Merge commit 'v3.17' into next
[firefly-linux-kernel-4.4.55.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>             /* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>    /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h>           /* for Unix socket types */
71 #include <net/af_unix.h>        /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87
88 #include "avc.h"
89 #include "objsec.h"
90 #include "netif.h"
91 #include "netnode.h"
92 #include "netport.h"
93 #include "xfrm.h"
94 #include "netlabel.h"
95 #include "audit.h"
96 #include "avc_ss.h"
97
98 extern struct security_operations *security_ops;
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108         unsigned long enforcing;
109         if (!kstrtoul(str, 0, &enforcing))
110                 selinux_enforcing = enforcing ? 1 : 0;
111         return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121         unsigned long enabled;
122         if (!kstrtoul(str, 0, &enabled))
123                 selinux_enabled = enabled ? 1 : 0;
124         return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132
133 /**
134  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135  *
136  * Description:
137  * This function checks the SECMARK reference counter to see if any SECMARK
138  * targets are currently configured, if the reference counter is greater than
139  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
140  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
141  * policy capability is enabled, SECMARK is always considered enabled.
142  *
143  */
144 static int selinux_secmark_enabled(void)
145 {
146         return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
147 }
148
149 /**
150  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151  *
152  * Description:
153  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
154  * (1) if any are enabled or false (0) if neither are enabled.  If the
155  * always_check_network policy capability is enabled, peer labeling
156  * is always considered enabled.
157  *
158  */
159 static int selinux_peerlbl_enabled(void)
160 {
161         return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 }
163
164 static int selinux_netcache_avc_callback(u32 event)
165 {
166         if (event == AVC_CALLBACK_RESET) {
167                 sel_netif_flush();
168                 sel_netnode_flush();
169                 sel_netport_flush();
170                 synchronize_net();
171         }
172         return 0;
173 }
174
175 /*
176  * initialise the security for the init task
177  */
178 static void cred_init_security(void)
179 {
180         struct cred *cred = (struct cred *) current->real_cred;
181         struct task_security_struct *tsec;
182
183         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
184         if (!tsec)
185                 panic("SELinux:  Failed to initialize initial task.\n");
186
187         tsec->osid = tsec->sid = SECINITSID_KERNEL;
188         cred->security = tsec;
189 }
190
191 /*
192  * get the security ID of a set of credentials
193  */
194 static inline u32 cred_sid(const struct cred *cred)
195 {
196         const struct task_security_struct *tsec;
197
198         tsec = cred->security;
199         return tsec->sid;
200 }
201
202 /*
203  * get the objective security ID of a task
204  */
205 static inline u32 task_sid(const struct task_struct *task)
206 {
207         u32 sid;
208
209         rcu_read_lock();
210         sid = cred_sid(__task_cred(task));
211         rcu_read_unlock();
212         return sid;
213 }
214
215 /*
216  * get the subjective security ID of the current task
217  */
218 static inline u32 current_sid(void)
219 {
220         const struct task_security_struct *tsec = current_security();
221
222         return tsec->sid;
223 }
224
225 /* Allocate and free functions for each kind of security blob. */
226
227 static int inode_alloc_security(struct inode *inode)
228 {
229         struct inode_security_struct *isec;
230         u32 sid = current_sid();
231
232         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
233         if (!isec)
234                 return -ENOMEM;
235
236         mutex_init(&isec->lock);
237         INIT_LIST_HEAD(&isec->list);
238         isec->inode = inode;
239         isec->sid = SECINITSID_UNLABELED;
240         isec->sclass = SECCLASS_FILE;
241         isec->task_sid = sid;
242         inode->i_security = isec;
243
244         return 0;
245 }
246
247 static void inode_free_rcu(struct rcu_head *head)
248 {
249         struct inode_security_struct *isec;
250
251         isec = container_of(head, struct inode_security_struct, rcu);
252         kmem_cache_free(sel_inode_cache, isec);
253 }
254
255 static void inode_free_security(struct inode *inode)
256 {
257         struct inode_security_struct *isec = inode->i_security;
258         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
259
260         spin_lock(&sbsec->isec_lock);
261         if (!list_empty(&isec->list))
262                 list_del_init(&isec->list);
263         spin_unlock(&sbsec->isec_lock);
264
265         /*
266          * The inode may still be referenced in a path walk and
267          * a call to selinux_inode_permission() can be made
268          * after inode_free_security() is called. Ideally, the VFS
269          * wouldn't do this, but fixing that is a much harder
270          * job. For now, simply free the i_security via RCU, and
271          * leave the current inode->i_security pointer intact.
272          * The inode will be freed after the RCU grace period too.
273          */
274         call_rcu(&isec->rcu, inode_free_rcu);
275 }
276
277 static int file_alloc_security(struct file *file)
278 {
279         struct file_security_struct *fsec;
280         u32 sid = current_sid();
281
282         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
283         if (!fsec)
284                 return -ENOMEM;
285
286         fsec->sid = sid;
287         fsec->fown_sid = sid;
288         file->f_security = fsec;
289
290         return 0;
291 }
292
293 static void file_free_security(struct file *file)
294 {
295         struct file_security_struct *fsec = file->f_security;
296         file->f_security = NULL;
297         kfree(fsec);
298 }
299
300 static int superblock_alloc_security(struct super_block *sb)
301 {
302         struct superblock_security_struct *sbsec;
303
304         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
305         if (!sbsec)
306                 return -ENOMEM;
307
308         mutex_init(&sbsec->lock);
309         INIT_LIST_HEAD(&sbsec->isec_head);
310         spin_lock_init(&sbsec->isec_lock);
311         sbsec->sb = sb;
312         sbsec->sid = SECINITSID_UNLABELED;
313         sbsec->def_sid = SECINITSID_FILE;
314         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
315         sb->s_security = sbsec;
316
317         return 0;
318 }
319
320 static void superblock_free_security(struct super_block *sb)
321 {
322         struct superblock_security_struct *sbsec = sb->s_security;
323         sb->s_security = NULL;
324         kfree(sbsec);
325 }
326
327 /* The file system's label must be initialized prior to use. */
328
329 static const char *labeling_behaviors[7] = {
330         "uses xattr",
331         "uses transition SIDs",
332         "uses task SIDs",
333         "uses genfs_contexts",
334         "not configured for labeling",
335         "uses mountpoint labeling",
336         "uses native labeling",
337 };
338
339 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
340
341 static inline int inode_doinit(struct inode *inode)
342 {
343         return inode_doinit_with_dentry(inode, NULL);
344 }
345
346 enum {
347         Opt_error = -1,
348         Opt_context = 1,
349         Opt_fscontext = 2,
350         Opt_defcontext = 3,
351         Opt_rootcontext = 4,
352         Opt_labelsupport = 5,
353         Opt_nextmntopt = 6,
354 };
355
356 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
357
358 static const match_table_t tokens = {
359         {Opt_context, CONTEXT_STR "%s"},
360         {Opt_fscontext, FSCONTEXT_STR "%s"},
361         {Opt_defcontext, DEFCONTEXT_STR "%s"},
362         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363         {Opt_labelsupport, LABELSUPP_STR},
364         {Opt_error, NULL},
365 };
366
367 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
368
369 static int may_context_mount_sb_relabel(u32 sid,
370                         struct superblock_security_struct *sbsec,
371                         const struct cred *cred)
372 {
373         const struct task_security_struct *tsec = cred->security;
374         int rc;
375
376         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
377                           FILESYSTEM__RELABELFROM, NULL);
378         if (rc)
379                 return rc;
380
381         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
382                           FILESYSTEM__RELABELTO, NULL);
383         return rc;
384 }
385
386 static int may_context_mount_inode_relabel(u32 sid,
387                         struct superblock_security_struct *sbsec,
388                         const struct cred *cred)
389 {
390         const struct task_security_struct *tsec = cred->security;
391         int rc;
392         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
393                           FILESYSTEM__RELABELFROM, NULL);
394         if (rc)
395                 return rc;
396
397         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
398                           FILESYSTEM__ASSOCIATE, NULL);
399         return rc;
400 }
401
402 static int selinux_is_sblabel_mnt(struct super_block *sb)
403 {
404         struct superblock_security_struct *sbsec = sb->s_security;
405
406         if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
407             sbsec->behavior == SECURITY_FS_USE_TRANS ||
408             sbsec->behavior == SECURITY_FS_USE_TASK)
409                 return 1;
410
411         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
412         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
413                 return 1;
414
415         /*
416          * Special handling for rootfs. Is genfs but supports
417          * setting SELinux context on in-core inodes.
418          */
419         if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
420                 return 1;
421
422         return 0;
423 }
424
425 static int sb_finish_set_opts(struct super_block *sb)
426 {
427         struct superblock_security_struct *sbsec = sb->s_security;
428         struct dentry *root = sb->s_root;
429         struct inode *root_inode = root->d_inode;
430         int rc = 0;
431
432         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
433                 /* Make sure that the xattr handler exists and that no
434                    error other than -ENODATA is returned by getxattr on
435                    the root directory.  -ENODATA is ok, as this may be
436                    the first boot of the SELinux kernel before we have
437                    assigned xattr values to the filesystem. */
438                 if (!root_inode->i_op->getxattr) {
439                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
440                                "xattr support\n", sb->s_id, sb->s_type->name);
441                         rc = -EOPNOTSUPP;
442                         goto out;
443                 }
444                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
445                 if (rc < 0 && rc != -ENODATA) {
446                         if (rc == -EOPNOTSUPP)
447                                 printk(KERN_WARNING "SELinux: (dev %s, type "
448                                        "%s) has no security xattr handler\n",
449                                        sb->s_id, sb->s_type->name);
450                         else
451                                 printk(KERN_WARNING "SELinux: (dev %s, type "
452                                        "%s) getxattr errno %d\n", sb->s_id,
453                                        sb->s_type->name, -rc);
454                         goto out;
455                 }
456         }
457
458         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
459                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
460                        sb->s_id, sb->s_type->name);
461         else
462                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
463                        sb->s_id, sb->s_type->name,
464                        labeling_behaviors[sbsec->behavior-1]);
465
466         sbsec->flags |= SE_SBINITIALIZED;
467         if (selinux_is_sblabel_mnt(sb))
468                 sbsec->flags |= SBLABEL_MNT;
469
470         /* Initialize the root inode. */
471         rc = inode_doinit_with_dentry(root_inode, root);
472
473         /* Initialize any other inodes associated with the superblock, e.g.
474            inodes created prior to initial policy load or inodes created
475            during get_sb by a pseudo filesystem that directly
476            populates itself. */
477         spin_lock(&sbsec->isec_lock);
478 next_inode:
479         if (!list_empty(&sbsec->isec_head)) {
480                 struct inode_security_struct *isec =
481                                 list_entry(sbsec->isec_head.next,
482                                            struct inode_security_struct, list);
483                 struct inode *inode = isec->inode;
484                 spin_unlock(&sbsec->isec_lock);
485                 inode = igrab(inode);
486                 if (inode) {
487                         if (!IS_PRIVATE(inode))
488                                 inode_doinit(inode);
489                         iput(inode);
490                 }
491                 spin_lock(&sbsec->isec_lock);
492                 list_del_init(&isec->list);
493                 goto next_inode;
494         }
495         spin_unlock(&sbsec->isec_lock);
496 out:
497         return rc;
498 }
499
500 /*
501  * This function should allow an FS to ask what it's mount security
502  * options were so it can use those later for submounts, displaying
503  * mount options, or whatever.
504  */
505 static int selinux_get_mnt_opts(const struct super_block *sb,
506                                 struct security_mnt_opts *opts)
507 {
508         int rc = 0, i;
509         struct superblock_security_struct *sbsec = sb->s_security;
510         char *context = NULL;
511         u32 len;
512         char tmp;
513
514         security_init_mnt_opts(opts);
515
516         if (!(sbsec->flags & SE_SBINITIALIZED))
517                 return -EINVAL;
518
519         if (!ss_initialized)
520                 return -EINVAL;
521
522         /* make sure we always check enough bits to cover the mask */
523         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
524
525         tmp = sbsec->flags & SE_MNTMASK;
526         /* count the number of mount options for this sb */
527         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
528                 if (tmp & 0x01)
529                         opts->num_mnt_opts++;
530                 tmp >>= 1;
531         }
532         /* Check if the Label support flag is set */
533         if (sbsec->flags & SBLABEL_MNT)
534                 opts->num_mnt_opts++;
535
536         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
537         if (!opts->mnt_opts) {
538                 rc = -ENOMEM;
539                 goto out_free;
540         }
541
542         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
543         if (!opts->mnt_opts_flags) {
544                 rc = -ENOMEM;
545                 goto out_free;
546         }
547
548         i = 0;
549         if (sbsec->flags & FSCONTEXT_MNT) {
550                 rc = security_sid_to_context(sbsec->sid, &context, &len);
551                 if (rc)
552                         goto out_free;
553                 opts->mnt_opts[i] = context;
554                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
555         }
556         if (sbsec->flags & CONTEXT_MNT) {
557                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
558                 if (rc)
559                         goto out_free;
560                 opts->mnt_opts[i] = context;
561                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
562         }
563         if (sbsec->flags & DEFCONTEXT_MNT) {
564                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
565                 if (rc)
566                         goto out_free;
567                 opts->mnt_opts[i] = context;
568                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
569         }
570         if (sbsec->flags & ROOTCONTEXT_MNT) {
571                 struct inode *root = sbsec->sb->s_root->d_inode;
572                 struct inode_security_struct *isec = root->i_security;
573
574                 rc = security_sid_to_context(isec->sid, &context, &len);
575                 if (rc)
576                         goto out_free;
577                 opts->mnt_opts[i] = context;
578                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
579         }
580         if (sbsec->flags & SBLABEL_MNT) {
581                 opts->mnt_opts[i] = NULL;
582                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
583         }
584
585         BUG_ON(i != opts->num_mnt_opts);
586
587         return 0;
588
589 out_free:
590         security_free_mnt_opts(opts);
591         return rc;
592 }
593
594 static int bad_option(struct superblock_security_struct *sbsec, char flag,
595                       u32 old_sid, u32 new_sid)
596 {
597         char mnt_flags = sbsec->flags & SE_MNTMASK;
598
599         /* check if the old mount command had the same options */
600         if (sbsec->flags & SE_SBINITIALIZED)
601                 if (!(sbsec->flags & flag) ||
602                     (old_sid != new_sid))
603                         return 1;
604
605         /* check if we were passed the same options twice,
606          * aka someone passed context=a,context=b
607          */
608         if (!(sbsec->flags & SE_SBINITIALIZED))
609                 if (mnt_flags & flag)
610                         return 1;
611         return 0;
612 }
613
614 /*
615  * Allow filesystems with binary mount data to explicitly set mount point
616  * labeling information.
617  */
618 static int selinux_set_mnt_opts(struct super_block *sb,
619                                 struct security_mnt_opts *opts,
620                                 unsigned long kern_flags,
621                                 unsigned long *set_kern_flags)
622 {
623         const struct cred *cred = current_cred();
624         int rc = 0, i;
625         struct superblock_security_struct *sbsec = sb->s_security;
626         const char *name = sb->s_type->name;
627         struct inode *inode = sbsec->sb->s_root->d_inode;
628         struct inode_security_struct *root_isec = inode->i_security;
629         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
630         u32 defcontext_sid = 0;
631         char **mount_options = opts->mnt_opts;
632         int *flags = opts->mnt_opts_flags;
633         int num_opts = opts->num_mnt_opts;
634
635         mutex_lock(&sbsec->lock);
636
637         if (!ss_initialized) {
638                 if (!num_opts) {
639                         /* Defer initialization until selinux_complete_init,
640                            after the initial policy is loaded and the security
641                            server is ready to handle calls. */
642                         goto out;
643                 }
644                 rc = -EINVAL;
645                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
646                         "before the security server is initialized\n");
647                 goto out;
648         }
649         if (kern_flags && !set_kern_flags) {
650                 /* Specifying internal flags without providing a place to
651                  * place the results is not allowed */
652                 rc = -EINVAL;
653                 goto out;
654         }
655
656         /*
657          * Binary mount data FS will come through this function twice.  Once
658          * from an explicit call and once from the generic calls from the vfs.
659          * Since the generic VFS calls will not contain any security mount data
660          * we need to skip the double mount verification.
661          *
662          * This does open a hole in which we will not notice if the first
663          * mount using this sb set explict options and a second mount using
664          * this sb does not set any security options.  (The first options
665          * will be used for both mounts)
666          */
667         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
668             && (num_opts == 0))
669                 goto out;
670
671         /*
672          * parse the mount options, check if they are valid sids.
673          * also check if someone is trying to mount the same sb more
674          * than once with different security options.
675          */
676         for (i = 0; i < num_opts; i++) {
677                 u32 sid;
678
679                 if (flags[i] == SBLABEL_MNT)
680                         continue;
681                 rc = security_context_to_sid(mount_options[i],
682                                              strlen(mount_options[i]), &sid, GFP_KERNEL);
683                 if (rc) {
684                         printk(KERN_WARNING "SELinux: security_context_to_sid"
685                                "(%s) failed for (dev %s, type %s) errno=%d\n",
686                                mount_options[i], sb->s_id, name, rc);
687                         goto out;
688                 }
689                 switch (flags[i]) {
690                 case FSCONTEXT_MNT:
691                         fscontext_sid = sid;
692
693                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
694                                         fscontext_sid))
695                                 goto out_double_mount;
696
697                         sbsec->flags |= FSCONTEXT_MNT;
698                         break;
699                 case CONTEXT_MNT:
700                         context_sid = sid;
701
702                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
703                                         context_sid))
704                                 goto out_double_mount;
705
706                         sbsec->flags |= CONTEXT_MNT;
707                         break;
708                 case ROOTCONTEXT_MNT:
709                         rootcontext_sid = sid;
710
711                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
712                                         rootcontext_sid))
713                                 goto out_double_mount;
714
715                         sbsec->flags |= ROOTCONTEXT_MNT;
716
717                         break;
718                 case DEFCONTEXT_MNT:
719                         defcontext_sid = sid;
720
721                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
722                                         defcontext_sid))
723                                 goto out_double_mount;
724
725                         sbsec->flags |= DEFCONTEXT_MNT;
726
727                         break;
728                 default:
729                         rc = -EINVAL;
730                         goto out;
731                 }
732         }
733
734         if (sbsec->flags & SE_SBINITIALIZED) {
735                 /* previously mounted with options, but not on this attempt? */
736                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
737                         goto out_double_mount;
738                 rc = 0;
739                 goto out;
740         }
741
742         if (strcmp(sb->s_type->name, "proc") == 0)
743                 sbsec->flags |= SE_SBPROC;
744
745         if (!sbsec->behavior) {
746                 /*
747                  * Determine the labeling behavior to use for this
748                  * filesystem type.
749                  */
750                 rc = security_fs_use(sb);
751                 if (rc) {
752                         printk(KERN_WARNING
753                                 "%s: security_fs_use(%s) returned %d\n",
754                                         __func__, sb->s_type->name, rc);
755                         goto out;
756                 }
757         }
758         /* sets the context of the superblock for the fs being mounted. */
759         if (fscontext_sid) {
760                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
761                 if (rc)
762                         goto out;
763
764                 sbsec->sid = fscontext_sid;
765         }
766
767         /*
768          * Switch to using mount point labeling behavior.
769          * sets the label used on all file below the mountpoint, and will set
770          * the superblock context if not already set.
