        struct inode *inode = dentry->d_inode;
2775        struct inode_security_struct *isec = inode->i_security;
2776        u32 newsid;
2777        int rc;
2778
2779        if (strcmp(name, XATTR_NAME_SELINUX)) {
2780                /* Not an attribute we recognize, so nothing to do. */
2781                return;
2782        }
2783
2784        rc = security_context_to_sid_force(value, size, &newsid);
2785        if (rc) {
2786                printk(KERN_ERR "SELinux:  unable to map context to SID"
2787                       "for (%s, %lu), rc=%d\n",
2788                       inode->i_sb->s_id, inode->i_ino, -rc);
2789                return;
2790        }
2791
2792        isec->sid = newsid;
2793        return;
2794}
2795
2796static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2797{
2798        const struct cred *cred = current_cred();
2799
2800        return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2801}
2802
2803static int selinux_inode_listxattr(struct dentry *dentry)
2804{
2805        const struct cred *cred = current_cred();
2806
2807        return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2808}
2809
2810static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2811{
2812        if (strcmp(name, XATTR_NAME_SELINUX))
2813                return selinux_inode_setotherxattr(dentry, name);
2814
2815        /* No one is allowed to remove a SELinux security label.
2816           You can change the label, but all data must be labeled. */
2817        return -EACCES;
2818}
2819
2820/*
2821 * Copy the inode security context value to the user.
2822 *
2823 * Permission check is handled by selinux_inode_getxattr hook.
2824 */
2825static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2826{
2827        u32 size;
2828        int error;
2829        char *context = NULL;
2830        struct inode_security_struct *isec = inode->i_security;
2831
2832        if (strcmp(name, XATTR_SELINUX_SUFFIX))
2833                return -EOPNOTSUPP;
2834
2835        /*
2836         * If the caller has CAP_MAC_ADMIN, then get the raw context
2837         * value even if it is not defined by current policy; otherwise,
2838         * use the in-core value under current policy.
2839         * Use the non-auditing forms of the permission checks since
2840         * getxattr may be called by unprivileged processes commonly
2841         * and lack of permission just means that we fall back to the
2842         * in-core context value, not a denial.
2843         */
2844        error = selinux_capable(current, current_cred(),
2845                                &init_user_ns, CAP_MAC_ADMIN,
2846                                SECURITY_CAP_NOAUDIT);
2847        if (!error)
2848                error = security_sid_to_context_force(isec->sid, &context,
2849                                                      &size);
2850        else
2851                error = security_sid_to_context(isec->sid, &context, &size);
2852        if (error)
2853                return error;
2854        error = size;
2855        if (alloc) {
2856                *buffer = context;
2857                goto out_nofree;
2858        }
2859        kfree(context);
2860out_nofree:
2861        return error;
2862}
2863
2864static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2865                                     const void *value, size_t size, int flags)
2866{
2867        struct inode_security_struct *isec = inode->i_security;
2868        u32 newsid;
2869        int rc;
2870
2871        if (strcmp(name, XATTR_SELINUX_SUFFIX))
2872                return -EOPNOTSUPP;
2873
2874        if (!value || !size)
2875                return -EACCES;
2876
2877        rc = security_context_to_sid((void *)value, size, &newsid);
2878        if (rc)
2879                return rc;
2880
2881        isec->sid = newsid;
2882        isec->initialized = 1;
2883        return 0;
2884}
2885
2886static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2887{
2888        const int len = sizeof(XATTR_NAME_SELINUX);
2889        if (buffer && len <= buffer_size)
2890                memcpy(buffer, XATTR_NAME_SELINUX, len);
2891        return len;
2892}
2893
2894static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2895{
2896        struct inode_security_struct *isec = inode->i_security;
2897        *secid = isec->sid;
2898}
2899
2900/* file security operations */
2901
2902static int selinux_revalidate_file_permission(struct file *file, int mask)
2903{
2904        const struct cred *cred = current_cred();
2905        struct inode *inode = file->f_path.dentry->d_inode;
2906
2907        /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2908        if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2909                mask |= MAY_APPEND;
2910
2911        return file_has_perm(cred, file,
2912                             file_mask_to_av(inode->i_mode, mask));
2913}
2914
2915static int selinux_file_permission(struct file *file, int mask)
2916{
2917        struct inode *inode = file->f_path.dentry->d_inode;
2918        struct file_security_struct *fsec = file->f_security;
2919        struct inode_security_struct *isec = inode->i_security;
2920        u32 sid = current_sid();
2921
2922        if (!mask)
2923                /* No permission to check.  Existence test. */
2924                return 0;
2925
2926        if (sid == fsec->sid && fsec->isid == isec->sid &&
2927            fsec->pseqno == avc_policy_seqno())
2928                /* No change since dentry_open check. */
2929                return 0;
2930
2931        return selinux_revalidate_file_permission(file, mask);
2932}
2933
2934static int selinux_file_alloc_security(struct file *file)
2935{
2936        return file_alloc_security(file);
2937}
2938
2939static void selinux_file_free_security(struct file *file)
2940{
2941        file_free_security(file);
2942}
2943
2944static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2945                              unsigned long arg)
2946{
2947        const struct cred *cred = current_cred();
2948        int error = 0;
2949
2950        switch (cmd) {
2951        case FIONREAD:
2952        /* fall through */
2953        case FIBMAP:
2954        /* fall through */
2955        case FIGETBSZ:
2956        /* fall through */
2957        case EXT2_IOC_GETFLAGS:
2958        /* fall through */
2959        case EXT2_IOC_GETVERSION:
2960                error = file_has_perm(cred, file, FILE__GETATTR);
2961                break;
2962
2963        case EXT2_IOC_SETFLAGS:
2964        /* fall through */
2965        case EXT2_IOC_SETVERSION:
2966                error = file_has_perm(cred, file, FILE__SETATTR);
2967                break;
2968
2969        /* sys_ioctl() checks */
2970        case FIONBIO:
2971        /* fall through */
2972        case FIOASYNC:
2973                error = file_has_perm(cred, file, 0);
2974                break;
2975
2976        case KDSKBENT:
2977        case KDSKBSENT:
2978                error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2979                                        SECURITY_CAP_AUDIT);
2980                break;
2981
2982        /* default case assumes that the command will go
2983         * to the file's ioctl() function.
