~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/selinux/hooks.c

Version: ~ [ linux-5.10-rc6 ] ~ [ linux-5.9.12 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.81 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.161 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.210 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.247 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.247 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  *  NSA Security-Enhanced Linux (SELinux) security module
  3  *
  4  *  This file contains the SELinux hook function implementations.
  5  *
  6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
  7  *            Chris Vance, <cvance@nai.com>
  8  *            Wayne Salamon, <wsalamon@nai.com>
  9  *            James Morris <jmorris@redhat.com>
 10  *
 11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
 12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
 13  *                                         Eric Paris <eparis@redhat.com>
 14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 15  *                          <dgoeddel@trustedcs.com>
 16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
 17  *      Paul Moore <paul@paul-moore.com>
 18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
 19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
 20  *
 21  *      This program is free software; you can redistribute it and/or modify
 22  *      it under the terms of the GNU General Public License version 2,
 23  *      as published by the Free Software Foundation.
 24  */
 25 
 26 #include <linux/init.h>
 27 #include <linux/kd.h>
 28 #include <linux/kernel.h>
 29 #include <linux/tracehook.h>
 30 #include <linux/errno.h>
 31 #include <linux/sched.h>
 32 #include <linux/security.h>
 33 #include <linux/xattr.h>
 34 #include <linux/capability.h>
 35 #include <linux/unistd.h>
 36 #include <linux/mm.h>
 37 #include <linux/mman.h>
 38 #include <linux/slab.h>
 39 #include <linux/pagemap.h>
 40 #include <linux/proc_fs.h>
 41 #include <linux/swap.h>
 42 #include <linux/spinlock.h>
 43 #include <linux/syscalls.h>
 44 #include <linux/dcache.h>
 45 #include <linux/file.h>
 46 #include <linux/fdtable.h>
 47 #include <linux/namei.h>
 48 #include <linux/mount.h>
 49 #include <linux/netfilter_ipv4.h>
 50 #include <linux/netfilter_ipv6.h>
 51 #include <linux/tty.h>
 52 #include <net/icmp.h>
 53 #include <net/ip.h>             /* for local_port_range[] */
 54 #include <net/sock.h>
 55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 56 #include <net/inet_connection_sock.h>
 57 #include <net/net_namespace.h>
 58 #include <net/netlabel.h>
 59 #include <linux/uaccess.h>
 60 #include <asm/ioctls.h>
 61 #include <linux/atomic.h>
 62 #include <linux/bitops.h>
 63 #include <linux/interrupt.h>
 64 #include <linux/netdevice.h>    /* for network interface checks */
 65 #include <net/netlink.h>
 66 #include <linux/tcp.h>
 67 #include <linux/udp.h>
 68 #include <linux/dccp.h>
 69 #include <linux/quota.h>
 70 #include <linux/un.h>           /* for Unix socket types */
 71 #include <net/af_unix.h>        /* for Unix socket types */
 72 #include <linux/parser.h>
 73 #include <linux/nfs_mount.h>
 74 #include <net/ipv6.h>
 75 #include <linux/hugetlb.h>
 76 #include <linux/personality.h>
 77 #include <linux/audit.h>
 78 #include <linux/string.h>
 79 #include <linux/selinux.h>
 80 #include <linux/mutex.h>
 81 #include <linux/posix-timers.h>
 82 #include <linux/syslog.h>
 83 #include <linux/user_namespace.h>
 84 #include <linux/export.h>
 85 #include <linux/msg.h>
 86 #include <linux/shm.h>
 87 
 88 #include "avc.h"
 89 #include "objsec.h"
 90 #include "netif.h"
 91 #include "netnode.h"
 92 #include "netport.h"
 93 #include "xfrm.h"
 94 #include "netlabel.h"
 95 #include "audit.h"
 96 #include "avc_ss.h"
 97 
 98 /* SECMARK reference count */
 99 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103 
104 static int __init enforcing_setup(char *str)
105 {
106         unsigned long enforcing;
107         if (!kstrtoul(str, 0, &enforcing))
108                 selinux_enforcing = enforcing ? 1 : 0;
109         return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113 
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116 
117 static int __init selinux_enabled_setup(char *str)
118 {
119         unsigned long enabled;
120         if (!kstrtoul(str, 0, &enabled))
121                 selinux_enabled = enabled ? 1 : 0;
122         return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128 
129 static struct kmem_cache *sel_inode_cache;
130 
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
139  * policy capability is enabled, SECMARK is always considered enabled.
140  *
141  */
142 static int selinux_secmark_enabled(void)
143 {
144         return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146 
147 /**
148  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149  *
150  * Description:
151  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
152  * (1) if any are enabled or false (0) if neither are enabled.  If the
153  * always_check_network policy capability is enabled, peer labeling
154  * is always considered enabled.
155  *
156  */
157 static int selinux_peerlbl_enabled(void)
158 {
159         return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161 
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164         if (event == AVC_CALLBACK_RESET) {
165                 sel_netif_flush();
166                 sel_netnode_flush();
167                 sel_netport_flush();
168                 synchronize_net();
169         }
170         return 0;
171 }
172 
173 /*
174  * initialise the security for the init task
175  */
176 static void cred_init_security(void)
177 {
178         struct cred *cred = (struct cred *) current->real_cred;
179         struct task_security_struct *tsec;
180 
181         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182         if (!tsec)
183                 panic("SELinux:  Failed to initialize initial task.\n");
184 
185         tsec->osid = tsec->sid = SECINITSID_KERNEL;
186         cred->security = tsec;
187 }
188 
189 /*
190  * get the security ID of a set of credentials
191  */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194         const struct task_security_struct *tsec;
195 
196         tsec = cred->security;
197         return tsec->sid;
198 }
199 
200 /*
201  * get the objective security ID of a task
202  */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205         u32 sid;
206 
207         rcu_read_lock();
208         sid = cred_sid(__task_cred(task));
209         rcu_read_unlock();
210         return sid;
211 }
212 
213 /*
214  * get the subjective security ID of the current task
215  */
216 static inline u32 current_sid(void)
217 {
218         const struct task_security_struct *tsec = current_security();
219 
220         return tsec->sid;
221 }
222 
223 /* Allocate and free functions for each kind of security blob. */
224 
225 static int inode_alloc_security(struct inode *inode)
226 {
227         struct inode_security_struct *isec;
228         u32 sid = current_sid();
229 
230         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231         if (!isec)
232                 return -ENOMEM;
233 
234         mutex_init(&isec->lock);
235         INIT_LIST_HEAD(&isec->list);
236         isec->inode = inode;
237         isec->sid = SECINITSID_UNLABELED;
238         isec->sclass = SECCLASS_FILE;
239         isec->task_sid = sid;
240         inode->i_security = isec;
241 
242         return 0;
243 }
244 
245 static void inode_free_rcu(struct rcu_head *head)
246 {
247         struct inode_security_struct *isec;
248 
249         isec = container_of(head, struct inode_security_struct, rcu);
250         kmem_cache_free(sel_inode_cache, isec);
251 }
252 
253 static void inode_free_security(struct inode *inode)
254 {
255         struct inode_security_struct *isec = inode->i_security;
256         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
257 
258         spin_lock(&sbsec->isec_lock);
259         if (!list_empty(&isec->list))
260                 list_del_init(&isec->list);
261         spin_unlock(&sbsec->isec_lock);
262 
263         /*
264          * The inode may still be referenced in a path walk and
265          * a call to selinux_inode_permission() can be made
266          * after inode_free_security() is called. Ideally, the VFS
267          * wouldn't do this, but fixing that is a much harder
268          * job. For now, simply free the i_security via RCU, and
269          * leave the current inode->i_security pointer intact.
270          * The inode will be freed after the RCU grace period too.
