xref: /linux/security/selinux/hooks.c (revision 615e51fdda6f274e94b1e905fcaf6111e0d9aa20)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *	This program is free software; you can redistribute it and/or modify
22  *	it under the terms of the GNU General Public License version 2,
23  *	as published by the Free Software Foundation.
24  */
25 
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>		/* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h>		/* for Unix socket types */
71 #include <net/af_unix.h>	/* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87 
88 #include "avc.h"
89 #include "objsec.h"
90 #include "netif.h"
91 #include "netnode.h"
92 #include "netport.h"
93 #include "xfrm.h"
94 #include "netlabel.h"
95 #include "audit.h"
96 #include "avc_ss.h"
97 
98 extern struct security_operations *security_ops;
99 
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105 
106 static int __init enforcing_setup(char *str)
107 {
108 	unsigned long enforcing;
109 	if (!kstrtoul(str, 0, &enforcing))
110 		selinux_enforcing = enforcing ? 1 : 0;
111 	return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115 
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118 
119 static int __init selinux_enabled_setup(char *str)
120 {
121 	unsigned long enabled;
122 	if (!kstrtoul(str, 0, &enabled))
123 		selinux_enabled = enabled ? 1 : 0;
124 	return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130 
131 static struct kmem_cache *sel_inode_cache;
132 
133 /**
134  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135  *
136  * Description:
137  * This function checks the SECMARK reference counter to see if any SECMARK
138  * targets are currently configured, if the reference counter is greater than
139  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
140  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
141  * policy capability is enabled, SECMARK is always considered enabled.
142  *
143  */
144 static int selinux_secmark_enabled(void)
145 {
146 	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
147 }
148 
149 /**
150  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151  *
152  * Description:
153  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
154  * (1) if any are enabled or false (0) if neither are enabled.  If the
155  * always_check_network policy capability is enabled, peer labeling
156  * is always considered enabled.
157  *
158  */
159 static int selinux_peerlbl_enabled(void)
160 {
161 	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 }
163 
164 static int selinux_netcache_avc_callback(u32 event)
165 {
166 	if (event == AVC_CALLBACK_RESET) {
167 		sel_netif_flush();
168 		sel_netnode_flush();
169 		sel_netport_flush();
170 		synchronize_net();
171 	}
172 	return 0;
173 }
174 
175 /*
176  * initialise the security for the init task
177  */
178 static void cred_init_security(void)
179 {
180 	struct cred *cred = (struct cred *) current->real_cred;
181 	struct task_security_struct *tsec;
182 
183 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
184 	if (!tsec)
185 		panic("SELinux:  Failed to initialize initial task.\n");
186 
187 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
188 	cred->security = tsec;
189 }
190 
191 /*
192  * get the security ID of a set of credentials
193  */
194 static inline u32 cred_sid(const struct cred *cred)
195 {
196 	const struct task_security_struct *tsec;
197 
198 	tsec = cred->security;
199 	return tsec->sid;
200 }
201 
202 /*
203  * get the objective security ID of a task
204  */
205 static inline u32 task_sid(const struct task_struct *task)
206 {
207 	u32 sid;
208 
209 	rcu_read_lock();
210 	sid = cred_sid(__task_cred(task));
211 	rcu_read_unlock();
212 	return sid;
213 }
214 
215 /*
216  * get the subjective security ID of the current task
217  */
218 static inline u32 current_sid(void)
219 {
220 	const struct task_security_struct *tsec = current_security();
221 
222 	return tsec->sid;
223 }
224 
225 /* Allocate and free functions for each kind of security blob. */
226 
227 static int inode_alloc_security(struct inode *inode)
228 {
229 	struct inode_security_struct *isec;
230 	u32 sid = current_sid();
231 
232 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
233 	if (!isec)
234 		return -ENOMEM;
235 
236 	mutex_init(&isec->lock);
237 	INIT_LIST_HEAD(&isec->list);
238 	isec->inode = inode;
239 	isec->sid = SECINITSID_UNLABELED;
240 	isec->sclass = SECCLASS_FILE;
241 	isec->task_sid = sid;
242 	inode->i_security = isec;
243 
244 	return 0;
245 }
246 
247 static void inode_free_rcu(struct rcu_head *head)
248 {
249 	struct inode_security_struct *isec;
250 
251 	isec = container_of(head, struct inode_security_struct, rcu);
252 	kmem_cache_free(sel_inode_cache, isec);
253 }
254 
255 static void inode_free_security(struct inode *inode)
256 {
257 	struct inode_security_struct *isec = inode->i_security;
258 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
259 
260 	spin_lock(&sbsec->isec_lock);
261 	if (!list_empty(&isec->list))
262 		list_del_init(&isec->list);
263 	spin_unlock(&sbsec->isec_lock);
264 
265 	/*
266 	 * The inode may still be referenced in a path walk and
267 	 * a call to selinux_inode_permission() can be made
268 	 * after inode_free_security() is called. Ideally, the VFS
269 	 * wouldn't do this, but fixing that is a much harder
270 	 * job. For now, simply free the i_security via RCU, and
271 	 * leave the current inode->i_security pointer intact.
272 	 * The inode will be freed after the RCU grace period too.
273 	 */
274 	call_rcu(&isec->rcu, inode_free_rcu);
275 }
276 
277 static int file_alloc_security(struct file *file)
278 {
279 	struct file_security_struct *fsec;
280 	u32 sid = current_sid();
281 
282 	fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
283 	if (!fsec)
284 		return -ENOMEM;
285 
286 	fsec->sid = sid;
287 	fsec->fown_sid = sid;
288 	file->f_security = fsec;
289 
290 	return 0;
291 }
292 
293 static void file_free_security(struct file *file)
294 {
295 	struct file_security_struct *fsec = file->f_security;
296 	file->f_security = NULL;
297 	kfree(fsec);
298 }
299 
300 static int superblock_alloc_security(struct super_block *sb)
301 {
302 	struct superblock_security_struct *sbsec;
303 
304 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
305 	if (!sbsec)
306 		return -ENOMEM;
307 
308 	mutex_init(&sbsec->lock);
309 	INIT_LIST_HEAD(&sbsec->isec_head);
310 	spin_lock_init(&sbsec->isec_lock);
311 	sbsec->sb = sb;
312 	sbsec->sid = SECINITSID_UNLABELED;
313 	sbsec->def_sid = SECINITSID_FILE;
314 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
315 	sb->s_security = sbsec;
316 
317 	return 0;
318 }
319 
320 static void superblock_free_security(struct super_block *sb)
321 {
322 	struct superblock_security_struct *sbsec = sb->s_security;
323 	sb->s_security = NULL;
324 	kfree(sbsec);
325 }
326 
327 /* The file system's label must be initialized prior to use. */
328 
329 static const char *labeling_behaviors[7] = {
330 	"uses xattr",
331 	"uses transition SIDs",
332 	"uses task SIDs",
333 	"uses genfs_contexts",
334 	"not configured for labeling",
335 	"uses mountpoint labeling",
336 	"uses native labeling",
337 };
338 
339 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
340 
341 static inline int inode_doinit(struct inode *inode)
342 {
343 	return inode_doinit_with_dentry(inode, NULL);
344 }
345 
346 enum {
347 	Opt_error = -1,
348 	Opt_context = 1,
349 	Opt_fscontext = 2,
350 	Opt_defcontext = 3,
351 	Opt_rootcontext = 4,
352 	Opt_labelsupport = 5,
353 	Opt_nextmntopt = 6,
354 };
355 
356 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
357 
358 static const match_table_t tokens = {
359 	{Opt_context, CONTEXT_STR "%s"},
360 	{Opt_fscontext, FSCONTEXT_STR "%s"},
361 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
362 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363 	{Opt_labelsupport, LABELSUPP_STR},
364 	{Opt_error, NULL},
365 };
366 
367 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
368 
369 static int may_context_mount_sb_relabel(u32 sid,
370 			struct superblock_security_struct *sbsec,
371 			const struct cred *cred)
372 {
373 	const struct task_security_struct *tsec = cred->security;
374 	int rc;
375 
376 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
377 			  FILESYSTEM__RELABELFROM, NULL);
378 	if (rc)
379 		return rc;
380 
381 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
382 			  FILESYSTEM__RELABELTO, NULL);
383 	return rc;
384 }
385 
386 static int may_context_mount_inode_relabel(u32 sid,
387 			struct superblock_security_struct *sbsec,
388 			const struct cred *cred)
389 {
390 	const struct task_security_struct *tsec = cred->security;
391 	int rc;
392 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
393 			  FILESYSTEM__RELABELFROM, NULL);
394 	if (rc)
395 		return rc;
396 
397 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
398 			  FILESYSTEM__ASSOCIATE, NULL);
399 	return rc;
400 }
401 
402 static int selinux_is_sblabel_mnt(struct super_block *sb)
403 {
404 	struct superblock_security_struct *sbsec = sb->s_security;
405 
406 	if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
407 	    sbsec->behavior == SECURITY_FS_USE_TRANS ||
408 	    sbsec->behavior == SECURITY_FS_USE_TASK)
409 		return 1;
410 
411 	/* Special handling for sysfs. Is genfs but also has setxattr handler*/
412 	if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
413 		return 1;
414 
415 	/*
416 	 * Special handling for rootfs. Is genfs but supports
417 	 * setting SELinux context on in-core inodes.
418 	 */
419 	if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
420 		return 1;
421 
422 	return 0;
423 }
424 
425 static int sb_finish_set_opts(struct super_block *sb)
426 {
427 	struct superblock_security_struct *sbsec = sb->s_security;
428 	struct dentry *root = sb->s_root;
429 	struct inode *root_inode = root->d_inode;
430 	int rc = 0;
431 
432 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
433 		/* Make sure that the xattr handler exists and that no
434 		   error other than -ENODATA is returned by getxattr on
435 		   the root directory.  -ENODATA is ok, as this may be
436 		   the first boot of the SELinux kernel before we have
437 		   assigned xattr values to the filesystem. */
438 		if (!root_inode->i_op->getxattr) {
439 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
440 			       "xattr support\n", sb->s_id, sb->s_type->name);
441 			rc = -EOPNOTSUPP;
442 			goto out;
443 		}
444 		rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
445 		if (rc < 0 && rc != -ENODATA) {
446 			if (rc == -EOPNOTSUPP)
447 				printk(KERN_WARNING "SELinux: (dev %s, type "
448 				       "%s) has no security xattr handler\n",
449 				       sb->s_id, sb->s_type->name);
450 			else
451 				printk(KERN_WARNING "SELinux: (dev %s, type "
452 				       "%s) getxattr errno %d\n", sb->s_id,
453 				       sb->s_type->name, -rc);
454 			goto out;
455 		}
456 	}
457 
458 	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
459 		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
460 		       sb->s_id, sb->s_type->name);
461 	else
462 		printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
463 		       sb->s_id, sb->s_type->name,
464 		       labeling_behaviors[sbsec->behavior-1]);
465 
466 	sbsec->flags |= SE_SBINITIALIZED;
467 	if (selinux_is_sblabel_mnt(sb))
468 		sbsec->flags |= SBLABEL_MNT;
469 
470 	/* Initialize the root inode. */
471 	rc = inode_doinit_with_dentry(root_inode, root);
472 
473 	/* Initialize any other inodes associated with the superblock, e.g.
474 	   inodes created prior to initial policy load or inodes created
475 	   during get_sb by a pseudo filesystem that directly
476 	   populates itself. */
477 	spin_lock(&sbsec->isec_lock);
478 next_inode:
479 	if (!list_empty(&sbsec->isec_head)) {
480 		struct inode_security_struct *isec =
481 				list_entry(sbsec->isec_head.next,
482 					   struct inode_security_struct, list);
483 		struct inode *inode = isec->inode;
484 		spin_unlock(&sbsec->isec_lock);
485 		inode = igrab(inode);
486 		if (inode) {
487 			if (!IS_PRIVATE(inode))
488 				inode_doinit(inode);
489 			iput(inode);
490 		}
491 		spin_lock(&sbsec->isec_lock);
492 		list_del_init(&isec->list);
493 		goto next_inode;
494 	}
495 	spin_unlock(&sbsec->isec_lock);
496 out:
497 	return rc;
498 }
499 
500 /*
501  * This function should allow an FS to ask what it's mount security
502  * options were so it can use those later for submounts, displaying
503  * mount options, or whatever.
504  */
505 static int selinux_get_mnt_opts(const struct super_block *sb,
506 				struct security_mnt_opts *opts)
507 {
508 	int rc = 0, i;
509 	struct superblock_security_struct *sbsec = sb->s_security;
510 	char *context = NULL;
511 	u32 len;
512 	char tmp;
513 
514 	security_init_mnt_opts(opts);
515 
516 	if (!(sbsec->flags & SE_SBINITIALIZED))
517 		return -EINVAL;
518 
519 	if (!ss_initialized)
520 		return -EINVAL;
521 
522 	/* make sure we always check enough bits to cover the mask */
523 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
524 
525 	tmp = sbsec->flags & SE_MNTMASK;
526 	/* count the number of mount options for this sb */
527 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
528 		if (tmp & 0x01)
529 			opts->num_mnt_opts++;
530 		tmp >>= 1;
531 	}
532 	/* Check if the Label support flag is set */
533 	if (sbsec->flags & SBLABEL_MNT)
534 		opts->num_mnt_opts++;
535 
536 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
537 	if (!opts->mnt_opts) {
538 		rc = -ENOMEM;
539 		goto out_free;
540 	}
541 
542 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
543 	if (!opts->mnt_opts_flags) {
544 		rc = -ENOMEM;
545 		goto out_free;
546 	}
547 
548 	i = 0;
549 	if (sbsec->flags & FSCONTEXT_MNT) {
550 		rc = security_sid_to_context(sbsec->sid, &context, &len);
551 		if (rc)
552 			goto out_free;
553 		opts->mnt_opts[i] = context;
554 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
555 	}
556 	if (sbsec->flags & CONTEXT_MNT) {
557 		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
558 		if (rc)
559 			goto out_free;
560 		opts->mnt_opts[i] = context;
561 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
562 	}
563 	if (sbsec->flags & DEFCONTEXT_MNT) {
564 		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
565 		if (rc)
566 			goto out_free;
567 		opts->mnt_opts[i] = context;
568 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
569 	}
570 	if (sbsec->flags & ROOTCONTEXT_MNT) {
571 		struct inode *root = sbsec->sb->s_root->d_inode;
572 		struct inode_security_struct *isec = root->i_security;
573 
574 		rc = security_sid_to_context(isec->sid, &context, &len);
575 		if (rc)
576 			goto out_free;
577 		opts->mnt_opts[i] = context;
578 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
579 	}
580 	if (sbsec->flags & SBLABEL_MNT) {
581 		opts->mnt_opts[i] = NULL;
582 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
583 	}
584 
585 	BUG_ON(i != opts->num_mnt_opts);
586 
587 	return 0;
588 
589 out_free:
590 	security_free_mnt_opts(opts);
591 	return rc;
592 }
593 
594 static int bad_option(struct superblock_security_struct *sbsec, char flag,
595 		      u32 old_sid, u32 new_sid)
596 {
597 	char mnt_flags = sbsec->flags & SE_MNTMASK;
598 
599 	/* check if the old mount command had the same options */
600 	if (sbsec->flags & SE_SBINITIALIZED)
601 		if (!(sbsec->flags & flag) ||
602 		    (old_sid != new_sid))
603 			return 1;
604 
605 	/* check if we were passed the same options twice,
606 	 * aka someone passed context=a,context=b
607 	 */
608 	if (!(sbsec->flags & SE_SBINITIALIZED))
609 		if (mnt_flags & flag)
610 			return 1;
611 	return 0;
612 }
613 
614 /*
615  * Allow filesystems with binary mount data to explicitly set mount point
616  * labeling information.
617  */
618 static int selinux_set_mnt_opts(struct super_block *sb,
619 				struct security_mnt_opts *opts,
620 				unsigned long kern_flags,
621 				unsigned long *set_kern_flags)
622 {
623 	const struct cred *cred = current_cred();
624 	int rc = 0, i;
625 	struct superblock_security_struct *sbsec = sb->s_security;
626 	const char *name = sb->s_type->name;
627 	struct inode *inode = sbsec->sb->s_root->d_inode;
628 	struct inode_security_struct *root_isec = inode->i_security;
629 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
630 	u32 defcontext_sid = 0;
631 	char **mount_options = opts->mnt_opts;
632 	int *flags = opts->mnt_opts_flags;
633 	int num_opts = opts->num_mnt_opts;
634 
635 	mutex_lock(&sbsec->lock);
636 
637 	if (!ss_initialized) {
638 		if (!num_opts) {
639 			/* Defer initialization until selinux_complete_init,
640 			   after the initial policy is loaded and the security
641 			   server is ready to handle calls. */
642 			goto out;
643 		}
644 		rc = -EINVAL;
645 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
646 			"before the security server is initialized\n");
647 		goto out;
648 	}
649 	if (kern_flags && !set_kern_flags) {
650 		/* Specifying internal flags without providing a place to
651 		 * place the results is not allowed */
652 		rc = -EINVAL;
653 		goto out;
654 	}
655 
656 	/*
657 	 * Binary mount data FS will come through this function twice.  Once
658 	 * from an explicit call and once from the generic calls from the vfs.
659 	 * Since the generic VFS calls will not contain any security mount data
660 	 * we need to skip the double mount verification.
661 	 *
662 	 * This does open a hole in which we will not notice if the first
663 	 * mount using this sb set explict options and a second mount using
664 	 * this sb does not set any security options.  (The first options
665 	 * will be used for both mounts)
666 	 */
667 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
668 	    && (num_opts == 0))
669 		goto out;
670 
671 	/*
672 	 * parse the mount options, check if they are valid sids.
673 	 * also check if someone is trying to mount the same sb more
674 	 * than once with different security options.
675 	 */
676 	for (i = 0; i < num_opts; i++) {
677 		u32 sid;
678 
679 		if (flags[i] == SBLABEL_MNT)
680 			continue;
681 		rc = security_context_to_sid(mount_options[i],
682 					     strlen(mount_options[i]), &sid, GFP_KERNEL);
683 		if (rc) {
684 			printk(KERN_WARNING "SELinux: security_context_to_sid"
685 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
686 			       mount_options[i], sb->s_id, name, rc);
687 			goto out;
688 		}
689 		switch (flags[i]) {
690 		case FSCONTEXT_MNT:
691 			fscontext_sid = sid;
692 
693 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
694 					fscontext_sid))
695 				goto out_double_mount;
696 
697 			sbsec->flags |= FSCONTEXT_MNT;
698 			break;
699 		case CONTEXT_MNT:
700 			context_sid = sid;
701 
702 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
703 					context_sid))
704 				goto out_double_mount;
705 
706 			sbsec->flags |= CONTEXT_MNT;
707 			break;
708 		case ROOTCONTEXT_MNT:
709 			rootcontext_sid = sid;
710 
711 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
712 					rootcontext_sid))
713 				goto out_double_mount;
714 
715 			sbsec->flags |= ROOTCONTEXT_MNT;
716 
717 			break;
718 		case DEFCONTEXT_MNT:
719 			defcontext_sid = sid;
720 
721 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
722 					defcontext_sid))
723 				goto out_double_mount;
724 
725 			sbsec->flags |= DEFCONTEXT_MNT;
726 
727 			break;
728 		default:
729 			rc = -EINVAL;
730 			goto out;
731 		}
732 	}
733 
734 	if (sbsec->flags & SE_SBINITIALIZED) {
735 		/* previously mounted with options, but not on this attempt? */
736 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
737 			goto out_double_mount;
738 		rc = 0;
739 		goto out;
740 	}
741 
742 	if (strcmp(sb->s_type->name, "proc") == 0)
743 		sbsec->flags |= SE_SBPROC;
744 
745 	if (!sbsec->behavior) {
746 		/*
747 		 * Determine the labeling behavior to use for this
748 		 * filesystem type.
749 		 */
750 		rc = security_fs_use(sb);
751 		if (rc) {
752 			printk(KERN_WARNING
753 				"%s: security_fs_use(%s) returned %d\n",
754 					__func__, sb->s_type->name, rc);
755 			goto out;
756 		}
757 	}
758 	/* sets the context of the superblock for the fs being mounted. */
759 	if (fscontext_sid) {
760 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
761 		if (rc)
762 			goto out;
763 
764 		sbsec->sid = fscontext_sid;
765 	}
766 
767 	/*
768 	 * Switch to using mount point labeling behavior.
769 	 * sets the label used on all file below the mountpoint, and will set
770 	 * the superblock context if not already set.