2984         */
2985        default:
2986                error = file_has_perm(cred, file, FILE__IOCTL);
2987        }
2988        return error;
2989}
2990
2991static int default_noexec;
2992
2993static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2994{
2995        const struct cred *cred = current_cred();
2996        int rc = 0;
2997
2998        if (default_noexec &&
2999            (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3000                /*
3001                 * We are making executable an anonymous mapping or a
3002                 * private file mapping that will also be writable.
3003                 * This has an additional check.
3004                 */
3005                rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3006                if (rc)
3007                        goto error;
3008        }
3009
3010        if (file) {
3011                /* read access is always possible with a mapping */
3012                u32 av = FILE__READ;
3013
3014                /* write access only matters if the mapping is shared */
3015                if (shared && (prot & PROT_WRITE))
3016                        av |= FILE__WRITE;
3017
3018                if (prot & PROT_EXEC)
3019                        av |= FILE__EXECUTE;
3020
3021                return file_has_perm(cred, file, av);
3022        }
3023
3024error:
3025        return rc;
3026}
3027
3028static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3029                             unsigned long prot, unsigned long flags,
3030                             unsigned long addr, unsigned long addr_only)
3031{
3032        int rc = 0;
3033        u32 sid = current_sid();
3034
3035        /*
3036         * notice that we are intentionally putting the SELinux check before
3037         * the secondary cap_file_mmap check.  This is such a likely attempt
3038         * at bad behaviour/exploit that we always want to get the AVC, even
3039         * if DAC would have also denied the operation.
3040         */
3041        if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3042                rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3043                                  MEMPROTECT__MMAP_ZERO, NULL);
3044                if (rc)
3045                        return rc;
3046        }
3047
3048        /* do DAC check on address space usage */
3049        rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3050        if (rc || addr_only)
3051                return rc;
3052
3053        if (selinux_checkreqprot)
3054                prot = reqprot;
3055
3056        return file_map_prot_check(file, prot,
3057                                   (flags & MAP_TYPE) == MAP_SHARED);
3058}
3059
3060static int selinux_file_mprotect(struct vm_area_struct *vma,
3061                                 unsigned long reqprot,
3062                                 unsigned long prot)
3063{
3064        const struct cred *cred = current_cred();
3065
3066        if (selinux_checkreqprot)
3067                prot = reqprot;
3068
3069        if (default_noexec &&
3070            (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3071                int rc = 0;
3072                if (vma->vm_start >= vma->vm_mm->start_brk &&
3073                    vma->vm_end <= vma->vm_mm->brk) {
3074                        rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3075                } else if (!vma->vm_file &&
3076                           vma->vm_start <= vma->vm_mm->start_stack &&
3077                           vma->vm_end >= vma->vm_mm->start_stack) {
3078                        rc = current_has_perm(current, PROCESS__EXECSTACK);
3079                } else if (vma->vm_file && vma->anon_vma) {
3080                        /*
3081                         * We are making executable a file mapping that has
3082                         * had some COW done. Since pages might have been
3083                         * written, check ability to execute the possibly
3084                         * modified content.  This typically should only
3085                         * occur for text relocations.
3086                         */
3087                        rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3088                }
3089                if (rc)
3090                        return rc;
3091        }
3092
3093        return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3094}
3095
3096static int selinux_file_lock(struct file *file, unsigned int cmd)
3097{
3098        const struct cred *cred = current_cred();
3099
3100        return file_has_perm(cred, file, FILE__LOCK);
3101}
3102
3103static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3104                              unsigned long arg)
3105{
3106        const struct cred *cred = current_cred();
3107        int err = 0;
3108
3109        switch (cmd) {
3110        case F_SETFL:
3111                if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3112                        err = -EINVAL;
3113                        break;
3114                }
3115
3116                if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3117                        err = file_has_perm(cred, file, FILE__WRITE);
3118                        break;
3119                }
3120                /* fall through */
3121        case F_SETOWN:
3122        case F_SETSIG:
3123        case F_GETFL:
3124        case F_GETOWN:
3125        case F_GETSIG:
3126                /* Just check FD__USE permission */
3127                err = file_has_perm(cred, file, 0);
3128                break;
3129        case F_GETLK:
3130        case F_SETLK:
3131        case F_SETLKW:
3132#if BITS_PER_LONG == 32
3133        case F_GETLK64:
3134        case F_SETLK64:
3135        case F_SETLKW64:
3136#endif
3137                if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3138                        err = -EINVAL;
3139                        break;
3140                }
3141                err = file_has_perm(cred, file, FILE__LOCK);
3142                break;
3143        }
3144
3145        return err;
3146}
3147
3148static int selinux_file_set_fowner(struct file *file)
3149{
3150        struct file_security_struct *fsec;
3151
3152        fsec = file->f_security;
3153        fsec->fown_sid = current_sid();
3154
3155        return 0;
3156}
3157
3158static int selinux_file_send_sigiotask(struct task_struct *tsk,
3159                                       struct fown_struct *fown, int signum)
3160{
3161        struct file *file;
3162        u32 sid = task_sid(tsk);
3163        u32 perm;
3164        struct file_security_struct *fsec;
3165
3166        /* struct fown_struct is never outside the context of a struct file */
3167        file = container_of(fown, struct file, f_owner);
3168
3169        fsec = file->f_security;
3170
3171        if (!signum)
3172                perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3173        else
3174                perm = signal_to_av(signum);
3175
3176        return avc_has_perm(fsec->fown_sid, sid,
3177                            SECCLASS_PROCESS, perm, NULL);
3178}
3179
3180static int selinux_file_receive(struct file *file)
3181{
3182        const struct cred *cred = current_cred();
3183
3184        return file_has_perm(cred, file, file_to_av(file));
3185}
3186
3187static int selinux_dentry_open(struct file *file, const struct cred *cred)
3188{
3189        struct file_security_struct *fsec;
3190        struct inode *inode;
3191        struct inode_security_struct *isec;
3192
3193        inode = file->f_path.dentry->d_inode;
3194        fsec = file->f_security;
3195        isec = inode->i_security;
3196        /*
3197         * Save inode label and policy sequence number
3198         * at open-time so that selinux_file_permission
3199         * can determine whether revalidation is necessary.
3200         * Task label is already saved in the file security
3201         * struct as its SID.
3202         */
3203        fsec->isid = isec->sid;
3204        fsec->pseqno = avc_policy_seqno();
3205        /*
3206         * Since the inode label or policy seqno may have changed
3207         * between the selinux_inode_permission check and the saving
3208         * of state above, recheck that access is still permitted.