271          */
272         call_rcu(&isec->rcu, inode_free_rcu);
273 }
274 
275 static int file_alloc_security(struct file *file)
276 {
277         struct file_security_struct *fsec;
278         u32 sid = current_sid();
279 
280         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
281         if (!fsec)
282                 return -ENOMEM;
283 
284         fsec->sid = sid;
285         fsec->fown_sid = sid;
286         file->f_security = fsec;
287 
288         return 0;
289 }
290 
291 static void file_free_security(struct file *file)
292 {
293         struct file_security_struct *fsec = file->f_security;
294         file->f_security = NULL;
295         kfree(fsec);
296 }
297 
298 static int superblock_alloc_security(struct super_block *sb)
299 {
300         struct superblock_security_struct *sbsec;
301 
302         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
303         if (!sbsec)
304                 return -ENOMEM;
305 
306         mutex_init(&sbsec->lock);
307         INIT_LIST_HEAD(&sbsec->isec_head);
308         spin_lock_init(&sbsec->isec_lock);
309         sbsec->sb = sb;
310         sbsec->sid = SECINITSID_UNLABELED;
311         sbsec->def_sid = SECINITSID_FILE;
312         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
313         sb->s_security = sbsec;
314 
315         return 0;
316 }
317 
318 static void superblock_free_security(struct super_block *sb)
319 {
320         struct superblock_security_struct *sbsec = sb->s_security;
321         sb->s_security = NULL;
322         kfree(sbsec);
323 }
324 
325 /* The file system's label must be initialized prior to use. */
326 
327 static const char *labeling_behaviors[7] = {
328         "uses xattr",
329         "uses transition SIDs",
330         "uses task SIDs",
331         "uses genfs_contexts",
332         "not configured for labeling",
333         "uses mountpoint labeling",
334         "uses native labeling",
335 };
336 
337 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
338 
339 static inline int inode_doinit(struct inode *inode)
340 {
341         return inode_doinit_with_dentry(inode, NULL);
342 }
343 
344 enum {
345         Opt_error = -1,
346         Opt_context = 1,
347         Opt_fscontext = 2,
348         Opt_defcontext = 3,
349         Opt_rootcontext = 4,
350         Opt_labelsupport = 5,
351         Opt_nextmntopt = 6,
352 };
353 
354 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
355 
356 static const match_table_t tokens = {
357         {Opt_context, CONTEXT_STR "%s"},
358         {Opt_fscontext, FSCONTEXT_STR "%s"},
359         {Opt_defcontext, DEFCONTEXT_STR "%s"},
360         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
361         {Opt_labelsupport, LABELSUPP_STR},
362         {Opt_error, NULL},
363 };
364 
365 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
366 
367 static int may_context_mount_sb_relabel(u32 sid,
368                         struct superblock_security_struct *sbsec,
369                         const struct cred *cred)
370 {
371         const struct task_security_struct *tsec = cred->security;
372         int rc;
373 
374         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
375                           FILESYSTEM__RELABELFROM, NULL);
376         if (rc)
377                 return rc;
378 
379         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
380                           FILESYSTEM__RELABELTO, NULL);
381         return rc;
382 }
383 
384 static int may_context_mount_inode_relabel(u32 sid,
385                         struct superblock_security_struct *sbsec,
386                         const struct cred *cred)
387 {
388         const struct task_security_struct *tsec = cred->security;
389         int rc;
390         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
391                           FILESYSTEM__RELABELFROM, NULL);
392         if (rc)
393                 return rc;
394 
395         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
396                           FILESYSTEM__ASSOCIATE, NULL);
397         return rc;
398 }
399 
400 static int selinux_is_sblabel_mnt(struct super_block *sb)
401 {
402         struct superblock_security_struct *sbsec = sb->s_security;
403 
404         return sbsec->behavior == SECURITY_FS_USE_XATTR ||
405                 sbsec->behavior == SECURITY_FS_USE_TRANS ||
406                 sbsec->behavior == SECURITY_FS_USE_TASK ||
407                 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
408                 /* Special handling. Genfs but also in-core setxattr handler */
409                 !strcmp(sb->s_type->name, "sysfs") ||
410                 !strcmp(sb->s_type->name, "pstore") ||
411                 !strcmp(sb->s_type->name, "debugfs") ||
412                 !strcmp(sb->s_type->name, "rootfs");
413 }
414 
415 static int sb_finish_set_opts(struct super_block *sb)
416 {
417         struct superblock_security_struct *sbsec = sb->s_security;
418         struct dentry *root = sb->s_root;
419         struct inode *root_inode = root->d_inode;
420         int rc = 0;
421 
422         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
423                 /* Make sure that the xattr handler exists and that no
424                    error other than -ENODATA is returned by getxattr on
425                    the root directory.  -ENODATA is ok, as this may be
426                    the first boot of the SELinux kernel before we have
427                    assigned xattr values to the filesystem. */
428                 if (!root_inode->i_op->getxattr) {
429                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
430                                "xattr support\n", sb->s_id, sb->s_type->name);
431                         rc = -EOPNOTSUPP;
432                         goto out;
433                 }
434                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
435                 if (rc < 0 && rc != -ENODATA) {
436                         if (rc == -EOPNOTSUPP)
437                                 printk(KERN_WARNING "SELinux: (dev %s, type "
438                                        "%s) has no security xattr handler\n",
439                                        sb->s_id, sb->s_type->name);
440                         else
441                                 printk(KERN_WARNING "SELinux: (dev %s, type "
442                                        "%s) getxattr errno %d\n", sb->s_id,
443                                        sb->s_type->name, -rc);
444                         goto out;
445                 }
446         }
447 
448         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
449                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
450                        sb->s_id, sb->s_type->name);
451 
452         sbsec->flags |= SE_SBINITIALIZED;
453         if (selinux_is_sblabel_mnt(sb))
454                 sbsec->flags |= SBLABEL_MNT;
455 
456         /* Initialize the root inode. */
457         rc = inode_doinit_with_dentry(root_inode, root);
458 
459         /* Initialize any other inodes associated with the superblock, e.g.
460            inodes created prior to initial policy load or inodes created
461            during get_sb by a pseudo filesystem that directly
462            populates itself. */
463         spin_lock(&sbsec->isec_lock);
464 next_inode:
465         if (!list_empty(&sbsec->isec_head)) {
466                 struct inode_security_struct *isec =
467                                 list_entry(sbsec->isec_head.next,
468                                            struct inode_security_struct, list);
469                 struct inode *inode = isec->inode;
470                 list_del_init(&isec->list);
471                 spin_unlock(&sbsec->isec_lock);
472                 inode = igrab(inode);
473                 if (inode) {
474                         if (!IS_PRIVATE(inode))
475                                 inode_doinit(inode);
476                         iput(inode);
477                 }
478                 spin_lock(&sbsec->isec_lock);
479                 goto next_inode;
480         }
481         spin_unlock(&sbsec->isec_lock);
482 out:
483         return rc;
484 }
485 
486 /*
487  * This function should allow an FS to ask what it's mount security
488  * options were so it can use those later for submounts, displaying
489  * mount options, or whatever.
490  */
491 static int selinux_get_mnt_opts(const struct super_block *sb,
492                                 struct security_mnt_opts *opts)
493 {
494         int rc = 0, i;
495         struct superblock_security_struct *sbsec = sb->s_security;
496         char *context = NULL;
497         u32 len;
498         char tmp;
499 
500         security_init_mnt_opts(opts);
501 
502         if (!(sbsec->flags & SE_SBINITIALIZED))
503                 return -EINVAL;
504 
505         if (!ss_initialized)
506                 return -EINVAL;
507 
508         /* make sure we always check enough bits to cover the mask */
509         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
510 
511         tmp = sbsec->flags & SE_MNTMASK;
512         /* count the number of mount options for this sb */
513         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
514                 if (tmp & 0x01)
515                         opts->num_mnt_opts++;
516                 tmp >>= 1;
517         }
518         /* Check if the Label support flag is set */
519         if (sbsec->flags & SBLABEL_MNT)
520                 opts->num_mnt_opts++;
521 
522         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
523         if (!opts->mnt_opts) {
524                 rc = -ENOMEM;
525                 goto out_free;
526         }
527 
528         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
529         if (!opts->mnt_opts_flags) {
530                 rc = -ENOMEM;
531                 goto out_free;
532         }
533 
534         i = 0;
535         if (sbsec->flags & FSCONTEXT_MNT) {
536                 rc = security_sid_to_context(sbsec->sid, &context, &len);
537                 if (rc)
538                         goto out_free;
539                 opts->mnt_opts[i] = context;
540                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
541         }
542         if (sbsec->flags & CONTEXT_MNT) {
543                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
544                 if (rc)
545                         goto out_free;
546                 opts->mnt_opts[i] = context;
547                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
548         }
549         if (sbsec->flags & DEFCONTEXT_MNT) {
550                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
551                 if (rc)
552                         goto out_free;
553                 opts->mnt_opts[i] = context;
554                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
555         }
556         if (sbsec->flags & ROOTCONTEXT_MNT) {
557                 struct inode *root = sbsec->sb->s_root->d_inode;
558                 struct inode_security_struct *isec = root->i_security;
559 
560                 rc = security_sid_to_context(isec->sid, &context, &len);
561                 if (rc)
562                         goto out_free;
563                 opts->mnt_opts[i] = context;
564                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
565         }
566         if (sbsec->flags & SBLABEL_MNT) {
567                 opts->mnt_opts[i] = NULL;
568                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
569         }
570 
571         BUG_ON(i != opts->num_mnt_opts);
572 
573         return 0;
574 
575 out_free:
576         security_free_mnt_opts(opts);
577         return rc;
578 }
579 
580 static int bad_option(struct superblock_security_struct *sbsec, char flag,
581                       u32 old_sid, u32 new_sid)
582 {
583         char mnt_flags = sbsec->flags & SE_MNTMASK;
584 
585         /* check if the old mount command had the same options */
586         if (sbsec->flags & SE_SBINITIALIZED)
587                 if (!(sbsec->flags & flag) ||
588                     (old_sid != new_sid))
589                         return 1;
590 
591         /* check if we were passed the same options twice,
592          * aka someone passed context=a,context=b
593          */
594         if (!(sbsec->flags & SE_SBINITIALIZED))
595                 if (mnt_flags & flag)
596                         return 1;
597         return 0;
598 }
599 
600 /*
601  * Allow filesystems with binary mount data to explicitly set mount point
602  * labeling information.
