xref: /linux/security/selinux/hooks.c (revision 0883c2c06fb5bcf5b9e008270827e63c09a88c1e)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *	This program is free software; you can redistribute it and/or modify
22  *	it under the terms of the GNU General Public License version 2,
23  *	as published by the Free Software Foundation.
24  */
25 
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>		/* for local_port_range[] */
54 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>	/* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>		/* for Unix socket types */
70 #include <net/af_unix.h>	/* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86 
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96 
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102 
103 static int __init enforcing_setup(char *str)
104 {
105 	unsigned long enforcing;
106 	if (!kstrtoul(str, 0, &enforcing))
107 		selinux_enforcing = enforcing ? 1 : 0;
108 	return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112 
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115 
116 static int __init selinux_enabled_setup(char *str)
117 {
118 	unsigned long enabled;
119 	if (!kstrtoul(str, 0, &enabled))
120 		selinux_enabled = enabled ? 1 : 0;
121 	return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127 
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130 
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
139  * policy capability is enabled, SECMARK is always considered enabled.
140  *
141  */
142 static int selinux_secmark_enabled(void)
143 {
144 	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146 
147 /**
148  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149  *
150  * Description:
151  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
152  * (1) if any are enabled or false (0) if neither are enabled.  If the
153  * always_check_network policy capability is enabled, peer labeling
154  * is always considered enabled.
155  *
156  */
157 static int selinux_peerlbl_enabled(void)
158 {
159 	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161 
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 	if (event == AVC_CALLBACK_RESET) {
165 		sel_netif_flush();
166 		sel_netnode_flush();
167 		sel_netport_flush();
168 		synchronize_net();
169 	}
170 	return 0;
171 }
172 
173 /*
174  * initialise the security for the init task
175  */
176 static void cred_init_security(void)
177 {
178 	struct cred *cred = (struct cred *) current->real_cred;
179 	struct task_security_struct *tsec;
180 
181 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 	if (!tsec)
183 		panic("SELinux:  Failed to initialize initial task.\n");
184 
185 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 	cred->security = tsec;
187 }
188 
189 /*
190  * get the security ID of a set of credentials
191  */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 	const struct task_security_struct *tsec;
195 
196 	tsec = cred->security;
197 	return tsec->sid;
198 }
199 
200 /*
201  * get the objective security ID of a task
202  */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 	u32 sid;
206 
207 	rcu_read_lock();
208 	sid = cred_sid(__task_cred(task));
209 	rcu_read_unlock();
210 	return sid;
211 }
212 
213 /*
214  * get the subjective security ID of the current task
215  */
216 static inline u32 current_sid(void)
217 {
218 	const struct task_security_struct *tsec = current_security();
219 
220 	return tsec->sid;
221 }
222 
223 /* Allocate and free functions for each kind of security blob. */
224 
225 static int inode_alloc_security(struct inode *inode)
226 {
227 	struct inode_security_struct *isec;
228 	u32 sid = current_sid();
229 
230 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 	if (!isec)
232 		return -ENOMEM;
233 
234 	mutex_init(&isec->lock);
235 	INIT_LIST_HEAD(&isec->list);
236 	isec->inode = inode;
237 	isec->sid = SECINITSID_UNLABELED;
238 	isec->sclass = SECCLASS_FILE;
239 	isec->task_sid = sid;
240 	inode->i_security = isec;
241 
242 	return 0;
243 }
244 
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246 
247 /*
248  * Try reloading inode security labels that have been marked as invalid.  The
249  * @may_sleep parameter indicates when sleeping and thus reloading labels is
250  * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
252  * when no dentry is available, set it to NULL instead.
253  */
254 static int __inode_security_revalidate(struct inode *inode,
255 				       struct dentry *opt_dentry,
256 				       bool may_sleep)
257 {
258 	struct inode_security_struct *isec = inode->i_security;
259 
260 	might_sleep_if(may_sleep);
261 
262 	if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
263 		if (!may_sleep)
264 			return -ECHILD;
265 
266 		/*
267 		 * Try reloading the inode security label.  This will fail if
268 		 * @opt_dentry is NULL and no dentry for this inode can be
269 		 * found; in that case, continue using the old label.
270 		 */
271 		inode_doinit_with_dentry(inode, opt_dentry);
272 	}
273 	return 0;
274 }
275 
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278 	return inode->i_security;
279 }
280 
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283 	int error;
284 
285 	error = __inode_security_revalidate(inode, NULL, !rcu);
286 	if (error)
287 		return ERR_PTR(error);
288 	return inode->i_security;
289 }
290 
291 /*
292  * Get the security label of an inode.
293  */
294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296 	__inode_security_revalidate(inode, NULL, true);
297 	return inode->i_security;
298 }
299 
300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301 {
302 	struct inode *inode = d_backing_inode(dentry);
303 
304 	return inode->i_security;
305 }
306 
307 /*
308  * Get the security label of a dentry's backing inode.
309  */
310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311 {
312 	struct inode *inode = d_backing_inode(dentry);
313 
314 	__inode_security_revalidate(inode, dentry, true);
315 	return inode->i_security;
316 }
317 
318 static void inode_free_rcu(struct rcu_head *head)
319 {
320 	struct inode_security_struct *isec;
321 
322 	isec = container_of(head, struct inode_security_struct, rcu);
323 	kmem_cache_free(sel_inode_cache, isec);
324 }
325 
326 static void inode_free_security(struct inode *inode)
327 {
328 	struct inode_security_struct *isec = inode->i_security;
329 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330 
331 	/*
332 	 * As not all inode security structures are in a list, we check for
333 	 * empty list outside of the lock to make sure that we won't waste
334 	 * time taking a lock doing nothing.
335 	 *
336 	 * The list_del_init() function can be safely called more than once.
337 	 * It should not be possible for this function to be called with
338 	 * concurrent list_add(), but for better safety against future changes
339 	 * in the code, we use list_empty_careful() here.
340 	 */
341 	if (!list_empty_careful(&isec->list)) {
342 		spin_lock(&sbsec->isec_lock);
343 		list_del_init(&isec->list);
344 		spin_unlock(&sbsec->isec_lock);
345 	}
346 
347 	/*
348 	 * The inode may still be referenced in a path walk and
349 	 * a call to selinux_inode_permission() can be made
350 	 * after inode_free_security() is called. Ideally, the VFS
351 	 * wouldn't do this, but fixing that is a much harder
352 	 * job. For now, simply free the i_security via RCU, and
353 	 * leave the current inode->i_security pointer intact.
354 	 * The inode will be freed after the RCU grace period too.
355 	 */
356 	call_rcu(&isec->rcu, inode_free_rcu);
357 }
358 
359 static int file_alloc_security(struct file *file)
360 {
361 	struct file_security_struct *fsec;
362 	u32 sid = current_sid();
363 
364 	fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
365 	if (!fsec)
366 		return -ENOMEM;
367 
368 	fsec->sid = sid;
369 	fsec->fown_sid = sid;
370 	file->f_security = fsec;
371 
372 	return 0;
373 }
374 
375 static void file_free_security(struct file *file)
376 {
377 	struct file_security_struct *fsec = file->f_security;
378 	file->f_security = NULL;
379 	kmem_cache_free(file_security_cache, fsec);
380 }
381 
382 static int superblock_alloc_security(struct super_block *sb)
383 {
384 	struct superblock_security_struct *sbsec;
385 
386 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
387 	if (!sbsec)
388 		return -ENOMEM;
389 
390 	mutex_init(&sbsec->lock);
391 	INIT_LIST_HEAD(&sbsec->isec_head);
392 	spin_lock_init(&sbsec->isec_lock);
393 	sbsec->sb = sb;
394 	sbsec->sid = SECINITSID_UNLABELED;
395 	sbsec->def_sid = SECINITSID_FILE;
396 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
397 	sb->s_security = sbsec;
398 
399 	return 0;
400 }
401 
402 static void superblock_free_security(struct super_block *sb)
403 {
404 	struct superblock_security_struct *sbsec = sb->s_security;
405 	sb->s_security = NULL;
406 	kfree(sbsec);
407 }
408 
409 /* The file system's label must be initialized prior to use. */
410 
411 static const char *labeling_behaviors[7] = {
412 	"uses xattr",
413 	"uses transition SIDs",
414 	"uses task SIDs",
415 	"uses genfs_contexts",
416 	"not configured for labeling",
417 	"uses mountpoint labeling",
418 	"uses native labeling",
419 };
420 
421 static inline int inode_doinit(struct inode *inode)
422 {
423 	return inode_doinit_with_dentry(inode, NULL);
424 }
425 
426 enum {
427 	Opt_error = -1,
428 	Opt_context = 1,
429 	Opt_fscontext = 2,
430 	Opt_defcontext = 3,
431 	Opt_rootcontext = 4,
432 	Opt_labelsupport = 5,
433 	Opt_nextmntopt = 6,
434 };
435 
436 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
437 
438 static const match_table_t tokens = {
439 	{Opt_context, CONTEXT_STR "%s"},
440 	{Opt_fscontext, FSCONTEXT_STR "%s"},
441 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
442 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
443 	{Opt_labelsupport, LABELSUPP_STR},
444 	{Opt_error, NULL},
445 };
446 
447 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
448 
449 static int may_context_mount_sb_relabel(u32 sid,
450 			struct superblock_security_struct *sbsec,
451 			const struct cred *cred)
452 {
453 	const struct task_security_struct *tsec = cred->security;
454 	int rc;
455 
456 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457 			  FILESYSTEM__RELABELFROM, NULL);
458 	if (rc)
459 		return rc;
460 
461 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462 			  FILESYSTEM__RELABELTO, NULL);
463 	return rc;
464 }
465 
466 static int may_context_mount_inode_relabel(u32 sid,
467 			struct superblock_security_struct *sbsec,
468 			const struct cred *cred)
469 {
470 	const struct task_security_struct *tsec = cred->security;
471 	int rc;
472 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 			  FILESYSTEM__RELABELFROM, NULL);
474 	if (rc)
475 		return rc;
476 
477 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
478 			  FILESYSTEM__ASSOCIATE, NULL);
479 	return rc;
480 }
481 
482 static int selinux_is_sblabel_mnt(struct super_block *sb)
483 {
484 	struct superblock_security_struct *sbsec = sb->s_security;
485 
486 	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
487 		sbsec->behavior == SECURITY_FS_USE_TRANS ||
488 		sbsec->behavior == SECURITY_FS_USE_TASK ||
489 		sbsec->behavior == SECURITY_FS_USE_NATIVE ||
490 		/* Special handling. Genfs but also in-core setxattr handler */
491 		!strcmp(sb->s_type->name, "sysfs") ||
492 		!strcmp(sb->s_type->name, "pstore") ||
493 		!strcmp(sb->s_type->name, "debugfs") ||
494 		!strcmp(sb->s_type->name, "rootfs");
495 }
496 
497 static int sb_finish_set_opts(struct super_block *sb)
498 {
499 	struct superblock_security_struct *sbsec = sb->s_security;
500 	struct dentry *root = sb->s_root;
501 	struct inode *root_inode = d_backing_inode(root);
502 	int rc = 0;
503 
504 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
505 		/* Make sure that the xattr handler exists and that no
506 		   error other than -ENODATA is returned by getxattr on
507 		   the root directory.  -ENODATA is ok, as this may be
508 		   the first boot of the SELinux kernel before we have
509 		   assigned xattr values to the filesystem. */
510 		if (!root_inode->i_op->getxattr) {
511 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
512 			       "xattr support\n", sb->s_id, sb->s_type->name);
513 			rc = -EOPNOTSUPP;
514 			goto out;
515 		}
516 		rc = root_inode->i_op->getxattr(root, root_inode,
517 						XATTR_NAME_SELINUX, NULL, 0);
518 		if (rc < 0 && rc != -ENODATA) {
519 			if (rc == -EOPNOTSUPP)
520 				printk(KERN_WARNING "SELinux: (dev %s, type "
521 				       "%s) has no security xattr handler\n",
522 				       sb->s_id, sb->s_type->name);
523 			else
524 				printk(KERN_WARNING "SELinux: (dev %s, type "
525 				       "%s) getxattr errno %d\n", sb->s_id,
526 				       sb->s_type->name, -rc);
527 			goto out;
528 		}
529 	}
530 
531 	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
532 		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
533 		       sb->s_id, sb->s_type->name);
534 
535 	sbsec->flags |= SE_SBINITIALIZED;
536 	if (selinux_is_sblabel_mnt(sb))
537 		sbsec->flags |= SBLABEL_MNT;
538 
539 	/* Initialize the root inode. */
540 	rc = inode_doinit_with_dentry(root_inode, root);
541 
542 	/* Initialize any other inodes associated with the superblock, e.g.
543 	   inodes created prior to initial policy load or inodes created
544 	   during get_sb by a pseudo filesystem that directly
545 	   populates itself. */
546 	spin_lock(&sbsec->isec_lock);
547 next_inode:
548 	if (!list_empty(&sbsec->isec_head)) {
549 		struct inode_security_struct *isec =
550 				list_entry(sbsec->isec_head.next,
551 					   struct inode_security_struct, list);
552 		struct inode *inode = isec->inode;
553 		list_del_init(&isec->list);
554 		spin_unlock(&sbsec->isec_lock);
555 		inode = igrab(inode);
556 		if (inode) {
557 			if (!IS_PRIVATE(inode))
558 				inode_doinit(inode);
559 			iput(inode);
560 		}
561 		spin_lock(&sbsec->isec_lock);
562 		goto next_inode;
563 	}
564 	spin_unlock(&sbsec->isec_lock);
565 out:
566 	return rc;
567 }
568 
569 /*
570  * This function should allow an FS to ask what it's mount security
571  * options were so it can use those later for submounts, displaying
572  * mount options, or whatever.
573  */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575 				struct security_mnt_opts *opts)
576 {
577 	int rc = 0, i;
578 	struct superblock_security_struct *sbsec = sb->s_security;
579 	char *context = NULL;
580 	u32 len;
581 	char tmp;
582 
583 	security_init_mnt_opts(opts);
584 
585 	if (!(sbsec->flags & SE_SBINITIALIZED))
586 		return -EINVAL;
587 
588 	if (!ss_initialized)
589 		return -EINVAL;
590 
591 	/* make sure we always check enough bits to cover the mask */
592 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593 
594 	tmp = sbsec->flags & SE_MNTMASK;
595 	/* count the number of mount options for this sb */
596 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597 		if (tmp & 0x01)
598 			opts->num_mnt_opts++;
599 		tmp >>= 1;
600 	}
601 	/* Check if the Label support flag is set */
602 	if (sbsec->flags & SBLABEL_MNT)
603 		opts->num_mnt_opts++;
604 
605 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 	if (!opts->mnt_opts) {
607 		rc = -ENOMEM;
608 		goto out_free;
609 	}
610 
611 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 	if (!opts->mnt_opts_flags) {
613 		rc = -ENOMEM;
614 		goto out_free;
615 	}
616 
617 	i = 0;
618 	if (sbsec->flags & FSCONTEXT_MNT) {
619 		rc = security_sid_to_context(sbsec->sid, &context, &len);
620 		if (rc)
621 			goto out_free;
622 		opts->mnt_opts[i] = context;
623 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624 	}
625 	if (sbsec->flags & CONTEXT_MNT) {
626 		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 		if (rc)
628 			goto out_free;
629 		opts->mnt_opts[i] = context;
630 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631 	}
632 	if (sbsec->flags & DEFCONTEXT_MNT) {
633 		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 		if (rc)
635 			goto out_free;
636 		opts->mnt_opts[i] = context;
637 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638 	}
639 	if (sbsec->flags & ROOTCONTEXT_MNT) {
640 		struct dentry *root = sbsec->sb->s_root;
641 		struct inode_security_struct *isec = backing_inode_security(root);
642 
643 		rc = security_sid_to_context(isec->sid, &context, &len);
644 		if (rc)
645 			goto out_free;
646 		opts->mnt_opts[i] = context;
647 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648 	}
649 	if (sbsec->flags & SBLABEL_MNT) {
650 		opts->mnt_opts[i] = NULL;
651 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652 	}
653 
654 	BUG_ON(i != opts->num_mnt_opts);
655 
656 	return 0;
657 
658 out_free:
659 	security_free_mnt_opts(opts);
660 	return rc;
661 }
662 
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 		      u32 old_sid, u32 new_sid)
665 {
666 	char mnt_flags = sbsec->flags & SE_MNTMASK;
667 
668 	/* check if the old mount command had the same options */
669 	if (sbsec->flags & SE_SBINITIALIZED)
670 		if (!(sbsec->flags & flag) ||
671 		    (old_sid != new_sid))
672 			return 1;
673 
674 	/* check if we were passed the same options twice,
675 	 * aka someone passed context=a,context=b
676 	 */
677 	if (!(sbsec->flags & SE_SBINITIALIZED))
678 		if (mnt_flags & flag)
679 			return 1;
680 	return 0;
681 }
682 
683 /*
684  * Allow filesystems with binary mount data to explicitly set mount point
685  * labeling information.
686  */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688 				struct security_mnt_opts *opts,
689 				unsigned long kern_flags,
690 				unsigned long *set_kern_flags)
691 {
692 	const struct cred *cred = current_cred();
693 	int rc = 0, i;
694 	struct superblock_security_struct *sbsec = sb->s_security;
695 	const char *name = sb->s_type->name;
696 	struct dentry *root = sbsec->sb->s_root;
697 	struct inode_security_struct *root_isec;
698 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 	u32 defcontext_sid = 0;
700 	char **mount_options = opts->mnt_opts;
701 	int *flags = opts->mnt_opts_flags;
702 	int num_opts = opts->num_mnt_opts;
703 
704 	mutex_lock(&sbsec->lock);
705 
706 	if (!ss_initialized) {
707 		if (!num_opts) {
708 			/* Defer initialization until selinux_complete_init,
709 			   after the initial policy is loaded and the security
710 			   server is ready to handle calls. */
711 			goto out;
712 		}
713 		rc = -EINVAL;
714 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 			"before the security server is initialized\n");
716 		goto out;
717 	}
718 	if (kern_flags && !set_kern_flags) {
719 		/* Specifying internal flags without providing a place to
720 		 * place the results is not allowed */
721 		rc = -EINVAL;
722 		goto out;
723 	}
724 
725 	/*
726 	 * Binary mount data FS will come through this function twice.  Once
727 	 * from an explicit call and once from the generic calls from the vfs.
728 	 * Since the generic VFS calls will not contain any security mount data
729 	 * we need to skip the double mount verification.
730 	 *
731 	 * This does open a hole in which we will not notice if the first
732 	 * mount using this sb set explict options and a second mount using
733 	 * this sb does not set any security options.  (The first options
734 	 * will be used for both mounts)
735 	 */
736 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737 	    && (num_opts == 0))
738 		goto out;
739 
740 	root_isec = backing_inode_security_novalidate(root);
741 
742 	/*
743 	 * parse the mount options, check if they are valid sids.
744 	 * also check if someone is trying to mount the same sb more
745 	 * than once with different security options.
746 	 */
747 	for (i = 0; i < num_opts; i++) {
748 		u32 sid;
749 
750 		if (flags[i] == SBLABEL_MNT)
751 			continue;
752 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753 		if (rc) {
754 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
756 			       mount_options[i], sb->s_id, name, rc);
757 			goto out;
758 		}
759 		switch (flags[i]) {
760 		case FSCONTEXT_MNT:
761 			fscontext_sid = sid;
762 
763 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 					fscontext_sid))
765 				goto out_double_mount;
766 
767 			sbsec->flags |= FSCONTEXT_MNT;
768 			break;
769 		case CONTEXT_MNT:
770 			context_sid = sid;
771 
772 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 					context_sid))
774 				goto out_double_mount;
775 
776 			sbsec->flags |= CONTEXT_MNT;
777 			break;
778 		case ROOTCONTEXT_MNT:
779 			rootcontext_sid = sid;
780 
781 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 					rootcontext_sid))
783 				goto out_double_mount;
784 
785 			sbsec->flags |= ROOTCONTEXT_MNT;
786 
787 			break;
788 		case DEFCONTEXT_MNT:
789 			defcontext_sid = sid;
790 
791 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 					defcontext_sid))
793 				goto out_double_mount;
794 
795 			sbsec->flags |= DEFCONTEXT_MNT;
796 
797 			break;
798 		default:
799 			rc = -EINVAL;
800 			goto out;
801 		}
802 	}
803 
804 	if (sbsec->flags & SE_SBINITIALIZED) {
805 		/* previously mounted with options, but not on this attempt? */
806 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807 			goto out_double_mount;
808 		rc = 0;
809 		goto out;
810 	}
811 
812 	if (strcmp(sb->s_type->name, "proc") == 0)
813 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814 
815 	if (!strcmp(sb->s_type->name, "debugfs") ||
816 	    !strcmp(sb->s_type->name, "sysfs") ||
817 	    !strcmp(sb->s_type->name, "pstore"))
818 		sbsec->flags |= SE_SBGENFS;
819 
820 	if (!sbsec->behavior) {
821 		/*
822 		 * Determine the labeling behavior to use for this
823 		 * filesystem type.
824 		 */
825 		rc = security_fs_use(sb);
826 		if (rc) {
827 			printk(KERN_WARNING
828 				"%s: security_fs_use(%s) returned %d\n",
829 					__func__, sb->s_type->name, rc);
830 			goto out;
831 		}
832 	}
833 	/* sets the context of the superblock for the fs being mounted. */
834 	if (fscontext_sid) {
835 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
836 		if (rc)
837 			goto out;
838 
839 		sbsec->sid = fscontext_sid;
840 	}
841 
842 	/*
843 	 * Switch to using mount point labeling behavior.
844 	 * sets the label used on all file below the mountpoint, and will set
845 	 * the superblock context if not already set.
