xref: /linux/security/selinux/hooks.c (revision d593b5413d13be31782385bf5b27af3b3bad59eb)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *	This program is free software; you can redistribute it and/or modify
22  *	it under the terms of the GNU General Public License version 2,
23  *	as published by the Free Software Foundation.
24  */
25 
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>	/* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>		/* for Unix socket types */
70 #include <net/af_unix.h>	/* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 
84 #include "avc.h"
85 #include "objsec.h"
86 #include "netif.h"
87 #include "netnode.h"
88 #include "netport.h"
89 #include "xfrm.h"
90 #include "netlabel.h"
91 #include "audit.h"
92 #include "avc_ss.h"
93 
94 #define NUM_SEL_MNT_OPTS 5
95 
96 extern struct security_operations *security_ops;
97 
98 /* SECMARK reference count */
99 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103 
104 static int __init enforcing_setup(char *str)
105 {
106 	unsigned long enforcing;
107 	if (!strict_strtoul(str, 0, &enforcing))
108 		selinux_enforcing = enforcing ? 1 : 0;
109 	return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113 
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116 
117 static int __init selinux_enabled_setup(char *str)
118 {
119 	unsigned long enabled;
120 	if (!strict_strtoul(str, 0, &enabled))
121 		selinux_enabled = enabled ? 1 : 0;
122 	return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128 
129 static struct kmem_cache *sel_inode_cache;
130 
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.
139  *
140  */
141 static int selinux_secmark_enabled(void)
142 {
143 	return (atomic_read(&selinux_secmark_refcount) > 0);
144 }
145 
146 /*
147  * initialise the security for the init task
148  */
149 static void cred_init_security(void)
150 {
151 	struct cred *cred = (struct cred *) current->real_cred;
152 	struct task_security_struct *tsec;
153 
154 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
155 	if (!tsec)
156 		panic("SELinux:  Failed to initialize initial task.\n");
157 
158 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
159 	cred->security = tsec;
160 }
161 
162 /*
163  * get the security ID of a set of credentials
164  */
165 static inline u32 cred_sid(const struct cred *cred)
166 {
167 	const struct task_security_struct *tsec;
168 
169 	tsec = cred->security;
170 	return tsec->sid;
171 }
172 
173 /*
174  * get the objective security ID of a task
175  */
176 static inline u32 task_sid(const struct task_struct *task)
177 {
178 	u32 sid;
179 
180 	rcu_read_lock();
181 	sid = cred_sid(__task_cred(task));
182 	rcu_read_unlock();
183 	return sid;
184 }
185 
186 /*
187  * get the subjective security ID of the current task
188  */
189 static inline u32 current_sid(void)
190 {
191 	const struct task_security_struct *tsec = current_security();
192 
193 	return tsec->sid;
194 }
195 
196 /* Allocate and free functions for each kind of security blob. */
197 
198 static int inode_alloc_security(struct inode *inode)
199 {
200 	struct inode_security_struct *isec;
201 	u32 sid = current_sid();
202 
203 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
204 	if (!isec)
205 		return -ENOMEM;
206 
207 	mutex_init(&isec->lock);
208 	INIT_LIST_HEAD(&isec->list);
209 	isec->inode = inode;
210 	isec->sid = SECINITSID_UNLABELED;
211 	isec->sclass = SECCLASS_FILE;
212 	isec->task_sid = sid;
213 	inode->i_security = isec;
214 
215 	return 0;
216 }
217 
218 static void inode_free_security(struct inode *inode)
219 {
220 	struct inode_security_struct *isec = inode->i_security;
221 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222 
223 	spin_lock(&sbsec->isec_lock);
224 	if (!list_empty(&isec->list))
225 		list_del_init(&isec->list);
226 	spin_unlock(&sbsec->isec_lock);
227 
228 	inode->i_security = NULL;
229 	kmem_cache_free(sel_inode_cache, isec);
230 }
231 
232 static int file_alloc_security(struct file *file)
233 {
234 	struct file_security_struct *fsec;
235 	u32 sid = current_sid();
236 
237 	fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
238 	if (!fsec)
239 		return -ENOMEM;
240 
241 	fsec->sid = sid;
242 	fsec->fown_sid = sid;
243 	file->f_security = fsec;
244 
245 	return 0;
246 }
247 
248 static void file_free_security(struct file *file)
249 {
250 	struct file_security_struct *fsec = file->f_security;
251 	file->f_security = NULL;
252 	kfree(fsec);
253 }
254 
255 static int superblock_alloc_security(struct super_block *sb)
256 {
257 	struct superblock_security_struct *sbsec;
258 
259 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
260 	if (!sbsec)
261 		return -ENOMEM;
262 
263 	mutex_init(&sbsec->lock);
264 	INIT_LIST_HEAD(&sbsec->isec_head);
265 	spin_lock_init(&sbsec->isec_lock);
266 	sbsec->sb = sb;
267 	sbsec->sid = SECINITSID_UNLABELED;
268 	sbsec->def_sid = SECINITSID_FILE;
269 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
270 	sb->s_security = sbsec;
271 
272 	return 0;
273 }
274 
275 static void superblock_free_security(struct super_block *sb)
276 {
277 	struct superblock_security_struct *sbsec = sb->s_security;
278 	sb->s_security = NULL;
279 	kfree(sbsec);
280 }
281 
282 /* The file system's label must be initialized prior to use. */
283 
284 static const char *labeling_behaviors[6] = {
285 	"uses xattr",
286 	"uses transition SIDs",
287 	"uses task SIDs",
288 	"uses genfs_contexts",
289 	"not configured for labeling",
290 	"uses mountpoint labeling",
291 };
292 
293 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
294 
295 static inline int inode_doinit(struct inode *inode)
296 {
297 	return inode_doinit_with_dentry(inode, NULL);
298 }
299 
300 enum {
301 	Opt_error = -1,
302 	Opt_context = 1,
303 	Opt_fscontext = 2,
304 	Opt_defcontext = 3,
305 	Opt_rootcontext = 4,
306 	Opt_labelsupport = 5,
307 };
308 
309 static const match_table_t tokens = {
310 	{Opt_context, CONTEXT_STR "%s"},
311 	{Opt_fscontext, FSCONTEXT_STR "%s"},
312 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
313 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
314 	{Opt_labelsupport, LABELSUPP_STR},
315 	{Opt_error, NULL},
316 };
317 
318 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
319 
320 static int may_context_mount_sb_relabel(u32 sid,
321 			struct superblock_security_struct *sbsec,
322 			const struct cred *cred)
323 {
324 	const struct task_security_struct *tsec = cred->security;
325 	int rc;
326 
327 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
328 			  FILESYSTEM__RELABELFROM, NULL);
329 	if (rc)
330 		return rc;
331 
332 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
333 			  FILESYSTEM__RELABELTO, NULL);
334 	return rc;
335 }
336 
337 static int may_context_mount_inode_relabel(u32 sid,
338 			struct superblock_security_struct *sbsec,
339 			const struct cred *cred)
340 {
341 	const struct task_security_struct *tsec = cred->security;
342 	int rc;
343 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344 			  FILESYSTEM__RELABELFROM, NULL);
345 	if (rc)
346 		return rc;
347 
348 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
349 			  FILESYSTEM__ASSOCIATE, NULL);
350 	return rc;
351 }
352 
353 static int sb_finish_set_opts(struct super_block *sb)
354 {
355 	struct superblock_security_struct *sbsec = sb->s_security;
356 	struct dentry *root = sb->s_root;
357 	struct inode *root_inode = root->d_inode;
358 	int rc = 0;
359 
360 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
361 		/* Make sure that the xattr handler exists and that no
362 		   error other than -ENODATA is returned by getxattr on
363 		   the root directory.  -ENODATA is ok, as this may be
364 		   the first boot of the SELinux kernel before we have
365 		   assigned xattr values to the filesystem. */
366 		if (!root_inode->i_op->getxattr) {
367 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
368 			       "xattr support\n", sb->s_id, sb->s_type->name);
369 			rc = -EOPNOTSUPP;
370 			goto out;
371 		}
372 		rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
373 		if (rc < 0 && rc != -ENODATA) {
374 			if (rc == -EOPNOTSUPP)
375 				printk(KERN_WARNING "SELinux: (dev %s, type "
376 				       "%s) has no security xattr handler\n",
377 				       sb->s_id, sb->s_type->name);
378 			else
379 				printk(KERN_WARNING "SELinux: (dev %s, type "
380 				       "%s) getxattr errno %d\n", sb->s_id,
381 				       sb->s_type->name, -rc);
382 			goto out;
383 		}
384 	}
385 
386 	sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
387 
388 	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
389 		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
390 		       sb->s_id, sb->s_type->name);
391 	else
392 		printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
393 		       sb->s_id, sb->s_type->name,
394 		       labeling_behaviors[sbsec->behavior-1]);
395 
396 	if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
397 	    sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
398 	    sbsec->behavior == SECURITY_FS_USE_NONE ||
399 	    sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400 		sbsec->flags &= ~SE_SBLABELSUPP;
401 
402 	/* Special handling for sysfs. Is genfs but also has setxattr handler*/
403 	if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
404 		sbsec->flags |= SE_SBLABELSUPP;
405 
406 	/* Initialize the root inode. */
407 	rc = inode_doinit_with_dentry(root_inode, root);
408 
409 	/* Initialize any other inodes associated with the superblock, e.g.
410 	   inodes created prior to initial policy load or inodes created
411 	   during get_sb by a pseudo filesystem that directly
412 	   populates itself. */
413 	spin_lock(&sbsec->isec_lock);
414 next_inode:
415 	if (!list_empty(&sbsec->isec_head)) {
416 		struct inode_security_struct *isec =
417 				list_entry(sbsec->isec_head.next,
418 					   struct inode_security_struct, list);
419 		struct inode *inode = isec->inode;
420 		spin_unlock(&sbsec->isec_lock);
421 		inode = igrab(inode);
422 		if (inode) {
423 			if (!IS_PRIVATE(inode))
424 				inode_doinit(inode);
425 			iput(inode);
426 		}
427 		spin_lock(&sbsec->isec_lock);
428 		list_del_init(&isec->list);
429 		goto next_inode;
430 	}
431 	spin_unlock(&sbsec->isec_lock);
432 out:
433 	return rc;
434 }
435 
436 /*
437  * This function should allow an FS to ask what it's mount security
438  * options were so it can use those later for submounts, displaying
439  * mount options, or whatever.
440  */
441 static int selinux_get_mnt_opts(const struct super_block *sb,
442 				struct security_mnt_opts *opts)
443 {
444 	int rc = 0, i;
445 	struct superblock_security_struct *sbsec = sb->s_security;
446 	char *context = NULL;
447 	u32 len;
448 	char tmp;
449 
450 	security_init_mnt_opts(opts);
451 
452 	if (!(sbsec->flags & SE_SBINITIALIZED))
453 		return -EINVAL;
454 
455 	if (!ss_initialized)
456 		return -EINVAL;
457 
458 	tmp = sbsec->flags & SE_MNTMASK;
459 	/* count the number of mount options for this sb */
460 	for (i = 0; i < 8; i++) {
461 		if (tmp & 0x01)
462 			opts->num_mnt_opts++;
463 		tmp >>= 1;
464 	}
465 	/* Check if the Label support flag is set */
466 	if (sbsec->flags & SE_SBLABELSUPP)
467 		opts->num_mnt_opts++;
468 
469 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
470 	if (!opts->mnt_opts) {
471 		rc = -ENOMEM;
472 		goto out_free;
473 	}
474 
475 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
476 	if (!opts->mnt_opts_flags) {
477 		rc = -ENOMEM;
478 		goto out_free;
479 	}
480 
481 	i = 0;
482 	if (sbsec->flags & FSCONTEXT_MNT) {
483 		rc = security_sid_to_context(sbsec->sid, &context, &len);
484 		if (rc)
485 			goto out_free;
486 		opts->mnt_opts[i] = context;
487 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
488 	}
489 	if (sbsec->flags & CONTEXT_MNT) {
490 		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
491 		if (rc)
492 			goto out_free;
493 		opts->mnt_opts[i] = context;
494 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
495 	}
496 	if (sbsec->flags & DEFCONTEXT_MNT) {
497 		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
498 		if (rc)
499 			goto out_free;
500 		opts->mnt_opts[i] = context;
501 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
502 	}
503 	if (sbsec->flags & ROOTCONTEXT_MNT) {
504 		struct inode *root = sbsec->sb->s_root->d_inode;
505 		struct inode_security_struct *isec = root->i_security;
506 
507 		rc = security_sid_to_context(isec->sid, &context, &len);
508 		if (rc)
509 			goto out_free;
510 		opts->mnt_opts[i] = context;
511 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
512 	}
513 	if (sbsec->flags & SE_SBLABELSUPP) {
514 		opts->mnt_opts[i] = NULL;
515 		opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
516 	}
517 
518 	BUG_ON(i != opts->num_mnt_opts);
519 
520 	return 0;
521 
522 out_free:
523 	security_free_mnt_opts(opts);
524 	return rc;
525 }
526 
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528 		      u32 old_sid, u32 new_sid)
529 {
530 	char mnt_flags = sbsec->flags & SE_MNTMASK;
531 
532 	/* check if the old mount command had the same options */
533 	if (sbsec->flags & SE_SBINITIALIZED)
534 		if (!(sbsec->flags & flag) ||
535 		    (old_sid != new_sid))
536 			return 1;
537 
538 	/* check if we were passed the same options twice,
539 	 * aka someone passed context=a,context=b
540 	 */
541 	if (!(sbsec->flags & SE_SBINITIALIZED))
542 		if (mnt_flags & flag)
543 			return 1;
544 	return 0;
545 }
546 
547 /*
548  * Allow filesystems with binary mount data to explicitly set mount point
549  * labeling information.
550  */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552 				struct security_mnt_opts *opts)
553 {
554 	const struct cred *cred = current_cred();
555 	int rc = 0, i;
556 	struct superblock_security_struct *sbsec = sb->s_security;
557 	const char *name = sb->s_type->name;
558 	struct inode *inode = sbsec->sb->s_root->d_inode;
559 	struct inode_security_struct *root_isec = inode->i_security;
560 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
561 	u32 defcontext_sid = 0;
562 	char **mount_options = opts->mnt_opts;
563 	int *flags = opts->mnt_opts_flags;
564 	int num_opts = opts->num_mnt_opts;
565 
566 	mutex_lock(&sbsec->lock);
567 
568 	if (!ss_initialized) {
569 		if (!num_opts) {
570 			/* Defer initialization until selinux_complete_init,
571 			   after the initial policy is loaded and the security
572 			   server is ready to handle calls. */
573 			goto out;
574 		}
575 		rc = -EINVAL;
576 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
577 			"before the security server is initialized\n");
578 		goto out;
579 	}
580 
581 	/*
582 	 * Binary mount data FS will come through this function twice.  Once
583 	 * from an explicit call and once from the generic calls from the vfs.
584 	 * Since the generic VFS calls will not contain any security mount data
585 	 * we need to skip the double mount verification.
586 	 *
587 	 * This does open a hole in which we will not notice if the first
588 	 * mount using this sb set explict options and a second mount using
589 	 * this sb does not set any security options.  (The first options
590 	 * will be used for both mounts)
591 	 */
592 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593 	    && (num_opts == 0))
594 		goto out;
595 
596 	/*
597 	 * parse the mount options, check if they are valid sids.
598 	 * also check if someone is trying to mount the same sb more
599 	 * than once with different security options.
600 	 */
601 	for (i = 0; i < num_opts; i++) {
602 		u32 sid;
603 
604 		if (flags[i] == SE_SBLABELSUPP)
605 			continue;
606 		rc = security_context_to_sid(mount_options[i],
607 					     strlen(mount_options[i]), &sid);
608 		if (rc) {
609 			printk(KERN_WARNING "SELinux: security_context_to_sid"
610 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
611 			       mount_options[i], sb->s_id, name, rc);
612 			goto out;
613 		}
614 		switch (flags[i]) {
615 		case FSCONTEXT_MNT:
616 			fscontext_sid = sid;
617 
618 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619 					fscontext_sid))
620 				goto out_double_mount;
621 
622 			sbsec->flags |= FSCONTEXT_MNT;
623 			break;
624 		case CONTEXT_MNT:
625 			context_sid = sid;
626 
627 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628 					context_sid))
629 				goto out_double_mount;
630 
631 			sbsec->flags |= CONTEXT_MNT;
632 			break;
633 		case ROOTCONTEXT_MNT:
634 			rootcontext_sid = sid;
635 
636 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637 					rootcontext_sid))
638 				goto out_double_mount;
639 
640 			sbsec->flags |= ROOTCONTEXT_MNT;
641 
642 			break;
643 		case DEFCONTEXT_MNT:
644 			defcontext_sid = sid;
645 
646 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647 					defcontext_sid))
648 				goto out_double_mount;
649 
650 			sbsec->flags |= DEFCONTEXT_MNT;
651 
652 			break;
653 		default:
654 			rc = -EINVAL;
655 			goto out;
656 		}
657 	}
658 
659 	if (sbsec->flags & SE_SBINITIALIZED) {
660 		/* previously mounted with options, but not on this attempt? */
661 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
662 			goto out_double_mount;
663 		rc = 0;
664 		goto out;
665 	}
666 
667 	if (strcmp(sb->s_type->name, "proc") == 0)
668 		sbsec->flags |= SE_SBPROC;
669 
670 	/* Determine the labeling behavior to use for this filesystem type. */
671 	rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672 	if (rc) {
673 		printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674 		       __func__, sb->s_type->name, rc);
675 		goto out;
676 	}
677 
678 	/* sets the context of the superblock for the fs being mounted. */
679 	if (fscontext_sid) {
680 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
681 		if (rc)
682 			goto out;
683 
684 		sbsec->sid = fscontext_sid;
685 	}
686 
687 	/*
688 	 * Switch to using mount point labeling behavior.
689 	 * sets the label used on all file below the mountpoint, and will set
690 	 * the superblock context if not already set.