771 	 */
772 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
773 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
774 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
775 	}
776 
777 	if (context_sid) {
778 		if (!fscontext_sid) {
779 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
780 							  cred);
781 			if (rc)
782 				goto out;
783 			sbsec->sid = context_sid;
784 		} else {
785 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
786 							     cred);
787 			if (rc)
788 				goto out;
789 		}
790 		if (!rootcontext_sid)
791 			rootcontext_sid = context_sid;
792 
793 		sbsec->mntpoint_sid = context_sid;
794 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
795 	}
796 
797 	if (rootcontext_sid) {
798 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
799 						     cred);
800 		if (rc)
801 			goto out;
802 
803 		root_isec->sid = rootcontext_sid;
804 		root_isec->initialized = 1;
805 	}
806 
807 	if (defcontext_sid) {
808 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
809 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
810 			rc = -EINVAL;
811 			printk(KERN_WARNING "SELinux: defcontext option is "
812 			       "invalid for this filesystem type\n");
813 			goto out;
814 		}
815 
816 		if (defcontext_sid != sbsec->def_sid) {
817 			rc = may_context_mount_inode_relabel(defcontext_sid,
818 							     sbsec, cred);
819 			if (rc)
820 				goto out;
821 		}
822 
823 		sbsec->def_sid = defcontext_sid;
824 	}
825 
826 	rc = sb_finish_set_opts(sb);
827 out:
828 	mutex_unlock(&sbsec->lock);
829 	return rc;
830 out_double_mount:
831 	rc = -EINVAL;
832 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
833 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
834 	goto out;
835 }
836 
837 static int selinux_cmp_sb_context(const struct super_block *oldsb,
838 				    const struct super_block *newsb)
839 {
840 	struct superblock_security_struct *old = oldsb->s_security;
841 	struct superblock_security_struct *new = newsb->s_security;
842 	char oldflags = old->flags & SE_MNTMASK;
843 	char newflags = new->flags & SE_MNTMASK;
844 
845 	if (oldflags != newflags)
846 		goto mismatch;
847 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
848 		goto mismatch;
849 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
850 		goto mismatch;
851 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
852 		goto mismatch;
853 	if (oldflags & ROOTCONTEXT_MNT) {
854 		struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
855 		struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
856 		if (oldroot->sid != newroot->sid)
857 			goto mismatch;
858 	}
859 	return 0;
860 mismatch:
861 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
862 			    "different security settings for (dev %s, "
863 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
864 	return -EBUSY;
865 }
866 
867 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
868 					struct super_block *newsb)
869 {
870 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
871 	struct superblock_security_struct *newsbsec = newsb->s_security;
872 
873 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
874 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
875 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
876 
877 	/*
878 	 * if the parent was able to be mounted it clearly had no special lsm
879 	 * mount options.  thus we can safely deal with this superblock later
880 	 */
881 	if (!ss_initialized)
882 		return 0;
883 
884 	/* how can we clone if the old one wasn't set up?? */
885 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
886 
887 	/* if fs is reusing a sb, make sure that the contexts match */
888 	if (newsbsec->flags & SE_SBINITIALIZED)
889 		return selinux_cmp_sb_context(oldsb, newsb);
890 
891 	mutex_lock(&newsbsec->lock);
892 
893 	newsbsec->flags = oldsbsec->flags;
894 
895 	newsbsec->sid = oldsbsec->sid;
896 	newsbsec->def_sid = oldsbsec->def_sid;
897 	newsbsec->behavior = oldsbsec->behavior;
898 
899 	if (set_context) {
900 		u32 sid = oldsbsec->mntpoint_sid;
901 
902 		if (!set_fscontext)
903 			newsbsec->sid = sid;
904 		if (!set_rootcontext) {
905 			struct inode *newinode = newsb->s_root->d_inode;
906 			struct inode_security_struct *newisec = newinode->i_security;
907 			newisec->sid = sid;
908 		}
909 		newsbsec->mntpoint_sid = sid;
910 	}
911 	if (set_rootcontext) {
912 		const struct inode *oldinode = oldsb->s_root->d_inode;
913 		const struct inode_security_struct *oldisec = oldinode->i_security;
914 		struct inode *newinode = newsb->s_root->d_inode;
915 		struct inode_security_struct *newisec = newinode->i_security;
916 
917 		newisec->sid = oldisec->sid;
918 	}
919 
920 	sb_finish_set_opts(newsb);
921 	mutex_unlock(&newsbsec->lock);
922 	return 0;
923 }
924 
925 static int selinux_parse_opts_str(char *options,
926 				  struct security_mnt_opts *opts)
927 {
928 	char *p;
929 	char *context = NULL, *defcontext = NULL;
930 	char *fscontext = NULL, *rootcontext = NULL;
931 	int rc, num_mnt_opts = 0;
932 
933 	opts->num_mnt_opts = 0;
934 
935 	/* Standard string-based options. */
936 	while ((p = strsep(&options, "|")) != NULL) {
937 		int token;
938 		substring_t args[MAX_OPT_ARGS];
939 
940 		if (!*p)
941 			continue;
942 
943 		token = match_token(p, tokens, args);
944 
945 		switch (token) {
946 		case Opt_context:
947 			if (context || defcontext) {
948 				rc = -EINVAL;
949 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
950 				goto out_err;
951 			}
952 			context = match_strdup(&args[0]);
953 			if (!context) {
954 				rc = -ENOMEM;
955 				goto out_err;
956 			}
957 			break;
958 
959 		case Opt_fscontext:
960 			if (fscontext) {
961 				rc = -EINVAL;
962 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
963 				goto out_err;
964 			}
965 			fscontext = match_strdup(&args[0]);
966 			if (!fscontext) {
967 				rc = -ENOMEM;
968 				goto out_err;
969 			}
970 			break;
971 
972 		case Opt_rootcontext:
973 			if (rootcontext) {
974 				rc = -EINVAL;
975 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
976 				goto out_err;
977 			}
978 			rootcontext = match_strdup(&args[0]);
979 			if (!rootcontext) {
980 				rc = -ENOMEM;
981 				goto out_err;
982 			}
983 			break;
984 
985 		case Opt_defcontext:
986 			if (context || defcontext) {
987 				rc = -EINVAL;
988 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
989 				goto out_err;
990 			}
991 			defcontext = match_strdup(&args[0]);
992 			if (!defcontext) {
993 				rc = -ENOMEM;
994 				goto out_err;
995 			}
996 			break;
997 		case Opt_labelsupport:
998 			break;
999 		default:
1000 			rc = -EINVAL;
1001 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
1002 			goto out_err;
1003 
1004 		}
1005 	}
1006 
1007 	rc = -ENOMEM;
1008 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1009 	if (!opts->mnt_opts)
1010 		goto out_err;
1011 
1012 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1013 	if (!opts->mnt_opts_flags) {
1014 		kfree(opts->mnt_opts);
1015 		goto out_err;
1016 	}
1017 
1018 	if (fscontext) {
1019 		opts->mnt_opts[num_mnt_opts] = fscontext;
1020 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1021 	}
1022 	if (context) {
1023 		opts->mnt_opts[num_mnt_opts] = context;
1024 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1025 	}
1026 	if (rootcontext) {
1027 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1028 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1029 	}
1030 	if (defcontext) {
1031 		opts->mnt_opts[num_mnt_opts] = defcontext;
1032 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1033 	}
1034 
1035 	opts->num_mnt_opts = num_mnt_opts;
1036 	return 0;
1037 
1038 out_err:
1039 	kfree(context);
1040 	kfree(defcontext);
1041 	kfree(fscontext);
1042 	kfree(rootcontext);
1043 	return rc;
1044 }
1045 /*
1046  * string mount options parsing and call set the sbsec
1047  */
1048 static int superblock_doinit(struct super_block *sb, void *data)
1049 {
1050 	int rc = 0;
1051 	char *options = data;
1052 	struct security_mnt_opts opts;
1053 
1054 	security_init_mnt_opts(&opts);
1055 
1056 	if (!data)
1057 		goto out;
1058 
1059 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1060 
1061 	rc = selinux_parse_opts_str(options, &opts);
1062 	if (rc)
1063 		goto out_err;
1064 
1065 out:
1066 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1067 
1068 out_err:
1069 	security_free_mnt_opts(&opts);
1070 	return rc;
1071 }
1072 
1073 static void selinux_write_opts(struct seq_file *m,
1074 			       struct security_mnt_opts *opts)
1075 {
1076 	int i;
1077 	char *prefix;
1078 
1079 	for (i = 0; i < opts->num_mnt_opts; i++) {
1080 		char *has_comma;
1081 
1082 		if (opts->mnt_opts[i])
1083 			has_comma = strchr(opts->mnt_opts[i], ',');
1084 		else
1085 			has_comma = NULL;
1086 
1087 		switch (opts->mnt_opts_flags[i]) {
1088 		case CONTEXT_MNT:
1089 			prefix = CONTEXT_STR;
1090 			break;
1091 		case FSCONTEXT_MNT:
1092 			prefix = FSCONTEXT_STR;
1093 			break;
1094 		case ROOTCONTEXT_MNT:
1095 			prefix = ROOTCONTEXT_STR;
1096 			break;
1097 		case DEFCONTEXT_MNT:
1098 			prefix = DEFCONTEXT_STR;
1099 			break;
1100 		case SBLABEL_MNT:
1101 			seq_putc(m, ',');
1102 			seq_puts(m, LABELSUPP_STR);
1103 			continue;
1104 		default:
1105 			BUG();
1106 			return;
1107 		};
1108 		/* we need a comma before each option */
1109 		seq_putc(m, ',');
1110 		seq_puts(m, prefix);
1111 		if (has_comma)
1112 			seq_putc(m, '\"');
1113 		seq_puts(m, opts->mnt_opts[i]);
1114 		if (has_comma)
1115 			seq_putc(m, '\"');
1116 	}
1117 }
1118 
1119 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1120 {
1121 	struct security_mnt_opts opts;
1122 	int rc;
1123 
1124 	rc = selinux_get_mnt_opts(sb, &opts);
1125 	if (rc) {
1126 		/* before policy load we may get EINVAL, don't show anything */
1127 		if (rc == -EINVAL)
1128 			rc = 0;
1129 		return rc;
1130 	}
1131 
1132 	selinux_write_opts(m, &opts);
1133 
1134 	security_free_mnt_opts(&opts);
1135 
1136 	return rc;
1137 }
1138 
1139 static inline u16 inode_mode_to_security_class(umode_t mode)
1140 {
1141 	switch (mode & S_IFMT) {
1142 	case S_IFSOCK:
1143 		return SECCLASS_SOCK_FILE;
1144 	case S_IFLNK:
1145 		return SECCLASS_LNK_FILE;
1146 	case S_IFREG:
1147 		return SECCLASS_FILE;
1148 	case S_IFBLK:
1149 		return SECCLASS_BLK_FILE;
1150 	case S_IFDIR:
1151 		return SECCLASS_DIR;
1152 	case S_IFCHR:
1153 		return SECCLASS_CHR_FILE;
1154 	case S_IFIFO:
1155 		return SECCLASS_FIFO_FILE;
1156 
1157 	}
1158 
1159 	return SECCLASS_FILE;
1160 }
1161 
1162 static inline int default_protocol_stream(int protocol)
1163 {
1164 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1165 }
1166 
1167 static inline int default_protocol_dgram(int protocol)
1168 {
1169 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1170 }
1171 
1172 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1173 {
1174 	switch (family) {
1175 	case PF_UNIX:
1176 		switch (type) {
1177 		case SOCK_STREAM:
1178 		case SOCK_SEQPACKET:
1179 			return SECCLASS_UNIX_STREAM_SOCKET;
1180 		case SOCK_DGRAM:
1181 			return SECCLASS_UNIX_DGRAM_SOCKET;
1182 		}
1183 		break;
1184 	case PF_INET:
1185 	case PF_INET6:
1186 		switch (type) {
1187 		case SOCK_STREAM:
1188 			if (default_protocol_stream(protocol))
1189 				return SECCLASS_TCP_SOCKET;
1190 			else
1191 				return SECCLASS_RAWIP_SOCKET;
1192 		case SOCK_DGRAM:
1193 			if (default_protocol_dgram(protocol))
1194 				return SECCLASS_UDP_SOCKET;
1195 			else
1196 				return SECCLASS_RAWIP_SOCKET;
1197 		case SOCK_DCCP:
1198 			return SECCLASS_DCCP_SOCKET;
1199 		default:
1200 			return SECCLASS_RAWIP_SOCKET;
1201 		}
1202 		break;
1203 	case PF_NETLINK:
1204 		switch (protocol) {
1205 		case NETLINK_ROUTE:
1206 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1207 		case NETLINK_FIREWALL:
1208 			return SECCLASS_NETLINK_FIREWALL_SOCKET;
1209 		case NETLINK_SOCK_DIAG:
1210 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1211 		case NETLINK_NFLOG:
1212 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1213 		case NETLINK_XFRM:
1214 			return SECCLASS_NETLINK_XFRM_SOCKET;
1215 		case NETLINK_SELINUX:
1216 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1217 		case NETLINK_AUDIT:
1218 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1219 		case NETLINK_IP6_FW:
1220 			return SECCLASS_NETLINK_IP6FW_SOCKET;
1221 		case NETLINK_DNRTMSG:
1222 			return SECCLASS_NETLINK_DNRT_SOCKET;
1223 		case NETLINK_KOBJECT_UEVENT:
1224 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1225 		default:
1226 			return SECCLASS_NETLINK_SOCKET;
1227 		}
1228 	case PF_PACKET:
1229 		return SECCLASS_PACKET_SOCKET;
1230 	case PF_KEY:
1231 		return SECCLASS_KEY_SOCKET;
1232 	case PF_APPLETALK:
1233 		return SECCLASS_APPLETALK_SOCKET;
1234 	}
1235 
1236 	return SECCLASS_SOCKET;
1237 }
1238 
1239 #ifdef CONFIG_PROC_FS
1240 static int selinux_proc_get_sid(struct dentry *dentry,
1241 				u16 tclass,
1242 				u32 *sid)
1243 {
1244 	int rc;
1245 	char *buffer, *path;
1246 
1247 	buffer = (char *)__get_free_page(GFP_KERNEL);
1248 	if (!buffer)
1249 		return -ENOMEM;
1250 
1251 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1252 	if (IS_ERR(path))
1253 		rc = PTR_ERR(path);
1254 	else {
1255 		/* each process gets a /proc/PID/ entry. Strip off the
1256 		 * PID part to get a valid selinux labeling.
1257 		 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1258 		while (path[1] >= '0' && path[1] <= '9') {
1259 			path[1] = '/';
1260 			path++;
1261 		}
1262 		rc = security_genfs_sid("proc", path, tclass, sid);
1263 	}
1264 	free_page((unsigned long)buffer);
1265 	return rc;
1266 }
1267 #else
1268 static int selinux_proc_get_sid(struct dentry *dentry,
1269 				u16 tclass,
1270 				u32 *sid)
1271 {
1272 	return -EINVAL;
1273 }
1274 #endif
1275 
1276 /* The inode's security attributes must be initialized before first use. */
1277 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1278 {
1279 	struct superblock_security_struct *sbsec = NULL;
1280 	struct inode_security_struct *isec = inode->i_security;
1281 	u32 sid;
1282 	struct dentry *dentry;
1283 #define INITCONTEXTLEN 255
1284 	char *context = NULL;
1285 	unsigned len = 0;
1286 	int rc = 0;
1287 
1288 	if (isec->initialized)
1289 		goto out;
1290 
1291 	mutex_lock(&isec->lock);
1292 	if (isec->initialized)
1293 		goto out_unlock;
1294 
1295 	sbsec = inode->i_sb->s_security;
1296 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1297 		/* Defer initialization until selinux_complete_init,
1298 		   after the initial policy is loaded and the security
1299 		   server is ready to handle calls. */
1300 		spin_lock(&sbsec->isec_lock);
1301 		if (list_empty(&isec->list))
1302 			list_add(&isec->list, &sbsec->isec_head);
1303 		spin_unlock(&sbsec->isec_lock);
1304 		goto out_unlock;
1305 	}
1306 
1307 	switch (sbsec->behavior) {
1308 	case SECURITY_FS_USE_NATIVE:
1309 		break;
1310 	case SECURITY_FS_USE_XATTR:
1311 		if (!inode->i_op->getxattr) {
1312 			isec->sid = sbsec->def_sid;
1313 			break;
1314 		}
1315 
1316 		/* Need a dentry, since the xattr API requires one.
1317 		   Life would be simpler if we could just pass the inode. */
1318 		if (opt_dentry) {
1319 			/* Called from d_instantiate or d_splice_alias. */
1320 			dentry = dget(opt_dentry);
1321 		} else {
1322 			/* Called from selinux_complete_init, try to find a dentry. */
1323 			dentry = d_find_alias(inode);
1324 		}
1325 		if (!dentry) {
1326 			/*
1327 			 * this is can be hit on boot when a file is accessed
1328 			 * before the policy is loaded.  When we load policy we
1329 			 * may find inodes that have no dentry on the
1330 			 * sbsec->isec_head list.  No reason to complain as these
1331 			 * will get fixed up the next time we go through
1332 			 * inode_doinit with a dentry, before these inodes could
1333 			 * be used again by userspace.
1334 			 */
1335 			goto out_unlock;
1336 		}
1337 
1338 		len = INITCONTEXTLEN;
1339 		context = kmalloc(len+1, GFP_NOFS);
1340 		if (!context) {
1341 			rc = -ENOMEM;
1342 			dput(dentry);
1343 			goto out_unlock;
1344 		}
1345 		context[len] = '\0';
1346 		rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1347 					   context, len);
1348 		if (rc == -ERANGE) {
1349 			kfree(context);
1350 
1351 			/* Need a larger buffer.  Query for the right size. */
1352 			rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1353 						   NULL, 0);
1354 			if (rc < 0) {
1355 				dput(dentry);
1356 				goto out_unlock;
1357 			}
1358 			len = rc;
1359 			context = kmalloc(len+1, GFP_NOFS);
1360 			if (!context) {
1361 				rc = -ENOMEM;
1362 				dput(dentry);
1363 				goto out_unlock;
1364 			}
1365 			context[len] = '\0';
1366 			rc = inode->i_op->getxattr(dentry,
1367 						   XATTR_NAME_SELINUX,
1368 						   context, len);
1369 		}
1370 		dput(dentry);
1371 		if (rc < 0) {
1372 			if (rc != -ENODATA) {
1373 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1374 				       "%d for dev=%s ino=%ld\n", __func__,
1375 				       -rc, inode->i_sb->s_id, inode->i_ino);
1376 				kfree(context);
1377 				goto out_unlock;
1378 			}
1379 			/* Map ENODATA to the default file SID */
1380 			sid = sbsec->def_sid;
1381 			rc = 0;
1382 		} else {
1383 			rc = security_context_to_sid_default(context, rc, &sid,
1384 							     sbsec->def_sid,
1385 							     GFP_NOFS);
1386 			if (rc) {
1387 				char *dev = inode->i_sb->s_id;
1388 				unsigned long ino = inode->i_ino;
1389 
1390 				if (rc == -EINVAL) {
1391 					if (printk_ratelimit())
1392 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1393 							"context=%s.  This indicates you may need to relabel the inode or the "
1394 							"filesystem in question.\n", ino, dev, context);
1395 				} else {
1396 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1397 					       "returned %d for dev=%s ino=%ld\n",
1398 					       __func__, context, -rc, dev, ino);
1399 				}
1400 				kfree(context);
1401 				/* Leave with the unlabeled SID */
1402 				rc = 0;
1403 				break;
1404 			}
1405 		}
1406 		kfree(context);
1407 		isec->sid = sid;
1408 		break;
1409 	case SECURITY_FS_USE_TASK:
1410 		isec->sid = isec->task_sid;
1411 		break;
1412 	case SECURITY_FS_USE_TRANS:
1413 		/* Default to the fs SID. */
1414 		isec->sid = sbsec->sid;
1415 
1416 		/* Try to obtain a transition SID. */
1417 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1418 		rc = security_transition_sid(isec->task_sid, sbsec->sid,
1419 					     isec->sclass, NULL, &sid);
1420 		if (rc)
1421 			goto out_unlock;
1422 		isec->sid = sid;
1423 		break;
1424 	case SECURITY_FS_USE_MNTPOINT:
1425 		isec->sid = sbsec->mntpoint_sid;
1426 		break;
1427 	default:
1428 		/* Default to the fs superblock SID. */
1429 		isec->sid = sbsec->sid;
1430 
1431 		if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1432 			/* We must have a dentry to determine the label on
1433 			 * procfs inodes */
1434 			if (opt_dentry)
1435 				/* Called from d_instantiate or
1436 				 * d_splice_alias. */
1437 				dentry = dget(opt_dentry);
1438 			else
1439 				/* Called from selinux_complete_init, try to
1440 				 * find a dentry. */
1441 				dentry = d_find_alias(inode);
1442 			/*
1443 			 * This can be hit on boot when a file is accessed
1444 			 * before the policy is loaded.  When we load policy we
1445 			 * may find inodes that have no dentry on the
1446 			 * sbsec->isec_head list.  No reason to complain as
1447 			 * these will get fixed up the next time we go through
1448 			 * inode_doinit() with a dentry, before these inodes
1449 			 * could be used again by userspace.
1450 			 */
1451 			if (!dentry)
1452 				goto out_unlock;
1453 			isec->sclass = inode_mode_to_security_class(inode->i_mode);
1454 			rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1455 			dput(dentry);
1456 			if (rc)
1457 				goto out_unlock;
1458 			isec->sid = sid;
1459 		}
1460 		break;
1461 	}
1462 
1463 	isec->initialized = 1;
1464 
1465 out_unlock:
1466 	mutex_unlock(&isec->lock);
1467 out:
1468 	if (isec->sclass == SECCLASS_FILE)
1469 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1470 	return rc;
1471 }
1472 
1473 /* Convert a Linux signal to an access vector. */
1474 static inline u32 signal_to_av(int sig)
1475 {
1476 	u32 perm = 0;
1477 
1478 	switch (sig) {
1479 	case SIGCHLD:
1480 		/* Commonly granted from child to parent. */
1481 		perm = PROCESS__SIGCHLD;
1482 		break;
1483 	case SIGKILL:
1484 		/* Cannot be caught or ignored */
1485 		perm = PROCESS__SIGKILL;
1486 		break;
1487 	case SIGSTOP:
1488 		/* Cannot be caught or ignored */
1489 		perm = PROCESS__SIGSTOP;
1490 		break;
1491 	default:
1492 		/* All other signals. */
1493 		perm = PROCESS__SIGNAL;
1494 		break;
1495 	}
1496 
1497 	return perm;
1498 }
1499 
1500 /*
1501  * Check permission between a pair of credentials
1502  * fork check, ptrace check, etc.
1503  */
1504 static int cred_has_perm(const struct cred *actor,
1505 			 const struct cred *target,
1506 			 u32 perms)
1507 {
1508 	u32 asid = cred_sid(actor), tsid = cred_sid(target);
1509 
1510 	return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1511 }
1512 
1513 /*
1514  * Check permission between a pair of tasks, e.g. signal checks,
1515  * fork check, ptrace check, etc.
1516  * tsk1 is the actor and tsk2 is the target
1517  * - this uses the default subjective creds of tsk1
1518  */
1519 static int task_has_perm(const struct task_struct *tsk1,
1520 			 const struct task_struct *tsk2,
1521 			 u32 perms)
1522 {
1523 	const struct task_security_struct *__tsec1, *__tsec2;
1524 	u32 sid1, sid2;
1525 
1526 	rcu_read_lock();
1527 	__tsec1 = __task_cred(tsk1)->security;	sid1 = __tsec1->sid;
1528 	__tsec2 = __task_cred(tsk2)->security;	sid2 = __tsec2->sid;
1529 	rcu_read_unlock();
1530 	return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1531 }
1532 
1533 /*
1534  * Check permission between current and another task, e.g. signal checks,
1535  * fork check, ptrace check, etc.
1536  * current is the actor and tsk2 is the target
1537  * - this uses current's subjective creds
1538  */
1539 static int current_has_perm(const struct task_struct *tsk,
1540 			    u32 perms)
1541 {
1542 	u32 sid, tsid;
1543 
1544 	sid = current_sid();
1545 	tsid = task_sid(tsk);
1546 	return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1547 }
1548 
1549 #if CAP_LAST_CAP > 63
1550 #error Fix SELinux to handle capabilities > 63.
1551 #endif
1552 
1553 /* Check whether a task is allowed to use a capability. */
1554 static int cred_has_capability(const struct cred *cred,
1555 			       int cap, int audit)
1556 {
1557 	struct common_audit_data ad;
1558 	struct av_decision avd;
1559 	u16 sclass;
1560 	u32 sid = cred_sid(cred);
1561 	u32 av = CAP_TO_MASK(cap);
1562 	int rc;
1563 
1564 	ad.type = LSM_AUDIT_DATA_CAP;
1565 	ad.u.cap = cap;
1566 
1567 	switch (CAP_TO_INDEX(cap)) {
1568 	case 0:
1569 		sclass = SECCLASS_CAPABILITY;
1570 		break;
1571 	case 1:
1572 		sclass = SECCLASS_CAPABILITY2;
1573 		break;
1574 	default:
1575 		printk(KERN_ERR
1576 		       "SELinux:  out of range capability %d\n", cap);
1577 		BUG();
1578 		return -EINVAL;
1579 	}
1580 
1581 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1582 	if (audit == SECURITY_CAP_AUDIT) {
1583 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1584 		if (rc2)
1585 			return rc2;
1586 	}
1587 	return rc;
1588 }
1589 
1590 /* Check whether a task is allowed to use a system operation. */
1591 static int task_has_system(struct task_struct *tsk,
1592 			   u32 perms)
1593 {
1594 	u32 sid = task_sid(tsk);
1595 
1596 	return avc_has_perm(sid, SECINITSID_KERNEL,
1597 			    SECCLASS_SYSTEM, perms, NULL);
1598 }
1599 
1600 /* Check whether a task has a particular permission to an inode.