846 	 */
847 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
848 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
849 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
850 	}
851 
852 	if (context_sid) {
853 		if (!fscontext_sid) {
854 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
855 							  cred);
856 			if (rc)
857 				goto out;
858 			sbsec->sid = context_sid;
859 		} else {
860 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
861 							     cred);
862 			if (rc)
863 				goto out;
864 		}
865 		if (!rootcontext_sid)
866 			rootcontext_sid = context_sid;
867 
868 		sbsec->mntpoint_sid = context_sid;
869 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
870 	}
871 
872 	if (rootcontext_sid) {
873 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
874 						     cred);
875 		if (rc)
876 			goto out;
877 
878 		root_isec->sid = rootcontext_sid;
879 		root_isec->initialized = LABEL_INITIALIZED;
880 	}
881 
882 	if (defcontext_sid) {
883 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
884 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
885 			rc = -EINVAL;
886 			printk(KERN_WARNING "SELinux: defcontext option is "
887 			       "invalid for this filesystem type\n");
888 			goto out;
889 		}
890 
891 		if (defcontext_sid != sbsec->def_sid) {
892 			rc = may_context_mount_inode_relabel(defcontext_sid,
893 							     sbsec, cred);
894 			if (rc)
895 				goto out;
896 		}
897 
898 		sbsec->def_sid = defcontext_sid;
899 	}
900 
901 	rc = sb_finish_set_opts(sb);
902 out:
903 	mutex_unlock(&sbsec->lock);
904 	return rc;
905 out_double_mount:
906 	rc = -EINVAL;
907 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
908 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
909 	goto out;
910 }
911 
912 static int selinux_cmp_sb_context(const struct super_block *oldsb,
913 				    const struct super_block *newsb)
914 {
915 	struct superblock_security_struct *old = oldsb->s_security;
916 	struct superblock_security_struct *new = newsb->s_security;
917 	char oldflags = old->flags & SE_MNTMASK;
918 	char newflags = new->flags & SE_MNTMASK;
919 
920 	if (oldflags != newflags)
921 		goto mismatch;
922 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
923 		goto mismatch;
924 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
925 		goto mismatch;
926 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
927 		goto mismatch;
928 	if (oldflags & ROOTCONTEXT_MNT) {
929 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
930 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
931 		if (oldroot->sid != newroot->sid)
932 			goto mismatch;
933 	}
934 	return 0;
935 mismatch:
936 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
937 			    "different security settings for (dev %s, "
938 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
939 	return -EBUSY;
940 }
941 
942 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
943 					struct super_block *newsb)
944 {
945 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
946 	struct superblock_security_struct *newsbsec = newsb->s_security;
947 
948 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
949 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
950 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
951 
952 	/*
953 	 * if the parent was able to be mounted it clearly had no special lsm
954 	 * mount options.  thus we can safely deal with this superblock later
955 	 */
956 	if (!ss_initialized)
957 		return 0;
958 
959 	/* how can we clone if the old one wasn't set up?? */
960 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
961 
962 	/* if fs is reusing a sb, make sure that the contexts match */
963 	if (newsbsec->flags & SE_SBINITIALIZED)
964 		return selinux_cmp_sb_context(oldsb, newsb);
965 
966 	mutex_lock(&newsbsec->lock);
967 
968 	newsbsec->flags = oldsbsec->flags;
969 
970 	newsbsec->sid = oldsbsec->sid;
971 	newsbsec->def_sid = oldsbsec->def_sid;
972 	newsbsec->behavior = oldsbsec->behavior;
973 
974 	if (set_context) {
975 		u32 sid = oldsbsec->mntpoint_sid;
976 
977 		if (!set_fscontext)
978 			newsbsec->sid = sid;
979 		if (!set_rootcontext) {
980 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
981 			newisec->sid = sid;
982 		}
983 		newsbsec->mntpoint_sid = sid;
984 	}
985 	if (set_rootcontext) {
986 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
987 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
988 
989 		newisec->sid = oldisec->sid;
990 	}
991 
992 	sb_finish_set_opts(newsb);
993 	mutex_unlock(&newsbsec->lock);
994 	return 0;
995 }
996 
997 static int selinux_parse_opts_str(char *options,
998 				  struct security_mnt_opts *opts)
999 {
1000 	char *p;
1001 	char *context = NULL, *defcontext = NULL;
1002 	char *fscontext = NULL, *rootcontext = NULL;
1003 	int rc, num_mnt_opts = 0;
1004 
1005 	opts->num_mnt_opts = 0;
1006 
1007 	/* Standard string-based options. */
1008 	while ((p = strsep(&options, "|")) != NULL) {
1009 		int token;
1010 		substring_t args[MAX_OPT_ARGS];
1011 
1012 		if (!*p)
1013 			continue;
1014 
1015 		token = match_token(p, tokens, args);
1016 
1017 		switch (token) {
1018 		case Opt_context:
1019 			if (context || defcontext) {
1020 				rc = -EINVAL;
1021 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1022 				goto out_err;
1023 			}
1024 			context = match_strdup(&args[0]);
1025 			if (!context) {
1026 				rc = -ENOMEM;
1027 				goto out_err;
1028 			}
1029 			break;
1030 
1031 		case Opt_fscontext:
1032 			if (fscontext) {
1033 				rc = -EINVAL;
1034 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1035 				goto out_err;
1036 			}
1037 			fscontext = match_strdup(&args[0]);
1038 			if (!fscontext) {
1039 				rc = -ENOMEM;
1040 				goto out_err;
1041 			}
1042 			break;
1043 
1044 		case Opt_rootcontext:
1045 			if (rootcontext) {
1046 				rc = -EINVAL;
1047 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1048 				goto out_err;
1049 			}
1050 			rootcontext = match_strdup(&args[0]);
1051 			if (!rootcontext) {
1052 				rc = -ENOMEM;
1053 				goto out_err;
1054 			}
1055 			break;
1056 
1057 		case Opt_defcontext:
1058 			if (context || defcontext) {
1059 				rc = -EINVAL;
1060 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1061 				goto out_err;
1062 			}
1063 			defcontext = match_strdup(&args[0]);
1064 			if (!defcontext) {
1065 				rc = -ENOMEM;
1066 				goto out_err;
1067 			}
1068 			break;
1069 		case Opt_labelsupport:
1070 			break;
1071 		default:
1072 			rc = -EINVAL;
1073 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
1074 			goto out_err;
1075 
1076 		}
1077 	}
1078 
1079 	rc = -ENOMEM;
1080 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1081 	if (!opts->mnt_opts)
1082 		goto out_err;
1083 
1084 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1085 	if (!opts->mnt_opts_flags) {
1086 		kfree(opts->mnt_opts);
1087 		goto out_err;
1088 	}
1089 
1090 	if (fscontext) {
1091 		opts->mnt_opts[num_mnt_opts] = fscontext;
1092 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1093 	}
1094 	if (context) {
1095 		opts->mnt_opts[num_mnt_opts] = context;
1096 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1097 	}
1098 	if (rootcontext) {
1099 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1100 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1101 	}
1102 	if (defcontext) {
1103 		opts->mnt_opts[num_mnt_opts] = defcontext;
1104 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1105 	}
1106 
1107 	opts->num_mnt_opts = num_mnt_opts;
1108 	return 0;
1109 
1110 out_err:
1111 	kfree(context);
1112 	kfree(defcontext);
1113 	kfree(fscontext);
1114 	kfree(rootcontext);
1115 	return rc;
1116 }
1117 /*
1118  * string mount options parsing and call set the sbsec
1119  */
1120 static int superblock_doinit(struct super_block *sb, void *data)
1121 {
1122 	int rc = 0;
1123 	char *options = data;
1124 	struct security_mnt_opts opts;
1125 
1126 	security_init_mnt_opts(&opts);
1127 
1128 	if (!data)
1129 		goto out;
1130 
1131 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1132 
1133 	rc = selinux_parse_opts_str(options, &opts);
1134 	if (rc)
1135 		goto out_err;
1136 
1137 out:
1138 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1139 
1140 out_err:
1141 	security_free_mnt_opts(&opts);
1142 	return rc;
1143 }
1144 
1145 static void selinux_write_opts(struct seq_file *m,
1146 			       struct security_mnt_opts *opts)
1147 {
1148 	int i;
1149 	char *prefix;
1150 
1151 	for (i = 0; i < opts->num_mnt_opts; i++) {
1152 		char *has_comma;
1153 
1154 		if (opts->mnt_opts[i])
1155 			has_comma = strchr(opts->mnt_opts[i], ',');
1156 		else
1157 			has_comma = NULL;
1158 
1159 		switch (opts->mnt_opts_flags[i]) {
1160 		case CONTEXT_MNT:
1161 			prefix = CONTEXT_STR;
1162 			break;
1163 		case FSCONTEXT_MNT:
1164 			prefix = FSCONTEXT_STR;
1165 			break;
1166 		case ROOTCONTEXT_MNT:
1167 			prefix = ROOTCONTEXT_STR;
1168 			break;
1169 		case DEFCONTEXT_MNT:
1170 			prefix = DEFCONTEXT_STR;
1171 			break;
1172 		case SBLABEL_MNT:
1173 			seq_putc(m, ',');
1174 			seq_puts(m, LABELSUPP_STR);
1175 			continue;
1176 		default:
1177 			BUG();
1178 			return;
1179 		};
1180 		/* we need a comma before each option */
1181 		seq_putc(m, ',');
1182 		seq_puts(m, prefix);
1183 		if (has_comma)
1184 			seq_putc(m, '\"');
1185 		seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1186 		if (has_comma)
1187 			seq_putc(m, '\"');
1188 	}
1189 }
1190 
1191 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1192 {
1193 	struct security_mnt_opts opts;
1194 	int rc;
1195 
1196 	rc = selinux_get_mnt_opts(sb, &opts);
1197 	if (rc) {
1198 		/* before policy load we may get EINVAL, don't show anything */
1199 		if (rc == -EINVAL)
1200 			rc = 0;
1201 		return rc;
1202 	}
1203 
1204 	selinux_write_opts(m, &opts);
1205 
1206 	security_free_mnt_opts(&opts);
1207 
1208 	return rc;
1209 }
1210 
1211 static inline u16 inode_mode_to_security_class(umode_t mode)
1212 {
1213 	switch (mode & S_IFMT) {
1214 	case S_IFSOCK:
1215 		return SECCLASS_SOCK_FILE;
1216 	case S_IFLNK:
1217 		return SECCLASS_LNK_FILE;
1218 	case S_IFREG:
1219 		return SECCLASS_FILE;
1220 	case S_IFBLK:
1221 		return SECCLASS_BLK_FILE;
1222 	case S_IFDIR:
1223 		return SECCLASS_DIR;
1224 	case S_IFCHR:
1225 		return SECCLASS_CHR_FILE;
1226 	case S_IFIFO:
1227 		return SECCLASS_FIFO_FILE;
1228 
1229 	}
1230 
1231 	return SECCLASS_FILE;
1232 }
1233 
1234 static inline int default_protocol_stream(int protocol)
1235 {
1236 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1237 }
1238 
1239 static inline int default_protocol_dgram(int protocol)
1240 {
1241 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1242 }
1243 
1244 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1245 {
1246 	switch (family) {
1247 	case PF_UNIX:
1248 		switch (type) {
1249 		case SOCK_STREAM:
1250 		case SOCK_SEQPACKET:
1251 			return SECCLASS_UNIX_STREAM_SOCKET;
1252 		case SOCK_DGRAM:
1253 			return SECCLASS_UNIX_DGRAM_SOCKET;
1254 		}
1255 		break;
1256 	case PF_INET:
1257 	case PF_INET6:
1258 		switch (type) {
1259 		case SOCK_STREAM:
1260 			if (default_protocol_stream(protocol))
1261 				return SECCLASS_TCP_SOCKET;
1262 			else
1263 				return SECCLASS_RAWIP_SOCKET;
1264 		case SOCK_DGRAM:
1265 			if (default_protocol_dgram(protocol))
1266 				return SECCLASS_UDP_SOCKET;
1267 			else
1268 				return SECCLASS_RAWIP_SOCKET;
1269 		case SOCK_DCCP:
1270 			return SECCLASS_DCCP_SOCKET;
1271 		default:
1272 			return SECCLASS_RAWIP_SOCKET;
1273 		}
1274 		break;
1275 	case PF_NETLINK:
1276 		switch (protocol) {
1277 		case NETLINK_ROUTE:
1278 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1279 		case NETLINK_SOCK_DIAG:
1280 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1281 		case NETLINK_NFLOG:
1282 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1283 		case NETLINK_XFRM:
1284 			return SECCLASS_NETLINK_XFRM_SOCKET;
1285 		case NETLINK_SELINUX:
1286 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1287 		case NETLINK_ISCSI:
1288 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1289 		case NETLINK_AUDIT:
1290 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1291 		case NETLINK_FIB_LOOKUP:
1292 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1293 		case NETLINK_CONNECTOR:
1294 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1295 		case NETLINK_NETFILTER:
1296 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1297 		case NETLINK_DNRTMSG:
1298 			return SECCLASS_NETLINK_DNRT_SOCKET;
1299 		case NETLINK_KOBJECT_UEVENT:
1300 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1301 		case NETLINK_GENERIC:
1302 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1303 		case NETLINK_SCSITRANSPORT:
1304 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1305 		case NETLINK_RDMA:
1306 			return SECCLASS_NETLINK_RDMA_SOCKET;
1307 		case NETLINK_CRYPTO:
1308 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1309 		default:
1310 			return SECCLASS_NETLINK_SOCKET;
1311 		}
1312 	case PF_PACKET:
1313 		return SECCLASS_PACKET_SOCKET;
1314 	case PF_KEY:
1315 		return SECCLASS_KEY_SOCKET;
1316 	case PF_APPLETALK:
1317 		return SECCLASS_APPLETALK_SOCKET;
1318 	}
1319 
1320 	return SECCLASS_SOCKET;
1321 }
1322 
1323 static int selinux_genfs_get_sid(struct dentry *dentry,
1324 				 u16 tclass,
1325 				 u16 flags,
1326 				 u32 *sid)
1327 {
1328 	int rc;
1329 	struct super_block *sb = dentry->d_sb;
1330 	char *buffer, *path;
1331 
1332 	buffer = (char *)__get_free_page(GFP_KERNEL);
1333 	if (!buffer)
1334 		return -ENOMEM;
1335 
1336 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1337 	if (IS_ERR(path))
1338 		rc = PTR_ERR(path);
1339 	else {
1340 		if (flags & SE_SBPROC) {
1341 			/* each process gets a /proc/PID/ entry. Strip off the
1342 			 * PID part to get a valid selinux labeling.
1343 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1344 			while (path[1] >= '0' && path[1] <= '9') {
1345 				path[1] = '/';
1346 				path++;
1347 			}
1348 		}
1349 		rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1350 	}
1351 	free_page((unsigned long)buffer);
1352 	return rc;
1353 }
1354 
1355 /* The inode's security attributes must be initialized before first use. */
1356 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1357 {
1358 	struct superblock_security_struct *sbsec = NULL;
1359 	struct inode_security_struct *isec = inode->i_security;
1360 	u32 sid;
1361 	struct dentry *dentry;
1362 #define INITCONTEXTLEN 255
1363 	char *context = NULL;
1364 	unsigned len = 0;
1365 	int rc = 0;
1366 
1367 	if (isec->initialized == LABEL_INITIALIZED)
1368 		goto out;
1369 
1370 	mutex_lock(&isec->lock);
1371 	if (isec->initialized == LABEL_INITIALIZED)
1372 		goto out_unlock;
1373 
1374 	sbsec = inode->i_sb->s_security;
1375 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1376 		/* Defer initialization until selinux_complete_init,
1377 		   after the initial policy is loaded and the security
1378 		   server is ready to handle calls. */
1379 		spin_lock(&sbsec->isec_lock);
1380 		if (list_empty(&isec->list))
1381 			list_add(&isec->list, &sbsec->isec_head);
1382 		spin_unlock(&sbsec->isec_lock);
1383 		goto out_unlock;
1384 	}
1385 
1386 	switch (sbsec->behavior) {
1387 	case SECURITY_FS_USE_NATIVE:
1388 		break;
1389 	case SECURITY_FS_USE_XATTR:
1390 		if (!inode->i_op->getxattr) {
1391 			isec->sid = sbsec->def_sid;
1392 			break;
1393 		}
1394 
1395 		/* Need a dentry, since the xattr API requires one.
1396 		   Life would be simpler if we could just pass the inode. */
1397 		if (opt_dentry) {
1398 			/* Called from d_instantiate or d_splice_alias. */
1399 			dentry = dget(opt_dentry);
1400 		} else {
1401 			/* Called from selinux_complete_init, try to find a dentry. */
1402 			dentry = d_find_alias(inode);
1403 		}
1404 		if (!dentry) {
1405 			/*
1406 			 * this is can be hit on boot when a file is accessed
1407 			 * before the policy is loaded.  When we load policy we
1408 			 * may find inodes that have no dentry on the
1409 			 * sbsec->isec_head list.  No reason to complain as these
1410 			 * will get fixed up the next time we go through
1411 			 * inode_doinit with a dentry, before these inodes could
1412 			 * be used again by userspace.
1413 			 */
1414 			goto out_unlock;
1415 		}
1416 
1417 		len = INITCONTEXTLEN;
1418 		context = kmalloc(len+1, GFP_NOFS);
1419 		if (!context) {
1420 			rc = -ENOMEM;
1421 			dput(dentry);
1422 			goto out_unlock;
1423 		}
1424 		context[len] = '\0';
1425 		rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1426 					   context, len);
1427 		if (rc == -ERANGE) {
1428 			kfree(context);
1429 
1430 			/* Need a larger buffer.  Query for the right size. */
1431 			rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1432 						   NULL, 0);
1433 			if (rc < 0) {
1434 				dput(dentry);
1435 				goto out_unlock;
1436 			}
1437 			len = rc;
1438 			context = kmalloc(len+1, GFP_NOFS);
1439 			if (!context) {
1440 				rc = -ENOMEM;
1441 				dput(dentry);
1442 				goto out_unlock;
1443 			}
1444 			context[len] = '\0';
1445 			rc = inode->i_op->getxattr(dentry, inode,
1446 						   XATTR_NAME_SELINUX,
1447 						   context, len);
1448 		}
1449 		dput(dentry);
1450 		if (rc < 0) {
1451 			if (rc != -ENODATA) {
1452 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1453 				       "%d for dev=%s ino=%ld\n", __func__,
1454 				       -rc, inode->i_sb->s_id, inode->i_ino);
1455 				kfree(context);
1456 				goto out_unlock;
1457 			}
1458 			/* Map ENODATA to the default file SID */
1459 			sid = sbsec->def_sid;
1460 			rc = 0;
1461 		} else {
1462 			rc = security_context_to_sid_default(context, rc, &sid,
1463 							     sbsec->def_sid,
1464 							     GFP_NOFS);
1465 			if (rc) {
1466 				char *dev = inode->i_sb->s_id;
1467 				unsigned long ino = inode->i_ino;
1468 
1469 				if (rc == -EINVAL) {
1470 					if (printk_ratelimit())
1471 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1472 							"context=%s.  This indicates you may need to relabel the inode or the "
1473 							"filesystem in question.\n", ino, dev, context);
1474 				} else {
1475 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1476 					       "returned %d for dev=%s ino=%ld\n",
1477 					       __func__, context, -rc, dev, ino);
1478 				}
1479 				kfree(context);
1480 				/* Leave with the unlabeled SID */
1481 				rc = 0;
1482 				break;
1483 			}
1484 		}
1485 		kfree(context);
1486 		isec->sid = sid;
1487 		break;
1488 	case SECURITY_FS_USE_TASK:
1489 		isec->sid = isec->task_sid;
1490 		break;
1491 	case SECURITY_FS_USE_TRANS:
1492 		/* Default to the fs SID. */
1493 		isec->sid = sbsec->sid;
1494 
1495 		/* Try to obtain a transition SID. */
1496 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1497 		rc = security_transition_sid(isec->task_sid, sbsec->sid,
1498 					     isec->sclass, NULL, &sid);
1499 		if (rc)
1500 			goto out_unlock;
1501 		isec->sid = sid;
1502 		break;
1503 	case SECURITY_FS_USE_MNTPOINT:
1504 		isec->sid = sbsec->mntpoint_sid;
1505 		break;
1506 	default:
1507 		/* Default to the fs superblock SID. */
1508 		isec->sid = sbsec->sid;
1509 
1510 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1511 			/* We must have a dentry to determine the label on
1512 			 * procfs inodes */
1513 			if (opt_dentry)
1514 				/* Called from d_instantiate or
1515 				 * d_splice_alias. */
1516 				dentry = dget(opt_dentry);
1517 			else
1518 				/* Called from selinux_complete_init, try to
1519 				 * find a dentry. */
1520 				dentry = d_find_alias(inode);
1521 			/*
1522 			 * This can be hit on boot when a file is accessed
1523 			 * before the policy is loaded.  When we load policy we
1524 			 * may find inodes that have no dentry on the
1525 			 * sbsec->isec_head list.  No reason to complain as
1526 			 * these will get fixed up the next time we go through
1527 			 * inode_doinit() with a dentry, before these inodes
1528 			 * could be used again by userspace.
1529 			 */
1530 			if (!dentry)
1531 				goto out_unlock;
1532 			isec->sclass = inode_mode_to_security_class(inode->i_mode);
1533 			rc = selinux_genfs_get_sid(dentry, isec->sclass,
1534 						   sbsec->flags, &sid);
1535 			dput(dentry);
1536 			if (rc)
1537 				goto out_unlock;
1538 			isec->sid = sid;
1539 		}
1540 		break;
1541 	}
1542 
1543 	isec->initialized = LABEL_INITIALIZED;
1544 
1545 out_unlock:
1546 	mutex_unlock(&isec->lock);
1547 out:
1548 	if (isec->sclass == SECCLASS_FILE)
1549 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1550 	return rc;
1551 }
1552 
1553 /* Convert a Linux signal to an access vector. */
1554 static inline u32 signal_to_av(int sig)
1555 {
1556 	u32 perm = 0;
1557 
1558 	switch (sig) {
1559 	case SIGCHLD:
1560 		/* Commonly granted from child to parent. */
1561 		perm = PROCESS__SIGCHLD;
1562 		break;
1563 	case SIGKILL:
1564 		/* Cannot be caught or ignored */
1565 		perm = PROCESS__SIGKILL;
1566 		break;
1567 	case SIGSTOP:
1568 		/* Cannot be caught or ignored */
1569 		perm = PROCESS__SIGSTOP;
1570 		break;
1571 	default:
1572 		/* All other signals. */
1573 		perm = PROCESS__SIGNAL;
1574 		break;
1575 	}
1576 
1577 	return perm;
1578 }
1579 
1580 /*
1581  * Check permission between a pair of credentials
1582  * fork check, ptrace check, etc.
1583  */
1584 static int cred_has_perm(const struct cred *actor,
1585 			 const struct cred *target,
1586 			 u32 perms)
1587 {
1588 	u32 asid = cred_sid(actor), tsid = cred_sid(target);
1589 
1590 	return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1591 }
1592 
1593 /*
1594  * Check permission between a pair of tasks, e.g. signal checks,
1595  * fork check, ptrace check, etc.
1596  * tsk1 is the actor and tsk2 is the target
1597  * - this uses the default subjective creds of tsk1
1598  */
1599 static int task_has_perm(const struct task_struct *tsk1,
1600 			 const struct task_struct *tsk2,
1601 			 u32 perms)
1602 {
1603 	const struct task_security_struct *__tsec1, *__tsec2;
1604 	u32 sid1, sid2;
1605 
1606 	rcu_read_lock();
1607 	__tsec1 = __task_cred(tsk1)->security;	sid1 = __tsec1->sid;
1608 	__tsec2 = __task_cred(tsk2)->security;	sid2 = __tsec2->sid;
1609 	rcu_read_unlock();
1610 	return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1611 }
1612 
1613 /*
1614  * Check permission between current and another task, e.g. signal checks,
1615  * fork check, ptrace check, etc.
1616  * current is the actor and tsk2 is the target
1617  * - this uses current's subjective creds
1618  */
1619 static int current_has_perm(const struct task_struct *tsk,
1620 			    u32 perms)
1621 {
1622 	u32 sid, tsid;
1623 
1624 	sid = current_sid();
1625 	tsid = task_sid(tsk);
1626 	return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1627 }
1628 
1629 #if CAP_LAST_CAP > 63
1630 #error Fix SELinux to handle capabilities > 63.