691 	 */
692 	if (context_sid) {
693 		if (!fscontext_sid) {
694 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
695 							  cred);
696 			if (rc)
697 				goto out;
698 			sbsec->sid = context_sid;
699 		} else {
700 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
701 							     cred);
702 			if (rc)
703 				goto out;
704 		}
705 		if (!rootcontext_sid)
706 			rootcontext_sid = context_sid;
707 
708 		sbsec->mntpoint_sid = context_sid;
709 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
710 	}
711 
712 	if (rootcontext_sid) {
713 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
714 						     cred);
715 		if (rc)
716 			goto out;
717 
718 		root_isec->sid = rootcontext_sid;
719 		root_isec->initialized = 1;
720 	}
721 
722 	if (defcontext_sid) {
723 		if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
724 			rc = -EINVAL;
725 			printk(KERN_WARNING "SELinux: defcontext option is "
726 			       "invalid for this filesystem type\n");
727 			goto out;
728 		}
729 
730 		if (defcontext_sid != sbsec->def_sid) {
731 			rc = may_context_mount_inode_relabel(defcontext_sid,
732 							     sbsec, cred);
733 			if (rc)
734 				goto out;
735 		}
736 
737 		sbsec->def_sid = defcontext_sid;
738 	}
739 
740 	rc = sb_finish_set_opts(sb);
741 out:
742 	mutex_unlock(&sbsec->lock);
743 	return rc;
744 out_double_mount:
745 	rc = -EINVAL;
746 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
747 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
748 	goto out;
749 }
750 
751 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
752 					struct super_block *newsb)
753 {
754 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
755 	struct superblock_security_struct *newsbsec = newsb->s_security;
756 
757 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
758 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
759 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
760 
761 	/*
762 	 * if the parent was able to be mounted it clearly had no special lsm
763 	 * mount options.  thus we can safely deal with this superblock later
764 	 */
765 	if (!ss_initialized)
766 		return;
767 
768 	/* how can we clone if the old one wasn't set up?? */
769 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
770 
771 	/* if fs is reusing a sb, just let its options stand... */
772 	if (newsbsec->flags & SE_SBINITIALIZED)
773 		return;
774 
775 	mutex_lock(&newsbsec->lock);
776 
777 	newsbsec->flags = oldsbsec->flags;
778 
779 	newsbsec->sid = oldsbsec->sid;
780 	newsbsec->def_sid = oldsbsec->def_sid;
781 	newsbsec->behavior = oldsbsec->behavior;
782 
783 	if (set_context) {
784 		u32 sid = oldsbsec->mntpoint_sid;
785 
786 		if (!set_fscontext)
787 			newsbsec->sid = sid;
788 		if (!set_rootcontext) {
789 			struct inode *newinode = newsb->s_root->d_inode;
790 			struct inode_security_struct *newisec = newinode->i_security;
791 			newisec->sid = sid;
792 		}
793 		newsbsec->mntpoint_sid = sid;
794 	}
795 	if (set_rootcontext) {
796 		const struct inode *oldinode = oldsb->s_root->d_inode;
797 		const struct inode_security_struct *oldisec = oldinode->i_security;
798 		struct inode *newinode = newsb->s_root->d_inode;
799 		struct inode_security_struct *newisec = newinode->i_security;
800 
801 		newisec->sid = oldisec->sid;
802 	}
803 
804 	sb_finish_set_opts(newsb);
805 	mutex_unlock(&newsbsec->lock);
806 }
807 
808 static int selinux_parse_opts_str(char *options,
809 				  struct security_mnt_opts *opts)
810 {
811 	char *p;
812 	char *context = NULL, *defcontext = NULL;
813 	char *fscontext = NULL, *rootcontext = NULL;
814 	int rc, num_mnt_opts = 0;
815 
816 	opts->num_mnt_opts = 0;
817 
818 	/* Standard string-based options. */
819 	while ((p = strsep(&options, "|")) != NULL) {
820 		int token;
821 		substring_t args[MAX_OPT_ARGS];
822 
823 		if (!*p)
824 			continue;
825 
826 		token = match_token(p, tokens, args);
827 
828 		switch (token) {
829 		case Opt_context:
830 			if (context || defcontext) {
831 				rc = -EINVAL;
832 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
833 				goto out_err;
834 			}
835 			context = match_strdup(&args[0]);
836 			if (!context) {
837 				rc = -ENOMEM;
838 				goto out_err;
839 			}
840 			break;
841 
842 		case Opt_fscontext:
843 			if (fscontext) {
844 				rc = -EINVAL;
845 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
846 				goto out_err;
847 			}
848 			fscontext = match_strdup(&args[0]);
849 			if (!fscontext) {
850 				rc = -ENOMEM;
851 				goto out_err;
852 			}
853 			break;
854 
855 		case Opt_rootcontext:
856 			if (rootcontext) {
857 				rc = -EINVAL;
858 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
859 				goto out_err;
860 			}
861 			rootcontext = match_strdup(&args[0]);
862 			if (!rootcontext) {
863 				rc = -ENOMEM;
864 				goto out_err;
865 			}
866 			break;
867 
868 		case Opt_defcontext:
869 			if (context || defcontext) {
870 				rc = -EINVAL;
871 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
872 				goto out_err;
873 			}
874 			defcontext = match_strdup(&args[0]);
875 			if (!defcontext) {
876 				rc = -ENOMEM;
877 				goto out_err;
878 			}
879 			break;
880 		case Opt_labelsupport:
881 			break;
882 		default:
883 			rc = -EINVAL;
884 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
885 			goto out_err;
886 
887 		}
888 	}
889 
890 	rc = -ENOMEM;
891 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
892 	if (!opts->mnt_opts)
893 		goto out_err;
894 
895 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
896 	if (!opts->mnt_opts_flags) {
897 		kfree(opts->mnt_opts);
898 		goto out_err;
899 	}
900 
901 	if (fscontext) {
902 		opts->mnt_opts[num_mnt_opts] = fscontext;
903 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
904 	}
905 	if (context) {
906 		opts->mnt_opts[num_mnt_opts] = context;
907 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
908 	}
909 	if (rootcontext) {
910 		opts->mnt_opts[num_mnt_opts] = rootcontext;
911 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
912 	}
913 	if (defcontext) {
914 		opts->mnt_opts[num_mnt_opts] = defcontext;
915 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
916 	}
917 
918 	opts->num_mnt_opts = num_mnt_opts;
919 	return 0;
920 
921 out_err:
922 	kfree(context);
923 	kfree(defcontext);
924 	kfree(fscontext);
925 	kfree(rootcontext);
926 	return rc;
927 }
928 /*
929  * string mount options parsing and call set the sbsec
930  */
931 static int superblock_doinit(struct super_block *sb, void *data)
932 {
933 	int rc = 0;
934 	char *options = data;
935 	struct security_mnt_opts opts;
936 
937 	security_init_mnt_opts(&opts);
938 
939 	if (!data)
940 		goto out;
941 
942 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
943 
944 	rc = selinux_parse_opts_str(options, &opts);
945 	if (rc)
946 		goto out_err;
947 
948 out:
949 	rc = selinux_set_mnt_opts(sb, &opts);
950 
951 out_err:
952 	security_free_mnt_opts(&opts);
953 	return rc;
954 }
955 
956 static void selinux_write_opts(struct seq_file *m,
957 			       struct security_mnt_opts *opts)
958 {
959 	int i;
960 	char *prefix;
961 
962 	for (i = 0; i < opts->num_mnt_opts; i++) {
963 		char *has_comma;
964 
965 		if (opts->mnt_opts[i])
966 			has_comma = strchr(opts->mnt_opts[i], ',');
967 		else
968 			has_comma = NULL;
969 
970 		switch (opts->mnt_opts_flags[i]) {
971 		case CONTEXT_MNT:
972 			prefix = CONTEXT_STR;
973 			break;
974 		case FSCONTEXT_MNT:
975 			prefix = FSCONTEXT_STR;
976 			break;
977 		case ROOTCONTEXT_MNT:
978 			prefix = ROOTCONTEXT_STR;
979 			break;
980 		case DEFCONTEXT_MNT:
981 			prefix = DEFCONTEXT_STR;
982 			break;
983 		case SE_SBLABELSUPP:
984 			seq_putc(m, ',');
985 			seq_puts(m, LABELSUPP_STR);
986 			continue;
987 		default:
988 			BUG();
989 			return;
990 		};
991 		/* we need a comma before each option */
992 		seq_putc(m, ',');
993 		seq_puts(m, prefix);
994 		if (has_comma)
995 			seq_putc(m, '\"');
996 		seq_puts(m, opts->mnt_opts[i]);
997 		if (has_comma)
998 			seq_putc(m, '\"');
999 	}
1000 }
1001 
1002 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1003 {
1004 	struct security_mnt_opts opts;
1005 	int rc;
1006 
1007 	rc = selinux_get_mnt_opts(sb, &opts);
1008 	if (rc) {
1009 		/* before policy load we may get EINVAL, don't show anything */
1010 		if (rc == -EINVAL)
1011 			rc = 0;
1012 		return rc;
1013 	}
1014 
1015 	selinux_write_opts(m, &opts);
1016 
1017 	security_free_mnt_opts(&opts);
1018 
1019 	return rc;
1020 }
1021 
1022 static inline u16 inode_mode_to_security_class(umode_t mode)
1023 {
1024 	switch (mode & S_IFMT) {
1025 	case S_IFSOCK:
1026 		return SECCLASS_SOCK_FILE;
1027 	case S_IFLNK:
1028 		return SECCLASS_LNK_FILE;
1029 	case S_IFREG:
1030 		return SECCLASS_FILE;
1031 	case S_IFBLK:
1032 		return SECCLASS_BLK_FILE;
1033 	case S_IFDIR:
1034 		return SECCLASS_DIR;
1035 	case S_IFCHR:
1036 		return SECCLASS_CHR_FILE;
1037 	case S_IFIFO:
1038 		return SECCLASS_FIFO_FILE;
1039 
1040 	}
1041 
1042 	return SECCLASS_FILE;
1043 }
1044 
1045 static inline int default_protocol_stream(int protocol)
1046 {
1047 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1048 }
1049 
1050 static inline int default_protocol_dgram(int protocol)
1051 {
1052 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1053 }
1054 
1055 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1056 {
1057 	switch (family) {
1058 	case PF_UNIX:
1059 		switch (type) {
1060 		case SOCK_STREAM:
1061 		case SOCK_SEQPACKET:
1062 			return SECCLASS_UNIX_STREAM_SOCKET;
1063 		case SOCK_DGRAM:
1064 			return SECCLASS_UNIX_DGRAM_SOCKET;
1065 		}
1066 		break;
1067 	case PF_INET:
1068 	case PF_INET6:
1069 		switch (type) {
1070 		case SOCK_STREAM:
1071 			if (default_protocol_stream(protocol))
1072 				return SECCLASS_TCP_SOCKET;
1073 			else
1074 				return SECCLASS_RAWIP_SOCKET;
1075 		case SOCK_DGRAM:
1076 			if (default_protocol_dgram(protocol))
1077 				return SECCLASS_UDP_SOCKET;
1078 			else
1079 				return SECCLASS_RAWIP_SOCKET;
1080 		case SOCK_DCCP:
1081 			return SECCLASS_DCCP_SOCKET;
1082 		default:
1083 			return SECCLASS_RAWIP_SOCKET;
1084 		}
1085 		break;
1086 	case PF_NETLINK:
1087 		switch (protocol) {
1088 		case NETLINK_ROUTE:
1089 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1090 		case NETLINK_FIREWALL:
1091 			return SECCLASS_NETLINK_FIREWALL_SOCKET;
1092 		case NETLINK_INET_DIAG:
1093 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1094 		case NETLINK_NFLOG:
1095 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1096 		case NETLINK_XFRM:
1097 			return SECCLASS_NETLINK_XFRM_SOCKET;
1098 		case NETLINK_SELINUX:
1099 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1100 		case NETLINK_AUDIT:
1101 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1102 		case NETLINK_IP6_FW:
1103 			return SECCLASS_NETLINK_IP6FW_SOCKET;
1104 		case NETLINK_DNRTMSG:
1105 			return SECCLASS_NETLINK_DNRT_SOCKET;
1106 		case NETLINK_KOBJECT_UEVENT:
1107 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1108 		default:
1109 			return SECCLASS_NETLINK_SOCKET;
1110 		}
1111 	case PF_PACKET:
1112 		return SECCLASS_PACKET_SOCKET;
1113 	case PF_KEY:
1114 		return SECCLASS_KEY_SOCKET;
1115 	case PF_APPLETALK:
1116 		return SECCLASS_APPLETALK_SOCKET;
1117 	}
1118 
1119 	return SECCLASS_SOCKET;
1120 }
1121 
1122 #ifdef CONFIG_PROC_FS
1123 static int selinux_proc_get_sid(struct dentry *dentry,
1124 				u16 tclass,
1125 				u32 *sid)
1126 {
1127 	int rc;
1128 	char *buffer, *path;
1129 
1130 	buffer = (char *)__get_free_page(GFP_KERNEL);
1131 	if (!buffer)
1132 		return -ENOMEM;
1133 
1134 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1135 	if (IS_ERR(path))
1136 		rc = PTR_ERR(path);
1137 	else {
1138 		/* each process gets a /proc/PID/ entry. Strip off the
1139 		 * PID part to get a valid selinux labeling.
1140 		 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1141 		while (path[1] >= '0' && path[1] <= '9') {
1142 			path[1] = '/';
1143 			path++;
1144 		}
1145 		rc = security_genfs_sid("proc", path, tclass, sid);
1146 	}
1147 	free_page((unsigned long)buffer);
1148 	return rc;
1149 }
1150 #else
1151 static int selinux_proc_get_sid(struct dentry *dentry,
1152 				u16 tclass,
1153 				u32 *sid)
1154 {
1155 	return -EINVAL;
1156 }
1157 #endif
1158 
1159 /* The inode's security attributes must be initialized before first use. */
1160 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1161 {
1162 	struct superblock_security_struct *sbsec = NULL;
1163 	struct inode_security_struct *isec = inode->i_security;
1164 	u32 sid;
1165 	struct dentry *dentry;
1166 #define INITCONTEXTLEN 255
1167 	char *context = NULL;
1168 	unsigned len = 0;
1169 	int rc = 0;
1170 
1171 	if (isec->initialized)
1172 		goto out;
1173 
1174 	mutex_lock(&isec->lock);
1175 	if (isec->initialized)
1176 		goto out_unlock;
1177 
1178 	sbsec = inode->i_sb->s_security;
1179 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1180 		/* Defer initialization until selinux_complete_init,
1181 		   after the initial policy is loaded and the security
1182 		   server is ready to handle calls. */
1183 		spin_lock(&sbsec->isec_lock);
1184 		if (list_empty(&isec->list))
1185 			list_add(&isec->list, &sbsec->isec_head);
1186 		spin_unlock(&sbsec->isec_lock);
1187 		goto out_unlock;
1188 	}
1189 
1190 	switch (sbsec->behavior) {
1191 	case SECURITY_FS_USE_XATTR:
1192 		if (!inode->i_op->getxattr) {
1193 			isec->sid = sbsec->def_sid;
1194 			break;
1195 		}
1196 
1197 		/* Need a dentry, since the xattr API requires one.
1198 		   Life would be simpler if we could just pass the inode. */
1199 		if (opt_dentry) {
1200 			/* Called from d_instantiate or d_splice_alias. */
1201 			dentry = dget(opt_dentry);
1202 		} else {
1203 			/* Called from selinux_complete_init, try to find a dentry. */
1204 			dentry = d_find_alias(inode);
1205 		}
1206 		if (!dentry) {
1207 			/*
1208 			 * this is can be hit on boot when a file is accessed
1209 			 * before the policy is loaded.  When we load policy we
1210 			 * may find inodes that have no dentry on the
1211 			 * sbsec->isec_head list.  No reason to complain as these
1212 			 * will get fixed up the next time we go through
1213 			 * inode_doinit with a dentry, before these inodes could
1214 			 * be used again by userspace.
1215 			 */
1216 			goto out_unlock;
1217 		}
1218 
1219 		len = INITCONTEXTLEN;
1220 		context = kmalloc(len+1, GFP_NOFS);
1221 		if (!context) {
1222 			rc = -ENOMEM;
1223 			dput(dentry);
1224 			goto out_unlock;
1225 		}
1226 		context[len] = '\0';
1227 		rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1228 					   context, len);
1229 		if (rc == -ERANGE) {
1230 			kfree(context);
1231 
1232 			/* Need a larger buffer.  Query for the right size. */
1233 			rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1234 						   NULL, 0);
1235 			if (rc < 0) {
1236 				dput(dentry);
1237 				goto out_unlock;
1238 			}
1239 			len = rc;
1240 			context = kmalloc(len+1, GFP_NOFS);
1241 			if (!context) {
1242 				rc = -ENOMEM;
1243 				dput(dentry);
1244 				goto out_unlock;
1245 			}
1246 			context[len] = '\0';
1247 			rc = inode->i_op->getxattr(dentry,
1248 						   XATTR_NAME_SELINUX,
1249 						   context, len);
1250 		}
1251 		dput(dentry);
1252 		if (rc < 0) {
1253 			if (rc != -ENODATA) {
1254 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1255 				       "%d for dev=%s ino=%ld\n", __func__,
1256 				       -rc, inode->i_sb->s_id, inode->i_ino);
1257 				kfree(context);
1258 				goto out_unlock;
1259 			}
1260 			/* Map ENODATA to the default file SID */
1261 			sid = sbsec->def_sid;
1262 			rc = 0;
1263 		} else {
1264 			rc = security_context_to_sid_default(context, rc, &sid,
1265 							     sbsec->def_sid,
1266 							     GFP_NOFS);
1267 			if (rc) {
1268 				char *dev = inode->i_sb->s_id;
1269 				unsigned long ino = inode->i_ino;
1270 
1271 				if (rc == -EINVAL) {
1272 					if (printk_ratelimit())
1273 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1274 							"context=%s.  This indicates you may need to relabel the inode or the "
1275 							"filesystem in question.\n", ino, dev, context);
1276 				} else {
1277 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1278 					       "returned %d for dev=%s ino=%ld\n",
1279 					       __func__, context, -rc, dev, ino);
1280 				}
1281 				kfree(context);
1282 				/* Leave with the unlabeled SID */
1283 				rc = 0;
1284 				break;
1285 			}
1286 		}
1287 		kfree(context);
1288 		isec->sid = sid;
1289 		break;
1290 	case SECURITY_FS_USE_TASK:
1291 		isec->sid = isec->task_sid;
1292 		break;
1293 	case SECURITY_FS_USE_TRANS:
1294 		/* Default to the fs SID. */
1295 		isec->sid = sbsec->sid;
1296 
1297 		/* Try to obtain a transition SID. */
1298 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1299 		rc = security_transition_sid(isec->task_sid, sbsec->sid,
1300 					     isec->sclass, NULL, &sid);
1301 		if (rc)
1302 			goto out_unlock;
1303 		isec->sid = sid;
1304 		break;
1305 	case SECURITY_FS_USE_MNTPOINT:
1306 		isec->sid = sbsec->mntpoint_sid;
1307 		break;
1308 	default:
1309 		/* Default to the fs superblock SID. */
1310 		isec->sid = sbsec->sid;
1311 
1312 		if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1313 			if (opt_dentry) {
1314 				isec->sclass = inode_mode_to_security_class(inode->i_mode);
1315 				rc = selinux_proc_get_sid(opt_dentry,
1316 							  isec->sclass,
1317 							  &sid);
1318 				if (rc)
1319 					goto out_unlock;
1320 				isec->sid = sid;
1321 			}
1322 		}
1323 		break;
1324 	}
1325 
1326 	isec->initialized = 1;
1327 
1328 out_unlock:
1329 	mutex_unlock(&isec->lock);
1330 out:
1331 	if (isec->sclass == SECCLASS_FILE)
1332 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333 	return rc;
1334 }
1335 
1336 /* Convert a Linux signal to an access vector. */
1337 static inline u32 signal_to_av(int sig)
1338 {
1339 	u32 perm = 0;
1340 
1341 	switch (sig) {
1342 	case SIGCHLD:
1343 		/* Commonly granted from child to parent. */
1344 		perm = PROCESS__SIGCHLD;
1345 		break;
1346 	case SIGKILL:
1347 		/* Cannot be caught or ignored */
1348 		perm = PROCESS__SIGKILL;
1349 		break;
1350 	case SIGSTOP:
1351 		/* Cannot be caught or ignored */
1352 		perm = PROCESS__SIGSTOP;
1353 		break;
1354 	default:
1355 		/* All other signals. */
1356 		perm = PROCESS__SIGNAL;
1357 		break;
1358 	}
1359 
1360 	return perm;
1361 }
1362 
1363 /*
1364  * Check permission between a pair of credentials
1365  * fork check, ptrace check, etc.
1366  */
1367 static int cred_has_perm(const struct cred *actor,
1368 			 const struct cred *target,
1369 			 u32 perms)
1370 {
1371 	u32 asid = cred_sid(actor), tsid = cred_sid(target);
1372 
1373 	return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1374 }
1375 
1376 /*
1377  * Check permission between a pair of tasks, e.g. signal checks,
1378  * fork check, ptrace check, etc.
1379  * tsk1 is the actor and tsk2 is the target
1380  * - this uses the default subjective creds of tsk1
1381  */
1382 static int task_has_perm(const struct task_struct *tsk1,
1383 			 const struct task_struct *tsk2,
1384 			 u32 perms)
1385 {
1386 	const struct task_security_struct *__tsec1, *__tsec2;
1387 	u32 sid1, sid2;
1388 
1389 	rcu_read_lock();
1390 	__tsec1 = __task_cred(tsk1)->security;	sid1 = __tsec1->sid;
1391 	__tsec2 = __task_cred(tsk2)->security;	sid2 = __tsec2->sid;
1392 	rcu_read_unlock();
1393 	return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1394 }
1395 
1396 /*
1397  * Check permission between current and another task, e.g. signal checks,
1398  * fork check, ptrace check, etc.
1399  * current is the actor and tsk2 is the target
1400  * - this uses current's subjective creds
1401  */
1402 static int current_has_perm(const struct task_struct *tsk,
1403 			    u32 perms)
1404 {
1405 	u32 sid, tsid;
1406 
1407 	sid = current_sid();
1408 	tsid = task_sid(tsk);
1409 	return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1410 }
1411 
1412 #if CAP_LAST_CAP > 63
1413 #error Fix SELinux to handle capabilities > 63.
1414 #endif
1415 
1416 /* Check whether a task is allowed to use a capability. */
1417 static int task_has_capability(struct task_struct *tsk,
1418 			       const struct cred *cred,
1419 			       int cap, int audit)
1420 {
1421 	struct common_audit_data ad;
1422 	struct av_decision avd;
1423 	u16 sclass;
1424 	u32 sid = cred_sid(cred);
1425 	u32 av = CAP_TO_MASK(cap);
1426 	int rc;
1427 
1428 	COMMON_AUDIT_DATA_INIT(&ad, CAP);
1429 	ad.tsk = tsk;
1430 	ad.u.cap = cap;
1431 
1432 	switch (CAP_TO_INDEX(cap)) {
1433 	case 0:
1434 		sclass = SECCLASS_CAPABILITY;
1435 		break;
1436 	case 1:
1437 		sclass = SECCLASS_CAPABILITY2;
1438 		break;
1439 	default:
1440 		printk(KERN_ERR
1441 		       "SELinux:  out of range capability %d\n", cap);
1442 		BUG();
1443 		return -EINVAL;
1444 	}
1445 
1446 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1447 	if (audit == SECURITY_CAP_AUDIT) {
1448 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1449 		if (rc2)
1450 			return rc2;
1451 	}
1452 	return rc;
1453 }
1454 
1455 /* Check whether a task is allowed to use a system operation. */
1456 static int task_has_system(struct task_struct *tsk,
1457 			   u32 perms)
1458 {
1459 	u32 sid = task_sid(tsk);
1460 
1461 	return avc_has_perm(sid, SECINITSID_KERNEL,
1462 			    SECCLASS_SYSTEM, perms, NULL);
1463 }
1464 
1465 /* Check whether a task has a particular permission to an inode.
1466    The 'adp' parameter is optional and allows other audit
1467    data to be passed (e.g. the dentry). */
1468 static int inode_has_perm(const struct cred *cred,
1469 			  struct inode *inode,
1470 			  u32 perms,
1471 			  struct common_audit_data *adp,
1472 			  unsigned flags)
1473 {
1474 	struct inode_security_struct *isec;
1475 	u32 sid;
1476 
1477 	validate_creds(cred);
1478 
1479 	if (unlikely(IS_PRIVATE(inode)))
1480 		return 0;
1481 
1482 	sid = cred_sid(cred);
1483 	isec = inode->i_security;
1484 
1485 	return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1486 }
1487 
1488 static int inode_has_perm_noadp(const struct cred *cred,
1489 				struct inode *inode,
1490 				u32 perms,
1491 				unsigned flags)
1492 {
1493 	struct common_audit_data ad;
1494 
1495 	COMMON_AUDIT_DATA_INIT(&ad, INODE);
1496 	ad.u.inode = inode;
1497 	return inode_has_perm(cred, inode, perms, &ad, flags);
1498 }
1499 
1500 /* Same as inode_has_perm, but pass explicit audit data containing
1501    the dentry to help the auditing code to more easily generate the
1502    pathname if needed. */
1503 static inline int dentry_has_perm(const struct cred *cred,
1504 				  struct dentry *dentry,
1505 				  u32 av)
1506 {
1507 	struct inode *inode = dentry->d_inode;
1508 	struct common_audit_data ad;
1509 
1510 	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1511 	ad.u.dentry = dentry;
1512 	return inode_has_perm(cred, inode, av, &ad, 0);
1513 }
1514 
1515 /* Same as inode_has_perm, but pass explicit audit data containing
1516    the path to help the auditing code to more easily generate the
1517    pathname if needed. */
1518 static inline int path_has_perm(const struct cred *cred,
1519 				struct path *path,
1520 				u32 av)
1521 {
1522 	struct inode *inode = path->dentry->d_inode;
1523 	struct common_audit_data ad;
1524 
1525 	COMMON_AUDIT_DATA_INIT(&ad, PATH);
1526 	ad.u.path = *path;
1527 	return inode_has_perm(cred, inode, av, &ad, 0);
1528 }
1529 
1530 /* Check whether a task can use an open file descriptor to
1531    access an inode in a given way.  Check access to the
1532    descriptor itself, and then use dentry_has_perm to
1533    check a particular permission to the file.