3209         * Otherwise, access might never be revalidated against the
3210         * new inode label or new policy.
3211         * This check is not redundant - do not remove.
3212         */
3213        return inode_has_perm(cred, inode, open_file_to_av(file), NULL, 0);
3214}
3215
3216/* task security operations */
3217
3218static int selinux_task_create(unsigned long clone_flags)
3219{
3220        return current_has_perm(current, PROCESS__FORK);
3221}
3222
3223/*
3224 * allocate the SELinux part of blank credentials
3225 */
3226static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3227{
3228        struct task_security_struct *tsec;
3229
3230        tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3231        if (!tsec)
3232                return -ENOMEM;
3233
3234        cred->security = tsec;
3235        return 0;
3236}
3237
3238/*
3239 * detach and free the LSM part of a set of credentials
3240 */
3241static void selinux_cred_free(struct cred *cred)
3242{
3243        struct task_security_struct *tsec = cred->security;
3244
3245        /*
3246         * cred->security == NULL if security_cred_alloc_blank() or
3247         * security_prepare_creds() returned an error.
3248         */
3249        BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3250        cred->security = (void *) 0x7UL;
3251        kfree(tsec);
3252}
3253
3254/*
3255 * prepare a new set of credentials for modification
3256 */
3257static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3258                                gfp_t gfp)
3259{
3260        const struct task_security_struct *old_tsec;
3261        struct task_security_struct *tsec;
3262
3263        old_tsec = old->security;
3264
3265        tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3266        if (!tsec)
3267                return -ENOMEM;
3268
3269        new->security = tsec;
3270        return 0;
3271}
3272
3273/*
3274 * transfer the SELinux data to a blank set of creds
3275 */
3276static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3277{
3278        const struct task_security_struct *old_tsec = old->security;
3279        struct task_security_struct *tsec = new->security;
3280
3281        *tsec = *old_tsec;
3282}
3283
3284/*
3285 * set the security data for a kernel service
3286 * - all the creation contexts are set to unlabelled
3287 */
3288static int selinux_kernel_act_as(struct cred *new, u32 secid)
3289{
3290        struct task_security_struct *tsec = new->security;
3291        u32 sid = current_sid();
3292        int ret;
3293
3294        ret = avc_has_perm(sid, secid,
3295                           SECCLASS_KERNEL_SERVICE,
3296                           KERNEL_SERVICE__USE_AS_OVERRIDE,
3297                           NULL);
3298        if (ret == 0) {
3299                tsec->sid = secid;
3300                tsec->create_sid = 0;
3301                tsec->keycreate_sid = 0;
3302                tsec->sockcreate_sid = 0;
3303        }
3304        return ret;
3305}
3306
3307/*
3308 * set the file creation context in a security record to the same as the
3309 * objective context of the specified inode
3310 */
3311static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3312{
3313        struct inode_security_struct *isec = inode->i_security;
3314        struct task_security_struct *tsec = new->security;
3315        u32 sid = current_sid();
3316        int ret;
3317
3318        ret = avc_has_perm(sid, isec->sid,
3319                           SECCLASS_KERNEL_SERVICE,
3320                           KERNEL_SERVICE__CREATE_FILES_AS,
3321                           NULL);
3322
3323        if (ret == 0)
3324                tsec->create_sid = isec->sid;
3325        return ret;
3326}
3327
3328static int selinux_kernel_module_request(char *kmod_name)
3329{
3330        u32 sid;
3331        struct common_audit_data ad;
3332
3333        sid = task_sid(current);
3334
3335        COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3336        ad.u.kmod_name = kmod_name;
3337
3338        return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3339                            SYSTEM__MODULE_REQUEST, &ad);
3340}
3341
3342static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3343{
3344        return current_has_perm(p, PROCESS__SETPGID);
3345}
3346
3347static int selinux_task_getpgid(struct task_struct *p)
3348{
3349        return current_has_perm(p, PROCESS__GETPGID);
3350}
3351
3352static int selinux_task_getsid(struct task_struct *p)
3353{
3354        return current_has_perm(p, PROCESS__GETSESSION);
3355}
3356
3357static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3358{
3359        *secid = task_sid(p);
3360}
3361
3362static int selinux_task_setnice(struct task_struct *p, int nice)
3363{
3364        int rc;
3365
3366        rc = cap_task_setnice(p, nice);
3367        if (rc)
3368                return rc;
3369
3370        return current_has_perm(p, PROCESS__SETSCHED);
3371}
3372
3373static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3374{
3375        int rc;
3376
3377        rc = cap_task_setioprio(p, ioprio);
3378        if (rc)
3379                return rc;
3380
3381        return current_has_perm(p, PROCESS__SETSCHED);
3382}
3383
3384static int selinux_task_getioprio(struct task_struct *p)
3385{
3386        return current_has_perm(p, PROCESS__GETSCHED);
3387}
3388
3389static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3390                struct rlimit *new_rlim)
3391{
3392        struct rlimit *old_rlim = p->signal->rlim + resource;
3393
3394        /* Control the ability to change the hard limit (whether
3395           lowering or raising it), so that the hard limit can
3396           later be used as a safe reset point for the soft limit
3397           upon context transitions.  See selinux_bprm_committing_creds. */
3398        if (old_rlim->rlim_max != new_rlim->rlim_max)
3399                return current_has_perm(p, PROCESS__SETRLIMIT);
3400
3401        return 0;
3402}
3403
3404static int selinux_task_setscheduler(struct task_struct *p)
3405{
3406        int rc;
3407
3408        rc = cap_task_setscheduler(p);
3409        if (rc)
3410                return rc;
3411
3412        return current_has_perm(p, PROCESS__SETSCHED);
3413}
3414
3415static int selinux_task_getscheduler(struct task_struct *p)
3416{
3417        return current_has_perm(p, PROCESS__GETSCHED);
3418}
3419
3420static int selinux_task_movememory(struct task_struct *p)
3421{
3422        return current_has_perm(p, PROCESS__SETSCHED);
3423}
3424
3425static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3426                                int sig, u32 secid)
3427{
3428        u32 perm;
3429        int rc;
3430
3431        if (!sig)
3432                perm = PROCESS__SIGNULL; /* null signal; existence test */
3433        else
3434                perm = signal_to_av(sig);
3435        if (secid)
3436                rc = avc_has_perm(secid, task_sid(p),
3437                                  SECCLASS_PROCESS, perm, NULL);
3438        else
3439                rc = current_has_perm(p, perm);
3440        return rc;
3441}
3442
3443static int selinux_task_wait(struct task_struct *p)