1631 #endif
1632 
1633 /* Check whether a task is allowed to use a capability. */
1634 static int cred_has_capability(const struct cred *cred,
1635 			       int cap, int audit, bool initns)
1636 {
1637 	struct common_audit_data ad;
1638 	struct av_decision avd;
1639 	u16 sclass;
1640 	u32 sid = cred_sid(cred);
1641 	u32 av = CAP_TO_MASK(cap);
1642 	int rc;
1643 
1644 	ad.type = LSM_AUDIT_DATA_CAP;
1645 	ad.u.cap = cap;
1646 
1647 	switch (CAP_TO_INDEX(cap)) {
1648 	case 0:
1649 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1650 		break;
1651 	case 1:
1652 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1653 		break;
1654 	default:
1655 		printk(KERN_ERR
1656 		       "SELinux:  out of range capability %d\n", cap);
1657 		BUG();
1658 		return -EINVAL;
1659 	}
1660 
1661 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1662 	if (audit == SECURITY_CAP_AUDIT) {
1663 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1664 		if (rc2)
1665 			return rc2;
1666 	}
1667 	return rc;
1668 }
1669 
1670 /* Check whether a task is allowed to use a system operation. */
1671 static int task_has_system(struct task_struct *tsk,
1672 			   u32 perms)
1673 {
1674 	u32 sid = task_sid(tsk);
1675 
1676 	return avc_has_perm(sid, SECINITSID_KERNEL,
1677 			    SECCLASS_SYSTEM, perms, NULL);
1678 }
1679 
1680 /* Check whether a task has a particular permission to an inode.
1681    The 'adp' parameter is optional and allows other audit
1682    data to be passed (e.g. the dentry). */
1683 static int inode_has_perm(const struct cred *cred,
1684 			  struct inode *inode,
1685 			  u32 perms,
1686 			  struct common_audit_data *adp)
1687 {
1688 	struct inode_security_struct *isec;
1689 	u32 sid;
1690 
1691 	validate_creds(cred);
1692 
1693 	if (unlikely(IS_PRIVATE(inode)))
1694 		return 0;
1695 
1696 	sid = cred_sid(cred);
1697 	isec = inode->i_security;
1698 
1699 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1700 }
1701 
1702 /* Same as inode_has_perm, but pass explicit audit data containing
1703    the dentry to help the auditing code to more easily generate the
1704    pathname if needed. */
1705 static inline int dentry_has_perm(const struct cred *cred,
1706 				  struct dentry *dentry,
1707 				  u32 av)
1708 {
1709 	struct inode *inode = d_backing_inode(dentry);
1710 	struct common_audit_data ad;
1711 
1712 	ad.type = LSM_AUDIT_DATA_DENTRY;
1713 	ad.u.dentry = dentry;
1714 	__inode_security_revalidate(inode, dentry, true);
1715 	return inode_has_perm(cred, inode, av, &ad);
1716 }
1717 
1718 /* Same as inode_has_perm, but pass explicit audit data containing
1719    the path to help the auditing code to more easily generate the
1720    pathname if needed. */
1721 static inline int path_has_perm(const struct cred *cred,
1722 				const struct path *path,
1723 				u32 av)
1724 {
1725 	struct inode *inode = d_backing_inode(path->dentry);
1726 	struct common_audit_data ad;
1727 
1728 	ad.type = LSM_AUDIT_DATA_PATH;
1729 	ad.u.path = *path;
1730 	__inode_security_revalidate(inode, path->dentry, true);
1731 	return inode_has_perm(cred, inode, av, &ad);
1732 }
1733 
1734 /* Same as path_has_perm, but uses the inode from the file struct. */
1735 static inline int file_path_has_perm(const struct cred *cred,
1736 				     struct file *file,
1737 				     u32 av)
1738 {
1739 	struct common_audit_data ad;
1740 
1741 	ad.type = LSM_AUDIT_DATA_PATH;
1742 	ad.u.path = file->f_path;
1743 	return inode_has_perm(cred, file_inode(file), av, &ad);
1744 }
1745 
1746 /* Check whether a task can use an open file descriptor to
1747    access an inode in a given way.  Check access to the
1748    descriptor itself, and then use dentry_has_perm to
1749    check a particular permission to the file.
1750    Access to the descriptor is implicitly granted if it
1751    has the same SID as the process.  If av is zero, then
1752    access to the file is not checked, e.g. for cases
1753    where only the descriptor is affected like seek. */
1754 static int file_has_perm(const struct cred *cred,
1755 			 struct file *file,
1756 			 u32 av)
1757 {
1758 	struct file_security_struct *fsec = file->f_security;
1759 	struct inode *inode = file_inode(file);
1760 	struct common_audit_data ad;
1761 	u32 sid = cred_sid(cred);
1762 	int rc;
1763 
1764 	ad.type = LSM_AUDIT_DATA_PATH;
1765 	ad.u.path = file->f_path;
1766 
1767 	if (sid != fsec->sid) {
1768 		rc = avc_has_perm(sid, fsec->sid,
1769 				  SECCLASS_FD,
1770 				  FD__USE,
1771 				  &ad);
1772 		if (rc)
1773 			goto out;
1774 	}
1775 
1776 	/* av is zero if only checking access to the descriptor. */
1777 	rc = 0;
1778 	if (av)
1779 		rc = inode_has_perm(cred, inode, av, &ad);
1780 
1781 out:
1782 	return rc;
1783 }
1784 
1785 /*
1786  * Determine the label for an inode that might be unioned.
1787  */
1788 static int selinux_determine_inode_label(struct inode *dir,
1789 					 const struct qstr *name,
1790 					 u16 tclass,
1791 					 u32 *_new_isid)
1792 {
1793 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1794 	const struct task_security_struct *tsec = current_security();
1795 
1796 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1797 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1798 		*_new_isid = sbsec->mntpoint_sid;
1799 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1800 		   tsec->create_sid) {
1801 		*_new_isid = tsec->create_sid;
1802 	} else {
1803 		const struct inode_security_struct *dsec = inode_security(dir);
1804 		return security_transition_sid(tsec->sid, dsec->sid, tclass,
1805 					       name, _new_isid);
1806 	}
1807 
1808 	return 0;
1809 }
1810 
1811 /* Check whether a task can create a file. */
1812 static int may_create(struct inode *dir,
1813 		      struct dentry *dentry,
1814 		      u16 tclass)
1815 {
1816 	const struct task_security_struct *tsec = current_security();
1817 	struct inode_security_struct *dsec;
1818 	struct superblock_security_struct *sbsec;
1819 	u32 sid, newsid;
1820 	struct common_audit_data ad;
1821 	int rc;
1822 
1823 	dsec = inode_security(dir);
1824 	sbsec = dir->i_sb->s_security;
1825 
1826 	sid = tsec->sid;
1827 
1828 	ad.type = LSM_AUDIT_DATA_DENTRY;
1829 	ad.u.dentry = dentry;
1830 
1831 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1832 			  DIR__ADD_NAME | DIR__SEARCH,
1833 			  &ad);
1834 	if (rc)
1835 		return rc;
1836 
1837 	rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1838 					   &newsid);
1839 	if (rc)
1840 		return rc;
1841 
1842 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1843 	if (rc)
1844 		return rc;
1845 
1846 	return avc_has_perm(newsid, sbsec->sid,
1847 			    SECCLASS_FILESYSTEM,
1848 			    FILESYSTEM__ASSOCIATE, &ad);
1849 }
1850 
1851 /* Check whether a task can create a key. */
1852 static int may_create_key(u32 ksid,
1853 			  struct task_struct *ctx)
1854 {
1855 	u32 sid = task_sid(ctx);
1856 
1857 	return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1858 }
1859 
1860 #define MAY_LINK	0
1861 #define MAY_UNLINK	1
1862 #define MAY_RMDIR	2
1863 
1864 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1865 static int may_link(struct inode *dir,
1866 		    struct dentry *dentry,
1867 		    int kind)
1868 
1869 {
1870 	struct inode_security_struct *dsec, *isec;
1871 	struct common_audit_data ad;
1872 	u32 sid = current_sid();
1873 	u32 av;
1874 	int rc;
1875 
1876 	dsec = inode_security(dir);
1877 	isec = backing_inode_security(dentry);
1878 
1879 	ad.type = LSM_AUDIT_DATA_DENTRY;
1880 	ad.u.dentry = dentry;
1881 
1882 	av = DIR__SEARCH;
1883 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1884 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1885 	if (rc)
1886 		return rc;
1887 
1888 	switch (kind) {
1889 	case MAY_LINK:
1890 		av = FILE__LINK;
1891 		break;
1892 	case MAY_UNLINK:
1893 		av = FILE__UNLINK;
1894 		break;
1895 	case MAY_RMDIR:
1896 		av = DIR__RMDIR;
1897 		break;
1898 	default:
1899 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1900 			__func__, kind);
1901 		return 0;
1902 	}
1903 
1904 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1905 	return rc;
1906 }
1907 
1908 static inline int may_rename(struct inode *old_dir,
1909 			     struct dentry *old_dentry,
1910 			     struct inode *new_dir,
1911 			     struct dentry *new_dentry)
1912 {
1913 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1914 	struct common_audit_data ad;
1915 	u32 sid = current_sid();
1916 	u32 av;
1917 	int old_is_dir, new_is_dir;
1918 	int rc;
1919 
1920 	old_dsec = inode_security(old_dir);
1921 	old_isec = backing_inode_security(old_dentry);
1922 	old_is_dir = d_is_dir(old_dentry);
1923 	new_dsec = inode_security(new_dir);
1924 
1925 	ad.type = LSM_AUDIT_DATA_DENTRY;
1926 
1927 	ad.u.dentry = old_dentry;
1928 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1929 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1930 	if (rc)
1931 		return rc;
1932 	rc = avc_has_perm(sid, old_isec->sid,
1933 			  old_isec->sclass, FILE__RENAME, &ad);
1934 	if (rc)
1935 		return rc;
1936 	if (old_is_dir && new_dir != old_dir) {
1937 		rc = avc_has_perm(sid, old_isec->sid,
1938 				  old_isec->sclass, DIR__REPARENT, &ad);
1939 		if (rc)
1940 			return rc;
1941 	}
1942 
1943 	ad.u.dentry = new_dentry;
1944 	av = DIR__ADD_NAME | DIR__SEARCH;
1945 	if (d_is_positive(new_dentry))
1946 		av |= DIR__REMOVE_NAME;
1947 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1948 	if (rc)
1949 		return rc;
1950 	if (d_is_positive(new_dentry)) {
1951 		new_isec = backing_inode_security(new_dentry);
1952 		new_is_dir = d_is_dir(new_dentry);
1953 		rc = avc_has_perm(sid, new_isec->sid,
1954 				  new_isec->sclass,
1955 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1956 		if (rc)
1957 			return rc;
1958 	}
1959 
1960 	return 0;
1961 }
1962 
1963 /* Check whether a task can perform a filesystem operation. */
1964 static int superblock_has_perm(const struct cred *cred,
1965 			       struct super_block *sb,
1966 			       u32 perms,
1967 			       struct common_audit_data *ad)
1968 {
1969 	struct superblock_security_struct *sbsec;
1970 	u32 sid = cred_sid(cred);
1971 
1972 	sbsec = sb->s_security;
1973 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1974 }
1975 
1976 /* Convert a Linux mode and permission mask to an access vector. */
1977 static inline u32 file_mask_to_av(int mode, int mask)
1978 {
1979 	u32 av = 0;
1980 
1981 	if (!S_ISDIR(mode)) {
1982 		if (mask & MAY_EXEC)
1983 			av |= FILE__EXECUTE;
1984 		if (mask & MAY_READ)
1985 			av |= FILE__READ;
1986 
1987 		if (mask & MAY_APPEND)
1988 			av |= FILE__APPEND;
1989 		else if (mask & MAY_WRITE)
1990 			av |= FILE__WRITE;
1991 
1992 	} else {
1993 		if (mask & MAY_EXEC)
1994 			av |= DIR__SEARCH;
1995 		if (mask & MAY_WRITE)
1996 			av |= DIR__WRITE;
1997 		if (mask & MAY_READ)
1998 			av |= DIR__READ;
1999 	}
2000 
2001 	return av;
2002 }
2003 
2004 /* Convert a Linux file to an access vector. */
2005 static inline u32 file_to_av(struct file *file)
2006 {
2007 	u32 av = 0;
2008 
2009 	if (file->f_mode & FMODE_READ)
2010 		av |= FILE__READ;
2011 	if (file->f_mode & FMODE_WRITE) {
2012 		if (file->f_flags & O_APPEND)
2013 			av |= FILE__APPEND;
2014 		else
2015 			av |= FILE__WRITE;
2016 	}
2017 	if (!av) {
2018 		/*
2019 		 * Special file opened with flags 3 for ioctl-only use.
2020 		 */
2021 		av = FILE__IOCTL;
2022 	}
2023 
2024 	return av;
2025 }
2026 
2027 /*
2028  * Convert a file to an access vector and include the correct open
2029  * open permission.
2030  */
2031 static inline u32 open_file_to_av(struct file *file)
2032 {
2033 	u32 av = file_to_av(file);
2034 
2035 	if (selinux_policycap_openperm)
2036 		av |= FILE__OPEN;
2037 
2038 	return av;
2039 }
2040 
2041 /* Hook functions begin here. */
2042 
2043 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2044 {
2045 	u32 mysid = current_sid();
2046 	u32 mgrsid = task_sid(mgr);
2047 
2048 	return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2049 			    BINDER__SET_CONTEXT_MGR, NULL);
2050 }
2051 
2052 static int selinux_binder_transaction(struct task_struct *from,
2053 				      struct task_struct *to)
2054 {
2055 	u32 mysid = current_sid();
2056 	u32 fromsid = task_sid(from);
2057 	u32 tosid = task_sid(to);
2058 	int rc;
2059 
2060 	if (mysid != fromsid) {
2061 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2062 				  BINDER__IMPERSONATE, NULL);
2063 		if (rc)
2064 			return rc;
2065 	}
2066 
2067 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2068 			    NULL);
2069 }
2070 
2071 static int selinux_binder_transfer_binder(struct task_struct *from,
2072 					  struct task_struct *to)
2073 {
2074 	u32 fromsid = task_sid(from);
2075 	u32 tosid = task_sid(to);
2076 
2077 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2078 			    NULL);
2079 }
2080 
2081 static int selinux_binder_transfer_file(struct task_struct *from,
2082 					struct task_struct *to,
2083 					struct file *file)
2084 {
2085 	u32 sid = task_sid(to);
2086 	struct file_security_struct *fsec = file->f_security;
2087 	struct dentry *dentry = file->f_path.dentry;
2088 	struct inode_security_struct *isec;
2089 	struct common_audit_data ad;
2090 	int rc;
2091 
2092 	ad.type = LSM_AUDIT_DATA_PATH;
2093 	ad.u.path = file->f_path;
2094 
2095 	if (sid != fsec->sid) {
2096 		rc = avc_has_perm(sid, fsec->sid,
2097 				  SECCLASS_FD,
2098 				  FD__USE,
2099 				  &ad);
2100 		if (rc)
2101 			return rc;
2102 	}
2103 
2104 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2105 		return 0;
2106 
2107 	isec = backing_inode_security(dentry);
2108 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2109 			    &ad);
2110 }
2111 
2112 static int selinux_ptrace_access_check(struct task_struct *child,
2113 				     unsigned int mode)
2114 {
2115 	if (mode & PTRACE_MODE_READ) {
2116 		u32 sid = current_sid();
2117 		u32 csid = task_sid(child);
2118 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2119 	}
2120 
2121 	return current_has_perm(child, PROCESS__PTRACE);
2122 }
2123 
2124 static int selinux_ptrace_traceme(struct task_struct *parent)
2125 {
2126 	return task_has_perm(parent, current, PROCESS__PTRACE);
2127 }
2128 
2129 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2130 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2131 {
2132 	return current_has_perm(target, PROCESS__GETCAP);
2133 }
2134 
2135 static int selinux_capset(struct cred *new, const struct cred *old,
2136 			  const kernel_cap_t *effective,
2137 			  const kernel_cap_t *inheritable,
2138 			  const kernel_cap_t *permitted)
2139 {
2140 	return cred_has_perm(old, new, PROCESS__SETCAP);
2141 }
2142 
2143 /*
2144  * (This comment used to live with the selinux_task_setuid hook,
2145  * which was removed).
2146  *
2147  * Since setuid only affects the current process, and since the SELinux
2148  * controls are not based on the Linux identity attributes, SELinux does not
2149  * need to control this operation.  However, SELinux does control the use of
2150  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2151  */
2152 
2153 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2154 			   int cap, int audit)
2155 {
2156 	return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2157 }
2158 
2159 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2160 {
2161 	const struct cred *cred = current_cred();
2162 	int rc = 0;
2163 
2164 	if (!sb)
2165 		return 0;
2166 
2167 	switch (cmds) {
2168 	case Q_SYNC:
2169 	case Q_QUOTAON:
2170 	case Q_QUOTAOFF:
2171 	case Q_SETINFO:
2172 	case Q_SETQUOTA:
2173 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2174 		break;
2175 	case Q_GETFMT:
2176 	case Q_GETINFO:
2177 	case Q_GETQUOTA:
2178 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2179 		break;
2180 	default:
2181 		rc = 0;  /* let the kernel handle invalid cmds */
2182 		break;
2183 	}
2184 	return rc;
2185 }
2186 
2187 static int selinux_quota_on(struct dentry *dentry)
2188 {
2189 	const struct cred *cred = current_cred();
2190 
2191 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2192 }
2193 
2194 static int selinux_syslog(int type)
2195 {
2196 	int rc;
2197 
2198 	switch (type) {
2199 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2200 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2201 		rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2202 		break;
2203 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2204 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2205 	/* Set level of messages printed to console */
2206 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2207 		rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2208 		break;
2209 	case SYSLOG_ACTION_CLOSE:	/* Close log */
2210 	case SYSLOG_ACTION_OPEN:	/* Open log */
2211 	case SYSLOG_ACTION_READ:	/* Read from log */
2212 	case SYSLOG_ACTION_READ_CLEAR:	/* Read/clear last kernel messages */
2213 	case SYSLOG_ACTION_CLEAR:	/* Clear ring buffer */
2214 	default:
2215 		rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2216 		break;
2217 	}
2218 	return rc;
2219 }
2220 
2221 /*
2222  * Check that a process has enough memory to allocate a new virtual
2223  * mapping. 0 means there is enough memory for the allocation to
2224  * succeed and -ENOMEM implies there is not.
2225  *
2226  * Do not audit the selinux permission check, as this is applied to all
2227  * processes that allocate mappings.
2228  */
2229 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2230 {
2231 	int rc, cap_sys_admin = 0;
2232 
2233 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2234 				 SECURITY_CAP_NOAUDIT, true);
2235 	if (rc == 0)
2236 		cap_sys_admin = 1;
2237 
2238 	return cap_sys_admin;
2239 }
2240 
2241 /* binprm security operations */
2242 
2243 static u32 ptrace_parent_sid(struct task_struct *task)
2244 {
2245 	u32 sid = 0;
2246 	struct task_struct *tracer;
2247 
2248 	rcu_read_lock();
2249 	tracer = ptrace_parent(task);
2250 	if (tracer)
2251 		sid = task_sid(tracer);
2252 	rcu_read_unlock();
2253 
2254 	return sid;
2255 }
2256 
2257 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2258 			    const struct task_security_struct *old_tsec,
2259 			    const struct task_security_struct *new_tsec)
2260 {
2261 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2262 	int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2263 	int rc;
2264 
2265 	if (!nnp && !nosuid)
2266 		return 0; /* neither NNP nor nosuid */
2267 
2268 	if (new_tsec->sid == old_tsec->sid)
2269 		return 0; /* No change in credentials */
2270 
2271 	/*
2272 	 * The only transitions we permit under NNP or nosuid
2273 	 * are transitions to bounded SIDs, i.e. SIDs that are
2274 	 * guaranteed to only be allowed a subset of the permissions
2275 	 * of the current SID.
2276 	 */
2277 	rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2278 	if (rc) {
2279 		/*
2280 		 * On failure, preserve the errno values for NNP vs nosuid.
2281 		 * NNP:  Operation not permitted for caller.
2282 		 * nosuid:  Permission denied to file.
2283 		 */
2284 		if (nnp)
2285 			return -EPERM;
2286 		else
2287 			return -EACCES;
2288 	}
2289 	return 0;
2290 }
2291 
2292 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2293 {
2294 	const struct task_security_struct *old_tsec;
2295 	struct task_security_struct *new_tsec;
2296 	struct inode_security_struct *isec;
2297 	struct common_audit_data ad;
2298 	struct inode *inode = file_inode(bprm->file);
2299 	int rc;
2300 
2301 	/* SELinux context only depends on initial program or script and not
2302 	 * the script interpreter */
2303 	if (bprm->cred_prepared)
2304 		return 0;
2305 
2306 	old_tsec = current_security();
2307 	new_tsec = bprm->cred->security;
2308 	isec = inode_security(inode);
2309 
2310 	/* Default to the current task SID. */
2311 	new_tsec->sid = old_tsec->sid;
2312 	new_tsec->osid = old_tsec->sid;
2313 
2314 	/* Reset fs, key, and sock SIDs on execve. */
2315 	new_tsec->create_sid = 0;
2316 	new_tsec->keycreate_sid = 0;
2317 	new_tsec->sockcreate_sid = 0;
2318 
2319 	if (old_tsec->exec_sid) {
2320 		new_tsec->sid = old_tsec->exec_sid;
2321 		/* Reset exec SID on execve. */
2322 		new_tsec->exec_sid = 0;
2323 
2324 		/* Fail on NNP or nosuid if not an allowed transition. */
2325 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2326 		if (rc)
2327 			return rc;
2328 	} else {
2329 		/* Check for a default transition on this program. */
2330 		rc = security_transition_sid(old_tsec->sid, isec->sid,
2331 					     SECCLASS_PROCESS, NULL,
2332 					     &new_tsec->sid);
2333 		if (rc)
2334 			return rc;
2335 
2336 		/*
2337 		 * Fallback to old SID on NNP or nosuid if not an allowed
2338 		 * transition.