1534    Access to the descriptor is implicitly granted if it
1535    has the same SID as the process.  If av is zero, then
1536    access to the file is not checked, e.g. for cases
1537    where only the descriptor is affected like seek. */
1538 static int file_has_perm(const struct cred *cred,
1539 			 struct file *file,
1540 			 u32 av)
1541 {
1542 	struct file_security_struct *fsec = file->f_security;
1543 	struct inode *inode = file->f_path.dentry->d_inode;
1544 	struct common_audit_data ad;
1545 	u32 sid = cred_sid(cred);
1546 	int rc;
1547 
1548 	COMMON_AUDIT_DATA_INIT(&ad, PATH);
1549 	ad.u.path = file->f_path;
1550 
1551 	if (sid != fsec->sid) {
1552 		rc = avc_has_perm(sid, fsec->sid,
1553 				  SECCLASS_FD,
1554 				  FD__USE,
1555 				  &ad);
1556 		if (rc)
1557 			goto out;
1558 	}
1559 
1560 	/* av is zero if only checking access to the descriptor. */
1561 	rc = 0;
1562 	if (av)
1563 		rc = inode_has_perm(cred, inode, av, &ad, 0);
1564 
1565 out:
1566 	return rc;
1567 }
1568 
1569 /* Check whether a task can create a file. */
1570 static int may_create(struct inode *dir,
1571 		      struct dentry *dentry,
1572 		      u16 tclass)
1573 {
1574 	const struct task_security_struct *tsec = current_security();
1575 	struct inode_security_struct *dsec;
1576 	struct superblock_security_struct *sbsec;
1577 	u32 sid, newsid;
1578 	struct common_audit_data ad;
1579 	int rc;
1580 
1581 	dsec = dir->i_security;
1582 	sbsec = dir->i_sb->s_security;
1583 
1584 	sid = tsec->sid;
1585 	newsid = tsec->create_sid;
1586 
1587 	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1588 	ad.u.dentry = dentry;
1589 
1590 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1591 			  DIR__ADD_NAME | DIR__SEARCH,
1592 			  &ad);
1593 	if (rc)
1594 		return rc;
1595 
1596 	if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1597 		rc = security_transition_sid(sid, dsec->sid, tclass,
1598 					     &dentry->d_name, &newsid);
1599 		if (rc)
1600 			return rc;
1601 	}
1602 
1603 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1604 	if (rc)
1605 		return rc;
1606 
1607 	return avc_has_perm(newsid, sbsec->sid,
1608 			    SECCLASS_FILESYSTEM,
1609 			    FILESYSTEM__ASSOCIATE, &ad);
1610 }
1611 
1612 /* Check whether a task can create a key. */
1613 static int may_create_key(u32 ksid,
1614 			  struct task_struct *ctx)
1615 {
1616 	u32 sid = task_sid(ctx);
1617 
1618 	return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1619 }
1620 
1621 #define MAY_LINK	0
1622 #define MAY_UNLINK	1
1623 #define MAY_RMDIR	2
1624 
1625 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1626 static int may_link(struct inode *dir,
1627 		    struct dentry *dentry,
1628 		    int kind)
1629 
1630 {
1631 	struct inode_security_struct *dsec, *isec;
1632 	struct common_audit_data ad;
1633 	u32 sid = current_sid();
1634 	u32 av;
1635 	int rc;
1636 
1637 	dsec = dir->i_security;
1638 	isec = dentry->d_inode->i_security;
1639 
1640 	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1641 	ad.u.dentry = dentry;
1642 
1643 	av = DIR__SEARCH;
1644 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1645 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1646 	if (rc)
1647 		return rc;
1648 
1649 	switch (kind) {
1650 	case MAY_LINK:
1651 		av = FILE__LINK;
1652 		break;
1653 	case MAY_UNLINK:
1654 		av = FILE__UNLINK;
1655 		break;
1656 	case MAY_RMDIR:
1657 		av = DIR__RMDIR;
1658 		break;
1659 	default:
1660 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1661 			__func__, kind);
1662 		return 0;
1663 	}
1664 
1665 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1666 	return rc;
1667 }
1668 
1669 static inline int may_rename(struct inode *old_dir,
1670 			     struct dentry *old_dentry,
1671 			     struct inode *new_dir,
1672 			     struct dentry *new_dentry)
1673 {
1674 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1675 	struct common_audit_data ad;
1676 	u32 sid = current_sid();
1677 	u32 av;
1678 	int old_is_dir, new_is_dir;
1679 	int rc;
1680 
1681 	old_dsec = old_dir->i_security;
1682 	old_isec = old_dentry->d_inode->i_security;
1683 	old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1684 	new_dsec = new_dir->i_security;
1685 
1686 	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1687 
1688 	ad.u.dentry = old_dentry;
1689 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1690 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1691 	if (rc)
1692 		return rc;
1693 	rc = avc_has_perm(sid, old_isec->sid,
1694 			  old_isec->sclass, FILE__RENAME, &ad);
1695 	if (rc)
1696 		return rc;
1697 	if (old_is_dir && new_dir != old_dir) {
1698 		rc = avc_has_perm(sid, old_isec->sid,
1699 				  old_isec->sclass, DIR__REPARENT, &ad);
1700 		if (rc)
1701 			return rc;
1702 	}
1703 
1704 	ad.u.dentry = new_dentry;
1705 	av = DIR__ADD_NAME | DIR__SEARCH;
1706 	if (new_dentry->d_inode)
1707 		av |= DIR__REMOVE_NAME;
1708 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1709 	if (rc)
1710 		return rc;
1711 	if (new_dentry->d_inode) {
1712 		new_isec = new_dentry->d_inode->i_security;
1713 		new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1714 		rc = avc_has_perm(sid, new_isec->sid,
1715 				  new_isec->sclass,
1716 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1717 		if (rc)
1718 			return rc;
1719 	}
1720 
1721 	return 0;
1722 }
1723 
1724 /* Check whether a task can perform a filesystem operation. */
1725 static int superblock_has_perm(const struct cred *cred,
1726 			       struct super_block *sb,
1727 			       u32 perms,
1728 			       struct common_audit_data *ad)
1729 {
1730 	struct superblock_security_struct *sbsec;
1731 	u32 sid = cred_sid(cred);
1732 
1733 	sbsec = sb->s_security;
1734 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1735 }
1736 
1737 /* Convert a Linux mode and permission mask to an access vector. */
1738 static inline u32 file_mask_to_av(int mode, int mask)
1739 {
1740 	u32 av = 0;
1741 
1742 	if ((mode & S_IFMT) != S_IFDIR) {
1743 		if (mask & MAY_EXEC)
1744 			av |= FILE__EXECUTE;
1745 		if (mask & MAY_READ)
1746 			av |= FILE__READ;
1747 
1748 		if (mask & MAY_APPEND)
1749 			av |= FILE__APPEND;
1750 		else if (mask & MAY_WRITE)
1751 			av |= FILE__WRITE;
1752 
1753 	} else {
1754 		if (mask & MAY_EXEC)
1755 			av |= DIR__SEARCH;
1756 		if (mask & MAY_WRITE)
1757 			av |= DIR__WRITE;
1758 		if (mask & MAY_READ)
1759 			av |= DIR__READ;
1760 	}
1761 
1762 	return av;
1763 }
1764 
1765 /* Convert a Linux file to an access vector. */
1766 static inline u32 file_to_av(struct file *file)
1767 {
1768 	u32 av = 0;
1769 
1770 	if (file->f_mode & FMODE_READ)
1771 		av |= FILE__READ;
1772 	if (file->f_mode & FMODE_WRITE) {
1773 		if (file->f_flags & O_APPEND)
1774 			av |= FILE__APPEND;
1775 		else
1776 			av |= FILE__WRITE;
1777 	}
1778 	if (!av) {
1779 		/*
1780 		 * Special file opened with flags 3 for ioctl-only use.
1781 		 */
1782 		av = FILE__IOCTL;
1783 	}
1784 
1785 	return av;
1786 }
1787 
1788 /*
1789  * Convert a file to an access vector and include the correct open
1790  * open permission.
1791  */
1792 static inline u32 open_file_to_av(struct file *file)
1793 {
1794 	u32 av = file_to_av(file);
1795 
1796 	if (selinux_policycap_openperm)
1797 		av |= FILE__OPEN;
1798 
1799 	return av;
1800 }
1801 
1802 /* Hook functions begin here. */
1803 
1804 static int selinux_ptrace_access_check(struct task_struct *child,
1805 				     unsigned int mode)
1806 {
1807 	int rc;
1808 
1809 	rc = cap_ptrace_access_check(child, mode);
1810 	if (rc)
1811 		return rc;
1812 
1813 	if (mode == PTRACE_MODE_READ) {
1814 		u32 sid = current_sid();
1815 		u32 csid = task_sid(child);
1816 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1817 	}
1818 
1819 	return current_has_perm(child, PROCESS__PTRACE);
1820 }
1821 
1822 static int selinux_ptrace_traceme(struct task_struct *parent)
1823 {
1824 	int rc;
1825 
1826 	rc = cap_ptrace_traceme(parent);
1827 	if (rc)
1828 		return rc;
1829 
1830 	return task_has_perm(parent, current, PROCESS__PTRACE);
1831 }
1832 
1833 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1834 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
1835 {
1836 	int error;
1837 
1838 	error = current_has_perm(target, PROCESS__GETCAP);
1839 	if (error)
1840 		return error;
1841 
1842 	return cap_capget(target, effective, inheritable, permitted);
1843 }
1844 
1845 static int selinux_capset(struct cred *new, const struct cred *old,
1846 			  const kernel_cap_t *effective,
1847 			  const kernel_cap_t *inheritable,
1848 			  const kernel_cap_t *permitted)
1849 {
1850 	int error;
1851 
1852 	error = cap_capset(new, old,
1853 				      effective, inheritable, permitted);
1854 	if (error)
1855 		return error;
1856 
1857 	return cred_has_perm(old, new, PROCESS__SETCAP);
1858 }
1859 
1860 /*
1861  * (This comment used to live with the selinux_task_setuid hook,
1862  * which was removed).
1863  *
1864  * Since setuid only affects the current process, and since the SELinux
1865  * controls are not based on the Linux identity attributes, SELinux does not
1866  * need to control this operation.  However, SELinux does control the use of
1867  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1868  */
1869 
1870 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1871 			   struct user_namespace *ns, int cap, int audit)
1872 {
1873 	int rc;
1874 
1875 	rc = cap_capable(tsk, cred, ns, cap, audit);
1876 	if (rc)
1877 		return rc;
1878 
1879 	return task_has_capability(tsk, cred, cap, audit);
1880 }
1881 
1882 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1883 {
1884 	const struct cred *cred = current_cred();
1885 	int rc = 0;
1886 
1887 	if (!sb)
1888 		return 0;
1889 
1890 	switch (cmds) {
1891 	case Q_SYNC:
1892 	case Q_QUOTAON:
1893 	case Q_QUOTAOFF:
1894 	case Q_SETINFO:
1895 	case Q_SETQUOTA:
1896 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1897 		break;
1898 	case Q_GETFMT:
1899 	case Q_GETINFO:
1900 	case Q_GETQUOTA:
1901 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1902 		break;
1903 	default:
1904 		rc = 0;  /* let the kernel handle invalid cmds */
1905 		break;
1906 	}
1907 	return rc;
1908 }
1909 
1910 static int selinux_quota_on(struct dentry *dentry)
1911 {
1912 	const struct cred *cred = current_cred();
1913 
1914 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1915 }
1916 
1917 static int selinux_syslog(int type)
1918 {
1919 	int rc;
1920 
1921 	switch (type) {
1922 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
1923 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
1924 		rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1925 		break;
1926 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
1927 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
1928 	/* Set level of messages printed to console */
1929 	case SYSLOG_ACTION_CONSOLE_LEVEL:
1930 		rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1931 		break;
1932 	case SYSLOG_ACTION_CLOSE:	/* Close log */
1933 	case SYSLOG_ACTION_OPEN:	/* Open log */
1934 	case SYSLOG_ACTION_READ:	/* Read from log */
1935 	case SYSLOG_ACTION_READ_CLEAR:	/* Read/clear last kernel messages */
1936 	case SYSLOG_ACTION_CLEAR:	/* Clear ring buffer */
1937 	default:
1938 		rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1939 		break;
1940 	}
1941 	return rc;
1942 }
1943 
1944 /*
1945  * Check that a process has enough memory to allocate a new virtual
1946  * mapping. 0 means there is enough memory for the allocation to
1947  * succeed and -ENOMEM implies there is not.
1948  *
1949  * Do not audit the selinux permission check, as this is applied to all
1950  * processes that allocate mappings.
1951  */
1952 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1953 {
1954 	int rc, cap_sys_admin = 0;
1955 
1956 	rc = selinux_capable(current, current_cred(),
1957 			     &init_user_ns, CAP_SYS_ADMIN,
1958 			     SECURITY_CAP_NOAUDIT);
1959 	if (rc == 0)
1960 		cap_sys_admin = 1;
1961 
1962 	return __vm_enough_memory(mm, pages, cap_sys_admin);
1963 }
1964 
1965 /* binprm security operations */
1966 
1967 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1968 {
1969 	const struct task_security_struct *old_tsec;
1970 	struct task_security_struct *new_tsec;
1971 	struct inode_security_struct *isec;
1972 	struct common_audit_data ad;
1973 	struct inode *inode = bprm->file->f_path.dentry->d_inode;
1974 	int rc;
1975 
1976 	rc = cap_bprm_set_creds(bprm);
1977 	if (rc)
1978 		return rc;
1979 
1980 	/* SELinux context only depends on initial program or script and not
1981 	 * the script interpreter */
1982 	if (bprm->cred_prepared)
1983 		return 0;
1984 
1985 	old_tsec = current_security();
1986 	new_tsec = bprm->cred->security;
1987 	isec = inode->i_security;
1988 
1989 	/* Default to the current task SID. */
1990 	new_tsec->sid = old_tsec->sid;
1991 	new_tsec->osid = old_tsec->sid;
1992 
1993 	/* Reset fs, key, and sock SIDs on execve. */
1994 	new_tsec->create_sid = 0;
1995 	new_tsec->keycreate_sid = 0;
1996 	new_tsec->sockcreate_sid = 0;
1997 
1998 	if (old_tsec->exec_sid) {
1999 		new_tsec->sid = old_tsec->exec_sid;
2000 		/* Reset exec SID on execve. */
2001 		new_tsec->exec_sid = 0;
2002 	} else {
2003 		/* Check for a default transition on this program. */
2004 		rc = security_transition_sid(old_tsec->sid, isec->sid,
2005 					     SECCLASS_PROCESS, NULL,
2006 					     &new_tsec->sid);
2007 		if (rc)
2008 			return rc;
2009 	}
2010 
2011 	COMMON_AUDIT_DATA_INIT(&ad, PATH);
2012 	ad.u.path = bprm->file->f_path;
2013 
2014 	if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2015 		new_tsec->sid = old_tsec->sid;
2016 
2017 	if (new_tsec->sid == old_tsec->sid) {
2018 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2019 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2020 		if (rc)
2021 			return rc;
2022 	} else {
2023 		/* Check permissions for the transition. */
2024 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2025 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2026 		if (rc)
2027 			return rc;
2028 
2029 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2030 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2031 		if (rc)
2032 			return rc;
2033 
2034 		/* Check for shared state */
2035 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2036 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2037 					  SECCLASS_PROCESS, PROCESS__SHARE,
2038 					  NULL);
2039 			if (rc)
2040 				return -EPERM;
2041 		}
2042 
2043 		/* Make sure that anyone attempting to ptrace over a task that
2044 		 * changes its SID has the appropriate permit */
2045 		if (bprm->unsafe &
2046 		    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2047 			struct task_struct *tracer;
2048 			struct task_security_struct *sec;
2049 			u32 ptsid = 0;
2050 
2051 			rcu_read_lock();
2052 			tracer = ptrace_parent(current);
2053 			if (likely(tracer != NULL)) {
2054 				sec = __task_cred(tracer)->security;
2055 				ptsid = sec->sid;
2056 			}
2057 			rcu_read_unlock();
2058 
2059 			if (ptsid != 0) {
2060 				rc = avc_has_perm(ptsid, new_tsec->sid,
2061 						  SECCLASS_PROCESS,
2062 						  PROCESS__PTRACE, NULL);
2063 				if (rc)
2064 					return -EPERM;
2065 			}
2066 		}
2067 
2068 		/* Clear any possibly unsafe personality bits on exec: */
2069 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2070 	}
2071 
2072 	return 0;
2073 }
2074 
2075 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2076 {
2077 	const struct task_security_struct *tsec = current_security();
2078 	u32 sid, osid;
2079 	int atsecure = 0;
2080 
2081 	sid = tsec->sid;
2082 	osid = tsec->osid;
2083 
2084 	if (osid != sid) {
2085 		/* Enable secure mode for SIDs transitions unless
2086 		   the noatsecure permission is granted between
2087 		   the two SIDs, i.e. ahp returns 0. */
2088 		atsecure = avc_has_perm(osid, sid,
2089 					SECCLASS_PROCESS,
2090 					PROCESS__NOATSECURE, NULL);
2091 	}
2092 
2093 	return (atsecure || cap_bprm_secureexec(bprm));
2094 }
2095 
2096 /* Derived from fs/exec.c:flush_old_files. */
2097 static inline void flush_unauthorized_files(const struct cred *cred,
2098 					    struct files_struct *files)
2099 {
2100 	struct common_audit_data ad;
2101 	struct file *file, *devnull = NULL;
2102 	struct tty_struct *tty;
2103 	struct fdtable *fdt;
2104 	long j = -1;
2105 	int drop_tty = 0;
2106 
2107 	tty = get_current_tty();
2108 	if (tty) {
2109 		spin_lock(&tty_files_lock);
2110 		if (!list_empty(&tty->tty_files)) {
2111 			struct tty_file_private *file_priv;
2112 			struct inode *inode;
2113 
2114 			/* Revalidate access to controlling tty.
2115 			   Use inode_has_perm on the tty inode directly rather
2116 			   than using file_has_perm, as this particular open
2117 			   file may belong to another process and we are only
2118 			   interested in the inode-based check here. */
2119 			file_priv = list_first_entry(&tty->tty_files,
2120 						struct tty_file_private, list);
2121 			file = file_priv->file;
2122 			inode = file->f_path.dentry->d_inode;
2123 			if (inode_has_perm_noadp(cred, inode,
2124 					   FILE__READ | FILE__WRITE, 0)) {
2125 				drop_tty = 1;
2126 			}
2127 		}
2128 		spin_unlock(&tty_files_lock);
2129 		tty_kref_put(tty);
2130 	}
2131 	/* Reset controlling tty. */
2132 	if (drop_tty)
2133 		no_tty();
2134 
2135 	/* Revalidate access to inherited open files. */
2136 
2137 	COMMON_AUDIT_DATA_INIT(&ad, INODE);
2138 
2139 	spin_lock(&files->file_lock);
2140 	for (;;) {
2141 		unsigned long set, i;
2142 		int fd;
2143 
2144 		j++;
2145 		i = j * __NFDBITS;
2146 		fdt = files_fdtable(files);
2147 		if (i >= fdt->max_fds)
2148 			break;
2149 		set = fdt->open_fds->fds_bits[j];
2150 		if (!set)
2151 			continue;
2152 		spin_unlock(&files->file_lock);
2153 		for ( ; set ; i++, set >>= 1) {
2154 			if (set & 1) {
2155 				file = fget(i);
2156 				if (!file)
2157 					continue;
2158 				if (file_has_perm(cred,
2159 						  file,
2160 						  file_to_av(file))) {
2161 					sys_close(i);
2162 					fd = get_unused_fd();
2163 					if (fd != i) {
2164 						if (fd >= 0)
2165 							put_unused_fd(fd);
2166 						fput(file);
2167 						continue;
2168 					}
2169 					if (devnull) {
2170 						get_file(devnull);
2171 					} else {
2172 						devnull = dentry_open(
2173 							dget(selinux_null),
2174 							mntget(selinuxfs_mount),
2175 							O_RDWR, cred);
2176 						if (IS_ERR(devnull)) {
2177 							devnull = NULL;
2178 							put_unused_fd(fd);
2179 							fput(file);
2180 							continue;
2181 						}
2182 					}
2183 					fd_install(fd, devnull);
2184 				}
2185 				fput(file);
2186 			}
2187 		}
2188 		spin_lock(&files->file_lock);
2189 
2190 	}
2191 	spin_unlock(&files->file_lock);
2192 }
2193 
2194 /*
2195  * Prepare a process for imminent new credential changes due to exec
2196  */
2197 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2198 {
2199 	struct task_security_struct *new_tsec;
2200 	struct rlimit *rlim, *initrlim;
2201 	int rc, i;
2202 
2203 	new_tsec = bprm->cred->security;
2204 	if (new_tsec->sid == new_tsec->osid)
2205 		return;
2206 
2207 	/* Close files for which the new task SID is not authorized. */
2208 	flush_unauthorized_files(bprm->cred, current->files);
2209 
2210 	/* Always clear parent death signal on SID transitions. */
2211 	current->pdeath_signal = 0;
2212 
2213 	/* Check whether the new SID can inherit resource limits from the old
2214 	 * SID.  If not, reset all soft limits to the lower of the current
2215 	 * task's hard limit and the init task's soft limit.
2216 	 *
2217 	 * Note that the setting of hard limits (even to lower them) can be
2218 	 * controlled by the setrlimit check.  The inclusion of the init task's
2219 	 * soft limit into the computation is to avoid resetting soft limits
2220 	 * higher than the default soft limit for cases where the default is
2221 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2222 	 */
2223 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2224 			  PROCESS__RLIMITINH, NULL);
2225 	if (rc) {
2226 		/* protect against do_prlimit() */
2227 		task_lock(current);
2228 		for (i = 0; i < RLIM_NLIMITS; i++) {
2229 			rlim = current->signal->rlim + i;
2230 			initrlim = init_task.signal->rlim + i;
2231 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2232 		}
2233 		task_unlock(current);
2234 		update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2235 	}
2236 }
2237 
2238 /*
2239  * Clean up the process immediately after the installation of new credentials
2240  * due to exec
2241  */
2242 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2243 {
2244 	const struct task_security_struct *tsec = current_security();
2245 	struct itimerval itimer;
2246 	u32 osid, sid;
2247 	int rc, i;
2248 
2249 	osid = tsec->osid;
2250 	sid = tsec->sid;
2251 
2252 	if (sid == osid)
2253 		return;
2254 
2255 	/* Check whether the new SID can inherit signal state from the old SID.