1601    The 'adp' parameter is optional and allows other audit
1602    data to be passed (e.g. the dentry). */
1603 static int inode_has_perm(const struct cred *cred,
1604 			  struct inode *inode,
1605 			  u32 perms,
1606 			  struct common_audit_data *adp)
1607 {
1608 	struct inode_security_struct *isec;
1609 	u32 sid;
1610 
1611 	validate_creds(cred);
1612 
1613 	if (unlikely(IS_PRIVATE(inode)))
1614 		return 0;
1615 
1616 	sid = cred_sid(cred);
1617 	isec = inode->i_security;
1618 
1619 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1620 }
1621 
1622 /* Same as inode_has_perm, but pass explicit audit data containing
1623    the dentry to help the auditing code to more easily generate the
1624    pathname if needed. */
1625 static inline int dentry_has_perm(const struct cred *cred,
1626 				  struct dentry *dentry,
1627 				  u32 av)
1628 {
1629 	struct inode *inode = dentry->d_inode;
1630 	struct common_audit_data ad;
1631 
1632 	ad.type = LSM_AUDIT_DATA_DENTRY;
1633 	ad.u.dentry = dentry;
1634 	return inode_has_perm(cred, inode, av, &ad);
1635 }
1636 
1637 /* Same as inode_has_perm, but pass explicit audit data containing
1638    the path to help the auditing code to more easily generate the
1639    pathname if needed. */
1640 static inline int path_has_perm(const struct cred *cred,
1641 				struct path *path,
1642 				u32 av)
1643 {
1644 	struct inode *inode = path->dentry->d_inode;
1645 	struct common_audit_data ad;
1646 
1647 	ad.type = LSM_AUDIT_DATA_PATH;
1648 	ad.u.path = *path;
1649 	return inode_has_perm(cred, inode, av, &ad);
1650 }
1651 
1652 /* Same as path_has_perm, but uses the inode from the file struct. */
1653 static inline int file_path_has_perm(const struct cred *cred,
1654 				     struct file *file,
1655 				     u32 av)
1656 {
1657 	struct common_audit_data ad;
1658 
1659 	ad.type = LSM_AUDIT_DATA_PATH;
1660 	ad.u.path = file->f_path;
1661 	return inode_has_perm(cred, file_inode(file), av, &ad);
1662 }
1663 
1664 /* Check whether a task can use an open file descriptor to
1665    access an inode in a given way.  Check access to the
1666    descriptor itself, and then use dentry_has_perm to
1667    check a particular permission to the file.
1668    Access to the descriptor is implicitly granted if it
1669    has the same SID as the process.  If av is zero, then
1670    access to the file is not checked, e.g. for cases
1671    where only the descriptor is affected like seek. */
1672 static int file_has_perm(const struct cred *cred,
1673 			 struct file *file,
1674 			 u32 av)
1675 {
1676 	struct file_security_struct *fsec = file->f_security;
1677 	struct inode *inode = file_inode(file);
1678 	struct common_audit_data ad;
1679 	u32 sid = cred_sid(cred);
1680 	int rc;
1681 
1682 	ad.type = LSM_AUDIT_DATA_PATH;
1683 	ad.u.path = file->f_path;
1684 
1685 	if (sid != fsec->sid) {
1686 		rc = avc_has_perm(sid, fsec->sid,
1687 				  SECCLASS_FD,
1688 				  FD__USE,
1689 				  &ad);
1690 		if (rc)
1691 			goto out;
1692 	}
1693 
1694 	/* av is zero if only checking access to the descriptor. */
1695 	rc = 0;
1696 	if (av)
1697 		rc = inode_has_perm(cred, inode, av, &ad);
1698 
1699 out:
1700 	return rc;
1701 }
1702 
1703 /* Check whether a task can create a file. */
1704 static int may_create(struct inode *dir,
1705 		      struct dentry *dentry,
1706 		      u16 tclass)
1707 {
1708 	const struct task_security_struct *tsec = current_security();
1709 	struct inode_security_struct *dsec;
1710 	struct superblock_security_struct *sbsec;
1711 	u32 sid, newsid;
1712 	struct common_audit_data ad;
1713 	int rc;
1714 
1715 	dsec = dir->i_security;
1716 	sbsec = dir->i_sb->s_security;
1717 
1718 	sid = tsec->sid;
1719 	newsid = tsec->create_sid;
1720 
1721 	ad.type = LSM_AUDIT_DATA_DENTRY;
1722 	ad.u.dentry = dentry;
1723 
1724 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1725 			  DIR__ADD_NAME | DIR__SEARCH,
1726 			  &ad);
1727 	if (rc)
1728 		return rc;
1729 
1730 	if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1731 		rc = security_transition_sid(sid, dsec->sid, tclass,
1732 					     &dentry->d_name, &newsid);
1733 		if (rc)
1734 			return rc;
1735 	}
1736 
1737 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1738 	if (rc)
1739 		return rc;
1740 
1741 	return avc_has_perm(newsid, sbsec->sid,
1742 			    SECCLASS_FILESYSTEM,
1743 			    FILESYSTEM__ASSOCIATE, &ad);
1744 }
1745 
1746 /* Check whether a task can create a key. */
1747 static int may_create_key(u32 ksid,
1748 			  struct task_struct *ctx)
1749 {
1750 	u32 sid = task_sid(ctx);
1751 
1752 	return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1753 }
1754 
1755 #define MAY_LINK	0
1756 #define MAY_UNLINK	1
1757 #define MAY_RMDIR	2
1758 
1759 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1760 static int may_link(struct inode *dir,
1761 		    struct dentry *dentry,
1762 		    int kind)
1763 
1764 {
1765 	struct inode_security_struct *dsec, *isec;
1766 	struct common_audit_data ad;
1767 	u32 sid = current_sid();
1768 	u32 av;
1769 	int rc;
1770 
1771 	dsec = dir->i_security;
1772 	isec = dentry->d_inode->i_security;
1773 
1774 	ad.type = LSM_AUDIT_DATA_DENTRY;
1775 	ad.u.dentry = dentry;
1776 
1777 	av = DIR__SEARCH;
1778 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1779 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1780 	if (rc)
1781 		return rc;
1782 
1783 	switch (kind) {
1784 	case MAY_LINK:
1785 		av = FILE__LINK;
1786 		break;
1787 	case MAY_UNLINK:
1788 		av = FILE__UNLINK;
1789 		break;
1790 	case MAY_RMDIR:
1791 		av = DIR__RMDIR;
1792 		break;
1793 	default:
1794 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1795 			__func__, kind);
1796 		return 0;
1797 	}
1798 
1799 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1800 	return rc;
1801 }
1802 
1803 static inline int may_rename(struct inode *old_dir,
1804 			     struct dentry *old_dentry,
1805 			     struct inode *new_dir,
1806 			     struct dentry *new_dentry)
1807 {
1808 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1809 	struct common_audit_data ad;
1810 	u32 sid = current_sid();
1811 	u32 av;
1812 	int old_is_dir, new_is_dir;
1813 	int rc;
1814 
1815 	old_dsec = old_dir->i_security;
1816 	old_isec = old_dentry->d_inode->i_security;
1817 	old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1818 	new_dsec = new_dir->i_security;
1819 
1820 	ad.type = LSM_AUDIT_DATA_DENTRY;
1821 
1822 	ad.u.dentry = old_dentry;
1823 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1824 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1825 	if (rc)
1826 		return rc;
1827 	rc = avc_has_perm(sid, old_isec->sid,
1828 			  old_isec->sclass, FILE__RENAME, &ad);
1829 	if (rc)
1830 		return rc;
1831 	if (old_is_dir && new_dir != old_dir) {
1832 		rc = avc_has_perm(sid, old_isec->sid,
1833 				  old_isec->sclass, DIR__REPARENT, &ad);
1834 		if (rc)
1835 			return rc;
1836 	}
1837 
1838 	ad.u.dentry = new_dentry;
1839 	av = DIR__ADD_NAME | DIR__SEARCH;
1840 	if (new_dentry->d_inode)
1841 		av |= DIR__REMOVE_NAME;
1842 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1843 	if (rc)
1844 		return rc;
1845 	if (new_dentry->d_inode) {
1846 		new_isec = new_dentry->d_inode->i_security;
1847 		new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1848 		rc = avc_has_perm(sid, new_isec->sid,
1849 				  new_isec->sclass,
1850 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1851 		if (rc)
1852 			return rc;
1853 	}
1854 
1855 	return 0;
1856 }
1857 
1858 /* Check whether a task can perform a filesystem operation. */
1859 static int superblock_has_perm(const struct cred *cred,
1860 			       struct super_block *sb,
1861 			       u32 perms,
1862 			       struct common_audit_data *ad)
1863 {
1864 	struct superblock_security_struct *sbsec;
1865 	u32 sid = cred_sid(cred);
1866 
1867 	sbsec = sb->s_security;
1868 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1869 }
1870 
1871 /* Convert a Linux mode and permission mask to an access vector. */
1872 static inline u32 file_mask_to_av(int mode, int mask)
1873 {
1874 	u32 av = 0;
1875 
1876 	if (!S_ISDIR(mode)) {
1877 		if (mask & MAY_EXEC)
1878 			av |= FILE__EXECUTE;
1879 		if (mask & MAY_READ)
1880 			av |= FILE__READ;
1881 
1882 		if (mask & MAY_APPEND)
1883 			av |= FILE__APPEND;
1884 		else if (mask & MAY_WRITE)
1885 			av |= FILE__WRITE;
1886 
1887 	} else {
1888 		if (mask & MAY_EXEC)
1889 			av |= DIR__SEARCH;
1890 		if (mask & MAY_WRITE)
1891 			av |= DIR__WRITE;
1892 		if (mask & MAY_READ)
1893 			av |= DIR__READ;
1894 	}
1895 
1896 	return av;
1897 }
1898 
1899 /* Convert a Linux file to an access vector. */
1900 static inline u32 file_to_av(struct file *file)
1901 {
1902 	u32 av = 0;
1903 
1904 	if (file->f_mode & FMODE_READ)
1905 		av |= FILE__READ;
1906 	if (file->f_mode & FMODE_WRITE) {
1907 		if (file->f_flags & O_APPEND)
1908 			av |= FILE__APPEND;
1909 		else
1910 			av |= FILE__WRITE;
1911 	}
1912 	if (!av) {
1913 		/*
1914 		 * Special file opened with flags 3 for ioctl-only use.
1915 		 */
1916 		av = FILE__IOCTL;
1917 	}
1918 
1919 	return av;
1920 }
1921 
1922 /*
1923  * Convert a file to an access vector and include the correct open
1924  * open permission.
1925  */
1926 static inline u32 open_file_to_av(struct file *file)
1927 {
1928 	u32 av = file_to_av(file);
1929 
1930 	if (selinux_policycap_openperm)
1931 		av |= FILE__OPEN;
1932 
1933 	return av;
1934 }
1935 
1936 /* Hook functions begin here. */
1937 
1938 static int selinux_ptrace_access_check(struct task_struct *child,
1939 				     unsigned int mode)
1940 {
1941 	int rc;
1942 
1943 	rc = cap_ptrace_access_check(child, mode);
1944 	if (rc)
1945 		return rc;
1946 
1947 	if (mode & PTRACE_MODE_READ) {
1948 		u32 sid = current_sid();
1949 		u32 csid = task_sid(child);
1950 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1951 	}
1952 
1953 	return current_has_perm(child, PROCESS__PTRACE);
1954 }
1955 
1956 static int selinux_ptrace_traceme(struct task_struct *parent)
1957 {
1958 	int rc;
1959 
1960 	rc = cap_ptrace_traceme(parent);
1961 	if (rc)
1962 		return rc;
1963 
1964 	return task_has_perm(parent, current, PROCESS__PTRACE);
1965 }
1966 
1967 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1968 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
1969 {
1970 	int error;
1971 
1972 	error = current_has_perm(target, PROCESS__GETCAP);
1973 	if (error)
1974 		return error;
1975 
1976 	return cap_capget(target, effective, inheritable, permitted);
1977 }
1978 
1979 static int selinux_capset(struct cred *new, const struct cred *old,
1980 			  const kernel_cap_t *effective,
1981 			  const kernel_cap_t *inheritable,
1982 			  const kernel_cap_t *permitted)
1983 {
1984 	int error;
1985 
1986 	error = cap_capset(new, old,
1987 				      effective, inheritable, permitted);
1988 	if (error)
1989 		return error;
1990 
1991 	return cred_has_perm(old, new, PROCESS__SETCAP);
1992 }
1993 
1994 /*
1995  * (This comment used to live with the selinux_task_setuid hook,
1996  * which was removed).
1997  *
1998  * Since setuid only affects the current process, and since the SELinux
1999  * controls are not based on the Linux identity attributes, SELinux does not
2000  * need to control this operation.  However, SELinux does control the use of
2001  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2002  */
2003 
2004 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2005 			   int cap, int audit)
2006 {
2007 	int rc;
2008 
2009 	rc = cap_capable(cred, ns, cap, audit);
2010 	if (rc)
2011 		return rc;
2012 
2013 	return cred_has_capability(cred, cap, audit);
2014 }
2015 
2016 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2017 {
2018 	const struct cred *cred = current_cred();
2019 	int rc = 0;
2020 
2021 	if (!sb)
2022 		return 0;
2023 
2024 	switch (cmds) {
2025 	case Q_SYNC:
2026 	case Q_QUOTAON:
2027 	case Q_QUOTAOFF:
2028 	case Q_SETINFO:
2029 	case Q_SETQUOTA:
2030 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2031 		break;
2032 	case Q_GETFMT:
2033 	case Q_GETINFO:
2034 	case Q_GETQUOTA:
2035 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2036 		break;
2037 	default:
2038 		rc = 0;  /* let the kernel handle invalid cmds */
2039 		break;
2040 	}
2041 	return rc;
2042 }
2043 
2044 static int selinux_quota_on(struct dentry *dentry)
2045 {
2046 	const struct cred *cred = current_cred();
2047 
2048 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2049 }
2050 
2051 static int selinux_syslog(int type)
2052 {
2053 	int rc;
2054 
2055 	switch (type) {
2056 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2057 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2058 		rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2059 		break;
2060 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2061 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2062 	/* Set level of messages printed to console */
2063 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2064 		rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2065 		break;
2066 	case SYSLOG_ACTION_CLOSE:	/* Close log */
2067 	case SYSLOG_ACTION_OPEN:	/* Open log */
2068 	case SYSLOG_ACTION_READ:	/* Read from log */
2069 	case SYSLOG_ACTION_READ_CLEAR:	/* Read/clear last kernel messages */
2070 	case SYSLOG_ACTION_CLEAR:	/* Clear ring buffer */
2071 	default:
2072 		rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2073 		break;
2074 	}
2075 	return rc;
2076 }
2077 
2078 /*
2079  * Check that a process has enough memory to allocate a new virtual
2080  * mapping. 0 means there is enough memory for the allocation to
2081  * succeed and -ENOMEM implies there is not.
2082  *
2083  * Do not audit the selinux permission check, as this is applied to all
2084  * processes that allocate mappings.
2085  */
2086 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2087 {
2088 	int rc, cap_sys_admin = 0;
2089 
2090 	rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2091 			     SECURITY_CAP_NOAUDIT);
2092 	if (rc == 0)
2093 		cap_sys_admin = 1;
2094 
2095 	return __vm_enough_memory(mm, pages, cap_sys_admin);
2096 }
2097 
2098 /* binprm security operations */
2099 
2100 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2101 {
2102 	const struct task_security_struct *old_tsec;
2103 	struct task_security_struct *new_tsec;
2104 	struct inode_security_struct *isec;
2105 	struct common_audit_data ad;
2106 	struct inode *inode = file_inode(bprm->file);
2107 	int rc;
2108 
2109 	rc = cap_bprm_set_creds(bprm);
2110 	if (rc)
2111 		return rc;
2112 
2113 	/* SELinux context only depends on initial program or script and not
2114 	 * the script interpreter */
2115 	if (bprm->cred_prepared)
2116 		return 0;
2117 
2118 	old_tsec = current_security();
2119 	new_tsec = bprm->cred->security;
2120 	isec = inode->i_security;
2121 
2122 	/* Default to the current task SID. */
2123 	new_tsec->sid = old_tsec->sid;
2124 	new_tsec->osid = old_tsec->sid;
2125 
2126 	/* Reset fs, key, and sock SIDs on execve. */
2127 	new_tsec->create_sid = 0;
2128 	new_tsec->keycreate_sid = 0;
2129 	new_tsec->sockcreate_sid = 0;
2130 
2131 	if (old_tsec->exec_sid) {
2132 		new_tsec->sid = old_tsec->exec_sid;
2133 		/* Reset exec SID on execve. */
2134 		new_tsec->exec_sid = 0;
2135 
2136 		/*
2137 		 * Minimize confusion: if no_new_privs or nosuid and a
2138 		 * transition is explicitly requested, then fail the exec.
2139 		 */
2140 		if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2141 			return -EPERM;
2142 		if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2143 			return -EACCES;
2144 	} else {
2145 		/* Check for a default transition on this program. */
2146 		rc = security_transition_sid(old_tsec->sid, isec->sid,
2147 					     SECCLASS_PROCESS, NULL,
2148 					     &new_tsec->sid);
2149 		if (rc)
2150 			return rc;
2151 	}
2152 
2153 	ad.type = LSM_AUDIT_DATA_PATH;
2154 	ad.u.path = bprm->file->f_path;
2155 
2156 	if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2157 	    (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2158 		new_tsec->sid = old_tsec->sid;
2159 
2160 	if (new_tsec->sid == old_tsec->sid) {
2161 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2162 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2163 		if (rc)
2164 			return rc;
2165 	} else {
2166 		/* Check permissions for the transition. */
2167 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2168 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2169 		if (rc)
2170 			return rc;
2171 
2172 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2173 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2174 		if (rc)
2175 			return rc;
2176 
2177 		/* Check for shared state */
2178 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2179 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2180 					  SECCLASS_PROCESS, PROCESS__SHARE,
2181 					  NULL);
2182 			if (rc)
2183 				return -EPERM;
2184 		}
2185 
2186 		/* Make sure that anyone attempting to ptrace over a task that
2187 		 * changes its SID has the appropriate permit */
2188 		if (bprm->unsafe &
2189 		    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2190 			struct task_struct *tracer;
2191 			struct task_security_struct *sec;
2192 			u32 ptsid = 0;
2193 
2194 			rcu_read_lock();
2195 			tracer = ptrace_parent(current);
2196 			if (likely(tracer != NULL)) {
2197 				sec = __task_cred(tracer)->security;
2198 				ptsid = sec->sid;
2199 			}
2200 			rcu_read_unlock();
2201 
2202 			if (ptsid != 0) {
2203 				rc = avc_has_perm(ptsid, new_tsec->sid,
2204 						  SECCLASS_PROCESS,
2205 						  PROCESS__PTRACE, NULL);
2206 				if (rc)
2207 					return -EPERM;
2208 			}
2209 		}
2210 
2211 		/* Clear any possibly unsafe personality bits on exec: */
2212 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2213 	}
2214 
2215 	return 0;
2216 }
2217 
2218 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2219 {
2220 	const struct task_security_struct *tsec = current_security();
2221 	u32 sid, osid;
2222 	int atsecure = 0;
2223 
2224 	sid = tsec->sid;
2225 	osid = tsec->osid;
2226 
2227 	if (osid != sid) {
2228 		/* Enable secure mode for SIDs transitions unless
2229 		   the noatsecure permission is granted between
2230 		   the two SIDs, i.e. ahp returns 0. */
2231 		atsecure = avc_has_perm(osid, sid,
2232 					SECCLASS_PROCESS,
2233 					PROCESS__NOATSECURE, NULL);
2234 	}
2235 
2236 	return (atsecure || cap_bprm_secureexec(bprm));
2237 }
2238 
2239 static int match_file(const void *p, struct file *file, unsigned fd)
2240 {
2241 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2242 }
2243 
2244 /* Derived from fs/exec.c:flush_old_files. */
2245 static inline void flush_unauthorized_files(const struct cred *cred,
2246 					    struct files_struct *files)
2247 {
2248 	struct file *file, *devnull = NULL;
2249 	struct tty_struct *tty;
2250 	int drop_tty = 0;
2251 	unsigned n;
2252 
2253 	tty = get_current_tty();
2254 	if (tty) {
2255 		spin_lock(&tty_files_lock);
2256 		if (!list_empty(&tty->tty_files)) {
2257 			struct tty_file_private *file_priv;
2258 
2259 			/* Revalidate access to controlling tty.
2260 			   Use file_path_has_perm on the tty path directly
2261 			   rather than using file_has_perm, as this particular
2262 			   open file may belong to another process and we are
2263 			   only interested in the inode-based check here. */
2264 			file_priv = list_first_entry(&tty->tty_files,
2265 						struct tty_file_private, list);
2266 			file = file_priv->file;
2267 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2268 				drop_tty = 1;
2269 		}
2270 		spin_unlock(&tty_files_lock);
2271 		tty_kref_put(tty);
2272 	}
2273 	/* Reset controlling tty. */
2274 	if (drop_tty)
2275 		no_tty();
2276 
2277 	/* Revalidate access to inherited open files. */
2278 	n = iterate_fd(files, 0, match_file, cred);
2279 	if (!n) /* none found? */
2280 		return;
2281 
2282 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2283 	if (IS_ERR(devnull))
2284 		devnull = NULL;
2285 	/* replace all the matching ones with this */
2286 	do {
2287 		replace_fd(n - 1, devnull, 0);
2288 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2289 	if (devnull)
2290 		fput(devnull);
2291 }
2292 
2293 /*
2294  * Prepare a process for imminent new credential changes due to exec
2295  */
2296 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2297 {
2298 	struct task_security_struct *new_tsec;
2299 	struct rlimit *rlim, *initrlim;
2300 	int rc, i;
2301 
2302 	new_tsec = bprm->cred->security;
2303 	if (new_tsec->sid == new_tsec->osid)
2304 		return;
2305 
2306 	/* Close files for which the new task SID is not authorized. */
2307 	flush_unauthorized_files(bprm->cred, current->files);
2308 
2309 	/* Always clear parent death signal on SID transitions. */
2310 	current->pdeath_signal = 0;
2311 
2312 	/* Check whether the new SID can inherit resource limits from the old
2313 	 * SID.  If not, reset all soft limits to the lower of the current
2314 	 * task's hard limit and the init task's soft limit.
2315 	 *
2316 	 * Note that the setting of hard limits (even to lower them) can be
2317 	 * controlled by the setrlimit check.  The inclusion of the init task's
2318 	 * soft limit into the computation is to avoid resetting soft limits
2319 	 * higher than the default soft limit for cases where the default is
2320 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2321 	 */
2322 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2323 			  PROCESS__RLIMITINH, NULL);
2324 	if (rc) {
2325 		/* protect against do_prlimit() */
2326 		task_lock(current);
2327 		for (i = 0; i < RLIM_NLIMITS; i++) {
2328 			rlim = current->signal->rlim + i;
2329 			initrlim = init_task.signal->rlim + i;
2330 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2331 		}
2332 		task_unlock(current);
2333 		update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2334 	}
2335 }
2336 
2337 /*
2338  * Clean up the process immediately after the installation of new credentials
2339  * due to exec
2340  */
2341 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2342 {
2343 	const struct task_security_struct *tsec = current_security();
2344 	struct itimerval itimer;
2345 	u32 osid, sid;
2346 	int rc, i;
2347 
2348 	osid = tsec->osid;
2349 	sid = tsec->sid;
2350 
2351 	if (sid == osid)
2352 		return;
2353 
2354 	/* Check whether the new SID can inherit signal state from the old SID.
2355 	 * If not, clear itimers to avoid subsequent signal generation and
2356 	 * flush and unblock signals.
2357 	 *
2358 	 * This must occur _after_ the task SID has been updated so that any
2359 	 * kill done after the flush will be checked against the new SID.