771          */
772         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
773                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
774                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
775         }
776
777         if (context_sid) {
778                 if (!fscontext_sid) {
779                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
780                                                           cred);
781                         if (rc)
782                                 goto out;
783                         sbsec->sid = context_sid;
784                 } else {
785                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
786                                                              cred);
787                         if (rc)
788                                 goto out;
789                 }
790                 if (!rootcontext_sid)
791                         rootcontext_sid = context_sid;
792
793                 sbsec->mntpoint_sid = context_sid;
794                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
795         }
796
797         if (rootcontext_sid) {
798                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
799                                                      cred);
800                 if (rc)
801                         goto out;
802
803                 root_isec->sid = rootcontext_sid;
804                 root_isec->initialized = 1;
805         }
806
807         if (defcontext_sid) {
808                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
809                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
810                         rc = -EINVAL;
811                         printk(KERN_WARNING "SELinux: defcontext option is "
812                                "invalid for this filesystem type\n");
813                         goto out;
814                 }
815
816                 if (defcontext_sid != sbsec->def_sid) {
817                         rc = may_context_mount_inode_relabel(defcontext_sid,
818                                                              sbsec, cred);
819                         if (rc)
820                                 goto out;
821                 }
822
823                 sbsec->def_sid = defcontext_sid;
824         }
825
826         rc = sb_finish_set_opts(sb);
827 out:
828         mutex_unlock(&sbsec->lock);
829         return rc;
830 out_double_mount:
831         rc = -EINVAL;
832         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
833                "security settings for (dev %s, type %s)\n", sb->s_id, name);
834         goto out;
835 }
836
837 static int selinux_cmp_sb_context(const struct super_block *oldsb,
838                                     const struct super_block *newsb)
839 {
840         struct superblock_security_struct *old = oldsb->s_security;
841         struct superblock_security_struct *new = newsb->s_security;
842         char oldflags = old->flags & SE_MNTMASK;
843         char newflags = new->flags & SE_MNTMASK;
844
845         if (oldflags != newflags)
846                 goto mismatch;
847         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
848                 goto mismatch;
849         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
850                 goto mismatch;
851         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
852                 goto mismatch;
853         if (oldflags & ROOTCONTEXT_MNT) {
854                 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
855                 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
856                 if (oldroot->sid != newroot->sid)
857                         goto mismatch;
858         }
859         return 0;
860 mismatch:
861         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
862                             "different security settings for (dev %s, "
863                             "type %s)\n", newsb->s_id, newsb->s_type->name);
864         return -EBUSY;
865 }
866
867 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
868                                         struct super_block *newsb)
869 {
870         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
871         struct superblock_security_struct *newsbsec = newsb->s_security;
872
873         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
874         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
875         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
876
877         /*
878          * if the parent was able to be mounted it clearly had no special lsm
879          * mount options.  thus we can safely deal with this superblock later
880          */
881         if (!ss_initialized)
882                 return 0;
883
884         /* how can we clone if the old one wasn't set up?? */
885         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
886
887         /* if fs is reusing a sb, make sure that the contexts match */
888         if (newsbsec->flags & SE_SBINITIALIZED)
889                 return selinux_cmp_sb_context(oldsb, newsb);
890
891         mutex_lock(&newsbsec->lock);
892
893         newsbsec->flags = oldsbsec->flags;
894
895         newsbsec->sid = oldsbsec->sid;
896         newsbsec->def_sid = oldsbsec->def_sid;
897         newsbsec->behavior = oldsbsec->behavior;
898
899         if (set_context) {
900                 u32 sid = oldsbsec->mntpoint_sid;
901
902                 if (!set_fscontext)
903                         newsbsec->sid = sid;
904                 if (!set_rootcontext) {
905                         struct inode *newinode = newsb->s_root->d_inode;
906                         struct inode_security_struct *newisec = newinode->i_security;
907                         newisec->sid = sid;
908                 }
909                 newsbsec->mntpoint_sid = sid;
910         }
911         if (set_rootcontext) {
912                 const struct inode *oldinode = oldsb->s_root->d_inode;
913                 const struct inode_security_struct *oldisec = oldinode->i_security;
914                 struct inode *newinode = newsb->s_root->d_inode;
915                 struct inode_security_struct *newisec = newinode->i_security;
916
917                 newisec->sid = oldisec->sid;
918         }
919
920         sb_finish_set_opts(newsb);
921         mutex_unlock(&newsbsec->lock);
922         return 0;
923 }
924
925 static int selinux_parse_opts_str(char *options,
926                                   struct security_mnt_opts *opts)
927 {
928         char *p;
929         char *context = NULL, *defcontext = NULL;
930         char *fscontext = NULL, *rootcontext = NULL;
931         int rc, num_mnt_opts = 0;
932
933         opts->num_mnt_opts = 0;
934
935         /* Standard string-based options. */
936         while ((p = strsep(&options, "|")) != NULL) {
937                 int token;
938                 substring_t args[MAX_OPT_ARGS];
939
940                 if (!*p)
941                         continue;
942
943                 token = match_token(p, tokens, args);
944
945                 switch (token) {
946                 case Opt_context:
947                         if (context || defcontext) {
948                                 rc = -EINVAL;
949                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
950                                 goto out_err;
951                         }
952                         context = match_strdup(&args[0]);
953                         if (!context) {
954                                 rc = -ENOMEM;
955                                 goto out_err;
956                         }
957                         break;
958
959                 case Opt_fscontext:
960                         if (fscontext) {
961                                 rc = -EINVAL;
962                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
963                                 goto out_err;
964                         }
965                         fscontext = match_strdup(&args[0]);
966                         if (!fscontext) {
967                                 rc = -ENOMEM;
968                                 goto out_err;
969                         }
970                         break;
971
972                 case Opt_rootcontext:
973                         if (rootcontext) {
974                                 rc = -EINVAL;
975                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
976                                 goto out_err;
977                         }
978                         rootcontext = match_strdup(&args[0]);
979                         if (!rootcontext) {
980                                 rc = -ENOMEM;
981                                 goto out_err;
982                         }
983                         break;
984
985                 case Opt_defcontext:
986                         if (context || defcontext) {
987                                 rc = -EINVAL;
988                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
989                                 goto out_err;
990                         }
991                         defcontext = match_strdup(&args[0]);
992                         if (!defcontext) {
993                                 rc = -ENOMEM;
994                                 goto out_err;
995                         }
996                         break;
997                 case Opt_labelsupport:
998                         break;
999                 default:
1000                         rc = -EINVAL;
1001                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
1002                         goto out_err;
1003
1004                 }
1005         }
1006
1007         rc = -ENOMEM;
1008         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1009         if (!opts->mnt_opts)
1010                 goto out_err;
1011
1012         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1013         if (!opts->mnt_opts_flags) {
1014                 kfree(opts->mnt_opts);
1015                 goto out_err;
1016         }
1017
1018         if (fscontext) {
1019                 opts->mnt_opts[num_mnt_opts] = fscontext;
1020                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1021         }
1022         if (context) {
1023                 opts->mnt_opts[num_mnt_opts] = context;
1024                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1025         }
1026         if (rootcontext) {
1027                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1028                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1029         }
1030         if (defcontext) {
1031                 opts->mnt_opts[num_mnt_opts] = defcontext;
1032                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1033         }
1034
1035         opts->num_mnt_opts = num_mnt_opts;
1036         return 0;
1037
1038 out_err:
1039         kfree(context);
1040         kfree(defcontext);
1041         kfree(fscontext);
1042         kfree(rootcontext);
1043         return rc;
1044 }
1045 /*
1046  * string mount options parsing and call set the sbsec
1047  */
1048 static int superblock_doinit(struct super_block *sb, void *data)
1049 {
1050         int rc = 0;
1051         char *options = data;
1052         struct security_mnt_opts opts;
1053
1054         security_init_mnt_opts(&opts);
1055
1056         if (!data)
1057                 goto out;
1058
1059         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1060
1061         rc = selinux_parse_opts_str(options, &opts);
1062         if (rc)
1063                 goto out_err;
1064
1065 out:
1066         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1067
1068 out_err:
1069         security_free_mnt_opts(&opts);
1070         return rc;
1071 }
1072
1073 static void selinux_write_opts(struct seq_file *m,
1074                                struct security_mnt_opts *opts)
1075 {
1076         int i;
1077         char *prefix;
1078
1079         for (i = 0; i < opts->num_mnt_opts; i++) {
1080                 char *has_comma;
1081
1082                 if (opts->mnt_opts[i])
1083                         has_comma = strchr(opts->mnt_opts[i], ',');
1084                 else
1085                         has_comma = NULL;
1086
1087                 switch (opts->mnt_opts_flags[i]) {
1088                 case CONTEXT_MNT:
1089                         prefix = CONTEXT_STR;
1090                         break;
1091                 case FSCONTEXT_MNT:
1092                         prefix = FSCONTEXT_STR;
1093                         break;
1094                 case ROOTCONTEXT_MNT:
1095                         prefix = ROOTCONTEXT_STR;
1096                         break;
1097                 case DEFCONTEXT_MNT:
1098                         prefix = DEFCONTEXT_STR;
1099                         break;
1100                 case SBLABEL_MNT:
1101                         seq_putc(m, ',');
1102                         seq_puts(m, LABELSUPP_STR);
1103                         continue;
1104                 default:
1105                         BUG();
1106                         return;
1107                 };
1108                 /* we need a comma before each option */
1109                 seq_putc(m, ',');
1110                 seq_puts(m, prefix);
1111                 if (has_comma)
1112                         seq_putc(m, '\"');
1113                 seq_puts(m, opts->mnt_opts[i]);
1114                 if (has_comma)
1115                         seq_putc(m, '\"');
1116         }
1117 }
1118
1119 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1120 {
1121         struct security_mnt_opts opts;
1122         int rc;
1123
1124         rc = selinux_get_mnt_opts(sb, &opts);
1125         if (rc) {
1126                 /* before policy load we may get EINVAL, don't show anything */
1127                 if (rc == -EINVAL)
1128                         rc = 0;
1129                 return rc;
1130         }
1131
1132         selinux_write_opts(m, &opts);
1133
1134         security_free_mnt_opts(&opts);
1135
1136         return rc;
1137 }
1138
1139 static inline u16 inode_mode_to_security_class(umode_t mode)
1140 {
1141         switch (mode & S_IFMT) {
1142         case S_IFSOCK:
1143                 return SECCLASS_SOCK_FILE;
1144         case S_IFLNK:
1145                 return SECCLASS_LNK_FILE;
1146         case S_IFREG:
1147                 return SECCLASS_FILE;
1148         case S_IFBLK:
1149                 return SECCLASS_BLK_FILE;
1150         case S_IFDIR:
1151                 return SECCLASS_DIR;
1152         case S_IFCHR:
1153                 return SECCLASS_CHR_FILE;
1154         case S_IFIFO:
1155                 return SECCLASS_FIFO_FILE;
1156
1157         }
1158
1159         return SECCLASS_FILE;
1160 }
1161
1162 static inline int default_protocol_stream(int protocol)
1163 {
1164         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1165 }
1166
1167 static inline int default_protocol_dgram(int protocol)
1168 {
1169         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1170 }
1171
1172 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1173 {
1174         switch (family) {
1175         case PF_UNIX:
1176                 switch (type) {
1177                 case SOCK_STREAM:
1178                 case SOCK_SEQPACKET:
1179                         return SECCLASS_UNIX_STREAM_SOCKET;
1180                 case SOCK_DGRAM:
1181                         return SECCLASS_UNIX_DGRAM_SOCKET;
1182                 }
1183                 break;
1184         case PF_INET:
1185         case PF_INET6:
1186                 switch (type) {
1187                 case SOCK_STREAM:
1188                         if (default_protocol_stream(protocol))
1189                                 return SECCLASS_TCP_SOCKET;
1190                         else
1191                                 return SECCLASS_RAWIP_SOCKET;
1192                 case SOCK_DGRAM:
1193                         if (default_protocol_dgram(protocol))
1194                                 return SECCLASS_UDP_SOCKET;
1195                         else
1196                                 return SECCLASS_RAWIP_SOCKET;
1197                 case SOCK_DCCP:
1198                         return SECCLASS_DCCP_SOCKET;
1199                 default:
1200                         return SECCLASS_RAWIP_SOCKET;
1201                 }
1202                 break;
1203         case PF_NETLINK:
1204                 switch (protocol) {
1205                 case NETLINK_ROUTE:
1206                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1207                 case NETLINK_FIREWALL:
1208                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1209                 case NETLINK_SOCK_DIAG:
1210                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1211                 case NETLINK_NFLOG:
1212                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1213                 case NETLINK_XFRM:
1214                         return SECCLASS_NETLINK_XFRM_SOCKET;
1215                 case NETLINK_SELINUX:
1216                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1217                 case NETLINK_AUDIT:
1218                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1219                 case NETLINK_IP6_FW:
1220                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1221                 case NETLINK_DNRTMSG:
1222                         return SECCLASS_NETLINK_DNRT_SOCKET;
1223                 case NETLINK_KOBJECT_UEVENT:
1224                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1225                 default:
1226                         return SECCLASS_NETLINK_SOCKET;
1227                 }
1228         case PF_PACKET:
1229                 return SECCLASS_PACKET_SOCKET;
1230         case PF_KEY:
1231                 return SECCLASS_KEY_SOCKET;
1232         case PF_APPLETALK:
1233                 return SECCLASS_APPLETALK_SOCKET;
1234         }
1235
1236         return SECCLASS_SOCKET;
1237 }
1238
1239 #ifdef CONFIG_PROC_FS
1240 static int selinux_proc_get_sid(struct dentry *dentry,
1241                                 u16 tclass,
1242                                 u32 *sid)
1243 {
1244         int rc;
1245         char *buffer, *path;
1246
1247         buffer = (char *)__get_free_page(GFP_KERNEL);
1248         if (!buffer)
1249                 return -ENOMEM;
1250
1251         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1252         if (IS_ERR(path))
1253                 rc = PTR_ERR(path);
1254         else {
1255                 /* each process gets a /proc/PID/ entry. Strip off the
1256                  * PID part to get a valid selinux labeling.
1257                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1258                 while (path[1] >= '0' && path[1] <= '9') {
1259                         path[1] = '/';
1260                         path++;
1261                 }
1262                 rc = security_genfs_sid("proc", path, tclass, sid);
1263         }
1264         free_page((unsigned long)buffer);
1265         return rc;
1266 }
1267 #else
1268 static int selinux_proc_get_sid(struct dentry *dentry,
1269                                 u16 tclass,
1270                                 u32 *sid)
1271 {
1272         return -EINVAL;
1273 }
1274 #endif
1275
1276 /* The inode's security attributes must be initialized before first use. */
1277 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1278 {
1279         struct superblock_security_struct *sbsec = NULL;
1280         struct inode_security_struct *isec = inode->i_security;
1281         u32 sid;
1282         struct dentry *dentry;
1283 #define INITCONTEXTLEN 255
1284         char *context = NULL;
1285         unsigned len = 0;
1286         int rc = 0;
1287
1288         if (isec->initialized)
1289                 goto out;
1290
1291         mutex_lock(&isec->lock);
1292         if (isec->initialized)
1293                 goto out_unlock;
1294
1295         sbsec = inode->i_sb->s_security;
1296         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1297                 /* Defer initialization until selinux_complete_init,
1298                    after the initial policy is loaded and the security
1299                    server is ready to handle calls. */
1300                 spin_lock(&sbsec->isec_lock);
1301                 if (list_empty(&isec->list))
1302                         list_add(&isec->list, &sbsec->isec_head);
1303                 spin_unlock(&sbsec->isec_lock);
1304                 goto out_unlock;
1305         }
1306
1307         switch (sbsec->behavior) {
1308         case SECURITY_FS_USE_NATIVE:
1309                 break;
1310         case SECURITY_FS_USE_XATTR:
1311                 if (!inode->i_op->getxattr) {
1312                         isec->sid = sbsec->def_sid;
1313                         break;
1314                 }
1315
1316                 /* Need a dentry, since the xattr API requires one.
1317                    Life would be simpler if we could just pass the inode. */
1318                 if (opt_dentry) {
1319                         /* Called from d_instantiate or d_splice_alias. */
1320                         dentry = dget(opt_dentry);
1321                 } else {
1322                         /* Called from selinux_complete_init, try to find a dentry. */
1323                         dentry = d_find_alias(inode);
1324                 }
1325                 if (!dentry) {
1326                         /*
1327                          * this is can be hit on boot when a file is accessed
1328                          * before the policy is loaded.  When we load policy we
1329                          * may find inodes that have no dentry on the
1330                          * sbsec->isec_head list.  No reason to complain as these
1331                          * will get fixed up the next time we go through
1332                          * inode_doinit with a dentry, before these inodes could
1333                          * be used again by userspace.
1334                          */
1335                         goto out_unlock;
1336                 }
1337
1338                 len = INITCONTEXTLEN;
1339                 context = kmalloc(len+1, GFP_NOFS);
1340                 if (!context) {
1341                         rc = -ENOMEM;
1342                         dput(dentry);
1343                         goto out_unlock;
1344                 }
1345                 context[len] = '\0';
1346                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1347                                            context, len);
1348                 if (rc == -ERANGE) {
1349                         kfree(context);
1350
1351                         /* Need a larger buffer.  Query for the right size. */
1352                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1353                                                    NULL, 0);
1354                         if (rc < 0) {
1355                                 dput(dentry);
1356                                 goto out_unlock;
1357                         }
1358                         len = rc;
1359                         context = kmalloc(len+1, GFP_NOFS);
1360                         if (!context) {
1361                                 rc = -ENOMEM;
1362                                 dput(dentry);
1363                                 goto out_unlock;
1364                         }
1365                         context[len] = '\0';
1366                         rc = inode->i_op->getxattr(dentry,
1367                                                    XATTR_NAME_SELINUX,
1368                                                    context, len);
1369                 }
1370                 dput(dentry);
1371                 if (rc < 0) {
1372                         if (rc != -ENODATA) {
1373                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1374                                        "%d for dev=%s ino=%ld\n", __func__,
1375                                        -rc, inode->i_sb->s_id, inode->i_ino);
1376                                 kfree(context);
1377                                 goto out_unlock;
1378                         }
1379                         /* Map ENODATA to the default file SID */
1380                         sid = sbsec->def_sid;
1381                         rc = 0;
1382                 } else {
1383                         rc = security_context_to_sid_default(context, rc, &sid,
1384                                                              sbsec->def_sid,
1385                                                              GFP_NOFS);
1386                         if (rc) {
1387                                 char *dev = inode->i_sb->s_id;
1388                                 unsigned long ino = inode->i_ino;
1389
1390                                 if (rc == -EINVAL) {
1391                                         if (printk_ratelimit())
1392                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1393                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1394                                                         "filesystem in question.\n", ino, dev, context);
1395                                 } else {
1396                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1397                                                "returned %d for dev=%s ino=%ld\n",
1398                                                __func__, context, -rc, dev, ino);
1399                                 }
1400                                 kfree(context);
1401                                 /* Leave with the unlabeled SID */
1402                                 rc = 0;
1403                                 break;
1404                         }
1405                 }
1406                 kfree(context);
1407                 isec->sid = sid;
1408                 break;
1409         case SECURITY_FS_USE_TASK:
1410                 isec->sid = isec->task_sid;
1411                 break;
1412         case SECURITY_FS_USE_TRANS:
1413                 /* Default to the fs SID. */
1414                 isec->sid = sbsec->sid;
1415
1416                 /* Try to obtain a transition SID. */
1417                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1418                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1419                                              isec->sclass, NULL, &sid);
1420                 if (rc)
1421                         goto out_unlock;
1422                 isec->sid = sid;
1423                 break;
1424         case SECURITY_FS_USE_MNTPOINT:
1425                 isec->sid = sbsec->mntpoint_sid;
1426                 break;
1427         default:
1428                 /* Default to the fs superblock SID. */
1429                 isec->sid = sbsec->sid;
1430
1431                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1432                         /* We must have a dentry to determine the label on
1433                          * procfs inodes */
1434                         if (opt_dentry)
1435                                 /* Called from d_instantiate or
1436                                  * d_splice_alias. */
1437                                 dentry = dget(opt_dentry);
1438                         else
1439                                 /* Called from selinux_complete_init, try to
1440                                  * find a dentry. */
1441                                 dentry = d_find_alias(inode);
1442                         /*
1443                          * This can be hit on boot when a file is accessed
1444                          * before the policy is loaded.  When we load policy we
1445                          * may find inodes that have no dentry on the
1446                          * sbsec->isec_head list.  No reason to complain as
1447                          * these will get fixed up the next time we go through
1448                          * inode_doinit() with a dentry, before these inodes
1449                          * could be used again by userspace.
1450                          */
1451                         if (!dentry)
1452                                 goto out_unlock;
1453                         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1454                         rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1455                         dput(dentry);
1456                         if (rc)
1457                                 goto out_unlock;
1458                         isec->sid = sid;
1459                 }
1460                 break;
1461         }
1462
1463         isec->initialized = 1;
1464
1465 out_unlock:
1466         mutex_unlock(&isec->lock);
1467 out:
1468         if (isec->sclass == SECCLASS_FILE)
1469                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1470         return rc;
1471 }
1472
1473 /* Convert a Linux signal to an access vector. */
1474 static inline u32 signal_to_av(int sig)
1475 {
1476         u32 perm = 0;
1477
1478         switch (sig) {
1479         case SIGCHLD:
1480                 /* Commonly granted from child to parent. */
1481                 perm = PROCESS__SIGCHLD;
1482                 break;
1483         case SIGKILL:
1484                 /* Cannot be caught or ignored */
1485                 perm = PROCESS__SIGKILL;
1486                 break;
1487         case SIGSTOP:
1488                 /* Cannot be caught or ignored */
1489                 perm = PROCESS__SIGSTOP;
1490                 break;
1491         default:
1492                 /* All other signals. */
1493                 perm = PROCESS__SIGNAL;
1494                 break;
1495         }
1496
1497         return perm;
1498 }
1499
1500 /*
1501  * Check permission between a pair of credentials
1502  * fork check, ptrace check, etc.
1503  */
1504 static int cred_has_perm(const struct cred *actor,
1505                          const struct cred *target,
1506                          u32 perms)
1507 {
1508         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1509
1510         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1511 }
1512
1513 /*
1514  * Check permission between a pair of tasks, e.g. signal checks,
1515  * fork check, ptrace check, etc.
1516  * tsk1 is the actor and tsk2 is the target
1517  * - this uses the default subjective creds of tsk1
1518  */
1519 static int task_has_perm(const struct task_struct *tsk1,
1520                          const struct task_struct *tsk2,
1521                          u32 perms)
1522 {
1523         const struct task_security_struct *__tsec1, *__tsec2;
1524         u32 sid1, sid2;
1525
1526         rcu_read_lock();
1527         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1528         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1529         rcu_read_unlock();
1530         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1531 }
1532
1533 /*
1534  * Check permission between current and another task, e.g. signal checks,
1535  * fork check, ptrace check, etc.
1536  * current is the actor and tsk2 is the target
1537  * - this uses current's subjective creds
1538  */
1539 static int current_has_perm(const struct task_struct *tsk,
1540                             u32 perms)
1541 {
1542         u32 sid, tsid;
1543
1544         sid = current_sid();
1545         tsid = task_sid(tsk);
1546         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1547 }
1548
1549 #if CAP_LAST_CAP > 63
1550 #error Fix SELinux to handle capabilities > 63.
1551 #endif
1552
1553 /* Check whether a task is allowed to use a capability. */
1554 static int cred_has_capability(const struct cred *cred,
1555                                int cap, int audit)
1556 {
1557         struct common_audit_data ad;
1558         struct av_decision avd;
1559         u16 sclass;
1560         u32 sid = cred_sid(cred);
1561         u32 av = CAP_TO_MASK(cap);
1562         int rc;
1563
1564         ad.type = LSM_AUDIT_DATA_CAP;
1565         ad.u.cap = cap;
1566
1567         switch (CAP_TO_INDEX(cap)) {
1568         case 0:
1569                 sclass = SECCLASS_CAPABILITY;
1570                 break;
1571         case 1:
1572                 sclass = SECCLASS_CAPABILITY2;
1573                 break;
1574         default:
1575                 printk(KERN_ERR
1576                        "SELinux:  out of range capability %d\n", cap);
1577                 BUG();
1578                 return -EINVAL;
1579         }
1580
1581         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1582         if (audit == SECURITY_CAP_AUDIT) {
1583                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1584                 if (rc2)
1585                         return rc2;
1586         }
1587         return rc;
1588 }
1589
1590 /* Check whether a task is allowed to use a system operation. */
1591 static int task_has_system(struct task_struct *tsk,
1592                            u32 perms)
1593 {
1594         u32 sid = task_sid(tsk);
1595
1596         return avc_has_perm(sid, SECINITSID_KERNEL,
1597                             SECCLASS_SYSTEM, perms, NULL);
1598 }
1599
1600 /* Check whether a task has a particular permission to an inode.