2256 	 * If not, clear itimers to avoid subsequent signal generation and
2257 	 * flush and unblock signals.
2258 	 *
2259 	 * This must occur _after_ the task SID has been updated so that any
2260 	 * kill done after the flush will be checked against the new SID.
2261 	 */
2262 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2263 	if (rc) {
2264 		memset(&itimer, 0, sizeof itimer);
2265 		for (i = 0; i < 3; i++)
2266 			do_setitimer(i, &itimer, NULL);
2267 		spin_lock_irq(&current->sighand->siglock);
2268 		if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2269 			__flush_signals(current);
2270 			flush_signal_handlers(current, 1);
2271 			sigemptyset(&current->blocked);
2272 		}
2273 		spin_unlock_irq(&current->sighand->siglock);
2274 	}
2275 
2276 	/* Wake up the parent if it is waiting so that it can recheck
2277 	 * wait permission to the new task SID. */
2278 	read_lock(&tasklist_lock);
2279 	__wake_up_parent(current, current->real_parent);
2280 	read_unlock(&tasklist_lock);
2281 }
2282 
2283 /* superblock security operations */
2284 
2285 static int selinux_sb_alloc_security(struct super_block *sb)
2286 {
2287 	return superblock_alloc_security(sb);
2288 }
2289 
2290 static void selinux_sb_free_security(struct super_block *sb)
2291 {
2292 	superblock_free_security(sb);
2293 }
2294 
2295 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2296 {
2297 	if (plen > olen)
2298 		return 0;
2299 
2300 	return !memcmp(prefix, option, plen);
2301 }
2302 
2303 static inline int selinux_option(char *option, int len)
2304 {
2305 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2306 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2307 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2308 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2309 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2310 }
2311 
2312 static inline void take_option(char **to, char *from, int *first, int len)
2313 {
2314 	if (!*first) {
2315 		**to = ',';
2316 		*to += 1;
2317 	} else
2318 		*first = 0;
2319 	memcpy(*to, from, len);
2320 	*to += len;
2321 }
2322 
2323 static inline void take_selinux_option(char **to, char *from, int *first,
2324 				       int len)
2325 {
2326 	int current_size = 0;
2327 
2328 	if (!*first) {
2329 		**to = '|';
2330 		*to += 1;
2331 	} else
2332 		*first = 0;
2333 
2334 	while (current_size < len) {
2335 		if (*from != '"') {
2336 			**to = *from;
2337 			*to += 1;
2338 		}
2339 		from += 1;
2340 		current_size += 1;
2341 	}
2342 }
2343 
2344 static int selinux_sb_copy_data(char *orig, char *copy)
2345 {
2346 	int fnosec, fsec, rc = 0;
2347 	char *in_save, *in_curr, *in_end;
2348 	char *sec_curr, *nosec_save, *nosec;
2349 	int open_quote = 0;
2350 
2351 	in_curr = orig;
2352 	sec_curr = copy;
2353 
2354 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2355 	if (!nosec) {
2356 		rc = -ENOMEM;
2357 		goto out;
2358 	}
2359 
2360 	nosec_save = nosec;
2361 	fnosec = fsec = 1;
2362 	in_save = in_end = orig;
2363 
2364 	do {
2365 		if (*in_end == '"')
2366 			open_quote = !open_quote;
2367 		if ((*in_end == ',' && open_quote == 0) ||
2368 				*in_end == '\0') {
2369 			int len = in_end - in_curr;
2370 
2371 			if (selinux_option(in_curr, len))
2372 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2373 			else
2374 				take_option(&nosec, in_curr, &fnosec, len);
2375 
2376 			in_curr = in_end + 1;
2377 		}
2378 	} while (*in_end++);
2379 
2380 	strcpy(in_save, nosec_save);
2381 	free_page((unsigned long)nosec_save);
2382 out:
2383 	return rc;
2384 }
2385 
2386 static int selinux_sb_remount(struct super_block *sb, void *data)
2387 {
2388 	int rc, i, *flags;
2389 	struct security_mnt_opts opts;
2390 	char *secdata, **mount_options;
2391 	struct superblock_security_struct *sbsec = sb->s_security;
2392 
2393 	if (!(sbsec->flags & SE_SBINITIALIZED))
2394 		return 0;
2395 
2396 	if (!data)
2397 		return 0;
2398 
2399 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2400 		return 0;
2401 
2402 	security_init_mnt_opts(&opts);
2403 	secdata = alloc_secdata();
2404 	if (!secdata)
2405 		return -ENOMEM;
2406 	rc = selinux_sb_copy_data(data, secdata);
2407 	if (rc)
2408 		goto out_free_secdata;
2409 
2410 	rc = selinux_parse_opts_str(secdata, &opts);
2411 	if (rc)
2412 		goto out_free_secdata;
2413 
2414 	mount_options = opts.mnt_opts;
2415 	flags = opts.mnt_opts_flags;
2416 
2417 	for (i = 0; i < opts.num_mnt_opts; i++) {
2418 		u32 sid;
2419 		size_t len;
2420 
2421 		if (flags[i] == SE_SBLABELSUPP)
2422 			continue;
2423 		len = strlen(mount_options[i]);
2424 		rc = security_context_to_sid(mount_options[i], len, &sid);
2425 		if (rc) {
2426 			printk(KERN_WARNING "SELinux: security_context_to_sid"
2427 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2428 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2429 			goto out_free_opts;
2430 		}
2431 		rc = -EINVAL;
2432 		switch (flags[i]) {
2433 		case FSCONTEXT_MNT:
2434 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2435 				goto out_bad_option;
2436 			break;
2437 		case CONTEXT_MNT:
2438 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2439 				goto out_bad_option;
2440 			break;
2441 		case ROOTCONTEXT_MNT: {
2442 			struct inode_security_struct *root_isec;
2443 			root_isec = sb->s_root->d_inode->i_security;
2444 
2445 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2446 				goto out_bad_option;
2447 			break;
2448 		}
2449 		case DEFCONTEXT_MNT:
2450 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2451 				goto out_bad_option;
2452 			break;
2453 		default:
2454 			goto out_free_opts;
2455 		}
2456 	}
2457 
2458 	rc = 0;
2459 out_free_opts:
2460 	security_free_mnt_opts(&opts);
2461 out_free_secdata:
2462 	free_secdata(secdata);
2463 	return rc;
2464 out_bad_option:
2465 	printk(KERN_WARNING "SELinux: unable to change security options "
2466 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2467 	       sb->s_type->name);
2468 	goto out_free_opts;
2469 }
2470 
2471 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2472 {
2473 	const struct cred *cred = current_cred();
2474 	struct common_audit_data ad;
2475 	int rc;
2476 
2477 	rc = superblock_doinit(sb, data);
2478 	if (rc)
2479 		return rc;
2480 
2481 	/* Allow all mounts performed by the kernel */
2482 	if (flags & MS_KERNMOUNT)
2483 		return 0;
2484 
2485 	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2486 	ad.u.dentry = sb->s_root;
2487 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2488 }
2489 
2490 static int selinux_sb_statfs(struct dentry *dentry)
2491 {
2492 	const struct cred *cred = current_cred();
2493 	struct common_audit_data ad;
2494 
2495 	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2496 	ad.u.dentry = dentry->d_sb->s_root;
2497 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2498 }
2499 
2500 static int selinux_mount(char *dev_name,
2501 			 struct path *path,
2502 			 char *type,
2503 			 unsigned long flags,
2504 			 void *data)
2505 {
2506 	const struct cred *cred = current_cred();
2507 
2508 	if (flags & MS_REMOUNT)
2509 		return superblock_has_perm(cred, path->mnt->mnt_sb,
2510 					   FILESYSTEM__REMOUNT, NULL);
2511 	else
2512 		return path_has_perm(cred, path, FILE__MOUNTON);
2513 }
2514 
2515 static int selinux_umount(struct vfsmount *mnt, int flags)
2516 {
2517 	const struct cred *cred = current_cred();
2518 
2519 	return superblock_has_perm(cred, mnt->mnt_sb,
2520 				   FILESYSTEM__UNMOUNT, NULL);
2521 }
2522 
2523 /* inode security operations */
2524 
2525 static int selinux_inode_alloc_security(struct inode *inode)
2526 {
2527 	return inode_alloc_security(inode);
2528 }
2529 
2530 static void selinux_inode_free_security(struct inode *inode)
2531 {
2532 	inode_free_security(inode);
2533 }
2534 
2535 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2536 				       const struct qstr *qstr, char **name,
2537 				       void **value, size_t *len)
2538 {
2539 	const struct task_security_struct *tsec = current_security();
2540 	struct inode_security_struct *dsec;
2541 	struct superblock_security_struct *sbsec;
2542 	u32 sid, newsid, clen;
2543 	int rc;
2544 	char *namep = NULL, *context;
2545 
2546 	dsec = dir->i_security;
2547 	sbsec = dir->i_sb->s_security;
2548 
2549 	sid = tsec->sid;
2550 	newsid = tsec->create_sid;
2551 
2552 	if ((sbsec->flags & SE_SBINITIALIZED) &&
2553 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2554 		newsid = sbsec->mntpoint_sid;
2555 	else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2556 		rc = security_transition_sid(sid, dsec->sid,
2557 					     inode_mode_to_security_class(inode->i_mode),
2558 					     qstr, &newsid);
2559 		if (rc) {
2560 			printk(KERN_WARNING "%s:  "
2561 			       "security_transition_sid failed, rc=%d (dev=%s "
2562 			       "ino=%ld)\n",
2563 			       __func__,
2564 			       -rc, inode->i_sb->s_id, inode->i_ino);
2565 			return rc;
2566 		}
2567 	}
2568 
2569 	/* Possibly defer initialization to selinux_complete_init. */
2570 	if (sbsec->flags & SE_SBINITIALIZED) {
2571 		struct inode_security_struct *isec = inode->i_security;
2572 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2573 		isec->sid = newsid;
2574 		isec->initialized = 1;
2575 	}
2576 
2577 	if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2578 		return -EOPNOTSUPP;
2579 
2580 	if (name) {
2581 		namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2582 		if (!namep)
2583 			return -ENOMEM;
2584 		*name = namep;
2585 	}
2586 
2587 	if (value && len) {
2588 		rc = security_sid_to_context_force(newsid, &context, &clen);
2589 		if (rc) {
2590 			kfree(namep);
2591 			return rc;
2592 		}
2593 		*value = context;
2594 		*len = clen;
2595 	}
2596 
2597 	return 0;
2598 }
2599 
2600 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2601 {
2602 	return may_create(dir, dentry, SECCLASS_FILE);
2603 }
2604 
2605 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2606 {
2607 	return may_link(dir, old_dentry, MAY_LINK);
2608 }
2609 
2610 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2611 {
2612 	return may_link(dir, dentry, MAY_UNLINK);
2613 }
2614 
2615 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2616 {
2617 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2618 }
2619 
2620 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2621 {
2622 	return may_create(dir, dentry, SECCLASS_DIR);
2623 }
2624 
2625 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2626 {
2627 	return may_link(dir, dentry, MAY_RMDIR);
2628 }
2629 
2630 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2631 {
2632 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2633 }
2634 
2635 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2636 				struct inode *new_inode, struct dentry *new_dentry)
2637 {
2638 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2639 }
2640 
2641 static int selinux_inode_readlink(struct dentry *dentry)
2642 {
2643 	const struct cred *cred = current_cred();
2644 
2645 	return dentry_has_perm(cred, dentry, FILE__READ);
2646 }
2647 
2648 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2649 {
2650 	const struct cred *cred = current_cred();
2651 
2652 	return dentry_has_perm(cred, dentry, FILE__READ);
2653 }
2654 
2655 static int selinux_inode_permission(struct inode *inode, int mask)
2656 {
2657 	const struct cred *cred = current_cred();
2658 	struct common_audit_data ad;
2659 	u32 perms;
2660 	bool from_access;
2661 	unsigned flags = mask & MAY_NOT_BLOCK;
2662 
2663 	from_access = mask & MAY_ACCESS;
2664 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2665 
2666 	/* No permission to check.  Existence test. */
2667 	if (!mask)
2668 		return 0;
2669 
2670 	COMMON_AUDIT_DATA_INIT(&ad, INODE);
2671 	ad.u.inode = inode;
2672 
2673 	if (from_access)
2674 		ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2675 
2676 	perms = file_mask_to_av(inode->i_mode, mask);
2677 
2678 	return inode_has_perm(cred, inode, perms, &ad, flags);
2679 }
2680 
2681 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2682 {
2683 	const struct cred *cred = current_cred();
2684 	unsigned int ia_valid = iattr->ia_valid;
2685 
2686 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2687 	if (ia_valid & ATTR_FORCE) {
2688 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2689 			      ATTR_FORCE);
2690 		if (!ia_valid)
2691 			return 0;
2692 	}
2693 
2694 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2695 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2696 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
2697 
2698 	return dentry_has_perm(cred, dentry, FILE__WRITE);
2699 }
2700 
2701 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2702 {
2703 	const struct cred *cred = current_cred();
2704 	struct path path;
2705 
2706 	path.dentry = dentry;
2707 	path.mnt = mnt;
2708 
2709 	return path_has_perm(cred, &path, FILE__GETATTR);
2710 }
2711 
2712 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2713 {
2714 	const struct cred *cred = current_cred();
2715 
2716 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
2717 		     sizeof XATTR_SECURITY_PREFIX - 1)) {
2718 		if (!strcmp(name, XATTR_NAME_CAPS)) {
2719 			if (!capable(CAP_SETFCAP))
2720 				return -EPERM;
2721 		} else if (!capable(CAP_SYS_ADMIN)) {
2722 			/* A different attribute in the security namespace.
2723 			   Restrict to administrator. */
2724 			return -EPERM;
2725 		}
2726 	}
2727 
2728 	/* Not an attribute we recognize, so just check the
2729 	   ordinary setattr permission. */
2730 	return dentry_has_perm(cred, dentry, FILE__SETATTR);
2731 }
2732 
2733 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2734 				  const void *value, size_t size, int flags)
2735 {
2736 	struct inode *inode = dentry->d_inode;
2737 	struct inode_security_struct *isec = inode->i_security;
2738 	struct superblock_security_struct *sbsec;
2739 	struct common_audit_data ad;
2740 	u32 newsid, sid = current_sid();
2741 	int rc = 0;
2742 
2743 	if (strcmp(name, XATTR_NAME_SELINUX))
2744 		return selinux_inode_setotherxattr(dentry, name);
2745 
2746 	sbsec = inode->i_sb->s_security;
2747 	if (!(sbsec->flags & SE_SBLABELSUPP))
2748 		return -EOPNOTSUPP;
2749 
2750 	if (!inode_owner_or_capable(inode))
2751 		return -EPERM;
2752 
2753 	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2754 	ad.u.dentry = dentry;
2755 
2756 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
2757 			  FILE__RELABELFROM, &ad);
2758 	if (rc)
2759 		return rc;
2760 
2761 	rc = security_context_to_sid(value, size, &newsid);
2762 	if (rc == -EINVAL) {
2763 		if (!capable(CAP_MAC_ADMIN))
2764 			return rc;
2765 		rc = security_context_to_sid_force(value, size, &newsid);
2766 	}
2767 	if (rc)
2768 		return rc;
2769 
2770 	rc = avc_has_perm(sid, newsid, isec->sclass,
2771 			  FILE__RELABELTO, &ad);
2772 	if (rc)
2773 		return rc;
2774 
2775 	rc = security_validate_transition(isec->sid, newsid, sid,
2776 					  isec->sclass);
2777 	if (rc)
2778 		return rc;
2779 
2780 	return avc_has_perm(newsid,
2781 			    sbsec->sid,
2782 			    SECCLASS_FILESYSTEM,
2783 			    FILESYSTEM__ASSOCIATE,
2784 			    &ad);
2785 }
2786 
2787 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2788 					const void *value, size_t size,
2789 					int flags)
2790 {
2791 	struct inode *inode = dentry->d_inode;
2792 	struct inode_security_struct *isec = inode->i_security;
2793 	u32 newsid;
2794 	int rc;
2795 
2796 	if (strcmp(name, XATTR_NAME_SELINUX)) {
2797 		/* Not an attribute we recognize, so nothing to do. */
2798 		return;
2799 	}
2800 
2801 	rc = security_context_to_sid_force(value, size, &newsid);
2802 	if (rc) {
2803 		printk(KERN_ERR "SELinux:  unable to map context to SID"
2804 		       "for (%s, %lu), rc=%d\n",
2805 		       inode->i_sb->s_id, inode->i_ino, -rc);
2806 		return;
2807 	}
2808 
2809 	isec->sid = newsid;
2810 	return;
2811 }
2812 
2813 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2814 {
2815 	const struct cred *cred = current_cred();
2816 
2817 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
2818 }
2819 
2820 static int selinux_inode_listxattr(struct dentry *dentry)
2821 {
2822 	const struct cred *cred = current_cred();
2823 
2824 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
2825 }
2826 
2827 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2828 {
2829 	if (strcmp(name, XATTR_NAME_SELINUX))
2830 		return selinux_inode_setotherxattr(dentry, name);
2831 
2832 	/* No one is allowed to remove a SELinux security label.
2833 	   You can change the label, but all data must be labeled. */
2834 	return -EACCES;
2835 }
2836 
2837 /*
2838  * Copy the inode security context value to the user.
2839  *
2840  * Permission check is handled by selinux_inode_getxattr hook.
2841  */
2842 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2843 {
2844 	u32 size;
2845 	int error;
2846 	char *context = NULL;
2847 	struct inode_security_struct *isec = inode->i_security;
2848 
2849 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
2850 		return -EOPNOTSUPP;
2851 
2852 	/*
2853 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
2854 	 * value even if it is not defined by current policy; otherwise,
2855 	 * use the in-core value under current policy.
2856 	 * Use the non-auditing forms of the permission checks since
2857 	 * getxattr may be called by unprivileged processes commonly
2858 	 * and lack of permission just means that we fall back to the
2859 	 * in-core context value, not a denial.
2860 	 */
2861 	error = selinux_capable(current, current_cred(),
2862 				&init_user_ns, CAP_MAC_ADMIN,
2863 				SECURITY_CAP_NOAUDIT);
2864 	if (!error)
2865 		error = security_sid_to_context_force(isec->sid, &context,
2866 						      &size);
2867 	else
2868 		error = security_sid_to_context(isec->sid, &context, &size);
2869 	if (error)
2870 		return error;
2871 	error = size;
2872 	if (alloc) {
2873 		*buffer = context;
2874 		goto out_nofree;
2875 	}
2876 	kfree(context);
2877 out_nofree:
2878 	return error;
2879 }
2880 
2881 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2882 				     const void *value, size_t size, int flags)
2883 {
2884 	struct inode_security_struct *isec = inode->i_security;
2885 	u32 newsid;
2886 	int rc;
2887 
2888 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
2889 		return -EOPNOTSUPP;
2890 
2891 	if (!value || !size)
2892 		return -EACCES;
2893 
2894 	rc = security_context_to_sid((void *)value, size, &newsid);
2895 	if (rc)
2896 		return rc;
2897 
2898 	isec->sid = newsid;
2899 	isec->initialized = 1;
2900 	return 0;
2901 }
2902 
2903 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2904 {
2905 	const int len = sizeof(XATTR_NAME_SELINUX);
2906 	if (buffer && len <= buffer_size)
2907 		memcpy(buffer, XATTR_NAME_SELINUX, len);
2908 	return len;
2909 }
2910 
2911 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2912 {
2913 	struct inode_security_struct *isec = inode->i_security;
2914 	*secid = isec->sid;
2915 }
2916 
2917 /* file security operations */
2918 
2919 static int selinux_revalidate_file_permission(struct file *file, int mask)
2920 {
2921 	const struct cred *cred = current_cred();
2922 	struct inode *inode = file->f_path.dentry->d_inode;
2923 
2924 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2925 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2926 		mask |= MAY_APPEND;
2927 
2928 	return file_has_perm(cred, file,
2929 			     file_mask_to_av(inode->i_mode, mask));
2930 }
2931 
2932 static int selinux_file_permission(struct file *file, int mask)
2933 {
2934 	struct inode *inode = file->f_path.dentry->d_inode;
2935 	struct file_security_struct *fsec = file->f_security;
2936 	struct inode_security_struct *isec = inode->i_security;
2937 	u32 sid = current_sid();
2938 
2939 	if (!mask)
2940 		/* No permission to check.  Existence test. */
2941 		return 0;
2942 
2943 	if (sid == fsec->sid && fsec->isid == isec->sid &&
2944 	    fsec->pseqno == avc_policy_seqno())
2945 		/* No change since dentry_open check. */
2946 		return 0;
2947 
2948 	return selinux_revalidate_file_permission(file, mask);
2949 }
2950 
2951 static int selinux_file_alloc_security(struct file *file)
2952 {
2953 	return file_alloc_security(file);
2954 }
2955 
2956 static void selinux_file_free_security(struct file *file)
2957 {
2958 	file_free_security(file);
2959 }
2960 
2961 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2962 			      unsigned long arg)
2963 {
2964 	const struct cred *cred = current_cred();
2965 	int error = 0;
2966 
2967 	switch (cmd) {
2968 	case FIONREAD:
2969 	/* fall through */
2970 	case FIBMAP:
2971 	/* fall through */
2972 	case FIGETBSZ:
2973 	/* fall through */
2974 	case EXT2_IOC_GETFLAGS:
2975 	/* fall through */
2976 	case EXT2_IOC_GETVERSION:
2977 		error = file_has_perm(cred, file, FILE__GETATTR);
2978 		break;
2979 
2980 	case EXT2_IOC_SETFLAGS:
2981 	/* fall through */
2982 	case EXT2_IOC_SETVERSION:
2983 		error = file_has_perm(cred, file, FILE__SETATTR);
2984 		break;
2985 
2986 	/* sys_ioctl() checks */
2987 	case FIONBIO:
2988 	/* fall through */
2989 	case FIOASYNC:
2990 		error = file_has_perm(cred, file, 0);
2991 		break;
2992 
2993 	case KDSKBENT:
2994 	case KDSKBSENT:
2995 		error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2996 					SECURITY_CAP_AUDIT);
2997 		break;
2998 
2999 	/* default case assumes that the command will go
3000 	 * to the file's ioctl() function.