3444{
3445        return task_has_perm(p, current, PROCESS__SIGCHLD);
3446}
3447
3448static void selinux_task_to_inode(struct task_struct *p,
3449                                  struct inode *inode)
3450{
3451        struct inode_security_struct *isec = inode->i_security;
3452        u32 sid = task_sid(p);
3453
3454        isec->sid = sid;
3455        isec->initialized = 1;
3456}
3457
3458/* Returns error only if unable to parse addresses */
3459static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3460                        struct common_audit_data *ad, u8 *proto)
3461{
3462        int offset, ihlen, ret = -EINVAL;
3463        struct iphdr _iph, *ih;
3464
3465        offset = skb_network_offset(skb);
3466        ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3467        if (ih == NULL)
3468                goto out;
3469
3470        ihlen = ih->ihl * 4;
3471        if (ihlen < sizeof(_iph))
3472                goto out;
3473
3474        ad->u.net.v4info.saddr = ih->saddr;
3475        ad->u.net.v4info.daddr = ih->daddr;
3476        ret = 0;
3477
3478        if (proto)
3479                *proto = ih->protocol;
3480
3481        switch (ih->protocol) {
3482        case IPPROTO_TCP: {
3483                struct tcphdr _tcph, *th;
3484
3485                if (ntohs(ih->frag_off) & IP_OFFSET)
3486                        break;
3487
3488                offset += ihlen;
3489                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3490                if (th == NULL)
3491                        break;
3492
3493                ad->u.net.sport = th->source;
3494                ad->u.net.dport = th->dest;
3495                break;
3496        }
3497
3498        case IPPROTO_UDP: {
3499                struct udphdr _udph, *uh;
3500
3501                if (ntohs(ih->frag_off) & IP_OFFSET)
3502                        break;
3503
3504                offset += ihlen;
3505                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3506                if (uh == NULL)
3507                        break;
3508
3509                ad->u.net.sport = uh->source;
3510                ad->u.net.dport = uh->dest;
3511                break;
3512        }
3513
3514        case IPPROTO_DCCP: {
3515                struct dccp_hdr _dccph, *dh;
3516
3517                if (ntohs(ih->frag_off) & IP_OFFSET)
3518                        break;
3519
3520                offset += ihlen;
3521                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3522                if (dh == NULL)
3523                        break;
3524
3525                ad->u.net.sport = dh->dccph_sport;
3526                ad->u.net.dport = dh->dccph_dport;
3527                break;
3528        }
3529
3530        default:
3531                break;
3532        }
3533out:
3534        return ret;
3535}
3536
3537#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3538
3539/* Returns error only if unable to parse addresses */
3540static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3541                        struct common_audit_data *ad, u8 *proto)
3542{
3543        u8 nexthdr;
3544        int ret = -EINVAL, offset;
3545        struct ipv6hdr _ipv6h, *ip6;
3546
3547        offset = skb_network_offset(skb);
3548        ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3549        if (ip6 == NULL)
3550                goto out;
3551
3552        ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3553        ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3554        ret = 0;
3555
3556        nexthdr = ip6->nexthdr;
3557        offset += sizeof(_ipv6h);
3558        offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3559        if (offset < 0)
3560                goto out;
3561
3562        if (proto)
3563                *proto = nexthdr;
3564
3565        switch (nexthdr) {
3566        case IPPROTO_TCP: {
3567                struct tcphdr _tcph, *th;
3568
3569                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3570                if (th == NULL)
3571                        break;
3572
3573                ad->u.net.sport = th->source;
3574                ad->u.net.dport = th->dest;
3575                break;
3576        }
3577
3578        case IPPROTO_UDP: {
3579                struct udphdr _udph, *uh;
3580
3581                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3582                if (uh == NULL)
3583                        break;
3584
3585                ad->u.net.sport = uh->source;
3586                ad->u.net.dport = uh->dest;
3587                break;
3588        }
3589
3590        case IPPROTO_DCCP: {
3591                struct dccp_hdr _dccph, *dh;
3592
3593                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3594                if (dh == NULL)
3595                        break;
3596
3597                ad->u.net.sport = dh->dccph_sport;
3598                ad->u.net.dport = dh->dccph_dport;
3599                break;
3600        }
3601
3602        /* includes fragments */
3603        default:
3604                break;
3605        }
3606out:
3607        return ret;
3608}
3609
3610#endif /* IPV6 */
3611
3612static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3613                             char **_addrp, int src, u8 *proto)
3614{
3615        char *addrp;
3616        int ret;
3617
3618        switch (ad->u.net.family) {
3619        case PF_INET:
3620                ret = selinux_parse_skb_ipv4(skb, ad, proto);
3621                if (ret)
3622                        goto parse_error;
3623                addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3624                                       &ad->u.net.v4info.daddr);
3625                goto okay;
3626
3627#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3628        case PF_INET6:
3629                ret = selinux_parse_skb_ipv6(skb, ad, proto);
3630                if (ret)
3631                        goto parse_error;
3632                addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3633                                       &ad->u.net.v6info.daddr);
3634                goto okay;
3635#endif  /* IPV6 */
3636        default:
3637                addrp = NULL;
3638                goto okay;
3639        }
3640
3641parse_error:
3642        printk(KERN_WARNING
3643               "SELinux: failure in selinux_parse_skb(),"
3644               " unable to parse packet\n");
3645        return ret;
3646
3647okay:
3648        if (_addrp)
3649                *_addrp = addrp;
3650        return 0;
3651}
3652
3653/**
3654 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3655 * @skb: the packet
3656 * @family: protocol family
3657 * @sid: the packet's peer label SID
3658 *
3659 * Description:
3660 * Check the various different forms of network peer labeling and determine
3661 * the peer label/SID for the packet; most of the magic actually occurs in
3662 * the security server function security_net_peersid_cmp().  The function
3663 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3664 * or -EACCES if @sid is invalid due to inconsistencies with the different
3665 * peer labels.