2360 	 */
2361 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2362 	if (rc) {
2363 		memset(&itimer, 0, sizeof itimer);
2364 		for (i = 0; i < 3; i++)
2365 			do_setitimer(i, &itimer, NULL);
2366 		spin_lock_irq(&current->sighand->siglock);
2367 		if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2368 			__flush_signals(current);
2369 			flush_signal_handlers(current, 1);
2370 			sigemptyset(&current->blocked);
2371 		}
2372 		spin_unlock_irq(&current->sighand->siglock);
2373 	}
2374 
2375 	/* Wake up the parent if it is waiting so that it can recheck
2376 	 * wait permission to the new task SID. */
2377 	read_lock(&tasklist_lock);
2378 	__wake_up_parent(current, current->real_parent);
2379 	read_unlock(&tasklist_lock);
2380 }
2381 
2382 /* superblock security operations */
2383 
2384 static int selinux_sb_alloc_security(struct super_block *sb)
2385 {
2386 	return superblock_alloc_security(sb);
2387 }
2388 
2389 static void selinux_sb_free_security(struct super_block *sb)
2390 {
2391 	superblock_free_security(sb);
2392 }
2393 
2394 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2395 {
2396 	if (plen > olen)
2397 		return 0;
2398 
2399 	return !memcmp(prefix, option, plen);
2400 }
2401 
2402 static inline int selinux_option(char *option, int len)
2403 {
2404 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2405 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2406 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2407 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2408 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2409 }
2410 
2411 static inline void take_option(char **to, char *from, int *first, int len)
2412 {
2413 	if (!*first) {
2414 		**to = ',';
2415 		*to += 1;
2416 	} else
2417 		*first = 0;
2418 	memcpy(*to, from, len);
2419 	*to += len;
2420 }
2421 
2422 static inline void take_selinux_option(char **to, char *from, int *first,
2423 				       int len)
2424 {
2425 	int current_size = 0;
2426 
2427 	if (!*first) {
2428 		**to = '|';
2429 		*to += 1;
2430 	} else
2431 		*first = 0;
2432 
2433 	while (current_size < len) {
2434 		if (*from != '"') {
2435 			**to = *from;
2436 			*to += 1;
2437 		}
2438 		from += 1;
2439 		current_size += 1;
2440 	}
2441 }
2442 
2443 static int selinux_sb_copy_data(char *orig, char *copy)
2444 {
2445 	int fnosec, fsec, rc = 0;
2446 	char *in_save, *in_curr, *in_end;
2447 	char *sec_curr, *nosec_save, *nosec;
2448 	int open_quote = 0;
2449 
2450 	in_curr = orig;
2451 	sec_curr = copy;
2452 
2453 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2454 	if (!nosec) {
2455 		rc = -ENOMEM;
2456 		goto out;
2457 	}
2458 
2459 	nosec_save = nosec;
2460 	fnosec = fsec = 1;
2461 	in_save = in_end = orig;
2462 
2463 	do {
2464 		if (*in_end == '"')
2465 			open_quote = !open_quote;
2466 		if ((*in_end == ',' && open_quote == 0) ||
2467 				*in_end == '\0') {
2468 			int len = in_end - in_curr;
2469 
2470 			if (selinux_option(in_curr, len))
2471 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2472 			else
2473 				take_option(&nosec, in_curr, &fnosec, len);
2474 
2475 			in_curr = in_end + 1;
2476 		}
2477 	} while (*in_end++);
2478 
2479 	strcpy(in_save, nosec_save);
2480 	free_page((unsigned long)nosec_save);
2481 out:
2482 	return rc;
2483 }
2484 
2485 static int selinux_sb_remount(struct super_block *sb, void *data)
2486 {
2487 	int rc, i, *flags;
2488 	struct security_mnt_opts opts;
2489 	char *secdata, **mount_options;
2490 	struct superblock_security_struct *sbsec = sb->s_security;
2491 
2492 	if (!(sbsec->flags & SE_SBINITIALIZED))
2493 		return 0;
2494 
2495 	if (!data)
2496 		return 0;
2497 
2498 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2499 		return 0;
2500 
2501 	security_init_mnt_opts(&opts);
2502 	secdata = alloc_secdata();
2503 	if (!secdata)
2504 		return -ENOMEM;
2505 	rc = selinux_sb_copy_data(data, secdata);
2506 	if (rc)
2507 		goto out_free_secdata;
2508 
2509 	rc = selinux_parse_opts_str(secdata, &opts);
2510 	if (rc)
2511 		goto out_free_secdata;
2512 
2513 	mount_options = opts.mnt_opts;
2514 	flags = opts.mnt_opts_flags;
2515 
2516 	for (i = 0; i < opts.num_mnt_opts; i++) {
2517 		u32 sid;
2518 		size_t len;
2519 
2520 		if (flags[i] == SBLABEL_MNT)
2521 			continue;
2522 		len = strlen(mount_options[i]);
2523 		rc = security_context_to_sid(mount_options[i], len, &sid,
2524 					     GFP_KERNEL);
2525 		if (rc) {
2526 			printk(KERN_WARNING "SELinux: security_context_to_sid"
2527 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2528 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2529 			goto out_free_opts;
2530 		}
2531 		rc = -EINVAL;
2532 		switch (flags[i]) {
2533 		case FSCONTEXT_MNT:
2534 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2535 				goto out_bad_option;
2536 			break;
2537 		case CONTEXT_MNT:
2538 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2539 				goto out_bad_option;
2540 			break;
2541 		case ROOTCONTEXT_MNT: {
2542 			struct inode_security_struct *root_isec;
2543 			root_isec = sb->s_root->d_inode->i_security;
2544 
2545 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2546 				goto out_bad_option;
2547 			break;
2548 		}
2549 		case DEFCONTEXT_MNT:
2550 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2551 				goto out_bad_option;
2552 			break;
2553 		default:
2554 			goto out_free_opts;
2555 		}
2556 	}
2557 
2558 	rc = 0;
2559 out_free_opts:
2560 	security_free_mnt_opts(&opts);
2561 out_free_secdata:
2562 	free_secdata(secdata);
2563 	return rc;
2564 out_bad_option:
2565 	printk(KERN_WARNING "SELinux: unable to change security options "
2566 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2567 	       sb->s_type->name);
2568 	goto out_free_opts;
2569 }
2570 
2571 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2572 {
2573 	const struct cred *cred = current_cred();
2574 	struct common_audit_data ad;
2575 	int rc;
2576 
2577 	rc = superblock_doinit(sb, data);
2578 	if (rc)
2579 		return rc;
2580 
2581 	/* Allow all mounts performed by the kernel */
2582 	if (flags & MS_KERNMOUNT)
2583 		return 0;
2584 
2585 	ad.type = LSM_AUDIT_DATA_DENTRY;
2586 	ad.u.dentry = sb->s_root;
2587 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2588 }
2589 
2590 static int selinux_sb_statfs(struct dentry *dentry)
2591 {
2592 	const struct cred *cred = current_cred();
2593 	struct common_audit_data ad;
2594 
2595 	ad.type = LSM_AUDIT_DATA_DENTRY;
2596 	ad.u.dentry = dentry->d_sb->s_root;
2597 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2598 }
2599 
2600 static int selinux_mount(const char *dev_name,
2601 			 struct path *path,
2602 			 const char *type,
2603 			 unsigned long flags,
2604 			 void *data)
2605 {
2606 	const struct cred *cred = current_cred();
2607 
2608 	if (flags & MS_REMOUNT)
2609 		return superblock_has_perm(cred, path->dentry->d_sb,
2610 					   FILESYSTEM__REMOUNT, NULL);
2611 	else
2612 		return path_has_perm(cred, path, FILE__MOUNTON);
2613 }
2614 
2615 static int selinux_umount(struct vfsmount *mnt, int flags)
2616 {
2617 	const struct cred *cred = current_cred();
2618 
2619 	return superblock_has_perm(cred, mnt->mnt_sb,
2620 				   FILESYSTEM__UNMOUNT, NULL);
2621 }
2622 
2623 /* inode security operations */
2624 
2625 static int selinux_inode_alloc_security(struct inode *inode)
2626 {
2627 	return inode_alloc_security(inode);
2628 }
2629 
2630 static void selinux_inode_free_security(struct inode *inode)
2631 {
2632 	inode_free_security(inode);
2633 }
2634 
2635 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2636 					struct qstr *name, void **ctx,
2637 					u32 *ctxlen)
2638 {
2639 	const struct cred *cred = current_cred();
2640 	struct task_security_struct *tsec;
2641 	struct inode_security_struct *dsec;
2642 	struct superblock_security_struct *sbsec;
2643 	struct inode *dir = dentry->d_parent->d_inode;
2644 	u32 newsid;
2645 	int rc;
2646 
2647 	tsec = cred->security;
2648 	dsec = dir->i_security;
2649 	sbsec = dir->i_sb->s_security;
2650 
2651 	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2652 		newsid = tsec->create_sid;
2653 	} else {
2654 		rc = security_transition_sid(tsec->sid, dsec->sid,
2655 					     inode_mode_to_security_class(mode),
2656 					     name,
2657 					     &newsid);
2658 		if (rc) {
2659 			printk(KERN_WARNING
2660 				"%s: security_transition_sid failed, rc=%d\n",
2661 			       __func__, -rc);
2662 			return rc;
2663 		}
2664 	}
2665 
2666 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2667 }
2668 
2669 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2670 				       const struct qstr *qstr,
2671 				       const char **name,
2672 				       void **value, size_t *len)
2673 {
2674 	const struct task_security_struct *tsec = current_security();
2675 	struct inode_security_struct *dsec;
2676 	struct superblock_security_struct *sbsec;
2677 	u32 sid, newsid, clen;
2678 	int rc;
2679 	char *context;
2680 
2681 	dsec = dir->i_security;
2682 	sbsec = dir->i_sb->s_security;
2683 
2684 	sid = tsec->sid;
2685 	newsid = tsec->create_sid;
2686 
2687 	if ((sbsec->flags & SE_SBINITIALIZED) &&
2688 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2689 		newsid = sbsec->mntpoint_sid;
2690 	else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2691 		rc = security_transition_sid(sid, dsec->sid,
2692 					     inode_mode_to_security_class(inode->i_mode),
2693 					     qstr, &newsid);
2694 		if (rc) {
2695 			printk(KERN_WARNING "%s:  "
2696 			       "security_transition_sid failed, rc=%d (dev=%s "
2697 			       "ino=%ld)\n",
2698 			       __func__,
2699 			       -rc, inode->i_sb->s_id, inode->i_ino);
2700 			return rc;
2701 		}
2702 	}
2703 
2704 	/* Possibly defer initialization to selinux_complete_init. */
2705 	if (sbsec->flags & SE_SBINITIALIZED) {
2706 		struct inode_security_struct *isec = inode->i_security;
2707 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2708 		isec->sid = newsid;
2709 		isec->initialized = 1;
2710 	}
2711 
2712 	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2713 		return -EOPNOTSUPP;
2714 
2715 	if (name)
2716 		*name = XATTR_SELINUX_SUFFIX;
2717 
2718 	if (value && len) {
2719 		rc = security_sid_to_context_force(newsid, &context, &clen);
2720 		if (rc)
2721 			return rc;
2722 		*value = context;
2723 		*len = clen;
2724 	}
2725 
2726 	return 0;
2727 }
2728 
2729 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2730 {
2731 	return may_create(dir, dentry, SECCLASS_FILE);
2732 }
2733 
2734 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2735 {
2736 	return may_link(dir, old_dentry, MAY_LINK);
2737 }
2738 
2739 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2740 {
2741 	return may_link(dir, dentry, MAY_UNLINK);
2742 }
2743 
2744 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2745 {
2746 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2747 }
2748 
2749 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2750 {
2751 	return may_create(dir, dentry, SECCLASS_DIR);
2752 }
2753 
2754 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2755 {
2756 	return may_link(dir, dentry, MAY_RMDIR);
2757 }
2758 
2759 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2760 {
2761 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2762 }
2763 
2764 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2765 				struct inode *new_inode, struct dentry *new_dentry)
2766 {
2767 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2768 }
2769 
2770 static int selinux_inode_readlink(struct dentry *dentry)
2771 {
2772 	const struct cred *cred = current_cred();
2773 
2774 	return dentry_has_perm(cred, dentry, FILE__READ);
2775 }
2776 
2777 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2778 {
2779 	const struct cred *cred = current_cred();
2780 
2781 	return dentry_has_perm(cred, dentry, FILE__READ);
2782 }
2783 
2784 static noinline int audit_inode_permission(struct inode *inode,
2785 					   u32 perms, u32 audited, u32 denied,
2786 					   int result,
2787 					   unsigned flags)
2788 {
2789 	struct common_audit_data ad;
2790 	struct inode_security_struct *isec = inode->i_security;
2791 	int rc;
2792 
2793 	ad.type = LSM_AUDIT_DATA_INODE;
2794 	ad.u.inode = inode;
2795 
2796 	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2797 			    audited, denied, result, &ad, flags);
2798 	if (rc)
2799 		return rc;
2800 	return 0;
2801 }
2802 
2803 static int selinux_inode_permission(struct inode *inode, int mask)
2804 {
2805 	const struct cred *cred = current_cred();
2806 	u32 perms;
2807 	bool from_access;
2808 	unsigned flags = mask & MAY_NOT_BLOCK;
2809 	struct inode_security_struct *isec;
2810 	u32 sid;
2811 	struct av_decision avd;
2812 	int rc, rc2;
2813 	u32 audited, denied;
2814 
2815 	from_access = mask & MAY_ACCESS;
2816 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2817 
2818 	/* No permission to check.  Existence test. */
2819 	if (!mask)
2820 		return 0;
2821 
2822 	validate_creds(cred);
2823 
2824 	if (unlikely(IS_PRIVATE(inode)))
2825 		return 0;
2826 
2827 	perms = file_mask_to_av(inode->i_mode, mask);
2828 
2829 	sid = cred_sid(cred);
2830 	isec = inode->i_security;
2831 
2832 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2833 	audited = avc_audit_required(perms, &avd, rc,
2834 				     from_access ? FILE__AUDIT_ACCESS : 0,
2835 				     &denied);
2836 	if (likely(!audited))
2837 		return rc;
2838 
2839 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2840 	if (rc2)
2841 		return rc2;
2842 	return rc;
2843 }
2844 
2845 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2846 {
2847 	const struct cred *cred = current_cred();
2848 	unsigned int ia_valid = iattr->ia_valid;
2849 	__u32 av = FILE__WRITE;
2850 
2851 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2852 	if (ia_valid & ATTR_FORCE) {
2853 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2854 			      ATTR_FORCE);
2855 		if (!ia_valid)
2856 			return 0;
2857 	}
2858 
2859 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2860 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2861 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
2862 
2863 	if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2864 		av |= FILE__OPEN;
2865 
2866 	return dentry_has_perm(cred, dentry, av);
2867 }
2868 
2869 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2870 {
2871 	const struct cred *cred = current_cred();
2872 	struct path path;
2873 
2874 	path.dentry = dentry;
2875 	path.mnt = mnt;
2876 
2877 	return path_has_perm(cred, &path, FILE__GETATTR);
2878 }
2879 
2880 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2881 {
2882 	const struct cred *cred = current_cred();
2883 
2884 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
2885 		     sizeof XATTR_SECURITY_PREFIX - 1)) {
2886 		if (!strcmp(name, XATTR_NAME_CAPS)) {
2887 			if (!capable(CAP_SETFCAP))
2888 				return -EPERM;
2889 		} else if (!capable(CAP_SYS_ADMIN)) {
2890 			/* A different attribute in the security namespace.
2891 			   Restrict to administrator. */
2892 			return -EPERM;
2893 		}
2894 	}
2895 
2896 	/* Not an attribute we recognize, so just check the
2897 	   ordinary setattr permission. */
2898 	return dentry_has_perm(cred, dentry, FILE__SETATTR);
2899 }
2900 
2901 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2902 				  const void *value, size_t size, int flags)
2903 {
2904 	struct inode *inode = dentry->d_inode;
2905 	struct inode_security_struct *isec = inode->i_security;
2906 	struct superblock_security_struct *sbsec;
2907 	struct common_audit_data ad;
2908 	u32 newsid, sid = current_sid();
2909 	int rc = 0;
2910 
2911 	if (strcmp(name, XATTR_NAME_SELINUX))
2912 		return selinux_inode_setotherxattr(dentry, name);
2913 
2914 	sbsec = inode->i_sb->s_security;
2915 	if (!(sbsec->flags & SBLABEL_MNT))
2916 		return -EOPNOTSUPP;
2917 
2918 	if (!inode_owner_or_capable(inode))
2919 		return -EPERM;
2920 
2921 	ad.type = LSM_AUDIT_DATA_DENTRY;
2922 	ad.u.dentry = dentry;
2923 
2924 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
2925 			  FILE__RELABELFROM, &ad);
2926 	if (rc)
2927 		return rc;
2928 
2929 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
2930 	if (rc == -EINVAL) {
2931 		if (!capable(CAP_MAC_ADMIN)) {
2932 			struct audit_buffer *ab;
2933 			size_t audit_size;
2934 			const char *str;
2935 
2936 			/* We strip a nul only if it is at the end, otherwise the
2937 			 * context contains a nul and we should audit that */
2938 			if (value) {
2939 				str = value;
2940 				if (str[size - 1] == '\0')
2941 					audit_size = size - 1;
2942 				else
2943 					audit_size = size;
2944 			} else {
2945 				str = "";
2946 				audit_size = 0;
2947 			}
2948 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2949 			audit_log_format(ab, "op=setxattr invalid_context=");
2950 			audit_log_n_untrustedstring(ab, value, audit_size);
2951 			audit_log_end(ab);
2952 
2953 			return rc;
2954 		}
2955 		rc = security_context_to_sid_force(value, size, &newsid);
2956 	}
2957 	if (rc)
2958 		return rc;
2959 
2960 	rc = avc_has_perm(sid, newsid, isec->sclass,
2961 			  FILE__RELABELTO, &ad);
2962 	if (rc)
2963 		return rc;
2964 
2965 	rc = security_validate_transition(isec->sid, newsid, sid,
2966 					  isec->sclass);
2967 	if (rc)
2968 		return rc;
2969 
2970 	return avc_has_perm(newsid,
2971 			    sbsec->sid,
2972 			    SECCLASS_FILESYSTEM,
2973 			    FILESYSTEM__ASSOCIATE,
2974 			    &ad);
2975 }
2976 
2977 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2978 					const void *value, size_t size,
2979 					int flags)
2980 {
2981 	struct inode *inode = dentry->d_inode;
2982 	struct inode_security_struct *isec = inode->i_security;
2983 	u32 newsid;
2984 	int rc;
2985 
2986 	if (strcmp(name, XATTR_NAME_SELINUX)) {
2987 		/* Not an attribute we recognize, so nothing to do. */
2988 		return;
2989 	}
2990 
2991 	rc = security_context_to_sid_force(value, size, &newsid);
2992 	if (rc) {
2993 		printk(KERN_ERR "SELinux:  unable to map context to SID"
2994 		       "for (%s, %lu), rc=%d\n",
2995 		       inode->i_sb->s_id, inode->i_ino, -rc);
2996 		return;
2997 	}
2998 
2999 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3000 	isec->sid = newsid;
3001 	isec->initialized = 1;
3002 
3003 	return;
3004 }
3005 
3006 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3007 {
3008 	const struct cred *cred = current_cred();
3009 
3010 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3011 }
3012 
3013 static int selinux_inode_listxattr(struct dentry *dentry)
3014 {
3015 	const struct cred *cred = current_cred();
3016 
3017 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3018 }
3019 
3020 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3021 {
3022 	if (strcmp(name, XATTR_NAME_SELINUX))
3023 		return selinux_inode_setotherxattr(dentry, name);
3024 
3025 	/* No one is allowed to remove a SELinux security label.
3026 	   You can change the label, but all data must be labeled. */
3027 	return -EACCES;
3028 }
3029 
3030 /*
3031  * Copy the inode security context value to the user.
3032  *
3033  * Permission check is handled by selinux_inode_getxattr hook.
3034  */
3035 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3036 {
3037 	u32 size;
3038 	int error;
3039 	char *context = NULL;
3040 	struct inode_security_struct *isec = inode->i_security;
3041 
3042 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3043 		return -EOPNOTSUPP;
3044 
3045 	/*
3046 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3047 	 * value even if it is not defined by current policy; otherwise,
3048 	 * use the in-core value under current policy.
3049 	 * Use the non-auditing forms of the permission checks since
3050 	 * getxattr may be called by unprivileged processes commonly
3051 	 * and lack of permission just means that we fall back to the
3052 	 * in-core context value, not a denial.
3053 	 */
3054 	error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3055 				SECURITY_CAP_NOAUDIT);
3056 	if (!error)
3057 		error = security_sid_to_context_force(isec->sid, &context,
3058 						      &size);
3059 	else
3060 		error = security_sid_to_context(isec->sid, &context, &size);
3061 	if (error)
3062 		return error;
3063 	error = size;
3064 	if (alloc) {
3065 		*buffer = context;
3066 		goto out_nofree;
3067 	}
3068 	kfree(context);
3069 out_nofree:
3070 	return error;
3071 }
3072 
3073 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3074 				     const void *value, size_t size, int flags)
3075 {
3076 	struct inode_security_struct *isec = inode->i_security;
3077 	u32 newsid;
3078 	int rc;
3079 
3080 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3081 		return -EOPNOTSUPP;
3082 
3083 	if (!value || !size)
3084 		return -EACCES;
3085 
3086 	rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3087 	if (rc)
3088 		return rc;
3089 
3090 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3091 	isec->sid = newsid;
3092 	isec->initialized = 1;
3093 	return 0;
3094 }
3095 
3096 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3097 {
3098 	const int len = sizeof(XATTR_NAME_SELINUX);
3099 	if (buffer && len <= buffer_size)
3100 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3101 	return len;
3102 }
3103 
3104 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3105 {
3106 	struct inode_security_struct *isec = inode->i_security;
3107 	*secid = isec->sid;
3108 }
3109 
3110 /* file security operations */
3111 
3112 static int selinux_revalidate_file_permission(struct file *file, int mask)
3113 {
3114 	const struct cred *cred = current_cred();
3115 	struct inode *inode = file_inode(file);
3116 
3117 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3118 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3119 		mask |= MAY_APPEND;
3120 
3121 	return file_has_perm(cred, file,
3122 			     file_mask_to_av(inode->i_mode, mask));
3123 }
3124 
3125 static int selinux_file_permission(struct file *file, int mask)
3126 {
3127 	struct inode *inode = file_inode(file);
3128 	struct file_security_struct *fsec = file->f_security;
3129 	struct inode_security_struct *isec = inode->i_security;
3130 	u32 sid = current_sid();
3131 
3132 	if (!mask)
3133 		/* No permission to check.  Existence test. */
3134 		return 0;
3135 
3136 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3137 	    fsec->pseqno == avc_policy_seqno())
3138 		/* No change since file_open check. */
3139 		return 0;
3140 
3141 	return selinux_revalidate_file_permission(file, mask);
3142 }
3143 
3144 static int selinux_file_alloc_security(struct file *file)
3145 {
3146 	return file_alloc_security(file);
3147 }
3148 
3149 static void selinux_file_free_security(struct file *file)
3150 {
3151 	file_free_security(file);
3152 }
3153 
3154 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3155 			      unsigned long arg)
3156 {
3157 	const struct cred *cred = current_cred();
3158 	int error = 0;
3159 
3160 	switch (cmd) {
3161 	case FIONREAD:
3162 	/* fall through */
3163 	case FIBMAP:
3164 	/* fall through */
3165 	case FIGETBSZ:
3166 	/* fall through */
3167 	case FS_IOC_GETFLAGS:
3168 	/* fall through */
3169 	case FS_IOC_GETVERSION:
3170 		error = file_has_perm(cred, file, FILE__GETATTR);
3171 		break;
3172 
3173 	case FS_IOC_SETFLAGS:
3174 	/* fall through */
3175 	case FS_IOC_SETVERSION:
3176 		error = file_has_perm(cred, file, FILE__SETATTR);
3177 		break;
3178 
3179 	/* sys_ioctl() checks */
3180 	case FIONBIO:
3181 	/* fall through */
3182 	case FIOASYNC:
3183 		error = file_has_perm(cred, file, 0);
3184 		break;
3185 
3186 	case KDSKBENT:
3187 	case KDSKBSENT:
3188 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3189 					    SECURITY_CAP_AUDIT);
3190 		break;
3191 
3192 	/* default case assumes that the command will go
3193 	 * to the file's ioctl() function.