3001 	 */
3002 	default:
3003 		error = file_has_perm(cred, file, FILE__IOCTL);
3004 	}
3005 	return error;
3006 }
3007 
3008 static int default_noexec;
3009 
3010 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3011 {
3012 	const struct cred *cred = current_cred();
3013 	int rc = 0;
3014 
3015 	if (default_noexec &&
3016 	    (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3017 		/*
3018 		 * We are making executable an anonymous mapping or a
3019 		 * private file mapping that will also be writable.
3020 		 * This has an additional check.
3021 		 */
3022 		rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3023 		if (rc)
3024 			goto error;
3025 	}
3026 
3027 	if (file) {
3028 		/* read access is always possible with a mapping */
3029 		u32 av = FILE__READ;
3030 
3031 		/* write access only matters if the mapping is shared */
3032 		if (shared && (prot & PROT_WRITE))
3033 			av |= FILE__WRITE;
3034 
3035 		if (prot & PROT_EXEC)
3036 			av |= FILE__EXECUTE;
3037 
3038 		return file_has_perm(cred, file, av);
3039 	}
3040 
3041 error:
3042 	return rc;
3043 }
3044 
3045 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3046 			     unsigned long prot, unsigned long flags,
3047 			     unsigned long addr, unsigned long addr_only)
3048 {
3049 	int rc = 0;
3050 	u32 sid = current_sid();
3051 
3052 	/*
3053 	 * notice that we are intentionally putting the SELinux check before
3054 	 * the secondary cap_file_mmap check.  This is such a likely attempt
3055 	 * at bad behaviour/exploit that we always want to get the AVC, even
3056 	 * if DAC would have also denied the operation.
3057 	 */
3058 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3059 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3060 				  MEMPROTECT__MMAP_ZERO, NULL);
3061 		if (rc)
3062 			return rc;
3063 	}
3064 
3065 	/* do DAC check on address space usage */
3066 	rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3067 	if (rc || addr_only)
3068 		return rc;
3069 
3070 	if (selinux_checkreqprot)
3071 		prot = reqprot;
3072 
3073 	return file_map_prot_check(file, prot,
3074 				   (flags & MAP_TYPE) == MAP_SHARED);
3075 }
3076 
3077 static int selinux_file_mprotect(struct vm_area_struct *vma,
3078 				 unsigned long reqprot,
3079 				 unsigned long prot)
3080 {
3081 	const struct cred *cred = current_cred();
3082 
3083 	if (selinux_checkreqprot)
3084 		prot = reqprot;
3085 
3086 	if (default_noexec &&
3087 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3088 		int rc = 0;
3089 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3090 		    vma->vm_end <= vma->vm_mm->brk) {
3091 			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3092 		} else if (!vma->vm_file &&
3093 			   vma->vm_start <= vma->vm_mm->start_stack &&
3094 			   vma->vm_end >= vma->vm_mm->start_stack) {
3095 			rc = current_has_perm(current, PROCESS__EXECSTACK);
3096 		} else if (vma->vm_file && vma->anon_vma) {
3097 			/*
3098 			 * We are making executable a file mapping that has
3099 			 * had some COW done. Since pages might have been
3100 			 * written, check ability to execute the possibly
3101 			 * modified content.  This typically should only
3102 			 * occur for text relocations.
3103 			 */
3104 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3105 		}
3106 		if (rc)
3107 			return rc;
3108 	}
3109 
3110 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3111 }
3112 
3113 static int selinux_file_lock(struct file *file, unsigned int cmd)
3114 {
3115 	const struct cred *cred = current_cred();
3116 
3117 	return file_has_perm(cred, file, FILE__LOCK);
3118 }
3119 
3120 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3121 			      unsigned long arg)
3122 {
3123 	const struct cred *cred = current_cred();
3124 	int err = 0;
3125 
3126 	switch (cmd) {
3127 	case F_SETFL:
3128 		if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3129 			err = -EINVAL;
3130 			break;
3131 		}
3132 
3133 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3134 			err = file_has_perm(cred, file, FILE__WRITE);
3135 			break;
3136 		}
3137 		/* fall through */
3138 	case F_SETOWN:
3139 	case F_SETSIG:
3140 	case F_GETFL:
3141 	case F_GETOWN:
3142 	case F_GETSIG:
3143 		/* Just check FD__USE permission */
3144 		err = file_has_perm(cred, file, 0);
3145 		break;
3146 	case F_GETLK:
3147 	case F_SETLK:
3148 	case F_SETLKW:
3149 #if BITS_PER_LONG == 32
3150 	case F_GETLK64:
3151 	case F_SETLK64:
3152 	case F_SETLKW64:
3153 #endif
3154 		if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3155 			err = -EINVAL;
3156 			break;
3157 		}
3158 		err = file_has_perm(cred, file, FILE__LOCK);
3159 		break;
3160 	}
3161 
3162 	return err;
3163 }
3164 
3165 static int selinux_file_set_fowner(struct file *file)
3166 {
3167 	struct file_security_struct *fsec;
3168 
3169 	fsec = file->f_security;
3170 	fsec->fown_sid = current_sid();
3171 
3172 	return 0;
3173 }
3174 
3175 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3176 				       struct fown_struct *fown, int signum)
3177 {
3178 	struct file *file;
3179 	u32 sid = task_sid(tsk);
3180 	u32 perm;
3181 	struct file_security_struct *fsec;
3182 
3183 	/* struct fown_struct is never outside the context of a struct file */
3184 	file = container_of(fown, struct file, f_owner);
3185 
3186 	fsec = file->f_security;
3187 
3188 	if (!signum)
3189 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3190 	else
3191 		perm = signal_to_av(signum);
3192 
3193 	return avc_has_perm(fsec->fown_sid, sid,
3194 			    SECCLASS_PROCESS, perm, NULL);
3195 }
3196 
3197 static int selinux_file_receive(struct file *file)
3198 {
3199 	const struct cred *cred = current_cred();
3200 
3201 	return file_has_perm(cred, file, file_to_av(file));
3202 }
3203 
3204 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3205 {
3206 	struct file_security_struct *fsec;
3207 	struct inode *inode;
3208 	struct inode_security_struct *isec;
3209 
3210 	inode = file->f_path.dentry->d_inode;
3211 	fsec = file->f_security;
3212 	isec = inode->i_security;
3213 	/*
3214 	 * Save inode label and policy sequence number
3215 	 * at open-time so that selinux_file_permission
3216 	 * can determine whether revalidation is necessary.
3217 	 * Task label is already saved in the file security
3218 	 * struct as its SID.
3219 	 */
3220 	fsec->isid = isec->sid;
3221 	fsec->pseqno = avc_policy_seqno();
3222 	/*
3223 	 * Since the inode label or policy seqno may have changed
3224 	 * between the selinux_inode_permission check and the saving
3225 	 * of state above, recheck that access is still permitted.
3226 	 * Otherwise, access might never be revalidated against the
3227 	 * new inode label or new policy.
3228 	 * This check is not redundant - do not remove.
3229 	 */
3230 	return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3231 }
3232 
3233 /* task security operations */
3234 
3235 static int selinux_task_create(unsigned long clone_flags)
3236 {
3237 	return current_has_perm(current, PROCESS__FORK);
3238 }
3239 
3240 /*
3241  * allocate the SELinux part of blank credentials
3242  */
3243 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3244 {
3245 	struct task_security_struct *tsec;
3246 
3247 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3248 	if (!tsec)
3249 		return -ENOMEM;
3250 
3251 	cred->security = tsec;
3252 	return 0;
3253 }
3254 
3255 /*
3256  * detach and free the LSM part of a set of credentials
3257  */
3258 static void selinux_cred_free(struct cred *cred)
3259 {
3260 	struct task_security_struct *tsec = cred->security;
3261 
3262 	/*
3263 	 * cred->security == NULL if security_cred_alloc_blank() or
3264 	 * security_prepare_creds() returned an error.
3265 	 */
3266 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3267 	cred->security = (void *) 0x7UL;
3268 	kfree(tsec);
3269 }
3270 
3271 /*
3272  * prepare a new set of credentials for modification
3273  */
3274 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3275 				gfp_t gfp)
3276 {
3277 	const struct task_security_struct *old_tsec;
3278 	struct task_security_struct *tsec;
3279 
3280 	old_tsec = old->security;
3281 
3282 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3283 	if (!tsec)
3284 		return -ENOMEM;
3285 
3286 	new->security = tsec;
3287 	return 0;
3288 }
3289 
3290 /*
3291  * transfer the SELinux data to a blank set of creds
3292  */
3293 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3294 {
3295 	const struct task_security_struct *old_tsec = old->security;
3296 	struct task_security_struct *tsec = new->security;
3297 
3298 	*tsec = *old_tsec;
3299 }
3300 
3301 /*
3302  * set the security data for a kernel service
3303  * - all the creation contexts are set to unlabelled
3304  */
3305 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3306 {
3307 	struct task_security_struct *tsec = new->security;
3308 	u32 sid = current_sid();
3309 	int ret;
3310 
3311 	ret = avc_has_perm(sid, secid,
3312 			   SECCLASS_KERNEL_SERVICE,
3313 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3314 			   NULL);
3315 	if (ret == 0) {
3316 		tsec->sid = secid;
3317 		tsec->create_sid = 0;
3318 		tsec->keycreate_sid = 0;
3319 		tsec->sockcreate_sid = 0;
3320 	}
3321 	return ret;
3322 }
3323 
3324 /*
3325  * set the file creation context in a security record to the same as the
3326  * objective context of the specified inode
3327  */
3328 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3329 {
3330 	struct inode_security_struct *isec = inode->i_security;
3331 	struct task_security_struct *tsec = new->security;
3332 	u32 sid = current_sid();
3333 	int ret;
3334 
3335 	ret = avc_has_perm(sid, isec->sid,
3336 			   SECCLASS_KERNEL_SERVICE,
3337 			   KERNEL_SERVICE__CREATE_FILES_AS,
3338 			   NULL);
3339 
3340 	if (ret == 0)
3341 		tsec->create_sid = isec->sid;
3342 	return ret;
3343 }
3344 
3345 static int selinux_kernel_module_request(char *kmod_name)
3346 {
3347 	u32 sid;
3348 	struct common_audit_data ad;
3349 
3350 	sid = task_sid(current);
3351 
3352 	COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3353 	ad.u.kmod_name = kmod_name;
3354 
3355 	return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3356 			    SYSTEM__MODULE_REQUEST, &ad);
3357 }
3358 
3359 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3360 {
3361 	return current_has_perm(p, PROCESS__SETPGID);
3362 }
3363 
3364 static int selinux_task_getpgid(struct task_struct *p)
3365 {
3366 	return current_has_perm(p, PROCESS__GETPGID);
3367 }
3368 
3369 static int selinux_task_getsid(struct task_struct *p)
3370 {
3371 	return current_has_perm(p, PROCESS__GETSESSION);
3372 }
3373 
3374 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3375 {
3376 	*secid = task_sid(p);
3377 }
3378 
3379 static int selinux_task_setnice(struct task_struct *p, int nice)
3380 {
3381 	int rc;
3382 
3383 	rc = cap_task_setnice(p, nice);
3384 	if (rc)
3385 		return rc;
3386 
3387 	return current_has_perm(p, PROCESS__SETSCHED);
3388 }
3389 
3390 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3391 {
3392 	int rc;
3393 
3394 	rc = cap_task_setioprio(p, ioprio);
3395 	if (rc)
3396 		return rc;
3397 
3398 	return current_has_perm(p, PROCESS__SETSCHED);
3399 }
3400 
3401 static int selinux_task_getioprio(struct task_struct *p)
3402 {
3403 	return current_has_perm(p, PROCESS__GETSCHED);
3404 }
3405 
3406 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3407 		struct rlimit *new_rlim)
3408 {
3409 	struct rlimit *old_rlim = p->signal->rlim + resource;
3410 
3411 	/* Control the ability to change the hard limit (whether
3412 	   lowering or raising it), so that the hard limit can
3413 	   later be used as a safe reset point for the soft limit
3414 	   upon context transitions.  See selinux_bprm_committing_creds. */
3415 	if (old_rlim->rlim_max != new_rlim->rlim_max)
3416 		return current_has_perm(p, PROCESS__SETRLIMIT);
3417 
3418 	return 0;
3419 }
3420 
3421 static int selinux_task_setscheduler(struct task_struct *p)
3422 {
3423 	int rc;
3424 
3425 	rc = cap_task_setscheduler(p);
3426 	if (rc)
3427 		return rc;
3428 
3429 	return current_has_perm(p, PROCESS__SETSCHED);
3430 }
3431 
3432 static int selinux_task_getscheduler(struct task_struct *p)
3433 {
3434 	return current_has_perm(p, PROCESS__GETSCHED);
3435 }
3436 
3437 static int selinux_task_movememory(struct task_struct *p)
3438 {
3439 	return current_has_perm(p, PROCESS__SETSCHED);
3440 }
3441 
3442 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3443 				int sig, u32 secid)
3444 {
3445 	u32 perm;
3446 	int rc;
3447 
3448 	if (!sig)
3449 		perm = PROCESS__SIGNULL; /* null signal; existence test */
3450 	else
3451 		perm = signal_to_av(sig);
3452 	if (secid)
3453 		rc = avc_has_perm(secid, task_sid(p),
3454 				  SECCLASS_PROCESS, perm, NULL);
3455 	else
3456 		rc = current_has_perm(p, perm);
3457 	return rc;
3458 }
3459 
3460 static int selinux_task_wait(struct task_struct *p)
3461 {
3462 	return task_has_perm(p, current, PROCESS__SIGCHLD);
3463 }
3464 
3465 static void selinux_task_to_inode(struct task_struct *p,
3466 				  struct inode *inode)
3467 {
3468 	struct inode_security_struct *isec = inode->i_security;
3469 	u32 sid = task_sid(p);
3470 
3471 	isec->sid = sid;
3472 	isec->initialized = 1;
3473 }
3474 
3475 /* Returns error only if unable to parse addresses */
3476 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3477 			struct common_audit_data *ad, u8 *proto)
3478 {
3479 	int offset, ihlen, ret = -EINVAL;
3480 	struct iphdr _iph, *ih;
3481 
3482 	offset = skb_network_offset(skb);
3483 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3484 	if (ih == NULL)
3485 		goto out;
3486 
3487 	ihlen = ih->ihl * 4;
3488 	if (ihlen < sizeof(_iph))
3489 		goto out;
3490 
3491 	ad->u.net.v4info.saddr = ih->saddr;
3492 	ad->u.net.v4info.daddr = ih->daddr;
3493 	ret = 0;
3494 
3495 	if (proto)
3496 		*proto = ih->protocol;
3497 
3498 	switch (ih->protocol) {
3499 	case IPPROTO_TCP: {
3500 		struct tcphdr _tcph, *th;
3501 
3502 		if (ntohs(ih->frag_off) & IP_OFFSET)
3503 			break;
3504 
3505 		offset += ihlen;
3506 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3507 		if (th == NULL)
3508 			break;
3509 
3510 		ad->u.net.sport = th->source;
3511 		ad->u.net.dport = th->dest;
3512 		break;
3513 	}
3514 
3515 	case IPPROTO_UDP: {
3516 		struct udphdr _udph, *uh;
3517 
3518 		if (ntohs(ih->frag_off) & IP_OFFSET)
3519 			break;
3520 
3521 		offset += ihlen;
3522 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3523 		if (uh == NULL)
3524 			break;
3525 
3526 		ad->u.net.sport = uh->source;
3527 		ad->u.net.dport = uh->dest;
3528 		break;
3529 	}
3530 
3531 	case IPPROTO_DCCP: {
3532 		struct dccp_hdr _dccph, *dh;
3533 
3534 		if (ntohs(ih->frag_off) & IP_OFFSET)
3535 			break;
3536 
3537 		offset += ihlen;
3538 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3539 		if (dh == NULL)
3540 			break;
3541 
3542 		ad->u.net.sport = dh->dccph_sport;
3543 		ad->u.net.dport = dh->dccph_dport;
3544 		break;
3545 	}
3546 
3547 	default:
3548 		break;
3549 	}
3550 out:
3551 	return ret;
3552 }
3553 
3554 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3555 
3556 /* Returns error only if unable to parse addresses */
3557 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3558 			struct common_audit_data *ad, u8 *proto)
3559 {
3560 	u8 nexthdr;
3561 	int ret = -EINVAL, offset;
3562 	struct ipv6hdr _ipv6h, *ip6;
3563 
3564 	offset = skb_network_offset(skb);
3565 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3566 	if (ip6 == NULL)
3567 		goto out;
3568 
3569 	ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3570 	ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3571 	ret = 0;
3572 
3573 	nexthdr = ip6->nexthdr;
3574 	offset += sizeof(_ipv6h);
3575 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3576 	if (offset < 0)
3577 		goto out;
3578 
3579 	if (proto)
3580 		*proto = nexthdr;
3581 
3582 	switch (nexthdr) {
3583 	case IPPROTO_TCP: {
3584 		struct tcphdr _tcph, *th;
3585 
3586 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3587 		if (th == NULL)
3588 			break;
3589 
3590 		ad->u.net.sport = th->source;
3591 		ad->u.net.dport = th->dest;
3592 		break;
3593 	}
3594 
3595 	case IPPROTO_UDP: {
3596 		struct udphdr _udph, *uh;
3597 
3598 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3599 		if (uh == NULL)
3600 			break;
3601 
3602 		ad->u.net.sport = uh->source;
3603 		ad->u.net.dport = uh->dest;
3604 		break;
3605 	}
3606 
3607 	case IPPROTO_DCCP: {
3608 		struct dccp_hdr _dccph, *dh;
3609 
3610 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3611 		if (dh == NULL)
3612 			break;
3613 
3614 		ad->u.net.sport = dh->dccph_sport;
3615 		ad->u.net.dport = dh->dccph_dport;
3616 		break;
3617 	}
3618 
3619 	/* includes fragments */
3620 	default:
3621 		break;
3622 	}
3623 out:
3624 	return ret;
3625 }
3626 
3627 #endif /* IPV6 */
3628 
3629 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3630 			     char **_addrp, int src, u8 *proto)
3631 {
3632 	char *addrp;
3633 	int ret;
3634 
3635 	switch (ad->u.net.family) {
3636 	case PF_INET:
3637 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
3638 		if (ret)
3639 			goto parse_error;
3640 		addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3641 				       &ad->u.net.v4info.daddr);
3642 		goto okay;
3643 
3644 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3645 	case PF_INET6:
3646 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
3647 		if (ret)
3648 			goto parse_error;
3649 		addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3650 				       &ad->u.net.v6info.daddr);
3651 		goto okay;
3652 #endif	/* IPV6 */
3653 	default:
3654 		addrp = NULL;
3655 		goto okay;
3656 	}
3657 
3658 parse_error:
3659 	printk(KERN_WARNING
3660 	       "SELinux: failure in selinux_parse_skb(),"
3661 	       " unable to parse packet\n");
3662 	return ret;
3663 
3664 okay:
3665 	if (_addrp)
3666 		*_addrp = addrp;
3667 	return 0;
3668 }
3669 
3670 /**
3671  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3672  * @skb: the packet
3673  * @family: protocol family
3674  * @sid: the packet's peer label SID
3675  *
3676  * Description:
3677  * Check the various different forms of network peer labeling and determine
3678  * the peer label/SID for the packet; most of the magic actually occurs in
3679  * the security server function security_net_peersid_cmp().  The function
3680  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3681  * or -EACCES if @sid is invalid due to inconsistencies with the different
3682  * peer labels.
3683  *
3684  */
3685 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3686 {
3687 	int err;
3688 	u32 xfrm_sid;
3689 	u32 nlbl_sid;
3690 	u32 nlbl_type;
3691 
3692 	selinux_skb_xfrm_sid(skb, &xfrm_sid);
3693 	selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3694 
3695 	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3696 	if (unlikely(err)) {
3697 		printk(KERN_WARNING
3698 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
3699 		       " unable to determine packet's peer label\n");
3700 		return -EACCES;
3701 	}
3702 
3703 	return 0;
3704 }
3705 
3706 /* socket security operations */
3707 
3708 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3709 				 u16 secclass, u32 *socksid)
3710 {
3711 	if (tsec->sockcreate_sid > SECSID_NULL) {
3712 		*socksid = tsec->sockcreate_sid;
3713 		return 0;
3714 	}
3715 
3716 	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3717 				       socksid);
3718 }
3719 
3720 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3721 {
3722 	struct sk_security_struct *sksec = sk->sk_security;
3723 	struct common_audit_data ad;
3724 	u32 tsid = task_sid(task);
3725 
3726 	if (sksec->sid == SECINITSID_KERNEL)
3727 		return 0;
3728 
3729 	COMMON_AUDIT_DATA_INIT(&ad, NET);
3730 	ad.u.net.sk = sk;
3731 
3732 	return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3733 }
3734 
3735 static int selinux_socket_create(int family, int type,
3736 				 int protocol, int kern)
3737 {
3738 	const struct task_security_struct *tsec = current_security();
3739 	u32 newsid;
3740 	u16 secclass;
3741 	int rc;
3742 
3743 	if (kern)
3744 		return 0;
3745 
3746 	secclass = socket_type_to_security_class(family, type, protocol);
3747 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3748 	if (rc)
3749 		return rc;
3750 
3751 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3752 }
3753 
3754 static int selinux_socket_post_create(struct socket *sock, int family,
3755 				      int type, int protocol, int kern)
3756 {
3757 	const struct task_security_struct *tsec = current_security();
3758 	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3759 	struct sk_security_struct *sksec;
3760 	int err = 0;
3761 
3762 	isec->sclass = socket_type_to_security_class(family, type, protocol);
3763 
3764 	if (kern)
3765 		isec->sid = SECINITSID_KERNEL;
3766 	else {
3767 		err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3768 		if (err)
3769 			return err;
3770 	}
3771 
3772 	isec->initialized = 1;
3773 
3774 	if (sock->sk) {
3775 		sksec = sock->sk->sk_security;
3776 		sksec->sid = isec->sid;
3777 		sksec->sclass = isec->sclass;
3778 		err = selinux_netlbl_socket_post_create(sock->sk, family);
3779 	}
3780 
3781 	return err;
3782 }
3783 
3784 /* Range of port numbers used to automatically bind.