3666 *
3667 */
3668static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3669{
3670        int err;
3671        u32 xfrm_sid;
3672        u32 nlbl_sid;
3673        u32 nlbl_type;
3674
3675        selinux_skb_xfrm_sid(skb, &xfrm_sid);
3676        selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3677
3678        err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3679        if (unlikely(err)) {
3680                printk(KERN_WARNING
3681                       "SELinux: failure in selinux_skb_peerlbl_sid(),"
3682                       " unable to determine packet's peer label\n");
3683                return -EACCES;
3684        }
3685
3686        return 0;
3687}
3688
3689/* socket security operations */
3690
3691static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3692                                 u16 secclass, u32 *socksid)
3693{
3694        if (tsec->sockcreate_sid > SECSID_NULL) {
3695                *socksid = tsec->sockcreate_sid;
3696                return 0;
3697        }
3698
3699        return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3700                                       socksid);
3701}
3702
3703static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3704{
3705        struct sk_security_struct *sksec = sk->sk_security;
3706        struct common_audit_data ad;
3707        u32 tsid = task_sid(task);
3708
3709        if (sksec->sid == SECINITSID_KERNEL)
3710                return 0;
3711
3712        COMMON_AUDIT_DATA_INIT(&ad, NET);
3713        ad.u.net.sk = sk;
3714
3715        return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3716}
3717
3718static int selinux_socket_create(int family, int type,
3719                                 int protocol, int kern)
3720{
3721        const struct task_security_struct *tsec = current_security();
3722        u32 newsid;
3723        u16 secclass;
3724        int rc;
3725
3726        if (kern)
3727                return 0;
3728
3729        secclass = socket_type_to_security_class(family, type, protocol);
3730        rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3731        if (rc)
3732                return rc;
3733
3734        return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3735}
3736
3737static int selinux_socket_post_create(struct socket *sock, int family,
3738                                      int type, int protocol, int kern)
3739{
3740        const struct task_security_struct *tsec = current_security();
3741        struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3742        struct sk_security_struct *sksec;
3743        int err = 0;
3744
3745        isec->sclass = socket_type_to_security_class(family, type, protocol);
3746
3747        if (kern)
3748                isec->sid = SECINITSID_KERNEL;
3749        else {
3750                err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3751                if (err)
3752                        return err;
3753        }
3754
3755        isec->initialized = 1;
3756
3757        if (sock->sk) {
3758                sksec = sock->sk->sk_security;
3759                sksec->sid = isec->sid;
3760                sksec->sclass = isec->sclass;
3761                err = selinux_netlbl_socket_post_create(sock->sk, family);
3762        }
3763
3764        return err;
3765}
3766
3767/* Range of port numbers used to automatically bind.
3768   Need to determine whether we should perform a name_bind
3769   permission check between the socket and the port number. */
3770
3771static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3772{
3773        struct sock *sk = sock->sk;
3774        u16 family;
3775        int err;
3776
3777        err = sock_has_perm(current, sk, SOCKET__BIND);
3778        if (err)
3779                goto out;
3780
3781        /*
3782         * If PF_INET or PF_INET6, check name_bind permission for the port.
3783         * Multiple address binding for SCTP is not supported yet: we just
3784         * check the first address now.
3785         */
3786        family = sk->sk_family;
3787        if (family == PF_INET || family == PF_INET6) {
3788                char *addrp;
3789                struct sk_security_struct *sksec = sk->sk_security;
3790                struct common_audit_data ad;
3791                struct sockaddr_in *addr4 = NULL;
3792                struct sockaddr_in6 *addr6 = NULL;
3793                unsigned short snum;
3794                u32 sid, node_perm;
3795
3796                if (family == PF_INET) {
3797                        addr4 = (struct sockaddr_in *)address;
3798                        snum = ntohs(addr4->sin_port);
3799                        addrp = (char *)&addr4->sin_addr.s_addr;
3800                } else {
3801                        addr6 = (struct sockaddr_in6 *)address;
3802                        snum = ntohs(addr6->sin6_port);
3803                        addrp = (char *)&addr6->sin6_addr.s6_addr;
3804                }
3805
3806                if (snum) {
3807                        int low, high;
3808
3809                        inet_get_local_port_range(&low, &high);
3810
3811                        if (snum < max(PROT_SOCK, low) || snum > high) {
3812                                err = sel_netport_sid(sk->sk_protocol,
3813                                                      snum, &sid);
3814                                if (err)
3815                                        goto out;
3816                                COMMON_AUDIT_DATA_INIT(&ad, NET);
3817                                ad.u.net.sport = htons(snum);
3818                                ad.u.net.family = family;
3819                                err = avc_has_perm(sksec->sid, sid,
3820                                                   sksec->sclass,
3821                                                   SOCKET__NAME_BIND, &ad);
3822                                if (err)
3823                                        goto out;
3824                        }
3825                }
3826
3827                switch (sksec->sclass) {
3828                case SECCLASS_TCP_SOCKET:
3829                        node_perm = TCP_SOCKET__NODE_BIND;
3830                        break;
3831
3832                case SECCLASS_UDP_SOCKET:
3833                        node_perm = UDP_SOCKET__NODE_BIND;
3834                        break;
3835
3836                case SECCLASS_DCCP_SOCKET:
3837                        node_perm = DCCP_SOCKET__NODE_BIND;
3838                        break;
3839
3840                default:
3841                        node_perm = RAWIP_SOCKET__NODE_BIND;
3842                        break;
3843                }
3844
3845                err = sel_netnode_sid(addrp, family, &sid);
3846                if (err)
3847                        goto out;
3848
3849                COMMON_AUDIT_DATA_INIT(&ad, NET);
3850                ad.u.net.sport = htons(snum);
3851                ad.u.net.family = family;
3852
3853                if (family == PF_INET)
3854                        ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3855                else
3856                        ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3857
3858                err = avc_has_perm(sksec->sid, sid,
3859                                   sksec->sclass, node_perm, &ad);
3860                if (err)
3861                        goto out;
3862        }
3863out:
3864        return err;
3865}
3866
3867static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3868{
3869        struct sock *sk = sock->sk;
3870        struct sk_security_struct *sksec = sk->sk_security;
3871        int err;
3872
3873        err = sock_has_perm(current, sk, SOCKET__CONNECT);
3874        if (err)
3875                return err;
3876
3877        /*
3878         * If a TCP or DCCP socket, check name_connect permission for the port.