603  */
604 static int selinux_set_mnt_opts(struct super_block *sb,
605                                 struct security_mnt_opts *opts,
606                                 unsigned long kern_flags,
607                                 unsigned long *set_kern_flags)
608 {
609         const struct cred *cred = current_cred();
610         int rc = 0, i;
611         struct superblock_security_struct *sbsec = sb->s_security;
612         const char *name = sb->s_type->name;
613         struct inode *inode = sbsec->sb->s_root->d_inode;
614         struct inode_security_struct *root_isec = inode->i_security;
615         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
616         u32 defcontext_sid = 0;
617         char **mount_options = opts->mnt_opts;
618         int *flags = opts->mnt_opts_flags;
619         int num_opts = opts->num_mnt_opts;
620 
621         mutex_lock(&sbsec->lock);
622 
623         if (!ss_initialized) {
624                 if (!num_opts) {
625                         /* Defer initialization until selinux_complete_init,
626                            after the initial policy is loaded and the security
627                            server is ready to handle calls. */
628                         goto out;
629                 }
630                 rc = -EINVAL;
631                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
632                         "before the security server is initialized\n");
633                 goto out;
634         }
635         if (kern_flags && !set_kern_flags) {
636                 /* Specifying internal flags without providing a place to
637                  * place the results is not allowed */
638                 rc = -EINVAL;
639                 goto out;
640         }
641 
642         /*
643          * Binary mount data FS will come through this function twice.  Once
644          * from an explicit call and once from the generic calls from the vfs.
645          * Since the generic VFS calls will not contain any security mount data
646          * we need to skip the double mount verification.
647          *
648          * This does open a hole in which we will not notice if the first
649          * mount using this sb set explict options and a second mount using
650          * this sb does not set any security options.  (The first options
651          * will be used for both mounts)
652          */
653         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
654             && (num_opts == 0))
655                 goto out;
656 
657         /*
658          * parse the mount options, check if they are valid sids.
659          * also check if someone is trying to mount the same sb more
660          * than once with different security options.
661          */
662         for (i = 0; i < num_opts; i++) {
663                 u32 sid;
664 
665                 if (flags[i] == SBLABEL_MNT)
666                         continue;
667                 rc = security_context_to_sid(mount_options[i],
668                                              strlen(mount_options[i]), &sid, GFP_KERNEL);
669                 if (rc) {
670                         printk(KERN_WARNING "SELinux: security_context_to_sid"
671                                "(%s) failed for (dev %s, type %s) errno=%d\n",
672                                mount_options[i], sb->s_id, name, rc);
673                         goto out;
674                 }
675                 switch (flags[i]) {
676                 case FSCONTEXT_MNT:
677                         fscontext_sid = sid;
678 
679                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
680                                         fscontext_sid))
681                                 goto out_double_mount;
682 
683                         sbsec->flags |= FSCONTEXT_MNT;
684                         break;
685                 case CONTEXT_MNT:
686                         context_sid = sid;
687 
688                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
689                                         context_sid))
690                                 goto out_double_mount;
691 
692                         sbsec->flags |= CONTEXT_MNT;
693                         break;
694                 case ROOTCONTEXT_MNT:
695                         rootcontext_sid = sid;
696 
697                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
698                                         rootcontext_sid))
699                                 goto out_double_mount;
700 
701                         sbsec->flags |= ROOTCONTEXT_MNT;
702 
703                         break;
704                 case DEFCONTEXT_MNT:
705                         defcontext_sid = sid;
706 
707                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
708                                         defcontext_sid))
709                                 goto out_double_mount;
710 
711                         sbsec->flags |= DEFCONTEXT_MNT;
712 
713                         break;
714                 default:
715                         rc = -EINVAL;
716                         goto out;
717                 }
718         }
719 
720         if (sbsec->flags & SE_SBINITIALIZED) {
721                 /* previously mounted with options, but not on this attempt? */
722                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
723                         goto out_double_mount;
724                 rc = 0;
725                 goto out;
726         }
727 
728         if (strcmp(sb->s_type->name, "proc") == 0)
729                 sbsec->flags |= SE_SBPROC;
730 
731         if (!sbsec->behavior) {
732                 /*
733                  * Determine the labeling behavior to use for this
734                  * filesystem type.
735                  */
736                 rc = security_fs_use(sb);
737                 if (rc) {
738                         printk(KERN_WARNING
739                                 "%s: security_fs_use(%s) returned %d\n",
740                                         __func__, sb->s_type->name, rc);
741                         goto out;
742                 }
743         }
744         /* sets the context of the superblock for the fs being mounted. */
745         if (fscontext_sid) {
746                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
747                 if (rc)
748                         goto out;
749 
750                 sbsec->sid = fscontext_sid;
751         }
752 
753         /*
754          * Switch to using mount point labeling behavior.
755          * sets the label used on all file below the mountpoint, and will set
756          * the superblock context if not already set.