2339 		 */
2340 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2341 		if (rc)
2342 			new_tsec->sid = old_tsec->sid;
2343 	}
2344 
2345 	ad.type = LSM_AUDIT_DATA_PATH;
2346 	ad.u.path = bprm->file->f_path;
2347 
2348 	if (new_tsec->sid == old_tsec->sid) {
2349 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2350 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2351 		if (rc)
2352 			return rc;
2353 	} else {
2354 		/* Check permissions for the transition. */
2355 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2356 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2357 		if (rc)
2358 			return rc;
2359 
2360 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2361 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2362 		if (rc)
2363 			return rc;
2364 
2365 		/* Check for shared state */
2366 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2367 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2368 					  SECCLASS_PROCESS, PROCESS__SHARE,
2369 					  NULL);
2370 			if (rc)
2371 				return -EPERM;
2372 		}
2373 
2374 		/* Make sure that anyone attempting to ptrace over a task that
2375 		 * changes its SID has the appropriate permit */
2376 		if (bprm->unsafe &
2377 		    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2378 			u32 ptsid = ptrace_parent_sid(current);
2379 			if (ptsid != 0) {
2380 				rc = avc_has_perm(ptsid, new_tsec->sid,
2381 						  SECCLASS_PROCESS,
2382 						  PROCESS__PTRACE, NULL);
2383 				if (rc)
2384 					return -EPERM;
2385 			}
2386 		}
2387 
2388 		/* Clear any possibly unsafe personality bits on exec: */
2389 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2390 	}
2391 
2392 	return 0;
2393 }
2394 
2395 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2396 {
2397 	const struct task_security_struct *tsec = current_security();
2398 	u32 sid, osid;
2399 	int atsecure = 0;
2400 
2401 	sid = tsec->sid;
2402 	osid = tsec->osid;
2403 
2404 	if (osid != sid) {
2405 		/* Enable secure mode for SIDs transitions unless
2406 		   the noatsecure permission is granted between
2407 		   the two SIDs, i.e. ahp returns 0. */
2408 		atsecure = avc_has_perm(osid, sid,
2409 					SECCLASS_PROCESS,
2410 					PROCESS__NOATSECURE, NULL);
2411 	}
2412 
2413 	return !!atsecure;
2414 }
2415 
2416 static int match_file(const void *p, struct file *file, unsigned fd)
2417 {
2418 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2419 }
2420 
2421 /* Derived from fs/exec.c:flush_old_files. */
2422 static inline void flush_unauthorized_files(const struct cred *cred,
2423 					    struct files_struct *files)
2424 {
2425 	struct file *file, *devnull = NULL;
2426 	struct tty_struct *tty;
2427 	int drop_tty = 0;
2428 	unsigned n;
2429 
2430 	tty = get_current_tty();
2431 	if (tty) {
2432 		spin_lock(&tty->files_lock);
2433 		if (!list_empty(&tty->tty_files)) {
2434 			struct tty_file_private *file_priv;
2435 
2436 			/* Revalidate access to controlling tty.
2437 			   Use file_path_has_perm on the tty path directly
2438 			   rather than using file_has_perm, as this particular
2439 			   open file may belong to another process and we are
2440 			   only interested in the inode-based check here. */
2441 			file_priv = list_first_entry(&tty->tty_files,
2442 						struct tty_file_private, list);
2443 			file = file_priv->file;
2444 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2445 				drop_tty = 1;
2446 		}
2447 		spin_unlock(&tty->files_lock);
2448 		tty_kref_put(tty);
2449 	}
2450 	/* Reset controlling tty. */
2451 	if (drop_tty)
2452 		no_tty();
2453 
2454 	/* Revalidate access to inherited open files. */
2455 	n = iterate_fd(files, 0, match_file, cred);
2456 	if (!n) /* none found? */
2457 		return;
2458 
2459 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2460 	if (IS_ERR(devnull))
2461 		devnull = NULL;
2462 	/* replace all the matching ones with this */
2463 	do {
2464 		replace_fd(n - 1, devnull, 0);
2465 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2466 	if (devnull)
2467 		fput(devnull);
2468 }
2469 
2470 /*
2471  * Prepare a process for imminent new credential changes due to exec
2472  */
2473 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2474 {
2475 	struct task_security_struct *new_tsec;
2476 	struct rlimit *rlim, *initrlim;
2477 	int rc, i;
2478 
2479 	new_tsec = bprm->cred->security;
2480 	if (new_tsec->sid == new_tsec->osid)
2481 		return;
2482 
2483 	/* Close files for which the new task SID is not authorized. */
2484 	flush_unauthorized_files(bprm->cred, current->files);
2485 
2486 	/* Always clear parent death signal on SID transitions. */
2487 	current->pdeath_signal = 0;
2488 
2489 	/* Check whether the new SID can inherit resource limits from the old
2490 	 * SID.  If not, reset all soft limits to the lower of the current
2491 	 * task's hard limit and the init task's soft limit.
2492 	 *
2493 	 * Note that the setting of hard limits (even to lower them) can be
2494 	 * controlled by the setrlimit check.  The inclusion of the init task's
2495 	 * soft limit into the computation is to avoid resetting soft limits
2496 	 * higher than the default soft limit for cases where the default is
2497 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2498 	 */
2499 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2500 			  PROCESS__RLIMITINH, NULL);
2501 	if (rc) {
2502 		/* protect against do_prlimit() */
2503 		task_lock(current);
2504 		for (i = 0; i < RLIM_NLIMITS; i++) {
2505 			rlim = current->signal->rlim + i;
2506 			initrlim = init_task.signal->rlim + i;
2507 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2508 		}
2509 		task_unlock(current);
2510 		update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2511 	}
2512 }
2513 
2514 /*
2515  * Clean up the process immediately after the installation of new credentials
2516  * due to exec
2517  */
2518 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2519 {
2520 	const struct task_security_struct *tsec = current_security();
2521 	struct itimerval itimer;
2522 	u32 osid, sid;
2523 	int rc, i;
2524 
2525 	osid = tsec->osid;
2526 	sid = tsec->sid;
2527 
2528 	if (sid == osid)
2529 		return;
2530 
2531 	/* Check whether the new SID can inherit signal state from the old SID.
2532 	 * If not, clear itimers to avoid subsequent signal generation and
2533 	 * flush and unblock signals.
2534 	 *
2535 	 * This must occur _after_ the task SID has been updated so that any
2536 	 * kill done after the flush will be checked against the new SID.
2537 	 */
2538 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2539 	if (rc) {
2540 		memset(&itimer, 0, sizeof itimer);
2541 		for (i = 0; i < 3; i++)
2542 			do_setitimer(i, &itimer, NULL);
2543 		spin_lock_irq(&current->sighand->siglock);
2544 		if (!fatal_signal_pending(current)) {
2545 			flush_sigqueue(&current->pending);
2546 			flush_sigqueue(&current->signal->shared_pending);
2547 			flush_signal_handlers(current, 1);
2548 			sigemptyset(&current->blocked);
2549 			recalc_sigpending();
2550 		}
2551 		spin_unlock_irq(&current->sighand->siglock);
2552 	}
2553 
2554 	/* Wake up the parent if it is waiting so that it can recheck
2555 	 * wait permission to the new task SID. */
2556 	read_lock(&tasklist_lock);
2557 	__wake_up_parent(current, current->real_parent);
2558 	read_unlock(&tasklist_lock);
2559 }
2560 
2561 /* superblock security operations */
2562 
2563 static int selinux_sb_alloc_security(struct super_block *sb)
2564 {
2565 	return superblock_alloc_security(sb);
2566 }
2567 
2568 static void selinux_sb_free_security(struct super_block *sb)
2569 {
2570 	superblock_free_security(sb);
2571 }
2572 
2573 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2574 {
2575 	if (plen > olen)
2576 		return 0;
2577 
2578 	return !memcmp(prefix, option, plen);
2579 }
2580 
2581 static inline int selinux_option(char *option, int len)
2582 {
2583 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2584 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2585 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2586 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2587 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2588 }
2589 
2590 static inline void take_option(char **to, char *from, int *first, int len)
2591 {
2592 	if (!*first) {
2593 		**to = ',';
2594 		*to += 1;
2595 	} else
2596 		*first = 0;
2597 	memcpy(*to, from, len);
2598 	*to += len;
2599 }
2600 
2601 static inline void take_selinux_option(char **to, char *from, int *first,
2602 				       int len)
2603 {
2604 	int current_size = 0;
2605 
2606 	if (!*first) {
2607 		**to = '|';
2608 		*to += 1;
2609 	} else
2610 		*first = 0;
2611 
2612 	while (current_size < len) {
2613 		if (*from != '"') {
2614 			**to = *from;
2615 			*to += 1;
2616 		}
2617 		from += 1;
2618 		current_size += 1;
2619 	}
2620 }
2621 
2622 static int selinux_sb_copy_data(char *orig, char *copy)
2623 {
2624 	int fnosec, fsec, rc = 0;
2625 	char *in_save, *in_curr, *in_end;
2626 	char *sec_curr, *nosec_save, *nosec;
2627 	int open_quote = 0;
2628 
2629 	in_curr = orig;
2630 	sec_curr = copy;
2631 
2632 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2633 	if (!nosec) {
2634 		rc = -ENOMEM;
2635 		goto out;
2636 	}
2637 
2638 	nosec_save = nosec;
2639 	fnosec = fsec = 1;
2640 	in_save = in_end = orig;
2641 
2642 	do {
2643 		if (*in_end == '"')
2644 			open_quote = !open_quote;
2645 		if ((*in_end == ',' && open_quote == 0) ||
2646 				*in_end == '\0') {
2647 			int len = in_end - in_curr;
2648 
2649 			if (selinux_option(in_curr, len))
2650 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2651 			else
2652 				take_option(&nosec, in_curr, &fnosec, len);
2653 
2654 			in_curr = in_end + 1;
2655 		}
2656 	} while (*in_end++);
2657 
2658 	strcpy(in_save, nosec_save);
2659 	free_page((unsigned long)nosec_save);
2660 out:
2661 	return rc;
2662 }
2663 
2664 static int selinux_sb_remount(struct super_block *sb, void *data)
2665 {
2666 	int rc, i, *flags;
2667 	struct security_mnt_opts opts;
2668 	char *secdata, **mount_options;
2669 	struct superblock_security_struct *sbsec = sb->s_security;
2670 
2671 	if (!(sbsec->flags & SE_SBINITIALIZED))
2672 		return 0;
2673 
2674 	if (!data)
2675 		return 0;
2676 
2677 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2678 		return 0;
2679 
2680 	security_init_mnt_opts(&opts);
2681 	secdata = alloc_secdata();
2682 	if (!secdata)
2683 		return -ENOMEM;
2684 	rc = selinux_sb_copy_data(data, secdata);
2685 	if (rc)
2686 		goto out_free_secdata;
2687 
2688 	rc = selinux_parse_opts_str(secdata, &opts);
2689 	if (rc)
2690 		goto out_free_secdata;
2691 
2692 	mount_options = opts.mnt_opts;
2693 	flags = opts.mnt_opts_flags;
2694 
2695 	for (i = 0; i < opts.num_mnt_opts; i++) {
2696 		u32 sid;
2697 
2698 		if (flags[i] == SBLABEL_MNT)
2699 			continue;
2700 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2701 		if (rc) {
2702 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2703 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2704 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2705 			goto out_free_opts;
2706 		}
2707 		rc = -EINVAL;
2708 		switch (flags[i]) {
2709 		case FSCONTEXT_MNT:
2710 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2711 				goto out_bad_option;
2712 			break;
2713 		case CONTEXT_MNT:
2714 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2715 				goto out_bad_option;
2716 			break;
2717 		case ROOTCONTEXT_MNT: {
2718 			struct inode_security_struct *root_isec;
2719 			root_isec = backing_inode_security(sb->s_root);
2720 
2721 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2722 				goto out_bad_option;
2723 			break;
2724 		}
2725 		case DEFCONTEXT_MNT:
2726 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2727 				goto out_bad_option;
2728 			break;
2729 		default:
2730 			goto out_free_opts;
2731 		}
2732 	}
2733 
2734 	rc = 0;
2735 out_free_opts:
2736 	security_free_mnt_opts(&opts);
2737 out_free_secdata:
2738 	free_secdata(secdata);
2739 	return rc;
2740 out_bad_option:
2741 	printk(KERN_WARNING "SELinux: unable to change security options "
2742 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2743 	       sb->s_type->name);
2744 	goto out_free_opts;
2745 }
2746 
2747 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2748 {
2749 	const struct cred *cred = current_cred();
2750 	struct common_audit_data ad;
2751 	int rc;
2752 
2753 	rc = superblock_doinit(sb, data);
2754 	if (rc)
2755 		return rc;
2756 
2757 	/* Allow all mounts performed by the kernel */
2758 	if (flags & MS_KERNMOUNT)
2759 		return 0;
2760 
2761 	ad.type = LSM_AUDIT_DATA_DENTRY;
2762 	ad.u.dentry = sb->s_root;
2763 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2764 }
2765 
2766 static int selinux_sb_statfs(struct dentry *dentry)
2767 {
2768 	const struct cred *cred = current_cred();
2769 	struct common_audit_data ad;
2770 
2771 	ad.type = LSM_AUDIT_DATA_DENTRY;
2772 	ad.u.dentry = dentry->d_sb->s_root;
2773 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2774 }
2775 
2776 static int selinux_mount(const char *dev_name,
2777 			 const struct path *path,
2778 			 const char *type,
2779 			 unsigned long flags,
2780 			 void *data)
2781 {
2782 	const struct cred *cred = current_cred();
2783 
2784 	if (flags & MS_REMOUNT)
2785 		return superblock_has_perm(cred, path->dentry->d_sb,
2786 					   FILESYSTEM__REMOUNT, NULL);
2787 	else
2788 		return path_has_perm(cred, path, FILE__MOUNTON);
2789 }
2790 
2791 static int selinux_umount(struct vfsmount *mnt, int flags)
2792 {
2793 	const struct cred *cred = current_cred();
2794 
2795 	return superblock_has_perm(cred, mnt->mnt_sb,
2796 				   FILESYSTEM__UNMOUNT, NULL);
2797 }
2798 
2799 /* inode security operations */
2800 
2801 static int selinux_inode_alloc_security(struct inode *inode)
2802 {
2803 	return inode_alloc_security(inode);
2804 }
2805 
2806 static void selinux_inode_free_security(struct inode *inode)
2807 {
2808 	inode_free_security(inode);
2809 }
2810 
2811 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2812 					struct qstr *name, void **ctx,
2813 					u32 *ctxlen)
2814 {
2815 	u32 newsid;
2816 	int rc;
2817 
2818 	rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2819 					   inode_mode_to_security_class(mode),
2820 					   &newsid);
2821 	if (rc)
2822 		return rc;
2823 
2824 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2825 }
2826 
2827 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2828 				       const struct qstr *qstr,
2829 				       const char **name,
2830 				       void **value, size_t *len)
2831 {
2832 	const struct task_security_struct *tsec = current_security();
2833 	struct superblock_security_struct *sbsec;
2834 	u32 sid, newsid, clen;
2835 	int rc;
2836 	char *context;
2837 
2838 	sbsec = dir->i_sb->s_security;
2839 
2840 	sid = tsec->sid;
2841 	newsid = tsec->create_sid;
2842 
2843 	rc = selinux_determine_inode_label(
2844 		dir, qstr,
2845 		inode_mode_to_security_class(inode->i_mode),
2846 		&newsid);
2847 	if (rc)
2848 		return rc;
2849 
2850 	/* Possibly defer initialization to selinux_complete_init. */
2851 	if (sbsec->flags & SE_SBINITIALIZED) {
2852 		struct inode_security_struct *isec = inode->i_security;
2853 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2854 		isec->sid = newsid;
2855 		isec->initialized = LABEL_INITIALIZED;
2856 	}
2857 
2858 	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2859 		return -EOPNOTSUPP;
2860 
2861 	if (name)
2862 		*name = XATTR_SELINUX_SUFFIX;
2863 
2864 	if (value && len) {
2865 		rc = security_sid_to_context_force(newsid, &context, &clen);
2866 		if (rc)
2867 			return rc;
2868 		*value = context;
2869 		*len = clen;
2870 	}
2871 
2872 	return 0;
2873 }
2874 
2875 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2876 {
2877 	return may_create(dir, dentry, SECCLASS_FILE);
2878 }
2879 
2880 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2881 {
2882 	return may_link(dir, old_dentry, MAY_LINK);
2883 }
2884 
2885 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2886 {
2887 	return may_link(dir, dentry, MAY_UNLINK);
2888 }
2889 
2890 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2891 {
2892 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2893 }
2894 
2895 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2896 {
2897 	return may_create(dir, dentry, SECCLASS_DIR);
2898 }
2899 
2900 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2901 {
2902 	return may_link(dir, dentry, MAY_RMDIR);
2903 }
2904 
2905 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2906 {
2907 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2908 }
2909 
2910 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2911 				struct inode *new_inode, struct dentry *new_dentry)
2912 {
2913 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2914 }
2915 
2916 static int selinux_inode_readlink(struct dentry *dentry)
2917 {
2918 	const struct cred *cred = current_cred();
2919 
2920 	return dentry_has_perm(cred, dentry, FILE__READ);
2921 }
2922 
2923 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2924 				     bool rcu)
2925 {
2926 	const struct cred *cred = current_cred();
2927 	struct common_audit_data ad;
2928 	struct inode_security_struct *isec;
2929 	u32 sid;
2930 
2931 	validate_creds(cred);
2932 
2933 	ad.type = LSM_AUDIT_DATA_DENTRY;
2934 	ad.u.dentry = dentry;
2935 	sid = cred_sid(cred);
2936 	isec = inode_security_rcu(inode, rcu);
2937 	if (IS_ERR(isec))
2938 		return PTR_ERR(isec);
2939 
2940 	return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2941 				  rcu ? MAY_NOT_BLOCK : 0);
2942 }
2943 
2944 static noinline int audit_inode_permission(struct inode *inode,
2945 					   u32 perms, u32 audited, u32 denied,
2946 					   int result,
2947 					   unsigned flags)
2948 {
2949 	struct common_audit_data ad;
2950 	struct inode_security_struct *isec = inode->i_security;
2951 	int rc;
2952 
2953 	ad.type = LSM_AUDIT_DATA_INODE;
2954 	ad.u.inode = inode;
2955 
2956 	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2957 			    audited, denied, result, &ad, flags);
2958 	if (rc)
2959 		return rc;
2960 	return 0;
2961 }
2962 
2963 static int selinux_inode_permission(struct inode *inode, int mask)
2964 {
2965 	const struct cred *cred = current_cred();
2966 	u32 perms;
2967 	bool from_access;
2968 	unsigned flags = mask & MAY_NOT_BLOCK;
2969 	struct inode_security_struct *isec;
2970 	u32 sid;
2971 	struct av_decision avd;
2972 	int rc, rc2;
2973 	u32 audited, denied;
2974 
2975 	from_access = mask & MAY_ACCESS;
2976 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2977 
2978 	/* No permission to check.  Existence test. */
2979 	if (!mask)
2980 		return 0;
2981 
2982 	validate_creds(cred);
2983 
2984 	if (unlikely(IS_PRIVATE(inode)))
2985 		return 0;
2986 
2987 	perms = file_mask_to_av(inode->i_mode, mask);
2988 
2989 	sid = cred_sid(cred);
2990 	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2991 	if (IS_ERR(isec))
2992 		return PTR_ERR(isec);
2993 
2994 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2995 	audited = avc_audit_required(perms, &avd, rc,
2996 				     from_access ? FILE__AUDIT_ACCESS : 0,
2997 				     &denied);
2998 	if (likely(!audited))
2999 		return rc;
3000 
3001 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3002 	if (rc2)
3003 		return rc2;
3004 	return rc;
3005 }
3006 
3007 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3008 {
3009 	const struct cred *cred = current_cred();
3010 	unsigned int ia_valid = iattr->ia_valid;
3011 	__u32 av = FILE__WRITE;
3012 
3013 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3014 	if (ia_valid & ATTR_FORCE) {
3015 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3016 			      ATTR_FORCE);
3017 		if (!ia_valid)
3018 			return 0;
3019 	}
3020 
3021 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3022 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3023 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3024 
3025 	if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3026 			&& !(ia_valid & ATTR_FILE))
3027 		av |= FILE__OPEN;
3028 
3029 	return dentry_has_perm(cred, dentry, av);
3030 }
3031 
3032 static int selinux_inode_getattr(const struct path *path)
3033 {
3034 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3035 }
3036 
3037 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3038 {
3039 	const struct cred *cred = current_cred();
3040 
3041 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
3042 		     sizeof XATTR_SECURITY_PREFIX - 1)) {
3043 		if (!strcmp(name, XATTR_NAME_CAPS)) {
3044 			if (!capable(CAP_SETFCAP))
3045 				return -EPERM;
3046 		} else if (!capable(CAP_SYS_ADMIN)) {
3047 			/* A different attribute in the security namespace.
3048 			   Restrict to administrator. */
3049 			return -EPERM;
3050 		}
3051 	}
3052 
3053 	/* Not an attribute we recognize, so just check the
3054 	   ordinary setattr permission. */
3055 	return dentry_has_perm(cred, dentry, FILE__SETATTR);
3056 }
3057 
3058 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3059 				  const void *value, size_t size, int flags)
3060 {
3061 	struct inode *inode = d_backing_inode(dentry);
3062 	struct inode_security_struct *isec;
3063 	struct superblock_security_struct *sbsec;
3064 	struct common_audit_data ad;
3065 	u32 newsid, sid = current_sid();
3066 	int rc = 0;
3067 
3068 	if (strcmp(name, XATTR_NAME_SELINUX))
3069 		return selinux_inode_setotherxattr(dentry, name);
3070 
3071 	sbsec = inode->i_sb->s_security;
3072 	if (!(sbsec->flags & SBLABEL_MNT))
3073 		return -EOPNOTSUPP;
3074 
3075 	if (!inode_owner_or_capable(inode))
3076 		return -EPERM;
3077 
3078 	ad.type = LSM_AUDIT_DATA_DENTRY;
3079 	ad.u.dentry = dentry;
3080 
3081 	isec = backing_inode_security(dentry);
3082 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3083 			  FILE__RELABELFROM, &ad);
3084 	if (rc)
3085 		return rc;
3086 
3087 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3088 	if (rc == -EINVAL) {
3089 		if (!capable(CAP_MAC_ADMIN)) {
3090 			struct audit_buffer *ab;
3091 			size_t audit_size;
3092 			const char *str;
3093 
3094 			/* We strip a nul only if it is at the end, otherwise the
3095 			 * context contains a nul and we should audit that */
3096 			if (value) {
3097 				str = value;
3098 				if (str[size - 1] == '\0')
3099 					audit_size = size - 1;
3100 				else
3101 					audit_size = size;
3102 			} else {
3103 				str = "";
3104 				audit_size = 0;
3105 			}
3106 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3107 			audit_log_format(ab, "op=setxattr invalid_context=");
3108 			audit_log_n_untrustedstring(ab, value, audit_size);
3109 			audit_log_end(ab);
3110 
3111 			return rc;
3112 		}
3113 		rc = security_context_to_sid_force(value, size, &newsid);
3114 	}
3115 	if (rc)
3116 		return rc;
3117 
3118 	rc = avc_has_perm(sid, newsid, isec->sclass,
3119 			  FILE__RELABELTO, &ad);
3120 	if (rc)
3121 		return rc;
3122 
3123 	rc = security_validate_transition(isec->sid, newsid, sid,
3124 					  isec->sclass);
3125 	if (rc)
3126 		return rc;
3127 
3128 	return avc_has_perm(newsid,
3129 			    sbsec->sid,
3130 			    SECCLASS_FILESYSTEM,
3131 			    FILESYSTEM__ASSOCIATE,
3132 			    &ad);
3133 }
3134 
3135 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3136 					const void *value, size_t size,
3137 					int flags)
3138 {
3139 	struct inode *inode = d_backing_inode(dentry);
3140 	struct inode_security_struct *isec;
3141 	u32 newsid;
3142 	int rc;
3143 
3144 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3145 		/* Not an attribute we recognize, so nothing to do. */
3146 		return;
3147 	}
3148 
3149 	rc = security_context_to_sid_force(value, size, &newsid);
3150 	if (rc) {
3151 		printk(KERN_ERR "SELinux:  unable to map context to SID"
3152 		       "for (%s, %lu), rc=%d\n",
3153 		       inode->i_sb->s_id, inode->i_ino, -rc);
3154 		return;
3155 	}
3156 
3157 	isec = backing_inode_security(dentry);
3158 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3159 	isec->sid = newsid;
3160 	isec->initialized = LABEL_INITIALIZED;
3161 
3162 	return;
3163 }
3164 
3165 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3166 {
3167 	const struct cred *cred = current_cred();
3168 
3169 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3170 }
3171 
3172 static int selinux_inode_listxattr(struct dentry *dentry)
3173 {
3174 	const struct cred *cred = current_cred();
3175 
3176 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3177 }
3178 
3179 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3180 {
3181 	if (strcmp(name, XATTR_NAME_SELINUX))
3182 		return selinux_inode_setotherxattr(dentry, name);
3183 
3184 	/* No one is allowed to remove a SELinux security label.