3879         */
3880        if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3881            sksec->sclass == SECCLASS_DCCP_SOCKET) {
3882                struct common_audit_data ad;
3883                struct sockaddr_in *addr4 = NULL;
3884                struct sockaddr_in6 *addr6 = NULL;
3885                unsigned short snum;
3886                u32 sid, perm;
3887
3888                if (sk->sk_family == PF_INET) {
3889                        addr4 = (struct sockaddr_in *)address;
3890                        if (addrlen < sizeof(struct sockaddr_in))
3891                                return -EINVAL;
3892                        snum = ntohs(addr4->sin_port);
3893                } else {
3894                        addr6 = (struct sockaddr_in6 *)address;
3895                        if (addrlen < SIN6_LEN_RFC2133)
3896                                return -EINVAL;
3897                        snum = ntohs(addr6->sin6_port);
3898                }
3899
3900                err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3901                if (err)
3902                        goto out;
3903
3904                perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3905                       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3906
3907                COMMON_AUDIT_DATA_INIT(&ad, NET);
3908                ad.u.net.dport = htons(snum);
3909                ad.u.net.family = sk->sk_family;
3910                err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3911                if (err)
3912                        goto out;
3913        }
3914
3915        err = selinux_netlbl_socket_connect(sk, address);
3916
3917out:
3918        return err;
3919}
3920
3921static int selinux_socket_listen(struct socket *sock, int backlog)
3922{
3923        return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3924}
3925
3926static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3927{
3928        int err;
3929        struct inode_security_struct *isec;
3930        struct inode_security_struct *newisec;
3931
3932        err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3933        if (err)
3934                return err;
3935
3936        newisec = SOCK_INODE(newsock)->i_security;
3937
3938        isec = SOCK_INODE(sock)->i_security;
3939        newisec->sclass = isec->sclass;
3940        newisec->sid = isec->sid;
3941        newisec->initialized = 1;
3942
3943        return 0;
3944}
3945
3946static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3947                                  int size)
3948{
3949        return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3950}
3951
3952static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3953                                  int size, int flags)
3954{
3955        return sock_has_perm(current, sock->sk, SOCKET__READ);
3956}
3957
3958static int selinux_socket_getsockname(struct socket *sock)
3959{
3960        return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3961}
3962
3963static int selinux_socket_getpeername(struct socket *sock)
3964{
3965        return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3966}
3967
3968static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3969{
3970        int err;
3971
3972        err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3973        if (err)
3974                return err;
3975
3976        return selinux_netlbl_socket_setsockopt(sock, level, optname);
3977}
3978
3979static int selinux_socket_getsockopt(struct socket *sock, int level,
3980                                     int optname)
3981{
3982        return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3983}
3984
3985static int selinux_socket_shutdown(struct socket *sock, int how)
3986{
3987        return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
3988}
3989
3990static int selinux_socket_unix_stream_connect(struct sock *sock,
3991                                              struct sock *other,
3992                                              struct sock *newsk)
3993{
3994        struct sk_security_struct *sksec_sock = sock->sk_security;
3995        struct sk_security_struct *sksec_other = other->sk_security;
3996        struct sk_security_struct *sksec_new = newsk->sk_security;
3997        struct common_audit_data ad;
3998        int err;
3999
4000        COMMON_AUDIT_DATA_INIT(&ad, NET);
4001        ad.u.net.sk = other;
4002
4003        err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4004                           sksec_other->sclass,
4005                           UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4006        if (err)
4007                return err;
4008
4009        /* server child socket */
4010        sksec_new->peer_sid = sksec_sock->sid;
4011        err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4012                                    &sksec_new->sid);
4013        if (err)
4014                return err;
4015
4016        /* connecting socket */
4017        sksec_sock->peer_sid = sksec_new->sid;
4018
4019        return 0;
4020}
4021
4022static int selinux_socket_unix_may_send(struct socket *sock,
4023                                        struct socket *other)
4024{
4025        struct sk_security_struct *ssec = sock->sk->sk_security;
4026        struct sk_security_struct *osec = other->sk->sk_security;
4027        struct common_audit_data ad;
4028
4029        COMMON_AUDIT_DATA_INIT(&ad, NET);
4030        ad.u.net.sk = other->sk;
4031
4032        return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4033                            &ad);
4034}
4035
4036static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4037                                    u32 peer_sid,
4038                                    struct common_audit_data *ad)
4039{
4040        int err;
4041        u32 if_sid;
4042        u32 node_sid;
4043
4044        err = sel_netif_sid(ifindex, &if_sid);
4045        if (err)
4046                return err;
4047        err = avc_has_perm(peer_sid, if_sid,
4048                           SECCLASS_NETIF, NETIF__INGRESS, ad);
4049        if (err)
4050                return err;
4051
4052        err = sel_netnode_sid(addrp, family, &node_sid);
4053        if (err)
4054                return err;
4055        return avc_has_perm(peer_sid, node_sid,
4056                            SECCLASS_NODE, NODE__RECVFROM, ad);
4057}
4058
4059static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4060                                       u16 family)
4061{
4062        int err = 0;
4063        struct sk_security_struct *sksec = sk->sk_security;
4064        u32 sk_sid = sksec->sid;
4065        struct common_audit_data ad;
4066        char *addrp;
4067
4068        COMMON_AUDIT_DATA_INIT(&ad, NET);
4069        ad.u.net.netif = skb->skb_iif;
4070        ad.u.net.family = family;
4071        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4072        if (err)
4073                return err;
4074
4075        if (selinux_secmark_enabled()) {
4076                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4077                                   PACKET__RECV, &ad);
4078                if (err)
4079                        return err;
4080        }
4081
4082        err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4083        if (err)
4084                return err;
4085        err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4086
4087        return err;
4088}
4089
4090static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4091{
4092        int err;
4093        struct sk_security_struct *sksec = sk->sk_security;
4094        u16 family = sk->sk_family;
4095        u32 sk_sid = sksec->sid;