757          */
758         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
759                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
760                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
761         }
762 
763         if (context_sid) {
764                 if (!fscontext_sid) {
765                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
766                                                           cred);
767                         if (rc)
768                                 goto out;
769                         sbsec->sid = context_sid;
770                 } else {
771                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
772                                                              cred);
773                         if (rc)
774                                 goto out;
775                 }
776                 if (!rootcontext_sid)
777                         rootcontext_sid = context_sid;
778 
779                 sbsec->mntpoint_sid = context_sid;
780                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
781         }
782 
783         if (rootcontext_sid) {
784                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
785                                                      cred);
786                 if (rc)
787                         goto out;
788 
789                 root_isec->sid = rootcontext_sid;
790                 root_isec->initialized = 1;
791         }
792 
793         if (defcontext_sid) {
794                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
795                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
796                         rc = -EINVAL;
797                         printk(KERN_WARNING "SELinux: defcontext option is "
798                                "invalid for this filesystem type\n");
799                         goto out;
800                 }
801 
802                 if (defcontext_sid != sbsec->def_sid) {
803                         rc = may_context_mount_inode_relabel(defcontext_sid,
804                                                              sbsec, cred);
805                         if (rc)
806                                 goto out;
807                 }
808 
809                 sbsec->def_sid = defcontext_sid;
810         }
811 
812         rc = sb_finish_set_opts(sb);
813 out:
814         mutex_unlock(&sbsec->lock);
815         return rc;
816 out_double_mount:
817         rc = -EINVAL;
818         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
819                "security settings for (dev %s, type %s)\n", sb->s_id, name);
820         goto out;
821 }
822 
823 static int selinux_cmp_sb_context(const struct super_block *oldsb,
824                                     const struct super_block *newsb)
825 {
826         struct superblock_security_struct *old = oldsb->s_security;
827         struct superblock_security_struct *new = newsb->s_security;
828         char oldflags = old->flags & SE_MNTMASK;
829         char newflags = new->flags & SE_MNTMASK;
830 
831         if (oldflags != newflags)
832                 goto mismatch;
833         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
834                 goto mismatch;
835         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
836                 goto mismatch;
837         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
838                 goto mismatch;
839         if (oldflags & ROOTCONTEXT_MNT) {
840                 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
841                 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
842                 if (oldroot->sid != newroot->sid)
843                         goto mismatch;
844         }
845         return 0;
846 mismatch:
847         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
848                             "different security settings for (dev %s, "
849                             "type %s)\n", newsb->s_id, newsb->s_type->name);
850         return -EBUSY;
851 }
852 
853 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
854                                         struct super_block *newsb)
855 {
856         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
857         struct superblock_security_struct *newsbsec = newsb->s_security;
858 
859         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
860         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
861         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
862 
863         /*
864          * if the parent was able to be mounted it clearly had no special lsm
865          * mount options.  thus we can safely deal with this superblock later
866          */
867         if (!ss_initialized)
868                 return 0;
869 
870         /* how can we clone if the old one wasn't set up?? */
871         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
872 
873         /* if fs is reusing a sb, make sure that the contexts match */
874         if (newsbsec->flags & SE_SBINITIALIZED)
875                 return selinux_cmp_sb_context(oldsb, newsb);
876 
877         mutex_lock(&newsbsec->lock);
878 
879         newsbsec->flags = oldsbsec->flags;
880 
881         newsbsec->sid = oldsbsec->sid;
882         newsbsec->def_sid = oldsbsec->def_sid;
883         newsbsec->behavior = oldsbsec->behavior;
884 
885         if (set_context) {
886                 u32 sid = oldsbsec->mntpoint_sid;
887 
888                 if (!set_fscontext)
889                         newsbsec->sid = sid;
890                 if (!set_rootcontext) {
891                         struct inode *newinode = newsb->s_root->d_inode;
892                         struct inode_security_struct *newisec = newinode->i_security;
893                         newisec->sid = sid;
894                 }
895                 newsbsec->mntpoint_sid = sid;
896         }
897         if (set_rootcontext) {
898                 const struct inode *oldinode = oldsb->s_root->d_inode;
899                 const struct inode_security_struct *oldisec = oldinode->i_security;
900                 struct inode *newinode = newsb->s_root->d_inode;
901                 struct inode_security_struct *newisec = newinode->i_security;
902 
903                 newisec->sid = oldisec->sid;
904         }
905 
906         sb_finish_set_opts(newsb);
907         mutex_unlock(&newsbsec->lock);
908         return 0;
909 }
910 
911 static int selinux_parse_opts_str(char *options,
912                                   struct security_mnt_opts *opts)
913 {
914         char *p;
915         char *context = NULL, *defcontext = NULL;
916         char *fscontext = NULL, *rootcontext = NULL;
917         int rc, num_mnt_opts = 0;
918 
919         opts->num_mnt_opts = 0;
920 
921         /* Standard string-based options. */
922         while ((p = strsep(&options, "|")) != NULL) {
923                 int token;
924                 substring_t args[MAX_OPT_ARGS];
925 
926                 if (!*p)
927                         continue;
928 
929                 token = match_token(p, tokens, args);
930 
931                 switch (token) {
932                 case Opt_context:
933                         if (context || defcontext) {
934                                 rc = -EINVAL;
935                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
936                                 goto out_err;
937                         }
938                         context = match_strdup(&args[0]);
939                         if (!context) {
940                                 rc = -ENOMEM;
941                                 goto out_err;
942                         }
943                         break;
944 
945                 case Opt_fscontext:
946                         if (fscontext) {
947                                 rc = -EINVAL;
948                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
949                                 goto out_err;
950                         }
951                         fscontext = match_strdup(&args[0]);
952                         if (!fscontext) {
953                                 rc = -ENOMEM;
954                                 goto out_err;
955                         }
956                         break;
957 
958                 case Opt_rootcontext:
959                         if (rootcontext) {
960                                 rc = -EINVAL;
961                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
962                                 goto out_err;
963                         }
964                         rootcontext = match_strdup(&args[0]);
965                         if (!rootcontext) {
966                                 rc = -ENOMEM;
967                                 goto out_err;
968                         }
969                         break;
970 
971                 case Opt_defcontext:
972                         if (context || defcontext) {
973                                 rc = -EINVAL;
974                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
975                                 goto out_err;
976                         }
977                         defcontext = match_strdup(&args[0]);
978                         if (!defcontext) {
979                                 rc = -ENOMEM;
980                                 goto out_err;
981                         }
982                         break;
983                 case Opt_labelsupport:
984                         break;
985                 default:
986                         rc = -EINVAL;
987                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
988                         goto out_err;
989 
990                 }
991         }
992 
993         rc = -ENOMEM;
994         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
995         if (!opts->mnt_opts)
996                 goto out_err;
997 
998         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
999         if (!opts->mnt_opts_flags) {
1000                 kfree(opts->mnt_opts);
1001                 goto out_err;
1002         }
1003 
1004         if (fscontext) {
1005                 opts->mnt_opts[num_mnt_opts] = fscontext;
1006                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1007         }
1008         if (context) {
1009                 opts->mnt_opts[num_mnt_opts] = context;
1010                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1011         }
1012         if (rootcontext) {
1013                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1014                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1015         }
1016         if (defcontext) {
1017                 opts->mnt_opts[num_mnt_opts] = defcontext;
1018                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1019         }
1020 
1021         opts->num_mnt_opts = num_mnt_opts;
1022         return 0;
1023 
1024 out_err:
1025         kfree(context);
1026         kfree(defcontext);
1027         kfree(fscontext);
1028         kfree(rootcontext);
1029         return rc;
1030 }
1031 /*
1032  * string mount options parsing and call set the sbsec
1033  */
1034 static int superblock_doinit(struct super_block *sb, void *data)
1035 {
1036         int rc = 0;
1037         char *options = data;
1038         struct security_mnt_opts opts;
1039 
1040         security_init_mnt_opts(&opts);
1041 
1042         if (!data)
1043                 goto out;
1044 
1045         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1046 
1047         rc = selinux_parse_opts_str(options, &opts);
1048         if (rc)
1049                 goto out_err;
1050 
1051 out:
1052         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1053 
1054 out_err:
1055         security_free_mnt_opts(&opts);
1056         return rc;
1057 }
1058 
1059 static void selinux_write_opts(struct seq_file *m,
1060                                struct security_mnt_opts *opts)
1061 {
1062         int i;
1063         char *prefix;
1064 
1065         for (i = 0; i < opts->num_mnt_opts; i++) {
1066                 char *has_comma;
1067 
1068                 if (opts->mnt_opts[i])
1069                         has_comma = strchr(opts->mnt_opts[i], ',');
1070                 else
1071                         has_comma = NULL;
1072 
1073                 switch (opts->mnt_opts_flags[i]) {
1074                 case CONTEXT_MNT:
1075                         prefix = CONTEXT_STR;
1076                         break;
1077                 case FSCONTEXT_MNT:
1078                         prefix = FSCONTEXT_STR;
1079                         break;
1080                 case ROOTCONTEXT_MNT:
1081                         prefix = ROOTCONTEXT_STR;
1082                         break;
1083                 case DEFCONTEXT_MNT:
1084                         prefix = DEFCONTEXT_STR;
1085                         break;
1086                 case SBLABEL_MNT:
1087                         seq_putc(m, ',');
1088                         seq_puts(m, LABELSUPP_STR);
1089                         continue;
1090                 default:
1091                         BUG();
1092                         return;
1093                 };
1094                 /* we need a comma before each option */
1095                 seq_putc(m, ',');
1096                 seq_puts(m, prefix);
1097                 if (has_comma)
1098                         seq_putc(m, '\"');
1099                 seq_puts(m, opts->mnt_opts[i]);
1100                 if (has_comma)
1101                         seq_putc(m, '\"');
1102         }
1103 }
1104 
1105 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1106 {
1107         struct security_mnt_opts opts;
1108         int rc;
1109 
1110         rc = selinux_get_mnt_opts(sb, &opts);
1111         if (rc) {
1112                 /* before policy load we may get EINVAL, don't show anything */
1113                 if (rc == -EINVAL)
1114                         rc = 0;
1115                 return rc;
1116         }
1117 
1118         selinux_write_opts(m, &opts);
1119 
1120         security_free_mnt_opts(&opts);
1121 