1601    The 'adp' parameter is optional and allows other audit
1602    data to be passed (e.g. the dentry). */
1603 static int inode_has_perm(const struct cred *cred,
1604                           struct inode *inode,
1605                           u32 perms,
1606                           struct common_audit_data *adp)
1607 {
1608         struct inode_security_struct *isec;
1609         u32 sid;
1610
1611         validate_creds(cred);
1612
1613         if (unlikely(IS_PRIVATE(inode)))
1614                 return 0;
1615
1616         sid = cred_sid(cred);
1617         isec = inode->i_security;
1618
1619         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1620 }
1621
1622 /* Same as inode_has_perm, but pass explicit audit data containing
1623    the dentry to help the auditing code to more easily generate the
1624    pathname if needed. */
1625 static inline int dentry_has_perm(const struct cred *cred,
1626                                   struct dentry *dentry,
1627                                   u32 av)
1628 {
1629         struct inode *inode = dentry->d_inode;
1630         struct common_audit_data ad;
1631
1632         ad.type = LSM_AUDIT_DATA_DENTRY;
1633         ad.u.dentry = dentry;
1634         return inode_has_perm(cred, inode, av, &ad);
1635 }
1636
1637 /* Same as inode_has_perm, but pass explicit audit data containing
1638    the path to help the auditing code to more easily generate the
1639    pathname if needed. */
1640 static inline int path_has_perm(const struct cred *cred,
1641                                 struct path *path,
1642                                 u32 av)
1643 {
1644         struct inode *inode = path->dentry->d_inode;
1645         struct common_audit_data ad;
1646
1647         ad.type = LSM_AUDIT_DATA_PATH;
1648         ad.u.path = *path;
1649         return inode_has_perm(cred, inode, av, &ad);
1650 }
1651
1652 /* Same as path_has_perm, but uses the inode from the file struct. */
1653 static inline int file_path_has_perm(const struct cred *cred,
1654                                      struct file *file,
1655                                      u32 av)
1656 {
1657         struct common_audit_data ad;
1658
1659         ad.type = LSM_AUDIT_DATA_PATH;
1660         ad.u.path = file->f_path;
1661         return inode_has_perm(cred, file_inode(file), av, &ad);
1662 }
1663
1664 /* Check whether a task can use an open file descriptor to
1665    access an inode in a given way.  Check access to the
1666    descriptor itself, and then use dentry_has_perm to
1667    check a particular permission to the file.
1668    Access to the descriptor is implicitly granted if it
1669    has the same SID as the process.  If av is zero, then
1670    access to the file is not checked, e.g. for cases
1671    where only the descriptor is affected like seek. */
1672 static int file_has_perm(const struct cred *cred,
1673                          struct file *file,
1674                          u32 av)
1675 {
1676         struct file_security_struct *fsec = file->f_security;
1677         struct inode *inode = file_inode(file);
1678         struct common_audit_data ad;
1679         u32 sid = cred_sid(cred);
1680         int rc;
1681
1682         ad.type = LSM_AUDIT_DATA_PATH;
1683         ad.u.path = file->f_path;
1684
1685         if (sid != fsec->sid) {
1686                 rc = avc_has_perm(sid, fsec->sid,
1687                                   SECCLASS_FD,
1688                                   FD__USE,
1689                                   &ad);
1690                 if (rc)
1691                         goto out;
1692         }
1693
1694         /* av is zero if only checking access to the descriptor. */
1695         rc = 0;
1696         if (av)
1697                 rc = inode_has_perm(cred, inode, av, &ad);
1698
1699 out:
1700         return rc;
1701 }
1702
1703 /* Check whether a task can create a file. */
1704 static int may_create(struct inode *dir,
1705                       struct dentry *dentry,
1706                       u16 tclass)
1707 {
1708         const struct task_security_struct *tsec = current_security();
1709         struct inode_security_struct *dsec;
1710         struct superblock_security_struct *sbsec;
1711         u32 sid, newsid;
1712         struct common_audit_data ad;
1713         int rc;
1714
1715         dsec = dir->i_security;
1716         sbsec = dir->i_sb->s_security;
1717
1718         sid = tsec->sid;
1719         newsid = tsec->create_sid;
1720
1721         ad.type = LSM_AUDIT_DATA_DENTRY;
1722         ad.u.dentry = dentry;
1723
1724         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1725                           DIR__ADD_NAME | DIR__SEARCH,
1726                           &ad);
1727         if (rc)
1728                 return rc;
1729
1730         if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1731                 rc = security_transition_sid(sid, dsec->sid, tclass,
1732                                              &dentry->d_name, &newsid);
1733                 if (rc)
1734                         return rc;
1735         }
1736
1737         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1738         if (rc)
1739                 return rc;
1740
1741         return avc_has_perm(newsid, sbsec->sid,
1742                             SECCLASS_FILESYSTEM,
1743                             FILESYSTEM__ASSOCIATE, &ad);
1744 }
1745
1746 /* Check whether a task can create a key. */
1747 static int may_create_key(u32 ksid,
1748                           struct task_struct *ctx)
1749 {
1750         u32 sid = task_sid(ctx);
1751
1752         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1753 }
1754
1755 #define MAY_LINK        0
1756 #define MAY_UNLINK      1
1757 #define MAY_RMDIR       2
1758
1759 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1760 static int may_link(struct inode *dir,
1761                     struct dentry *dentry,
1762                     int kind)
1763
1764 {
1765         struct inode_security_struct *dsec, *isec;
1766         struct common_audit_data ad;
1767         u32 sid = current_sid();
1768         u32 av;
1769         int rc;
1770
1771         dsec = dir->i_security;
1772         isec = dentry->d_inode->i_security;
1773
1774         ad.type = LSM_AUDIT_DATA_DENTRY;
1775         ad.u.dentry = dentry;
1776
1777         av = DIR__SEARCH;
1778         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1779         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1780         if (rc)
1781                 return rc;
1782
1783         switch (kind) {
1784         case MAY_LINK:
1785                 av = FILE__LINK;
1786                 break;
1787         case MAY_UNLINK:
1788                 av = FILE__UNLINK;
1789                 break;
1790         case MAY_RMDIR:
1791                 av = DIR__RMDIR;
1792                 break;
1793         default:
1794                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1795                         __func__, kind);
1796                 return 0;
1797         }
1798
1799         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1800         return rc;
1801 }
1802
1803 static inline int may_rename(struct inode *old_dir,
1804                              struct dentry *old_dentry,
1805                              struct inode *new_dir,
1806                              struct dentry *new_dentry)
1807 {
1808         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1809         struct common_audit_data ad;
1810         u32 sid = current_sid();
1811         u32 av;
1812         int old_is_dir, new_is_dir;
1813         int rc;
1814
1815         old_dsec = old_dir->i_security;
1816         old_isec = old_dentry->d_inode->i_security;
1817         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1818         new_dsec = new_dir->i_security;
1819
1820         ad.type = LSM_AUDIT_DATA_DENTRY;
1821
1822         ad.u.dentry = old_dentry;
1823         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1824                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1825         if (rc)
1826                 return rc;
1827         rc = avc_has_perm(sid, old_isec->sid,
1828                           old_isec->sclass, FILE__RENAME, &ad);
1829         if (rc)
1830                 return rc;
1831         if (old_is_dir && new_dir != old_dir) {
1832                 rc = avc_has_perm(sid, old_isec->sid,
1833                                   old_isec->sclass, DIR__REPARENT, &ad);
1834                 if (rc)
1835                         return rc;
1836         }
1837
1838         ad.u.dentry = new_dentry;
1839         av = DIR__ADD_NAME | DIR__SEARCH;
1840         if (new_dentry->d_inode)
1841                 av |= DIR__REMOVE_NAME;
1842         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1843         if (rc)
1844                 return rc;
1845         if (new_dentry->d_inode) {
1846                 new_isec = new_dentry->d_inode->i_security;
1847                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1848                 rc = avc_has_perm(sid, new_isec->sid,
1849                                   new_isec->sclass,
1850                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1851                 if (rc)
1852                         return rc;
1853         }
1854
1855         return 0;
1856 }
1857
1858 /* Check whether a task can perform a filesystem operation. */
1859 static int superblock_has_perm(const struct cred *cred,
1860                                struct super_block *sb,
1861                                u32 perms,
1862                                struct common_audit_data *ad)
1863 {
1864         struct superblock_security_struct *sbsec;
1865         u32 sid = cred_sid(cred);
1866
1867         sbsec = sb->s_security;
1868         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1869 }
1870
1871 /* Convert a Linux mode and permission mask to an access vector. */
1872 static inline u32 file_mask_to_av(int mode, int mask)
1873 {
1874         u32 av = 0;
1875
1876         if (!S_ISDIR(mode)) {
1877                 if (mask & MAY_EXEC)
1878                         av |= FILE__EXECUTE;
1879                 if (mask & MAY_READ)
1880                         av |= FILE__READ;
1881
1882                 if (mask & MAY_APPEND)
1883                         av |= FILE__APPEND;
1884                 else if (mask & MAY_WRITE)
1885                         av |= FILE__WRITE;
1886
1887         } else {
1888                 if (mask & MAY_EXEC)
1889                         av |= DIR__SEARCH;
1890                 if (mask & MAY_WRITE)
1891                         av |= DIR__WRITE;
1892                 if (mask & MAY_READ)
1893                         av |= DIR__READ;
1894         }
1895
1896         return av;
1897 }
1898
1899 /* Convert a Linux file to an access vector. */
1900 static inline u32 file_to_av(struct file *file)
1901 {
1902         u32 av = 0;
1903
1904         if (file->f_mode & FMODE_READ)
1905                 av |= FILE__READ;
1906         if (file->f_mode & FMODE_WRITE) {
1907                 if (file->f_flags & O_APPEND)
1908                         av |= FILE__APPEND;
1909                 else
1910                         av |= FILE__WRITE;
1911         }
1912         if (!av) {
1913                 /*
1914                  * Special file opened with flags 3 for ioctl-only use.
1915                  */
1916                 av = FILE__IOCTL;
1917         }
1918
1919         return av;
1920 }
1921
1922 /*
1923  * Convert a file to an access vector and include the correct open
1924  * open permission.
1925  */
1926 static inline u32 open_file_to_av(struct file *file)
1927 {
1928         u32 av = file_to_av(file);
1929
1930         if (selinux_policycap_openperm)
1931                 av |= FILE__OPEN;
1932
1933         return av;
1934 }
1935
1936 /* Hook functions begin here. */
1937
1938 static int selinux_ptrace_access_check(struct task_struct *child,
1939                                      unsigned int mode)
1940 {
1941         int rc;
1942
1943         rc = cap_ptrace_access_check(child, mode);
1944         if (rc)
1945                 return rc;
1946
1947         if (mode & PTRACE_MODE_READ) {
1948                 u32 sid = current_sid();
1949                 u32 csid = task_sid(child);
1950                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1951         }
1952
1953         return current_has_perm(child, PROCESS__PTRACE);
1954 }
1955
1956 static int selinux_ptrace_traceme(struct task_struct *parent)
1957 {
1958         int rc;
1959
1960         rc = cap_ptrace_traceme(parent);
1961         if (rc)
1962                 return rc;
1963
1964         return task_has_perm(parent, current, PROCESS__PTRACE);
1965 }
1966
1967 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1968                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1969 {
1970         int error;
1971
1972         error = current_has_perm(target, PROCESS__GETCAP);
1973         if (error)
1974                 return error;
1975
1976         return cap_capget(target, effective, inheritable, permitted);
1977 }
1978
1979 static int selinux_capset(struct cred *new, const struct cred *old,
1980                           const kernel_cap_t *effective,
1981                           const kernel_cap_t *inheritable,
1982                           const kernel_cap_t *permitted)
1983 {
1984         int error;
1985
1986         error = cap_capset(new, old,
1987                                       effective, inheritable, permitted);
1988         if (error)
1989                 return error;
1990
1991         return cred_has_perm(old, new, PROCESS__SETCAP);
1992 }
1993
1994 /*
1995  * (This comment used to live with the selinux_task_setuid hook,
1996  * which was removed).
1997  *
1998  * Since setuid only affects the current process, and since the SELinux
1999  * controls are not based on the Linux identity attributes, SELinux does not
2000  * need to control this operation.  However, SELinux does control the use of
2001  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2002  */
2003
2004 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2005                            int cap, int audit)
2006 {
2007         int rc;
2008
2009         rc = cap_capable(cred, ns, cap, audit);
2010         if (rc)
2011                 return rc;
2012
2013         return cred_has_capability(cred, cap, audit);
2014 }
2015
2016 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2017 {
2018         const struct cred *cred = current_cred();
2019         int rc = 0;
2020
2021         if (!sb)
2022                 return 0;
2023
2024         switch (cmds) {
2025         case Q_SYNC:
2026         case Q_QUOTAON:
2027         case Q_QUOTAOFF:
2028         case Q_SETINFO:
2029         case Q_SETQUOTA:
2030                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2031                 break;
2032         case Q_GETFMT:
2033         case Q_GETINFO:
2034         case Q_GETQUOTA:
2035                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2036                 break;
2037         default:
2038                 rc = 0;  /* let the kernel handle invalid cmds */
2039                 break;
2040         }
2041         return rc;
2042 }
2043
2044 static int selinux_quota_on(struct dentry *dentry)
2045 {
2046         const struct cred *cred = current_cred();
2047
2048         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2049 }
2050
2051 static int selinux_syslog(int type)
2052 {
2053         int rc;
2054
2055         switch (type) {
2056         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2057         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2058                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2059                 break;
2060         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2061         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2062         /* Set level of messages printed to console */
2063         case SYSLOG_ACTION_CONSOLE_LEVEL:
2064                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2065                 break;
2066         case SYSLOG_ACTION_CLOSE:       /* Close log */
2067         case SYSLOG_ACTION_OPEN:        /* Open log */
2068         case SYSLOG_ACTION_READ:        /* Read from log */
2069         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
2070         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
2071         default:
2072                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2073                 break;
2074         }
2075         return rc;
2076 }
2077
2078 /*
2079  * Check that a process has enough memory to allocate a new virtual
2080  * mapping. 0 means there is enough memory for the allocation to
2081  * succeed and -ENOMEM implies there is not.
2082  *
2083  * Do not audit the selinux permission check, as this is applied to all
2084  * processes that allocate mappings.
2085  */
2086 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2087 {
2088         int rc, cap_sys_admin = 0;
2089
2090         rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2091                              SECURITY_CAP_NOAUDIT);
2092         if (rc == 0)
2093                 cap_sys_admin = 1;
2094
2095         return __vm_enough_memory(mm, pages, cap_sys_admin);
2096 }
2097
2098 /* binprm security operations */
2099
2100 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2101                             const struct task_security_struct *old_tsec,
2102                             const struct task_security_struct *new_tsec)
2103 {
2104         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2105         int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2106         int rc;
2107
2108         if (!nnp && !nosuid)
2109                 return 0; /* neither NNP nor nosuid */
2110
2111         if (new_tsec->sid == old_tsec->sid)
2112                 return 0; /* No change in credentials */
2113
2114         /*
2115          * The only transitions we permit under NNP or nosuid
2116          * are transitions to bounded SIDs, i.e. SIDs that are
2117          * guaranteed to only be allowed a subset of the permissions
2118          * of the current SID.
2119          */
2120         rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2121         if (rc) {
2122                 /*
2123                  * On failure, preserve the errno values for NNP vs nosuid.
2124                  * NNP:  Operation not permitted for caller.
2125                  * nosuid:  Permission denied to file.
2126                  */
2127                 if (nnp)
2128                         return -EPERM;
2129                 else
2130                         return -EACCES;
2131         }
2132         return 0;
2133 }
2134
2135 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2136 {
2137         const struct task_security_struct *old_tsec;
2138         struct task_security_struct *new_tsec;
2139         struct inode_security_struct *isec;
2140         struct common_audit_data ad;
2141         struct inode *inode = file_inode(bprm->file);
2142         int rc;
2143
2144         rc = cap_bprm_set_creds(bprm);
2145         if (rc)
2146                 return rc;
2147
2148         /* SELinux context only depends on initial program or script and not
2149          * the script interpreter */
2150         if (bprm->cred_prepared)
2151                 return 0;
2152
2153         old_tsec = current_security();
2154         new_tsec = bprm->cred->security;
2155         isec = inode->i_security;
2156
2157         /* Default to the current task SID. */
2158         new_tsec->sid = old_tsec->sid;
2159         new_tsec->osid = old_tsec->sid;
2160
2161         /* Reset fs, key, and sock SIDs on execve. */
2162         new_tsec->create_sid = 0;
2163         new_tsec->keycreate_sid = 0;
2164         new_tsec->sockcreate_sid = 0;
2165
2166         if (old_tsec->exec_sid) {
2167                 new_tsec->sid = old_tsec->exec_sid;
2168                 /* Reset exec SID on execve. */
2169                 new_tsec->exec_sid = 0;
2170
2171                 /* Fail on NNP or nosuid if not an allowed transition. */
2172                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2173                 if (rc)
2174                         return rc;
2175         } else {
2176                 /* Check for a default transition on this program. */
2177                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2178                                              SECCLASS_PROCESS, NULL,
2179                                              &new_tsec->sid);
2180                 if (rc)
2181                         return rc;
2182
2183                 /*
2184                  * Fallback to old SID on NNP or nosuid if not an allowed
2185                  * transition.
2186                  */
2187                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2188                 if (rc)
2189                         new_tsec->sid = old_tsec->sid;
2190         }
2191
2192         ad.type = LSM_AUDIT_DATA_PATH;
2193         ad.u.path = bprm->file->f_path;
2194
2195         if (new_tsec->sid == old_tsec->sid) {
2196                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2197                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2198                 if (rc)
2199                         return rc;
2200         } else {
2201                 /* Check permissions for the transition. */
2202                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2203                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2204                 if (rc)
2205                         return rc;
2206
2207                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2208                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2209                 if (rc)
2210                         return rc;
2211
2212                 /* Check for shared state */
2213                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2214                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2215                                           SECCLASS_PROCESS, PROCESS__SHARE,
2216                                           NULL);
2217                         if (rc)
2218                                 return -EPERM;
2219                 }
2220
2221                 /* Make sure that anyone attempting to ptrace over a task that
2222                  * changes its SID has the appropriate permit */
2223                 if (bprm->unsafe &
2224                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2225                         struct task_struct *tracer;
2226                         struct task_security_struct *sec;
2227                         u32 ptsid = 0;
2228
2229                         rcu_read_lock();
2230                         tracer = ptrace_parent(current);
2231                         if (likely(tracer != NULL)) {
2232                                 sec = __task_cred(tracer)->security;
2233                                 ptsid = sec->sid;
2234                         }
2235                         rcu_read_unlock();
2236
2237                         if (ptsid != 0) {
2238                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2239                                                   SECCLASS_PROCESS,
2240                                                   PROCESS__PTRACE, NULL);
2241                                 if (rc)
2242                                         return -EPERM;
2243                         }
2244                 }
2245
2246                 /* Clear any possibly unsafe personality bits on exec: */
2247                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2248         }
2249
2250         return 0;
2251 }
2252
2253 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2254 {
2255         const struct task_security_struct *tsec = current_security();
2256         u32 sid, osid;
2257         int atsecure = 0;
2258
2259         sid = tsec->sid;
2260         osid = tsec->osid;
2261
2262         if (osid != sid) {
2263                 /* Enable secure mode for SIDs transitions unless
2264                    the noatsecure permission is granted between
2265                    the two SIDs, i.e. ahp returns 0. */
2266                 atsecure = avc_has_perm(osid, sid,
2267                                         SECCLASS_PROCESS,
2268                                         PROCESS__NOATSECURE, NULL);
2269         }
2270
2271         return (atsecure || cap_bprm_secureexec(bprm));
2272 }
2273
2274 static int match_file(const void *p, struct file *file, unsigned fd)
2275 {
2276         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2277 }
2278
2279 /* Derived from fs/exec.c:flush_old_files. */
2280 static inline void flush_unauthorized_files(const struct cred *cred,
2281                                             struct files_struct *files)
2282 {
2283         struct file *file, *devnull = NULL;
2284         struct tty_struct *tty;
2285         int drop_tty = 0;
2286         unsigned n;
2287
2288         tty = get_current_tty();
2289         if (tty) {
2290                 spin_lock(&tty_files_lock);
2291                 if (!list_empty(&tty->tty_files)) {
2292                         struct tty_file_private *file_priv;
2293
2294                         /* Revalidate access to controlling tty.
2295                            Use file_path_has_perm on the tty path directly
2296                            rather than using file_has_perm, as this particular
2297                            open file may belong to another process and we are
2298                            only interested in the inode-based check here. */
2299                         file_priv = list_first_entry(&tty->tty_files,
2300                                                 struct tty_file_private, list);
2301                         file = file_priv->file;
2302                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2303                                 drop_tty = 1;
2304                 }
2305                 spin_unlock(&tty_files_lock);
2306                 tty_kref_put(tty);
2307         }
2308         /* Reset controlling tty. */
2309         if (drop_tty)
2310                 no_tty();
2311
2312         /* Revalidate access to inherited open files. */
2313         n = iterate_fd(files, 0, match_file, cred);
2314         if (!n) /* none found? */
2315                 return;
2316
2317         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2318         if (IS_ERR(devnull))
2319                 devnull = NULL;
2320         /* replace all the matching ones with this */
2321         do {
2322                 replace_fd(n - 1, devnull, 0);
2323         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2324         if (devnull)
2325                 fput(devnull);
2326 }
2327
2328 /*
2329  * Prepare a process for imminent new credential changes due to exec
2330  */
2331 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2332 {
2333         struct task_security_struct *new_tsec;
2334         struct rlimit *rlim, *initrlim;
2335         int rc, i;
2336
2337         new_tsec = bprm->cred->security;
2338         if (new_tsec->sid == new_tsec->osid)
2339                 return;
2340
2341         /* Close files for which the new task SID is not authorized. */
2342         flush_unauthorized_files(bprm->cred, current->files);
2343
2344         /* Always clear parent death signal on SID transitions. */
2345         current->pdeath_signal = 0;
2346
2347         /* Check whether the new SID can inherit resource limits from the old
2348          * SID.  If not, reset all soft limits to the lower of the current
2349          * task's hard limit and the init task's soft limit.
2350          *
2351          * Note that the setting of hard limits (even to lower them) can be
2352          * controlled by the setrlimit check.  The inclusion of the init task's
2353          * soft limit into the computation is to avoid resetting soft limits
2354          * higher than the default soft limit for cases where the default is
2355          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2356          */
2357         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2358                           PROCESS__RLIMITINH, NULL);
2359         if (rc) {
2360                 /* protect against do_prlimit() */
2361                 task_lock(current);
2362                 for (i = 0; i < RLIM_NLIMITS; i++) {
2363                         rlim = current->signal->rlim + i;
2364                         initrlim = init_task.signal->rlim + i;
2365                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2366                 }
2367                 task_unlock(current);
2368                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2369         }
2370 }
2371
2372 /*
2373  * Clean up the process immediately after the installation of new credentials
2374  * due to exec
2375  */
2376 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2377 {
2378         const struct task_security_struct *tsec = current_security();
2379         struct itimerval itimer;
2380         u32 osid, sid;
2381         int rc, i;
2382
2383         osid = tsec->osid;
2384         sid = tsec->sid;
2385
2386         if (sid == osid)
2387                 return;
2388
2389         /* Check whether the new SID can inherit signal state from the old SID.