3194 	 */
3195 	default:
3196 		error = file_has_perm(cred, file, FILE__IOCTL);
3197 	}
3198 	return error;
3199 }
3200 
3201 static int default_noexec;
3202 
3203 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3204 {
3205 	const struct cred *cred = current_cred();
3206 	int rc = 0;
3207 
3208 	if (default_noexec &&
3209 	    (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3210 		/*
3211 		 * We are making executable an anonymous mapping or a
3212 		 * private file mapping that will also be writable.
3213 		 * This has an additional check.
3214 		 */
3215 		rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3216 		if (rc)
3217 			goto error;
3218 	}
3219 
3220 	if (file) {
3221 		/* read access is always possible with a mapping */
3222 		u32 av = FILE__READ;
3223 
3224 		/* write access only matters if the mapping is shared */
3225 		if (shared && (prot & PROT_WRITE))
3226 			av |= FILE__WRITE;
3227 
3228 		if (prot & PROT_EXEC)
3229 			av |= FILE__EXECUTE;
3230 
3231 		return file_has_perm(cred, file, av);
3232 	}
3233 
3234 error:
3235 	return rc;
3236 }
3237 
3238 static int selinux_mmap_addr(unsigned long addr)
3239 {
3240 	int rc;
3241 
3242 	/* do DAC check on address space usage */
3243 	rc = cap_mmap_addr(addr);
3244 	if (rc)
3245 		return rc;
3246 
3247 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3248 		u32 sid = current_sid();
3249 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3250 				  MEMPROTECT__MMAP_ZERO, NULL);
3251 	}
3252 
3253 	return rc;
3254 }
3255 
3256 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3257 			     unsigned long prot, unsigned long flags)
3258 {
3259 	if (selinux_checkreqprot)
3260 		prot = reqprot;
3261 
3262 	return file_map_prot_check(file, prot,
3263 				   (flags & MAP_TYPE) == MAP_SHARED);
3264 }
3265 
3266 static int selinux_file_mprotect(struct vm_area_struct *vma,
3267 				 unsigned long reqprot,
3268 				 unsigned long prot)
3269 {
3270 	const struct cred *cred = current_cred();
3271 
3272 	if (selinux_checkreqprot)
3273 		prot = reqprot;
3274 
3275 	if (default_noexec &&
3276 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3277 		int rc = 0;
3278 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3279 		    vma->vm_end <= vma->vm_mm->brk) {
3280 			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3281 		} else if (!vma->vm_file &&
3282 			   vma->vm_start <= vma->vm_mm->start_stack &&
3283 			   vma->vm_end >= vma->vm_mm->start_stack) {
3284 			rc = current_has_perm(current, PROCESS__EXECSTACK);
3285 		} else if (vma->vm_file && vma->anon_vma) {
3286 			/*
3287 			 * We are making executable a file mapping that has
3288 			 * had some COW done. Since pages might have been
3289 			 * written, check ability to execute the possibly
3290 			 * modified content.  This typically should only
3291 			 * occur for text relocations.
3292 			 */
3293 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3294 		}
3295 		if (rc)
3296 			return rc;
3297 	}
3298 
3299 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3300 }
3301 
3302 static int selinux_file_lock(struct file *file, unsigned int cmd)
3303 {
3304 	const struct cred *cred = current_cred();
3305 
3306 	return file_has_perm(cred, file, FILE__LOCK);
3307 }
3308 
3309 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3310 			      unsigned long arg)
3311 {
3312 	const struct cred *cred = current_cred();
3313 	int err = 0;
3314 
3315 	switch (cmd) {
3316 	case F_SETFL:
3317 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3318 			err = file_has_perm(cred, file, FILE__WRITE);
3319 			break;
3320 		}
3321 		/* fall through */
3322 	case F_SETOWN:
3323 	case F_SETSIG:
3324 	case F_GETFL:
3325 	case F_GETOWN:
3326 	case F_GETSIG:
3327 	case F_GETOWNER_UIDS:
3328 		/* Just check FD__USE permission */
3329 		err = file_has_perm(cred, file, 0);
3330 		break;
3331 	case F_GETLK:
3332 	case F_SETLK:
3333 	case F_SETLKW:
3334 	case F_OFD_GETLK:
3335 	case F_OFD_SETLK:
3336 	case F_OFD_SETLKW:
3337 #if BITS_PER_LONG == 32
3338 	case F_GETLK64:
3339 	case F_SETLK64:
3340 	case F_SETLKW64:
3341 #endif
3342 		err = file_has_perm(cred, file, FILE__LOCK);
3343 		break;
3344 	}
3345 
3346 	return err;
3347 }
3348 
3349 static int selinux_file_set_fowner(struct file *file)
3350 {
3351 	struct file_security_struct *fsec;
3352 
3353 	fsec = file->f_security;
3354 	fsec->fown_sid = current_sid();
3355 
3356 	return 0;
3357 }
3358 
3359 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3360 				       struct fown_struct *fown, int signum)
3361 {
3362 	struct file *file;
3363 	u32 sid = task_sid(tsk);
3364 	u32 perm;
3365 	struct file_security_struct *fsec;
3366 
3367 	/* struct fown_struct is never outside the context of a struct file */
3368 	file = container_of(fown, struct file, f_owner);
3369 
3370 	fsec = file->f_security;
3371 
3372 	if (!signum)
3373 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3374 	else
3375 		perm = signal_to_av(signum);
3376 
3377 	return avc_has_perm(fsec->fown_sid, sid,
3378 			    SECCLASS_PROCESS, perm, NULL);
3379 }
3380 
3381 static int selinux_file_receive(struct file *file)
3382 {
3383 	const struct cred *cred = current_cred();
3384 
3385 	return file_has_perm(cred, file, file_to_av(file));
3386 }
3387 
3388 static int selinux_file_open(struct file *file, const struct cred *cred)
3389 {
3390 	struct file_security_struct *fsec;
3391 	struct inode_security_struct *isec;
3392 
3393 	fsec = file->f_security;
3394 	isec = file_inode(file)->i_security;
3395 	/*
3396 	 * Save inode label and policy sequence number
3397 	 * at open-time so that selinux_file_permission
3398 	 * can determine whether revalidation is necessary.
3399 	 * Task label is already saved in the file security
3400 	 * struct as its SID.
3401 	 */
3402 	fsec->isid = isec->sid;
3403 	fsec->pseqno = avc_policy_seqno();
3404 	/*
3405 	 * Since the inode label or policy seqno may have changed
3406 	 * between the selinux_inode_permission check and the saving
3407 	 * of state above, recheck that access is still permitted.
3408 	 * Otherwise, access might never be revalidated against the
3409 	 * new inode label or new policy.
3410 	 * This check is not redundant - do not remove.
3411 	 */
3412 	return file_path_has_perm(cred, file, open_file_to_av(file));
3413 }
3414 
3415 /* task security operations */
3416 
3417 static int selinux_task_create(unsigned long clone_flags)
3418 {
3419 	return current_has_perm(current, PROCESS__FORK);
3420 }
3421 
3422 /*
3423  * allocate the SELinux part of blank credentials
3424  */
3425 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3426 {
3427 	struct task_security_struct *tsec;
3428 
3429 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3430 	if (!tsec)
3431 		return -ENOMEM;
3432 
3433 	cred->security = tsec;
3434 	return 0;
3435 }
3436 
3437 /*
3438  * detach and free the LSM part of a set of credentials
3439  */
3440 static void selinux_cred_free(struct cred *cred)
3441 {
3442 	struct task_security_struct *tsec = cred->security;
3443 
3444 	/*
3445 	 * cred->security == NULL if security_cred_alloc_blank() or
3446 	 * security_prepare_creds() returned an error.
3447 	 */
3448 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3449 	cred->security = (void *) 0x7UL;
3450 	kfree(tsec);
3451 }
3452 
3453 /*
3454  * prepare a new set of credentials for modification
3455  */
3456 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3457 				gfp_t gfp)
3458 {
3459 	const struct task_security_struct *old_tsec;
3460 	struct task_security_struct *tsec;
3461 
3462 	old_tsec = old->security;
3463 
3464 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3465 	if (!tsec)
3466 		return -ENOMEM;
3467 
3468 	new->security = tsec;
3469 	return 0;
3470 }
3471 
3472 /*
3473  * transfer the SELinux data to a blank set of creds
3474  */
3475 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3476 {
3477 	const struct task_security_struct *old_tsec = old->security;
3478 	struct task_security_struct *tsec = new->security;
3479 
3480 	*tsec = *old_tsec;
3481 }
3482 
3483 /*
3484  * set the security data for a kernel service
3485  * - all the creation contexts are set to unlabelled
3486  */
3487 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3488 {
3489 	struct task_security_struct *tsec = new->security;
3490 	u32 sid = current_sid();
3491 	int ret;
3492 
3493 	ret = avc_has_perm(sid, secid,
3494 			   SECCLASS_KERNEL_SERVICE,
3495 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3496 			   NULL);
3497 	if (ret == 0) {
3498 		tsec->sid = secid;
3499 		tsec->create_sid = 0;
3500 		tsec->keycreate_sid = 0;
3501 		tsec->sockcreate_sid = 0;
3502 	}
3503 	return ret;
3504 }
3505 
3506 /*
3507  * set the file creation context in a security record to the same as the
3508  * objective context of the specified inode
3509  */
3510 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3511 {
3512 	struct inode_security_struct *isec = inode->i_security;
3513 	struct task_security_struct *tsec = new->security;
3514 	u32 sid = current_sid();
3515 	int ret;
3516 
3517 	ret = avc_has_perm(sid, isec->sid,
3518 			   SECCLASS_KERNEL_SERVICE,
3519 			   KERNEL_SERVICE__CREATE_FILES_AS,
3520 			   NULL);
3521 
3522 	if (ret == 0)
3523 		tsec->create_sid = isec->sid;
3524 	return ret;
3525 }
3526 
3527 static int selinux_kernel_module_request(char *kmod_name)
3528 {
3529 	u32 sid;
3530 	struct common_audit_data ad;
3531 
3532 	sid = task_sid(current);
3533 
3534 	ad.type = LSM_AUDIT_DATA_KMOD;
3535 	ad.u.kmod_name = kmod_name;
3536 
3537 	return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3538 			    SYSTEM__MODULE_REQUEST, &ad);
3539 }
3540 
3541 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3542 {
3543 	return current_has_perm(p, PROCESS__SETPGID);
3544 }
3545 
3546 static int selinux_task_getpgid(struct task_struct *p)
3547 {
3548 	return current_has_perm(p, PROCESS__GETPGID);
3549 }
3550 
3551 static int selinux_task_getsid(struct task_struct *p)
3552 {
3553 	return current_has_perm(p, PROCESS__GETSESSION);
3554 }
3555 
3556 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3557 {
3558 	*secid = task_sid(p);
3559 }
3560 
3561 static int selinux_task_setnice(struct task_struct *p, int nice)
3562 {
3563 	int rc;
3564 
3565 	rc = cap_task_setnice(p, nice);
3566 	if (rc)
3567 		return rc;
3568 
3569 	return current_has_perm(p, PROCESS__SETSCHED);
3570 }
3571 
3572 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3573 {
3574 	int rc;
3575 
3576 	rc = cap_task_setioprio(p, ioprio);
3577 	if (rc)
3578 		return rc;
3579 
3580 	return current_has_perm(p, PROCESS__SETSCHED);
3581 }
3582 
3583 static int selinux_task_getioprio(struct task_struct *p)
3584 {
3585 	return current_has_perm(p, PROCESS__GETSCHED);
3586 }
3587 
3588 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3589 		struct rlimit *new_rlim)
3590 {
3591 	struct rlimit *old_rlim = p->signal->rlim + resource;
3592 
3593 	/* Control the ability to change the hard limit (whether
3594 	   lowering or raising it), so that the hard limit can
3595 	   later be used as a safe reset point for the soft limit
3596 	   upon context transitions.  See selinux_bprm_committing_creds. */
3597 	if (old_rlim->rlim_max != new_rlim->rlim_max)
3598 		return current_has_perm(p, PROCESS__SETRLIMIT);
3599 
3600 	return 0;
3601 }
3602 
3603 static int selinux_task_setscheduler(struct task_struct *p)
3604 {
3605 	int rc;
3606 
3607 	rc = cap_task_setscheduler(p);
3608 	if (rc)
3609 		return rc;
3610 
3611 	return current_has_perm(p, PROCESS__SETSCHED);
3612 }
3613 
3614 static int selinux_task_getscheduler(struct task_struct *p)
3615 {
3616 	return current_has_perm(p, PROCESS__GETSCHED);
3617 }
3618 
3619 static int selinux_task_movememory(struct task_struct *p)
3620 {
3621 	return current_has_perm(p, PROCESS__SETSCHED);
3622 }
3623 
3624 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3625 				int sig, u32 secid)
3626 {
3627 	u32 perm;
3628 	int rc;
3629 
3630 	if (!sig)
3631 		perm = PROCESS__SIGNULL; /* null signal; existence test */
3632 	else
3633 		perm = signal_to_av(sig);
3634 	if (secid)
3635 		rc = avc_has_perm(secid, task_sid(p),
3636 				  SECCLASS_PROCESS, perm, NULL);
3637 	else
3638 		rc = current_has_perm(p, perm);
3639 	return rc;
3640 }
3641 
3642 static int selinux_task_wait(struct task_struct *p)
3643 {
3644 	return task_has_perm(p, current, PROCESS__SIGCHLD);
3645 }
3646 
3647 static void selinux_task_to_inode(struct task_struct *p,
3648 				  struct inode *inode)
3649 {
3650 	struct inode_security_struct *isec = inode->i_security;
3651 	u32 sid = task_sid(p);
3652 
3653 	isec->sid = sid;
3654 	isec->initialized = 1;
3655 }
3656 
3657 /* Returns error only if unable to parse addresses */
3658 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3659 			struct common_audit_data *ad, u8 *proto)
3660 {
3661 	int offset, ihlen, ret = -EINVAL;
3662 	struct iphdr _iph, *ih;
3663 
3664 	offset = skb_network_offset(skb);
3665 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3666 	if (ih == NULL)
3667 		goto out;
3668 
3669 	ihlen = ih->ihl * 4;
3670 	if (ihlen < sizeof(_iph))
3671 		goto out;
3672 
3673 	ad->u.net->v4info.saddr = ih->saddr;
3674 	ad->u.net->v4info.daddr = ih->daddr;
3675 	ret = 0;
3676 
3677 	if (proto)
3678 		*proto = ih->protocol;
3679 
3680 	switch (ih->protocol) {
3681 	case IPPROTO_TCP: {
3682 		struct tcphdr _tcph, *th;
3683 
3684 		if (ntohs(ih->frag_off) & IP_OFFSET)
3685 			break;
3686 
3687 		offset += ihlen;
3688 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3689 		if (th == NULL)
3690 			break;
3691 
3692 		ad->u.net->sport = th->source;
3693 		ad->u.net->dport = th->dest;
3694 		break;
3695 	}
3696 
3697 	case IPPROTO_UDP: {
3698 		struct udphdr _udph, *uh;
3699 
3700 		if (ntohs(ih->frag_off) & IP_OFFSET)
3701 			break;
3702 
3703 		offset += ihlen;
3704 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3705 		if (uh == NULL)
3706 			break;
3707 
3708 		ad->u.net->sport = uh->source;
3709 		ad->u.net->dport = uh->dest;
3710 		break;
3711 	}
3712 
3713 	case IPPROTO_DCCP: {
3714 		struct dccp_hdr _dccph, *dh;
3715 
3716 		if (ntohs(ih->frag_off) & IP_OFFSET)
3717 			break;
3718 
3719 		offset += ihlen;
3720 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3721 		if (dh == NULL)
3722 			break;
3723 
3724 		ad->u.net->sport = dh->dccph_sport;
3725 		ad->u.net->dport = dh->dccph_dport;
3726 		break;
3727 	}
3728 
3729 	default:
3730 		break;
3731 	}
3732 out:
3733 	return ret;
3734 }
3735 
3736 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3737 
3738 /* Returns error only if unable to parse addresses */
3739 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3740 			struct common_audit_data *ad, u8 *proto)
3741 {
3742 	u8 nexthdr;
3743 	int ret = -EINVAL, offset;
3744 	struct ipv6hdr _ipv6h, *ip6;
3745 	__be16 frag_off;
3746 
3747 	offset = skb_network_offset(skb);
3748 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3749 	if (ip6 == NULL)
3750 		goto out;
3751 
3752 	ad->u.net->v6info.saddr = ip6->saddr;
3753 	ad->u.net->v6info.daddr = ip6->daddr;
3754 	ret = 0;
3755 
3756 	nexthdr = ip6->nexthdr;
3757 	offset += sizeof(_ipv6h);
3758 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3759 	if (offset < 0)
3760 		goto out;
3761 
3762 	if (proto)
3763 		*proto = nexthdr;
3764 
3765 	switch (nexthdr) {
3766 	case IPPROTO_TCP: {
3767 		struct tcphdr _tcph, *th;
3768 
3769 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3770 		if (th == NULL)
3771 			break;
3772 
3773 		ad->u.net->sport = th->source;
3774 		ad->u.net->dport = th->dest;
3775 		break;
3776 	}
3777 
3778 	case IPPROTO_UDP: {
3779 		struct udphdr _udph, *uh;
3780 
3781 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3782 		if (uh == NULL)
3783 			break;
3784 
3785 		ad->u.net->sport = uh->source;
3786 		ad->u.net->dport = uh->dest;
3787 		break;
3788 	}
3789 
3790 	case IPPROTO_DCCP: {
3791 		struct dccp_hdr _dccph, *dh;
3792 
3793 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3794 		if (dh == NULL)
3795 			break;
3796 
3797 		ad->u.net->sport = dh->dccph_sport;
3798 		ad->u.net->dport = dh->dccph_dport;
3799 		break;
3800 	}
3801 
3802 	/* includes fragments */
3803 	default:
3804 		break;
3805 	}
3806 out:
3807 	return ret;
3808 }
3809 
3810 #endif /* IPV6 */
3811 
3812 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3813 			     char **_addrp, int src, u8 *proto)
3814 {
3815 	char *addrp;
3816 	int ret;
3817 
3818 	switch (ad->u.net->family) {
3819 	case PF_INET:
3820 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
3821 		if (ret)
3822 			goto parse_error;
3823 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3824 				       &ad->u.net->v4info.daddr);
3825 		goto okay;
3826 
3827 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3828 	case PF_INET6:
3829 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
3830 		if (ret)
3831 			goto parse_error;
3832 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3833 				       &ad->u.net->v6info.daddr);
3834 		goto okay;
3835 #endif	/* IPV6 */
3836 	default:
3837 		addrp = NULL;
3838 		goto okay;
3839 	}
3840 
3841 parse_error:
3842 	printk(KERN_WARNING
3843 	       "SELinux: failure in selinux_parse_skb(),"
3844 	       " unable to parse packet\n");
3845 	return ret;
3846 
3847 okay:
3848 	if (_addrp)
3849 		*_addrp = addrp;
3850 	return 0;
3851 }
3852 
3853 /**
3854  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3855  * @skb: the packet
3856  * @family: protocol family
3857  * @sid: the packet's peer label SID
3858  *
3859  * Description:
3860  * Check the various different forms of network peer labeling and determine
3861  * the peer label/SID for the packet; most of the magic actually occurs in
3862  * the security server function security_net_peersid_cmp().  The function
3863  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3864  * or -EACCES if @sid is invalid due to inconsistencies with the different
3865  * peer labels.
3866  *
3867  */
3868 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3869 {
3870 	int err;
3871 	u32 xfrm_sid;
3872 	u32 nlbl_sid;
3873 	u32 nlbl_type;
3874 
3875 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3876 	if (unlikely(err))
3877 		return -EACCES;
3878 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3879 	if (unlikely(err))
3880 		return -EACCES;
3881 
3882 	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3883 	if (unlikely(err)) {
3884 		printk(KERN_WARNING
3885 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
3886 		       " unable to determine packet's peer label\n");
3887 		return -EACCES;
3888 	}
3889 
3890 	return 0;
3891 }
3892 
3893 /**
3894  * selinux_conn_sid - Determine the child socket label for a connection
3895  * @sk_sid: the parent socket's SID
3896  * @skb_sid: the packet's SID
3897  * @conn_sid: the resulting connection SID
3898  *
3899  * If @skb_sid is valid then the user:role:type information from @sk_sid is
3900  * combined with the MLS information from @skb_sid in order to create
3901  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
3902  * of @sk_sid.  Returns zero on success, negative values on failure.
3903  *
3904  */
3905 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3906 {
3907 	int err = 0;
3908 
3909 	if (skb_sid != SECSID_NULL)
3910 		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3911 	else
3912 		*conn_sid = sk_sid;
3913 
3914 	return err;
3915 }
3916 
3917 /* socket security operations */
3918 
3919 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3920 				 u16 secclass, u32 *socksid)
3921 {
3922 	if (tsec->sockcreate_sid > SECSID_NULL) {
3923 		*socksid = tsec->sockcreate_sid;
3924 		return 0;
3925 	}
3926 
3927 	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3928 				       socksid);
3929 }
3930 
3931 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3932 {
3933 	struct sk_security_struct *sksec = sk->sk_security;
3934 	struct common_audit_data ad;
3935 	struct lsm_network_audit net = {0,};
3936 	u32 tsid = task_sid(task);
3937 
3938 	if (sksec->sid == SECINITSID_KERNEL)
3939 		return 0;
3940 
3941 	ad.type = LSM_AUDIT_DATA_NET;
3942 	ad.u.net = &net;
3943 	ad.u.net->sk = sk;
3944 
3945 	return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3946 }
3947 
3948 static int selinux_socket_create(int family, int type,
3949 				 int protocol, int kern)
3950 {
3951 	const struct task_security_struct *tsec = current_security();
3952 	u32 newsid;
3953 	u16 secclass;
3954 	int rc;
3955 
3956 	if (kern)
3957 		return 0;
3958 
3959 	secclass = socket_type_to_security_class(family, type, protocol);
3960 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3961 	if (rc)
3962 		return rc;
3963 
3964 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3965 }
3966 
3967 static int selinux_socket_post_create(struct socket *sock, int family,
3968 				      int type, int protocol, int kern)
3969 {
3970 	const struct task_security_struct *tsec = current_security();
3971 	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3972 	struct sk_security_struct *sksec;
3973 	int err = 0;
3974 
3975 	isec->sclass = socket_type_to_security_class(family, type, protocol);
3976 
3977 	if (kern)
3978 		isec->sid = SECINITSID_KERNEL;
3979 	else {
3980 		err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3981 		if (err)
3982 			return err;
3983 	}
3984 
3985 	isec->initialized = 1;
3986 
3987 	if (sock->sk) {
3988 		sksec = sock->sk->sk_security;
3989 		sksec->sid = isec->sid;
3990 		sksec->sclass = isec->sclass;
3991 		err = selinux_netlbl_socket_post_create(sock->sk, family);
3992 	}
3993 
3994 	return err;
3995 }
3996 
3997 /* Range of port numbers used to automatically bind.