3185 	   You can change the label, but all data must be labeled. */
3186 	return -EACCES;
3187 }
3188 
3189 /*
3190  * Copy the inode security context value to the user.
3191  *
3192  * Permission check is handled by selinux_inode_getxattr hook.
3193  */
3194 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3195 {
3196 	u32 size;
3197 	int error;
3198 	char *context = NULL;
3199 	struct inode_security_struct *isec;
3200 
3201 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3202 		return -EOPNOTSUPP;
3203 
3204 	/*
3205 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3206 	 * value even if it is not defined by current policy; otherwise,
3207 	 * use the in-core value under current policy.
3208 	 * Use the non-auditing forms of the permission checks since
3209 	 * getxattr may be called by unprivileged processes commonly
3210 	 * and lack of permission just means that we fall back to the
3211 	 * in-core context value, not a denial.
3212 	 */
3213 	error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3214 			    SECURITY_CAP_NOAUDIT);
3215 	if (!error)
3216 		error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3217 					    SECURITY_CAP_NOAUDIT, true);
3218 	isec = inode_security(inode);
3219 	if (!error)
3220 		error = security_sid_to_context_force(isec->sid, &context,
3221 						      &size);
3222 	else
3223 		error = security_sid_to_context(isec->sid, &context, &size);
3224 	if (error)
3225 		return error;
3226 	error = size;
3227 	if (alloc) {
3228 		*buffer = context;
3229 		goto out_nofree;
3230 	}
3231 	kfree(context);
3232 out_nofree:
3233 	return error;
3234 }
3235 
3236 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3237 				     const void *value, size_t size, int flags)
3238 {
3239 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3240 	u32 newsid;
3241 	int rc;
3242 
3243 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3244 		return -EOPNOTSUPP;
3245 
3246 	if (!value || !size)
3247 		return -EACCES;
3248 
3249 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3250 	if (rc)
3251 		return rc;
3252 
3253 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3254 	isec->sid = newsid;
3255 	isec->initialized = LABEL_INITIALIZED;
3256 	return 0;
3257 }
3258 
3259 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3260 {
3261 	const int len = sizeof(XATTR_NAME_SELINUX);
3262 	if (buffer && len <= buffer_size)
3263 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3264 	return len;
3265 }
3266 
3267 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3268 {
3269 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3270 	*secid = isec->sid;
3271 }
3272 
3273 /* file security operations */
3274 
3275 static int selinux_revalidate_file_permission(struct file *file, int mask)
3276 {
3277 	const struct cred *cred = current_cred();
3278 	struct inode *inode = file_inode(file);
3279 
3280 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3281 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3282 		mask |= MAY_APPEND;
3283 
3284 	return file_has_perm(cred, file,
3285 			     file_mask_to_av(inode->i_mode, mask));
3286 }
3287 
3288 static int selinux_file_permission(struct file *file, int mask)
3289 {
3290 	struct inode *inode = file_inode(file);
3291 	struct file_security_struct *fsec = file->f_security;
3292 	struct inode_security_struct *isec;
3293 	u32 sid = current_sid();
3294 
3295 	if (!mask)
3296 		/* No permission to check.  Existence test. */
3297 		return 0;
3298 
3299 	isec = inode_security(inode);
3300 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3301 	    fsec->pseqno == avc_policy_seqno())
3302 		/* No change since file_open check. */
3303 		return 0;
3304 
3305 	return selinux_revalidate_file_permission(file, mask);
3306 }
3307 
3308 static int selinux_file_alloc_security(struct file *file)
3309 {
3310 	return file_alloc_security(file);
3311 }
3312 
3313 static void selinux_file_free_security(struct file *file)
3314 {
3315 	file_free_security(file);
3316 }
3317 
3318 /*
3319  * Check whether a task has the ioctl permission and cmd
3320  * operation to an inode.
3321  */
3322 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3323 		u32 requested, u16 cmd)
3324 {
3325 	struct common_audit_data ad;
3326 	struct file_security_struct *fsec = file->f_security;
3327 	struct inode *inode = file_inode(file);
3328 	struct inode_security_struct *isec;
3329 	struct lsm_ioctlop_audit ioctl;
3330 	u32 ssid = cred_sid(cred);
3331 	int rc;
3332 	u8 driver = cmd >> 8;
3333 	u8 xperm = cmd & 0xff;
3334 
3335 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3336 	ad.u.op = &ioctl;
3337 	ad.u.op->cmd = cmd;
3338 	ad.u.op->path = file->f_path;
3339 
3340 	if (ssid != fsec->sid) {
3341 		rc = avc_has_perm(ssid, fsec->sid,
3342 				SECCLASS_FD,
3343 				FD__USE,
3344 				&ad);
3345 		if (rc)
3346 			goto out;
3347 	}
3348 
3349 	if (unlikely(IS_PRIVATE(inode)))
3350 		return 0;
3351 
3352 	isec = inode_security(inode);
3353 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3354 			requested, driver, xperm, &ad);
3355 out:
3356 	return rc;
3357 }
3358 
3359 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3360 			      unsigned long arg)
3361 {
3362 	const struct cred *cred = current_cred();
3363 	int error = 0;
3364 
3365 	switch (cmd) {
3366 	case FIONREAD:
3367 	/* fall through */
3368 	case FIBMAP:
3369 	/* fall through */
3370 	case FIGETBSZ:
3371 	/* fall through */
3372 	case FS_IOC_GETFLAGS:
3373 	/* fall through */
3374 	case FS_IOC_GETVERSION:
3375 		error = file_has_perm(cred, file, FILE__GETATTR);
3376 		break;
3377 
3378 	case FS_IOC_SETFLAGS:
3379 	/* fall through */
3380 	case FS_IOC_SETVERSION:
3381 		error = file_has_perm(cred, file, FILE__SETATTR);
3382 		break;
3383 
3384 	/* sys_ioctl() checks */
3385 	case FIONBIO:
3386 	/* fall through */
3387 	case FIOASYNC:
3388 		error = file_has_perm(cred, file, 0);
3389 		break;
3390 
3391 	case KDSKBENT:
3392 	case KDSKBSENT:
3393 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3394 					    SECURITY_CAP_AUDIT, true);
3395 		break;
3396 
3397 	/* default case assumes that the command will go
3398 	 * to the file's ioctl() function.
3399 	 */
3400 	default:
3401 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3402 	}
3403 	return error;
3404 }
3405 
3406 static int default_noexec;
3407 
3408 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3409 {
3410 	const struct cred *cred = current_cred();
3411 	int rc = 0;
3412 
3413 	if (default_noexec &&
3414 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3415 				   (!shared && (prot & PROT_WRITE)))) {
3416 		/*
3417 		 * We are making executable an anonymous mapping or a
3418 		 * private file mapping that will also be writable.
3419 		 * This has an additional check.
3420 		 */
3421 		rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3422 		if (rc)
3423 			goto error;
3424 	}
3425 
3426 	if (file) {
3427 		/* read access is always possible with a mapping */
3428 		u32 av = FILE__READ;
3429 
3430 		/* write access only matters if the mapping is shared */
3431 		if (shared && (prot & PROT_WRITE))
3432 			av |= FILE__WRITE;
3433 
3434 		if (prot & PROT_EXEC)
3435 			av |= FILE__EXECUTE;
3436 
3437 		return file_has_perm(cred, file, av);
3438 	}
3439 
3440 error:
3441 	return rc;
3442 }
3443 
3444 static int selinux_mmap_addr(unsigned long addr)
3445 {
3446 	int rc = 0;
3447 
3448 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3449 		u32 sid = current_sid();
3450 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3451 				  MEMPROTECT__MMAP_ZERO, NULL);
3452 	}
3453 
3454 	return rc;
3455 }
3456 
3457 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3458 			     unsigned long prot, unsigned long flags)
3459 {
3460 	if (selinux_checkreqprot)
3461 		prot = reqprot;
3462 
3463 	return file_map_prot_check(file, prot,
3464 				   (flags & MAP_TYPE) == MAP_SHARED);
3465 }
3466 
3467 static int selinux_file_mprotect(struct vm_area_struct *vma,
3468 				 unsigned long reqprot,
3469 				 unsigned long prot)
3470 {
3471 	const struct cred *cred = current_cred();
3472 
3473 	if (selinux_checkreqprot)
3474 		prot = reqprot;
3475 
3476 	if (default_noexec &&
3477 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3478 		int rc = 0;
3479 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3480 		    vma->vm_end <= vma->vm_mm->brk) {
3481 			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3482 		} else if (!vma->vm_file &&
3483 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3484 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3485 			    vma_is_stack_for_task(vma, current))) {
3486 			rc = current_has_perm(current, PROCESS__EXECSTACK);
3487 		} else if (vma->vm_file && vma->anon_vma) {
3488 			/*
3489 			 * We are making executable a file mapping that has
3490 			 * had some COW done. Since pages might have been
3491 			 * written, check ability to execute the possibly
3492 			 * modified content.  This typically should only
3493 			 * occur for text relocations.
3494 			 */
3495 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3496 		}
3497 		if (rc)
3498 			return rc;
3499 	}
3500 
3501 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3502 }
3503 
3504 static int selinux_file_lock(struct file *file, unsigned int cmd)
3505 {
3506 	const struct cred *cred = current_cred();
3507 
3508 	return file_has_perm(cred, file, FILE__LOCK);
3509 }
3510 
3511 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3512 			      unsigned long arg)
3513 {
3514 	const struct cred *cred = current_cred();
3515 	int err = 0;
3516 
3517 	switch (cmd) {
3518 	case F_SETFL:
3519 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3520 			err = file_has_perm(cred, file, FILE__WRITE);
3521 			break;
3522 		}
3523 		/* fall through */
3524 	case F_SETOWN:
3525 	case F_SETSIG:
3526 	case F_GETFL:
3527 	case F_GETOWN:
3528 	case F_GETSIG:
3529 	case F_GETOWNER_UIDS:
3530 		/* Just check FD__USE permission */
3531 		err = file_has_perm(cred, file, 0);
3532 		break;
3533 	case F_GETLK:
3534 	case F_SETLK:
3535 	case F_SETLKW:
3536 	case F_OFD_GETLK:
3537 	case F_OFD_SETLK:
3538 	case F_OFD_SETLKW:
3539 #if BITS_PER_LONG == 32
3540 	case F_GETLK64:
3541 	case F_SETLK64:
3542 	case F_SETLKW64:
3543 #endif
3544 		err = file_has_perm(cred, file, FILE__LOCK);
3545 		break;
3546 	}
3547 
3548 	return err;
3549 }
3550 
3551 static void selinux_file_set_fowner(struct file *file)
3552 {
3553 	struct file_security_struct *fsec;
3554 
3555 	fsec = file->f_security;
3556 	fsec->fown_sid = current_sid();
3557 }
3558 
3559 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3560 				       struct fown_struct *fown, int signum)
3561 {
3562 	struct file *file;
3563 	u32 sid = task_sid(tsk);
3564 	u32 perm;
3565 	struct file_security_struct *fsec;
3566 
3567 	/* struct fown_struct is never outside the context of a struct file */
3568 	file = container_of(fown, struct file, f_owner);
3569 
3570 	fsec = file->f_security;
3571 
3572 	if (!signum)
3573 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3574 	else
3575 		perm = signal_to_av(signum);
3576 
3577 	return avc_has_perm(fsec->fown_sid, sid,
3578 			    SECCLASS_PROCESS, perm, NULL);
3579 }
3580 
3581 static int selinux_file_receive(struct file *file)
3582 {
3583 	const struct cred *cred = current_cred();
3584 
3585 	return file_has_perm(cred, file, file_to_av(file));
3586 }
3587 
3588 static int selinux_file_open(struct file *file, const struct cred *cred)
3589 {
3590 	struct file_security_struct *fsec;
3591 	struct inode_security_struct *isec;
3592 
3593 	fsec = file->f_security;
3594 	isec = inode_security(file_inode(file));
3595 	/*
3596 	 * Save inode label and policy sequence number
3597 	 * at open-time so that selinux_file_permission
3598 	 * can determine whether revalidation is necessary.
3599 	 * Task label is already saved in the file security
3600 	 * struct as its SID.
3601 	 */
3602 	fsec->isid = isec->sid;
3603 	fsec->pseqno = avc_policy_seqno();
3604 	/*
3605 	 * Since the inode label or policy seqno may have changed
3606 	 * between the selinux_inode_permission check and the saving
3607 	 * of state above, recheck that access is still permitted.
3608 	 * Otherwise, access might never be revalidated against the
3609 	 * new inode label or new policy.
3610 	 * This check is not redundant - do not remove.
3611 	 */
3612 	return file_path_has_perm(cred, file, open_file_to_av(file));
3613 }
3614 
3615 /* task security operations */
3616 
3617 static int selinux_task_create(unsigned long clone_flags)
3618 {
3619 	return current_has_perm(current, PROCESS__FORK);
3620 }
3621 
3622 /*
3623  * allocate the SELinux part of blank credentials
3624  */
3625 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3626 {
3627 	struct task_security_struct *tsec;
3628 
3629 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3630 	if (!tsec)
3631 		return -ENOMEM;
3632 
3633 	cred->security = tsec;
3634 	return 0;
3635 }
3636 
3637 /*
3638  * detach and free the LSM part of a set of credentials
3639  */
3640 static void selinux_cred_free(struct cred *cred)
3641 {
3642 	struct task_security_struct *tsec = cred->security;
3643 
3644 	/*
3645 	 * cred->security == NULL if security_cred_alloc_blank() or
3646 	 * security_prepare_creds() returned an error.
3647 	 */
3648 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3649 	cred->security = (void *) 0x7UL;
3650 	kfree(tsec);
3651 }
3652 
3653 /*
3654  * prepare a new set of credentials for modification
3655  */
3656 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3657 				gfp_t gfp)
3658 {
3659 	const struct task_security_struct *old_tsec;
3660 	struct task_security_struct *tsec;
3661 
3662 	old_tsec = old->security;
3663 
3664 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3665 	if (!tsec)
3666 		return -ENOMEM;
3667 
3668 	new->security = tsec;
3669 	return 0;
3670 }
3671 
3672 /*
3673  * transfer the SELinux data to a blank set of creds
3674  */
3675 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3676 {
3677 	const struct task_security_struct *old_tsec = old->security;
3678 	struct task_security_struct *tsec = new->security;
3679 
3680 	*tsec = *old_tsec;
3681 }
3682 
3683 /*
3684  * set the security data for a kernel service
3685  * - all the creation contexts are set to unlabelled
3686  */
3687 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3688 {
3689 	struct task_security_struct *tsec = new->security;
3690 	u32 sid = current_sid();
3691 	int ret;
3692 
3693 	ret = avc_has_perm(sid, secid,
3694 			   SECCLASS_KERNEL_SERVICE,
3695 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3696 			   NULL);
3697 	if (ret == 0) {
3698 		tsec->sid = secid;
3699 		tsec->create_sid = 0;
3700 		tsec->keycreate_sid = 0;
3701 		tsec->sockcreate_sid = 0;
3702 	}
3703 	return ret;
3704 }
3705 
3706 /*
3707  * set the file creation context in a security record to the same as the
3708  * objective context of the specified inode
3709  */
3710 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3711 {
3712 	struct inode_security_struct *isec = inode_security(inode);
3713 	struct task_security_struct *tsec = new->security;
3714 	u32 sid = current_sid();
3715 	int ret;
3716 
3717 	ret = avc_has_perm(sid, isec->sid,
3718 			   SECCLASS_KERNEL_SERVICE,
3719 			   KERNEL_SERVICE__CREATE_FILES_AS,
3720 			   NULL);
3721 
3722 	if (ret == 0)
3723 		tsec->create_sid = isec->sid;
3724 	return ret;
3725 }
3726 
3727 static int selinux_kernel_module_request(char *kmod_name)
3728 {
3729 	u32 sid;
3730 	struct common_audit_data ad;
3731 
3732 	sid = task_sid(current);
3733 
3734 	ad.type = LSM_AUDIT_DATA_KMOD;
3735 	ad.u.kmod_name = kmod_name;
3736 
3737 	return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3738 			    SYSTEM__MODULE_REQUEST, &ad);
3739 }
3740 
3741 static int selinux_kernel_module_from_file(struct file *file)
3742 {
3743 	struct common_audit_data ad;
3744 	struct inode_security_struct *isec;
3745 	struct file_security_struct *fsec;
3746 	u32 sid = current_sid();
3747 	int rc;
3748 
3749 	/* init_module */
3750 	if (file == NULL)
3751 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3752 					SYSTEM__MODULE_LOAD, NULL);
3753 
3754 	/* finit_module */
3755 
3756 	ad.type = LSM_AUDIT_DATA_PATH;
3757 	ad.u.path = file->f_path;
3758 
3759 	fsec = file->f_security;
3760 	if (sid != fsec->sid) {
3761 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3762 		if (rc)
3763 			return rc;
3764 	}
3765 
3766 	isec = inode_security(file_inode(file));
3767 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3768 				SYSTEM__MODULE_LOAD, &ad);
3769 }
3770 
3771 static int selinux_kernel_read_file(struct file *file,
3772 				    enum kernel_read_file_id id)
3773 {
3774 	int rc = 0;
3775 
3776 	switch (id) {
3777 	case READING_MODULE:
3778 		rc = selinux_kernel_module_from_file(file);
3779 		break;
3780 	default:
3781 		break;
3782 	}
3783 
3784 	return rc;
3785 }
3786 
3787 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3788 {
3789 	return current_has_perm(p, PROCESS__SETPGID);
3790 }
3791 
3792 static int selinux_task_getpgid(struct task_struct *p)
3793 {
3794 	return current_has_perm(p, PROCESS__GETPGID);
3795 }
3796 
3797 static int selinux_task_getsid(struct task_struct *p)
3798 {
3799 	return current_has_perm(p, PROCESS__GETSESSION);
3800 }
3801 
3802 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3803 {
3804 	*secid = task_sid(p);
3805 }
3806 
3807 static int selinux_task_setnice(struct task_struct *p, int nice)
3808 {
3809 	return current_has_perm(p, PROCESS__SETSCHED);
3810 }
3811 
3812 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3813 {
3814 	return current_has_perm(p, PROCESS__SETSCHED);
3815 }
3816 
3817 static int selinux_task_getioprio(struct task_struct *p)
3818 {
3819 	return current_has_perm(p, PROCESS__GETSCHED);
3820 }
3821 
3822 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3823 		struct rlimit *new_rlim)
3824 {
3825 	struct rlimit *old_rlim = p->signal->rlim + resource;
3826 
3827 	/* Control the ability to change the hard limit (whether
3828 	   lowering or raising it), so that the hard limit can
3829 	   later be used as a safe reset point for the soft limit
3830 	   upon context transitions.  See selinux_bprm_committing_creds. */
3831 	if (old_rlim->rlim_max != new_rlim->rlim_max)
3832 		return current_has_perm(p, PROCESS__SETRLIMIT);
3833 
3834 	return 0;
3835 }
3836 
3837 static int selinux_task_setscheduler(struct task_struct *p)
3838 {
3839 	return current_has_perm(p, PROCESS__SETSCHED);
3840 }
3841 
3842 static int selinux_task_getscheduler(struct task_struct *p)
3843 {
3844 	return current_has_perm(p, PROCESS__GETSCHED);
3845 }
3846 
3847 static int selinux_task_movememory(struct task_struct *p)
3848 {
3849 	return current_has_perm(p, PROCESS__SETSCHED);
3850 }
3851 
3852 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3853 				int sig, u32 secid)
3854 {
3855 	u32 perm;
3856 	int rc;
3857 
3858 	if (!sig)
3859 		perm = PROCESS__SIGNULL; /* null signal; existence test */
3860 	else
3861 		perm = signal_to_av(sig);
3862 	if (secid)
3863 		rc = avc_has_perm(secid, task_sid(p),
3864 				  SECCLASS_PROCESS, perm, NULL);
3865 	else
3866 		rc = current_has_perm(p, perm);
3867 	return rc;
3868 }
3869 
3870 static int selinux_task_wait(struct task_struct *p)
3871 {
3872 	return task_has_perm(p, current, PROCESS__SIGCHLD);
3873 }
3874 
3875 static void selinux_task_to_inode(struct task_struct *p,
3876 				  struct inode *inode)
3877 {
3878 	struct inode_security_struct *isec = inode->i_security;
3879 	u32 sid = task_sid(p);
3880 
3881 	isec->sid = sid;
3882 	isec->initialized = LABEL_INITIALIZED;
3883 }
3884 
3885 /* Returns error only if unable to parse addresses */
3886 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3887 			struct common_audit_data *ad, u8 *proto)
3888 {
3889 	int offset, ihlen, ret = -EINVAL;
3890 	struct iphdr _iph, *ih;
3891 
3892 	offset = skb_network_offset(skb);
3893 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3894 	if (ih == NULL)
3895 		goto out;
3896 
3897 	ihlen = ih->ihl * 4;
3898 	if (ihlen < sizeof(_iph))
3899 		goto out;
3900 
3901 	ad->u.net->v4info.saddr = ih->saddr;
3902 	ad->u.net->v4info.daddr = ih->daddr;
3903 	ret = 0;
3904 
3905 	if (proto)
3906 		*proto = ih->protocol;
3907 
3908 	switch (ih->protocol) {
3909 	case IPPROTO_TCP: {
3910 		struct tcphdr _tcph, *th;
3911 
3912 		if (ntohs(ih->frag_off) & IP_OFFSET)
3913 			break;
3914 
3915 		offset += ihlen;
3916 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3917 		if (th == NULL)
3918 			break;
3919 
3920 		ad->u.net->sport = th->source;
3921 		ad->u.net->dport = th->dest;
3922 		break;
3923 	}
3924 
3925 	case IPPROTO_UDP: {
3926 		struct udphdr _udph, *uh;
3927 
3928 		if (ntohs(ih->frag_off) & IP_OFFSET)
3929 			break;
3930 
3931 		offset += ihlen;
3932 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3933 		if (uh == NULL)
3934 			break;
3935 
3936 		ad->u.net->sport = uh->source;
3937 		ad->u.net->dport = uh->dest;
3938 		break;
3939 	}
3940 
3941 	case IPPROTO_DCCP: {
3942 		struct dccp_hdr _dccph, *dh;
3943 
3944 		if (ntohs(ih->frag_off) & IP_OFFSET)
3945 			break;
3946 
3947 		offset += ihlen;
3948 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3949 		if (dh == NULL)
3950 			break;
3951 
3952 		ad->u.net->sport = dh->dccph_sport;
3953 		ad->u.net->dport = dh->dccph_dport;
3954 		break;
3955 	}
3956 
3957 	default:
3958 		break;
3959 	}
3960 out:
3961 	return ret;
3962 }
3963 
3964 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3965 
3966 /* Returns error only if unable to parse addresses */
3967 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3968 			struct common_audit_data *ad, u8 *proto)
3969 {
3970 	u8 nexthdr;
3971 	int ret = -EINVAL, offset;
3972 	struct ipv6hdr _ipv6h, *ip6;
3973 	__be16 frag_off;
3974 
3975 	offset = skb_network_offset(skb);
3976 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3977 	if (ip6 == NULL)
3978 		goto out;
3979 
3980 	ad->u.net->v6info.saddr = ip6->saddr;
3981 	ad->u.net->v6info.daddr = ip6->daddr;
3982 	ret = 0;
3983 
3984 	nexthdr = ip6->nexthdr;
3985 	offset += sizeof(_ipv6h);
3986 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3987 	if (offset < 0)
3988 		goto out;
3989 
3990 	if (proto)
3991 		*proto = nexthdr;
3992 
3993 	switch (nexthdr) {
3994 	case IPPROTO_TCP: {
3995 		struct tcphdr _tcph, *th;
3996 
3997 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3998 		if (th == NULL)
3999 			break;
4000 
4001 		ad->u.net->sport = th->source;
4002 		ad->u.net->dport = th->dest;
4003 		break;
4004 	}
4005 
4006 	case IPPROTO_UDP: {
4007 		struct udphdr _udph, *uh;
4008 
4009 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4010 		if (uh == NULL)
4011 			break;
4012 
4013 		ad->u.net->sport = uh->source;
4014 		ad->u.net->dport = uh->dest;
4015 		break;
4016 	}
4017 
4018 	case IPPROTO_DCCP: {
4019 		struct dccp_hdr _dccph, *dh;
4020 
4021 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4022 		if (dh == NULL)
4023 			break;
4024 
4025 		ad->u.net->sport = dh->dccph_sport;
4026 		ad->u.net->dport = dh->dccph_dport;
4027 		break;
4028 	}
4029 
4030 	/* includes fragments */
4031 	default:
4032 		break;
4033 	}
4034 out:
4035 	return ret;
4036 }
4037 
4038 #endif /* IPV6 */
4039 
4040 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4041 			     char **_addrp, int src, u8 *proto)
4042 {
4043 	char *addrp;
4044 	int ret;
4045 
4046 	switch (ad->u.net->family) {
4047 	case PF_INET:
4048 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4049 		if (ret)
4050 			goto parse_error;
4051 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4052 				       &ad->u.net->v4info.daddr);
4053 		goto okay;
4054 
4055 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4056 	case PF_INET6:
4057 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4058 		if (ret)
4059 			goto parse_error;
4060 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4061 				       &ad->u.net->v6info.daddr);
4062 		goto okay;
4063 #endif	/* IPV6 */
4064 	default:
4065 		addrp = NULL;
4066 		goto okay;
4067 	}
4068 
4069 parse_error:
4070 	printk(KERN_WARNING
4071 	       "SELinux: failure in selinux_parse_skb(),"
4072 	       " unable to parse packet\n");
4073 	return ret;
4074 
4075 okay:
4076 	if (_addrp)
4077 		*_addrp = addrp;
4078 	return 0;
4079 }
4080 
4081 /**
4082  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4083  * @skb: the packet
4084  * @family: protocol family
4085  * @sid: the packet's peer label SID
4086  *
4087  * Description:
4088  * Check the various different forms of network peer labeling and determine
4089  * the peer label/SID for the packet; most of the magic actually occurs in
4090  * the security server function security_net_peersid_cmp().  The function
4091  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4092  * or -EACCES if @sid is invalid due to inconsistencies with the different
4093  * peer labels.