2390          * If not, clear itimers to avoid subsequent signal generation and
2391          * flush and unblock signals.
2392          *
2393          * This must occur _after_ the task SID has been updated so that any
2394          * kill done after the flush will be checked against the new SID.
2395          */
2396         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2397         if (rc) {
2398                 memset(&itimer, 0, sizeof itimer);
2399                 for (i = 0; i < 3; i++)
2400                         do_setitimer(i, &itimer, NULL);
2401                 spin_lock_irq(&current->sighand->siglock);
2402                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2403                         __flush_signals(current);
2404                         flush_signal_handlers(current, 1);
2405                         sigemptyset(&current->blocked);
2406                 }
2407                 spin_unlock_irq(&current->sighand->siglock);
2408         }
2409
2410         /* Wake up the parent if it is waiting so that it can recheck
2411          * wait permission to the new task SID. */
2412         read_lock(&tasklist_lock);
2413         __wake_up_parent(current, current->real_parent);
2414         read_unlock(&tasklist_lock);
2415 }
2416
2417 /* superblock security operations */
2418
2419 static int selinux_sb_alloc_security(struct super_block *sb)
2420 {
2421         return superblock_alloc_security(sb);
2422 }
2423
2424 static void selinux_sb_free_security(struct super_block *sb)
2425 {
2426         superblock_free_security(sb);
2427 }
2428
2429 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2430 {
2431         if (plen > olen)
2432                 return 0;
2433
2434         return !memcmp(prefix, option, plen);
2435 }
2436
2437 static inline int selinux_option(char *option, int len)
2438 {
2439         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2440                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2441                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2442                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2443                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2444 }
2445
2446 static inline void take_option(char **to, char *from, int *first, int len)
2447 {
2448         if (!*first) {
2449                 **to = ',';
2450                 *to += 1;
2451         } else
2452                 *first = 0;
2453         memcpy(*to, from, len);
2454         *to += len;
2455 }
2456
2457 static inline void take_selinux_option(char **to, char *from, int *first,
2458                                        int len)
2459 {
2460         int current_size = 0;
2461
2462         if (!*first) {
2463                 **to = '|';
2464                 *to += 1;
2465         } else
2466                 *first = 0;
2467
2468         while (current_size < len) {
2469                 if (*from != '"') {
2470                         **to = *from;
2471                         *to += 1;
2472                 }
2473                 from += 1;
2474                 current_size += 1;
2475         }
2476 }
2477
2478 static int selinux_sb_copy_data(char *orig, char *copy)
2479 {
2480         int fnosec, fsec, rc = 0;
2481         char *in_save, *in_curr, *in_end;
2482         char *sec_curr, *nosec_save, *nosec;
2483         int open_quote = 0;
2484
2485         in_curr = orig;
2486         sec_curr = copy;
2487
2488         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2489         if (!nosec) {
2490                 rc = -ENOMEM;
2491                 goto out;
2492         }
2493
2494         nosec_save = nosec;
2495         fnosec = fsec = 1;
2496         in_save = in_end = orig;
2497
2498         do {
2499                 if (*in_end == '"')
2500                         open_quote = !open_quote;
2501                 if ((*in_end == ',' && open_quote == 0) ||
2502                                 *in_end == '\0') {
2503                         int len = in_end - in_curr;
2504
2505                         if (selinux_option(in_curr, len))
2506                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2507                         else
2508                                 take_option(&nosec, in_curr, &fnosec, len);
2509
2510                         in_curr = in_end + 1;
2511                 }
2512         } while (*in_end++);
2513
2514         strcpy(in_save, nosec_save);
2515         free_page((unsigned long)nosec_save);
2516 out:
2517         return rc;
2518 }
2519
2520 static int selinux_sb_remount(struct super_block *sb, void *data)
2521 {
2522         int rc, i, *flags;
2523         struct security_mnt_opts opts;
2524         char *secdata, **mount_options;
2525         struct superblock_security_struct *sbsec = sb->s_security;
2526
2527         if (!(sbsec->flags & SE_SBINITIALIZED))
2528                 return 0;
2529
2530         if (!data)
2531                 return 0;
2532
2533         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2534                 return 0;
2535
2536         security_init_mnt_opts(&opts);
2537         secdata = alloc_secdata();
2538         if (!secdata)
2539                 return -ENOMEM;
2540         rc = selinux_sb_copy_data(data, secdata);
2541         if (rc)
2542                 goto out_free_secdata;
2543
2544         rc = selinux_parse_opts_str(secdata, &opts);
2545         if (rc)
2546                 goto out_free_secdata;
2547
2548         mount_options = opts.mnt_opts;
2549         flags = opts.mnt_opts_flags;
2550
2551         for (i = 0; i < opts.num_mnt_opts; i++) {
2552                 u32 sid;
2553                 size_t len;
2554
2555                 if (flags[i] == SBLABEL_MNT)
2556                         continue;
2557                 len = strlen(mount_options[i]);
2558                 rc = security_context_to_sid(mount_options[i], len, &sid,
2559                                              GFP_KERNEL);
2560                 if (rc) {
2561                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2562                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2563                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2564                         goto out_free_opts;
2565                 }
2566                 rc = -EINVAL;
2567                 switch (flags[i]) {
2568                 case FSCONTEXT_MNT:
2569                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2570                                 goto out_bad_option;
2571                         break;
2572                 case CONTEXT_MNT:
2573                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2574                                 goto out_bad_option;
2575                         break;
2576                 case ROOTCONTEXT_MNT: {
2577                         struct inode_security_struct *root_isec;
2578                         root_isec = sb->s_root->d_inode->i_security;
2579
2580                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2581                                 goto out_bad_option;
2582                         break;
2583                 }
2584                 case DEFCONTEXT_MNT:
2585                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2586                                 goto out_bad_option;
2587                         break;
2588                 default:
2589                         goto out_free_opts;
2590                 }
2591         }
2592
2593         rc = 0;
2594 out_free_opts:
2595         security_free_mnt_opts(&opts);
2596 out_free_secdata:
2597         free_secdata(secdata);
2598         return rc;
2599 out_bad_option:
2600         printk(KERN_WARNING "SELinux: unable to change security options "
2601                "during remount (dev %s, type=%s)\n", sb->s_id,
2602                sb->s_type->name);
2603         goto out_free_opts;
2604 }
2605
2606 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2607 {
2608         const struct cred *cred = current_cred();
2609         struct common_audit_data ad;
2610         int rc;
2611
2612         rc = superblock_doinit(sb, data);
2613         if (rc)
2614                 return rc;
2615
2616         /* Allow all mounts performed by the kernel */
2617         if (flags & MS_KERNMOUNT)
2618                 return 0;
2619
2620         ad.type = LSM_AUDIT_DATA_DENTRY;
2621         ad.u.dentry = sb->s_root;
2622         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2623 }
2624
2625 static int selinux_sb_statfs(struct dentry *dentry)
2626 {
2627         const struct cred *cred = current_cred();
2628         struct common_audit_data ad;
2629
2630         ad.type = LSM_AUDIT_DATA_DENTRY;
2631         ad.u.dentry = dentry->d_sb->s_root;
2632         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2633 }
2634
2635 static int selinux_mount(const char *dev_name,
2636                          struct path *path,
2637                          const char *type,
2638                          unsigned long flags,
2639                          void *data)
2640 {
2641         const struct cred *cred = current_cred();
2642
2643         if (flags & MS_REMOUNT)
2644                 return superblock_has_perm(cred, path->dentry->d_sb,
2645                                            FILESYSTEM__REMOUNT, NULL);
2646         else
2647                 return path_has_perm(cred, path, FILE__MOUNTON);
2648 }
2649
2650 static int selinux_umount(struct vfsmount *mnt, int flags)
2651 {
2652         const struct cred *cred = current_cred();
2653
2654         return superblock_has_perm(cred, mnt->mnt_sb,
2655                                    FILESYSTEM__UNMOUNT, NULL);
2656 }
2657
2658 /* inode security operations */
2659
2660 static int selinux_inode_alloc_security(struct inode *inode)
2661 {
2662         return inode_alloc_security(inode);
2663 }
2664
2665 static void selinux_inode_free_security(struct inode *inode)
2666 {
2667         inode_free_security(inode);
2668 }
2669
2670 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2671                                         struct qstr *name, void **ctx,
2672                                         u32 *ctxlen)
2673 {
2674         const struct cred *cred = current_cred();
2675         struct task_security_struct *tsec;
2676         struct inode_security_struct *dsec;
2677         struct superblock_security_struct *sbsec;
2678         struct inode *dir = dentry->d_parent->d_inode;
2679         u32 newsid;
2680         int rc;
2681
2682         tsec = cred->security;
2683         dsec = dir->i_security;
2684         sbsec = dir->i_sb->s_security;
2685
2686         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2687                 newsid = tsec->create_sid;
2688         } else {
2689                 rc = security_transition_sid(tsec->sid, dsec->sid,
2690                                              inode_mode_to_security_class(mode),
2691                                              name,
2692                                              &newsid);
2693                 if (rc) {
2694                         printk(KERN_WARNING
2695                                 "%s: security_transition_sid failed, rc=%d\n",
2696                                __func__, -rc);
2697                         return rc;
2698                 }
2699         }
2700
2701         return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2702 }
2703
2704 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2705                                        const struct qstr *qstr,
2706                                        const char **name,
2707                                        void **value, size_t *len)
2708 {
2709         const struct task_security_struct *tsec = current_security();
2710         struct inode_security_struct *dsec;
2711         struct superblock_security_struct *sbsec;
2712         u32 sid, newsid, clen;
2713         int rc;
2714         char *context;
2715
2716         dsec = dir->i_security;
2717         sbsec = dir->i_sb->s_security;
2718
2719         sid = tsec->sid;
2720         newsid = tsec->create_sid;
2721
2722         if ((sbsec->flags & SE_SBINITIALIZED) &&
2723             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2724                 newsid = sbsec->mntpoint_sid;
2725         else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2726                 rc = security_transition_sid(sid, dsec->sid,
2727                                              inode_mode_to_security_class(inode->i_mode),
2728                                              qstr, &newsid);
2729                 if (rc) {
2730                         printk(KERN_WARNING "%s:  "
2731                                "security_transition_sid failed, rc=%d (dev=%s "
2732                                "ino=%ld)\n",
2733                                __func__,
2734                                -rc, inode->i_sb->s_id, inode->i_ino);
2735                         return rc;
2736                 }
2737         }
2738
2739         /* Possibly defer initialization to selinux_complete_init. */
2740         if (sbsec->flags & SE_SBINITIALIZED) {
2741                 struct inode_security_struct *isec = inode->i_security;
2742                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2743                 isec->sid = newsid;
2744                 isec->initialized = 1;
2745         }
2746
2747         if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2748                 return -EOPNOTSUPP;
2749
2750         if (name)
2751                 *name = XATTR_SELINUX_SUFFIX;
2752
2753         if (value && len) {
2754                 rc = security_sid_to_context_force(newsid, &context, &clen);
2755                 if (rc)
2756                         return rc;
2757                 *value = context;
2758                 *len = clen;
2759         }
2760
2761         return 0;
2762 }
2763
2764 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2765 {
2766         return may_create(dir, dentry, SECCLASS_FILE);
2767 }
2768
2769 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2770 {
2771         return may_link(dir, old_dentry, MAY_LINK);
2772 }
2773
2774 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2775 {
2776         return may_link(dir, dentry, MAY_UNLINK);
2777 }
2778
2779 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2780 {
2781         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2782 }
2783
2784 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2785 {
2786         return may_create(dir, dentry, SECCLASS_DIR);
2787 }
2788
2789 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2790 {
2791         return may_link(dir, dentry, MAY_RMDIR);
2792 }
2793
2794 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2795 {
2796         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2797 }
2798
2799 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2800                                 struct inode *new_inode, struct dentry *new_dentry)
2801 {
2802         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2803 }
2804
2805 static int selinux_inode_readlink(struct dentry *dentry)
2806 {
2807         const struct cred *cred = current_cred();
2808
2809         return dentry_has_perm(cred, dentry, FILE__READ);
2810 }
2811
2812 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2813 {
2814         const struct cred *cred = current_cred();
2815
2816         return dentry_has_perm(cred, dentry, FILE__READ);
2817 }
2818
2819 static noinline int audit_inode_permission(struct inode *inode,
2820                                            u32 perms, u32 audited, u32 denied,
2821                                            int result,
2822                                            unsigned flags)
2823 {
2824         struct common_audit_data ad;
2825         struct inode_security_struct *isec = inode->i_security;
2826         int rc;
2827
2828         ad.type = LSM_AUDIT_DATA_INODE;
2829         ad.u.inode = inode;
2830
2831         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2832                             audited, denied, result, &ad, flags);
2833         if (rc)
2834                 return rc;
2835         return 0;
2836 }
2837
2838 static int selinux_inode_permission(struct inode *inode, int mask)
2839 {
2840         const struct cred *cred = current_cred();
2841         u32 perms;
2842         bool from_access;
2843         unsigned flags = mask & MAY_NOT_BLOCK;
2844         struct inode_security_struct *isec;
2845         u32 sid;
2846         struct av_decision avd;
2847         int rc, rc2;
2848         u32 audited, denied;
2849
2850         from_access = mask & MAY_ACCESS;
2851         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2852
2853         /* No permission to check.  Existence test. */
2854         if (!mask)
2855                 return 0;
2856
2857         validate_creds(cred);
2858
2859         if (unlikely(IS_PRIVATE(inode)))
2860                 return 0;
2861
2862         perms = file_mask_to_av(inode->i_mode, mask);
2863
2864         sid = cred_sid(cred);
2865         isec = inode->i_security;
2866
2867         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2868         audited = avc_audit_required(perms, &avd, rc,
2869                                      from_access ? FILE__AUDIT_ACCESS : 0,
2870                                      &denied);
2871         if (likely(!audited))
2872                 return rc;
2873
2874         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2875         if (rc2)
2876                 return rc2;
2877         return rc;
2878 }
2879
2880 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2881 {
2882         const struct cred *cred = current_cred();
2883         unsigned int ia_valid = iattr->ia_valid;
2884         __u32 av = FILE__WRITE;
2885
2886         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2887         if (ia_valid & ATTR_FORCE) {
2888                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2889                               ATTR_FORCE);
2890                 if (!ia_valid)
2891                         return 0;
2892         }
2893
2894         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2895                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2896                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2897
2898         if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2899                 av |= FILE__OPEN;
2900
2901         return dentry_has_perm(cred, dentry, av);
2902 }
2903
2904 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2905 {
2906         const struct cred *cred = current_cred();
2907         struct path path;
2908
2909         path.dentry = dentry;
2910         path.mnt = mnt;
2911
2912         return path_has_perm(cred, &path, FILE__GETATTR);
2913 }
2914
2915 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2916 {
2917         const struct cred *cred = current_cred();
2918
2919         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2920                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2921                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2922                         if (!capable(CAP_SETFCAP))
2923                                 return -EPERM;
2924                 } else if (!capable(CAP_SYS_ADMIN)) {
2925                         /* A different attribute in the security namespace.
2926                            Restrict to administrator. */
2927                         return -EPERM;
2928                 }
2929         }
2930
2931         /* Not an attribute we recognize, so just check the
2932            ordinary setattr permission. */
2933         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2934 }
2935
2936 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2937                                   const void *value, size_t size, int flags)
2938 {
2939         struct inode *inode = dentry->d_inode;
2940         struct inode_security_struct *isec = inode->i_security;
2941         struct superblock_security_struct *sbsec;
2942         struct common_audit_data ad;
2943         u32 newsid, sid = current_sid();
2944         int rc = 0;
2945
2946         if (strcmp(name, XATTR_NAME_SELINUX))
2947                 return selinux_inode_setotherxattr(dentry, name);
2948
2949         sbsec = inode->i_sb->s_security;
2950         if (!(sbsec->flags & SBLABEL_MNT))
2951                 return -EOPNOTSUPP;
2952
2953         if (!inode_owner_or_capable(inode))
2954                 return -EPERM;
2955
2956         ad.type = LSM_AUDIT_DATA_DENTRY;
2957         ad.u.dentry = dentry;
2958
2959         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2960                           FILE__RELABELFROM, &ad);
2961         if (rc)
2962                 return rc;
2963
2964         rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
2965         if (rc == -EINVAL) {
2966                 if (!capable(CAP_MAC_ADMIN)) {
2967                         struct audit_buffer *ab;
2968                         size_t audit_size;
2969                         const char *str;
2970
2971                         /* We strip a nul only if it is at the end, otherwise the
2972                          * context contains a nul and we should audit that */
2973                         if (value) {
2974                                 str = value;
2975                                 if (str[size - 1] == '\0')
2976                                         audit_size = size - 1;
2977                                 else
2978                                         audit_size = size;
2979                         } else {
2980                                 str = "";
2981                                 audit_size = 0;
2982                         }
2983                         ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2984                         audit_log_format(ab, "op=setxattr invalid_context=");
2985                         audit_log_n_untrustedstring(ab, value, audit_size);
2986                         audit_log_end(ab);
2987
2988                         return rc;
2989                 }
2990                 rc = security_context_to_sid_force(value, size, &newsid);
2991         }
2992         if (rc)
2993                 return rc;
2994
2995         rc = avc_has_perm(sid, newsid, isec->sclass,
2996                           FILE__RELABELTO, &ad);
2997         if (rc)
2998                 return rc;
2999
3000         rc = security_validate_transition(isec->sid, newsid, sid,
3001                                           isec->sclass);
3002         if (rc)
3003                 return rc;
3004
3005         return avc_has_perm(newsid,
3006                             sbsec->sid,
3007                             SECCLASS_FILESYSTEM,
3008                             FILESYSTEM__ASSOCIATE,
3009                             &ad);
3010 }
3011
3012 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3013                                         const void *value, size_t size,
3014                                         int flags)
3015 {
3016         struct inode *inode = dentry->d_inode;
3017         struct inode_security_struct *isec = inode->i_security;
3018         u32 newsid;
3019         int rc;
3020
3021         if (strcmp(name, XATTR_NAME_SELINUX)) {
3022                 /* Not an attribute we recognize, so nothing to do. */
3023                 return;
3024         }
3025
3026         rc = security_context_to_sid_force(value, size, &newsid);
3027         if (rc) {
3028                 printk(KERN_ERR "SELinux:  unable to map context to SID"
3029                        "for (%s, %lu), rc=%d\n",
3030                        inode->i_sb->s_id, inode->i_ino, -rc);
3031                 return;
3032         }
3033
3034         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3035         isec->sid = newsid;
3036         isec->initialized = 1;
3037
3038         return;
3039 }
3040
3041 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3042 {
3043         const struct cred *cred = current_cred();
3044
3045         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3046 }
3047
3048 static int selinux_inode_listxattr(struct dentry *dentry)
3049 {
3050         const struct cred *cred = current_cred();
3051
3052         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3053 }
3054
3055 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3056 {
3057         if (strcmp(name, XATTR_NAME_SELINUX))
3058                 return selinux_inode_setotherxattr(dentry, name);
3059
3060         /* No one is allowed to remove a SELinux security label.
3061            You can change the label, but all data must be labeled. */
3062         return -EACCES;
3063 }
3064
3065 /*
3066  * Copy the inode security context value to the user.
3067  *
3068  * Permission check is handled by selinux_inode_getxattr hook.
3069  */
3070 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3071 {
3072         u32 size;
3073         int error;
3074         char *context = NULL;
3075         struct inode_security_struct *isec = inode->i_security;
3076
3077         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3078                 return -EOPNOTSUPP;
3079
3080         /*
3081          * If the caller has CAP_MAC_ADMIN, then get the raw context
3082          * value even if it is not defined by current policy; otherwise,
3083          * use the in-core value under current policy.
3084          * Use the non-auditing forms of the permission checks since
3085          * getxattr may be called by unprivileged processes commonly
3086          * and lack of permission just means that we fall back to the
3087          * in-core context value, not a denial.
3088          */
3089         error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3090                                 SECURITY_CAP_NOAUDIT);
3091         if (!error)
3092                 error = security_sid_to_context_force(isec->sid, &context,
3093                                                       &size);
3094         else
3095                 error = security_sid_to_context(isec->sid, &context, &size);
3096         if (error)
3097                 return error;
3098         error = size;
3099         if (alloc) {
3100                 *buffer = context;
3101                 goto out_nofree;
3102         }
3103         kfree(context);
3104 out_nofree:
3105         return error;
3106 }
3107
3108 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3109                                      const void *value, size_t size, int flags)
3110 {
3111         struct inode_security_struct *isec = inode->i_security;
3112         u32 newsid;
3113         int rc;
3114
3115         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3116                 return -EOPNOTSUPP;
3117
3118         if (!value || !size)
3119                 return -EACCES;
3120
3121         rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3122         if (rc)
3123                 return rc;
3124
3125         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3126         isec->sid = newsid;
3127         isec->initialized = 1;
3128         return 0;
3129 }
3130
3131 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3132 {
3133         const int len = sizeof(XATTR_NAME_SELINUX);
3134         if (buffer && len <= buffer_size)
3135                 memcpy(buffer, XATTR_NAME_SELINUX, len);
3136         return len;
3137 }
3138
3139 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3140 {
3141         struct inode_security_struct *isec = inode->i_security;
3142         *secid = isec->sid;
3143 }
3144
3145 /* file security operations */
3146
3147 static int selinux_revalidate_file_permission(struct file *file, int mask)
3148 {
3149         const struct cred *cred = current_cred();
3150         struct inode *inode = file_inode(file);
3151
3152         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3153         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3154                 mask |= MAY_APPEND;
3155
3156         return file_has_perm(cred, file,
3157                              file_mask_to_av(inode->i_mode, mask));
3158 }
3159
3160 static int selinux_file_permission(struct file *file, int mask)
3161 {
3162         struct inode *inode = file_inode(file);
3163         struct file_security_struct *fsec = file->f_security;
3164         struct inode_security_struct *isec = inode->i_security;
3165         u32 sid = current_sid();
3166
3167         if (!mask)
3168                 /* No permission to check.  Existence test. */
3169                 return 0;
3170
3171         if (sid == fsec->sid && fsec->isid == isec->sid &&
3172             fsec->pseqno == avc_policy_seqno())
3173                 /* No change since file_open check. */
3174                 return 0;
3175
3176         return selinux_revalidate_file_permission(file, mask);
3177 }
3178
3179 static int selinux_file_alloc_security(struct file *file)
3180 {
3181         return file_alloc_security(file);
3182 }
3183
3184 static void selinux_file_free_security(struct file *file)
3185 {
3186         file_free_security(file);
3187 }
3188
3189 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3190                               unsigned long arg)
3191 {
3192         const struct cred *cred = current_cred();
3193         int error = 0;
3194
3195         switch (cmd) {
3196         case FIONREAD:
3197         /* fall through */
3198         case FIBMAP:
3199         /* fall through */
3200         case FIGETBSZ:
3201         /* fall through */
3202         case FS_IOC_GETFLAGS:
3203         /* fall through */
3204         case FS_IOC_GETVERSION:
3205                 error = file_has_perm(cred, file, FILE__GETATTR);
3206                 break;
3207
3208         case FS_IOC_SETFLAGS:
3209         /* fall through */
3210         case FS_IOC_SETVERSION:
3211                 error = file_has_perm(cred, file, FILE__SETATTR);
3212                 break;
3213
3214         /* sys_ioctl() checks */
3215         case FIONBIO:
3216         /* fall through */
3217         case FIOASYNC:
3218                 error = file_has_perm(cred, file, 0);
3219                 break;
3220
3221         case KDSKBENT:
3222         case KDSKBSENT:
3223                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3224                                             SECURITY_CAP_AUDIT);
3225                 break;
3226
3227         /* default case assumes that the command will go
3228          * to the file's ioctl() function.