1122         return rc;
1123 }
1124 
1125 static inline u16 inode_mode_to_security_class(umode_t mode)
1126 {
1127         switch (mode & S_IFMT) {
1128         case S_IFSOCK:
1129                 return SECCLASS_SOCK_FILE;
1130         case S_IFLNK:
1131                 return SECCLASS_LNK_FILE;
1132         case S_IFREG:
1133                 return SECCLASS_FILE;
1134         case S_IFBLK:
1135                 return SECCLASS_BLK_FILE;
1136         case S_IFDIR:
1137                 return SECCLASS_DIR;
1138         case S_IFCHR:
1139                 return SECCLASS_CHR_FILE;
1140         case S_IFIFO:
1141                 return SECCLASS_FIFO_FILE;
1142 
1143         }
1144 
1145         return SECCLASS_FILE;
1146 }
1147 
1148 static inline int default_protocol_stream(int protocol)
1149 {
1150         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1151 }
1152 
1153 static inline int default_protocol_dgram(int protocol)
1154 {
1155         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1156 }
1157 
1158 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1159 {
1160         switch (family) {
1161         case PF_UNIX:
1162                 switch (type) {
1163                 case SOCK_STREAM:
1164                 case SOCK_SEQPACKET:
1165                         return SECCLASS_UNIX_STREAM_SOCKET;
1166                 case SOCK_DGRAM:
1167                         return SECCLASS_UNIX_DGRAM_SOCKET;
1168                 }
1169                 break;
1170         case PF_INET:
1171         case PF_INET6:
1172                 switch (type) {
1173                 case SOCK_STREAM:
1174                         if (default_protocol_stream(protocol))
1175                                 return SECCLASS_TCP_SOCKET;
1176                         else
1177                                 return SECCLASS_RAWIP_SOCKET;
1178                 case SOCK_DGRAM:
1179                         if (default_protocol_dgram(protocol))
1180                                 return SECCLASS_UDP_SOCKET;
1181                         else
1182                                 return SECCLASS_RAWIP_SOCKET;
1183                 case SOCK_DCCP:
1184                         return SECCLASS_DCCP_SOCKET;
1185                 default:
1186                         return SECCLASS_RAWIP_SOCKET;
1187                 }
1188                 break;
1189         case PF_NETLINK:
1190                 switch (protocol) {
1191                 case NETLINK_ROUTE:
1192                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1193                 case NETLINK_FIREWALL:
1194                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1195                 case NETLINK_SOCK_DIAG:
1196                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1197                 case NETLINK_NFLOG:
1198                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1199                 case NETLINK_XFRM:
1200                         return SECCLASS_NETLINK_XFRM_SOCKET;
1201                 case NETLINK_SELINUX:
1202                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1203                 case NETLINK_AUDIT:
1204                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1205                 case NETLINK_IP6_FW:
1206                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1207                 case NETLINK_DNRTMSG:
1208                         return SECCLASS_NETLINK_DNRT_SOCKET;
1209                 case NETLINK_KOBJECT_UEVENT:
1210                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1211                 default:
1212                         return SECCLASS_NETLINK_SOCKET;
1213                 }
1214         case PF_PACKET:
1215                 return SECCLASS_PACKET_SOCKET;
1216         case PF_KEY:
1217                 return SECCLASS_KEY_SOCKET;
1218         case PF_APPLETALK:
1219                 return SECCLASS_APPLETALK_SOCKET;
1220         }
1221 
1222         return SECCLASS_SOCKET;
1223 }
1224 
1225 #ifdef CONFIG_PROC_FS
1226 static int selinux_proc_get_sid(struct dentry *dentry,
1227                                 u16 tclass,
1228                                 u32 *sid)
1229 {
1230         int rc;
1231         char *buffer, *path;
1232 
1233         buffer = (char *)__get_free_page(GFP_KERNEL);
1234         if (!buffer)
1235                 return -ENOMEM;
1236 
1237         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1238         if (IS_ERR(path))
1239                 rc = PTR_ERR(path);
1240         else {
1241                 /* each process gets a /proc/PID/ entry. Strip off the
1242                  * PID part to get a valid selinux labeling.
1243                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1244                 while (path[1] >= '' && path[1] <= '9') {
1245                         path[1] = '/';
1246                         path++;
1247                 }
1248                 rc = security_genfs_sid("proc", path, tclass, sid);
1249         }
1250         free_page((unsigned long)buffer);
1251         return rc;
1252 }
1253 #else
1254 static int selinux_proc_get_sid(struct dentry *dentry,
1255                                 u16 tclass,
1256                                 u32 *sid)
1257 {
1258         return -EINVAL;
1259 }
1260 #endif
1261 
1262 /* The inode's security attributes must be initialized before first use. */
1263 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1264 {
1265         struct superblock_security_struct *sbsec = NULL;
1266         struct inode_security_struct *isec = inode->i_security;
1267         u32 sid;
1268         struct dentry *dentry;
1269 #define INITCONTEXTLEN 255
1270         char *context = NULL;
1271         unsigned len = 0;
1272         int rc = 0;
1273 
1274         if (isec->initialized)
1275                 goto out;
1276 
1277         mutex_lock(&isec->lock);
1278         if (isec->initialized)
1279                 goto out_unlock;
1280 
1281         sbsec = inode->i_sb->s_security;
1282         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1283                 /* Defer initialization until selinux_complete_init,
1284                    after the initial policy is loaded and the security
1285                    server is ready to handle calls. */
1286                 spin_lock(&sbsec->isec_lock);
1287                 if (list_empty(&isec->list))
1288                         list_add(&isec->list, &sbsec->isec_head);
1289                 spin_unlock(&sbsec->isec_lock);
1290                 goto out_unlock;
1291         }
1292 
1293         switch (sbsec->behavior) {
1294         case SECURITY_FS_USE_NATIVE:
1295                 break;
1296         case SECURITY_FS_USE_XATTR:
1297                 if (!inode->i_op->getxattr) {
1298                         isec->sid = sbsec->def_sid;
1299                         break;
1300                 }
1301 
1302                 /* Need a dentry, since the xattr API requires one.
1303                    Life would be simpler if we could just pass the inode. */
1304                 if (opt_dentry) {
1305                         /* Called from d_instantiate or d_splice_alias. */
1306                         dentry = dget(opt_dentry);
1307                 } else {
1308                         /* Called from selinux_complete_init, try to find a dentry. */
1309                         dentry = d_find_alias(inode);
1310                 }
1311                 if (!dentry) {
1312                         /*
1313                          * this is can be hit on boot when a file is accessed
1314                          * before the policy is loaded.  When we load policy we
1315                          * may find inodes that have no dentry on the
1316                          * sbsec->isec_head list.  No reason to complain as these
1317                          * will get fixed up the next time we go through
1318                          * inode_doinit with a dentry, before these inodes could
1319                          * be used again by userspace.
1320                          */
1321                         goto out_unlock;
1322                 }
1323 
1324                 len = INITCONTEXTLEN;
1325                 context = kmalloc(len+1, GFP_NOFS);
1326                 if (!context) {
1327                         rc = -ENOMEM;
1328                         dput(dentry);
1329                         goto out_unlock;
1330                 }
1331                 context[len] = '\0';
1332                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1333                                            context, len);
1334                 if (rc == -ERANGE) {
1335                         kfree(context);
1336 
1337                         /* Need a larger buffer.  Query for the right size. */
1338                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1339                                                    NULL, 0);
1340                         if (rc < 0) {
1341                                 dput(dentry);
1342                                 goto out_unlock;
1343                         }
1344                         len = rc;
1345                         context = kmalloc(len+1, GFP_NOFS);
1346                         if (!context) {
1347                                 rc = -ENOMEM;
1348                                 dput(dentry);
1349                                 goto out_unlock;
1350                         }
1351                         context[len] = '\0';
1352                         rc = inode->i_op->getxattr(dentry,
1353                                                    XATTR_NAME_SELINUX,
1354                                                    context, len);
1355                 }
1356                 dput(dentry);
1357                 if (rc < 0) {
1358                         if (rc != -ENODATA) {
1359                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1360                                        "%d for dev=%s ino=%ld\n", __func__,
1361                                        -rc, inode->i_sb->s_id, inode->i_ino);
1362                                 kfree(context);
1363                                 goto out_unlock;
1364                         }
1365                         /* Map ENODATA to the default file SID */
1366                         sid = sbsec->def_sid;
1367                         rc = 0;
1368                 } else {
1369                         rc = security_context_to_sid_default(context, rc, &sid,
1370                                                              sbsec->def_sid,
1371                                                              GFP_NOFS);
1372                         if (rc) {
1373                                 char *dev = inode->i_sb->s_id;
1374                                 unsigned long ino = inode->i_ino;
1375 
1376                                 if (rc == -EINVAL) {
1377                                         if (printk_ratelimit())
1378                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1379                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1380                                                         "filesystem in question.\n", ino, dev, context);
1381                                 } else {
1382                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1383                                                "returned %d for dev=%s ino=%ld\n",
1384                                                __func__, context, -rc, dev, ino);
1385                                 }
1386                                 kfree(context);
1387                                 /* Leave with the unlabeled SID */
1388                                 rc = 0;
1389                                 break;
1390                         }
1391                 }
1392                 kfree(context);
1393                 isec->sid = sid;
1394                 break;
1395         case SECURITY_FS_USE_TASK:
1396                 isec->sid = isec->task_sid;
1397                 break;
1398         case SECURITY_FS_USE_TRANS:
1399                 /* Default to the fs SID. */
1400                 isec->sid = sbsec->sid;
1401 
1402                 /* Try to obtain a transition SID. */
1403                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1404                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1405                                              isec->sclass, NULL, &sid);
1406                 if (rc)
1407                         goto out_unlock;
1408                 isec->sid = sid;
1409                 break;
1410         case SECURITY_FS_USE_MNTPOINT:
1411                 isec->sid = sbsec->mntpoint_sid;
1412                 break;
1413         default:
1414                 /* Default to the fs superblock SID. */
1415                 isec->sid = sbsec->sid;
1416 
1417                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1418                         /* We must have a dentry to determine the label on
1419                          * procfs inodes */
1420                         if (opt_dentry)
1421                                 /* Called from d_instantiate or
1422                                  * d_splice_alias. */
1423                                 dentry = dget(opt_dentry);
1424                         else
1425                                 /* Called from selinux_complete_init, try to
1426                                  * find a dentry. */
1427                                 dentry = d_find_alias(inode);
1428                         /*
1429                          * This can be hit on boot when a file is accessed
1430                          * before the policy is loaded.  When we load policy we
1431                          * may find inodes that have no dentry on the
1432                          * sbsec->isec_head list.  No reason to complain as
1433                          * these will get fixed up the next time we go through
1434                          * inode_doinit() with a dentry, before these inodes
1435                          * could be used again by userspace.