3998    Need to determine whether we should perform a name_bind
3999    permission check between the socket and the port number. */
4000 
4001 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4002 {
4003 	struct sock *sk = sock->sk;
4004 	u16 family;
4005 	int err;
4006 
4007 	err = sock_has_perm(current, sk, SOCKET__BIND);
4008 	if (err)
4009 		goto out;
4010 
4011 	/*
4012 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
4013 	 * Multiple address binding for SCTP is not supported yet: we just
4014 	 * check the first address now.
4015 	 */
4016 	family = sk->sk_family;
4017 	if (family == PF_INET || family == PF_INET6) {
4018 		char *addrp;
4019 		struct sk_security_struct *sksec = sk->sk_security;
4020 		struct common_audit_data ad;
4021 		struct lsm_network_audit net = {0,};
4022 		struct sockaddr_in *addr4 = NULL;
4023 		struct sockaddr_in6 *addr6 = NULL;
4024 		unsigned short snum;
4025 		u32 sid, node_perm;
4026 
4027 		if (family == PF_INET) {
4028 			addr4 = (struct sockaddr_in *)address;
4029 			snum = ntohs(addr4->sin_port);
4030 			addrp = (char *)&addr4->sin_addr.s_addr;
4031 		} else {
4032 			addr6 = (struct sockaddr_in6 *)address;
4033 			snum = ntohs(addr6->sin6_port);
4034 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4035 		}
4036 
4037 		if (snum) {
4038 			int low, high;
4039 
4040 			inet_get_local_port_range(sock_net(sk), &low, &high);
4041 
4042 			if (snum < max(PROT_SOCK, low) || snum > high) {
4043 				err = sel_netport_sid(sk->sk_protocol,
4044 						      snum, &sid);
4045 				if (err)
4046 					goto out;
4047 				ad.type = LSM_AUDIT_DATA_NET;
4048 				ad.u.net = &net;
4049 				ad.u.net->sport = htons(snum);
4050 				ad.u.net->family = family;
4051 				err = avc_has_perm(sksec->sid, sid,
4052 						   sksec->sclass,
4053 						   SOCKET__NAME_BIND, &ad);
4054 				if (err)
4055 					goto out;
4056 			}
4057 		}
4058 
4059 		switch (sksec->sclass) {
4060 		case SECCLASS_TCP_SOCKET:
4061 			node_perm = TCP_SOCKET__NODE_BIND;
4062 			break;
4063 
4064 		case SECCLASS_UDP_SOCKET:
4065 			node_perm = UDP_SOCKET__NODE_BIND;
4066 			break;
4067 
4068 		case SECCLASS_DCCP_SOCKET:
4069 			node_perm = DCCP_SOCKET__NODE_BIND;
4070 			break;
4071 
4072 		default:
4073 			node_perm = RAWIP_SOCKET__NODE_BIND;
4074 			break;
4075 		}
4076 
4077 		err = sel_netnode_sid(addrp, family, &sid);
4078 		if (err)
4079 			goto out;
4080 
4081 		ad.type = LSM_AUDIT_DATA_NET;
4082 		ad.u.net = &net;
4083 		ad.u.net->sport = htons(snum);
4084 		ad.u.net->family = family;
4085 
4086 		if (family == PF_INET)
4087 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4088 		else
4089 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4090 
4091 		err = avc_has_perm(sksec->sid, sid,
4092 				   sksec->sclass, node_perm, &ad);
4093 		if (err)
4094 			goto out;
4095 	}
4096 out:
4097 	return err;
4098 }
4099 
4100 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4101 {
4102 	struct sock *sk = sock->sk;
4103 	struct sk_security_struct *sksec = sk->sk_security;
4104 	int err;
4105 
4106 	err = sock_has_perm(current, sk, SOCKET__CONNECT);
4107 	if (err)
4108 		return err;
4109 
4110 	/*
4111 	 * If a TCP or DCCP socket, check name_connect permission for the port.
4112 	 */
4113 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4114 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
4115 		struct common_audit_data ad;
4116 		struct lsm_network_audit net = {0,};
4117 		struct sockaddr_in *addr4 = NULL;
4118 		struct sockaddr_in6 *addr6 = NULL;
4119 		unsigned short snum;
4120 		u32 sid, perm;
4121 
4122 		if (sk->sk_family == PF_INET) {
4123 			addr4 = (struct sockaddr_in *)address;
4124 			if (addrlen < sizeof(struct sockaddr_in))
4125 				return -EINVAL;
4126 			snum = ntohs(addr4->sin_port);
4127 		} else {
4128 			addr6 = (struct sockaddr_in6 *)address;
4129 			if (addrlen < SIN6_LEN_RFC2133)
4130 				return -EINVAL;
4131 			snum = ntohs(addr6->sin6_port);
4132 		}
4133 
4134 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4135 		if (err)
4136 			goto out;
4137 
4138 		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4139 		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4140 
4141 		ad.type = LSM_AUDIT_DATA_NET;
4142 		ad.u.net = &net;
4143 		ad.u.net->dport = htons(snum);
4144 		ad.u.net->family = sk->sk_family;
4145 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4146 		if (err)
4147 			goto out;
4148 	}
4149 
4150 	err = selinux_netlbl_socket_connect(sk, address);
4151 
4152 out:
4153 	return err;
4154 }
4155 
4156 static int selinux_socket_listen(struct socket *sock, int backlog)
4157 {
4158 	return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4159 }
4160 
4161 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4162 {
4163 	int err;
4164 	struct inode_security_struct *isec;
4165 	struct inode_security_struct *newisec;
4166 
4167 	err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4168 	if (err)
4169 		return err;
4170 
4171 	newisec = SOCK_INODE(newsock)->i_security;
4172 
4173 	isec = SOCK_INODE(sock)->i_security;
4174 	newisec->sclass = isec->sclass;
4175 	newisec->sid = isec->sid;
4176 	newisec->initialized = 1;
4177 
4178 	return 0;
4179 }
4180 
4181 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4182 				  int size)
4183 {
4184 	return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4185 }
4186 
4187 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4188 				  int size, int flags)
4189 {
4190 	return sock_has_perm(current, sock->sk, SOCKET__READ);
4191 }
4192 
4193 static int selinux_socket_getsockname(struct socket *sock)
4194 {
4195 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4196 }
4197 
4198 static int selinux_socket_getpeername(struct socket *sock)
4199 {
4200 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4201 }
4202 
4203 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4204 {
4205 	int err;
4206 
4207 	err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4208 	if (err)
4209 		return err;
4210 
4211 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4212 }
4213 
4214 static int selinux_socket_getsockopt(struct socket *sock, int level,
4215 				     int optname)
4216 {
4217 	return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4218 }
4219 
4220 static int selinux_socket_shutdown(struct socket *sock, int how)
4221 {
4222 	return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4223 }
4224 
4225 static int selinux_socket_unix_stream_connect(struct sock *sock,
4226 					      struct sock *other,
4227 					      struct sock *newsk)
4228 {
4229 	struct sk_security_struct *sksec_sock = sock->sk_security;
4230 	struct sk_security_struct *sksec_other = other->sk_security;
4231 	struct sk_security_struct *sksec_new = newsk->sk_security;
4232 	struct common_audit_data ad;
4233 	struct lsm_network_audit net = {0,};
4234 	int err;
4235 
4236 	ad.type = LSM_AUDIT_DATA_NET;
4237 	ad.u.net = &net;
4238 	ad.u.net->sk = other;
4239 
4240 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4241 			   sksec_other->sclass,
4242 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4243 	if (err)
4244 		return err;
4245 
4246 	/* server child socket */
4247 	sksec_new->peer_sid = sksec_sock->sid;
4248 	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4249 				    &sksec_new->sid);
4250 	if (err)
4251 		return err;
4252 
4253 	/* connecting socket */
4254 	sksec_sock->peer_sid = sksec_new->sid;
4255 
4256 	return 0;
4257 }
4258 
4259 static int selinux_socket_unix_may_send(struct socket *sock,
4260 					struct socket *other)
4261 {
4262 	struct sk_security_struct *ssec = sock->sk->sk_security;
4263 	struct sk_security_struct *osec = other->sk->sk_security;
4264 	struct common_audit_data ad;
4265 	struct lsm_network_audit net = {0,};
4266 
4267 	ad.type = LSM_AUDIT_DATA_NET;
4268 	ad.u.net = &net;
4269 	ad.u.net->sk = other->sk;
4270 
4271 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4272 			    &ad);
4273 }
4274 
4275 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4276 				    u32 peer_sid,
4277 				    struct common_audit_data *ad)
4278 {
4279 	int err;
4280 	u32 if_sid;
4281 	u32 node_sid;
4282 
4283 	err = sel_netif_sid(ifindex, &if_sid);
4284 	if (err)
4285 		return err;
4286 	err = avc_has_perm(peer_sid, if_sid,
4287 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4288 	if (err)
4289 		return err;
4290 
4291 	err = sel_netnode_sid(addrp, family, &node_sid);
4292 	if (err)
4293 		return err;
4294 	return avc_has_perm(peer_sid, node_sid,
4295 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4296 }
4297 
4298 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4299 				       u16 family)
4300 {
4301 	int err = 0;
4302 	struct sk_security_struct *sksec = sk->sk_security;
4303 	u32 sk_sid = sksec->sid;
4304 	struct common_audit_data ad;
4305 	struct lsm_network_audit net = {0,};
4306 	char *addrp;
4307 
4308 	ad.type = LSM_AUDIT_DATA_NET;
4309 	ad.u.net = &net;
4310 	ad.u.net->netif = skb->skb_iif;
4311 	ad.u.net->family = family;
4312 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4313 	if (err)
4314 		return err;
4315 
4316 	if (selinux_secmark_enabled()) {
4317 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4318 				   PACKET__RECV, &ad);
4319 		if (err)
4320 			return err;
4321 	}
4322 
4323 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4324 	if (err)
4325 		return err;
4326 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4327 
4328 	return err;
4329 }
4330 
4331 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4332 {
4333 	int err;
4334 	struct sk_security_struct *sksec = sk->sk_security;
4335 	u16 family = sk->sk_family;
4336 	u32 sk_sid = sksec->sid;
4337 	struct common_audit_data ad;
4338 	struct lsm_network_audit net = {0,};
4339 	char *addrp;
4340 	u8 secmark_active;
4341 	u8 peerlbl_active;
4342 
4343 	if (family != PF_INET && family != PF_INET6)
4344 		return 0;
4345 
4346 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4347 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4348 		family = PF_INET;
4349 
4350 	/* If any sort of compatibility mode is enabled then handoff processing
4351 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4352 	 * special handling.  We do this in an attempt to keep this function
4353 	 * as fast and as clean as possible. */
4354 	if (!selinux_policycap_netpeer)
4355 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4356 
4357 	secmark_active = selinux_secmark_enabled();
4358 	peerlbl_active = selinux_peerlbl_enabled();
4359 	if (!secmark_active && !peerlbl_active)
4360 		return 0;
4361 
4362 	ad.type = LSM_AUDIT_DATA_NET;
4363 	ad.u.net = &net;
4364 	ad.u.net->netif = skb->skb_iif;
4365 	ad.u.net->family = family;
4366 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4367 	if (err)
4368 		return err;
4369 
4370 	if (peerlbl_active) {
4371 		u32 peer_sid;
4372 
4373 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4374 		if (err)
4375 			return err;
4376 		err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4377 					       peer_sid, &ad);
4378 		if (err) {
4379 			selinux_netlbl_err(skb, err, 0);
4380 			return err;
4381 		}
4382 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4383 				   PEER__RECV, &ad);
4384 		if (err) {
4385 			selinux_netlbl_err(skb, err, 0);
4386 			return err;
4387 		}
4388 	}
4389 
4390 	if (secmark_active) {
4391 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4392 				   PACKET__RECV, &ad);
4393 		if (err)
4394 			return err;
4395 	}
4396 
4397 	return err;
4398 }
4399 
4400 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4401 					    int __user *optlen, unsigned len)
4402 {
4403 	int err = 0;
4404 	char *scontext;
4405 	u32 scontext_len;
4406 	struct sk_security_struct *sksec = sock->sk->sk_security;
4407 	u32 peer_sid = SECSID_NULL;
4408 
4409 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4410 	    sksec->sclass == SECCLASS_TCP_SOCKET)
4411 		peer_sid = sksec->peer_sid;
4412 	if (peer_sid == SECSID_NULL)
4413 		return -ENOPROTOOPT;
4414 
4415 	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4416 	if (err)
4417 		return err;
4418 
4419 	if (scontext_len > len) {
4420 		err = -ERANGE;
4421 		goto out_len;
4422 	}
4423 
4424 	if (copy_to_user(optval, scontext, scontext_len))
4425 		err = -EFAULT;
4426 
4427 out_len:
4428 	if (put_user(scontext_len, optlen))
4429 		err = -EFAULT;
4430 	kfree(scontext);
4431 	return err;
4432 }
4433 
4434 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4435 {
4436 	u32 peer_secid = SECSID_NULL;
4437 	u16 family;
4438 
4439 	if (skb && skb->protocol == htons(ETH_P_IP))
4440 		family = PF_INET;
4441 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4442 		family = PF_INET6;
4443 	else if (sock)
4444 		family = sock->sk->sk_family;
4445 	else
4446 		goto out;
4447 
4448 	if (sock && family == PF_UNIX)
4449 		selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4450 	else if (skb)
4451 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4452 
4453 out:
4454 	*secid = peer_secid;
4455 	if (peer_secid == SECSID_NULL)
4456 		return -EINVAL;
4457 	return 0;
4458 }
4459 
4460 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4461 {
4462 	struct sk_security_struct *sksec;
4463 
4464 	sksec = kzalloc(sizeof(*sksec), priority);
4465 	if (!sksec)
4466 		return -ENOMEM;
4467 
4468 	sksec->peer_sid = SECINITSID_UNLABELED;
4469 	sksec->sid = SECINITSID_UNLABELED;
4470 	selinux_netlbl_sk_security_reset(sksec);
4471 	sk->sk_security = sksec;
4472 
4473 	return 0;
4474 }
4475 
4476 static void selinux_sk_free_security(struct sock *sk)
4477 {
4478 	struct sk_security_struct *sksec = sk->sk_security;
4479 
4480 	sk->sk_security = NULL;
4481 	selinux_netlbl_sk_security_free(sksec);
4482 	kfree(sksec);
4483 }
4484 
4485 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4486 {
4487 	struct sk_security_struct *sksec = sk->sk_security;
4488 	struct sk_security_struct *newsksec = newsk->sk_security;
4489 
4490 	newsksec->sid = sksec->sid;
4491 	newsksec->peer_sid = sksec->peer_sid;
4492 	newsksec->sclass = sksec->sclass;
4493 
4494 	selinux_netlbl_sk_security_reset(newsksec);
4495 }
4496 
4497 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4498 {
4499 	if (!sk)
4500 		*secid = SECINITSID_ANY_SOCKET;
4501 	else {
4502 		struct sk_security_struct *sksec = sk->sk_security;
4503 
4504 		*secid = sksec->sid;
4505 	}
4506 }
4507 
4508 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4509 {
4510 	struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4511 	struct sk_security_struct *sksec = sk->sk_security;
4512 
4513 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4514 	    sk->sk_family == PF_UNIX)
4515 		isec->sid = sksec->sid;
4516 	sksec->sclass = isec->sclass;
4517 }
4518 
4519 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4520 				     struct request_sock *req)
4521 {
4522 	struct sk_security_struct *sksec = sk->sk_security;
4523 	int err;
4524 	u16 family = req->rsk_ops->family;
4525 	u32 connsid;
4526 	u32 peersid;
4527 
4528 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4529 	if (err)
4530 		return err;
4531 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4532 	if (err)
4533 		return err;
4534 	req->secid = connsid;
4535 	req->peer_secid = peersid;
4536 
4537 	return selinux_netlbl_inet_conn_request(req, family);
4538 }
4539 
4540 static void selinux_inet_csk_clone(struct sock *newsk,
4541 				   const struct request_sock *req)
4542 {
4543 	struct sk_security_struct *newsksec = newsk->sk_security;
4544 
4545 	newsksec->sid = req->secid;
4546 	newsksec->peer_sid = req->peer_secid;
4547 	/* NOTE: Ideally, we should also get the isec->sid for the
4548 	   new socket in sync, but we don't have the isec available yet.
4549 	   So we will wait until sock_graft to do it, by which
4550 	   time it will have been created and available. */
4551 
4552 	/* We don't need to take any sort of lock here as we are the only
4553 	 * thread with access to newsksec */
4554 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4555 }
4556 
4557 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4558 {
4559 	u16 family = sk->sk_family;
4560 	struct sk_security_struct *sksec = sk->sk_security;
4561 
4562 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4563 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4564 		family = PF_INET;
4565 
4566 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4567 }
4568 
4569 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4570 {
4571 	skb_set_owner_w(skb, sk);
4572 }
4573 
4574 static int selinux_secmark_relabel_packet(u32 sid)
4575 {
4576 	const struct task_security_struct *__tsec;
4577 	u32 tsid;
4578 
4579 	__tsec = current_security();
4580 	tsid = __tsec->sid;
4581 
4582 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4583 }
4584 
4585 static void selinux_secmark_refcount_inc(void)
4586 {
4587 	atomic_inc(&selinux_secmark_refcount);
4588 }
4589 
4590 static void selinux_secmark_refcount_dec(void)
4591 {
4592 	atomic_dec(&selinux_secmark_refcount);
4593 }
4594 
4595 static void selinux_req_classify_flow(const struct request_sock *req,
4596 				      struct flowi *fl)
4597 {
4598 	fl->flowi_secid = req->secid;
4599 }
4600 
4601 static int selinux_tun_dev_alloc_security(void **security)
4602 {
4603 	struct tun_security_struct *tunsec;
4604 
4605 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4606 	if (!tunsec)
4607 		return -ENOMEM;
4608 	tunsec->sid = current_sid();
4609 
4610 	*security = tunsec;
4611 	return 0;
4612 }
4613 
4614 static void selinux_tun_dev_free_security(void *security)
4615 {
4616 	kfree(security);
4617 }
4618 
4619 static int selinux_tun_dev_create(void)
4620 {
4621 	u32 sid = current_sid();
4622 
4623 	/* we aren't taking into account the "sockcreate" SID since the socket
4624 	 * that is being created here is not a socket in the traditional sense,
4625 	 * instead it is a private sock, accessible only to the kernel, and
4626 	 * representing a wide range of network traffic spanning multiple
4627 	 * connections unlike traditional sockets - check the TUN driver to
4628 	 * get a better understanding of why this socket is special */
4629 
4630 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4631 			    NULL);
4632 }
4633 
4634 static int selinux_tun_dev_attach_queue(void *security)
4635 {
4636 	struct tun_security_struct *tunsec = security;
4637 
4638 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4639 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
4640 }
4641 
4642 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4643 {
4644 	struct tun_security_struct *tunsec = security;
4645 	struct sk_security_struct *sksec = sk->sk_security;
4646 
4647 	/* we don't currently perform any NetLabel based labeling here and it
4648 	 * isn't clear that we would want to do so anyway; while we could apply
4649 	 * labeling without the support of the TUN user the resulting labeled
4650 	 * traffic from the other end of the connection would almost certainly
4651 	 * cause confusion to the TUN user that had no idea network labeling
4652 	 * protocols were being used */
4653 
4654 	sksec->sid = tunsec->sid;
4655 	sksec->sclass = SECCLASS_TUN_SOCKET;
4656 
4657 	return 0;
4658 }
4659 
4660 static int selinux_tun_dev_open(void *security)
4661 {
4662 	struct tun_security_struct *tunsec = security;
4663 	u32 sid = current_sid();
4664 	int err;
4665 
4666 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4667 			   TUN_SOCKET__RELABELFROM, NULL);
4668 	if (err)
4669 		return err;
4670 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4671 			   TUN_SOCKET__RELABELTO, NULL);
4672 	if (err)
4673 		return err;
4674 	tunsec->sid = sid;
4675 
4676 	return 0;
4677 }
4678 
4679 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4680 {
4681 	int err = 0;
4682 	u32 perm;
4683 	struct nlmsghdr *nlh;
4684 	struct sk_security_struct *sksec = sk->sk_security;
4685 
4686 	if (skb->len < NLMSG_HDRLEN) {
4687 		err = -EINVAL;
4688 		goto out;
4689 	}
4690 	nlh = nlmsg_hdr(skb);
4691 
4692 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4693 	if (err) {
4694 		if (err == -EINVAL) {
4695 			audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4696 				  "SELinux:  unrecognized netlink message"
4697 				  " type=%hu for sclass=%hu\n",
4698 				  nlh->nlmsg_type, sksec->sclass);
4699 			if (!selinux_enforcing || security_get_allow_unknown())
4700 				err = 0;
4701 		}
4702 
4703 		/* Ignore */
4704 		if (err == -ENOENT)
4705 			err = 0;
4706 		goto out;
4707 	}
4708 
4709 	err = sock_has_perm(current, sk, perm);
4710 out:
4711 	return err;
4712 }
4713 
4714 #ifdef CONFIG_NETFILTER
4715 
4716 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4717 				       u16 family)
4718 {
4719 	int err;
4720 	char *addrp;
4721 	u32 peer_sid;
4722 	struct common_audit_data ad;
4723 	struct lsm_network_audit net = {0,};
4724 	u8 secmark_active;
4725 	u8 netlbl_active;
4726 	u8 peerlbl_active;
4727 
4728 	if (!selinux_policycap_netpeer)
4729 		return NF_ACCEPT;
4730 
4731 	secmark_active = selinux_secmark_enabled();
4732 	netlbl_active = netlbl_enabled();
4733 	peerlbl_active = selinux_peerlbl_enabled();
4734 	if (!secmark_active && !peerlbl_active)
4735 		return NF_ACCEPT;
4736 
4737 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4738 		return NF_DROP;
4739 
4740 	ad.type = LSM_AUDIT_DATA_NET;
4741 	ad.u.net = &net;
4742 	ad.u.net->netif = ifindex;
4743 	ad.u.net->family = family;
4744 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4745 		return NF_DROP;
4746 
4747 	if (peerlbl_active) {
4748 		err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4749 					       peer_sid, &ad);
4750 		if (err) {
4751 			selinux_netlbl_err(skb, err, 1);
4752 			return NF_DROP;
4753 		}
4754 	}
4755 
4756 	if (secmark_active)
4757 		if (avc_has_perm(peer_sid, skb->secmark,
4758 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4759 			return NF_DROP;
4760 
4761 	if (netlbl_active)
4762 		/* we do this in the FORWARD path and not the POST_ROUTING
4763 		 * path because we want to make sure we apply the necessary
4764 		 * labeling before IPsec is applied so we can leverage AH
4765 		 * protection */
4766 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4767 			return NF_DROP;
4768 
4769 	return NF_ACCEPT;
4770 }
4771 
4772 static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4773 					 struct sk_buff *skb,
4774 					 const struct net_device *in,
4775 					 const struct net_device *out,
4776 					 int (*okfn)(struct sk_buff *))
4777 {
4778 	return selinux_ip_forward(skb, in->ifindex, PF_INET);
4779 }
4780 
4781 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4782 static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4783 					 struct sk_buff *skb,
4784 					 const struct net_device *in,
4785 					 const struct net_device *out,
4786 					 int (*okfn)(struct sk_buff *))
4787 {
4788 	return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4789 }
4790 #endif	/* IPV6 */
4791 
4792 static unsigned int selinux_ip_output(struct sk_buff *skb,
4793 				      u16 family)
4794 {
4795 	struct sock *sk;
4796 	u32 sid;
4797 
4798 	if (!netlbl_enabled())
4799 		return NF_ACCEPT;
4800 
4801 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4802 	 * because we want to make sure we apply the necessary labeling
4803 	 * before IPsec is applied so we can leverage AH protection */
4804 	sk = skb->sk;
4805 	if (sk) {
4806 		struct sk_security_struct *sksec;
4807 
4808 		if (sk->sk_state == TCP_LISTEN)
4809 			/* if the socket is the listening state then this
4810 			 * packet is a SYN-ACK packet which means it needs to
4811 			 * be labeled based on the connection/request_sock and
4812 			 * not the parent socket.  unfortunately, we can't
4813 			 * lookup the request_sock yet as it isn't queued on
4814 			 * the parent socket until after the SYN-ACK is sent.