3785    Need to determine whether we should perform a name_bind
3786    permission check between the socket and the port number. */
3787 
3788 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3789 {
3790 	struct sock *sk = sock->sk;
3791 	u16 family;
3792 	int err;
3793 
3794 	err = sock_has_perm(current, sk, SOCKET__BIND);
3795 	if (err)
3796 		goto out;
3797 
3798 	/*
3799 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
3800 	 * Multiple address binding for SCTP is not supported yet: we just
3801 	 * check the first address now.
3802 	 */
3803 	family = sk->sk_family;
3804 	if (family == PF_INET || family == PF_INET6) {
3805 		char *addrp;
3806 		struct sk_security_struct *sksec = sk->sk_security;
3807 		struct common_audit_data ad;
3808 		struct sockaddr_in *addr4 = NULL;
3809 		struct sockaddr_in6 *addr6 = NULL;
3810 		unsigned short snum;
3811 		u32 sid, node_perm;
3812 
3813 		if (family == PF_INET) {
3814 			addr4 = (struct sockaddr_in *)address;
3815 			snum = ntohs(addr4->sin_port);
3816 			addrp = (char *)&addr4->sin_addr.s_addr;
3817 		} else {
3818 			addr6 = (struct sockaddr_in6 *)address;
3819 			snum = ntohs(addr6->sin6_port);
3820 			addrp = (char *)&addr6->sin6_addr.s6_addr;
3821 		}
3822 
3823 		if (snum) {
3824 			int low, high;
3825 
3826 			inet_get_local_port_range(&low, &high);
3827 
3828 			if (snum < max(PROT_SOCK, low) || snum > high) {
3829 				err = sel_netport_sid(sk->sk_protocol,
3830 						      snum, &sid);
3831 				if (err)
3832 					goto out;
3833 				COMMON_AUDIT_DATA_INIT(&ad, NET);
3834 				ad.u.net.sport = htons(snum);
3835 				ad.u.net.family = family;
3836 				err = avc_has_perm(sksec->sid, sid,
3837 						   sksec->sclass,
3838 						   SOCKET__NAME_BIND, &ad);
3839 				if (err)
3840 					goto out;
3841 			}
3842 		}
3843 
3844 		switch (sksec->sclass) {
3845 		case SECCLASS_TCP_SOCKET:
3846 			node_perm = TCP_SOCKET__NODE_BIND;
3847 			break;
3848 
3849 		case SECCLASS_UDP_SOCKET:
3850 			node_perm = UDP_SOCKET__NODE_BIND;
3851 			break;
3852 
3853 		case SECCLASS_DCCP_SOCKET:
3854 			node_perm = DCCP_SOCKET__NODE_BIND;
3855 			break;
3856 
3857 		default:
3858 			node_perm = RAWIP_SOCKET__NODE_BIND;
3859 			break;
3860 		}
3861 
3862 		err = sel_netnode_sid(addrp, family, &sid);
3863 		if (err)
3864 			goto out;
3865 
3866 		COMMON_AUDIT_DATA_INIT(&ad, NET);
3867 		ad.u.net.sport = htons(snum);
3868 		ad.u.net.family = family;
3869 
3870 		if (family == PF_INET)
3871 			ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3872 		else
3873 			ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3874 
3875 		err = avc_has_perm(sksec->sid, sid,
3876 				   sksec->sclass, node_perm, &ad);
3877 		if (err)
3878 			goto out;
3879 	}
3880 out:
3881 	return err;
3882 }
3883 
3884 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3885 {
3886 	struct sock *sk = sock->sk;
3887 	struct sk_security_struct *sksec = sk->sk_security;
3888 	int err;
3889 
3890 	err = sock_has_perm(current, sk, SOCKET__CONNECT);
3891 	if (err)
3892 		return err;
3893 
3894 	/*
3895 	 * If a TCP or DCCP socket, check name_connect permission for the port.
3896 	 */
3897 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3898 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
3899 		struct common_audit_data ad;
3900 		struct sockaddr_in *addr4 = NULL;
3901 		struct sockaddr_in6 *addr6 = NULL;
3902 		unsigned short snum;
3903 		u32 sid, perm;
3904 
3905 		if (sk->sk_family == PF_INET) {
3906 			addr4 = (struct sockaddr_in *)address;
3907 			if (addrlen < sizeof(struct sockaddr_in))
3908 				return -EINVAL;
3909 			snum = ntohs(addr4->sin_port);
3910 		} else {
3911 			addr6 = (struct sockaddr_in6 *)address;
3912 			if (addrlen < SIN6_LEN_RFC2133)
3913 				return -EINVAL;
3914 			snum = ntohs(addr6->sin6_port);
3915 		}
3916 
3917 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3918 		if (err)
3919 			goto out;
3920 
3921 		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3922 		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3923 
3924 		COMMON_AUDIT_DATA_INIT(&ad, NET);
3925 		ad.u.net.dport = htons(snum);
3926 		ad.u.net.family = sk->sk_family;
3927 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3928 		if (err)
3929 			goto out;
3930 	}
3931 
3932 	err = selinux_netlbl_socket_connect(sk, address);
3933 
3934 out:
3935 	return err;
3936 }
3937 
3938 static int selinux_socket_listen(struct socket *sock, int backlog)
3939 {
3940 	return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3941 }
3942 
3943 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3944 {
3945 	int err;
3946 	struct inode_security_struct *isec;
3947 	struct inode_security_struct *newisec;
3948 
3949 	err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3950 	if (err)
3951 		return err;
3952 
3953 	newisec = SOCK_INODE(newsock)->i_security;
3954 
3955 	isec = SOCK_INODE(sock)->i_security;
3956 	newisec->sclass = isec->sclass;
3957 	newisec->sid = isec->sid;
3958 	newisec->initialized = 1;
3959 
3960 	return 0;
3961 }
3962 
3963 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3964 				  int size)
3965 {
3966 	return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3967 }
3968 
3969 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3970 				  int size, int flags)
3971 {
3972 	return sock_has_perm(current, sock->sk, SOCKET__READ);
3973 }
3974 
3975 static int selinux_socket_getsockname(struct socket *sock)
3976 {
3977 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3978 }
3979 
3980 static int selinux_socket_getpeername(struct socket *sock)
3981 {
3982 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3983 }
3984 
3985 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3986 {
3987 	int err;
3988 
3989 	err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3990 	if (err)
3991 		return err;
3992 
3993 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
3994 }
3995 
3996 static int selinux_socket_getsockopt(struct socket *sock, int level,
3997 				     int optname)
3998 {
3999 	return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4000 }
4001 
4002 static int selinux_socket_shutdown(struct socket *sock, int how)
4003 {
4004 	return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4005 }
4006 
4007 static int selinux_socket_unix_stream_connect(struct sock *sock,
4008 					      struct sock *other,
4009 					      struct sock *newsk)
4010 {
4011 	struct sk_security_struct *sksec_sock = sock->sk_security;
4012 	struct sk_security_struct *sksec_other = other->sk_security;
4013 	struct sk_security_struct *sksec_new = newsk->sk_security;
4014 	struct common_audit_data ad;
4015 	int err;
4016 
4017 	COMMON_AUDIT_DATA_INIT(&ad, NET);
4018 	ad.u.net.sk = other;
4019 
4020 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4021 			   sksec_other->sclass,
4022 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4023 	if (err)
4024 		return err;
4025 
4026 	/* server child socket */
4027 	sksec_new->peer_sid = sksec_sock->sid;
4028 	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4029 				    &sksec_new->sid);
4030 	if (err)
4031 		return err;
4032 
4033 	/* connecting socket */
4034 	sksec_sock->peer_sid = sksec_new->sid;
4035 
4036 	return 0;
4037 }
4038 
4039 static int selinux_socket_unix_may_send(struct socket *sock,
4040 					struct socket *other)
4041 {
4042 	struct sk_security_struct *ssec = sock->sk->sk_security;
4043 	struct sk_security_struct *osec = other->sk->sk_security;
4044 	struct common_audit_data ad;
4045 
4046 	COMMON_AUDIT_DATA_INIT(&ad, NET);
4047 	ad.u.net.sk = other->sk;
4048 
4049 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4050 			    &ad);
4051 }
4052 
4053 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4054 				    u32 peer_sid,
4055 				    struct common_audit_data *ad)
4056 {
4057 	int err;
4058 	u32 if_sid;
4059 	u32 node_sid;
4060 
4061 	err = sel_netif_sid(ifindex, &if_sid);
4062 	if (err)
4063 		return err;
4064 	err = avc_has_perm(peer_sid, if_sid,
4065 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4066 	if (err)
4067 		return err;
4068 
4069 	err = sel_netnode_sid(addrp, family, &node_sid);
4070 	if (err)
4071 		return err;
4072 	return avc_has_perm(peer_sid, node_sid,
4073 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4074 }
4075 
4076 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4077 				       u16 family)
4078 {
4079 	int err = 0;
4080 	struct sk_security_struct *sksec = sk->sk_security;
4081 	u32 sk_sid = sksec->sid;
4082 	struct common_audit_data ad;
4083 	char *addrp;
4084 
4085 	COMMON_AUDIT_DATA_INIT(&ad, NET);
4086 	ad.u.net.netif = skb->skb_iif;
4087 	ad.u.net.family = family;
4088 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4089 	if (err)
4090 		return err;
4091 
4092 	if (selinux_secmark_enabled()) {
4093 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4094 				   PACKET__RECV, &ad);
4095 		if (err)
4096 			return err;
4097 	}
4098 
4099 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4100 	if (err)
4101 		return err;
4102 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4103 
4104 	return err;
4105 }
4106 
4107 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4108 {
4109 	int err;
4110 	struct sk_security_struct *sksec = sk->sk_security;
4111 	u16 family = sk->sk_family;
4112 	u32 sk_sid = sksec->sid;
4113 	struct common_audit_data ad;
4114 	char *addrp;
4115 	u8 secmark_active;
4116 	u8 peerlbl_active;
4117 
4118 	if (family != PF_INET && family != PF_INET6)
4119 		return 0;
4120 
4121 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4122 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4123 		family = PF_INET;
4124 
4125 	/* If any sort of compatibility mode is enabled then handoff processing
4126 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4127 	 * special handling.  We do this in an attempt to keep this function
4128 	 * as fast and as clean as possible. */
4129 	if (!selinux_policycap_netpeer)
4130 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4131 
4132 	secmark_active = selinux_secmark_enabled();
4133 	peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4134 	if (!secmark_active && !peerlbl_active)
4135 		return 0;
4136 
4137 	COMMON_AUDIT_DATA_INIT(&ad, NET);
4138 	ad.u.net.netif = skb->skb_iif;
4139 	ad.u.net.family = family;
4140 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4141 	if (err)
4142 		return err;
4143 
4144 	if (peerlbl_active) {
4145 		u32 peer_sid;
4146 
4147 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4148 		if (err)
4149 			return err;
4150 		err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4151 					       peer_sid, &ad);
4152 		if (err) {
4153 			selinux_netlbl_err(skb, err, 0);
4154 			return err;
4155 		}
4156 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4157 				   PEER__RECV, &ad);
4158 		if (err)
4159 			selinux_netlbl_err(skb, err, 0);
4160 	}
4161 
4162 	if (secmark_active) {
4163 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4164 				   PACKET__RECV, &ad);
4165 		if (err)
4166 			return err;
4167 	}
4168 
4169 	return err;
4170 }
4171 
4172 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4173 					    int __user *optlen, unsigned len)
4174 {
4175 	int err = 0;
4176 	char *scontext;
4177 	u32 scontext_len;
4178 	struct sk_security_struct *sksec = sock->sk->sk_security;
4179 	u32 peer_sid = SECSID_NULL;
4180 
4181 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4182 	    sksec->sclass == SECCLASS_TCP_SOCKET)
4183 		peer_sid = sksec->peer_sid;
4184 	if (peer_sid == SECSID_NULL)
4185 		return -ENOPROTOOPT;
4186 
4187 	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4188 	if (err)
4189 		return err;
4190 
4191 	if (scontext_len > len) {
4192 		err = -ERANGE;
4193 		goto out_len;
4194 	}
4195 
4196 	if (copy_to_user(optval, scontext, scontext_len))
4197 		err = -EFAULT;
4198 
4199 out_len:
4200 	if (put_user(scontext_len, optlen))
4201 		err = -EFAULT;
4202 	kfree(scontext);
4203 	return err;
4204 }
4205 
4206 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4207 {
4208 	u32 peer_secid = SECSID_NULL;
4209 	u16 family;
4210 
4211 	if (skb && skb->protocol == htons(ETH_P_IP))
4212 		family = PF_INET;
4213 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4214 		family = PF_INET6;
4215 	else if (sock)
4216 		family = sock->sk->sk_family;
4217 	else
4218 		goto out;
4219 
4220 	if (sock && family == PF_UNIX)
4221 		selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4222 	else if (skb)
4223 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4224 
4225 out:
4226 	*secid = peer_secid;
4227 	if (peer_secid == SECSID_NULL)
4228 		return -EINVAL;
4229 	return 0;
4230 }
4231 
4232 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4233 {
4234 	struct sk_security_struct *sksec;
4235 
4236 	sksec = kzalloc(sizeof(*sksec), priority);
4237 	if (!sksec)
4238 		return -ENOMEM;
4239 
4240 	sksec->peer_sid = SECINITSID_UNLABELED;
4241 	sksec->sid = SECINITSID_UNLABELED;
4242 	selinux_netlbl_sk_security_reset(sksec);
4243 	sk->sk_security = sksec;
4244 
4245 	return 0;
4246 }
4247 
4248 static void selinux_sk_free_security(struct sock *sk)
4249 {
4250 	struct sk_security_struct *sksec = sk->sk_security;
4251 
4252 	sk->sk_security = NULL;
4253 	selinux_netlbl_sk_security_free(sksec);
4254 	kfree(sksec);
4255 }
4256 
4257 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4258 {
4259 	struct sk_security_struct *sksec = sk->sk_security;
4260 	struct sk_security_struct *newsksec = newsk->sk_security;
4261 
4262 	newsksec->sid = sksec->sid;
4263 	newsksec->peer_sid = sksec->peer_sid;
4264 	newsksec->sclass = sksec->sclass;
4265 
4266 	selinux_netlbl_sk_security_reset(newsksec);
4267 }
4268 
4269 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4270 {
4271 	if (!sk)
4272 		*secid = SECINITSID_ANY_SOCKET;
4273 	else {
4274 		struct sk_security_struct *sksec = sk->sk_security;
4275 
4276 		*secid = sksec->sid;
4277 	}
4278 }
4279 
4280 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4281 {
4282 	struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4283 	struct sk_security_struct *sksec = sk->sk_security;
4284 
4285 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4286 	    sk->sk_family == PF_UNIX)
4287 		isec->sid = sksec->sid;
4288 	sksec->sclass = isec->sclass;
4289 }
4290 
4291 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4292 				     struct request_sock *req)
4293 {
4294 	struct sk_security_struct *sksec = sk->sk_security;
4295 	int err;
4296 	u16 family = sk->sk_family;
4297 	u32 newsid;
4298 	u32 peersid;
4299 
4300 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4301 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4302 		family = PF_INET;
4303 
4304 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4305 	if (err)
4306 		return err;
4307 	if (peersid == SECSID_NULL) {
4308 		req->secid = sksec->sid;
4309 		req->peer_secid = SECSID_NULL;
4310 	} else {
4311 		err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4312 		if (err)
4313 			return err;
4314 		req->secid = newsid;
4315 		req->peer_secid = peersid;
4316 	}
4317 
4318 	return selinux_netlbl_inet_conn_request(req, family);
4319 }
4320 
4321 static void selinux_inet_csk_clone(struct sock *newsk,
4322 				   const struct request_sock *req)
4323 {
4324 	struct sk_security_struct *newsksec = newsk->sk_security;
4325 
4326 	newsksec->sid = req->secid;
4327 	newsksec->peer_sid = req->peer_secid;
4328 	/* NOTE: Ideally, we should also get the isec->sid for the
4329 	   new socket in sync, but we don't have the isec available yet.
4330 	   So we will wait until sock_graft to do it, by which
4331 	   time it will have been created and available. */
4332 
4333 	/* We don't need to take any sort of lock here as we are the only
4334 	 * thread with access to newsksec */
4335 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4336 }
4337 
4338 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4339 {
4340 	u16 family = sk->sk_family;
4341 	struct sk_security_struct *sksec = sk->sk_security;
4342 
4343 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4344 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4345 		family = PF_INET;
4346 
4347 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4348 }
4349 
4350 static int selinux_secmark_relabel_packet(u32 sid)
4351 {
4352 	const struct task_security_struct *__tsec;
4353 	u32 tsid;
4354 
4355 	__tsec = current_security();
4356 	tsid = __tsec->sid;
4357 
4358 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4359 }
4360 
4361 static void selinux_secmark_refcount_inc(void)
4362 {
4363 	atomic_inc(&selinux_secmark_refcount);
4364 }
4365 
4366 static void selinux_secmark_refcount_dec(void)
4367 {
4368 	atomic_dec(&selinux_secmark_refcount);
4369 }
4370 
4371 static void selinux_req_classify_flow(const struct request_sock *req,
4372 				      struct flowi *fl)
4373 {
4374 	fl->flowi_secid = req->secid;
4375 }
4376 
4377 static int selinux_tun_dev_create(void)
4378 {
4379 	u32 sid = current_sid();
4380 
4381 	/* we aren't taking into account the "sockcreate" SID since the socket
4382 	 * that is being created here is not a socket in the traditional sense,
4383 	 * instead it is a private sock, accessible only to the kernel, and
4384 	 * representing a wide range of network traffic spanning multiple
4385 	 * connections unlike traditional sockets - check the TUN driver to
4386 	 * get a better understanding of why this socket is special */
4387 
4388 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4389 			    NULL);
4390 }
4391 
4392 static void selinux_tun_dev_post_create(struct sock *sk)
4393 {
4394 	struct sk_security_struct *sksec = sk->sk_security;
4395 
4396 	/* we don't currently perform any NetLabel based labeling here and it
4397 	 * isn't clear that we would want to do so anyway; while we could apply
4398 	 * labeling without the support of the TUN user the resulting labeled
4399 	 * traffic from the other end of the connection would almost certainly
4400 	 * cause confusion to the TUN user that had no idea network labeling
4401 	 * protocols were being used */
4402 
4403 	/* see the comments in selinux_tun_dev_create() about why we don't use
4404 	 * the sockcreate SID here */
4405 
4406 	sksec->sid = current_sid();
4407 	sksec->sclass = SECCLASS_TUN_SOCKET;
4408 }
4409 
4410 static int selinux_tun_dev_attach(struct sock *sk)
4411 {
4412 	struct sk_security_struct *sksec = sk->sk_security;
4413 	u32 sid = current_sid();
4414 	int err;
4415 
4416 	err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4417 			   TUN_SOCKET__RELABELFROM, NULL);
4418 	if (err)
4419 		return err;
4420 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4421 			   TUN_SOCKET__RELABELTO, NULL);
4422 	if (err)
4423 		return err;
4424 
4425 	sksec->sid = sid;
4426 
4427 	return 0;
4428 }
4429 
4430 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4431 {
4432 	int err = 0;
4433 	u32 perm;
4434 	struct nlmsghdr *nlh;
4435 	struct sk_security_struct *sksec = sk->sk_security;
4436 
4437 	if (skb->len < NLMSG_SPACE(0)) {
4438 		err = -EINVAL;
4439 		goto out;
4440 	}
4441 	nlh = nlmsg_hdr(skb);
4442 
4443 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4444 	if (err) {
4445 		if (err == -EINVAL) {
4446 			audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4447 				  "SELinux:  unrecognized netlink message"
4448 				  " type=%hu for sclass=%hu\n",
4449 				  nlh->nlmsg_type, sksec->sclass);
4450 			if (!selinux_enforcing || security_get_allow_unknown())
4451 				err = 0;
4452 		}
4453 
4454 		/* Ignore */
4455 		if (err == -ENOENT)
4456 			err = 0;
4457 		goto out;
4458 	}
4459 
4460 	err = sock_has_perm(current, sk, perm);
4461 out:
4462 	return err;
4463 }
4464 
4465 #ifdef CONFIG_NETFILTER
4466 
4467 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4468 				       u16 family)
4469 {
4470 	int err;
4471 	char *addrp;
4472 	u32 peer_sid;
4473 	struct common_audit_data ad;
4474 	u8 secmark_active;
4475 	u8 netlbl_active;
4476 	u8 peerlbl_active;
4477 
4478 	if (!selinux_policycap_netpeer)
4479 		return NF_ACCEPT;
4480 
4481 	secmark_active = selinux_secmark_enabled();
4482 	netlbl_active = netlbl_enabled();
4483 	peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4484 	if (!secmark_active && !peerlbl_active)
4485 		return NF_ACCEPT;
4486 
4487 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4488 		return NF_DROP;
4489 
4490 	COMMON_AUDIT_DATA_INIT(&ad, NET);
4491 	ad.u.net.netif = ifindex;
4492 	ad.u.net.family = family;
4493 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4494 		return NF_DROP;
4495 
4496 	if (peerlbl_active) {
4497 		err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4498 					       peer_sid, &ad);
4499 		if (err) {
4500 			selinux_netlbl_err(skb, err, 1);
4501 			return NF_DROP;
4502 		}
4503 	}
4504 
4505 	if (secmark_active)
4506 		if (avc_has_perm(peer_sid, skb->secmark,
4507 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4508 			return NF_DROP;
4509 
4510 	if (netlbl_active)
4511 		/* we do this in the FORWARD path and not the POST_ROUTING
4512 		 * path because we want to make sure we apply the necessary
4513 		 * labeling before IPsec is applied so we can leverage AH
4514 		 * protection */
4515 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4516 			return NF_DROP;
4517 
4518 	return NF_ACCEPT;
4519 }
4520 
4521 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4522 					 struct sk_buff *skb,
4523 					 const struct net_device *in,
4524 					 const struct net_device *out,
4525 					 int (*okfn)(struct sk_buff *))
4526 {
4527 	return selinux_ip_forward(skb, in->ifindex, PF_INET);
4528 }
4529 
4530 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4531 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4532 					 struct sk_buff *skb,
4533 					 const struct net_device *in,
4534 					 const struct net_device *out,
4535 					 int (*okfn)(struct sk_buff *))
4536 {
4537 	return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4538 }
4539 #endif	/* IPV6 */
4540 
4541 static unsigned int selinux_ip_output(struct sk_buff *skb,
4542 				      u16 family)
4543 {
4544 	u32 sid;
4545 
4546 	if (!netlbl_enabled())
4547 		return NF_ACCEPT;
4548 
4549 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4550 	 * because we want to make sure we apply the necessary labeling
4551 	 * before IPsec is applied so we can leverage AH protection */
4552 	if (skb->sk) {
4553 		struct sk_security_struct *sksec = skb->sk->sk_security;
4554 		sid = sksec->sid;
4555 	} else
4556 		sid = SECINITSID_KERNEL;
4557 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4558 		return NF_DROP;
4559 
4560 	return NF_ACCEPT;
4561 }
4562 
4563 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4564 					struct sk_buff *skb,
4565 					const struct net_device *in,
4566 					const struct net_device *out,
4567 					int (*okfn)(struct sk_buff *))
4568 {
4569 	return selinux_ip_output(skb, PF_INET);
4570 }
4571 
4572 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4573 						int ifindex,
4574 						u16 family)
4575 {
4576 	struct sock *sk = skb->sk;
4577 	struct sk_security_struct *sksec;
4578 	struct common_audit_data ad;
4579 	char *addrp;
4580 	u8 proto;
4581 
4582 	if (sk == NULL)
4583 		return NF_ACCEPT;
4584 	sksec = sk->sk_security;
4585 
4586 	COMMON_AUDIT_DATA_INIT(&ad, NET);
4587 	ad.u.net.netif = ifindex;
4588 	ad.u.net.family = family;
4589 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4590 		return NF_DROP;
4591 
4592 	if (selinux_secmark_enabled())
4593 		if (avc_has_perm(sksec->sid, skb->secmark,
4594 				 SECCLASS_PACKET, PACKET__SEND, &ad))
4595 			return NF_DROP_ERR(-ECONNREFUSED);
4596 
4597 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4598 		return NF_DROP_ERR(-ECONNREFUSED);
4599 
4600 	return NF_ACCEPT;
4601 }
4602 
4603 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4604 					 u16 family)
4605 {
4606 	u32 secmark_perm;
4607 	u32 peer_sid;
4608 	struct sock *sk;
4609 	struct common_audit_data ad;
4610 	char *addrp;
4611 	u8 secmark_active;
4612 	u8 peerlbl_active;
4613 
4614 	/* If any sort of compatibility mode is enabled then handoff processing
4615 	 * to the selinux_ip_postroute_compat() function to deal with the
4616 	 * special handling.  We do this in an attempt to keep this function
4617 	 * as fast and as clean as possible. */
4618 	if (!selinux_policycap_netpeer)
4619 		return selinux_ip_postroute_compat(skb, ifindex, family);
4620 #ifdef CONFIG_XFRM
4621 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4622 	 * packet transformation so allow the packet to pass without any checks
4623 	 * since we'll have another chance to perform access control checks
4624 	 * when the packet is on it's final way out.