1436                          */
1437                         if (!dentry)
1438                                 goto out_unlock;
1439                         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1440                         rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1441                         dput(dentry);
1442                         if (rc)
1443                                 goto out_unlock;
1444                         isec->sid = sid;
1445                 }
1446                 break;
1447         }
1448 
1449         isec->initialized = 1;
1450 
1451 out_unlock:
1452         mutex_unlock(&isec->lock);
1453 out:
1454         if (isec->sclass == SECCLASS_FILE)
1455                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1456         return rc;
1457 }
1458 
1459 /* Convert a Linux signal to an access vector. */
1460 static inline u32 signal_to_av(int sig)
1461 {
1462         u32 perm = 0;
1463 
1464         switch (sig) {
1465         case SIGCHLD:
1466                 /* Commonly granted from child to parent. */
1467                 perm = PROCESS__SIGCHLD;
1468                 break;
1469         case SIGKILL:
1470                 /* Cannot be caught or ignored */
1471                 perm = PROCESS__SIGKILL;
1472                 break;
1473         case SIGSTOP:
1474                 /* Cannot be caught or ignored */
1475                 perm = PROCESS__SIGSTOP;
1476                 break;
1477         default:
1478                 /* All other signals. */
1479                 perm = PROCESS__SIGNAL;
1480                 break;
1481         }
1482 
1483         return perm;
1484 }
1485 
1486 /*
1487  * Check permission between a pair of credentials
1488  * fork check, ptrace check, etc.
1489  */
1490 static int cred_has_perm(const struct cred *actor,
1491                          const struct cred *target,
1492                          u32 perms)
1493 {
1494         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1495 
1496         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1497 }
1498 
1499 /*
1500  * Check permission between a pair of tasks, e.g. signal checks,
1501  * fork check, ptrace check, etc.
1502  * tsk1 is the actor and tsk2 is the target
1503  * - this uses the default subjective creds of tsk1
1504  */
1505 static int task_has_perm(const struct task_struct *tsk1,
1506                          const struct task_struct *tsk2,
1507                          u32 perms)
1508 {
1509         const struct task_security_struct *__tsec1, *__tsec2;
1510         u32 sid1, sid2;
1511 
1512         rcu_read_lock();
1513         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1514         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1515         rcu_read_unlock();
1516         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1517 }
1518 
1519 /*
1520  * Check permission between current and another task, e.g. signal checks,
1521  * fork check, ptrace check, etc.
1522  * current is the actor and tsk2 is the target
1523  * - this uses current's subjective creds
1524  */
1525 static int current_has_perm(const struct task_struct *tsk,
1526                             u32 perms)
1527 {
1528         u32 sid, tsid;
1529 
1530         sid = current_sid();
1531         tsid = task_sid(tsk);
1532         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1533 }
1534 
1535 #if CAP_LAST_CAP > 63
1536 #error Fix SELinux to handle capabilities > 63.
1537 #endif
1538 
1539 /* Check whether a task is allowed to use a capability. */
1540 static int cred_has_capability(const struct cred *cred,
1541                                int cap, int audit)
1542 {
1543         struct common_audit_data ad;
1544         struct av_decision avd;
1545         u16 sclass;
1546         u32 sid = cred_sid(cred);
1547         u32 av = CAP_TO_MASK(cap);
1548         int rc;
1549 
1550         ad.type = LSM_AUDIT_DATA_CAP;
1551         ad.u.cap = cap;
1552 
1553         switch (CAP_TO_INDEX(cap)) {
1554         case 0:
1555                 sclass = SECCLASS_CAPABILITY;
1556                 break;
1557         case 1:
1558                 sclass = SECCLASS_CAPABILITY2;
1559                 break;
1560         default:
1561                 printk(KERN_ERR
1562                        "SELinux:  out of range capability %d\n", cap);
1563                 BUG();
1564                 return -EINVAL;
1565         }
1566 
1567         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1568         if (audit == SECURITY_CAP_AUDIT) {
1569                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1570                 if (rc2)
1571                         return rc2;
1572         }
1573         return rc;
1574 }
1575 
1576 /* Check whether a task is allowed to use a system operation. */
1577 static int task_has_system(struct task_struct *tsk,
1578                            u32 perms)
1579 {
1580         u32 sid = task_sid(tsk);
1581 
1582         return avc_has_perm(sid, SECINITSID_KERNEL,
1583                             SECCLASS_SYSTEM, perms, NULL);
1584 }
1585 
1586 /* Check whether a task has a particular permission to an inode.
1587    The 'adp' parameter is optional and allows other audit
1588    data to be passed (e.g. the dentry). */
1589 static int inode_has_perm(const struct cred *cred,
1590                           struct inode *inode,
1591                           u32 perms,
1592                           struct common_audit_data *adp)
1593 {
1594         struct inode_security_struct *isec;
1595         u32 sid;
1596 
1597         validate_creds(cred);
1598 
1599         if (unlikely(IS_PRIVATE(inode)))
1600                 return 0;
1601 
1602         sid = cred_sid(cred);
1603         isec = inode->i_security;
1604 
1605         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1606 }
1607 
1608 /* Same as inode_has_perm, but pass explicit audit data containing
1609    the dentry to help the auditing code to more easily generate the
1610    pathname if needed. */
1611 static inline int dentry_has_perm(const struct cred *cred,
1612                                   struct dentry *dentry,
1613                                   u32 av)
1614 {
1615         struct inode *inode = dentry->d_inode;
1616         struct common_audit_data ad;
1617 
1618         ad.type = LSM_AUDIT_DATA_DENTRY;
1619         ad.u.dentry = dentry;
1620         return inode_has_perm(cred, inode, av, &ad);
1621 }
1622 
1623 /* Same as inode_has_perm, but pass explicit audit data containing
1624    the path to help the auditing code to more easily generate the
1625    pathname if needed. */
1626 static inline int path_has_perm(const struct cred *cred,
1627                                 struct path *path,
1628                                 u32 av)
1629 {
1630         struct inode *inode = path->dentry->d_inode;
1631         struct common_audit_data ad;
1632 
1633         ad.type = LSM_AUDIT_DATA_PATH;
1634         ad.u.path = *path;
1635         return inode_has_perm(cred, inode, av, &ad);
1636 }
1637 
1638 /* Same as path_has_perm, but uses the inode from the file struct. */
1639 static inline int file_path_has_perm(const struct cred *cred,
1640                                      struct file *file,
1641                                      u32 av)
1642 {
1643         struct common_audit_data ad;
1644 
1645         ad.type = LSM_AUDIT_DATA_PATH;
1646         ad.u.path = file->f_path;
1647         return inode_has_perm(cred, file_inode(file), av, &ad);
1648 }
1649 
1650 /* Check whether a task can use an open file descriptor to
1651    access an inode in a given way.  Check access to the
1652    descriptor itself, and then use dentry_has_perm to
1653    check a particular permission to the file.