3229          */
3230         default:
3231                 error = file_has_perm(cred, file, FILE__IOCTL);
3232         }
3233         return error;
3234 }
3235
3236 static int default_noexec;
3237
3238 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3239 {
3240         const struct cred *cred = current_cred();
3241         int rc = 0;
3242
3243         if (default_noexec &&
3244             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3245                 /*
3246                  * We are making executable an anonymous mapping or a
3247                  * private file mapping that will also be writable.
3248                  * This has an additional check.
3249                  */
3250                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3251                 if (rc)
3252                         goto error;
3253         }
3254
3255         if (file) {
3256                 /* read access is always possible with a mapping */
3257                 u32 av = FILE__READ;
3258
3259                 /* write access only matters if the mapping is shared */
3260                 if (shared && (prot & PROT_WRITE))
3261                         av |= FILE__WRITE;
3262
3263                 if (prot & PROT_EXEC)
3264                         av |= FILE__EXECUTE;
3265
3266                 return file_has_perm(cred, file, av);
3267         }
3268
3269 error:
3270         return rc;
3271 }
3272
3273 static int selinux_mmap_addr(unsigned long addr)
3274 {
3275         int rc;
3276
3277         /* do DAC check on address space usage */
3278         rc = cap_mmap_addr(addr);
3279         if (rc)
3280                 return rc;
3281
3282         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3283                 u32 sid = current_sid();
3284                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3285                                   MEMPROTECT__MMAP_ZERO, NULL);
3286         }
3287
3288         return rc;
3289 }
3290
3291 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3292                              unsigned long prot, unsigned long flags)
3293 {
3294         if (selinux_checkreqprot)
3295                 prot = reqprot;
3296
3297         return file_map_prot_check(file, prot,
3298                                    (flags & MAP_TYPE) == MAP_SHARED);
3299 }
3300
3301 static int selinux_file_mprotect(struct vm_area_struct *vma,
3302                                  unsigned long reqprot,
3303                                  unsigned long prot)
3304 {
3305         const struct cred *cred = current_cred();
3306
3307         if (selinux_checkreqprot)
3308                 prot = reqprot;
3309
3310         if (default_noexec &&
3311             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3312                 int rc = 0;
3313                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3314                     vma->vm_end <= vma->vm_mm->brk) {
3315                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3316                 } else if (!vma->vm_file &&
3317                            vma->vm_start <= vma->vm_mm->start_stack &&
3318                            vma->vm_end >= vma->vm_mm->start_stack) {
3319                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3320                 } else if (vma->vm_file && vma->anon_vma) {
3321                         /*
3322                          * We are making executable a file mapping that has
3323                          * had some COW done. Since pages might have been
3324                          * written, check ability to execute the possibly
3325                          * modified content.  This typically should only
3326                          * occur for text relocations.
3327                          */
3328                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3329                 }
3330                 if (rc)
3331                         return rc;
3332         }
3333
3334         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3335 }
3336
3337 static int selinux_file_lock(struct file *file, unsigned int cmd)
3338 {
3339         const struct cred *cred = current_cred();
3340
3341         return file_has_perm(cred, file, FILE__LOCK);
3342 }
3343
3344 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3345                               unsigned long arg)
3346 {
3347         const struct cred *cred = current_cred();
3348         int err = 0;
3349
3350         switch (cmd) {
3351         case F_SETFL:
3352                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3353                         err = file_has_perm(cred, file, FILE__WRITE);
3354                         break;
3355                 }
3356                 /* fall through */
3357         case F_SETOWN:
3358         case F_SETSIG:
3359         case F_GETFL:
3360         case F_GETOWN:
3361         case F_GETSIG:
3362         case F_GETOWNER_UIDS:
3363                 /* Just check FD__USE permission */
3364                 err = file_has_perm(cred, file, 0);
3365                 break;
3366         case F_GETLK:
3367         case F_SETLK:
3368         case F_SETLKW:
3369         case F_OFD_GETLK:
3370         case F_OFD_SETLK:
3371         case F_OFD_SETLKW:
3372 #if BITS_PER_LONG == 32
3373         case F_GETLK64:
3374         case F_SETLK64:
3375         case F_SETLKW64:
3376 #endif
3377                 err = file_has_perm(cred, file, FILE__LOCK);
3378                 break;
3379         }
3380
3381         return err;
3382 }
3383
3384 static int selinux_file_set_fowner(struct file *file)
3385 {
3386         struct file_security_struct *fsec;
3387
3388         fsec = file->f_security;
3389         fsec->fown_sid = current_sid();
3390
3391         return 0;
3392 }
3393
3394 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3395                                        struct fown_struct *fown, int signum)
3396 {
3397         struct file *file;
3398         u32 sid = task_sid(tsk);
3399         u32 perm;
3400         struct file_security_struct *fsec;
3401
3402         /* struct fown_struct is never outside the context of a struct file */
3403         file = container_of(fown, struct file, f_owner);
3404
3405         fsec = file->f_security;
3406
3407         if (!signum)
3408                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3409         else
3410                 perm = signal_to_av(signum);
3411
3412         return avc_has_perm(fsec->fown_sid, sid,
3413                             SECCLASS_PROCESS, perm, NULL);
3414 }
3415
3416 static int selinux_file_receive(struct file *file)
3417 {
3418         const struct cred *cred = current_cred();
3419
3420         return file_has_perm(cred, file, file_to_av(file));
3421 }
3422
3423 static int selinux_file_open(struct file *file, const struct cred *cred)
3424 {
3425         struct file_security_struct *fsec;
3426         struct inode_security_struct *isec;
3427
3428         fsec = file->f_security;
3429         isec = file_inode(file)->i_security;
3430         /*
3431          * Save inode label and policy sequence number
3432          * at open-time so that selinux_file_permission
3433          * can determine whether revalidation is necessary.
3434          * Task label is already saved in the file security
3435          * struct as its SID.
3436          */
3437         fsec->isid = isec->sid;
3438         fsec->pseqno = avc_policy_seqno();
3439         /*
3440          * Since the inode label or policy seqno may have changed
3441          * between the selinux_inode_permission check and the saving
3442          * of state above, recheck that access is still permitted.
3443          * Otherwise, access might never be revalidated against the
3444          * new inode label or new policy.
3445          * This check is not redundant - do not remove.
3446          */
3447         return file_path_has_perm(cred, file, open_file_to_av(file));
3448 }
3449
3450 /* task security operations */
3451
3452 static int selinux_task_create(unsigned long clone_flags)
3453 {
3454         return current_has_perm(current, PROCESS__FORK);
3455 }
3456
3457 /*
3458  * allocate the SELinux part of blank credentials
3459  */
3460 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3461 {
3462         struct task_security_struct *tsec;
3463
3464         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3465         if (!tsec)
3466                 return -ENOMEM;
3467
3468         cred->security = tsec;
3469         return 0;
3470 }
3471
3472 /*
3473  * detach and free the LSM part of a set of credentials
3474  */
3475 static void selinux_cred_free(struct cred *cred)
3476 {
3477         struct task_security_struct *tsec = cred->security;
3478
3479         /*
3480          * cred->security == NULL if security_cred_alloc_blank() or
3481          * security_prepare_creds() returned an error.
3482          */
3483         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3484         cred->security = (void *) 0x7UL;
3485         kfree(tsec);
3486 }
3487
3488 /*
3489  * prepare a new set of credentials for modification
3490  */
3491 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3492                                 gfp_t gfp)
3493 {
3494         const struct task_security_struct *old_tsec;
3495         struct task_security_struct *tsec;
3496
3497         old_tsec = old->security;
3498
3499         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3500         if (!tsec)
3501                 return -ENOMEM;
3502
3503         new->security = tsec;
3504         return 0;
3505 }
3506
3507 /*
3508  * transfer the SELinux data to a blank set of creds
3509  */
3510 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3511 {
3512         const struct task_security_struct *old_tsec = old->security;
3513         struct task_security_struct *tsec = new->security;
3514
3515         *tsec = *old_tsec;
3516 }
3517
3518 /*
3519  * set the security data for a kernel service
3520  * - all the creation contexts are set to unlabelled
3521  */
3522 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3523 {
3524         struct task_security_struct *tsec = new->security;
3525         u32 sid = current_sid();
3526         int ret;
3527
3528         ret = avc_has_perm(sid, secid,
3529                            SECCLASS_KERNEL_SERVICE,
3530                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3531                            NULL);
3532         if (ret == 0) {
3533                 tsec->sid = secid;
3534                 tsec->create_sid = 0;
3535                 tsec->keycreate_sid = 0;
3536                 tsec->sockcreate_sid = 0;
3537         }
3538         return ret;
3539 }
3540
3541 /*
3542  * set the file creation context in a security record to the same as the
3543  * objective context of the specified inode
3544  */
3545 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3546 {
3547         struct inode_security_struct *isec = inode->i_security;
3548         struct task_security_struct *tsec = new->security;
3549         u32 sid = current_sid();
3550         int ret;
3551
3552         ret = avc_has_perm(sid, isec->sid,
3553                            SECCLASS_KERNEL_SERVICE,
3554                            KERNEL_SERVICE__CREATE_FILES_AS,
3555                            NULL);
3556
3557         if (ret == 0)
3558                 tsec->create_sid = isec->sid;
3559         return ret;
3560 }
3561
3562 static int selinux_kernel_module_request(char *kmod_name)
3563 {
3564         u32 sid;
3565         struct common_audit_data ad;
3566
3567         sid = task_sid(current);
3568
3569         ad.type = LSM_AUDIT_DATA_KMOD;
3570         ad.u.kmod_name = kmod_name;
3571
3572         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3573                             SYSTEM__MODULE_REQUEST, &ad);
3574 }
3575
3576 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3577 {
3578         return current_has_perm(p, PROCESS__SETPGID);
3579 }
3580
3581 static int selinux_task_getpgid(struct task_struct *p)
3582 {
3583         return current_has_perm(p, PROCESS__GETPGID);
3584 }
3585
3586 static int selinux_task_getsid(struct task_struct *p)
3587 {
3588         return current_has_perm(p, PROCESS__GETSESSION);
3589 }
3590
3591 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3592 {
3593         *secid = task_sid(p);
3594 }
3595
3596 static int selinux_task_setnice(struct task_struct *p, int nice)
3597 {
3598         int rc;
3599
3600         rc = cap_task_setnice(p, nice);
3601         if (rc)
3602                 return rc;
3603
3604         return current_has_perm(p, PROCESS__SETSCHED);
3605 }
3606
3607 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3608 {
3609         int rc;
3610
3611         rc = cap_task_setioprio(p, ioprio);
3612         if (rc)
3613                 return rc;
3614
3615         return current_has_perm(p, PROCESS__SETSCHED);
3616 }
3617
3618 static int selinux_task_getioprio(struct task_struct *p)
3619 {
3620         return current_has_perm(p, PROCESS__GETSCHED);
3621 }
3622
3623 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3624                 struct rlimit *new_rlim)
3625 {
3626         struct rlimit *old_rlim = p->signal->rlim + resource;
3627
3628         /* Control the ability to change the hard limit (whether
3629            lowering or raising it), so that the hard limit can
3630            later be used as a safe reset point for the soft limit
3631            upon context transitions.  See selinux_bprm_committing_creds. */
3632         if (old_rlim->rlim_max != new_rlim->rlim_max)
3633                 return current_has_perm(p, PROCESS__SETRLIMIT);
3634
3635         return 0;
3636 }
3637
3638 static int selinux_task_setscheduler(struct task_struct *p)
3639 {
3640         int rc;
3641
3642         rc = cap_task_setscheduler(p);
3643         if (rc)
3644                 return rc;
3645
3646         return current_has_perm(p, PROCESS__SETSCHED);
3647 }
3648
3649 static int selinux_task_getscheduler(struct task_struct *p)
3650 {
3651         return current_has_perm(p, PROCESS__GETSCHED);
3652 }
3653
3654 static int selinux_task_movememory(struct task_struct *p)
3655 {
3656         return current_has_perm(p, PROCESS__SETSCHED);
3657 }
3658
3659 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3660                                 int sig, u32 secid)
3661 {
3662         u32 perm;
3663         int rc;
3664
3665         if (!sig)
3666                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3667         else
3668                 perm = signal_to_av(sig);
3669         if (secid)
3670                 rc = avc_has_perm(secid, task_sid(p),
3671                                   SECCLASS_PROCESS, perm, NULL);
3672         else
3673                 rc = current_has_perm(p, perm);
3674         return rc;
3675 }
3676
3677 static int selinux_task_wait(struct task_struct *p)
3678 {
3679         return task_has_perm(p, current, PROCESS__SIGCHLD);
3680 }
3681
3682 static void selinux_task_to_inode(struct task_struct *p,
3683                                   struct inode *inode)
3684 {
3685         struct inode_security_struct *isec = inode->i_security;
3686         u32 sid = task_sid(p);
3687
3688         isec->sid = sid;
3689         isec->initialized = 1;
3690 }
3691
3692 /* Returns error only if unable to parse addresses */
3693 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3694                         struct common_audit_data *ad, u8 *proto)
3695 {
3696         int offset, ihlen, ret = -EINVAL;
3697         struct iphdr _iph, *ih;
3698
3699         offset = skb_network_offset(skb);
3700         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3701         if (ih == NULL)
3702                 goto out;
3703
3704         ihlen = ih->ihl * 4;
3705         if (ihlen < sizeof(_iph))
3706                 goto out;
3707
3708         ad->u.net->v4info.saddr = ih->saddr;
3709         ad->u.net->v4info.daddr = ih->daddr;
3710         ret = 0;
3711
3712         if (proto)
3713                 *proto = ih->protocol;
3714
3715         switch (ih->protocol) {
3716         case IPPROTO_TCP: {
3717                 struct tcphdr _tcph, *th;
3718
3719                 if (ntohs(ih->frag_off) & IP_OFFSET)
3720                         break;
3721
3722                 offset += ihlen;
3723                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3724                 if (th == NULL)
3725                         break;
3726
3727                 ad->u.net->sport = th->source;
3728                 ad->u.net->dport = th->dest;
3729                 break;
3730         }
3731
3732         case IPPROTO_UDP: {
3733                 struct udphdr _udph, *uh;
3734
3735                 if (ntohs(ih->frag_off) & IP_OFFSET)
3736                         break;
3737
3738                 offset += ihlen;
3739                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3740                 if (uh == NULL)
3741                         break;
3742
3743                 ad->u.net->sport = uh->source;
3744                 ad->u.net->dport = uh->dest;
3745                 break;
3746         }
3747
3748         case IPPROTO_DCCP: {
3749                 struct dccp_hdr _dccph, *dh;
3750
3751                 if (ntohs(ih->frag_off) & IP_OFFSET)
3752                         break;
3753
3754                 offset += ihlen;
3755                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3756                 if (dh == NULL)
3757                         break;
3758
3759                 ad->u.net->sport = dh->dccph_sport;
3760                 ad->u.net->dport = dh->dccph_dport;
3761                 break;
3762         }
3763
3764         default:
3765                 break;
3766         }
3767 out:
3768         return ret;
3769 }
3770
3771 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3772
3773 /* Returns error only if unable to parse addresses */
3774 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3775                         struct common_audit_data *ad, u8 *proto)
3776 {
3777         u8 nexthdr;
3778         int ret = -EINVAL, offset;
3779         struct ipv6hdr _ipv6h, *ip6;
3780         __be16 frag_off;
3781
3782         offset = skb_network_offset(skb);
3783         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3784         if (ip6 == NULL)
3785                 goto out;
3786
3787         ad->u.net->v6info.saddr = ip6->saddr;
3788         ad->u.net->v6info.daddr = ip6->daddr;
3789         ret = 0;
3790
3791         nexthdr = ip6->nexthdr;
3792         offset += sizeof(_ipv6h);
3793         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3794         if (offset < 0)
3795                 goto out;
3796
3797         if (proto)
3798                 *proto = nexthdr;
3799
3800         switch (nexthdr) {
3801         case IPPROTO_TCP: {
3802                 struct tcphdr _tcph, *th;
3803
3804                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3805                 if (th == NULL)
3806                         break;
3807
3808                 ad->u.net->sport = th->source;
3809                 ad->u.net->dport = th->dest;
3810                 break;
3811         }
3812
3813         case IPPROTO_UDP: {
3814                 struct udphdr _udph, *uh;
3815
3816                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3817                 if (uh == NULL)
3818                         break;
3819
3820                 ad->u.net->sport = uh->source;
3821                 ad->u.net->dport = uh->dest;
3822                 break;
3823         }
3824
3825         case IPPROTO_DCCP: {
3826                 struct dccp_hdr _dccph, *dh;
3827
3828                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3829                 if (dh == NULL)
3830                         break;
3831
3832                 ad->u.net->sport = dh->dccph_sport;
3833                 ad->u.net->dport = dh->dccph_dport;
3834                 break;
3835         }
3836
3837         /* includes fragments */
3838         default:
3839                 break;
3840         }
3841 out:
3842         return ret;
3843 }
3844
3845 #endif /* IPV6 */
3846
3847 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3848                              char **_addrp, int src, u8 *proto)
3849 {
3850         char *addrp;
3851         int ret;
3852
3853         switch (ad->u.net->family) {
3854         case PF_INET:
3855                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3856                 if (ret)
3857                         goto parse_error;
3858                 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3859                                        &ad->u.net->v4info.daddr);
3860                 goto okay;
3861
3862 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3863         case PF_INET6:
3864                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3865                 if (ret)
3866                         goto parse_error;
3867                 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3868                                        &ad->u.net->v6info.daddr);
3869                 goto okay;
3870 #endif  /* IPV6 */
3871         default:
3872                 addrp = NULL;
3873                 goto okay;
3874         }
3875
3876 parse_error:
3877         printk(KERN_WARNING
3878                "SELinux: failure in selinux_parse_skb(),"
3879                " unable to parse packet\n");
3880         return ret;
3881
3882 okay:
3883         if (_addrp)
3884                 *_addrp = addrp;
3885         return 0;
3886 }
3887
3888 /**
3889  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3890  * @skb: the packet
3891  * @family: protocol family
3892  * @sid: the packet's peer label SID
3893  *
3894  * Description:
3895  * Check the various different forms of network peer labeling and determine
3896  * the peer label/SID for the packet; most of the magic actually occurs in
3897  * the security server function security_net_peersid_cmp().  The function
3898  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3899  * or -EACCES if @sid is invalid due to inconsistencies with the different
3900  * peer labels.
3901  *
3902  */
3903 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3904 {
3905         int err;
3906         u32 xfrm_sid;
3907         u32 nlbl_sid;
3908         u32 nlbl_type;
3909
3910         err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3911         if (unlikely(err))
3912                 return -EACCES;
3913         err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3914         if (unlikely(err))
3915                 return -EACCES;
3916
3917         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3918         if (unlikely(err)) {
3919                 printk(KERN_WARNING
3920                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3921                        " unable to determine packet's peer label\n");
3922                 return -EACCES;
3923         }
3924
3925         return 0;
3926 }
3927
3928 /**
3929  * selinux_conn_sid - Determine the child socket label for a connection
3930  * @sk_sid: the parent socket's SID
3931  * @skb_sid: the packet's SID
3932  * @conn_sid: the resulting connection SID
3933  *
3934  * If @skb_sid is valid then the user:role:type information from @sk_sid is
3935  * combined with the MLS information from @skb_sid in order to create
3936  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
3937  * of @sk_sid.  Returns zero on success, negative values on failure.
3938  *
3939  */
3940 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3941 {
3942         int err = 0;
3943
3944         if (skb_sid != SECSID_NULL)
3945                 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3946         else
3947                 *conn_sid = sk_sid;
3948
3949         return err;
3950 }
3951
3952 /* socket security operations */
3953
3954 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3955                                  u16 secclass, u32 *socksid)
3956 {
3957         if (tsec->sockcreate_sid > SECSID_NULL) {
3958                 *socksid = tsec->sockcreate_sid;
3959                 return 0;
3960         }
3961
3962         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3963                                        socksid);
3964 }
3965
3966 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3967 {
3968         struct sk_security_struct *sksec = sk->sk_security;
3969         struct common_audit_data ad;
3970         struct lsm_network_audit net = {0,};
3971         u32 tsid = task_sid(task);
3972
3973         if (sksec->sid == SECINITSID_KERNEL)
3974                 return 0;
3975
3976         ad.type = LSM_AUDIT_DATA_NET;
3977         ad.u.net = &net;
3978         ad.u.net->sk = sk;
3979
3980         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3981 }
3982
3983 static int selinux_socket_create(int family, int type,
3984                                  int protocol, int kern)
3985 {
3986         const struct task_security_struct *tsec = current_security();
3987         u32 newsid;
3988         u16 secclass;
3989         int rc;
3990
3991         if (kern)
3992                 return 0;
3993
3994         secclass = socket_type_to_security_class(family, type, protocol);
3995         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3996         if (rc)
3997                 return rc;
3998
3999         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4000 }
4001
4002 static int selinux_socket_post_create(struct socket *sock, int family,
4003                                       int type, int protocol, int kern)
4004 {
4005         const struct task_security_struct *tsec = current_security();
4006         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4007         struct sk_security_struct *sksec;
4008         int err = 0;
4009
4010         isec->sclass = socket_type_to_security_class(family, type, protocol);
4011
4012         if (kern)
4013                 isec->sid = SECINITSID_KERNEL;
4014         else {
4015                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4016                 if (err)
4017                         return err;
4018         }
4019
4020         isec->initialized = 1;
4021
4022         if (sock->sk) {
4023                 sksec = sock->sk->sk_security;
4024                 sksec->sid = isec->sid;
4025                 sksec->sclass = isec->sclass;
4026                 err = selinux_netlbl_socket_post_create(sock->sk, family);
4027         }
4028
4029         return err;
4030 }
4031
4032 /* Range of port numbers used to automatically bind.