4625 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4626 	 *       is NULL, in this case go ahead and apply access control. */
4627 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4628 		return NF_ACCEPT;
4629 #endif
4630 	secmark_active = selinux_secmark_enabled();
4631 	peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4632 	if (!secmark_active && !peerlbl_active)
4633 		return NF_ACCEPT;
4634 
4635 	/* if the packet is being forwarded then get the peer label from the
4636 	 * packet itself; otherwise check to see if it is from a local
4637 	 * application or the kernel, if from an application get the peer label
4638 	 * from the sending socket, otherwise use the kernel's sid */
4639 	sk = skb->sk;
4640 	if (sk == NULL) {
4641 		if (skb->skb_iif) {
4642 			secmark_perm = PACKET__FORWARD_OUT;
4643 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4644 				return NF_DROP;
4645 		} else {
4646 			secmark_perm = PACKET__SEND;
4647 			peer_sid = SECINITSID_KERNEL;
4648 		}
4649 	} else {
4650 		struct sk_security_struct *sksec = sk->sk_security;
4651 		peer_sid = sksec->sid;
4652 		secmark_perm = PACKET__SEND;
4653 	}
4654 
4655 	COMMON_AUDIT_DATA_INIT(&ad, NET);
4656 	ad.u.net.netif = ifindex;
4657 	ad.u.net.family = family;
4658 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4659 		return NF_DROP;
4660 
4661 	if (secmark_active)
4662 		if (avc_has_perm(peer_sid, skb->secmark,
4663 				 SECCLASS_PACKET, secmark_perm, &ad))
4664 			return NF_DROP_ERR(-ECONNREFUSED);
4665 
4666 	if (peerlbl_active) {
4667 		u32 if_sid;
4668 		u32 node_sid;
4669 
4670 		if (sel_netif_sid(ifindex, &if_sid))
4671 			return NF_DROP;
4672 		if (avc_has_perm(peer_sid, if_sid,
4673 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4674 			return NF_DROP_ERR(-ECONNREFUSED);
4675 
4676 		if (sel_netnode_sid(addrp, family, &node_sid))
4677 			return NF_DROP;
4678 		if (avc_has_perm(peer_sid, node_sid,
4679 				 SECCLASS_NODE, NODE__SENDTO, &ad))
4680 			return NF_DROP_ERR(-ECONNREFUSED);
4681 	}
4682 
4683 	return NF_ACCEPT;
4684 }
4685 
4686 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4687 					   struct sk_buff *skb,
4688 					   const struct net_device *in,
4689 					   const struct net_device *out,
4690 					   int (*okfn)(struct sk_buff *))
4691 {
4692 	return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4693 }
4694 
4695 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4696 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4697 					   struct sk_buff *skb,
4698 					   const struct net_device *in,
4699 					   const struct net_device *out,
4700 					   int (*okfn)(struct sk_buff *))
4701 {
4702 	return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4703 }
4704 #endif	/* IPV6 */
4705 
4706 #endif	/* CONFIG_NETFILTER */
4707 
4708 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4709 {
4710 	int err;
4711 
4712 	err = cap_netlink_send(sk, skb);
4713 	if (err)
4714 		return err;
4715 
4716 	return selinux_nlmsg_perm(sk, skb);
4717 }
4718 
4719 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4720 {
4721 	int err;
4722 	struct common_audit_data ad;
4723 	u32 sid;
4724 
4725 	err = cap_netlink_recv(skb, capability);
4726 	if (err)
4727 		return err;
4728 
4729 	COMMON_AUDIT_DATA_INIT(&ad, CAP);
4730 	ad.u.cap = capability;
4731 
4732 	security_task_getsecid(current, &sid);
4733 	return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4734 			    CAP_TO_MASK(capability), &ad);
4735 }
4736 
4737 static int ipc_alloc_security(struct task_struct *task,
4738 			      struct kern_ipc_perm *perm,
4739 			      u16 sclass)
4740 {
4741 	struct ipc_security_struct *isec;
4742 	u32 sid;
4743 
4744 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4745 	if (!isec)
4746 		return -ENOMEM;
4747 
4748 	sid = task_sid(task);
4749 	isec->sclass = sclass;
4750 	isec->sid = sid;
4751 	perm->security = isec;
4752 
4753 	return 0;
4754 }
4755 
4756 static void ipc_free_security(struct kern_ipc_perm *perm)
4757 {
4758 	struct ipc_security_struct *isec = perm->security;
4759 	perm->security = NULL;
4760 	kfree(isec);
4761 }
4762 
4763 static int msg_msg_alloc_security(struct msg_msg *msg)
4764 {
4765 	struct msg_security_struct *msec;
4766 
4767 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4768 	if (!msec)
4769 		return -ENOMEM;
4770 
4771 	msec->sid = SECINITSID_UNLABELED;
4772 	msg->security = msec;
4773 
4774 	return 0;
4775 }
4776 
4777 static void msg_msg_free_security(struct msg_msg *msg)
4778 {
4779 	struct msg_security_struct *msec = msg->security;
4780 
4781 	msg->security = NULL;
4782 	kfree(msec);
4783 }
4784 
4785 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4786 			u32 perms)
4787 {
4788 	struct ipc_security_struct *isec;
4789 	struct common_audit_data ad;
4790 	u32 sid = current_sid();
4791 
4792 	isec = ipc_perms->security;
4793 
4794 	COMMON_AUDIT_DATA_INIT(&ad, IPC);
4795 	ad.u.ipc_id = ipc_perms->key;
4796 
4797 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4798 }
4799 
4800 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4801 {
4802 	return msg_msg_alloc_security(msg);
4803 }
4804 
4805 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4806 {
4807 	msg_msg_free_security(msg);
4808 }
4809 
4810 /* message queue security operations */
4811 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4812 {
4813 	struct ipc_security_struct *isec;
4814 	struct common_audit_data ad;
4815 	u32 sid = current_sid();
4816 	int rc;
4817 
4818 	rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4819 	if (rc)
4820 		return rc;
4821 
4822 	isec = msq->q_perm.security;
4823 
4824 	COMMON_AUDIT_DATA_INIT(&ad, IPC);
4825 	ad.u.ipc_id = msq->q_perm.key;
4826 
4827 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4828 			  MSGQ__CREATE, &ad);
4829 	if (rc) {
4830 		ipc_free_security(&msq->q_perm);
4831 		return rc;
4832 	}
4833 	return 0;
4834 }
4835 
4836 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4837 {
4838 	ipc_free_security(&msq->q_perm);
4839 }
4840 
4841 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4842 {
4843 	struct ipc_security_struct *isec;
4844 	struct common_audit_data ad;
4845 	u32 sid = current_sid();
4846 
4847 	isec = msq->q_perm.security;
4848 
4849 	COMMON_AUDIT_DATA_INIT(&ad, IPC);
4850 	ad.u.ipc_id = msq->q_perm.key;
4851 
4852 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4853 			    MSGQ__ASSOCIATE, &ad);
4854 }
4855 
4856 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4857 {
4858 	int err;
4859 	int perms;
4860 
4861 	switch (cmd) {
4862 	case IPC_INFO:
4863 	case MSG_INFO:
4864 		/* No specific object, just general system-wide information. */
4865 		return task_has_system(current, SYSTEM__IPC_INFO);
4866 	case IPC_STAT:
4867 	case MSG_STAT:
4868 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4869 		break;
4870 	case IPC_SET:
4871 		perms = MSGQ__SETATTR;
4872 		break;
4873 	case IPC_RMID:
4874 		perms = MSGQ__DESTROY;
4875 		break;
4876 	default:
4877 		return 0;
4878 	}
4879 
4880 	err = ipc_has_perm(&msq->q_perm, perms);
4881 	return err;
4882 }
4883 
4884 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4885 {
4886 	struct ipc_security_struct *isec;
4887 	struct msg_security_struct *msec;
4888 	struct common_audit_data ad;
4889 	u32 sid = current_sid();
4890 	int rc;
4891 
4892 	isec = msq->q_perm.security;
4893 	msec = msg->security;
4894 
4895 	/*
4896 	 * First time through, need to assign label to the message
4897 	 */
4898 	if (msec->sid == SECINITSID_UNLABELED) {
4899 		/*
4900 		 * Compute new sid based on current process and
4901 		 * message queue this message will be stored in
4902 		 */
4903 		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4904 					     NULL, &msec->sid);
4905 		if (rc)
4906 			return rc;
4907 	}
4908 
4909 	COMMON_AUDIT_DATA_INIT(&ad, IPC);
4910 	ad.u.ipc_id = msq->q_perm.key;
4911 
4912 	/* Can this process write to the queue? */
4913 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4914 			  MSGQ__WRITE, &ad);
4915 	if (!rc)
4916 		/* Can this process send the message */
4917 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4918 				  MSG__SEND, &ad);
4919 	if (!rc)
4920 		/* Can the message be put in the queue? */
4921 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4922 				  MSGQ__ENQUEUE, &ad);
4923 
4924 	return rc;
4925 }
4926 
4927 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4928 				    struct task_struct *target,
4929 				    long type, int mode)
4930 {
4931 	struct ipc_security_struct *isec;
4932 	struct msg_security_struct *msec;
4933 	struct common_audit_data ad;
4934 	u32 sid = task_sid(target);
4935 	int rc;
4936 
4937 	isec = msq->q_perm.security;
4938 	msec = msg->security;
4939 
4940 	COMMON_AUDIT_DATA_INIT(&ad, IPC);
4941 	ad.u.ipc_id = msq->q_perm.key;
4942 
4943 	rc = avc_has_perm(sid, isec->sid,
4944 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
4945 	if (!rc)
4946 		rc = avc_has_perm(sid, msec->sid,
4947 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
4948 	return rc;
4949 }
4950 
4951 /* Shared Memory security operations */
4952 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4953 {
4954 	struct ipc_security_struct *isec;
4955 	struct common_audit_data ad;
4956 	u32 sid = current_sid();
4957 	int rc;
4958 
4959 	rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4960 	if (rc)
4961 		return rc;
4962 
4963 	isec = shp->shm_perm.security;
4964 
4965 	COMMON_AUDIT_DATA_INIT(&ad, IPC);
4966 	ad.u.ipc_id = shp->shm_perm.key;
4967 
4968 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4969 			  SHM__CREATE, &ad);
4970 	if (rc) {
4971 		ipc_free_security(&shp->shm_perm);
4972 		return rc;
4973 	}
4974 	return 0;
4975 }
4976 
4977 static void selinux_shm_free_security(struct shmid_kernel *shp)
4978 {
4979 	ipc_free_security(&shp->shm_perm);
4980 }
4981 
4982 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4983 {
4984 	struct ipc_security_struct *isec;
4985 	struct common_audit_data ad;
4986 	u32 sid = current_sid();
4987 
4988 	isec = shp->shm_perm.security;
4989 
4990 	COMMON_AUDIT_DATA_INIT(&ad, IPC);
4991 	ad.u.ipc_id = shp->shm_perm.key;
4992 
4993 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4994 			    SHM__ASSOCIATE, &ad);
4995 }
4996 
4997 /* Note, at this point, shp is locked down */
4998 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4999 {
5000 	int perms;
5001 	int err;
5002 
5003 	switch (cmd) {
5004 	case IPC_INFO:
5005 	case SHM_INFO:
5006 		/* No specific object, just general system-wide information. */
5007 		return task_has_system(current, SYSTEM__IPC_INFO);
5008 	case IPC_STAT:
5009 	case SHM_STAT:
5010 		perms = SHM__GETATTR | SHM__ASSOCIATE;
5011 		break;
5012 	case IPC_SET:
5013 		perms = SHM__SETATTR;
5014 		break;
5015 	case SHM_LOCK:
5016 	case SHM_UNLOCK:
5017 		perms = SHM__LOCK;
5018 		break;
5019 	case IPC_RMID:
5020 		perms = SHM__DESTROY;
5021 		break;
5022 	default:
5023 		return 0;
5024 	}
5025 
5026 	err = ipc_has_perm(&shp->shm_perm, perms);
5027 	return err;
5028 }
5029 
5030 static int selinux_shm_shmat(struct shmid_kernel *shp,
5031 			     char __user *shmaddr, int shmflg)
5032 {
5033 	u32 perms;
5034 
5035 	if (shmflg & SHM_RDONLY)
5036 		perms = SHM__READ;
5037 	else
5038 		perms = SHM__READ | SHM__WRITE;
5039 
5040 	return ipc_has_perm(&shp->shm_perm, perms);
5041 }
5042 
5043 /* Semaphore security operations */
5044 static int selinux_sem_alloc_security(struct sem_array *sma)
5045 {
5046 	struct ipc_security_struct *isec;
5047 	struct common_audit_data ad;
5048 	u32 sid = current_sid();
5049 	int rc;
5050 
5051 	rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5052 	if (rc)
5053 		return rc;
5054 
5055 	isec = sma->sem_perm.security;
5056 
5057 	COMMON_AUDIT_DATA_INIT(&ad, IPC);
5058 	ad.u.ipc_id = sma->sem_perm.key;
5059 
5060 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5061 			  SEM__CREATE, &ad);
5062 	if (rc) {
5063 		ipc_free_security(&sma->sem_perm);
5064 		return rc;
5065 	}
5066 	return 0;
5067 }
5068 
5069 static void selinux_sem_free_security(struct sem_array *sma)
5070 {
5071 	ipc_free_security(&sma->sem_perm);
5072 }
5073 
5074 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5075 {
5076 	struct ipc_security_struct *isec;
5077 	struct common_audit_data ad;
5078 	u32 sid = current_sid();
5079 
5080 	isec = sma->sem_perm.security;
5081 
5082 	COMMON_AUDIT_DATA_INIT(&ad, IPC);
5083 	ad.u.ipc_id = sma->sem_perm.key;
5084 
5085 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5086 			    SEM__ASSOCIATE, &ad);
5087 }
5088 
5089 /* Note, at this point, sma is locked down */
5090 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5091 {
5092 	int err;
5093 	u32 perms;
5094 
5095 	switch (cmd) {
5096 	case IPC_INFO:
5097 	case SEM_INFO:
5098 		/* No specific object, just general system-wide information. */
5099 		return task_has_system(current, SYSTEM__IPC_INFO);
5100 	case GETPID:
5101 	case GETNCNT:
5102 	case GETZCNT:
5103 		perms = SEM__GETATTR;
5104 		break;
5105 	case GETVAL:
5106 	case GETALL:
5107 		perms = SEM__READ;
5108 		break;
5109 	case SETVAL:
5110 	case SETALL:
5111 		perms = SEM__WRITE;
5112 		break;
5113 	case IPC_RMID:
5114 		perms = SEM__DESTROY;
5115 		break;
5116 	case IPC_SET:
5117 		perms = SEM__SETATTR;
5118 		break;
5119 	case IPC_STAT:
5120 	case SEM_STAT:
5121 		perms = SEM__GETATTR | SEM__ASSOCIATE;
5122 		break;
5123 	default:
5124 		return 0;
5125 	}
5126 
5127 	err = ipc_has_perm(&sma->sem_perm, perms);
5128 	return err;
5129 }
5130 
5131 static int selinux_sem_semop(struct sem_array *sma,
5132 			     struct sembuf *sops, unsigned nsops, int alter)
5133 {
5134 	u32 perms;
5135 
5136 	if (alter)
5137 		perms = SEM__READ | SEM__WRITE;
5138 	else
5139 		perms = SEM__READ;
5140 
5141 	return ipc_has_perm(&sma->sem_perm, perms);
5142 }
5143 
5144 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5145 {
5146 	u32 av = 0;
5147 
5148 	av = 0;
5149 	if (flag & S_IRUGO)
5150 		av |= IPC__UNIX_READ;
5151 	if (flag & S_IWUGO)
5152 		av |= IPC__UNIX_WRITE;
5153 
5154 	if (av == 0)
5155 		return 0;
5156 
5157 	return ipc_has_perm(ipcp, av);
5158 }
5159 
5160 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5161 {
5162 	struct ipc_security_struct *isec = ipcp->security;
5163 	*secid = isec->sid;
5164 }
5165 
5166 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5167 {
5168 	if (inode)
5169 		inode_doinit_with_dentry(inode, dentry);
5170 }
5171 
5172 static int selinux_getprocattr(struct task_struct *p,
5173 			       char *name, char **value)
5174 {
5175 	const struct task_security_struct *__tsec;
5176 	u32 sid;
5177 	int error;
5178 	unsigned len;
5179 
5180 	if (current != p) {
5181 		error = current_has_perm(p, PROCESS__GETATTR);
5182 		if (error)
5183 			return error;
5184 	}
5185 
5186 	rcu_read_lock();
5187 	__tsec = __task_cred(p)->security;
5188 
5189 	if (!strcmp(name, "current"))
5190 		sid = __tsec->sid;
5191 	else if (!strcmp(name, "prev"))
5192 		sid = __tsec->osid;
5193 	else if (!strcmp(name, "exec"))
5194 		sid = __tsec->exec_sid;
5195 	else if (!strcmp(name, "fscreate"))
5196 		sid = __tsec->create_sid;
5197 	else if (!strcmp(name, "keycreate"))
5198 		sid = __tsec->keycreate_sid;
5199 	else if (!strcmp(name, "sockcreate"))
5200 		sid = __tsec->sockcreate_sid;
5201 	else
5202 		goto invalid;
5203 	rcu_read_unlock();
5204 
5205 	if (!sid)
5206 		return 0;
5207 
5208 	error = security_sid_to_context(sid, value, &len);
5209 	if (error)
5210 		return error;
5211 	return len;
5212 
5213 invalid:
5214 	rcu_read_unlock();
5215 	return -EINVAL;
5216 }
5217 
5218 static int selinux_setprocattr(struct task_struct *p,
5219 			       char *name, void *value, size_t size)
5220 {
5221 	struct task_security_struct *tsec;
5222 	struct task_struct *tracer;
5223 	struct cred *new;
5224 	u32 sid = 0, ptsid;
5225 	int error;
5226 	char *str = value;
5227 
5228 	if (current != p) {
5229 		/* SELinux only allows a process to change its own
5230 		   security attributes. */
5231 		return -EACCES;
5232 	}
5233 
5234 	/*
5235 	 * Basic control over ability to set these attributes at all.
5236 	 * current == p, but we'll pass them separately in case the
5237 	 * above restriction is ever removed.