4096        struct common_audit_data ad;
4097        char *addrp;
4098        u8 secmark_active;
4099        u8 peerlbl_active;
4100
4101        if (family != PF_INET && family != PF_INET6)
4102                return 0;
4103
4104        /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4105        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4106                family = PF_INET;
4107
4108        /* If any sort of compatibility mode is enabled then handoff processing
4109         * to the selinux_sock_rcv_skb_compat() function to deal with the
4110         * special handling.  We do this in an attempt to keep this function
4111         * as fast and as clean as possible. */
4112        if (!selinux_policycap_netpeer)
4113                return selinux_sock_rcv_skb_compat(sk, skb, family);
4114
4115        secmark_active = selinux_secmark_enabled();
4116        peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4117        if (!secmark_active && !peerlbl_active)
4118                return 0;
4119
4120        COMMON_AUDIT_DATA_INIT(&ad, NET);
4121        ad.u.net.netif = skb->skb_iif;
4122        ad.u.net.family = family;
4123        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4124        if (err)
4125                return err;
4126
4127        if (peerlbl_active) {
4128                u32 peer_sid;
4129
4130                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4131                if (err)
4132                        return err;
4133                err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4134                                               peer_sid, &ad);
4135                if (err) {
4136                        selinux_netlbl_err(skb, err, 0);
4137                        return err;
4138                }
4139                err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4140                                   PEER__RECV, &ad);
4141                if (err)
4142                        selinux_netlbl_err(skb, err, 0);
4143        }
4144
4145        if (secmark_active) {
4146                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4147                                   PACKET__RECV, &ad);
4148                if (err)
4149                        return err;
4150        }
4151
4152        return err;
4153}
4154
4155static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4156                                            int __user *optlen, unsigned len)
4157{
4158        int err = 0;
4159        char *scontext;
4160        u32 scontext_len;
4161        struct sk_security_struct *sksec = sock->sk->sk_security;
4162        u32 peer_sid = SECSID_NULL;
4163
4164        if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4165            sksec->sclass == SECCLASS_TCP_SOCKET)
4166                peer_sid = sksec->peer_sid;
4167        if (peer_sid == SECSID_NULL)
4168                return -ENOPROTOOPT;
4169
4170        err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4171        if (err)
4172                return err;
4173
4174        if (scontext_len > len) {
4175                err = -ERANGE;
4176                goto out_len;
4177        }
4178
4179        if (copy_to_user(optval, scontext, scontext_len))
4180                err = -EFAULT;
4181
4182out_len:
4183        if (put_user(scontext_len, optlen))
4184                err = -EFAULT;
4185        kfree(scontext);
4186        return err;
4187}
4188
4189static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4190{
4191        u32 peer_secid = SECSID_NULL;
4192        u16 family;
4193
4194        if (skb && skb->protocol == htons(ETH_P_IP))
4195                family = PF_INET;
4196        else if (skb && skb->protocol == htons(ETH_P_IPV6))
4197                family = PF_INET6;
4198        else if (sock)
4199                family = sock->sk->sk_family;
4200        else
4201                goto out;
4202
4203        if (sock && family == PF_UNIX)
4204                selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4205        else if (skb)
4206                selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4207
4208out:
4209        *secid = peer_secid;
4210        if (peer_secid == SECSID_NULL)
4211                return -EINVAL;
4212        return 0;
4213}
4214
4215static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4216{
4217        struct sk_security_struct *sksec;
4218
4219        sksec = kzalloc(sizeof(*sksec), priority);
4220        if (!sksec)
4221                return -ENOMEM;
4222
4223        sksec->peer_sid = SECINITSID_UNLABELED;
4224        sksec->sid = SECINITSID_UNLABELED;
4225        selinux_netlbl_sk_security_reset(sksec);
4226        sk->sk_security = sksec;
4227
4228        return 0;
4229}
4230
4231static void selinux_sk_free_security(struct sock *sk)
4232{
4233        struct sk_security_struct *sksec = sk->sk_security;
4234
4235        sk->sk_security = NULL;
4236        selinux_netlbl_sk_security_free(sksec);
4237        kfree(sksec);
4238}
4239
4240static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4241{
4242        struct sk_security_struct *sksec = sk->sk_security;
4243        struct sk_security_struct *newsksec = newsk->sk_security;
4244
4245        newsksec->sid = sksec->sid;
4246        newsksec->peer_sid = sksec->peer_sid;
4247        newsksec->sclass = sksec->sclass;
4248
4249        selinux_netlbl_sk_security_reset(newsksec);
4250}
4251
4252static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4253{
4254        if (!sk)
4255                *secid = SECINITSID_ANY_SOCKET;
4256        else {
4257                struct sk_security_struct *sksec = sk->sk_security;
4258
4259                *secid = sksec->sid;
4260        }
4261}
4262
4263static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4264{
4265        struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4266        struct sk_security_struct *sksec = sk->sk_security;
4267
4268        if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4269            sk->sk_family == PF_UNIX)
4270                isec->sid = sksec->sid;
4271        sksec->sclass = isec->sclass;
4272}
4273
4274static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4275                                     struct request_sock *req)
4276{
4277        struct sk_security_struct *sksec = sk->sk_security;
4278        int err;
4279        u16 family = sk->sk_family;
4280        u32 newsid;
4281        u32 peersid;
4282
4283        /* handle mapped IPv4 packets arriving via IPv6 sockets */
4284        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4285                family = PF_INET;
4286
4287        err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4288        if (err)
4289                return err;
4290        if (peersid == SECSID_NULL) {
4291                req->secid = sksec->sid;
4292                req->peer_secid = SECSID_NULL;
4293        } else {
4294                err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4295                if (err)
4296                        return err;
4297                req->secid = newsid;
4298                req->peer_secid = peersid;
4299        }
4300
4301        return selinux_netlbl_inet_conn_request(req, family);
4302}
4303
4304static void selinux_inet_csk_clone(struct sock *newsk,
4305                                   const struct request_sock *req)
4306{
4307        struct sk_security_struct *newsksec = newsk->sk_security;
4308
4309        newsksec->sid = req->secid;
4310        newsksec->peer_sid = req->peer_secid;
4311        /* NOTE: Ideally, we should also get the isec->sid for the
4312           new socket in sync, but we don't have the isec available yet.