4033    Need to determine whether we should perform a name_bind
4034    permission check between the socket and the port number. */
4035
4036 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4037 {
4038         struct sock *sk = sock->sk;
4039         u16 family;
4040         int err;
4041
4042         err = sock_has_perm(current, sk, SOCKET__BIND);
4043         if (err)
4044                 goto out;
4045
4046         /*
4047          * If PF_INET or PF_INET6, check name_bind permission for the port.
4048          * Multiple address binding for SCTP is not supported yet: we just
4049          * check the first address now.
4050          */
4051         family = sk->sk_family;
4052         if (family == PF_INET || family == PF_INET6) {
4053                 char *addrp;
4054                 struct sk_security_struct *sksec = sk->sk_security;
4055                 struct common_audit_data ad;
4056                 struct lsm_network_audit net = {0,};
4057                 struct sockaddr_in *addr4 = NULL;
4058                 struct sockaddr_in6 *addr6 = NULL;
4059                 unsigned short snum;
4060                 u32 sid, node_perm;
4061
4062                 if (family == PF_INET) {
4063                         addr4 = (struct sockaddr_in *)address;
4064                         snum = ntohs(addr4->sin_port);
4065                         addrp = (char *)&addr4->sin_addr.s_addr;
4066                 } else {
4067                         addr6 = (struct sockaddr_in6 *)address;
4068                         snum = ntohs(addr6->sin6_port);
4069                         addrp = (char *)&addr6->sin6_addr.s6_addr;
4070                 }
4071
4072                 if (snum) {
4073                         int low, high;
4074
4075                         inet_get_local_port_range(sock_net(sk), &low, &high);
4076
4077                         if (snum < max(PROT_SOCK, low) || snum > high) {
4078                                 err = sel_netport_sid(sk->sk_protocol,
4079                                                       snum, &sid);
4080                                 if (err)
4081                                         goto out;
4082                                 ad.type = LSM_AUDIT_DATA_NET;
4083                                 ad.u.net = &net;
4084                                 ad.u.net->sport = htons(snum);
4085                                 ad.u.net->family = family;
4086                                 err = avc_has_perm(sksec->sid, sid,
4087                                                    sksec->sclass,
4088                                                    SOCKET__NAME_BIND, &ad);
4089                                 if (err)
4090                                         goto out;
4091                         }
4092                 }
4093
4094                 switch (sksec->sclass) {
4095                 case SECCLASS_TCP_SOCKET:
4096                         node_perm = TCP_SOCKET__NODE_BIND;
4097                         break;
4098
4099                 case SECCLASS_UDP_SOCKET:
4100                         node_perm = UDP_SOCKET__NODE_BIND;
4101                         break;
4102
4103                 case SECCLASS_DCCP_SOCKET:
4104                         node_perm = DCCP_SOCKET__NODE_BIND;
4105                         break;
4106
4107                 default:
4108                         node_perm = RAWIP_SOCKET__NODE_BIND;
4109                         break;
4110                 }
4111
4112                 err = sel_netnode_sid(addrp, family, &sid);
4113                 if (err)
4114                         goto out;
4115
4116                 ad.type = LSM_AUDIT_DATA_NET;
4117                 ad.u.net = &net;
4118                 ad.u.net->sport = htons(snum);
4119                 ad.u.net->family = family;
4120
4121                 if (family == PF_INET)
4122                         ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4123                 else
4124                         ad.u.net->v6info.saddr = addr6->sin6_addr;
4125
4126                 err = avc_has_perm(sksec->sid, sid,
4127                                    sksec->sclass, node_perm, &ad);
4128                 if (err)
4129                         goto out;
4130         }
4131 out:
4132         return err;
4133 }
4134
4135 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4136 {
4137         struct sock *sk = sock->sk;
4138         struct sk_security_struct *sksec = sk->sk_security;
4139         int err;
4140
4141         err = sock_has_perm(current, sk, SOCKET__CONNECT);
4142         if (err)
4143                 return err;
4144
4145         /*
4146          * If a TCP or DCCP socket, check name_connect permission for the port.
4147          */
4148         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4149             sksec->sclass == SECCLASS_DCCP_SOCKET) {
4150                 struct common_audit_data ad;
4151                 struct lsm_network_audit net = {0,};
4152                 struct sockaddr_in *addr4 = NULL;
4153                 struct sockaddr_in6 *addr6 = NULL;
4154                 unsigned short snum;
4155                 u32 sid, perm;
4156
4157                 if (sk->sk_family == PF_INET) {
4158                         addr4 = (struct sockaddr_in *)address;
4159                         if (addrlen < sizeof(struct sockaddr_in))
4160                                 return -EINVAL;
4161                         snum = ntohs(addr4->sin_port);
4162                 } else {
4163                         addr6 = (struct sockaddr_in6 *)address;
4164                         if (addrlen < SIN6_LEN_RFC2133)
4165                                 return -EINVAL;
4166                         snum = ntohs(addr6->sin6_port);
4167                 }
4168
4169                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4170                 if (err)
4171                         goto out;
4172
4173                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4174                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4175
4176                 ad.type = LSM_AUDIT_DATA_NET;
4177                 ad.u.net = &net;
4178                 ad.u.net->dport = htons(snum);
4179                 ad.u.net->family = sk->sk_family;
4180                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4181                 if (err)
4182                         goto out;
4183         }
4184
4185         err = selinux_netlbl_socket_connect(sk, address);
4186
4187 out:
4188         return err;
4189 }
4190
4191 static int selinux_socket_listen(struct socket *sock, int backlog)
4192 {
4193         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4194 }
4195
4196 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4197 {
4198         int err;
4199         struct inode_security_struct *isec;
4200         struct inode_security_struct *newisec;
4201
4202         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4203         if (err)
4204                 return err;
4205
4206         newisec = SOCK_INODE(newsock)->i_security;
4207
4208         isec = SOCK_INODE(sock)->i_security;
4209         newisec->sclass = isec->sclass;
4210         newisec->sid = isec->sid;
4211         newisec->initialized = 1;
4212
4213         return 0;
4214 }
4215
4216 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4217                                   int size)
4218 {
4219         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4220 }
4221
4222 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4223                                   int size, int flags)
4224 {
4225         return sock_has_perm(current, sock->sk, SOCKET__READ);
4226 }
4227
4228 static int selinux_socket_getsockname(struct socket *sock)
4229 {
4230         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4231 }
4232
4233 static int selinux_socket_getpeername(struct socket *sock)
4234 {
4235         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4236 }
4237
4238 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4239 {
4240         int err;
4241
4242         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4243         if (err)
4244                 return err;
4245
4246         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4247 }
4248
4249 static int selinux_socket_getsockopt(struct socket *sock, int level,
4250                                      int optname)
4251 {
4252         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4253 }
4254
4255 static int selinux_socket_shutdown(struct socket *sock, int how)
4256 {
4257         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4258 }
4259
4260 static int selinux_socket_unix_stream_connect(struct sock *sock,
4261                                               struct sock *other,
4262                                               struct sock *newsk)
4263 {
4264         struct sk_security_struct *sksec_sock = sock->sk_security;
4265         struct sk_security_struct *sksec_other = other->sk_security;
4266         struct sk_security_struct *sksec_new = newsk->sk_security;
4267         struct common_audit_data ad;
4268         struct lsm_network_audit net = {0,};
4269         int err;
4270
4271         ad.type = LSM_AUDIT_DATA_NET;
4272         ad.u.net = &net;
4273         ad.u.net->sk = other;
4274
4275         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4276                            sksec_other->sclass,
4277                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4278         if (err)
4279                 return err;
4280
4281         /* server child socket */
4282         sksec_new->peer_sid = sksec_sock->sid;
4283         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4284                                     &sksec_new->sid);
4285         if (err)
4286                 return err;
4287
4288         /* connecting socket */
4289         sksec_sock->peer_sid = sksec_new->sid;
4290
4291         return 0;
4292 }
4293
4294 static int selinux_socket_unix_may_send(struct socket *sock,
4295                                         struct socket *other)
4296 {
4297         struct sk_security_struct *ssec = sock->sk->sk_security;
4298         struct sk_security_struct *osec = other->sk->sk_security;
4299         struct common_audit_data ad;
4300         struct lsm_network_audit net = {0,};
4301
4302         ad.type = LSM_AUDIT_DATA_NET;
4303         ad.u.net = &net;
4304         ad.u.net->sk = other->sk;
4305
4306         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4307                             &ad);
4308 }
4309
4310 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4311                                     char *addrp, u16 family, u32 peer_sid,
4312                                     struct common_audit_data *ad)
4313 {
4314         int err;
4315         u32 if_sid;
4316         u32 node_sid;
4317
4318         err = sel_netif_sid(ns, ifindex, &if_sid);
4319         if (err)
4320                 return err;
4321         err = avc_has_perm(peer_sid, if_sid,
4322                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4323         if (err)
4324                 return err;
4325
4326         err = sel_netnode_sid(addrp, family, &node_sid);
4327         if (err)
4328                 return err;
4329         return avc_has_perm(peer_sid, node_sid,
4330                             SECCLASS_NODE, NODE__RECVFROM, ad);
4331 }
4332
4333 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4334                                        u16 family)
4335 {
4336         int err = 0;
4337         struct sk_security_struct *sksec = sk->sk_security;
4338         u32 sk_sid = sksec->sid;
4339         struct common_audit_data ad;
4340         struct lsm_network_audit net = {0,};
4341         char *addrp;
4342
4343         ad.type = LSM_AUDIT_DATA_NET;
4344         ad.u.net = &net;
4345         ad.u.net->netif = skb->skb_iif;
4346         ad.u.net->family = family;
4347         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4348         if (err)
4349                 return err;
4350
4351         if (selinux_secmark_enabled()) {
4352                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4353                                    PACKET__RECV, &ad);
4354                 if (err)
4355                         return err;
4356         }
4357
4358         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4359         if (err)
4360                 return err;
4361         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4362
4363         return err;
4364 }
4365
4366 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4367 {
4368         int err;
4369         struct sk_security_struct *sksec = sk->sk_security;
4370         u16 family = sk->sk_family;
4371         u32 sk_sid = sksec->sid;
4372         struct common_audit_data ad;
4373         struct lsm_network_audit net = {0,};
4374         char *addrp;
4375         u8 secmark_active;
4376         u8 peerlbl_active;
4377
4378         if (family != PF_INET && family != PF_INET6)
4379                 return 0;
4380
4381         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4382         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4383                 family = PF_INET;
4384
4385         /* If any sort of compatibility mode is enabled then handoff processing
4386          * to the selinux_sock_rcv_skb_compat() function to deal with the
4387          * special handling.  We do this in an attempt to keep this function
4388          * as fast and as clean as possible. */
4389         if (!selinux_policycap_netpeer)
4390                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4391
4392         secmark_active = selinux_secmark_enabled();
4393         peerlbl_active = selinux_peerlbl_enabled();
4394         if (!secmark_active && !peerlbl_active)
4395                 return 0;
4396
4397         ad.type = LSM_AUDIT_DATA_NET;
4398         ad.u.net = &net;
4399         ad.u.net->netif = skb->skb_iif;
4400         ad.u.net->family = family;
4401         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4402         if (err)
4403                 return err;
4404
4405         if (peerlbl_active) {
4406                 u32 peer_sid;
4407
4408                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4409                 if (err)
4410                         return err;
4411                 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4412                                                addrp, family, peer_sid, &ad);
4413                 if (err) {
4414                         selinux_netlbl_err(skb, err, 0);
4415                         return err;
4416                 }
4417                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4418                                    PEER__RECV, &ad);
4419                 if (err) {
4420                         selinux_netlbl_err(skb, err, 0);
4421                         return err;
4422                 }
4423         }
4424
4425         if (secmark_active) {
4426                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4427                                    PACKET__RECV, &ad);
4428                 if (err)
4429                         return err;
4430         }
4431
4432         return err;
4433 }
4434
4435 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4436                                             int __user *optlen, unsigned len)
4437 {
4438         int err = 0;
4439         char *scontext;
4440         u32 scontext_len;
4441         struct sk_security_struct *sksec = sock->sk->sk_security;
4442         u32 peer_sid = SECSID_NULL;
4443
4444         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4445             sksec->sclass == SECCLASS_TCP_SOCKET)
4446                 peer_sid = sksec->peer_sid;
4447         if (peer_sid == SECSID_NULL)
4448                 return -ENOPROTOOPT;
4449
4450         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4451         if (err)
4452                 return err;
4453
4454         if (scontext_len > len) {
4455                 err = -ERANGE;
4456                 goto out_len;
4457         }
4458
4459         if (copy_to_user(optval, scontext, scontext_len))
4460                 err = -EFAULT;
4461
4462 out_len:
4463         if (put_user(scontext_len, optlen))
4464                 err = -EFAULT;
4465         kfree(scontext);
4466         return err;
4467 }
4468
4469 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4470 {
4471         u32 peer_secid = SECSID_NULL;
4472         u16 family;
4473
4474         if (skb && skb->protocol == htons(ETH_P_IP))
4475                 family = PF_INET;
4476         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4477                 family = PF_INET6;
4478         else if (sock)
4479                 family = sock->sk->sk_family;
4480         else
4481                 goto out;
4482
4483         if (sock && family == PF_UNIX)
4484                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4485         else if (skb)
4486                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4487
4488 out:
4489         *secid = peer_secid;
4490         if (peer_secid == SECSID_NULL)
4491                 return -EINVAL;
4492         return 0;
4493 }
4494
4495 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4496 {
4497         struct sk_security_struct *sksec;
4498
4499         sksec = kzalloc(sizeof(*sksec), priority);
4500         if (!sksec)
4501                 return -ENOMEM;
4502
4503         sksec->peer_sid = SECINITSID_UNLABELED;
4504         sksec->sid = SECINITSID_UNLABELED;
4505         selinux_netlbl_sk_security_reset(sksec);
4506         sk->sk_security = sksec;
4507
4508         return 0;
4509 }
4510
4511 static void selinux_sk_free_security(struct sock *sk)
4512 {
4513         struct sk_security_struct *sksec = sk->sk_security;
4514
4515         sk->sk_security = NULL;
4516         selinux_netlbl_sk_security_free(sksec);
4517         kfree(sksec);
4518 }
4519
4520 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4521 {
4522         struct sk_security_struct *sksec = sk->sk_security;
4523         struct sk_security_struct *newsksec = newsk->sk_security;
4524
4525         newsksec->sid = sksec->sid;
4526         newsksec->peer_sid = sksec->peer_sid;
4527         newsksec->sclass = sksec->sclass;
4528
4529         selinux_netlbl_sk_security_reset(newsksec);
4530 }
4531
4532 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4533 {
4534         if (!sk)
4535                 *secid = SECINITSID_ANY_SOCKET;
4536         else {
4537                 struct sk_security_struct *sksec = sk->sk_security;
4538
4539                 *secid = sksec->sid;
4540         }
4541 }
4542
4543 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4544 {
4545         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4546         struct sk_security_struct *sksec = sk->sk_security;
4547
4548         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4549             sk->sk_family == PF_UNIX)
4550                 isec->sid = sksec->sid;
4551         sksec->sclass = isec->sclass;
4552 }
4553
4554 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4555                                      struct request_sock *req)
4556 {
4557         struct sk_security_struct *sksec = sk->sk_security;
4558         int err;
4559         u16 family = req->rsk_ops->family;
4560         u32 connsid;
4561         u32 peersid;
4562
4563         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4564         if (err)
4565                 return err;
4566         err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4567         if (err)
4568                 return err;
4569         req->secid = connsid;
4570         req->peer_secid = peersid;
4571
4572         return selinux_netlbl_inet_conn_request(req, family);
4573 }
4574
4575 static void selinux_inet_csk_clone(struct sock *newsk,
4576                                    const struct request_sock *req)
4577 {
4578         struct sk_security_struct *newsksec = newsk->sk_security;
4579
4580         newsksec->sid = req->secid;
4581         newsksec->peer_sid = req->peer_secid;
4582         /* NOTE: Ideally, we should also get the isec->sid for the
4583            new socket in sync, but we don't have the isec available yet.
4584            So we will wait until sock_graft to do it, by which
4585            time it will have been created and available. */
4586
4587         /* We don't need to take any sort of lock here as we are the only
4588          * thread with access to newsksec */
4589         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4590 }
4591
4592 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4593 {
4594         u16 family = sk->sk_family;
4595         struct sk_security_struct *sksec = sk->sk_security;
4596
4597         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4598         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4599                 family = PF_INET;
4600
4601         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4602 }
4603
4604 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4605 {
4606         skb_set_owner_w(skb, sk);
4607 }
4608
4609 static int selinux_secmark_relabel_packet(u32 sid)
4610 {
4611         const struct task_security_struct *__tsec;
4612         u32 tsid;
4613
4614         __tsec = current_security();
4615         tsid = __tsec->sid;
4616
4617         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4618 }
4619
4620 static void selinux_secmark_refcount_inc(void)
4621 {
4622         atomic_inc(&selinux_secmark_refcount);
4623 }
4624
4625 static void selinux_secmark_refcount_dec(void)
4626 {
4627         atomic_dec(&selinux_secmark_refcount);
4628 }
4629
4630 static void selinux_req_classify_flow(const struct request_sock *req,
4631                                       struct flowi *fl)
4632 {
4633         fl->flowi_secid = req->secid;
4634 }
4635
4636 static int selinux_tun_dev_alloc_security(void **security)
4637 {
4638         struct tun_security_struct *tunsec;
4639
4640         tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4641         if (!tunsec)
4642                 return -ENOMEM;
4643         tunsec->sid = current_sid();
4644
4645         *security = tunsec;
4646         return 0;
4647 }
4648
4649 static void selinux_tun_dev_free_security(void *security)
4650 {
4651         kfree(security);
4652 }
4653
4654 static int selinux_tun_dev_create(void)
4655 {
4656         u32 sid = current_sid();
4657
4658         /* we aren't taking into account the "sockcreate" SID since the socket
4659          * that is being created here is not a socket in the traditional sense,
4660          * instead it is a private sock, accessible only to the kernel, and
4661          * representing a wide range of network traffic spanning multiple
4662          * connections unlike traditional sockets - check the TUN driver to
4663          * get a better understanding of why this socket is special */
4664
4665         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4666                             NULL);
4667 }
4668
4669 static int selinux_tun_dev_attach_queue(void *security)
4670 {
4671         struct tun_security_struct *tunsec = security;
4672
4673         return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4674                             TUN_SOCKET__ATTACH_QUEUE, NULL);
4675 }
4676
4677 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4678 {
4679         struct tun_security_struct *tunsec = security;
4680         struct sk_security_struct *sksec = sk->sk_security;
4681
4682         /* we don't currently perform any NetLabel based labeling here and it
4683          * isn't clear that we would want to do so anyway; while we could apply
4684          * labeling without the support of the TUN user the resulting labeled
4685          * traffic from the other end of the connection would almost certainly
4686          * cause confusion to the TUN user that had no idea network labeling
4687          * protocols were being used */
4688
4689         sksec->sid = tunsec->sid;
4690         sksec->sclass = SECCLASS_TUN_SOCKET;
4691
4692         return 0;
4693 }
4694
4695 static int selinux_tun_dev_open(void *security)
4696 {
4697         struct tun_security_struct *tunsec = security;
4698         u32 sid = current_sid();
4699         int err;
4700
4701         err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4702                            TUN_SOCKET__RELABELFROM, NULL);
4703         if (err)
4704                 return err;
4705         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4706                            TUN_SOCKET__RELABELTO, NULL);
4707         if (err)
4708                 return err;
4709         tunsec->sid = sid;
4710
4711         return 0;
4712 }
4713
4714 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4715 {
4716         int err = 0;
4717         u32 perm;
4718         struct nlmsghdr *nlh;
4719         struct sk_security_struct *sksec = sk->sk_security;
4720
4721         if (skb->len < NLMSG_HDRLEN) {
4722                 err = -EINVAL;
4723                 goto out;
4724         }
4725         nlh = nlmsg_hdr(skb);
4726
4727         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4728         if (err) {
4729                 if (err == -EINVAL) {
4730                         WARN_ONCE(1, "selinux_nlmsg_perm: unrecognized netlink message:"
4731                                   " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
4732                                   sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
4733                         if (!selinux_enforcing || security_get_allow_unknown())
4734                                 err = 0;
4735                 }
4736
4737                 /* Ignore */
4738                 if (err == -ENOENT)
4739                         err = 0;
4740                 goto out;
4741         }
4742
4743         err = sock_has_perm(current, sk, perm);
4744 out:
4745         return err;
4746 }
4747
4748 #ifdef CONFIG_NETFILTER
4749
4750 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4751                                        const struct net_device *indev,
4752                                        u16 family)
4753 {
4754         int err;
4755         char *addrp;
4756         u32 peer_sid;
4757         struct common_audit_data ad;
4758         struct lsm_network_audit net = {0,};
4759         u8 secmark_active;
4760         u8 netlbl_active;
4761         u8 peerlbl_active;
4762
4763         if (!selinux_policycap_netpeer)
4764                 return NF_ACCEPT;
4765
4766         secmark_active = selinux_secmark_enabled();
4767         netlbl_active = netlbl_enabled();
4768         peerlbl_active = selinux_peerlbl_enabled();
4769         if (!secmark_active && !peerlbl_active)
4770                 return NF_ACCEPT;
4771
4772         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4773                 return NF_DROP;
4774
4775         ad.type = LSM_AUDIT_DATA_NET;
4776         ad.u.net = &net;
4777         ad.u.net->netif = indev->ifindex;
4778         ad.u.net->family = family;
4779         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4780                 return NF_DROP;
4781
4782         if (peerlbl_active) {
4783                 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4784                                                addrp, family, peer_sid, &ad);
4785                 if (err) {
4786                         selinux_netlbl_err(skb, err, 1);
4787                         return NF_DROP;
4788                 }
4789         }
4790
4791         if (secmark_active)
4792                 if (avc_has_perm(peer_sid, skb->secmark,
4793                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4794                         return NF_DROP;
4795
4796         if (netlbl_active)
4797                 /* we do this in the FORWARD path and not the POST_ROUTING
4798                  * path because we want to make sure we apply the necessary
4799                  * labeling before IPsec is applied so we can leverage AH
4800                  * protection */
4801                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4802                         return NF_DROP;
4803
4804         return NF_ACCEPT;
4805 }
4806
4807 static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4808                                          struct sk_buff *skb,
4809                                          const struct net_device *in,
4810                                          const struct net_device *out,
4811                                          int (*okfn)(struct sk_buff *))
4812 {
4813         return selinux_ip_forward(skb, in, PF_INET);
4814 }
4815
4816 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4817 static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4818                                          struct sk_buff *skb,
4819                                          const struct net_device *in,
4820                                          const struct net_device *out,
4821                                          int (*okfn)(struct sk_buff *))
4822 {
4823         return selinux_ip_forward(skb, in, PF_INET6);
4824 }
4825 #endif  /* IPV6 */
4826
4827 static unsigned int selinux_ip_output(struct sk_buff *skb,
4828                                       u16 family)
4829 {
4830         struct sock *sk;
4831         u32 sid;
4832
4833         if (!netlbl_enabled())
4834                 return NF_ACCEPT;
4835
4836         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4837          * because we want to make sure we apply the necessary labeling
4838          * before IPsec is applied so we can leverage AH protection */
4839         sk = skb->sk;
4840         if (sk) {
4841                 struct sk_security_struct *sksec;
4842
4843                 if (sk->sk_state == TCP_LISTEN)
4844                         /* if the socket is the listening state then this
4845                          * packet is a SYN-ACK packet which means it needs to
4846                          * be labeled based on the connection/request_sock and
4847                          * not the parent socket.  unfortunately, we can't
4848                          * lookup the request_sock yet as it isn't queued on
4849                          * the parent socket until after the SYN-ACK is sent.