4815 			 * the "solution" is to simply pass the packet as-is
4816 			 * as any IP option based labeling should be copied
4817 			 * from the initial connection request (in the IP
4818 			 * layer).  it is far from ideal, but until we get a
4819 			 * security label in the packet itself this is the
4820 			 * best we can do. */
4821 			return NF_ACCEPT;
4822 
4823 		/* standard practice, label using the parent socket */
4824 		sksec = sk->sk_security;
4825 		sid = sksec->sid;
4826 	} else
4827 		sid = SECINITSID_KERNEL;
4828 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4829 		return NF_DROP;
4830 
4831 	return NF_ACCEPT;
4832 }
4833 
4834 static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4835 					struct sk_buff *skb,
4836 					const struct net_device *in,
4837 					const struct net_device *out,
4838 					int (*okfn)(struct sk_buff *))
4839 {
4840 	return selinux_ip_output(skb, PF_INET);
4841 }
4842 
4843 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4844 						int ifindex,
4845 						u16 family)
4846 {
4847 	struct sock *sk = skb->sk;
4848 	struct sk_security_struct *sksec;
4849 	struct common_audit_data ad;
4850 	struct lsm_network_audit net = {0,};
4851 	char *addrp;
4852 	u8 proto;
4853 
4854 	if (sk == NULL)
4855 		return NF_ACCEPT;
4856 	sksec = sk->sk_security;
4857 
4858 	ad.type = LSM_AUDIT_DATA_NET;
4859 	ad.u.net = &net;
4860 	ad.u.net->netif = ifindex;
4861 	ad.u.net->family = family;
4862 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4863 		return NF_DROP;
4864 
4865 	if (selinux_secmark_enabled())
4866 		if (avc_has_perm(sksec->sid, skb->secmark,
4867 				 SECCLASS_PACKET, PACKET__SEND, &ad))
4868 			return NF_DROP_ERR(-ECONNREFUSED);
4869 
4870 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4871 		return NF_DROP_ERR(-ECONNREFUSED);
4872 
4873 	return NF_ACCEPT;
4874 }
4875 
4876 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4877 					 u16 family)
4878 {
4879 	u32 secmark_perm;
4880 	u32 peer_sid;
4881 	struct sock *sk;
4882 	struct common_audit_data ad;
4883 	struct lsm_network_audit net = {0,};
4884 	char *addrp;
4885 	u8 secmark_active;
4886 	u8 peerlbl_active;
4887 
4888 	/* If any sort of compatibility mode is enabled then handoff processing
4889 	 * to the selinux_ip_postroute_compat() function to deal with the
4890 	 * special handling.  We do this in an attempt to keep this function
4891 	 * as fast and as clean as possible. */
4892 	if (!selinux_policycap_netpeer)
4893 		return selinux_ip_postroute_compat(skb, ifindex, family);
4894 
4895 	secmark_active = selinux_secmark_enabled();
4896 	peerlbl_active = selinux_peerlbl_enabled();
4897 	if (!secmark_active && !peerlbl_active)
4898 		return NF_ACCEPT;
4899 
4900 	sk = skb->sk;
4901 
4902 #ifdef CONFIG_XFRM
4903 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4904 	 * packet transformation so allow the packet to pass without any checks
4905 	 * since we'll have another chance to perform access control checks
4906 	 * when the packet is on it's final way out.
4907 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4908 	 *       is NULL, in this case go ahead and apply access control.
4909 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4910 	 *       TCP listening state we cannot wait until the XFRM processing
4911 	 *       is done as we will miss out on the SA label if we do;
4912 	 *       unfortunately, this means more work, but it is only once per
4913 	 *       connection. */
4914 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4915 	    !(sk != NULL && sk->sk_state == TCP_LISTEN))
4916 		return NF_ACCEPT;
4917 #endif
4918 
4919 	if (sk == NULL) {
4920 		/* Without an associated socket the packet is either coming
4921 		 * from the kernel or it is being forwarded; check the packet
4922 		 * to determine which and if the packet is being forwarded
4923 		 * query the packet directly to determine the security label. */
4924 		if (skb->skb_iif) {
4925 			secmark_perm = PACKET__FORWARD_OUT;
4926 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4927 				return NF_DROP;
4928 		} else {
4929 			secmark_perm = PACKET__SEND;
4930 			peer_sid = SECINITSID_KERNEL;
4931 		}
4932 	} else if (sk->sk_state == TCP_LISTEN) {
4933 		/* Locally generated packet but the associated socket is in the
4934 		 * listening state which means this is a SYN-ACK packet.  In
4935 		 * this particular case the correct security label is assigned
4936 		 * to the connection/request_sock but unfortunately we can't
4937 		 * query the request_sock as it isn't queued on the parent
4938 		 * socket until after the SYN-ACK packet is sent; the only
4939 		 * viable choice is to regenerate the label like we do in
4940 		 * selinux_inet_conn_request().  See also selinux_ip_output()
4941 		 * for similar problems. */
4942 		u32 skb_sid;
4943 		struct sk_security_struct *sksec = sk->sk_security;
4944 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4945 			return NF_DROP;
4946 		/* At this point, if the returned skb peerlbl is SECSID_NULL
4947 		 * and the packet has been through at least one XFRM
4948 		 * transformation then we must be dealing with the "final"
4949 		 * form of labeled IPsec packet; since we've already applied
4950 		 * all of our access controls on this packet we can safely
4951 		 * pass the packet. */
4952 		if (skb_sid == SECSID_NULL) {
4953 			switch (family) {
4954 			case PF_INET:
4955 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4956 					return NF_ACCEPT;
4957 				break;
4958 			case PF_INET6:
4959 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4960 					return NF_ACCEPT;
4961 			default:
4962 				return NF_DROP_ERR(-ECONNREFUSED);
4963 			}
4964 		}
4965 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
4966 			return NF_DROP;
4967 		secmark_perm = PACKET__SEND;
4968 	} else {
4969 		/* Locally generated packet, fetch the security label from the
4970 		 * associated socket. */
4971 		struct sk_security_struct *sksec = sk->sk_security;
4972 		peer_sid = sksec->sid;
4973 		secmark_perm = PACKET__SEND;
4974 	}
4975 
4976 	ad.type = LSM_AUDIT_DATA_NET;
4977 	ad.u.net = &net;
4978 	ad.u.net->netif = ifindex;
4979 	ad.u.net->family = family;
4980 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4981 		return NF_DROP;
4982 
4983 	if (secmark_active)
4984 		if (avc_has_perm(peer_sid, skb->secmark,
4985 				 SECCLASS_PACKET, secmark_perm, &ad))
4986 			return NF_DROP_ERR(-ECONNREFUSED);
4987 
4988 	if (peerlbl_active) {
4989 		u32 if_sid;
4990 		u32 node_sid;
4991 
4992 		if (sel_netif_sid(ifindex, &if_sid))
4993 			return NF_DROP;
4994 		if (avc_has_perm(peer_sid, if_sid,
4995 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4996 			return NF_DROP_ERR(-ECONNREFUSED);
4997 
4998 		if (sel_netnode_sid(addrp, family, &node_sid))
4999 			return NF_DROP;
5000 		if (avc_has_perm(peer_sid, node_sid,
5001 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5002 			return NF_DROP_ERR(-ECONNREFUSED);
5003 	}
5004 
5005 	return NF_ACCEPT;
5006 }
5007 
5008 static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5009 					   struct sk_buff *skb,
5010 					   const struct net_device *in,
5011 					   const struct net_device *out,
5012 					   int (*okfn)(struct sk_buff *))
5013 {
5014 	return selinux_ip_postroute(skb, out->ifindex, PF_INET);
5015 }
5016 
5017 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5018 static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5019 					   struct sk_buff *skb,
5020 					   const struct net_device *in,
5021 					   const struct net_device *out,
5022 					   int (*okfn)(struct sk_buff *))
5023 {
5024 	return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
5025 }
5026 #endif	/* IPV6 */
5027 
5028 #endif	/* CONFIG_NETFILTER */
5029 
5030 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5031 {
5032 	int err;
5033 
5034 	err = cap_netlink_send(sk, skb);
5035 	if (err)
5036 		return err;
5037 
5038 	return selinux_nlmsg_perm(sk, skb);
5039 }
5040 
5041 static int ipc_alloc_security(struct task_struct *task,
5042 			      struct kern_ipc_perm *perm,
5043 			      u16 sclass)
5044 {
5045 	struct ipc_security_struct *isec;
5046 	u32 sid;
5047 
5048 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5049 	if (!isec)
5050 		return -ENOMEM;
5051 
5052 	sid = task_sid(task);
5053 	isec->sclass = sclass;
5054 	isec->sid = sid;
5055 	perm->security = isec;
5056 
5057 	return 0;
5058 }
5059 
5060 static void ipc_free_security(struct kern_ipc_perm *perm)
5061 {
5062 	struct ipc_security_struct *isec = perm->security;
5063 	perm->security = NULL;
5064 	kfree(isec);
5065 }
5066 
5067 static int msg_msg_alloc_security(struct msg_msg *msg)
5068 {
5069 	struct msg_security_struct *msec;
5070 
5071 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5072 	if (!msec)
5073 		return -ENOMEM;
5074 
5075 	msec->sid = SECINITSID_UNLABELED;
5076 	msg->security = msec;
5077 
5078 	return 0;
5079 }
5080 
5081 static void msg_msg_free_security(struct msg_msg *msg)
5082 {
5083 	struct msg_security_struct *msec = msg->security;
5084 
5085 	msg->security = NULL;
5086 	kfree(msec);
5087 }
5088 
5089 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5090 			u32 perms)
5091 {
5092 	struct ipc_security_struct *isec;
5093 	struct common_audit_data ad;
5094 	u32 sid = current_sid();
5095 
5096 	isec = ipc_perms->security;
5097 
5098 	ad.type = LSM_AUDIT_DATA_IPC;
5099 	ad.u.ipc_id = ipc_perms->key;
5100 
5101 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5102 }
5103 
5104 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5105 {
5106 	return msg_msg_alloc_security(msg);
5107 }
5108 
5109 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5110 {
5111 	msg_msg_free_security(msg);
5112 }
5113 
5114 /* message queue security operations */
5115 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5116 {
5117 	struct ipc_security_struct *isec;
5118 	struct common_audit_data ad;
5119 	u32 sid = current_sid();
5120 	int rc;
5121 
5122 	rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5123 	if (rc)
5124 		return rc;
5125 
5126 	isec = msq->q_perm.security;
5127 
5128 	ad.type = LSM_AUDIT_DATA_IPC;
5129 	ad.u.ipc_id = msq->q_perm.key;
5130 
5131 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5132 			  MSGQ__CREATE, &ad);
5133 	if (rc) {
5134 		ipc_free_security(&msq->q_perm);
5135 		return rc;
5136 	}
5137 	return 0;
5138 }
5139 
5140 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5141 {
5142 	ipc_free_security(&msq->q_perm);
5143 }
5144 
5145 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5146 {
5147 	struct ipc_security_struct *isec;
5148 	struct common_audit_data ad;
5149 	u32 sid = current_sid();
5150 
5151 	isec = msq->q_perm.security;
5152 
5153 	ad.type = LSM_AUDIT_DATA_IPC;
5154 	ad.u.ipc_id = msq->q_perm.key;
5155 
5156 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5157 			    MSGQ__ASSOCIATE, &ad);
5158 }
5159 
5160 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5161 {
5162 	int err;
5163 	int perms;
5164 
5165 	switch (cmd) {
5166 	case IPC_INFO:
5167 	case MSG_INFO:
5168 		/* No specific object, just general system-wide information. */
5169 		return task_has_system(current, SYSTEM__IPC_INFO);
5170 	case IPC_STAT:
5171 	case MSG_STAT:
5172 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5173 		break;
5174 	case IPC_SET:
5175 		perms = MSGQ__SETATTR;
5176 		break;
5177 	case IPC_RMID:
5178 		perms = MSGQ__DESTROY;
5179 		break;
5180 	default:
5181 		return 0;
5182 	}
5183 
5184 	err = ipc_has_perm(&msq->q_perm, perms);
5185 	return err;
5186 }
5187 
5188 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5189 {
5190 	struct ipc_security_struct *isec;
5191 	struct msg_security_struct *msec;
5192 	struct common_audit_data ad;
5193 	u32 sid = current_sid();
5194 	int rc;
5195 
5196 	isec = msq->q_perm.security;
5197 	msec = msg->security;
5198 
5199 	/*
5200 	 * First time through, need to assign label to the message
5201 	 */
5202 	if (msec->sid == SECINITSID_UNLABELED) {
5203 		/*
5204 		 * Compute new sid based on current process and
5205 		 * message queue this message will be stored in
5206 		 */
5207 		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5208 					     NULL, &msec->sid);
5209 		if (rc)
5210 			return rc;
5211 	}
5212 
5213 	ad.type = LSM_AUDIT_DATA_IPC;
5214 	ad.u.ipc_id = msq->q_perm.key;
5215 
5216 	/* Can this process write to the queue? */
5217 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5218 			  MSGQ__WRITE, &ad);
5219 	if (!rc)
5220 		/* Can this process send the message */
5221 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5222 				  MSG__SEND, &ad);
5223 	if (!rc)
5224 		/* Can the message be put in the queue? */
5225 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5226 				  MSGQ__ENQUEUE, &ad);
5227 
5228 	return rc;
5229 }
5230 
5231 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5232 				    struct task_struct *target,
5233 				    long type, int mode)
5234 {
5235 	struct ipc_security_struct *isec;
5236 	struct msg_security_struct *msec;
5237 	struct common_audit_data ad;
5238 	u32 sid = task_sid(target);
5239 	int rc;
5240 
5241 	isec = msq->q_perm.security;
5242 	msec = msg->security;
5243 
5244 	ad.type = LSM_AUDIT_DATA_IPC;
5245 	ad.u.ipc_id = msq->q_perm.key;
5246 
5247 	rc = avc_has_perm(sid, isec->sid,
5248 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
5249 	if (!rc)
5250 		rc = avc_has_perm(sid, msec->sid,
5251 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
5252 	return rc;
5253 }
5254 
5255 /* Shared Memory security operations */
5256 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5257 {
5258 	struct ipc_security_struct *isec;
5259 	struct common_audit_data ad;
5260 	u32 sid = current_sid();
5261 	int rc;
5262 
5263 	rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5264 	if (rc)
5265 		return rc;
5266 
5267 	isec = shp->shm_perm.security;
5268 
5269 	ad.type = LSM_AUDIT_DATA_IPC;
5270 	ad.u.ipc_id = shp->shm_perm.key;
5271 
5272 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5273 			  SHM__CREATE, &ad);
5274 	if (rc) {
5275 		ipc_free_security(&shp->shm_perm);
5276 		return rc;
5277 	}
5278 	return 0;
5279 }
5280 
5281 static void selinux_shm_free_security(struct shmid_kernel *shp)
5282 {
5283 	ipc_free_security(&shp->shm_perm);
5284 }
5285 
5286 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5287 {
5288 	struct ipc_security_struct *isec;
5289 	struct common_audit_data ad;
5290 	u32 sid = current_sid();
5291 
5292 	isec = shp->shm_perm.security;
5293 
5294 	ad.type = LSM_AUDIT_DATA_IPC;
5295 	ad.u.ipc_id = shp->shm_perm.key;
5296 
5297 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5298 			    SHM__ASSOCIATE, &ad);
5299 }
5300 
5301 /* Note, at this point, shp is locked down */
5302 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5303 {
5304 	int perms;
5305 	int err;
5306 
5307 	switch (cmd) {
5308 	case IPC_INFO:
5309 	case SHM_INFO:
5310 		/* No specific object, just general system-wide information. */
5311 		return task_has_system(current, SYSTEM__IPC_INFO);
5312 	case IPC_STAT:
5313 	case SHM_STAT:
5314 		perms = SHM__GETATTR | SHM__ASSOCIATE;
5315 		break;
5316 	case IPC_SET:
5317 		perms = SHM__SETATTR;
5318 		break;
5319 	case SHM_LOCK:
5320 	case SHM_UNLOCK:
5321 		perms = SHM__LOCK;
5322 		break;
5323 	case IPC_RMID:
5324 		perms = SHM__DESTROY;
5325 		break;
5326 	default:
5327 		return 0;
5328 	}
5329 
5330 	err = ipc_has_perm(&shp->shm_perm, perms);
5331 	return err;
5332 }
5333 
5334 static int selinux_shm_shmat(struct shmid_kernel *shp,
5335 			     char __user *shmaddr, int shmflg)
5336 {
5337 	u32 perms;
5338 
5339 	if (shmflg & SHM_RDONLY)
5340 		perms = SHM__READ;
5341 	else
5342 		perms = SHM__READ | SHM__WRITE;
5343 
5344 	return ipc_has_perm(&shp->shm_perm, perms);
5345 }
5346 
5347 /* Semaphore security operations */
5348 static int selinux_sem_alloc_security(struct sem_array *sma)
5349 {
5350 	struct ipc_security_struct *isec;
5351 	struct common_audit_data ad;
5352 	u32 sid = current_sid();
5353 	int rc;
5354 
5355 	rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5356 	if (rc)
5357 		return rc;
5358 
5359 	isec = sma->sem_perm.security;
5360 
5361 	ad.type = LSM_AUDIT_DATA_IPC;
5362 	ad.u.ipc_id = sma->sem_perm.key;
5363 
5364 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5365 			  SEM__CREATE, &ad);
5366 	if (rc) {
5367 		ipc_free_security(&sma->sem_perm);
5368 		return rc;
5369 	}
5370 	return 0;
5371 }
5372 
5373 static void selinux_sem_free_security(struct sem_array *sma)
5374 {
5375 	ipc_free_security(&sma->sem_perm);
5376 }
5377 
5378 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5379 {
5380 	struct ipc_security_struct *isec;
5381 	struct common_audit_data ad;
5382 	u32 sid = current_sid();
5383 
5384 	isec = sma->sem_perm.security;
5385 
5386 	ad.type = LSM_AUDIT_DATA_IPC;
5387 	ad.u.ipc_id = sma->sem_perm.key;
5388 
5389 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5390 			    SEM__ASSOCIATE, &ad);
5391 }
5392 
5393 /* Note, at this point, sma is locked down */
5394 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5395 {
5396 	int err;
5397 	u32 perms;
5398 
5399 	switch (cmd) {
5400 	case IPC_INFO:
5401 	case SEM_INFO:
5402 		/* No specific object, just general system-wide information. */
5403 		return task_has_system(current, SYSTEM__IPC_INFO);
5404 	case GETPID:
5405 	case GETNCNT:
5406 	case GETZCNT:
5407 		perms = SEM__GETATTR;
5408 		break;
5409 	case GETVAL:
5410 	case GETALL:
5411 		perms = SEM__READ;
5412 		break;
5413 	case SETVAL:
5414 	case SETALL:
5415 		perms = SEM__WRITE;
5416 		break;
5417 	case IPC_RMID:
5418 		perms = SEM__DESTROY;
5419 		break;
5420 	case IPC_SET:
5421 		perms = SEM__SETATTR;
5422 		break;
5423 	case IPC_STAT:
5424 	case SEM_STAT:
5425 		perms = SEM__GETATTR | SEM__ASSOCIATE;
5426 		break;
5427 	default:
5428 		return 0;
5429 	}
5430 
5431 	err = ipc_has_perm(&sma->sem_perm, perms);
5432 	return err;
5433 }
5434 
5435 static int selinux_sem_semop(struct sem_array *sma,
5436 			     struct sembuf *sops, unsigned nsops, int alter)
5437 {
5438 	u32 perms;
5439 
5440 	if (alter)
5441 		perms = SEM__READ | SEM__WRITE;
5442 	else
5443 		perms = SEM__READ;
5444 
5445 	return ipc_has_perm(&sma->sem_perm, perms);
5446 }
5447 
5448 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5449 {
5450 	u32 av = 0;
5451 
5452 	av = 0;
5453 	if (flag & S_IRUGO)
5454 		av |= IPC__UNIX_READ;
5455 	if (flag & S_IWUGO)
5456 		av |= IPC__UNIX_WRITE;
5457 
5458 	if (av == 0)
5459 		return 0;
5460 
5461 	return ipc_has_perm(ipcp, av);
5462 }
5463 
5464 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5465 {
5466 	struct ipc_security_struct *isec = ipcp->security;
5467 	*secid = isec->sid;
5468 }
5469 
5470 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5471 {
5472 	if (inode)
5473 		inode_doinit_with_dentry(inode, dentry);
5474 }
5475 
5476 static int selinux_getprocattr(struct task_struct *p,
5477 			       char *name, char **value)
5478 {
5479 	const struct task_security_struct *__tsec;
5480 	u32 sid;
5481 	int error;
5482 	unsigned len;
5483 
5484 	if (current != p) {
5485 		error = current_has_perm(p, PROCESS__GETATTR);
5486 		if (error)
5487 			return error;
5488 	}
5489 
5490 	rcu_read_lock();
5491 	__tsec = __task_cred(p)->security;
5492 
5493 	if (!strcmp(name, "current"))
5494 		sid = __tsec->sid;
5495 	else if (!strcmp(name, "prev"))
5496 		sid = __tsec->osid;
5497 	else if (!strcmp(name, "exec"))
5498 		sid = __tsec->exec_sid;
5499 	else if (!strcmp(name, "fscreate"))
5500 		sid = __tsec->create_sid;
5501 	else if (!strcmp(name, "keycreate"))
5502 		sid = __tsec->keycreate_sid;
5503 	else if (!strcmp(name, "sockcreate"))
5504 		sid = __tsec->sockcreate_sid;
5505 	else
5506 		goto invalid;
5507 	rcu_read_unlock();
5508 
5509 	if (!sid)
5510 		return 0;
5511 
5512 	error = security_sid_to_context(sid, value, &len);
5513 	if (error)
5514 		return error;
5515 	return len;
5516 
5517 invalid:
5518 	rcu_read_unlock();
5519 	return -EINVAL;
5520 }
5521 
5522 static int selinux_setprocattr(struct task_struct *p,
5523 			       char *name, void *value, size_t size)
5524 {
5525 	struct task_security_struct *tsec;
5526 	struct task_struct *tracer;
5527 	struct cred *new;
5528 	u32 sid = 0, ptsid;
5529 	int error;
5530 	char *str = value;
5531 
5532 	if (current != p) {
5533 		/* SELinux only allows a process to change its own
5534 		   security attributes. */
5535 		return -EACCES;
5536 	}
5537 
5538 	/*
5539 	 * Basic control over ability to set these attributes at all.
5540 	 * current == p, but we'll pass them separately in case the
5541 	 * above restriction is ever removed.