4313           So we will wait until sock_graft to do it, by which
4314           time it will have been created and available. */
4315
4316        /* We don't need to take any sort of lock here as we are the only
4317         * thread with access to newsksec */
4318        selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4319}
4320
4321static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4322{
4323        u16 family = sk->sk_family;
4324        struct sk_security_struct *sksec = sk->sk_security;
4325
4326        /* handle mapped IPv4 packets arriving via IPv6 sockets */
4327        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4328                family = PF_INET;
4329
4330        selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4331}
4332
4333static int selinux_secmark_relabel_packet(u32 sid)
4334{
4335        const struct task_security_struct *__tsec;
4336        u32 tsid;
4337
4338        __tsec = current_security();
4339        tsid = __tsec->sid;
4340
4341        return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4342}
4343
4344static void selinux_secmark_refcount_inc(void)
4345{
4346        atomic_inc(&selinux_secmark_refcount);
4347}
4348
4349static void selinux_secmark_refcount_dec(void)
4350{
4351        atomic_dec(&selinux_secmark_refcount);
4352}
4353
4354static void selinux_req_classify_flow(const struct request_sock *req,
4355                                      struct flowi *fl)
4356{
4357        fl->flowi_secid = req->secid;
4358}
4359
4360static int selinux_tun_dev_create(void)
4361{
4362        u32 sid = current_sid();
4363
4364        /* we aren't taking into account the "sockcreate" SID since the socket
4365         * that is being created here is not a socket in the traditional sense,
4366         * instead it is a private sock, accessible only to the kernel, and
4367         * representing a wide range of network traffic spanning multiple
4368         * connections unlike traditional sockets - check the TUN driver to
4369         * get a better understanding of why this socket is special */
4370
4371        return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4372                            NULL);
4373}
4374
4375static void selinux_tun_dev_post_create(struct sock *sk)
4376{
4377        struct sk_security_struct *sksec = sk->sk_security;
4378
4379        /* we don't currently perform any NetLabel based labeling here and it
4380         * isn't clear that we would want to do so anyway; while we could apply
4381         * labeling without the support of the TUN user the resulting labeled
4382         * traffic from the other end of the connection would almost certainly
4383         * cause confusion to the TUN user that had no idea network labeling
4384         * protocols were being used */
4385
4386        /* see the comments in selinux_tun_dev_create() about why we don't use
4387         * the sockcreate SID here */
4388
4389        sksec->sid = current_sid();
4390        sksec->sclass = SECCLASS_TUN_SOCKET;
4391}
4392
4393static int selinux_tun_dev_attach(struct sock *sk)
4394{
4395        struct sk_security_struct *sksec = sk->sk_security;
4396        u32 sid = current_sid();
4397        int err;
4398
4399        err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4400                           TUN_SOCKET__RELABELFROM, NULL);
4401        if (err)
4402                return err;
4403        err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4404                           TUN_SOCKET__RELABELTO, NULL);
4405        if (err)
4406                return err;
4407
4408        sksec->sid = sid;
4409
4410        return 0;
4411}
4412
4413static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4414{
4415        int err = 0;
4416        u32 perm;
4417        struct nlmsghdr *nlh;
4418        struct sk_security_struct *sksec = sk->sk_security;
4419
4420        if (skb->len < NLMSG_SPACE(0)) {
4421                err = -EINVAL;
4422                goto out;
4423        }
4424        nlh = nlmsg_hdr(skb);
4425
4426        err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4427        if (err) {
4428                if (err == -EINVAL) {
4429                        audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4430                                  "SELinux:  unrecognized netlink message"
4431                                  " type=%hu for sclass=%hu\n",
4432                                  nlh->nlmsg_type, sksec->sclass);
4433                        if (!selinux_enforcing || security_get_allow_unknown())
4434                                err = 0;
4435                }
4436
4437                /* Ignore */
4438                if (err == -ENOENT)
4439                        err = 0;
4440                goto out;
4441        }
4442
4443        err = sock_has_perm(current, sk, perm);
4444out:
4445        return err;
4446}
4447
4448#ifdef CONFIG_NETFILTER
4449
4450static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4451                                       u16 family)
4452{
4453        int err;
4454        char *addrp;
4455        u32 peer_sid;
4456        struct common_audit_data ad;
4457        u8 secmark_active;
4458        u8 netlbl_active;
4459        u8 peerlbl_active;
4460
4461        if (!selinux_policycap_netpeer)
4462                return NF_ACCEPT;
4463
4464        secmark_active = selinux_secmark_enabled();
4465        netlbl_active = netlbl_enabled();
4466        peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4467        if (!secmark_active && !peerlbl_active)
4468                return NF_ACCEPT;
4469
4470        if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4471                return NF_DROP;
4472
4473        COMMON_AUDIT_DATA_INIT(&ad, NET);
4474        ad.u.net.netif = ifindex;
4475        ad.u.net.family = family;
4476        if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4477                return NF_DROP;
4478
4479        if (peerlbl_active) {
4480                err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4481                                               peer_sid, &ad);
4482                if (err) {
4483                        selinux_netlbl_err(skb, err, 1);
4484                        return NF_DROP;
4485                }
4486        }
4487
4488        if (secmark_active)
4489                if (avc_has_perm(peer_sid, skb->secmark,
4490                                 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4491                        return NF_DROP;
4492
4493        if (netlbl_active)
4494                /* we do this in the FORWARD path and not the POST_ROUTING
4495                 * path because we want to make sure we apply the necessary
4496                 * labeling before IPsec is applied so we can leverage AH
4497                 * protection */
4498                if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4499                        return NF_DROP;
4500
4501        return NF_ACCEPT;
4502}
4503
4504static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4505                                         struct sk_buff *skb,
4506                                         const struct net_device *in,
4507                                         const struct net_device *out,
4508                                         int (*okfn)(struct sk_buff *))
4509{
4510        return selinux_ip_forward(skb, in->ifindex, PF_INET);
4511}
4512
4513#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4514static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4515                                         struct sk_buff *skb,
4516                                         const struct net_device *in,
4517                                         const struct net_device *out,
4518                                         int (*okfn)(struct sk_buff *))
4519{
4520        return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4521}
4522#endif  /* IPV6 */
4523
4524static unsigned int selinux_ip_output(struct sk_buff *skb,
4525                                      u16 family)
4526{
4527        u32 sid;
4528
4529        if (!netlbl_enabled())
4530                return NF_ACCEPT;
4531
4532        /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4533         * because we want to make sure we apply the necessary labeling
4534         * before IPsec is applied so we can leverage AH protection */
4535        if (skb->sk) {
4536                struct sk_security_struct *sksec = skb->sk->sk_security;
4537                sid = sksec->sid;
4538        } else
4539                sid = SECINITSID_KERNEL;
4540        if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4541                return NF_DROP;
4542
4543        return NF_ACCEPT;
4544}
4545
4546static unsigned int selinux_ipv4_output(unsigned int hooknum,
4547                                        struct sk_buff *skb,
4548                                        const struct net_device *in,
4549                                        const struct net_device *out,
4550                                        int (*okfn)(struct sk_buff *))
4551{
4552        return selinux_ip_output(skb, PF_INET);
4553}
4554