4094  *
4095  */
4096 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4097 {
4098 	int err;
4099 	u32 xfrm_sid;
4100 	u32 nlbl_sid;
4101 	u32 nlbl_type;
4102 
4103 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4104 	if (unlikely(err))
4105 		return -EACCES;
4106 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4107 	if (unlikely(err))
4108 		return -EACCES;
4109 
4110 	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4111 	if (unlikely(err)) {
4112 		printk(KERN_WARNING
4113 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4114 		       " unable to determine packet's peer label\n");
4115 		return -EACCES;
4116 	}
4117 
4118 	return 0;
4119 }
4120 
4121 /**
4122  * selinux_conn_sid - Determine the child socket label for a connection
4123  * @sk_sid: the parent socket's SID
4124  * @skb_sid: the packet's SID
4125  * @conn_sid: the resulting connection SID
4126  *
4127  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4128  * combined with the MLS information from @skb_sid in order to create
4129  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4130  * of @sk_sid.  Returns zero on success, negative values on failure.
4131  *
4132  */
4133 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4134 {
4135 	int err = 0;
4136 
4137 	if (skb_sid != SECSID_NULL)
4138 		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4139 	else
4140 		*conn_sid = sk_sid;
4141 
4142 	return err;
4143 }
4144 
4145 /* socket security operations */
4146 
4147 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4148 				 u16 secclass, u32 *socksid)
4149 {
4150 	if (tsec->sockcreate_sid > SECSID_NULL) {
4151 		*socksid = tsec->sockcreate_sid;
4152 		return 0;
4153 	}
4154 
4155 	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4156 				       socksid);
4157 }
4158 
4159 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4160 {
4161 	struct sk_security_struct *sksec = sk->sk_security;
4162 	struct common_audit_data ad;
4163 	struct lsm_network_audit net = {0,};
4164 	u32 tsid = task_sid(task);
4165 
4166 	if (sksec->sid == SECINITSID_KERNEL)
4167 		return 0;
4168 
4169 	ad.type = LSM_AUDIT_DATA_NET;
4170 	ad.u.net = &net;
4171 	ad.u.net->sk = sk;
4172 
4173 	return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4174 }
4175 
4176 static int selinux_socket_create(int family, int type,
4177 				 int protocol, int kern)
4178 {
4179 	const struct task_security_struct *tsec = current_security();
4180 	u32 newsid;
4181 	u16 secclass;
4182 	int rc;
4183 
4184 	if (kern)
4185 		return 0;
4186 
4187 	secclass = socket_type_to_security_class(family, type, protocol);
4188 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4189 	if (rc)
4190 		return rc;
4191 
4192 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4193 }
4194 
4195 static int selinux_socket_post_create(struct socket *sock, int family,
4196 				      int type, int protocol, int kern)
4197 {
4198 	const struct task_security_struct *tsec = current_security();
4199 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4200 	struct sk_security_struct *sksec;
4201 	int err = 0;
4202 
4203 	isec->sclass = socket_type_to_security_class(family, type, protocol);
4204 
4205 	if (kern)
4206 		isec->sid = SECINITSID_KERNEL;
4207 	else {
4208 		err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4209 		if (err)
4210 			return err;
4211 	}
4212 
4213 	isec->initialized = LABEL_INITIALIZED;
4214 
4215 	if (sock->sk) {
4216 		sksec = sock->sk->sk_security;
4217 		sksec->sid = isec->sid;
4218 		sksec->sclass = isec->sclass;
4219 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4220 	}
4221 
4222 	return err;
4223 }
4224 
4225 /* Range of port numbers used to automatically bind.
4226    Need to determine whether we should perform a name_bind
4227    permission check between the socket and the port number. */
4228 
4229 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4230 {
4231 	struct sock *sk = sock->sk;
4232 	u16 family;
4233 	int err;
4234 
4235 	err = sock_has_perm(current, sk, SOCKET__BIND);
4236 	if (err)
4237 		goto out;
4238 
4239 	/*
4240 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
4241 	 * Multiple address binding for SCTP is not supported yet: we just
4242 	 * check the first address now.
4243 	 */
4244 	family = sk->sk_family;
4245 	if (family == PF_INET || family == PF_INET6) {
4246 		char *addrp;
4247 		struct sk_security_struct *sksec = sk->sk_security;
4248 		struct common_audit_data ad;
4249 		struct lsm_network_audit net = {0,};
4250 		struct sockaddr_in *addr4 = NULL;
4251 		struct sockaddr_in6 *addr6 = NULL;
4252 		unsigned short snum;
4253 		u32 sid, node_perm;
4254 
4255 		if (family == PF_INET) {
4256 			addr4 = (struct sockaddr_in *)address;
4257 			snum = ntohs(addr4->sin_port);
4258 			addrp = (char *)&addr4->sin_addr.s_addr;
4259 		} else {
4260 			addr6 = (struct sockaddr_in6 *)address;
4261 			snum = ntohs(addr6->sin6_port);
4262 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4263 		}
4264 
4265 		if (snum) {
4266 			int low, high;
4267 
4268 			inet_get_local_port_range(sock_net(sk), &low, &high);
4269 
4270 			if (snum < max(PROT_SOCK, low) || snum > high) {
4271 				err = sel_netport_sid(sk->sk_protocol,
4272 						      snum, &sid);
4273 				if (err)
4274 					goto out;
4275 				ad.type = LSM_AUDIT_DATA_NET;
4276 				ad.u.net = &net;
4277 				ad.u.net->sport = htons(snum);
4278 				ad.u.net->family = family;
4279 				err = avc_has_perm(sksec->sid, sid,
4280 						   sksec->sclass,
4281 						   SOCKET__NAME_BIND, &ad);
4282 				if (err)
4283 					goto out;
4284 			}
4285 		}
4286 
4287 		switch (sksec->sclass) {
4288 		case SECCLASS_TCP_SOCKET:
4289 			node_perm = TCP_SOCKET__NODE_BIND;
4290 			break;
4291 
4292 		case SECCLASS_UDP_SOCKET:
4293 			node_perm = UDP_SOCKET__NODE_BIND;
4294 			break;
4295 
4296 		case SECCLASS_DCCP_SOCKET:
4297 			node_perm = DCCP_SOCKET__NODE_BIND;
4298 			break;
4299 
4300 		default:
4301 			node_perm = RAWIP_SOCKET__NODE_BIND;
4302 			break;
4303 		}
4304 
4305 		err = sel_netnode_sid(addrp, family, &sid);
4306 		if (err)
4307 			goto out;
4308 
4309 		ad.type = LSM_AUDIT_DATA_NET;
4310 		ad.u.net = &net;
4311 		ad.u.net->sport = htons(snum);
4312 		ad.u.net->family = family;
4313 
4314 		if (family == PF_INET)
4315 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4316 		else
4317 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4318 
4319 		err = avc_has_perm(sksec->sid, sid,
4320 				   sksec->sclass, node_perm, &ad);
4321 		if (err)
4322 			goto out;
4323 	}
4324 out:
4325 	return err;
4326 }
4327 
4328 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4329 {
4330 	struct sock *sk = sock->sk;
4331 	struct sk_security_struct *sksec = sk->sk_security;
4332 	int err;
4333 
4334 	err = sock_has_perm(current, sk, SOCKET__CONNECT);
4335 	if (err)
4336 		return err;
4337 
4338 	/*
4339 	 * If a TCP or DCCP socket, check name_connect permission for the port.
4340 	 */
4341 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4342 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
4343 		struct common_audit_data ad;
4344 		struct lsm_network_audit net = {0,};
4345 		struct sockaddr_in *addr4 = NULL;
4346 		struct sockaddr_in6 *addr6 = NULL;
4347 		unsigned short snum;
4348 		u32 sid, perm;
4349 
4350 		if (sk->sk_family == PF_INET) {
4351 			addr4 = (struct sockaddr_in *)address;
4352 			if (addrlen < sizeof(struct sockaddr_in))
4353 				return -EINVAL;
4354 			snum = ntohs(addr4->sin_port);
4355 		} else {
4356 			addr6 = (struct sockaddr_in6 *)address;
4357 			if (addrlen < SIN6_LEN_RFC2133)
4358 				return -EINVAL;
4359 			snum = ntohs(addr6->sin6_port);
4360 		}
4361 
4362 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4363 		if (err)
4364 			goto out;
4365 
4366 		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4367 		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4368 
4369 		ad.type = LSM_AUDIT_DATA_NET;
4370 		ad.u.net = &net;
4371 		ad.u.net->dport = htons(snum);
4372 		ad.u.net->family = sk->sk_family;
4373 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4374 		if (err)
4375 			goto out;
4376 	}
4377 
4378 	err = selinux_netlbl_socket_connect(sk, address);
4379 
4380 out:
4381 	return err;
4382 }
4383 
4384 static int selinux_socket_listen(struct socket *sock, int backlog)
4385 {
4386 	return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4387 }
4388 
4389 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4390 {
4391 	int err;
4392 	struct inode_security_struct *isec;
4393 	struct inode_security_struct *newisec;
4394 
4395 	err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4396 	if (err)
4397 		return err;
4398 
4399 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4400 
4401 	isec = inode_security_novalidate(SOCK_INODE(sock));
4402 	newisec->sclass = isec->sclass;
4403 	newisec->sid = isec->sid;
4404 	newisec->initialized = LABEL_INITIALIZED;
4405 
4406 	return 0;
4407 }
4408 
4409 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4410 				  int size)
4411 {
4412 	return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4413 }
4414 
4415 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4416 				  int size, int flags)
4417 {
4418 	return sock_has_perm(current, sock->sk, SOCKET__READ);
4419 }
4420 
4421 static int selinux_socket_getsockname(struct socket *sock)
4422 {
4423 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4424 }
4425 
4426 static int selinux_socket_getpeername(struct socket *sock)
4427 {
4428 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4429 }
4430 
4431 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4432 {
4433 	int err;
4434 
4435 	err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4436 	if (err)
4437 		return err;
4438 
4439 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4440 }
4441 
4442 static int selinux_socket_getsockopt(struct socket *sock, int level,
4443 				     int optname)
4444 {
4445 	return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4446 }
4447 
4448 static int selinux_socket_shutdown(struct socket *sock, int how)
4449 {
4450 	return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4451 }
4452 
4453 static int selinux_socket_unix_stream_connect(struct sock *sock,
4454 					      struct sock *other,
4455 					      struct sock *newsk)
4456 {
4457 	struct sk_security_struct *sksec_sock = sock->sk_security;
4458 	struct sk_security_struct *sksec_other = other->sk_security;
4459 	struct sk_security_struct *sksec_new = newsk->sk_security;
4460 	struct common_audit_data ad;
4461 	struct lsm_network_audit net = {0,};
4462 	int err;
4463 
4464 	ad.type = LSM_AUDIT_DATA_NET;
4465 	ad.u.net = &net;
4466 	ad.u.net->sk = other;
4467 
4468 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4469 			   sksec_other->sclass,
4470 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4471 	if (err)
4472 		return err;
4473 
4474 	/* server child socket */
4475 	sksec_new->peer_sid = sksec_sock->sid;
4476 	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4477 				    &sksec_new->sid);
4478 	if (err)
4479 		return err;
4480 
4481 	/* connecting socket */
4482 	sksec_sock->peer_sid = sksec_new->sid;
4483 
4484 	return 0;
4485 }
4486 
4487 static int selinux_socket_unix_may_send(struct socket *sock,
4488 					struct socket *other)
4489 {
4490 	struct sk_security_struct *ssec = sock->sk->sk_security;
4491 	struct sk_security_struct *osec = other->sk->sk_security;
4492 	struct common_audit_data ad;
4493 	struct lsm_network_audit net = {0,};
4494 
4495 	ad.type = LSM_AUDIT_DATA_NET;
4496 	ad.u.net = &net;
4497 	ad.u.net->sk = other->sk;
4498 
4499 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4500 			    &ad);
4501 }
4502 
4503 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4504 				    char *addrp, u16 family, u32 peer_sid,
4505 				    struct common_audit_data *ad)
4506 {
4507 	int err;
4508 	u32 if_sid;
4509 	u32 node_sid;
4510 
4511 	err = sel_netif_sid(ns, ifindex, &if_sid);
4512 	if (err)
4513 		return err;
4514 	err = avc_has_perm(peer_sid, if_sid,
4515 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4516 	if (err)
4517 		return err;
4518 
4519 	err = sel_netnode_sid(addrp, family, &node_sid);
4520 	if (err)
4521 		return err;
4522 	return avc_has_perm(peer_sid, node_sid,
4523 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4524 }
4525 
4526 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4527 				       u16 family)
4528 {
4529 	int err = 0;
4530 	struct sk_security_struct *sksec = sk->sk_security;
4531 	u32 sk_sid = sksec->sid;
4532 	struct common_audit_data ad;
4533 	struct lsm_network_audit net = {0,};
4534 	char *addrp;
4535 
4536 	ad.type = LSM_AUDIT_DATA_NET;
4537 	ad.u.net = &net;
4538 	ad.u.net->netif = skb->skb_iif;
4539 	ad.u.net->family = family;
4540 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4541 	if (err)
4542 		return err;
4543 
4544 	if (selinux_secmark_enabled()) {
4545 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4546 				   PACKET__RECV, &ad);
4547 		if (err)
4548 			return err;
4549 	}
4550 
4551 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4552 	if (err)
4553 		return err;
4554 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4555 
4556 	return err;
4557 }
4558 
4559 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4560 {
4561 	int err;
4562 	struct sk_security_struct *sksec = sk->sk_security;
4563 	u16 family = sk->sk_family;
4564 	u32 sk_sid = sksec->sid;
4565 	struct common_audit_data ad;
4566 	struct lsm_network_audit net = {0,};
4567 	char *addrp;
4568 	u8 secmark_active;
4569 	u8 peerlbl_active;
4570 
4571 	if (family != PF_INET && family != PF_INET6)
4572 		return 0;
4573 
4574 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4575 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4576 		family = PF_INET;
4577 
4578 	/* If any sort of compatibility mode is enabled then handoff processing
4579 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4580 	 * special handling.  We do this in an attempt to keep this function
4581 	 * as fast and as clean as possible. */
4582 	if (!selinux_policycap_netpeer)
4583 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4584 
4585 	secmark_active = selinux_secmark_enabled();
4586 	peerlbl_active = selinux_peerlbl_enabled();
4587 	if (!secmark_active && !peerlbl_active)
4588 		return 0;
4589 
4590 	ad.type = LSM_AUDIT_DATA_NET;
4591 	ad.u.net = &net;
4592 	ad.u.net->netif = skb->skb_iif;
4593 	ad.u.net->family = family;
4594 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4595 	if (err)
4596 		return err;
4597 
4598 	if (peerlbl_active) {
4599 		u32 peer_sid;
4600 
4601 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4602 		if (err)
4603 			return err;
4604 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4605 					       addrp, family, peer_sid, &ad);
4606 		if (err) {
4607 			selinux_netlbl_err(skb, err, 0);
4608 			return err;
4609 		}
4610 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4611 				   PEER__RECV, &ad);
4612 		if (err) {
4613 			selinux_netlbl_err(skb, err, 0);
4614 			return err;
4615 		}
4616 	}
4617 
4618 	if (secmark_active) {
4619 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4620 				   PACKET__RECV, &ad);
4621 		if (err)
4622 			return err;
4623 	}
4624 
4625 	return err;
4626 }
4627 
4628 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4629 					    int __user *optlen, unsigned len)
4630 {
4631 	int err = 0;
4632 	char *scontext;
4633 	u32 scontext_len;
4634 	struct sk_security_struct *sksec = sock->sk->sk_security;
4635 	u32 peer_sid = SECSID_NULL;
4636 
4637 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4638 	    sksec->sclass == SECCLASS_TCP_SOCKET)
4639 		peer_sid = sksec->peer_sid;
4640 	if (peer_sid == SECSID_NULL)
4641 		return -ENOPROTOOPT;
4642 
4643 	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4644 	if (err)
4645 		return err;
4646 
4647 	if (scontext_len > len) {
4648 		err = -ERANGE;
4649 		goto out_len;
4650 	}
4651 
4652 	if (copy_to_user(optval, scontext, scontext_len))
4653 		err = -EFAULT;
4654 
4655 out_len:
4656 	if (put_user(scontext_len, optlen))
4657 		err = -EFAULT;
4658 	kfree(scontext);
4659 	return err;
4660 }
4661 
4662 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4663 {
4664 	u32 peer_secid = SECSID_NULL;
4665 	u16 family;
4666 	struct inode_security_struct *isec;
4667 
4668 	if (skb && skb->protocol == htons(ETH_P_IP))
4669 		family = PF_INET;
4670 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4671 		family = PF_INET6;
4672 	else if (sock)
4673 		family = sock->sk->sk_family;
4674 	else
4675 		goto out;
4676 
4677 	if (sock && family == PF_UNIX) {
4678 		isec = inode_security_novalidate(SOCK_INODE(sock));
4679 		peer_secid = isec->sid;
4680 	} else if (skb)
4681 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4682 
4683 out:
4684 	*secid = peer_secid;
4685 	if (peer_secid == SECSID_NULL)
4686 		return -EINVAL;
4687 	return 0;
4688 }
4689 
4690 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4691 {
4692 	struct sk_security_struct *sksec;
4693 
4694 	sksec = kzalloc(sizeof(*sksec), priority);
4695 	if (!sksec)
4696 		return -ENOMEM;
4697 
4698 	sksec->peer_sid = SECINITSID_UNLABELED;
4699 	sksec->sid = SECINITSID_UNLABELED;
4700 	sksec->sclass = SECCLASS_SOCKET;
4701 	selinux_netlbl_sk_security_reset(sksec);
4702 	sk->sk_security = sksec;
4703 
4704 	return 0;
4705 }
4706 
4707 static void selinux_sk_free_security(struct sock *sk)
4708 {
4709 	struct sk_security_struct *sksec = sk->sk_security;
4710 
4711 	sk->sk_security = NULL;
4712 	selinux_netlbl_sk_security_free(sksec);
4713 	kfree(sksec);
4714 }
4715 
4716 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4717 {
4718 	struct sk_security_struct *sksec = sk->sk_security;
4719 	struct sk_security_struct *newsksec = newsk->sk_security;
4720 
4721 	newsksec->sid = sksec->sid;
4722 	newsksec->peer_sid = sksec->peer_sid;
4723 	newsksec->sclass = sksec->sclass;
4724 
4725 	selinux_netlbl_sk_security_reset(newsksec);
4726 }
4727 
4728 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4729 {
4730 	if (!sk)
4731 		*secid = SECINITSID_ANY_SOCKET;
4732 	else {
4733 		struct sk_security_struct *sksec = sk->sk_security;
4734 
4735 		*secid = sksec->sid;
4736 	}
4737 }
4738 
4739 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4740 {
4741 	struct inode_security_struct *isec =
4742 		inode_security_novalidate(SOCK_INODE(parent));
4743 	struct sk_security_struct *sksec = sk->sk_security;
4744 
4745 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4746 	    sk->sk_family == PF_UNIX)
4747 		isec->sid = sksec->sid;
4748 	sksec->sclass = isec->sclass;
4749 }
4750 
4751 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4752 				     struct request_sock *req)
4753 {
4754 	struct sk_security_struct *sksec = sk->sk_security;
4755 	int err;
4756 	u16 family = req->rsk_ops->family;
4757 	u32 connsid;
4758 	u32 peersid;
4759 
4760 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4761 	if (err)
4762 		return err;
4763 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4764 	if (err)
4765 		return err;
4766 	req->secid = connsid;
4767 	req->peer_secid = peersid;
4768 
4769 	return selinux_netlbl_inet_conn_request(req, family);
4770 }
4771 
4772 static void selinux_inet_csk_clone(struct sock *newsk,
4773 				   const struct request_sock *req)
4774 {
4775 	struct sk_security_struct *newsksec = newsk->sk_security;
4776 
4777 	newsksec->sid = req->secid;
4778 	newsksec->peer_sid = req->peer_secid;
4779 	/* NOTE: Ideally, we should also get the isec->sid for the
4780 	   new socket in sync, but we don't have the isec available yet.