5238 	 */
5239 	if (!strcmp(name, "exec"))
5240 		error = current_has_perm(p, PROCESS__SETEXEC);
5241 	else if (!strcmp(name, "fscreate"))
5242 		error = current_has_perm(p, PROCESS__SETFSCREATE);
5243 	else if (!strcmp(name, "keycreate"))
5244 		error = current_has_perm(p, PROCESS__SETKEYCREATE);
5245 	else if (!strcmp(name, "sockcreate"))
5246 		error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5247 	else if (!strcmp(name, "current"))
5248 		error = current_has_perm(p, PROCESS__SETCURRENT);
5249 	else
5250 		error = -EINVAL;
5251 	if (error)
5252 		return error;
5253 
5254 	/* Obtain a SID for the context, if one was specified. */
5255 	if (size && str[1] && str[1] != '\n') {
5256 		if (str[size-1] == '\n') {
5257 			str[size-1] = 0;
5258 			size--;
5259 		}
5260 		error = security_context_to_sid(value, size, &sid);
5261 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5262 			if (!capable(CAP_MAC_ADMIN))
5263 				return error;
5264 			error = security_context_to_sid_force(value, size,
5265 							      &sid);
5266 		}
5267 		if (error)
5268 			return error;
5269 	}
5270 
5271 	new = prepare_creds();
5272 	if (!new)
5273 		return -ENOMEM;
5274 
5275 	/* Permission checking based on the specified context is
5276 	   performed during the actual operation (execve,
5277 	   open/mkdir/...), when we know the full context of the
5278 	   operation.  See selinux_bprm_set_creds for the execve
5279 	   checks and may_create for the file creation checks. The
5280 	   operation will then fail if the context is not permitted. */
5281 	tsec = new->security;
5282 	if (!strcmp(name, "exec")) {
5283 		tsec->exec_sid = sid;
5284 	} else if (!strcmp(name, "fscreate")) {
5285 		tsec->create_sid = sid;
5286 	} else if (!strcmp(name, "keycreate")) {
5287 		error = may_create_key(sid, p);
5288 		if (error)
5289 			goto abort_change;
5290 		tsec->keycreate_sid = sid;
5291 	} else if (!strcmp(name, "sockcreate")) {
5292 		tsec->sockcreate_sid = sid;
5293 	} else if (!strcmp(name, "current")) {
5294 		error = -EINVAL;
5295 		if (sid == 0)
5296 			goto abort_change;
5297 
5298 		/* Only allow single threaded processes to change context */
5299 		error = -EPERM;
5300 		if (!current_is_single_threaded()) {
5301 			error = security_bounded_transition(tsec->sid, sid);
5302 			if (error)
5303 				goto abort_change;
5304 		}
5305 
5306 		/* Check permissions for the transition. */
5307 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5308 				     PROCESS__DYNTRANSITION, NULL);
5309 		if (error)
5310 			goto abort_change;
5311 
5312 		/* Check for ptracing, and update the task SID if ok.
5313 		   Otherwise, leave SID unchanged and fail. */
5314 		ptsid = 0;
5315 		task_lock(p);
5316 		tracer = ptrace_parent(p);
5317 		if (tracer)
5318 			ptsid = task_sid(tracer);
5319 		task_unlock(p);
5320 
5321 		if (tracer) {
5322 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5323 					     PROCESS__PTRACE, NULL);
5324 			if (error)
5325 				goto abort_change;
5326 		}
5327 
5328 		tsec->sid = sid;
5329 	} else {
5330 		error = -EINVAL;
5331 		goto abort_change;
5332 	}
5333 
5334 	commit_creds(new);
5335 	return size;
5336 
5337 abort_change:
5338 	abort_creds(new);
5339 	return error;
5340 }
5341 
5342 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5343 {
5344 	return security_sid_to_context(secid, secdata, seclen);
5345 }
5346 
5347 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5348 {
5349 	return security_context_to_sid(secdata, seclen, secid);
5350 }
5351 
5352 static void selinux_release_secctx(char *secdata, u32 seclen)
5353 {
5354 	kfree(secdata);
5355 }
5356 
5357 /*
5358  *	called with inode->i_mutex locked
5359  */
5360 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5361 {
5362 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5363 }
5364 
5365 /*
5366  *	called with inode->i_mutex locked
5367  */
5368 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5369 {
5370 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5371 }
5372 
5373 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5374 {
5375 	int len = 0;
5376 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5377 						ctx, true);
5378 	if (len < 0)
5379 		return len;
5380 	*ctxlen = len;
5381 	return 0;
5382 }
5383 #ifdef CONFIG_KEYS
5384 
5385 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5386 			     unsigned long flags)
5387 {
5388 	const struct task_security_struct *tsec;
5389 	struct key_security_struct *ksec;
5390 
5391 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5392 	if (!ksec)
5393 		return -ENOMEM;
5394 
5395 	tsec = cred->security;
5396 	if (tsec->keycreate_sid)
5397 		ksec->sid = tsec->keycreate_sid;
5398 	else
5399 		ksec->sid = tsec->sid;
5400 
5401 	k->security = ksec;
5402 	return 0;
5403 }
5404 
5405 static void selinux_key_free(struct key *k)
5406 {
5407 	struct key_security_struct *ksec = k->security;
5408 
5409 	k->security = NULL;
5410 	kfree(ksec);
5411 }
5412 
5413 static int selinux_key_permission(key_ref_t key_ref,
5414 				  const struct cred *cred,
5415 				  key_perm_t perm)
5416 {
5417 	struct key *key;
5418 	struct key_security_struct *ksec;
5419 	u32 sid;
5420 
5421 	/* if no specific permissions are requested, we skip the
5422 	   permission check. No serious, additional covert channels
5423 	   appear to be created. */
5424 	if (perm == 0)
5425 		return 0;
5426 
5427 	sid = cred_sid(cred);
5428 
5429 	key = key_ref_to_ptr(key_ref);
5430 	ksec = key->security;
5431 
5432 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5433 }
5434 
5435 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5436 {
5437 	struct key_security_struct *ksec = key->security;
5438 	char *context = NULL;
5439 	unsigned len;
5440 	int rc;
5441 
5442 	rc = security_sid_to_context(ksec->sid, &context, &len);
5443 	if (!rc)
5444 		rc = len;
5445 	*_buffer = context;
5446 	return rc;
5447 }
5448 
5449 #endif
5450 
5451 static struct security_operations selinux_ops = {
5452 	.name =				"selinux",
5453 
5454 	.ptrace_access_check =		selinux_ptrace_access_check,
5455 	.ptrace_traceme =		selinux_ptrace_traceme,
5456 	.capget =			selinux_capget,
5457 	.capset =			selinux_capset,
5458 	.capable =			selinux_capable,
5459 	.quotactl =			selinux_quotactl,
5460 	.quota_on =			selinux_quota_on,
5461 	.syslog =			selinux_syslog,
5462 	.vm_enough_memory =		selinux_vm_enough_memory,
5463 
5464 	.netlink_send =			selinux_netlink_send,
5465 	.netlink_recv =			selinux_netlink_recv,
5466 
5467 	.bprm_set_creds =		selinux_bprm_set_creds,
5468 	.bprm_committing_creds =	selinux_bprm_committing_creds,
5469 	.bprm_committed_creds =		selinux_bprm_committed_creds,
5470 	.bprm_secureexec =		selinux_bprm_secureexec,
5471 
5472 	.sb_alloc_security =		selinux_sb_alloc_security,
5473 	.sb_free_security =		selinux_sb_free_security,
5474 	.sb_copy_data =			selinux_sb_copy_data,
5475 	.sb_remount =			selinux_sb_remount,
5476 	.sb_kern_mount =		selinux_sb_kern_mount,
5477 	.sb_show_options =		selinux_sb_show_options,
5478 	.sb_statfs =			selinux_sb_statfs,
5479 	.sb_mount =			selinux_mount,
5480 	.sb_umount =			selinux_umount,
5481 	.sb_set_mnt_opts =		selinux_set_mnt_opts,
5482 	.sb_clone_mnt_opts =		selinux_sb_clone_mnt_opts,
5483 	.sb_parse_opts_str = 		selinux_parse_opts_str,
5484 
5485 
5486 	.inode_alloc_security =		selinux_inode_alloc_security,
5487 	.inode_free_security =		selinux_inode_free_security,
5488 	.inode_init_security =		selinux_inode_init_security,
5489 	.inode_create =			selinux_inode_create,
5490 	.inode_link =			selinux_inode_link,
5491 	.inode_unlink =			selinux_inode_unlink,
5492 	.inode_symlink =		selinux_inode_symlink,
5493 	.inode_mkdir =			selinux_inode_mkdir,
5494 	.inode_rmdir =			selinux_inode_rmdir,
5495 	.inode_mknod =			selinux_inode_mknod,
5496 	.inode_rename =			selinux_inode_rename,
5497 	.inode_readlink =		selinux_inode_readlink,
5498 	.inode_follow_link =		selinux_inode_follow_link,
5499 	.inode_permission =		selinux_inode_permission,
5500 	.inode_setattr =		selinux_inode_setattr,
5501 	.inode_getattr =		selinux_inode_getattr,
5502 	.inode_setxattr =		selinux_inode_setxattr,
5503 	.inode_post_setxattr =		selinux_inode_post_setxattr,
5504 	.inode_getxattr =		selinux_inode_getxattr,
5505 	.inode_listxattr =		selinux_inode_listxattr,
5506 	.inode_removexattr =		selinux_inode_removexattr,
5507 	.inode_getsecurity =		selinux_inode_getsecurity,
5508 	.inode_setsecurity =		selinux_inode_setsecurity,
5509 	.inode_listsecurity =		selinux_inode_listsecurity,
5510 	.inode_getsecid =		selinux_inode_getsecid,
5511 
5512 	.file_permission =		selinux_file_permission,
5513 	.file_alloc_security =		selinux_file_alloc_security,
5514 	.file_free_security =		selinux_file_free_security,
5515 	.file_ioctl =			selinux_file_ioctl,
5516 	.file_mmap =			selinux_file_mmap,
5517 	.file_mprotect =		selinux_file_mprotect,
5518 	.file_lock =			selinux_file_lock,
5519 	.file_fcntl =			selinux_file_fcntl,
5520 	.file_set_fowner =		selinux_file_set_fowner,
5521 	.file_send_sigiotask =		selinux_file_send_sigiotask,
5522 	.file_receive =			selinux_file_receive,
5523 
5524 	.dentry_open =			selinux_dentry_open,
5525 
5526 	.task_create =			selinux_task_create,
5527 	.cred_alloc_blank =		selinux_cred_alloc_blank,
5528 	.cred_free =			selinux_cred_free,
5529 	.cred_prepare =			selinux_cred_prepare,
5530 	.cred_transfer =		selinux_cred_transfer,
5531 	.kernel_act_as =		selinux_kernel_act_as,
5532 	.kernel_create_files_as =	selinux_kernel_create_files_as,
5533 	.kernel_module_request =	selinux_kernel_module_request,
5534 	.task_setpgid =			selinux_task_setpgid,
5535 	.task_getpgid =			selinux_task_getpgid,
5536 	.task_getsid =			selinux_task_getsid,
5537 	.task_getsecid =		selinux_task_getsecid,
5538 	.task_setnice =			selinux_task_setnice,
5539 	.task_setioprio =		selinux_task_setioprio,
5540 	.task_getioprio =		selinux_task_getioprio,
5541 	.task_setrlimit =		selinux_task_setrlimit,
5542 	.task_setscheduler =		selinux_task_setscheduler,
5543 	.task_getscheduler =		selinux_task_getscheduler,
5544 	.task_movememory =		selinux_task_movememory,
5545 	.task_kill =			selinux_task_kill,
5546 	.task_wait =			selinux_task_wait,
5547 	.task_to_inode =		selinux_task_to_inode,
5548 
5549 	.ipc_permission =		selinux_ipc_permission,
5550 	.ipc_getsecid =			selinux_ipc_getsecid,
5551 
5552 	.msg_msg_alloc_security =	selinux_msg_msg_alloc_security,
5553 	.msg_msg_free_security =	selinux_msg_msg_free_security,
5554 
5555 	.msg_queue_alloc_security =	selinux_msg_queue_alloc_security,
5556 	.msg_queue_free_security =	selinux_msg_queue_free_security,
5557 	.msg_queue_associate =		selinux_msg_queue_associate,
5558 	.msg_queue_msgctl =		selinux_msg_queue_msgctl,
5559 	.msg_queue_msgsnd =		selinux_msg_queue_msgsnd,
5560 	.msg_queue_msgrcv =		selinux_msg_queue_msgrcv,
5561 
5562 	.shm_alloc_security =		selinux_shm_alloc_security,
5563 	.shm_free_security =		selinux_shm_free_security,
5564 	.shm_associate =		selinux_shm_associate,
5565 	.shm_shmctl =			selinux_shm_shmctl,
5566 	.shm_shmat =			selinux_shm_shmat,
5567 
5568 	.sem_alloc_security =		selinux_sem_alloc_security,
5569 	.sem_free_security =		selinux_sem_free_security,
5570 	.sem_associate =		selinux_sem_associate,
5571 	.sem_semctl =			selinux_sem_semctl,
5572 	.sem_semop =			selinux_sem_semop,
5573 
5574 	.d_instantiate =		selinux_d_instantiate,
5575 
5576 	.getprocattr =			selinux_getprocattr,
5577 	.setprocattr =			selinux_setprocattr,
5578 
5579 	.secid_to_secctx =		selinux_secid_to_secctx,
5580 	.secctx_to_secid =		selinux_secctx_to_secid,
5581 	.release_secctx =		selinux_release_secctx,
5582 	.inode_notifysecctx =		selinux_inode_notifysecctx,
5583 	.inode_setsecctx =		selinux_inode_setsecctx,
5584 	.inode_getsecctx =		selinux_inode_getsecctx,
5585 
5586 	.unix_stream_connect =		selinux_socket_unix_stream_connect,
5587 	.unix_may_send =		selinux_socket_unix_may_send,
5588 
5589 	.socket_create =		selinux_socket_create,
5590 	.socket_post_create =		selinux_socket_post_create,
5591 	.socket_bind =			selinux_socket_bind,
5592 	.socket_connect =		selinux_socket_connect,
5593 	.socket_listen =		selinux_socket_listen,
5594 	.socket_accept =		selinux_socket_accept,
5595 	.socket_sendmsg =		selinux_socket_sendmsg,
5596 	.socket_recvmsg =		selinux_socket_recvmsg,
5597 	.socket_getsockname =		selinux_socket_getsockname,
5598 	.socket_getpeername =		selinux_socket_getpeername,
5599 	.socket_getsockopt =		selinux_socket_getsockopt,
5600 	.socket_setsockopt =		selinux_socket_setsockopt,
5601 	.socket_shutdown =		selinux_socket_shutdown,
5602 	.socket_sock_rcv_skb =		selinux_socket_sock_rcv_skb,
5603 	.socket_getpeersec_stream =	selinux_socket_getpeersec_stream,
5604 	.socket_getpeersec_dgram =	selinux_socket_getpeersec_dgram,
5605 	.sk_alloc_security =		selinux_sk_alloc_security,
5606 	.sk_free_security =		selinux_sk_free_security,
5607 	.sk_clone_security =		selinux_sk_clone_security,
5608 	.sk_getsecid =			selinux_sk_getsecid,
5609 	.sock_graft =			selinux_sock_graft,
5610 	.inet_conn_request =		selinux_inet_conn_request,
5611 	.inet_csk_clone =		selinux_inet_csk_clone,
5612 	.inet_conn_established =	selinux_inet_conn_established,
5613 	.secmark_relabel_packet =	selinux_secmark_relabel_packet,
5614 	.secmark_refcount_inc =		selinux_secmark_refcount_inc,
5615 	.secmark_refcount_dec =		selinux_secmark_refcount_dec,
5616 	.req_classify_flow =		selinux_req_classify_flow,
5617 	.tun_dev_create =		selinux_tun_dev_create,
5618 	.tun_dev_post_create = 		selinux_tun_dev_post_create,
5619 	.tun_dev_attach =		selinux_tun_dev_attach,
5620 
5621 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5622 	.xfrm_policy_alloc_security =	selinux_xfrm_policy_alloc,
5623 	.xfrm_policy_clone_security =	selinux_xfrm_policy_clone,
5624 	.xfrm_policy_free_security =	selinux_xfrm_policy_free,
5625 	.xfrm_policy_delete_security =	selinux_xfrm_policy_delete,
5626 	.xfrm_state_alloc_security =	selinux_xfrm_state_alloc,
5627 	.xfrm_state_free_security =	selinux_xfrm_state_free,
5628 	.xfrm_state_delete_security =	selinux_xfrm_state_delete,
5629 	.xfrm_policy_lookup =		selinux_xfrm_policy_lookup,
5630 	.xfrm_state_pol_flow_match =	selinux_xfrm_state_pol_flow_match,
5631 	.xfrm_decode_session =		selinux_xfrm_decode_session,
5632 #endif
5633 
5634 #ifdef CONFIG_KEYS
5635 	.key_alloc =			selinux_key_alloc,
5636 	.key_free =			selinux_key_free,
5637 	.key_permission =		selinux_key_permission,
5638 	.key_getsecurity =		selinux_key_getsecurity,
5639 #endif
5640 
5641 #ifdef CONFIG_AUDIT
5642 	.audit_rule_init =		selinux_audit_rule_init,
5643 	.audit_rule_known =		selinux_audit_rule_known,
5644 	.audit_rule_match =		selinux_audit_rule_match,
5645 	.audit_rule_free =		selinux_audit_rule_free,
5646 #endif
5647 };
5648 
5649 static __init int selinux_init(void)
5650 {
5651 	if (!security_module_enable(&selinux_ops)) {
5652 		selinux_enabled = 0;
5653 		return 0;
5654 	}
5655 
5656 	if (!selinux_enabled) {
5657 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5658 		return 0;
5659 	}
5660 
5661 	printk(KERN_INFO "SELinux:  Initializing.\n");
5662 
5663 	/* Set the security state for the initial task. */
5664 	cred_init_security();
5665 
5666 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5667 
5668 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
5669 					    sizeof(struct inode_security_struct),
5670 					    0, SLAB_PANIC, NULL);
5671 	avc_init();
5672 
5673 	if (register_security(&selinux_ops))
5674 		panic("SELinux: Unable to register with kernel.\n");
5675 
5676 	if (selinux_enforcing)
5677 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5678 	else
5679 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5680 
5681 	return 0;
5682 }
5683 
5684 static void delayed_superblock_init(struct super_block *sb, void *unused)
5685 {
5686 	superblock_doinit(sb, NULL);
5687 }
5688 
5689 void selinux_complete_init(void)
5690 {
5691 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5692 
5693 	/* Set up any superblocks initialized prior to the policy load. */
5694 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5695 	iterate_supers(delayed_superblock_init, NULL);
5696 }
5697 
5698 /* SELinux requires early initialization in order to label
5699    all processes and objects when they are created. */
5700 security_initcall(selinux_init);
5701 
5702 #if defined(CONFIG_NETFILTER)
5703 
5704 static struct nf_hook_ops selinux_ipv4_ops[] = {
5705 	{
5706 		.hook =		selinux_ipv4_postroute,
5707 		.owner =	THIS_MODULE,
5708 		.pf =		PF_INET,
5709 		.hooknum =	NF_INET_POST_ROUTING,
5710 		.priority =	NF_IP_PRI_SELINUX_LAST,
5711 	},
5712 	{
5713 		.hook =		selinux_ipv4_forward,
5714 		.owner =	THIS_MODULE,
5715 		.pf =		PF_INET,
5716 		.hooknum =	NF_INET_FORWARD,
5717 		.priority =	NF_IP_PRI_SELINUX_FIRST,
5718 	},
5719 	{
5720 		.hook =		selinux_ipv4_output,
5721 		.owner =	THIS_MODULE,
5722 		.pf =		PF_INET,
5723 		.hooknum =	NF_INET_LOCAL_OUT,
5724 		.priority =	NF_IP_PRI_SELINUX_FIRST,
5725 	}
5726 };
5727 
5728 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5729 
5730 static struct nf_hook_ops selinux_ipv6_ops[] = {
5731 	{
5732 		.hook =		selinux_ipv6_postroute,
5733 		.owner =	THIS_MODULE,
5734 		.pf =		PF_INET6,
5735 		.hooknum =	NF_INET_POST_ROUTING,
5736 		.priority =	NF_IP6_PRI_SELINUX_LAST,
5737 	},
5738 	{
5739 		.hook =		selinux_ipv6_forward,
5740 		.owner =	THIS_MODULE,
5741 		.pf =		PF_INET6,
5742 		.hooknum =	NF_INET_FORWARD,
5743 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
5744 	}
5745 };
5746 
5747 #endif	/* IPV6 */
5748 
5749 static int __init selinux_nf_ip_init(void)
5750 {
5751 	int err = 0;
5752 
5753 	if (!selinux_enabled)
5754 		goto out;
5755 
5756 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5757 
5758 	err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5759 	if (err)
5760 		panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5761 
5762 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5763 	err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5764 	if (err)
5765 		panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5766 #endif	/* IPV6 */
5767 
5768 out:
5769 	return err;
5770 }
5771 
5772 __initcall(selinux_nf_ip_init);
5773 
5774 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5775 static void selinux_nf_ip_exit(void)
5776 {
5777 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5778 
5779 	nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5780 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5781 	nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5782 #endif	/* IPV6 */
5783 }
5784 #endif
5785 
5786 #else /* CONFIG_NETFILTER */
5787 
5788 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5789 #define selinux_nf_ip_exit()
5790 #endif
5791 
5792 #endif /* CONFIG_NETFILTER */
5793 
5794 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5795 static int selinux_disabled;
5796 
5797 int selinux_disable(void)
5798 {
5799 	if (ss_initialized) {
5800 		/* Not permitted after initial policy load. */
5801 		return -EINVAL;
5802 	}
5803 
5804 	if (selinux_disabled) {
5805 		/* Only do this once. */
5806 		return -EINVAL;
5807 	}
5808 
5809 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5810 
5811 	selinux_disabled = 1;
5812 	selinux_enabled = 0;
5813 
5814 	reset_security_ops();
5815 
5816 	/* Try to destroy the avc node cache */
5817 	avc_disable();
5818 
5819 	/* Unregister netfilter hooks. */
5820 	selinux_nf_ip_exit();
5821 
5822 	/* Unregister selinuxfs. */
5823 	exit_sel_fs();
5824 
5825 	return 0;
5826 }
5827 #endif
5828