1654    Access to the descriptor is implicitly granted if it
1655    has the same SID as the process.  If av is zero, then
1656    access to the file is not checked, e.g. for cases
1657    where only the descriptor is affected like seek. */
1658 static int file_has_perm(const struct cred *cred,
1659                          struct file *file,
1660                          u32 av)
1661 {
1662         struct file_security_struct *fsec = file->f_security;
1663         struct inode *inode = file_inode(file);
1664         struct common_audit_data ad;
1665         u32 sid = cred_sid(cred);
1666         int rc;
1667 
1668         ad.type = LSM_AUDIT_DATA_PATH;
1669         ad.u.path = file->f_path;
1670 
1671         if (sid != fsec->sid) {
1672                 rc = avc_has_perm(sid, fsec->sid,
1673                                   SECCLASS_FD,
1674                                   FD__USE,
1675                                   &ad);
1676                 if (rc)
1677                         goto out;
1678         }
1679 
1680         /* av is zero if only checking access to the descriptor. */
1681         rc = 0;
1682         if (av)
1683                 rc = inode_has_perm(cred, inode, av, &ad);
1684 
1685 out:
1686         return rc;
1687 }
1688 
1689 /* Check whether a task can create a file. */
1690 static int may_create(struct inode *dir,
1691                       struct dentry *dentry,
1692                       u16 tclass)
1693 {
1694         const struct task_security_struct *tsec = current_security();
1695         struct inode_security_struct *dsec;
1696         struct superblock_security_struct *sbsec;
1697         u32 sid, newsid;
1698         struct common_audit_data ad;
1699         int rc;
1700 
1701         dsec = dir->i_security;
1702         sbsec = dir->i_sb->s_security;
1703 
1704         sid = tsec->sid;
1705         newsid = tsec->create_sid;
1706 
1707         ad.type = LSM_AUDIT_DATA_DENTRY;
1708         ad.u.dentry = dentry;
1709 
1710         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1711                           DIR__ADD_NAME | DIR__SEARCH,
1712                           &ad);
1713         if (rc)
1714                 return rc;
1715 
1716         if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1717                 rc = security_transition_sid(sid, dsec->sid, tclass,
1718                                              &dentry->d_name, &newsid);
1719                 if (rc)
1720                         return rc;
1721         }
1722 
1723         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1724         if (rc)
1725                 return rc;
1726 
1727         return avc_has_perm(newsid, sbsec->sid,
1728                             SECCLASS_FILESYSTEM,
1729                             FILESYSTEM__ASSOCIATE, &ad);
1730 }
1731 
1732 /* Check whether a task can create a key. */
1733 static int may_create_key(u32 ksid,
1734                           struct task_struct *ctx)
1735 {
1736         u32 sid = task_sid(ctx);
1737 
1738         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1739 }
1740 
1741 #define MAY_LINK        0
1742 #define MAY_UNLINK      1
1743 #define MAY_RMDIR       2
1744 
1745 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1746 static int may_link(struct inode *dir,
1747                     struct dentry *dentry,
1748                     int kind)
1749 
1750 {
1751         struct inode_security_struct *dsec, *isec;
1752         struct common_audit_data ad;
1753         u32 sid = current_sid();
1754         u32 av;
1755         int rc;
1756 
1757         dsec = dir->i_security;
1758         isec = dentry->d_inode->i_security;
1759 
1760         ad.type = LSM_AUDIT_DATA_DENTRY;
1761         ad.u.dentry = dentry;
1762 
1763         av = DIR__SEARCH;
1764         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1765         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1766         if (rc)
1767                 return rc;
1768 
1769         switch (kind) {
1770         case MAY_LINK:
1771                 av = FILE__LINK;
1772                 break;
1773         case MAY_UNLINK:
1774                 av = FILE__UNLINK;
1775                 break;
1776         case MAY_RMDIR:
1777                 av = DIR__RMDIR;
1778                 break;
1779         default:
1780                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1781                         __func__, kind);
1782                 return 0;
1783         }
1784 
1785         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1786         return rc;
1787 }
1788 
1789 static inline int may_rename(struct inode *old_dir,
1790                              struct dentry *old_dentry,
1791                              struct inode *new_dir,
1792                              struct dentry *new_dentry)
1793 {
1794         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1795         struct common_audit_data ad;
1796         u32 sid = current_sid();
1797         u32 av;
1798         int old_is_dir, new_is_dir;
1799         int rc;
1800 
1801         old_dsec = old_dir->i_security;
1802         old_isec = old_dentry->d_inode->i_security;
1803         old_is_dir = d_is_dir(old_dentry);
1804         new_dsec = new_dir->i_security;
1805 
1806         ad.type = LSM_AUDIT_DATA_DENTRY;
1807 
1808         ad.u.dentry = old_dentry;
1809         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1810                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1811         if (rc)
1812                 return rc;
1813         rc = avc_has_perm(sid, old_isec->sid,
1814                           old_isec->sclass, FILE__RENAME, &ad);
1815         if (rc)
1816                 return rc;
1817         if (old_is_dir && new_dir != old_dir) {
1818                 rc = avc_has_perm(sid, old_isec->sid,
1819                                   old_isec->sclass, DIR__REPARENT, &ad);
1820                 if (rc)
1821                         return rc;
1822         }
1823 
1824         ad.u.dentry = new_dentry;
1825         av = DIR__ADD_NAME | DIR__SEARCH;
1826         if (d_is_positive(new_dentry))
1827                 av |= DIR__REMOVE_NAME;
1828         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1829         if (rc)
1830                 return rc;
1831         if (d_is_positive(new_dentry)) {
1832                 new_isec = new_dentry->d_inode->i_security;
1833                 new_is_dir = d_is_dir(new_dentry);
1834                 rc = avc_has_perm(sid, new_isec->sid,
1835                                   new_isec->sclass,
1836                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1837                 if (rc)
1838                         return rc;
1839         }
1840 
1841         return 0;
1842 }
1843 
1844 /* Check whether a task can perform a filesystem operation. */
1845 static int superblock_has_perm(const struct cred *cred,
1846                                struct super_block *sb,
1847                                u32 perms,
1848                                struct common_audit_data *ad)
1849 {
1850         struct superblock_security_struct *sbsec;
1851         u32 sid = cred_sid(cred);
1852 
1853         sbsec = sb->s_security;
1854         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1855 }
1856 
1857 /* Convert a Linux mode and permission mask to an access vector. */
1858 static inline u32 file_mask_to_av(int mode, int mask)
1859 {
1860         u32 av = 0;
1861 
1862         if (!S_ISDIR(mode)) {
1863                 if (mask & MAY_EXEC)
1864                         av |= FILE__EXECUTE;
1865                 if (mask & MAY_READ)
1866                         av |= FILE__READ;
1867 
1868                 if (mask & MAY_APPEND)
1869                         av |= FILE__APPEND;
1870                 else if (mask & MAY_WRITE)
1871                         av |= FILE__WRITE;
1872 
1873         } else {
1874                 if (mask & MAY_EXEC)
1875                         av |= DIR__SEARCH;
1876                 if (mask & MAY_WRITE)
1877                         av |= DIR__WRITE;
1878                 if (mask & MAY_READ)
1879                         av |= DIR__READ;
1880         }
1881 
1882         return av;
1883 }
1884 
1885 /* Convert a Linux file to an access vector. */
1886 static inline u32 file_to_av(struct file *file)
1887 {
1888         u32 av = 0;
1889 
1890         if (file->f_mode & FMODE_READ)
1891                 av |= FILE__READ;
1892         if (file->f_mode & FMODE_WRITE) {
1893                 if (file->f_flags & O_APPEND)
1894                         av |= FILE__APPEND;
1895                 else
1896                         av |= FILE__WRITE;
1897         }
1898         if (!av) {
1899                 /*
1900                  * Special file opened with flags 3 for ioctl-only use.
1901                  */
1902                 av = FILE__IOCTL;
1903         }
1904 
1905         return av;
1906 }
1907 
1908 /*
1909  * Convert a file to an access vector and include the correct open
1910  * open permission.