4781 	   So we will wait until sock_graft to do it, by which
4782 	   time it will have been created and available. */
4783 
4784 	/* We don't need to take any sort of lock here as we are the only
4785 	 * thread with access to newsksec */
4786 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4787 }
4788 
4789 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4790 {
4791 	u16 family = sk->sk_family;
4792 	struct sk_security_struct *sksec = sk->sk_security;
4793 
4794 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4795 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4796 		family = PF_INET;
4797 
4798 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4799 }
4800 
4801 static int selinux_secmark_relabel_packet(u32 sid)
4802 {
4803 	const struct task_security_struct *__tsec;
4804 	u32 tsid;
4805 
4806 	__tsec = current_security();
4807 	tsid = __tsec->sid;
4808 
4809 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4810 }
4811 
4812 static void selinux_secmark_refcount_inc(void)
4813 {
4814 	atomic_inc(&selinux_secmark_refcount);
4815 }
4816 
4817 static void selinux_secmark_refcount_dec(void)
4818 {
4819 	atomic_dec(&selinux_secmark_refcount);
4820 }
4821 
4822 static void selinux_req_classify_flow(const struct request_sock *req,
4823 				      struct flowi *fl)
4824 {
4825 	fl->flowi_secid = req->secid;
4826 }
4827 
4828 static int selinux_tun_dev_alloc_security(void **security)
4829 {
4830 	struct tun_security_struct *tunsec;
4831 
4832 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4833 	if (!tunsec)
4834 		return -ENOMEM;
4835 	tunsec->sid = current_sid();
4836 
4837 	*security = tunsec;
4838 	return 0;
4839 }
4840 
4841 static void selinux_tun_dev_free_security(void *security)
4842 {
4843 	kfree(security);
4844 }
4845 
4846 static int selinux_tun_dev_create(void)
4847 {
4848 	u32 sid = current_sid();
4849 
4850 	/* we aren't taking into account the "sockcreate" SID since the socket
4851 	 * that is being created here is not a socket in the traditional sense,
4852 	 * instead it is a private sock, accessible only to the kernel, and
4853 	 * representing a wide range of network traffic spanning multiple
4854 	 * connections unlike traditional sockets - check the TUN driver to
4855 	 * get a better understanding of why this socket is special */
4856 
4857 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4858 			    NULL);
4859 }
4860 
4861 static int selinux_tun_dev_attach_queue(void *security)
4862 {
4863 	struct tun_security_struct *tunsec = security;
4864 
4865 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4866 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
4867 }
4868 
4869 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4870 {
4871 	struct tun_security_struct *tunsec = security;
4872 	struct sk_security_struct *sksec = sk->sk_security;
4873 
4874 	/* we don't currently perform any NetLabel based labeling here and it
4875 	 * isn't clear that we would want to do so anyway; while we could apply
4876 	 * labeling without the support of the TUN user the resulting labeled
4877 	 * traffic from the other end of the connection would almost certainly
4878 	 * cause confusion to the TUN user that had no idea network labeling
4879 	 * protocols were being used */
4880 
4881 	sksec->sid = tunsec->sid;
4882 	sksec->sclass = SECCLASS_TUN_SOCKET;
4883 
4884 	return 0;
4885 }
4886 
4887 static int selinux_tun_dev_open(void *security)
4888 {
4889 	struct tun_security_struct *tunsec = security;
4890 	u32 sid = current_sid();
4891 	int err;
4892 
4893 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4894 			   TUN_SOCKET__RELABELFROM, NULL);
4895 	if (err)
4896 		return err;
4897 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4898 			   TUN_SOCKET__RELABELTO, NULL);
4899 	if (err)
4900 		return err;
4901 	tunsec->sid = sid;
4902 
4903 	return 0;
4904 }
4905 
4906 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4907 {
4908 	int err = 0;
4909 	u32 perm;
4910 	struct nlmsghdr *nlh;
4911 	struct sk_security_struct *sksec = sk->sk_security;
4912 
4913 	if (skb->len < NLMSG_HDRLEN) {
4914 		err = -EINVAL;
4915 		goto out;
4916 	}
4917 	nlh = nlmsg_hdr(skb);
4918 
4919 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4920 	if (err) {
4921 		if (err == -EINVAL) {
4922 			pr_warn_ratelimited("SELinux: unrecognized netlink"
4923 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
4924 			       " pig=%d comm=%s\n",
4925 			       sk->sk_protocol, nlh->nlmsg_type,
4926 			       secclass_map[sksec->sclass - 1].name,
4927 			       task_pid_nr(current), current->comm);
4928 			if (!selinux_enforcing || security_get_allow_unknown())
4929 				err = 0;
4930 		}
4931 
4932 		/* Ignore */
4933 		if (err == -ENOENT)
4934 			err = 0;
4935 		goto out;
4936 	}
4937 
4938 	err = sock_has_perm(current, sk, perm);
4939 out:
4940 	return err;
4941 }
4942 
4943 #ifdef CONFIG_NETFILTER
4944 
4945 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4946 				       const struct net_device *indev,
4947 				       u16 family)
4948 {
4949 	int err;
4950 	char *addrp;
4951 	u32 peer_sid;
4952 	struct common_audit_data ad;
4953 	struct lsm_network_audit net = {0,};
4954 	u8 secmark_active;
4955 	u8 netlbl_active;
4956 	u8 peerlbl_active;
4957 
4958 	if (!selinux_policycap_netpeer)
4959 		return NF_ACCEPT;
4960 
4961 	secmark_active = selinux_secmark_enabled();
4962 	netlbl_active = netlbl_enabled();
4963 	peerlbl_active = selinux_peerlbl_enabled();
4964 	if (!secmark_active && !peerlbl_active)
4965 		return NF_ACCEPT;
4966 
4967 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4968 		return NF_DROP;
4969 
4970 	ad.type = LSM_AUDIT_DATA_NET;
4971 	ad.u.net = &net;
4972 	ad.u.net->netif = indev->ifindex;
4973 	ad.u.net->family = family;
4974 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4975 		return NF_DROP;
4976 
4977 	if (peerlbl_active) {
4978 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4979 					       addrp, family, peer_sid, &ad);
4980 		if (err) {
4981 			selinux_netlbl_err(skb, err, 1);
4982 			return NF_DROP;
4983 		}
4984 	}
4985 
4986 	if (secmark_active)
4987 		if (avc_has_perm(peer_sid, skb->secmark,
4988 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4989 			return NF_DROP;
4990 
4991 	if (netlbl_active)
4992 		/* we do this in the FORWARD path and not the POST_ROUTING
4993 		 * path because we want to make sure we apply the necessary
4994 		 * labeling before IPsec is applied so we can leverage AH
4995 		 * protection */
4996 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4997 			return NF_DROP;
4998 
4999 	return NF_ACCEPT;
5000 }
5001 
5002 static unsigned int selinux_ipv4_forward(void *priv,
5003 					 struct sk_buff *skb,
5004 					 const struct nf_hook_state *state)
5005 {
5006 	return selinux_ip_forward(skb, state->in, PF_INET);
5007 }
5008 
5009 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5010 static unsigned int selinux_ipv6_forward(void *priv,
5011 					 struct sk_buff *skb,
5012 					 const struct nf_hook_state *state)
5013 {
5014 	return selinux_ip_forward(skb, state->in, PF_INET6);
5015 }
5016 #endif	/* IPV6 */
5017 
5018 static unsigned int selinux_ip_output(struct sk_buff *skb,
5019 				      u16 family)
5020 {
5021 	struct sock *sk;
5022 	u32 sid;
5023 
5024 	if (!netlbl_enabled())
5025 		return NF_ACCEPT;
5026 
5027 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5028 	 * because we want to make sure we apply the necessary labeling
5029 	 * before IPsec is applied so we can leverage AH protection */
5030 	sk = skb->sk;
5031 	if (sk) {
5032 		struct sk_security_struct *sksec;
5033 
5034 		if (sk_listener(sk))
5035 			/* if the socket is the listening state then this
5036 			 * packet is a SYN-ACK packet which means it needs to
5037 			 * be labeled based on the connection/request_sock and
5038 			 * not the parent socket.  unfortunately, we can't
5039 			 * lookup the request_sock yet as it isn't queued on
5040 			 * the parent socket until after the SYN-ACK is sent.
5041 			 * the "solution" is to simply pass the packet as-is
5042 			 * as any IP option based labeling should be copied
5043 			 * from the initial connection request (in the IP
5044 			 * layer).  it is far from ideal, but until we get a
5045 			 * security label in the packet itself this is the
5046 			 * best we can do. */
5047 			return NF_ACCEPT;
5048 
5049 		/* standard practice, label using the parent socket */
5050 		sksec = sk->sk_security;
5051 		sid = sksec->sid;
5052 	} else
5053 		sid = SECINITSID_KERNEL;
5054 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5055 		return NF_DROP;
5056 
5057 	return NF_ACCEPT;
5058 }
5059 
5060 static unsigned int selinux_ipv4_output(void *priv,
5061 					struct sk_buff *skb,
5062 					const struct nf_hook_state *state)
5063 {
5064 	return selinux_ip_output(skb, PF_INET);
5065 }
5066 
5067 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5068 						int ifindex,
5069 						u16 family)
5070 {
5071 	struct sock *sk = skb_to_full_sk(skb);
5072 	struct sk_security_struct *sksec;
5073 	struct common_audit_data ad;
5074 	struct lsm_network_audit net = {0,};
5075 	char *addrp;
5076 	u8 proto;
5077 
5078 	if (sk == NULL)
5079 		return NF_ACCEPT;
5080 	sksec = sk->sk_security;
5081 
5082 	ad.type = LSM_AUDIT_DATA_NET;
5083 	ad.u.net = &net;
5084 	ad.u.net->netif = ifindex;
5085 	ad.u.net->family = family;
5086 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5087 		return NF_DROP;
5088 
5089 	if (selinux_secmark_enabled())
5090 		if (avc_has_perm(sksec->sid, skb->secmark,
5091 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5092 			return NF_DROP_ERR(-ECONNREFUSED);
5093 
5094 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5095 		return NF_DROP_ERR(-ECONNREFUSED);
5096 
5097 	return NF_ACCEPT;
5098 }
5099 
5100 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5101 					 const struct net_device *outdev,
5102 					 u16 family)
5103 {
5104 	u32 secmark_perm;
5105 	u32 peer_sid;
5106 	int ifindex = outdev->ifindex;
5107 	struct sock *sk;
5108 	struct common_audit_data ad;
5109 	struct lsm_network_audit net = {0,};
5110 	char *addrp;
5111 	u8 secmark_active;
5112 	u8 peerlbl_active;
5113 
5114 	/* If any sort of compatibility mode is enabled then handoff processing
5115 	 * to the selinux_ip_postroute_compat() function to deal with the
5116 	 * special handling.  We do this in an attempt to keep this function
5117 	 * as fast and as clean as possible. */
5118 	if (!selinux_policycap_netpeer)
5119 		return selinux_ip_postroute_compat(skb, ifindex, family);
5120 
5121 	secmark_active = selinux_secmark_enabled();
5122 	peerlbl_active = selinux_peerlbl_enabled();
5123 	if (!secmark_active && !peerlbl_active)
5124 		return NF_ACCEPT;
5125 
5126 	sk = skb_to_full_sk(skb);
5127 
5128 #ifdef CONFIG_XFRM
5129 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5130 	 * packet transformation so allow the packet to pass without any checks
5131 	 * since we'll have another chance to perform access control checks
5132 	 * when the packet is on it's final way out.
5133 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5134 	 *       is NULL, in this case go ahead and apply access control.
5135 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5136 	 *       TCP listening state we cannot wait until the XFRM processing
5137 	 *       is done as we will miss out on the SA label if we do;
5138 	 *       unfortunately, this means more work, but it is only once per
5139 	 *       connection. */
5140 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5141 	    !(sk && sk_listener(sk)))
5142 		return NF_ACCEPT;
5143 #endif
5144 
5145 	if (sk == NULL) {
5146 		/* Without an associated socket the packet is either coming
5147 		 * from the kernel or it is being forwarded; check the packet
5148 		 * to determine which and if the packet is being forwarded
5149 		 * query the packet directly to determine the security label. */
5150 		if (skb->skb_iif) {
5151 			secmark_perm = PACKET__FORWARD_OUT;
5152 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5153 				return NF_DROP;
5154 		} else {
5155 			secmark_perm = PACKET__SEND;
5156 			peer_sid = SECINITSID_KERNEL;
5157 		}
5158 	} else if (sk_listener(sk)) {
5159 		/* Locally generated packet but the associated socket is in the
5160 		 * listening state which means this is a SYN-ACK packet.  In
5161 		 * this particular case the correct security label is assigned
5162 		 * to the connection/request_sock but unfortunately we can't
5163 		 * query the request_sock as it isn't queued on the parent
5164 		 * socket until after the SYN-ACK packet is sent; the only
5165 		 * viable choice is to regenerate the label like we do in
5166 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5167 		 * for similar problems. */
5168 		u32 skb_sid;
5169 		struct sk_security_struct *sksec;
5170 
5171 		sksec = sk->sk_security;
5172 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5173 			return NF_DROP;
5174 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5175 		 * and the packet has been through at least one XFRM
5176 		 * transformation then we must be dealing with the "final"
5177 		 * form of labeled IPsec packet; since we've already applied
5178 		 * all of our access controls on this packet we can safely
5179 		 * pass the packet. */
5180 		if (skb_sid == SECSID_NULL) {
5181 			switch (family) {
5182 			case PF_INET:
5183 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5184 					return NF_ACCEPT;
5185 				break;
5186 			case PF_INET6:
5187 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5188 					return NF_ACCEPT;
5189 				break;
5190 			default:
5191 				return NF_DROP_ERR(-ECONNREFUSED);
5192 			}
5193 		}
5194 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5195 			return NF_DROP;
5196 		secmark_perm = PACKET__SEND;
5197 	} else {
5198 		/* Locally generated packet, fetch the security label from the
5199 		 * associated socket. */
5200 		struct sk_security_struct *sksec = sk->sk_security;
5201 		peer_sid = sksec->sid;
5202 		secmark_perm = PACKET__SEND;
5203 	}
5204 
5205 	ad.type = LSM_AUDIT_DATA_NET;
5206 	ad.u.net = &net;
5207 	ad.u.net->netif = ifindex;
5208 	ad.u.net->family = family;
5209 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5210 		return NF_DROP;
5211 
5212 	if (secmark_active)
5213 		if (avc_has_perm(peer_sid, skb->secmark,
5214 				 SECCLASS_PACKET, secmark_perm, &ad))
5215 			return NF_DROP_ERR(-ECONNREFUSED);
5216 
5217 	if (peerlbl_active) {
5218 		u32 if_sid;
5219 		u32 node_sid;
5220 
5221 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5222 			return NF_DROP;
5223 		if (avc_has_perm(peer_sid, if_sid,
5224 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5225 			return NF_DROP_ERR(-ECONNREFUSED);
5226 
5227 		if (sel_netnode_sid(addrp, family, &node_sid))
5228 			return NF_DROP;
5229 		if (avc_has_perm(peer_sid, node_sid,
5230 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5231 			return NF_DROP_ERR(-ECONNREFUSED);
5232 	}
5233 
5234 	return NF_ACCEPT;
5235 }
5236 
5237 static unsigned int selinux_ipv4_postroute(void *priv,
5238 					   struct sk_buff *skb,
5239 					   const struct nf_hook_state *state)
5240 {
5241 	return selinux_ip_postroute(skb, state->out, PF_INET);
5242 }
5243 
5244 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5245 static unsigned int selinux_ipv6_postroute(void *priv,
5246 					   struct sk_buff *skb,
5247 					   const struct nf_hook_state *state)
5248 {
5249 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5250 }
5251 #endif	/* IPV6 */
5252 
5253 #endif	/* CONFIG_NETFILTER */
5254 
5255 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5256 {
5257 	return selinux_nlmsg_perm(sk, skb);
5258 }
5259 
5260 static int ipc_alloc_security(struct task_struct *task,
5261 			      struct kern_ipc_perm *perm,
5262 			      u16 sclass)
5263 {
5264 	struct ipc_security_struct *isec;
5265 	u32 sid;
5266 
5267 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5268 	if (!isec)
5269 		return -ENOMEM;
5270 
5271 	sid = task_sid(task);
5272 	isec->sclass = sclass;
5273 	isec->sid = sid;
5274 	perm->security = isec;
5275 
5276 	return 0;
5277 }
5278 
5279 static void ipc_free_security(struct kern_ipc_perm *perm)
5280 {
5281 	struct ipc_security_struct *isec = perm->security;
5282 	perm->security = NULL;
5283 	kfree(isec);
5284 }
5285 
5286 static int msg_msg_alloc_security(struct msg_msg *msg)
5287 {
5288 	struct msg_security_struct *msec;
5289 
5290 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5291 	if (!msec)
5292 		return -ENOMEM;
5293 
5294 	msec->sid = SECINITSID_UNLABELED;
5295 	msg->security = msec;
5296 
5297 	return 0;
5298 }
5299 
5300 static void msg_msg_free_security(struct msg_msg *msg)
5301 {
5302 	struct msg_security_struct *msec = msg->security;
5303 
5304 	msg->security = NULL;
5305 	kfree(msec);
5306 }
5307 
5308 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5309 			u32 perms)
5310 {
5311 	struct ipc_security_struct *isec;
5312 	struct common_audit_data ad;
5313 	u32 sid = current_sid();
5314 
5315 	isec = ipc_perms->security;
5316 
5317 	ad.type = LSM_AUDIT_DATA_IPC;
5318 	ad.u.ipc_id = ipc_perms->key;
5319 
5320 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5321 }
5322 
5323 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5324 {
5325 	return msg_msg_alloc_security(msg);
5326 }
5327 
5328 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5329 {
5330 	msg_msg_free_security(msg);
5331 }
5332 
5333 /* message queue security operations */
5334 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5335 {
5336 	struct ipc_security_struct *isec;
5337 	struct common_audit_data ad;
5338 	u32 sid = current_sid();
5339 	int rc;
5340 
5341 	rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5342 	if (rc)
5343 		return rc;
5344 
5345 	isec = msq->q_perm.security;
5346 
5347 	ad.type = LSM_AUDIT_DATA_IPC;
5348 	ad.u.ipc_id = msq->q_perm.key;
5349 
5350 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5351 			  MSGQ__CREATE, &ad);
5352 	if (rc) {
5353 		ipc_free_security(&msq->q_perm);
5354 		return rc;
5355 	}
5356 	return 0;
5357 }
5358 
5359 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5360 {
5361 	ipc_free_security(&msq->q_perm);
5362 }
5363 
5364 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5365 {
5366 	struct ipc_security_struct *isec;
5367 	struct common_audit_data ad;
5368 	u32 sid = current_sid();
5369 
5370 	isec = msq->q_perm.security;
5371 
5372 	ad.type = LSM_AUDIT_DATA_IPC;
5373 	ad.u.ipc_id = msq->q_perm.key;
5374 
5375 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5376 			    MSGQ__ASSOCIATE, &ad);
5377 }
5378 
5379 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5380 {
5381 	int err;
5382 	int perms;
5383 
5384 	switch (cmd) {
5385 	case IPC_INFO:
5386 	case MSG_INFO:
5387 		/* No specific object, just general system-wide information. */
5388 		return task_has_system(current, SYSTEM__IPC_INFO);
5389 	case IPC_STAT:
5390 	case MSG_STAT:
5391 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5392 		break;
5393 	case IPC_SET:
5394 		perms = MSGQ__SETATTR;
5395 		break;
5396 	case IPC_RMID:
5397 		perms = MSGQ__DESTROY;
5398 		break;
5399 	default:
5400 		return 0;
5401 	}
5402 
5403 	err = ipc_has_perm(&msq->q_perm, perms);
5404 	return err;
5405 }
5406 
5407 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5408 {
5409 	struct ipc_security_struct *isec;
5410 	struct msg_security_struct *msec;
5411 	struct common_audit_data ad;
5412 	u32 sid = current_sid();
5413 	int rc;
5414 
5415 	isec = msq->q_perm.security;
5416 	msec = msg->security;
5417 
5418 	/*
5419 	 * First time through, need to assign label to the message
5420 	 */
5421 	if (msec->sid == SECINITSID_UNLABELED) {
5422 		/*
5423 		 * Compute new sid based on current process and
5424 		 * message queue this message will be stored in
5425 		 */
5426 		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5427 					     NULL, &msec->sid);
5428 		if (rc)
5429 			return rc;
5430 	}
5431 
5432 	ad.type = LSM_AUDIT_DATA_IPC;
5433 	ad.u.ipc_id = msq->q_perm.key;
5434 
5435 	/* Can this process write to the queue? */
5436 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5437 			  MSGQ__WRITE, &ad);
5438 	if (!rc)
5439 		/* Can this process send the message */
5440 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5441 				  MSG__SEND, &ad);
5442 	if (!rc)
5443 		/* Can the message be put in the queue? */
5444 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5445 				  MSGQ__ENQUEUE, &ad);
5446 
5447 	return rc;
5448 }
5449 
5450 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5451 				    struct task_struct *target,
5452 				    long type, int mode)
5453 {
5454 	struct ipc_security_struct *isec;
5455 	struct msg_security_struct *msec;
5456 	struct common_audit_data ad;
5457 	u32 sid = task_sid(target);
5458 	int rc;
5459 
5460 	isec = msq->q_perm.security;
5461 	msec = msg->security;
5462 
5463 	ad.type = LSM_AUDIT_DATA_IPC;
5464 	ad.u.ipc_id = msq->q_perm.key;
5465 
5466 	rc = avc_has_perm(sid, isec->sid,
5467 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
5468 	if (!rc)
5469 		rc = avc_has_perm(sid, msec->sid,
5470 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
5471 	return rc;
5472 }
5473 
5474 /* Shared Memory security operations */
5475 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5476 {
5477 	struct ipc_security_struct *isec;
5478 	struct common_audit_data ad;
5479 	u32 sid = current_sid();
5480 	int rc;
5481 
5482 	rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5483 	if (rc)
5484 		return rc;
5485 
5486 	isec = shp->shm_perm.security;
5487 
5488 	ad.type = LSM_AUDIT_DATA_IPC;
5489 	ad.u.ipc_id = shp->shm_perm.key;
5490 
5491 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5492 			  SHM__CREATE, &ad);
5493 	if (rc) {
5494 		ipc_free_security(&shp->shm_perm);
5495 		return rc;
5496 	}
5497 	return 0;
5498 }
5499 
5500 static void selinux_shm_free_security(struct shmid_kernel *shp)
5501 {
5502 	ipc_free_security(&shp->shm_perm);
5503 }
5504 
5505 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5506 {
5507 	struct ipc_security_struct *isec;
5508 	struct common_audit_data ad;
5509 	u32 sid = current_sid();
5510 
5511 	isec = shp->shm_perm.security;
5512 
5513 	ad.type = LSM_AUDIT_DATA_IPC;
5514 	ad.u.ipc_id = shp->shm_perm.key;
5515 
5516 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5517 			    SHM__ASSOCIATE, &ad);
5518 }
5519 
5520 /* Note, at this point, shp is locked down */
5521 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5522 {
5523 	int perms;
5524 	int err;
5525 
5526 	switch (cmd) {
5527 	case IPC_INFO:
5528 	case SHM_INFO:
5529 		/* No specific object, just general system-wide information. */
5530 		return task_has_system(current, SYSTEM__IPC_INFO);
5531 	case IPC_STAT:
5532 	case SHM_STAT:
5533 		perms = SHM__GETATTR | SHM__ASSOCIATE;
5534 		break;
5535 	case IPC_SET:
5536 		perms = SHM__SETATTR;
5537 		break;
5538 	case SHM_LOCK:
5539 	case SHM_UNLOCK:
5540 		perms = SHM__LOCK;
5541 		break;
5542 	case IPC_RMID:
5543 		perms = SHM__DESTROY;
5544 		break;
5545 	default:
5546 		return 0;
5547 	}
5548 
5549 	err = ipc_has_perm(&shp->shm_perm, perms);
5550 	return err;
5551 }
5552 
5553 static int selinux_shm_shmat(struct shmid_kernel *shp,
5554 			     char __user *shmaddr, int shmflg)
5555 {
5556 	u32 perms;
5557 
5558 	if (shmflg & SHM_RDONLY)
5559 		perms = SHM__READ;
5560 	else
5561 		perms = SHM__READ | SHM__WRITE;
5562 
5563 	return ipc_has_perm(&shp->shm_perm, perms);
5564 }
5565 
5566 /* Semaphore security operations */
5567 static int selinux_sem_alloc_security(struct sem_array *sma)
5568 {
5569 	struct ipc_security_struct *isec;
5570 	struct common_audit_data ad;
5571 	u32 sid = current_sid();
5572 	int rc;
5573 
5574 	rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5575 	if (rc)
5576 		return rc;
5577 
5578 	isec = sma->sem_perm.security;
5579 
5580 	ad.type = LSM_AUDIT_DATA_IPC;
5581 	ad.u.ipc_id = sma->sem_perm.key;
5582 
5583 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5584 			  SEM__CREATE, &ad);
5585 	if (rc) {
5586 		ipc_free_security(&sma->sem_perm);
5587 		return rc;
5588 	}
5589 	return 0;
5590 }
5591 
5592 static void selinux_sem_free_security(struct sem_array *sma)
5593 {
5594 	ipc_free_security(&sma->sem_perm);
5595 }
5596 
5597 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5598 {
5599 	struct ipc_security_struct *isec;
5600 	struct common_audit_data ad;
5601 	u32 sid = current_sid();
5602 
5603 	isec = sma->sem_perm.security;
5604 
5605 	ad.type = LSM_AUDIT_DATA_IPC;
5606 	ad.u.ipc_id = sma->sem_perm.key;
5607 
5608 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5609 			    SEM__ASSOCIATE, &ad);
5610 }
5611 
5612 /* Note, at this point, sma is locked down */
5613 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5614 {
5615 	int err;
5616 	u32 perms;
5617 
5618 	switch (cmd) {
5619 	case IPC_INFO:
5620 	case SEM_INFO:
5621 		/* No specific object, just general system-wide information. */
5622 		return task_has_system(current, SYSTEM__IPC_INFO);
5623 	case GETPID:
5624 	case GETNCNT:
5625 	case GETZCNT:
5626 		perms = SEM__GETATTR;