4850                          * the "solution" is to simply pass the packet as-is
4851                          * as any IP option based labeling should be copied
4852                          * from the initial connection request (in the IP
4853                          * layer).  it is far from ideal, but until we get a
4854                          * security label in the packet itself this is the
4855                          * best we can do. */
4856                         return NF_ACCEPT;
4857
4858                 /* standard practice, label using the parent socket */
4859                 sksec = sk->sk_security;
4860                 sid = sksec->sid;
4861         } else
4862                 sid = SECINITSID_KERNEL;
4863         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4864                 return NF_DROP;
4865
4866         return NF_ACCEPT;
4867 }
4868
4869 static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4870                                         struct sk_buff *skb,
4871                                         const struct net_device *in,
4872                                         const struct net_device *out,
4873                                         int (*okfn)(struct sk_buff *))
4874 {
4875         return selinux_ip_output(skb, PF_INET);
4876 }
4877
4878 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4879                                                 int ifindex,
4880                                                 u16 family)
4881 {
4882         struct sock *sk = skb->sk;
4883         struct sk_security_struct *sksec;
4884         struct common_audit_data ad;
4885         struct lsm_network_audit net = {0,};
4886         char *addrp;
4887         u8 proto;
4888
4889         if (sk == NULL)
4890                 return NF_ACCEPT;
4891         sksec = sk->sk_security;
4892
4893         ad.type = LSM_AUDIT_DATA_NET;
4894         ad.u.net = &net;
4895         ad.u.net->netif = ifindex;
4896         ad.u.net->family = family;
4897         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4898                 return NF_DROP;
4899
4900         if (selinux_secmark_enabled())
4901                 if (avc_has_perm(sksec->sid, skb->secmark,
4902                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4903                         return NF_DROP_ERR(-ECONNREFUSED);
4904
4905         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4906                 return NF_DROP_ERR(-ECONNREFUSED);
4907
4908         return NF_ACCEPT;
4909 }
4910
4911 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
4912                                          const struct net_device *outdev,
4913                                          u16 family)
4914 {
4915         u32 secmark_perm;
4916         u32 peer_sid;
4917         int ifindex = outdev->ifindex;
4918         struct sock *sk;
4919         struct common_audit_data ad;
4920         struct lsm_network_audit net = {0,};
4921         char *addrp;
4922         u8 secmark_active;
4923         u8 peerlbl_active;
4924
4925         /* If any sort of compatibility mode is enabled then handoff processing
4926          * to the selinux_ip_postroute_compat() function to deal with the
4927          * special handling.  We do this in an attempt to keep this function
4928          * as fast and as clean as possible. */
4929         if (!selinux_policycap_netpeer)
4930                 return selinux_ip_postroute_compat(skb, ifindex, family);
4931
4932         secmark_active = selinux_secmark_enabled();
4933         peerlbl_active = selinux_peerlbl_enabled();
4934         if (!secmark_active && !peerlbl_active)
4935                 return NF_ACCEPT;
4936
4937         sk = skb->sk;
4938
4939 #ifdef CONFIG_XFRM
4940         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4941          * packet transformation so allow the packet to pass without any checks
4942          * since we'll have another chance to perform access control checks
4943          * when the packet is on it's final way out.
4944          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4945          *       is NULL, in this case go ahead and apply access control.
4946          * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4947          *       TCP listening state we cannot wait until the XFRM processing
4948          *       is done as we will miss out on the SA label if we do;
4949          *       unfortunately, this means more work, but it is only once per
4950          *       connection. */
4951         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4952             !(sk != NULL && sk->sk_state == TCP_LISTEN))
4953                 return NF_ACCEPT;
4954 #endif
4955
4956         if (sk == NULL) {
4957                 /* Without an associated socket the packet is either coming
4958                  * from the kernel or it is being forwarded; check the packet
4959                  * to determine which and if the packet is being forwarded
4960                  * query the packet directly to determine the security label. */
4961                 if (skb->skb_iif) {
4962                         secmark_perm = PACKET__FORWARD_OUT;
4963                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4964                                 return NF_DROP;
4965                 } else {
4966                         secmark_perm = PACKET__SEND;
4967                         peer_sid = SECINITSID_KERNEL;
4968                 }
4969         } else if (sk->sk_state == TCP_LISTEN) {
4970                 /* Locally generated packet but the associated socket is in the
4971                  * listening state which means this is a SYN-ACK packet.  In
4972                  * this particular case the correct security label is assigned
4973                  * to the connection/request_sock but unfortunately we can't
4974                  * query the request_sock as it isn't queued on the parent
4975                  * socket until after the SYN-ACK packet is sent; the only
4976                  * viable choice is to regenerate the label like we do in
4977                  * selinux_inet_conn_request().  See also selinux_ip_output()
4978                  * for similar problems. */
4979                 u32 skb_sid;
4980                 struct sk_security_struct *sksec = sk->sk_security;
4981                 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4982                         return NF_DROP;
4983                 /* At this point, if the returned skb peerlbl is SECSID_NULL
4984                  * and the packet has been through at least one XFRM
4985                  * transformation then we must be dealing with the "final"
4986                  * form of labeled IPsec packet; since we've already applied
4987                  * all of our access controls on this packet we can safely
4988                  * pass the packet. */
4989                 if (skb_sid == SECSID_NULL) {
4990                         switch (family) {
4991                         case PF_INET:
4992                                 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4993                                         return NF_ACCEPT;
4994                                 break;
4995                         case PF_INET6:
4996                                 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4997                                         return NF_ACCEPT;
4998                                 break;
4999                         default:
5000                                 return NF_DROP_ERR(-ECONNREFUSED);
5001                         }
5002                 }
5003                 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5004                         return NF_DROP;
5005                 secmark_perm = PACKET__SEND;
5006         } else {
5007                 /* Locally generated packet, fetch the security label from the
5008                  * associated socket. */
5009                 struct sk_security_struct *sksec = sk->sk_security;
5010                 peer_sid = sksec->sid;
5011                 secmark_perm = PACKET__SEND;
5012         }
5013
5014         ad.type = LSM_AUDIT_DATA_NET;
5015         ad.u.net = &net;
5016         ad.u.net->netif = ifindex;
5017         ad.u.net->family = family;
5018         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5019                 return NF_DROP;
5020
5021         if (secmark_active)
5022                 if (avc_has_perm(peer_sid, skb->secmark,
5023                                  SECCLASS_PACKET, secmark_perm, &ad))
5024                         return NF_DROP_ERR(-ECONNREFUSED);
5025
5026         if (peerlbl_active) {
5027                 u32 if_sid;
5028                 u32 node_sid;
5029
5030                 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5031                         return NF_DROP;
5032                 if (avc_has_perm(peer_sid, if_sid,
5033                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
5034                         return NF_DROP_ERR(-ECONNREFUSED);
5035
5036                 if (sel_netnode_sid(addrp, family, &node_sid))
5037                         return NF_DROP;
5038                 if (avc_has_perm(peer_sid, node_sid,
5039                                  SECCLASS_NODE, NODE__SENDTO, &ad))
5040                         return NF_DROP_ERR(-ECONNREFUSED);
5041         }
5042
5043         return NF_ACCEPT;
5044 }
5045
5046 static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5047                                            struct sk_buff *skb,
5048                                            const struct net_device *in,
5049                                            const struct net_device *out,
5050                                            int (*okfn)(struct sk_buff *))
5051 {
5052         return selinux_ip_postroute(skb, out, PF_INET);
5053 }
5054
5055 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5056 static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5057                                            struct sk_buff *skb,
5058                                            const struct net_device *in,
5059                                            const struct net_device *out,
5060                                            int (*okfn)(struct sk_buff *))
5061 {
5062         return selinux_ip_postroute(skb, out, PF_INET6);
5063 }
5064 #endif  /* IPV6 */
5065
5066 #endif  /* CONFIG_NETFILTER */
5067
5068 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5069 {
5070         int err;
5071
5072         err = cap_netlink_send(sk, skb);
5073         if (err)
5074                 return err;
5075
5076         return selinux_nlmsg_perm(sk, skb);
5077 }
5078
5079 static int ipc_alloc_security(struct task_struct *task,
5080                               struct kern_ipc_perm *perm,
5081                               u16 sclass)
5082 {
5083         struct ipc_security_struct *isec;
5084         u32 sid;
5085
5086         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5087         if (!isec)
5088                 return -ENOMEM;
5089
5090         sid = task_sid(task);
5091         isec->sclass = sclass;
5092         isec->sid = sid;
5093         perm->security = isec;
5094
5095         return 0;
5096 }
5097
5098 static void ipc_free_security(struct kern_ipc_perm *perm)
5099 {
5100         struct ipc_security_struct *isec = perm->security;
5101         perm->security = NULL;
5102         kfree(isec);
5103 }
5104
5105 static int msg_msg_alloc_security(struct msg_msg *msg)
5106 {
5107         struct msg_security_struct *msec;
5108
5109         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5110         if (!msec)
5111                 return -ENOMEM;
5112
5113         msec->sid = SECINITSID_UNLABELED;
5114         msg->security = msec;
5115
5116         return 0;
5117 }
5118
5119 static void msg_msg_free_security(struct msg_msg *msg)
5120 {
5121         struct msg_security_struct *msec = msg->security;
5122
5123         msg->security = NULL;
5124         kfree(msec);
5125 }
5126
5127 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5128                         u32 perms)
5129 {
5130         struct ipc_security_struct *isec;
5131         struct common_audit_data ad;
5132         u32 sid = current_sid();
5133
5134         isec = ipc_perms->security;
5135
5136         ad.type = LSM_AUDIT_DATA_IPC;
5137         ad.u.ipc_id = ipc_perms->key;
5138
5139         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5140 }
5141
5142 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5143 {
5144         return msg_msg_alloc_security(msg);
5145 }
5146
5147 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5148 {
5149         msg_msg_free_security(msg);
5150 }
5151
5152 /* message queue security operations */
5153 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5154 {
5155         struct ipc_security_struct *isec;
5156         struct common_audit_data ad;
5157         u32 sid = current_sid();
5158         int rc;
5159
5160         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5161         if (rc)
5162                 return rc;
5163
5164         isec = msq->q_perm.security;
5165
5166         ad.type = LSM_AUDIT_DATA_IPC;
5167         ad.u.ipc_id = msq->q_perm.key;
5168
5169         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5170                           MSGQ__CREATE, &ad);
5171         if (rc) {
5172                 ipc_free_security(&msq->q_perm);
5173                 return rc;
5174         }
5175         return 0;
5176 }
5177
5178 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5179 {
5180         ipc_free_security(&msq->q_perm);
5181 }
5182
5183 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5184 {
5185         struct ipc_security_struct *isec;
5186         struct common_audit_data ad;
5187         u32 sid = current_sid();
5188
5189         isec = msq->q_perm.security;
5190
5191         ad.type = LSM_AUDIT_DATA_IPC;
5192         ad.u.ipc_id = msq->q_perm.key;
5193
5194         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5195                             MSGQ__ASSOCIATE, &ad);
5196 }
5197
5198 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5199 {
5200         int err;
5201         int perms;
5202
5203         switch (cmd) {
5204         case IPC_INFO:
5205         case MSG_INFO:
5206                 /* No specific object, just general system-wide information. */
5207                 return task_has_system(current, SYSTEM__IPC_INFO);
5208         case IPC_STAT:
5209         case MSG_STAT:
5210                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5211                 break;
5212         case IPC_SET:
5213                 perms = MSGQ__SETATTR;
5214                 break;
5215         case IPC_RMID:
5216                 perms = MSGQ__DESTROY;
5217                 break;
5218         default:
5219                 return 0;
5220         }
5221
5222         err = ipc_has_perm(&msq->q_perm, perms);
5223         return err;
5224 }
5225
5226 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5227 {
5228         struct ipc_security_struct *isec;
5229         struct msg_security_struct *msec;
5230         struct common_audit_data ad;
5231         u32 sid = current_sid();
5232         int rc;
5233
5234         isec = msq->q_perm.security;
5235         msec = msg->security;
5236
5237         /*
5238          * First time through, need to assign label to the message
5239          */
5240         if (msec->sid == SECINITSID_UNLABELED) {
5241                 /*
5242                  * Compute new sid based on current process and
5243                  * message queue this message will be stored in
5244                  */
5245                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5246                                              NULL, &msec->sid);
5247                 if (rc)
5248                         return rc;
5249         }
5250
5251         ad.type = LSM_AUDIT_DATA_IPC;
5252         ad.u.ipc_id = msq->q_perm.key;
5253
5254         /* Can this process write to the queue? */
5255         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5256                           MSGQ__WRITE, &ad);
5257         if (!rc)
5258                 /* Can this process send the message */
5259                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5260                                   MSG__SEND, &ad);
5261         if (!rc)
5262                 /* Can the message be put in the queue? */
5263                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5264                                   MSGQ__ENQUEUE, &ad);
5265
5266         return rc;
5267 }
5268
5269 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5270                                     struct task_struct *target,
5271                                     long type, int mode)
5272 {
5273         struct ipc_security_struct *isec;
5274         struct msg_security_struct *msec;
5275         struct common_audit_data ad;
5276         u32 sid = task_sid(target);
5277         int rc;
5278
5279         isec = msq->q_perm.security;
5280         msec = msg->security;
5281
5282         ad.type = LSM_AUDIT_DATA_IPC;
5283         ad.u.ipc_id = msq->q_perm.key;
5284
5285         rc = avc_has_perm(sid, isec->sid,
5286                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5287         if (!rc)
5288                 rc = avc_has_perm(sid, msec->sid,
5289                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5290         return rc;
5291 }
5292
5293 /* Shared Memory security operations */
5294 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5295 {
5296         struct ipc_security_struct *isec;
5297         struct common_audit_data ad;
5298         u32 sid = current_sid();
5299         int rc;
5300
5301         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5302         if (rc)
5303                 return rc;
5304
5305         isec = shp->shm_perm.security;
5306
5307         ad.type = LSM_AUDIT_DATA_IPC;
5308         ad.u.ipc_id = shp->shm_perm.key;
5309
5310         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5311                           SHM__CREATE, &ad);
5312         if (rc) {
5313                 ipc_free_security(&shp->shm_perm);
5314                 return rc;
5315         }
5316         return 0;
5317 }
5318
5319 static void selinux_shm_free_security(struct shmid_kernel *shp)
5320 {
5321         ipc_free_security(&shp->shm_perm);
5322 }
5323
5324 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5325 {
5326         struct ipc_security_struct *isec;
5327         struct common_audit_data ad;
5328         u32 sid = current_sid();
5329
5330         isec = shp->shm_perm.security;
5331
5332         ad.type = LSM_AUDIT_DATA_IPC;
5333         ad.u.ipc_id = shp->shm_perm.key;
5334
5335         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5336                             SHM__ASSOCIATE, &ad);
5337 }
5338
5339 /* Note, at this point, shp is locked down */
5340 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5341 {
5342         int perms;
5343         int err;
5344
5345         switch (cmd) {
5346         case IPC_INFO:
5347         case SHM_INFO:
5348                 /* No specific object, just general system-wide information. */
5349                 return task_has_system(current, SYSTEM__IPC_INFO);
5350         case IPC_STAT:
5351         case SHM_STAT:
5352                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5353                 break;
5354         case IPC_SET:
5355                 perms = SHM__SETATTR;
5356                 break;
5357         case SHM_LOCK:
5358         case SHM_UNLOCK:
5359                 perms = SHM__LOCK;
5360                 break;
5361         case IPC_RMID:
5362                 perms = SHM__DESTROY;
5363                 break;
5364         default:
5365                 return 0;
5366         }
5367
5368         err = ipc_has_perm(&shp->shm_perm, perms);
5369         return err;
5370 }
5371
5372 static int selinux_shm_shmat(struct shmid_kernel *shp,
5373                              char __user *shmaddr, int shmflg)
5374 {
5375         u32 perms;
5376
5377         if (shmflg & SHM_RDONLY)
5378                 perms = SHM__READ;
5379         else
5380                 perms = SHM__READ | SHM__WRITE;
5381
5382         return ipc_has_perm(&shp->shm_perm, perms);
5383 }
5384
5385 /* Semaphore security operations */
5386 static int selinux_sem_alloc_security(struct sem_array *sma)
5387 {
5388         struct ipc_security_struct *isec;
5389         struct common_audit_data ad;
5390         u32 sid = current_sid();
5391         int rc;
5392
5393         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5394         if (rc)
5395                 return rc;
5396
5397         isec = sma->sem_perm.security;
5398
5399         ad.type = LSM_AUDIT_DATA_IPC;
5400         ad.u.ipc_id = sma->sem_perm.key;
5401
5402         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5403                           SEM__CREATE, &ad);
5404         if (rc) {
5405                 ipc_free_security(&sma->sem_perm);
5406                 return rc;
5407         }
5408         return 0;
5409 }
5410
5411 static void selinux_sem_free_security(struct sem_array *sma)
5412 {
5413         ipc_free_security(&sma->sem_perm);
5414 }
5415
5416 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5417 {
5418         struct ipc_security_struct *isec;
5419         struct common_audit_data ad;
5420         u32 sid = current_sid();
5421
5422         isec = sma->sem_perm.security;
5423
5424         ad.type = LSM_AUDIT_DATA_IPC;
5425         ad.u.ipc_id = sma->sem_perm.key;
5426
5427         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5428                             SEM__ASSOCIATE, &ad);
5429 }
5430
5431 /* Note, at this point, sma is locked down */
5432 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5433 {
5434         int err;
5435         u32 perms;
5436
5437         switch (cmd) {
5438         case IPC_INFO:
5439         case SEM_INFO:
5440                 /* No specific object, just general system-wide information. */
5441                 return task_has_system(current, SYSTEM__IPC_INFO);
5442         case GETPID:
5443         case GETNCNT:
5444         case GETZCNT:
5445                 perms = SEM__GETATTR;
5446                 break;
5447         case GETVAL:
5448         case GETALL:
5449                 perms = SEM__READ;
5450                 break;
5451         case SETVAL:
5452         case SETALL:
5453                 perms = SEM__WRITE;
5454                 break;
5455         case IPC_RMID:
5456                 perms = SEM__DESTROY;
5457                 break;
5458         case IPC_SET:
5459                 perms = SEM__SETATTR;
5460                 break;
5461         case IPC_STAT:
5462         case SEM_STAT:
5463                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5464                 break;
5465         default:
5466                 return 0;
5467         }
5468
5469         err = ipc_has_perm(&sma->sem_perm, perms);
5470         return err;
5471 }
5472
5473 static int selinux_sem_semop(struct sem_array *sma,
5474                              struct sembuf *sops, unsigned nsops, int alter)
5475 {
5476         u32 perms;
5477
5478         if (alter)
5479                 perms = SEM__READ | SEM__WRITE;
5480         else
5481                 perms = SEM__READ;
5482
5483         return ipc_has_perm(&sma->sem_perm, perms);
5484 }
5485
5486 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5487 {
5488         u32 av = 0;
5489
5490         av = 0;
5491         if (flag & S_IRUGO)
5492                 av |= IPC__UNIX_READ;
5493         if (flag & S_IWUGO)
5494                 av |= IPC__UNIX_WRITE;
5495
5496         if (av == 0)
5497                 return 0;
5498
5499         return ipc_has_perm(ipcp, av);
5500 }
5501
5502 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5503 {
5504         struct ipc_security_struct *isec = ipcp->security;
5505         *secid = isec->sid;
5506 }
5507
5508 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5509 {
5510         if (inode)
5511                 inode_doinit_with_dentry(inode, dentry);
5512 }
5513
5514 static int selinux_getprocattr(struct task_struct *p,
5515                                char *name, char **value)
5516 {
5517         const struct task_security_struct *__tsec;
5518         u32 sid;
5519         int error;
5520         unsigned len;
5521
5522         if (current != p) {
5523                 error = current_has_perm(p, PROCESS__GETATTR);
5524                 if (error)
5525                         return error;
5526         }
5527
5528         rcu_read_lock();
5529         __tsec = __task_cred(p)->security;
5530
5531         if (!strcmp(name, "current"))
5532                 sid = __tsec->sid;
5533         else if (!strcmp(name, "prev"))
5534                 sid = __tsec->osid;
5535         else if (!strcmp(name, "exec"))
5536                 sid = __tsec->exec_sid;
5537         else if (!strcmp(name, "fscreate"))
5538                 sid = __tsec->create_sid;
5539         else if (!strcmp(name, "keycreate"))
5540                 sid = __tsec->keycreate_sid;
5541         else if (!strcmp(name, "sockcreate"))
5542                 sid = __tsec->sockcreate_sid;
5543         else
5544                 goto invalid;
5545         rcu_read_unlock();
5546
5547         if (!sid)
5548                 return 0;
5549
5550         error = security_sid_to_context(sid, value, &len);
5551         if (error)
5552                 return error;
5553         return len;
5554
5555 invalid:
5556         rcu_read_unlock();
5557         return -EINVAL;
5558 }
5559
5560 static int selinux_setprocattr(struct task_struct *p,
5561                                char *name, void *value, size_t size)
5562 {
5563         struct task_security_struct *tsec;
5564         struct task_struct *tracer;
5565         struct cred *new;
5566         u32 sid = 0, ptsid;
5567         int error;
5568         char *str = value;
5569
5570         if (current != p) {
5571                 /* SELinux only allows a process to change its own
5572                    security attributes. */
5573                 return -EACCES;
5574         }
5575
5576         /*
5577          * Basic control over ability to set these attributes at all.