5542 	 */
5543 	if (!strcmp(name, "exec"))
5544 		error = current_has_perm(p, PROCESS__SETEXEC);
5545 	else if (!strcmp(name, "fscreate"))
5546 		error = current_has_perm(p, PROCESS__SETFSCREATE);
5547 	else if (!strcmp(name, "keycreate"))
5548 		error = current_has_perm(p, PROCESS__SETKEYCREATE);
5549 	else if (!strcmp(name, "sockcreate"))
5550 		error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5551 	else if (!strcmp(name, "current"))
5552 		error = current_has_perm(p, PROCESS__SETCURRENT);
5553 	else
5554 		error = -EINVAL;
5555 	if (error)
5556 		return error;
5557 
5558 	/* Obtain a SID for the context, if one was specified. */
5559 	if (size && str[1] && str[1] != '\n') {
5560 		if (str[size-1] == '\n') {
5561 			str[size-1] = 0;
5562 			size--;
5563 		}
5564 		error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5565 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5566 			if (!capable(CAP_MAC_ADMIN)) {
5567 				struct audit_buffer *ab;
5568 				size_t audit_size;
5569 
5570 				/* We strip a nul only if it is at the end, otherwise the
5571 				 * context contains a nul and we should audit that */
5572 				if (str[size - 1] == '\0')
5573 					audit_size = size - 1;
5574 				else
5575 					audit_size = size;
5576 				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5577 				audit_log_format(ab, "op=fscreate invalid_context=");
5578 				audit_log_n_untrustedstring(ab, value, audit_size);
5579 				audit_log_end(ab);
5580 
5581 				return error;
5582 			}
5583 			error = security_context_to_sid_force(value, size,
5584 							      &sid);
5585 		}
5586 		if (error)
5587 			return error;
5588 	}
5589 
5590 	new = prepare_creds();
5591 	if (!new)
5592 		return -ENOMEM;
5593 
5594 	/* Permission checking based on the specified context is
5595 	   performed during the actual operation (execve,
5596 	   open/mkdir/...), when we know the full context of the
5597 	   operation.  See selinux_bprm_set_creds for the execve
5598 	   checks and may_create for the file creation checks. The
5599 	   operation will then fail if the context is not permitted. */
5600 	tsec = new->security;
5601 	if (!strcmp(name, "exec")) {
5602 		tsec->exec_sid = sid;
5603 	} else if (!strcmp(name, "fscreate")) {
5604 		tsec->create_sid = sid;
5605 	} else if (!strcmp(name, "keycreate")) {
5606 		error = may_create_key(sid, p);
5607 		if (error)
5608 			goto abort_change;
5609 		tsec->keycreate_sid = sid;
5610 	} else if (!strcmp(name, "sockcreate")) {
5611 		tsec->sockcreate_sid = sid;
5612 	} else if (!strcmp(name, "current")) {
5613 		error = -EINVAL;
5614 		if (sid == 0)
5615 			goto abort_change;
5616 
5617 		/* Only allow single threaded processes to change context */
5618 		error = -EPERM;
5619 		if (!current_is_single_threaded()) {
5620 			error = security_bounded_transition(tsec->sid, sid);
5621 			if (error)
5622 				goto abort_change;
5623 		}
5624 
5625 		/* Check permissions for the transition. */
5626 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5627 				     PROCESS__DYNTRANSITION, NULL);
5628 		if (error)
5629 			goto abort_change;
5630 
5631 		/* Check for ptracing, and update the task SID if ok.
5632 		   Otherwise, leave SID unchanged and fail. */
5633 		ptsid = 0;
5634 		rcu_read_lock();
5635 		tracer = ptrace_parent(p);
5636 		if (tracer)
5637 			ptsid = task_sid(tracer);
5638 		rcu_read_unlock();
5639 
5640 		if (tracer) {
5641 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5642 					     PROCESS__PTRACE, NULL);
5643 			if (error)
5644 				goto abort_change;
5645 		}
5646 
5647 		tsec->sid = sid;
5648 	} else {
5649 		error = -EINVAL;
5650 		goto abort_change;
5651 	}
5652 
5653 	commit_creds(new);
5654 	return size;
5655 
5656 abort_change:
5657 	abort_creds(new);
5658 	return error;
5659 }
5660 
5661 static int selinux_ismaclabel(const char *name)
5662 {
5663 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5664 }
5665 
5666 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5667 {
5668 	return security_sid_to_context(secid, secdata, seclen);
5669 }
5670 
5671 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5672 {
5673 	return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5674 }
5675 
5676 static void selinux_release_secctx(char *secdata, u32 seclen)
5677 {
5678 	kfree(secdata);
5679 }
5680 
5681 /*
5682  *	called with inode->i_mutex locked
5683  */
5684 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5685 {
5686 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5687 }
5688 
5689 /*
5690  *	called with inode->i_mutex locked
5691  */
5692 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5693 {
5694 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5695 }
5696 
5697 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5698 {
5699 	int len = 0;
5700 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5701 						ctx, true);
5702 	if (len < 0)
5703 		return len;
5704 	*ctxlen = len;
5705 	return 0;
5706 }
5707 #ifdef CONFIG_KEYS
5708 
5709 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5710 			     unsigned long flags)
5711 {
5712 	const struct task_security_struct *tsec;
5713 	struct key_security_struct *ksec;
5714 
5715 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5716 	if (!ksec)
5717 		return -ENOMEM;
5718 
5719 	tsec = cred->security;
5720 	if (tsec->keycreate_sid)
5721 		ksec->sid = tsec->keycreate_sid;
5722 	else
5723 		ksec->sid = tsec->sid;
5724 
5725 	k->security = ksec;
5726 	return 0;
5727 }
5728 
5729 static void selinux_key_free(struct key *k)
5730 {
5731 	struct key_security_struct *ksec = k->security;
5732 
5733 	k->security = NULL;
5734 	kfree(ksec);
5735 }
5736 
5737 static int selinux_key_permission(key_ref_t key_ref,
5738 				  const struct cred *cred,
5739 				  key_perm_t perm)
5740 {
5741 	struct key *key;
5742 	struct key_security_struct *ksec;
5743 	u32 sid;
5744 
5745 	/* if no specific permissions are requested, we skip the
5746 	   permission check. No serious, additional covert channels
5747 	   appear to be created. */
5748 	if (perm == 0)
5749 		return 0;
5750 
5751 	sid = cred_sid(cred);
5752 
5753 	key = key_ref_to_ptr(key_ref);
5754 	ksec = key->security;
5755 
5756 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5757 }
5758 
5759 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5760 {
5761 	struct key_security_struct *ksec = key->security;
5762 	char *context = NULL;
5763 	unsigned len;
5764 	int rc;
5765 
5766 	rc = security_sid_to_context(ksec->sid, &context, &len);
5767 	if (!rc)
5768 		rc = len;
5769 	*_buffer = context;
5770 	return rc;
5771 }
5772 
5773 #endif
5774 
5775 static struct security_operations selinux_ops = {
5776 	.name =				"selinux",
5777 
5778 	.ptrace_access_check =		selinux_ptrace_access_check,
5779 	.ptrace_traceme =		selinux_ptrace_traceme,
5780 	.capget =			selinux_capget,
5781 	.capset =			selinux_capset,
5782 	.capable =			selinux_capable,
5783 	.quotactl =			selinux_quotactl,
5784 	.quota_on =			selinux_quota_on,
5785 	.syslog =			selinux_syslog,
5786 	.vm_enough_memory =		selinux_vm_enough_memory,
5787 
5788 	.netlink_send =			selinux_netlink_send,
5789 
5790 	.bprm_set_creds =		selinux_bprm_set_creds,
5791 	.bprm_committing_creds =	selinux_bprm_committing_creds,
5792 	.bprm_committed_creds =		selinux_bprm_committed_creds,
5793 	.bprm_secureexec =		selinux_bprm_secureexec,
5794 
5795 	.sb_alloc_security =		selinux_sb_alloc_security,
5796 	.sb_free_security =		selinux_sb_free_security,
5797 	.sb_copy_data =			selinux_sb_copy_data,
5798 	.sb_remount =			selinux_sb_remount,
5799 	.sb_kern_mount =		selinux_sb_kern_mount,
5800 	.sb_show_options =		selinux_sb_show_options,
5801 	.sb_statfs =			selinux_sb_statfs,
5802 	.sb_mount =			selinux_mount,
5803 	.sb_umount =			selinux_umount,
5804 	.sb_set_mnt_opts =		selinux_set_mnt_opts,
5805 	.sb_clone_mnt_opts =		selinux_sb_clone_mnt_opts,
5806 	.sb_parse_opts_str = 		selinux_parse_opts_str,
5807 
5808 	.dentry_init_security =		selinux_dentry_init_security,
5809 
5810 	.inode_alloc_security =		selinux_inode_alloc_security,
5811 	.inode_free_security =		selinux_inode_free_security,
5812 	.inode_init_security =		selinux_inode_init_security,
5813 	.inode_create =			selinux_inode_create,
5814 	.inode_link =			selinux_inode_link,
5815 	.inode_unlink =			selinux_inode_unlink,
5816 	.inode_symlink =		selinux_inode_symlink,
5817 	.inode_mkdir =			selinux_inode_mkdir,
5818 	.inode_rmdir =			selinux_inode_rmdir,
5819 	.inode_mknod =			selinux_inode_mknod,
5820 	.inode_rename =			selinux_inode_rename,
5821 	.inode_readlink =		selinux_inode_readlink,
5822 	.inode_follow_link =		selinux_inode_follow_link,
5823 	.inode_permission =		selinux_inode_permission,
5824 	.inode_setattr =		selinux_inode_setattr,
5825 	.inode_getattr =		selinux_inode_getattr,
5826 	.inode_setxattr =		selinux_inode_setxattr,
5827 	.inode_post_setxattr =		selinux_inode_post_setxattr,
5828 	.inode_getxattr =		selinux_inode_getxattr,
5829 	.inode_listxattr =		selinux_inode_listxattr,
5830 	.inode_removexattr =		selinux_inode_removexattr,
5831 	.inode_getsecurity =		selinux_inode_getsecurity,
5832 	.inode_setsecurity =		selinux_inode_setsecurity,
5833 	.inode_listsecurity =		selinux_inode_listsecurity,
5834 	.inode_getsecid =		selinux_inode_getsecid,
5835 
5836 	.file_permission =		selinux_file_permission,
5837 	.file_alloc_security =		selinux_file_alloc_security,
5838 	.file_free_security =		selinux_file_free_security,
5839 	.file_ioctl =			selinux_file_ioctl,
5840 	.mmap_file =			selinux_mmap_file,
5841 	.mmap_addr =			selinux_mmap_addr,
5842 	.file_mprotect =		selinux_file_mprotect,
5843 	.file_lock =			selinux_file_lock,
5844 	.file_fcntl =			selinux_file_fcntl,
5845 	.file_set_fowner =		selinux_file_set_fowner,
5846 	.file_send_sigiotask =		selinux_file_send_sigiotask,
5847 	.file_receive =			selinux_file_receive,
5848 
5849 	.file_open =			selinux_file_open,
5850 
5851 	.task_create =			selinux_task_create,
5852 	.cred_alloc_blank =		selinux_cred_alloc_blank,
5853 	.cred_free =			selinux_cred_free,
5854 	.cred_prepare =			selinux_cred_prepare,
5855 	.cred_transfer =		selinux_cred_transfer,
5856 	.kernel_act_as =		selinux_kernel_act_as,
5857 	.kernel_create_files_as =	selinux_kernel_create_files_as,
5858 	.kernel_module_request =	selinux_kernel_module_request,
5859 	.task_setpgid =			selinux_task_setpgid,
5860 	.task_getpgid =			selinux_task_getpgid,
5861 	.task_getsid =			selinux_task_getsid,
5862 	.task_getsecid =		selinux_task_getsecid,
5863 	.task_setnice =			selinux_task_setnice,
5864 	.task_setioprio =		selinux_task_setioprio,
5865 	.task_getioprio =		selinux_task_getioprio,
5866 	.task_setrlimit =		selinux_task_setrlimit,
5867 	.task_setscheduler =		selinux_task_setscheduler,
5868 	.task_getscheduler =		selinux_task_getscheduler,
5869 	.task_movememory =		selinux_task_movememory,
5870 	.task_kill =			selinux_task_kill,
5871 	.task_wait =			selinux_task_wait,
5872 	.task_to_inode =		selinux_task_to_inode,
5873 
5874 	.ipc_permission =		selinux_ipc_permission,
5875 	.ipc_getsecid =			selinux_ipc_getsecid,
5876 
5877 	.msg_msg_alloc_security =	selinux_msg_msg_alloc_security,
5878 	.msg_msg_free_security =	selinux_msg_msg_free_security,
5879 
5880 	.msg_queue_alloc_security =	selinux_msg_queue_alloc_security,
5881 	.msg_queue_free_security =	selinux_msg_queue_free_security,
5882 	.msg_queue_associate =		selinux_msg_queue_associate,
5883 	.msg_queue_msgctl =		selinux_msg_queue_msgctl,
5884 	.msg_queue_msgsnd =		selinux_msg_queue_msgsnd,
5885 	.msg_queue_msgrcv =		selinux_msg_queue_msgrcv,
5886 
5887 	.shm_alloc_security =		selinux_shm_alloc_security,
5888 	.shm_free_security =		selinux_shm_free_security,
5889 	.shm_associate =		selinux_shm_associate,
5890 	.shm_shmctl =			selinux_shm_shmctl,
5891 	.shm_shmat =			selinux_shm_shmat,
5892 
5893 	.sem_alloc_security =		selinux_sem_alloc_security,
5894 	.sem_free_security =		selinux_sem_free_security,
5895 	.sem_associate =		selinux_sem_associate,
5896 	.sem_semctl =			selinux_sem_semctl,
5897 	.sem_semop =			selinux_sem_semop,
5898 
5899 	.d_instantiate =		selinux_d_instantiate,
5900 
5901 	.getprocattr =			selinux_getprocattr,
5902 	.setprocattr =			selinux_setprocattr,
5903 
5904 	.ismaclabel =			selinux_ismaclabel,
5905 	.secid_to_secctx =		selinux_secid_to_secctx,
5906 	.secctx_to_secid =		selinux_secctx_to_secid,
5907 	.release_secctx =		selinux_release_secctx,
5908 	.inode_notifysecctx =		selinux_inode_notifysecctx,
5909 	.inode_setsecctx =		selinux_inode_setsecctx,
5910 	.inode_getsecctx =		selinux_inode_getsecctx,
5911 
5912 	.unix_stream_connect =		selinux_socket_unix_stream_connect,
5913 	.unix_may_send =		selinux_socket_unix_may_send,
5914 
5915 	.socket_create =		selinux_socket_create,
5916 	.socket_post_create =		selinux_socket_post_create,
5917 	.socket_bind =			selinux_socket_bind,
5918 	.socket_connect =		selinux_socket_connect,
5919 	.socket_listen =		selinux_socket_listen,
5920 	.socket_accept =		selinux_socket_accept,
5921 	.socket_sendmsg =		selinux_socket_sendmsg,
5922 	.socket_recvmsg =		selinux_socket_recvmsg,
5923 	.socket_getsockname =		selinux_socket_getsockname,
5924 	.socket_getpeername =		selinux_socket_getpeername,
5925 	.socket_getsockopt =		selinux_socket_getsockopt,
5926 	.socket_setsockopt =		selinux_socket_setsockopt,
5927 	.socket_shutdown =		selinux_socket_shutdown,
5928 	.socket_sock_rcv_skb =		selinux_socket_sock_rcv_skb,
5929 	.socket_getpeersec_stream =	selinux_socket_getpeersec_stream,
5930 	.socket_getpeersec_dgram =	selinux_socket_getpeersec_dgram,
5931 	.sk_alloc_security =		selinux_sk_alloc_security,
5932 	.sk_free_security =		selinux_sk_free_security,
5933 	.sk_clone_security =		selinux_sk_clone_security,
5934 	.sk_getsecid =			selinux_sk_getsecid,
5935 	.sock_graft =			selinux_sock_graft,
5936 	.inet_conn_request =		selinux_inet_conn_request,
5937 	.inet_csk_clone =		selinux_inet_csk_clone,
5938 	.inet_conn_established =	selinux_inet_conn_established,
5939 	.secmark_relabel_packet =	selinux_secmark_relabel_packet,
5940 	.secmark_refcount_inc =		selinux_secmark_refcount_inc,
5941 	.secmark_refcount_dec =		selinux_secmark_refcount_dec,
5942 	.req_classify_flow =		selinux_req_classify_flow,
5943 	.tun_dev_alloc_security =	selinux_tun_dev_alloc_security,
5944 	.tun_dev_free_security =	selinux_tun_dev_free_security,
5945 	.tun_dev_create =		selinux_tun_dev_create,
5946 	.tun_dev_attach_queue =		selinux_tun_dev_attach_queue,
5947 	.tun_dev_attach =		selinux_tun_dev_attach,
5948 	.tun_dev_open =			selinux_tun_dev_open,
5949 	.skb_owned_by =			selinux_skb_owned_by,
5950 
5951 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5952 	.xfrm_policy_alloc_security =	selinux_xfrm_policy_alloc,
5953 	.xfrm_policy_clone_security =	selinux_xfrm_policy_clone,
5954 	.xfrm_policy_free_security =	selinux_xfrm_policy_free,
5955 	.xfrm_policy_delete_security =	selinux_xfrm_policy_delete,
5956 	.xfrm_state_alloc =		selinux_xfrm_state_alloc,
5957 	.xfrm_state_alloc_acquire =	selinux_xfrm_state_alloc_acquire,
5958 	.xfrm_state_free_security =	selinux_xfrm_state_free,
5959 	.xfrm_state_delete_security =	selinux_xfrm_state_delete,
5960 	.xfrm_policy_lookup =		selinux_xfrm_policy_lookup,
5961 	.xfrm_state_pol_flow_match =	selinux_xfrm_state_pol_flow_match,
5962 	.xfrm_decode_session =		selinux_xfrm_decode_session,
5963 #endif
5964 
5965 #ifdef CONFIG_KEYS
5966 	.key_alloc =			selinux_key_alloc,
5967 	.key_free =			selinux_key_free,
5968 	.key_permission =		selinux_key_permission,
5969 	.key_getsecurity =		selinux_key_getsecurity,
5970 #endif
5971 
5972 #ifdef CONFIG_AUDIT
5973 	.audit_rule_init =		selinux_audit_rule_init,
5974 	.audit_rule_known =		selinux_audit_rule_known,
5975 	.audit_rule_match =		selinux_audit_rule_match,
5976 	.audit_rule_free =		selinux_audit_rule_free,
5977 #endif
5978 };
5979 
5980 static __init int selinux_init(void)
5981 {
5982 	if (!security_module_enable(&selinux_ops)) {
5983 		selinux_enabled = 0;
5984 		return 0;
5985 	}
5986 
5987 	if (!selinux_enabled) {
5988 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5989 		return 0;
5990 	}
5991 
5992 	printk(KERN_INFO "SELinux:  Initializing.\n");
5993 
5994 	/* Set the security state for the initial task. */
5995 	cred_init_security();
5996 
5997 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5998 
5999 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
6000 					    sizeof(struct inode_security_struct),
6001 					    0, SLAB_PANIC, NULL);
6002 	avc_init();
6003 
6004 	if (register_security(&selinux_ops))
6005 		panic("SELinux: Unable to register with kernel.\n");
6006 
6007 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6008 		panic("SELinux: Unable to register AVC netcache callback\n");
6009 
6010 	if (selinux_enforcing)
6011 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6012 	else
6013 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6014 
6015 	return 0;
6016 }
6017 
6018 static void delayed_superblock_init(struct super_block *sb, void *unused)
6019 {
6020 	superblock_doinit(sb, NULL);
6021 }
6022 
6023 void selinux_complete_init(void)
6024 {
6025 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6026 
6027 	/* Set up any superblocks initialized prior to the policy load. */
6028 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6029 	iterate_supers(delayed_superblock_init, NULL);
6030 }
6031 
6032 /* SELinux requires early initialization in order to label
6033    all processes and objects when they are created. */
6034 security_initcall(selinux_init);
6035 
6036 #if defined(CONFIG_NETFILTER)
6037 
6038 static struct nf_hook_ops selinux_ipv4_ops[] = {
6039 	{
6040 		.hook =		selinux_ipv4_postroute,
6041 		.owner =	THIS_MODULE,
6042 		.pf =		NFPROTO_IPV4,
6043 		.hooknum =	NF_INET_POST_ROUTING,
6044 		.priority =	NF_IP_PRI_SELINUX_LAST,
6045 	},
6046 	{
6047 		.hook =		selinux_ipv4_forward,
6048 		.owner =	THIS_MODULE,
6049 		.pf =		NFPROTO_IPV4,
6050 		.hooknum =	NF_INET_FORWARD,
6051 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6052 	},
6053 	{
6054 		.hook =		selinux_ipv4_output,
6055 		.owner =	THIS_MODULE,
6056 		.pf =		NFPROTO_IPV4,
6057 		.hooknum =	NF_INET_LOCAL_OUT,
6058 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6059 	}
6060 };
6061 
6062 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6063 
6064 static struct nf_hook_ops selinux_ipv6_ops[] = {
6065 	{
6066 		.hook =		selinux_ipv6_postroute,
6067 		.owner =	THIS_MODULE,
6068 		.pf =		NFPROTO_IPV6,
6069 		.hooknum =	NF_INET_POST_ROUTING,
6070 		.priority =	NF_IP6_PRI_SELINUX_LAST,
6071 	},
6072 	{
6073 		.hook =		selinux_ipv6_forward,
6074 		.owner =	THIS_MODULE,
6075 		.pf =		NFPROTO_IPV6,
6076 		.hooknum =	NF_INET_FORWARD,
6077 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6078 	}
6079 };
6080 
6081 #endif	/* IPV6 */
6082 
6083 static int __init selinux_nf_ip_init(void)
6084 {
6085 	int err = 0;
6086 
6087 	if (!selinux_enabled)
6088 		goto out;
6089 
6090 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6091 
6092 	err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
6093 	if (err)
6094 		panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
6095 
6096 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6097 	err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
6098 	if (err)
6099 		panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
6100 #endif	/* IPV6 */
6101 
6102 out:
6103 	return err;
6104 }
6105 
6106 __initcall(selinux_nf_ip_init);
6107 
6108 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6109 static void selinux_nf_ip_exit(void)
6110 {
6111 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6112 
6113 	nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
6114 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6115 	nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
6116 #endif	/* IPV6 */
6117 }
6118 #endif
6119 
6120 #else /* CONFIG_NETFILTER */
6121 
6122 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6123 #define selinux_nf_ip_exit()
6124 #endif
6125 
6126 #endif /* CONFIG_NETFILTER */
6127 
6128 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6129 static int selinux_disabled;
6130 
6131 int selinux_disable(void)
6132 {
6133 	if (ss_initialized) {
6134 		/* Not permitted after initial policy load. */
6135 		return -EINVAL;
6136 	}
6137 
6138 	if (selinux_disabled) {
6139 		/* Only do this once. */
6140 		return -EINVAL;
6141 	}
6142 
6143 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6144 
6145 	selinux_disabled = 1;
6146 	selinux_enabled = 0;
6147 
6148 	reset_security_ops();
6149 
6150 	/* Try to destroy the avc node cache */
6151 	avc_disable();
6152 
6153 	/* Unregister netfilter hooks. */
6154 	selinux_nf_ip_exit();
6155 
6156 	/* Unregister selinuxfs. */
6157 	exit_sel_fs();
6158 
6159 	return 0;
6160 }
6161 #endif
6162