5627 		break;
5628 	case GETVAL:
5629 	case GETALL:
5630 		perms = SEM__READ;
5631 		break;
5632 	case SETVAL:
5633 	case SETALL:
5634 		perms = SEM__WRITE;
5635 		break;
5636 	case IPC_RMID:
5637 		perms = SEM__DESTROY;
5638 		break;
5639 	case IPC_SET:
5640 		perms = SEM__SETATTR;
5641 		break;
5642 	case IPC_STAT:
5643 	case SEM_STAT:
5644 		perms = SEM__GETATTR | SEM__ASSOCIATE;
5645 		break;
5646 	default:
5647 		return 0;
5648 	}
5649 
5650 	err = ipc_has_perm(&sma->sem_perm, perms);
5651 	return err;
5652 }
5653 
5654 static int selinux_sem_semop(struct sem_array *sma,
5655 			     struct sembuf *sops, unsigned nsops, int alter)
5656 {
5657 	u32 perms;
5658 
5659 	if (alter)
5660 		perms = SEM__READ | SEM__WRITE;
5661 	else
5662 		perms = SEM__READ;
5663 
5664 	return ipc_has_perm(&sma->sem_perm, perms);
5665 }
5666 
5667 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5668 {
5669 	u32 av = 0;
5670 
5671 	av = 0;
5672 	if (flag & S_IRUGO)
5673 		av |= IPC__UNIX_READ;
5674 	if (flag & S_IWUGO)
5675 		av |= IPC__UNIX_WRITE;
5676 
5677 	if (av == 0)
5678 		return 0;
5679 
5680 	return ipc_has_perm(ipcp, av);
5681 }
5682 
5683 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5684 {
5685 	struct ipc_security_struct *isec = ipcp->security;
5686 	*secid = isec->sid;
5687 }
5688 
5689 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5690 {
5691 	if (inode)
5692 		inode_doinit_with_dentry(inode, dentry);
5693 }
5694 
5695 static int selinux_getprocattr(struct task_struct *p,
5696 			       char *name, char **value)
5697 {
5698 	const struct task_security_struct *__tsec;
5699 	u32 sid;
5700 	int error;
5701 	unsigned len;
5702 
5703 	if (current != p) {
5704 		error = current_has_perm(p, PROCESS__GETATTR);
5705 		if (error)
5706 			return error;
5707 	}
5708 
5709 	rcu_read_lock();
5710 	__tsec = __task_cred(p)->security;
5711 
5712 	if (!strcmp(name, "current"))
5713 		sid = __tsec->sid;
5714 	else if (!strcmp(name, "prev"))
5715 		sid = __tsec->osid;
5716 	else if (!strcmp(name, "exec"))
5717 		sid = __tsec->exec_sid;
5718 	else if (!strcmp(name, "fscreate"))
5719 		sid = __tsec->create_sid;
5720 	else if (!strcmp(name, "keycreate"))
5721 		sid = __tsec->keycreate_sid;
5722 	else if (!strcmp(name, "sockcreate"))
5723 		sid = __tsec->sockcreate_sid;
5724 	else
5725 		goto invalid;
5726 	rcu_read_unlock();
5727 
5728 	if (!sid)
5729 		return 0;
5730 
5731 	error = security_sid_to_context(sid, value, &len);
5732 	if (error)
5733 		return error;
5734 	return len;
5735 
5736 invalid:
5737 	rcu_read_unlock();
5738 	return -EINVAL;
5739 }
5740 
5741 static int selinux_setprocattr(struct task_struct *p,
5742 			       char *name, void *value, size_t size)
5743 {
5744 	struct task_security_struct *tsec;
5745 	struct cred *new;
5746 	u32 sid = 0, ptsid;
5747 	int error;
5748 	char *str = value;
5749 
5750 	if (current != p) {
5751 		/* SELinux only allows a process to change its own
5752 		   security attributes. */
5753 		return -EACCES;
5754 	}
5755 
5756 	/*
5757 	 * Basic control over ability to set these attributes at all.
5758 	 * current == p, but we'll pass them separately in case the
5759 	 * above restriction is ever removed.
5760 	 */
5761 	if (!strcmp(name, "exec"))
5762 		error = current_has_perm(p, PROCESS__SETEXEC);
5763 	else if (!strcmp(name, "fscreate"))
5764 		error = current_has_perm(p, PROCESS__SETFSCREATE);
5765 	else if (!strcmp(name, "keycreate"))
5766 		error = current_has_perm(p, PROCESS__SETKEYCREATE);
5767 	else if (!strcmp(name, "sockcreate"))
5768 		error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5769 	else if (!strcmp(name, "current"))
5770 		error = current_has_perm(p, PROCESS__SETCURRENT);
5771 	else
5772 		error = -EINVAL;
5773 	if (error)
5774 		return error;
5775 
5776 	/* Obtain a SID for the context, if one was specified. */
5777 	if (size && str[1] && str[1] != '\n') {
5778 		if (str[size-1] == '\n') {
5779 			str[size-1] = 0;
5780 			size--;
5781 		}
5782 		error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5783 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5784 			if (!capable(CAP_MAC_ADMIN)) {
5785 				struct audit_buffer *ab;
5786 				size_t audit_size;
5787 
5788 				/* We strip a nul only if it is at the end, otherwise the
5789 				 * context contains a nul and we should audit that */
5790 				if (str[size - 1] == '\0')
5791 					audit_size = size - 1;
5792 				else
5793 					audit_size = size;
5794 				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5795 				audit_log_format(ab, "op=fscreate invalid_context=");
5796 				audit_log_n_untrustedstring(ab, value, audit_size);
5797 				audit_log_end(ab);
5798 
5799 				return error;
5800 			}
5801 			error = security_context_to_sid_force(value, size,
5802 							      &sid);
5803 		}
5804 		if (error)
5805 			return error;
5806 	}
5807 
5808 	new = prepare_creds();
5809 	if (!new)
5810 		return -ENOMEM;
5811 
5812 	/* Permission checking based on the specified context is
5813 	   performed during the actual operation (execve,
5814 	   open/mkdir/...), when we know the full context of the
5815 	   operation.  See selinux_bprm_set_creds for the execve
5816 	   checks and may_create for the file creation checks. The
5817 	   operation will then fail if the context is not permitted. */
5818 	tsec = new->security;
5819 	if (!strcmp(name, "exec")) {
5820 		tsec->exec_sid = sid;
5821 	} else if (!strcmp(name, "fscreate")) {
5822 		tsec->create_sid = sid;
5823 	} else if (!strcmp(name, "keycreate")) {
5824 		error = may_create_key(sid, p);
5825 		if (error)
5826 			goto abort_change;
5827 		tsec->keycreate_sid = sid;
5828 	} else if (!strcmp(name, "sockcreate")) {
5829 		tsec->sockcreate_sid = sid;
5830 	} else if (!strcmp(name, "current")) {
5831 		error = -EINVAL;
5832 		if (sid == 0)
5833 			goto abort_change;
5834 
5835 		/* Only allow single threaded processes to change context */
5836 		error = -EPERM;
5837 		if (!current_is_single_threaded()) {
5838 			error = security_bounded_transition(tsec->sid, sid);
5839 			if (error)
5840 				goto abort_change;
5841 		}
5842 
5843 		/* Check permissions for the transition. */
5844 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5845 				     PROCESS__DYNTRANSITION, NULL);
5846 		if (error)
5847 			goto abort_change;
5848 
5849 		/* Check for ptracing, and update the task SID if ok.
5850 		   Otherwise, leave SID unchanged and fail. */
5851 		ptsid = ptrace_parent_sid(p);
5852 		if (ptsid != 0) {
5853 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5854 					     PROCESS__PTRACE, NULL);
5855 			if (error)
5856 				goto abort_change;
5857 		}
5858 
5859 		tsec->sid = sid;
5860 	} else {
5861 		error = -EINVAL;
5862 		goto abort_change;
5863 	}
5864 
5865 	commit_creds(new);
5866 	return size;
5867 
5868 abort_change:
5869 	abort_creds(new);
5870 	return error;
5871 }
5872 
5873 static int selinux_ismaclabel(const char *name)
5874 {
5875 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5876 }
5877 
5878 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5879 {
5880 	return security_sid_to_context(secid, secdata, seclen);
5881 }
5882 
5883 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5884 {
5885 	return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5886 }
5887 
5888 static void selinux_release_secctx(char *secdata, u32 seclen)
5889 {
5890 	kfree(secdata);
5891 }
5892 
5893 static void selinux_inode_invalidate_secctx(struct inode *inode)
5894 {
5895 	struct inode_security_struct *isec = inode->i_security;
5896 
5897 	mutex_lock(&isec->lock);
5898 	isec->initialized = LABEL_INVALID;
5899 	mutex_unlock(&isec->lock);
5900 }
5901 
5902 /*
5903  *	called with inode->i_mutex locked
5904  */
5905 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5906 {
5907 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5908 }
5909 
5910 /*
5911  *	called with inode->i_mutex locked
5912  */
5913 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5914 {
5915 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5916 }
5917 
5918 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5919 {
5920 	int len = 0;
5921 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5922 						ctx, true);
5923 	if (len < 0)
5924 		return len;
5925 	*ctxlen = len;
5926 	return 0;
5927 }
5928 #ifdef CONFIG_KEYS
5929 
5930 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5931 			     unsigned long flags)
5932 {
5933 	const struct task_security_struct *tsec;
5934 	struct key_security_struct *ksec;
5935 
5936 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5937 	if (!ksec)
5938 		return -ENOMEM;
5939 
5940 	tsec = cred->security;
5941 	if (tsec->keycreate_sid)
5942 		ksec->sid = tsec->keycreate_sid;
5943 	else
5944 		ksec->sid = tsec->sid;
5945 
5946 	k->security = ksec;
5947 	return 0;
5948 }
5949 
5950 static void selinux_key_free(struct key *k)
5951 {
5952 	struct key_security_struct *ksec = k->security;
5953 
5954 	k->security = NULL;
5955 	kfree(ksec);
5956 }
5957 
5958 static int selinux_key_permission(key_ref_t key_ref,
5959 				  const struct cred *cred,
5960 				  unsigned perm)
5961 {
5962 	struct key *key;
5963 	struct key_security_struct *ksec;
5964 	u32 sid;
5965 
5966 	/* if no specific permissions are requested, we skip the
5967 	   permission check. No serious, additional covert channels
5968 	   appear to be created. */
5969 	if (perm == 0)
5970 		return 0;
5971 
5972 	sid = cred_sid(cred);
5973 
5974 	key = key_ref_to_ptr(key_ref);
5975 	ksec = key->security;
5976 
5977 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5978 }
5979 
5980 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5981 {
5982 	struct key_security_struct *ksec = key->security;
5983 	char *context = NULL;
5984 	unsigned len;
5985 	int rc;
5986 
5987 	rc = security_sid_to_context(ksec->sid, &context, &len);
5988 	if (!rc)
5989 		rc = len;
5990 	*_buffer = context;
5991 	return rc;
5992 }
5993 
5994 #endif
5995 
5996 static struct security_hook_list selinux_hooks[] = {
5997 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
5998 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
5999 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6000 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6001 
6002 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6003 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6004 	LSM_HOOK_INIT(capget, selinux_capget),
6005 	LSM_HOOK_INIT(capset, selinux_capset),
6006 	LSM_HOOK_INIT(capable, selinux_capable),
6007 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6008 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6009 	LSM_HOOK_INIT(syslog, selinux_syslog),
6010 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6011 
6012 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6013 
6014 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6015 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6016 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6017 	LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6018 
6019 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6020 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6021 	LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6022 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6023 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6024 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6025 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6026 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6027 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6028 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6029 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6030 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6031 
6032 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6033 
6034 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6035 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6036 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6037 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6038 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6039 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6040 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6041 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6042 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6043 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6044 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6045 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6046 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6047 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6048 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6049 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6050 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6051 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6052 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6053 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6054 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6055 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6056 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6057 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6058 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6059 
6060 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6061 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6062 	LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6063 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6064 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6065 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6066 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6067 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6068 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6069 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6070 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6071 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6072 
6073 	LSM_HOOK_INIT(file_open, selinux_file_open),
6074 
6075 	LSM_HOOK_INIT(task_create, selinux_task_create),
6076 	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6077 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
6078 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6079 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6080 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6081 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6082 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6083 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6084 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6085 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6086 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6087 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6088 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6089 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6090 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6091 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6092 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6093 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6094 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6095 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
6096 	LSM_HOOK_INIT(task_wait, selinux_task_wait),
6097 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6098 
6099 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6100 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6101 
6102 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6103 	LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6104 
6105 	LSM_HOOK_INIT(msg_queue_alloc_security,
6106 			selinux_msg_queue_alloc_security),
6107 	LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6108 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6109 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6110 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6111 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6112 
6113 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6114 	LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6115 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6116 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6117 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6118 
6119 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6120 	LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6121 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6122 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6123 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6124 
6125 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6126 
6127 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6128 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6129 
6130 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6131 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6132 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6133 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6134 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6135 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6136 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6137 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6138 
6139 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6140 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6141 
6142 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
6143 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6144 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6145 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6146 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6147 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6148 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6149 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6150 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6151 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6152 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6153 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6154 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6155 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6156 	LSM_HOOK_INIT(socket_getpeersec_stream,
6157 			selinux_socket_getpeersec_stream),
6158 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6159 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6160 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6161 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6162 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6163 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6164 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6165 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6166 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6167 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6168 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6169 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6170 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6171 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6172 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6173 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6174 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6175 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6176 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6177 
6178 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6179 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6180 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6181 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6182 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6183 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6184 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6185 			selinux_xfrm_state_alloc_acquire),
6186 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6187 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6188 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6189 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6190 			selinux_xfrm_state_pol_flow_match),
6191 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6192 #endif
6193 
6194 #ifdef CONFIG_KEYS
6195 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6196 	LSM_HOOK_INIT(key_free, selinux_key_free),
6197 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
6198 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6199 #endif
6200 
6201 #ifdef CONFIG_AUDIT
6202 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6203 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6204 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6205 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6206 #endif
6207 };
6208 
6209 static __init int selinux_init(void)
6210 {
6211 	if (!security_module_enable("selinux")) {
6212 		selinux_enabled = 0;
6213 		return 0;
6214 	}
6215 
6216 	if (!selinux_enabled) {
6217 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
6218 		return 0;
6219 	}
6220 
6221 	printk(KERN_INFO "SELinux:  Initializing.\n");
6222 
6223 	/* Set the security state for the initial task. */
6224 	cred_init_security();
6225 
6226 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6227 
6228 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
6229 					    sizeof(struct inode_security_struct),
6230 					    0, SLAB_PANIC, NULL);
6231 	file_security_cache = kmem_cache_create("selinux_file_security",
6232 					    sizeof(struct file_security_struct),
6233 					    0, SLAB_PANIC, NULL);
6234 	avc_init();
6235 
6236 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6237 
6238 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6239 		panic("SELinux: Unable to register AVC netcache callback\n");
6240 
6241 	if (selinux_enforcing)
6242 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6243 	else
6244 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6245 
6246 	return 0;
6247 }
6248 
6249 static void delayed_superblock_init(struct super_block *sb, void *unused)
6250 {
6251 	superblock_doinit(sb, NULL);
6252 }
6253 
6254 void selinux_complete_init(void)
6255 {
6256 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6257 
6258 	/* Set up any superblocks initialized prior to the policy load. */
6259 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6260 	iterate_supers(delayed_superblock_init, NULL);
6261 }
6262 
6263 /* SELinux requires early initialization in order to label
6264    all processes and objects when they are created. */
6265 security_initcall(selinux_init);
6266 
6267 #if defined(CONFIG_NETFILTER)
6268 
6269 static struct nf_hook_ops selinux_nf_ops[] = {
6270 	{
6271 		.hook =		selinux_ipv4_postroute,
6272 		.pf =		NFPROTO_IPV4,
6273 		.hooknum =	NF_INET_POST_ROUTING,
6274 		.priority =	NF_IP_PRI_SELINUX_LAST,
6275 	},
6276 	{
6277 		.hook =		selinux_ipv4_forward,
6278 		.pf =		NFPROTO_IPV4,
6279 		.hooknum =	NF_INET_FORWARD,
6280 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6281 	},
6282 	{
6283 		.hook =		selinux_ipv4_output,
6284 		.pf =		NFPROTO_IPV4,
6285 		.hooknum =	NF_INET_LOCAL_OUT,
6286 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6287 	},
6288 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6289 	{
6290 		.hook =		selinux_ipv6_postroute,
6291 		.pf =		NFPROTO_IPV6,
6292 		.hooknum =	NF_INET_POST_ROUTING,
6293 		.priority =	NF_IP6_PRI_SELINUX_LAST,
6294 	},
6295 	{
6296 		.hook =		selinux_ipv6_forward,
6297 		.pf =		NFPROTO_IPV6,
6298 		.hooknum =	NF_INET_FORWARD,
6299 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6300 	},
6301 #endif	/* IPV6 */
6302 };
6303 
6304 static int __init selinux_nf_ip_init(void)
6305 {
6306 	int err;
6307 
6308 	if (!selinux_enabled)
6309 		return 0;
6310 
6311 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6312 
6313 	err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6314 	if (err)
6315 		panic("SELinux: nf_register_hooks: error %d\n", err);
6316 
6317 	return 0;
6318 }
6319 
6320 __initcall(selinux_nf_ip_init);
6321 
6322 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6323 static void selinux_nf_ip_exit(void)
6324 {
6325 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6326 
6327 	nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6328 }
6329 #endif
6330 
6331 #else /* CONFIG_NETFILTER */
6332 
6333 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6334 #define selinux_nf_ip_exit()
6335 #endif
6336 
6337 #endif /* CONFIG_NETFILTER */
6338 
6339 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6340 static int selinux_disabled;
6341 
6342 int selinux_disable(void)
6343 {
6344 	if (ss_initialized) {
6345 		/* Not permitted after initial policy load. */
6346 		return -EINVAL;
6347 	}
6348 
6349 	if (selinux_disabled) {
6350 		/* Only do this once. */
6351 		return -EINVAL;
6352 	}
6353 
6354 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6355 
6356 	selinux_disabled = 1;
6357 	selinux_enabled = 0;
6358 
6359 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6360 
6361 	/* Try to destroy the avc node cache */
6362 	avc_disable();
6363 
6364 	/* Unregister netfilter hooks. */
6365 	selinux_nf_ip_exit();
6366 
6367 	/* Unregister selinuxfs. */
6368 	exit_sel_fs();
6369 
6370 	return 0;
6371 }
6372 #endif
6373