5578          * current == p, but we'll pass them separately in case the
5579          * above restriction is ever removed.
5580          */
5581         if (!strcmp(name, "exec"))
5582                 error = current_has_perm(p, PROCESS__SETEXEC);
5583         else if (!strcmp(name, "fscreate"))
5584                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5585         else if (!strcmp(name, "keycreate"))
5586                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5587         else if (!strcmp(name, "sockcreate"))
5588                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5589         else if (!strcmp(name, "current"))
5590                 error = current_has_perm(p, PROCESS__SETCURRENT);
5591         else
5592                 error = -EINVAL;
5593         if (error)
5594                 return error;
5595
5596         /* Obtain a SID for the context, if one was specified. */
5597         if (size && str[1] && str[1] != '\n') {
5598                 if (str[size-1] == '\n') {
5599                         str[size-1] = 0;
5600                         size--;
5601                 }
5602                 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5603                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5604                         if (!capable(CAP_MAC_ADMIN)) {
5605                                 struct audit_buffer *ab;
5606                                 size_t audit_size;
5607
5608                                 /* We strip a nul only if it is at the end, otherwise the
5609                                  * context contains a nul and we should audit that */
5610                                 if (str[size - 1] == '\0')
5611                                         audit_size = size - 1;
5612                                 else
5613                                         audit_size = size;
5614                                 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5615                                 audit_log_format(ab, "op=fscreate invalid_context=");
5616                                 audit_log_n_untrustedstring(ab, value, audit_size);
5617                                 audit_log_end(ab);
5618
5619                                 return error;
5620                         }
5621                         error = security_context_to_sid_force(value, size,
5622                                                               &sid);
5623                 }
5624                 if (error)
5625                         return error;
5626         }
5627
5628         new = prepare_creds();
5629         if (!new)
5630                 return -ENOMEM;
5631
5632         /* Permission checking based on the specified context is
5633            performed during the actual operation (execve,
5634            open/mkdir/...), when we know the full context of the
5635            operation.  See selinux_bprm_set_creds for the execve
5636            checks and may_create for the file creation checks. The
5637            operation will then fail if the context is not permitted. */
5638         tsec = new->security;
5639         if (!strcmp(name, "exec")) {
5640                 tsec->exec_sid = sid;
5641         } else if (!strcmp(name, "fscreate")) {
5642                 tsec->create_sid = sid;
5643         } else if (!strcmp(name, "keycreate")) {
5644                 error = may_create_key(sid, p);
5645                 if (error)
5646                         goto abort_change;
5647                 tsec->keycreate_sid = sid;
5648         } else if (!strcmp(name, "sockcreate")) {
5649                 tsec->sockcreate_sid = sid;
5650         } else if (!strcmp(name, "current")) {
5651                 error = -EINVAL;
5652                 if (sid == 0)
5653                         goto abort_change;
5654
5655                 /* Only allow single threaded processes to change context */
5656                 error = -EPERM;
5657                 if (!current_is_single_threaded()) {
5658                         error = security_bounded_transition(tsec->sid, sid);
5659                         if (error)
5660                                 goto abort_change;
5661                 }
5662
5663                 /* Check permissions for the transition. */
5664                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5665                                      PROCESS__DYNTRANSITION, NULL);
5666                 if (error)
5667                         goto abort_change;
5668
5669                 /* Check for ptracing, and update the task SID if ok.
5670                    Otherwise, leave SID unchanged and fail. */
5671                 ptsid = 0;
5672                 rcu_read_lock();
5673                 tracer = ptrace_parent(p);
5674                 if (tracer)
5675                         ptsid = task_sid(tracer);
5676                 rcu_read_unlock();
5677
5678                 if (tracer) {
5679                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5680                                              PROCESS__PTRACE, NULL);
5681                         if (error)
5682                                 goto abort_change;
5683                 }
5684
5685                 tsec->sid = sid;
5686         } else {
5687                 error = -EINVAL;
5688                 goto abort_change;
5689         }
5690
5691         commit_creds(new);
5692         return size;
5693
5694 abort_change:
5695         abort_creds(new);
5696         return error;
5697 }
5698
5699 static int selinux_ismaclabel(const char *name)
5700 {
5701         return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5702 }
5703
5704 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5705 {
5706         return security_sid_to_context(secid, secdata, seclen);
5707 }
5708
5709 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5710 {
5711         return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5712 }
5713
5714 static void selinux_release_secctx(char *secdata, u32 seclen)
5715 {
5716         kfree(secdata);
5717 }
5718
5719 /*
5720  *      called with inode->i_mutex locked
5721  */
5722 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5723 {
5724         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5725 }
5726
5727 /*
5728  *      called with inode->i_mutex locked
5729  */
5730 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5731 {
5732         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5733 }
5734
5735 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5736 {
5737         int len = 0;
5738         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5739                                                 ctx, true);
5740         if (len < 0)
5741                 return len;
5742         *ctxlen = len;
5743         return 0;
5744 }
5745 #ifdef CONFIG_KEYS
5746
5747 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5748                              unsigned long flags)
5749 {
5750         const struct task_security_struct *tsec;
5751         struct key_security_struct *ksec;
5752
5753         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5754         if (!ksec)
5755                 return -ENOMEM;
5756
5757         tsec = cred->security;
5758         if (tsec->keycreate_sid)
5759                 ksec->sid = tsec->keycreate_sid;
5760         else
5761                 ksec->sid = tsec->sid;
5762
5763         k->security = ksec;
5764         return 0;
5765 }
5766
5767 static void selinux_key_free(struct key *k)
5768 {
5769         struct key_security_struct *ksec = k->security;
5770
5771         k->security = NULL;
5772         kfree(ksec);
5773 }
5774
5775 static int selinux_key_permission(key_ref_t key_ref,
5776                                   const struct cred *cred,
5777                                   unsigned perm)
5778 {
5779         struct key *key;
5780         struct key_security_struct *ksec;
5781         u32 sid;
5782
5783         /* if no specific permissions are requested, we skip the
5784            permission check. No serious, additional covert channels
5785            appear to be created. */
5786         if (perm == 0)
5787                 return 0;
5788
5789         sid = cred_sid(cred);
5790
5791         key = key_ref_to_ptr(key_ref);
5792         ksec = key->security;
5793
5794         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5795 }
5796
5797 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5798 {
5799         struct key_security_struct *ksec = key->security;
5800         char *context = NULL;
5801         unsigned len;
5802         int rc;
5803
5804         rc = security_sid_to_context(ksec->sid, &context, &len);
5805         if (!rc)
5806                 rc = len;
5807         *_buffer = context;
5808         return rc;
5809 }
5810
5811 #endif
5812
5813 static struct security_operations selinux_ops = {
5814         .name =                         "selinux",
5815
5816         .ptrace_access_check =          selinux_ptrace_access_check,
5817         .ptrace_traceme =               selinux_ptrace_traceme,
5818         .capget =                       selinux_capget,
5819         .capset =                       selinux_capset,
5820         .capable =                      selinux_capable,
5821         .quotactl =                     selinux_quotactl,
5822         .quota_on =                     selinux_quota_on,
5823         .syslog =                       selinux_syslog,
5824         .vm_enough_memory =             selinux_vm_enough_memory,
5825
5826         .netlink_send =                 selinux_netlink_send,
5827
5828         .bprm_set_creds =               selinux_bprm_set_creds,
5829         .bprm_committing_creds =        selinux_bprm_committing_creds,
5830         .bprm_committed_creds =         selinux_bprm_committed_creds,
5831         .bprm_secureexec =              selinux_bprm_secureexec,
5832
5833         .sb_alloc_security =            selinux_sb_alloc_security,
5834         .sb_free_security =             selinux_sb_free_security,
5835         .sb_copy_data =                 selinux_sb_copy_data,
5836         .sb_remount =                   selinux_sb_remount,
5837         .sb_kern_mount =                selinux_sb_kern_mount,
5838         .sb_show_options =              selinux_sb_show_options,
5839         .sb_statfs =                    selinux_sb_statfs,
5840         .sb_mount =                     selinux_mount,
5841         .sb_umount =                    selinux_umount,
5842         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5843         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5844         .sb_parse_opts_str =            selinux_parse_opts_str,
5845
5846         .dentry_init_security =         selinux_dentry_init_security,
5847
5848         .inode_alloc_security =         selinux_inode_alloc_security,
5849         .inode_free_security =          selinux_inode_free_security,
5850         .inode_init_security =          selinux_inode_init_security,
5851         .inode_create =                 selinux_inode_create,
5852         .inode_link =                   selinux_inode_link,
5853         .inode_unlink =                 selinux_inode_unlink,
5854         .inode_symlink =                selinux_inode_symlink,
5855         .inode_mkdir =                  selinux_inode_mkdir,
5856         .inode_rmdir =                  selinux_inode_rmdir,
5857         .inode_mknod =                  selinux_inode_mknod,
5858         .inode_rename =                 selinux_inode_rename,
5859         .inode_readlink =               selinux_inode_readlink,
5860         .inode_follow_link =            selinux_inode_follow_link,
5861         .inode_permission =             selinux_inode_permission,
5862         .inode_setattr =                selinux_inode_setattr,
5863         .inode_getattr =                selinux_inode_getattr,
5864         .inode_setxattr =               selinux_inode_setxattr,
5865         .inode_post_setxattr =          selinux_inode_post_setxattr,
5866         .inode_getxattr =               selinux_inode_getxattr,
5867         .inode_listxattr =              selinux_inode_listxattr,
5868         .inode_removexattr =            selinux_inode_removexattr,
5869         .inode_getsecurity =            selinux_inode_getsecurity,
5870         .inode_setsecurity =            selinux_inode_setsecurity,
5871         .inode_listsecurity =           selinux_inode_listsecurity,
5872         .inode_getsecid =               selinux_inode_getsecid,
5873
5874         .file_permission =              selinux_file_permission,
5875         .file_alloc_security =          selinux_file_alloc_security,
5876         .file_free_security =           selinux_file_free_security,
5877         .file_ioctl =                   selinux_file_ioctl,
5878         .mmap_file =                    selinux_mmap_file,
5879         .mmap_addr =                    selinux_mmap_addr,
5880         .file_mprotect =                selinux_file_mprotect,
5881         .file_lock =                    selinux_file_lock,
5882         .file_fcntl =                   selinux_file_fcntl,
5883         .file_set_fowner =              selinux_file_set_fowner,
5884         .file_send_sigiotask =          selinux_file_send_sigiotask,
5885         .file_receive =                 selinux_file_receive,
5886
5887         .file_open =                    selinux_file_open,
5888
5889         .task_create =                  selinux_task_create,
5890         .cred_alloc_blank =             selinux_cred_alloc_blank,
5891         .cred_free =                    selinux_cred_free,
5892         .cred_prepare =                 selinux_cred_prepare,
5893         .cred_transfer =                selinux_cred_transfer,
5894         .kernel_act_as =                selinux_kernel_act_as,
5895         .kernel_create_files_as =       selinux_kernel_create_files_as,
5896         .kernel_module_request =        selinux_kernel_module_request,
5897         .task_setpgid =                 selinux_task_setpgid,
5898         .task_getpgid =                 selinux_task_getpgid,
5899         .task_getsid =                  selinux_task_getsid,
5900         .task_getsecid =                selinux_task_getsecid,
5901         .task_setnice =                 selinux_task_setnice,
5902         .task_setioprio =               selinux_task_setioprio,
5903         .task_getioprio =               selinux_task_getioprio,
5904         .task_setrlimit =               selinux_task_setrlimit,
5905         .task_setscheduler =            selinux_task_setscheduler,
5906         .task_getscheduler =            selinux_task_getscheduler,
5907         .task_movememory =              selinux_task_movememory,
5908         .task_kill =                    selinux_task_kill,
5909         .task_wait =                    selinux_task_wait,
5910         .task_to_inode =                selinux_task_to_inode,
5911
5912         .ipc_permission =               selinux_ipc_permission,
5913         .ipc_getsecid =                 selinux_ipc_getsecid,
5914
5915         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5916         .msg_msg_free_security =        selinux_msg_msg_free_security,
5917
5918         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5919         .msg_queue_free_security =      selinux_msg_queue_free_security,
5920         .msg_queue_associate =          selinux_msg_queue_associate,
5921         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5922         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5923         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5924
5925         .shm_alloc_security =           selinux_shm_alloc_security,
5926         .shm_free_security =            selinux_shm_free_security,
5927         .shm_associate =                selinux_shm_associate,
5928         .shm_shmctl =                   selinux_shm_shmctl,
5929         .shm_shmat =                    selinux_shm_shmat,
5930
5931         .sem_alloc_security =           selinux_sem_alloc_security,
5932         .sem_free_security =            selinux_sem_free_security,
5933         .sem_associate =                selinux_sem_associate,
5934         .sem_semctl =                   selinux_sem_semctl,
5935         .sem_semop =                    selinux_sem_semop,
5936
5937         .d_instantiate =                selinux_d_instantiate,
5938
5939         .getprocattr =                  selinux_getprocattr,
5940         .setprocattr =                  selinux_setprocattr,
5941
5942         .ismaclabel =                   selinux_ismaclabel,
5943         .secid_to_secctx =              selinux_secid_to_secctx,
5944         .secctx_to_secid =              selinux_secctx_to_secid,
5945         .release_secctx =               selinux_release_secctx,
5946         .inode_notifysecctx =           selinux_inode_notifysecctx,
5947         .inode_setsecctx =              selinux_inode_setsecctx,
5948         .inode_getsecctx =              selinux_inode_getsecctx,
5949
5950         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5951         .unix_may_send =                selinux_socket_unix_may_send,
5952
5953         .socket_create =                selinux_socket_create,
5954         .socket_post_create =           selinux_socket_post_create,
5955         .socket_bind =                  selinux_socket_bind,
5956         .socket_connect =               selinux_socket_connect,
5957         .socket_listen =                selinux_socket_listen,
5958         .socket_accept =                selinux_socket_accept,
5959         .socket_sendmsg =               selinux_socket_sendmsg,
5960         .socket_recvmsg =               selinux_socket_recvmsg,
5961         .socket_getsockname =           selinux_socket_getsockname,
5962         .socket_getpeername =           selinux_socket_getpeername,
5963         .socket_getsockopt =            selinux_socket_getsockopt,
5964         .socket_setsockopt =            selinux_socket_setsockopt,
5965         .socket_shutdown =              selinux_socket_shutdown,
5966         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5967         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5968         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5969         .sk_alloc_security =            selinux_sk_alloc_security,
5970         .sk_free_security =             selinux_sk_free_security,
5971         .sk_clone_security =            selinux_sk_clone_security,
5972         .sk_getsecid =                  selinux_sk_getsecid,
5973         .sock_graft =                   selinux_sock_graft,
5974         .inet_conn_request =            selinux_inet_conn_request,
5975         .inet_csk_clone =               selinux_inet_csk_clone,
5976         .inet_conn_established =        selinux_inet_conn_established,
5977         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5978         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5979         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5980         .req_classify_flow =            selinux_req_classify_flow,
5981         .tun_dev_alloc_security =       selinux_tun_dev_alloc_security,
5982         .tun_dev_free_security =        selinux_tun_dev_free_security,
5983         .tun_dev_create =               selinux_tun_dev_create,
5984         .tun_dev_attach_queue =         selinux_tun_dev_attach_queue,
5985         .tun_dev_attach =               selinux_tun_dev_attach,
5986         .tun_dev_open =                 selinux_tun_dev_open,
5987         .skb_owned_by =                 selinux_skb_owned_by,
5988
5989 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5990         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5991         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5992         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5993         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5994         .xfrm_state_alloc =             selinux_xfrm_state_alloc,
5995         .xfrm_state_alloc_acquire =     selinux_xfrm_state_alloc_acquire,
5996         .xfrm_state_free_security =     selinux_xfrm_state_free,
5997         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5998         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5999         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
6000         .xfrm_decode_session =          selinux_xfrm_decode_session,
6001 #endif
6002
6003 #ifdef CONFIG_KEYS
6004         .key_alloc =                    selinux_key_alloc,
6005         .key_free =                     selinux_key_free,
6006         .key_permission =               selinux_key_permission,
6007         .key_getsecurity =              selinux_key_getsecurity,
6008 #endif
6009
6010 #ifdef CONFIG_AUDIT
6011         .audit_rule_init =              selinux_audit_rule_init,
6012         .audit_rule_known =             selinux_audit_rule_known,
6013         .audit_rule_match =             selinux_audit_rule_match,
6014         .audit_rule_free =              selinux_audit_rule_free,
6015 #endif
6016 };
6017
6018 static __init int selinux_init(void)
6019 {
6020         if (!security_module_enable(&selinux_ops)) {
6021                 selinux_enabled = 0;
6022                 return 0;
6023         }
6024
6025         if (!selinux_enabled) {
6026                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
6027                 return 0;
6028         }
6029
6030         printk(KERN_INFO "SELinux:  Initializing.\n");
6031
6032         /* Set the security state for the initial task. */
6033         cred_init_security();
6034
6035         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6036
6037         sel_inode_cache = kmem_cache_create("selinux_inode_security",
6038                                             sizeof(struct inode_security_struct),
6039                                             0, SLAB_PANIC, NULL);
6040         avc_init();
6041
6042         if (register_security(&selinux_ops))
6043                 panic("SELinux: Unable to register with kernel.\n");
6044
6045         if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6046                 panic("SELinux: Unable to register AVC netcache callback\n");
6047
6048         if (selinux_enforcing)
6049                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6050         else
6051                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6052
6053         return 0;
6054 }
6055
6056 static void delayed_superblock_init(struct super_block *sb, void *unused)
6057 {
6058         superblock_doinit(sb, NULL);
6059 }
6060
6061 void selinux_complete_init(void)
6062 {
6063         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6064
6065         /* Set up any superblocks initialized prior to the policy load. */
6066         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6067         iterate_supers(delayed_superblock_init, NULL);
6068 }
6069
6070 /* SELinux requires early initialization in order to label
6071    all processes and objects when they are created. */
6072 security_initcall(selinux_init);
6073
6074 #if defined(CONFIG_NETFILTER)
6075
6076 static struct nf_hook_ops selinux_nf_ops[] = {
6077         {
6078                 .hook =         selinux_ipv4_postroute,
6079                 .owner =        THIS_MODULE,
6080                 .pf =           NFPROTO_IPV4,
6081                 .hooknum =      NF_INET_POST_ROUTING,
6082                 .priority =     NF_IP_PRI_SELINUX_LAST,
6083         },
6084         {
6085                 .hook =         selinux_ipv4_forward,
6086                 .owner =        THIS_MODULE,
6087                 .pf =           NFPROTO_IPV4,
6088                 .hooknum =      NF_INET_FORWARD,
6089                 .priority =     NF_IP_PRI_SELINUX_FIRST,
6090         },
6091         {
6092                 .hook =         selinux_ipv4_output,
6093                 .owner =        THIS_MODULE,
6094                 .pf =           NFPROTO_IPV4,
6095                 .hooknum =      NF_INET_LOCAL_OUT,
6096                 .priority =     NF_IP_PRI_SELINUX_FIRST,
6097         },
6098 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6099         {
6100                 .hook =         selinux_ipv6_postroute,
6101                 .owner =        THIS_MODULE,
6102                 .pf =           NFPROTO_IPV6,
6103                 .hooknum =      NF_INET_POST_ROUTING,
6104                 .priority =     NF_IP6_PRI_SELINUX_LAST,
6105         },
6106         {
6107                 .hook =         selinux_ipv6_forward,
6108                 .owner =        THIS_MODULE,
6109                 .pf =           NFPROTO_IPV6,
6110                 .hooknum =      NF_INET_FORWARD,
6111                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
6112         },
6113 #endif  /* IPV6 */
6114 };
6115
6116 static int __init selinux_nf_ip_init(void)
6117 {
6118         int err;
6119
6120         if (!selinux_enabled)
6121                 return 0;
6122
6123         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6124
6125         err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6126         if (err)
6127                 panic("SELinux: nf_register_hooks: error %d\n", err);
6128
6129         return 0;
6130 }
6131
6132 __initcall(selinux_nf_ip_init);
6133
6134 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6135 static void selinux_nf_ip_exit(void)
6136 {
6137         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6138
6139         nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6140 }
6141 #endif
6142
6143 #else /* CONFIG_NETFILTER */
6144
6145 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6146 #define selinux_nf_ip_exit()
6147 #endif
6148
6149 #endif /* CONFIG_NETFILTER */
6150
6151 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6152 static int selinux_disabled;
6153
6154 int selinux_disable(void)
6155 {
6156         if (ss_initialized) {
6157                 /* Not permitted after initial policy load. */
6158                 return -EINVAL;
6159         }
6160
6161         if (selinux_disabled) {
6162                 /* Only do this once. */
6163                 return -EINVAL;
6164         }
6165
6166         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6167
6168         selinux_disabled = 1;
6169         selinux_enabled = 0;
6170
6171         reset_security_ops();
6172
6173         /* Try to destroy the avc node cache */
6174         avc_disable();
6175
6176         /* Unregister netfilter hooks. */
6177         selinux_nf_ip_exit();
6178
6179         /* Unregister selinuxfs. */
6180         exit_sel_fs();
6181
6182         return 0;
6183 }
6184 #endif