1911  */
1912 static inline u32 open_file_to_av(struct file *file)
1913 {
1914         u32 av = file_to_av(file);
1915 
1916         if (selinux_policycap_openperm)
1917                 av |= FILE__OPEN;
1918 
1919         return av;
1920 }
1921 
1922 /* Hook functions begin here. */
1923 
1924 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1925 {
1926         u32 mysid = current_sid();
1927         u32 mgrsid = task_sid(mgr);
1928 
1929         return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
1930                             BINDER__SET_CONTEXT_MGR, NULL);
1931 }
1932 
1933 static int selinux_binder_transaction(struct task_struct *from,
1934                                       struct task_struct *to)
1935 {
1936         u32 mysid = current_sid();
1937         u32 fromsid = task_sid(from);
1938         u32 tosid = task_sid(to);
1939         int rc;
1940 
1941         if (mysid != fromsid) {
1942                 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1943                                   BINDER__IMPERSONATE, NULL);
1944                 if (rc)
1945                         return rc;
1946         }
1947 
1948         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
1949                             NULL);
1950 }
1951 
1952 static int selinux_binder_transfer_binder(struct task_struct *from,
1953                                           struct task_struct *to)
1954 {
1955         u32 fromsid = task_sid(from);
1956         u32 tosid = task_sid(to);
1957 
1958         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
1959                             NULL);
1960 }
1961 
1962 static int selinux_binder_transfer_file(struct task_struct *from,
1963                                         struct task_struct *to,
1964                                         struct file *file)
1965 {
1966         u32 sid = task_sid(to);
1967         struct file_security_struct *fsec = file->f_security;
1968         struct inode *inode = file->f_path.dentry->d_inode;
1969         struct inode_security_struct *isec = inode->i_security;
1970         struct common_audit_data ad;
1971         int rc;
1972 
1973         ad.type = LSM_AUDIT_DATA_PATH;
1974         ad.u.path = file->f_path;
1975 
1976         if (sid != fsec->sid) {
1977                 rc = avc_has_perm(sid, fsec->sid,
1978                                   SECCLASS_FD,
1979                                   FD__USE,
1980                                   &ad);
1981                 if (rc)
1982                         return rc;
1983         }
1984 
1985         if (unlikely(IS_PRIVATE(inode)))
1986                 return 0;
1987 
1988         return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
1989                             &ad);
1990 }
1991 
1992 static int selinux_ptrace_access_check(struct task_struct *child,
1993                                      unsigned int mode)
1994 {
1995         int rc;
1996 
1997         rc = cap_ptrace_access_check(child, mode);
1998         if (rc)
1999                 return rc;
2000 
2001         if (mode & PTRACE_MODE_READ) {
2002                 u32 sid = current_sid();
2003                 u32 csid = task_sid(child);
2004                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2005         }
2006 
2007         return current_has_perm(child, PROCESS__PTRACE);
2008 }
2009 
2010 static int selinux_ptrace_traceme(struct task_struct *parent)
2011 {
2012         int rc;
2013 
2014         rc = cap_ptrace_traceme(parent);
2015         if (rc)
2016                 return rc;
2017 
2018         return task_has_perm(parent, current, PROCESS__PTRACE);
2019 }
2020 
2021 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2022                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2023 {
2024         int error;
2025 
2026         error = current_has_perm(target, PROCESS__GETCAP);
2027         if (error)
2028                 return error;
2029 
2030         return cap_capget(target, effective, inheritable, permitted);
2031 }
2032 
2033 static int selinux_capset(struct cred *new, const struct cred *old,
2034                           const kernel_cap_t *effective,
2035                           const kernel_cap_t *inheritable,
2036                           const kernel_cap_t *permitted)
2037 {
2038         int error;
2039 
2040         error = cap_capset(new, old,
2041                                       effective, inheritable, permitted);
2042         if (error)
2043                 return error;
2044 
2045         return cred_has_perm(old, new, PROCESS__SETCAP);
2046 }
2047 
2048 /*
2049  * (This comment used to live with the selinux_task_setuid hook,
2050  * which was removed).
2051  *
2052  * Since setuid only affects the current process, and since the SELinux
2053  * controls are not based on the Linux identity attributes, SELinux does not
2054  * need to control this operation.  However, SELinux does control the use of
2055  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2056  */
2057 
2058 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2059                            int cap, int audit)
2060 {
2061         int rc;
2062 
2063         rc = cap_capable(cred, ns, cap, audit);
2064         if (rc)
2065                 return rc;
2066 
2067         return cred_has_capability(cred, cap, audit);
2068 }
2069 
2070 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2071 {
2072         const struct cred *cred = current_cred();
2073         int rc = 0;
2074 
2075         if (!sb)
2076                 return 0;
2077 
2078         switch (cmds) {
2079         case Q_SYNC:
2080         case Q_QUOTAON:
2081         case Q_QUOTAOFF:
2082         case Q_SETINFO:
2083         case Q_SETQUOTA:
2084                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2085                 break;
2086         case Q_GETFMT:
2087         case Q_GETINFO:
2088         case Q_GETQUOTA:
2089                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2090                 break;
2091         default:
2092                 rc = 0;  /* let the kernel handle invalid cmds */
2093                 break;
2094         }
2095         return rc;
2096 }
2097 
2098 static int selinux_quota_on(struct dentry *dentry)
2099 {
2100         const struct cred *cred = current_cred();
2101 
2102         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2103 }
2104 
2105 static int selinux_syslog(int type)
2106 {
2107         int rc;
2108 
2109         switch (type) {
2110         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2111         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2112                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2113                 break;
2114         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2115         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2116         /* Set level of messages printed to console */
2117         case SYSLOG_ACTION_CONSOLE_LEVEL:
2118                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2119                 break;
2120         case SYSLOG_ACTION_CLOSE:       /* Close log */
2121         case SYSLOG_ACTION_OPEN:        /* Open log */
2122         case SYSLOG_ACTION_READ:        /* Read from log */
2123         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
2124         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
2125         default:
2126                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2127                 break;
2128         }
2129         return rc;
2130 }
2131 
2132 /*
2133  * Check that a process has enough memory to allocate a new virtual
2134  * mapping. 0 means there is enough memory for the allocation to
2135  * succeed and -ENOMEM implies there is not.
2136  *
2137  * Do not audit the selinux permission check, as this is applied to all
2138  * processes that allocate mappings.
2139  */
2140 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2141 {
2142         int rc, cap_sys_admin = 0;
2143 
2144         rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2145                              SECURITY_CAP_NOAUDIT);
2146         if (rc == 0)
2147                 cap_sys_admin = 1;
2148 
2149         return __vm_enough_memory(mm, pages, cap_sys_admin);
2150 }
2151 
2152 /* binprm security operations */
2153 
2154 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2155                             const struct task_security_struct *old_tsec,
2156                             const struct task_security_struct *new_tsec)
2157 {
2158         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2159         int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2160         int rc;
2161 
2162         if (!nnp && !nosuid)
2163                 return 0; /* neither NNP nor nosuid */
2164 
2165         if (new_tsec->sid == old_tsec->sid)
2166                 return 0; /* No change in credentials */
2167 
2168         /*
2169          * The only transitions we permit under NNP or nosuid
2170          * are transitions to bounded SIDs, i.e. SIDs that are
2171          * guaranteed to only be allowed a subset of the permissions
2172          * of the current SID.
2173          */
2174         rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2175         if (rc) {
2176                 /*
2177                  * On failure, preserve the errno values for NNP vs nosuid.
2178                  * NNP:  Operation not permitted for caller.
2179                  * nosuid:  Permission denied to file.
2180                  */
2181                 if (nnp)
2182                         return -EPERM;
2183                 else
2184                         return -EACCES;
2185         }
2186         return 0;
2187 }
2188 
2189 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2190 {
2191         const struct task_security_struct *old_tsec;
2192         struct task_security_struct *new_tsec;
2193         struct inode_security_struct *isec;
2194         struct common_audit_data ad;
2195         struct inode *inode = file_inode(bprm->file);
2196         int rc;
2197 
2198         rc = cap_bprm_set_creds(bprm);
2199         if (rc)
2200                 return rc;
2201 
2202         /* SELinux context only depends on initial program or script and not
2203          * the script interpreter */
2204         if (bprm->cred_prepared)
2205                 return 0;
2206 
2207         old_tsec = current_security();
2208         new_tsec = bprm->cred->security;
2209         isec = inode->i_security;
2210 
2211         /* Default to the current task SID. */
2212         new_tsec->sid = old_tsec->sid;
2213         new_tsec->osid = old_tsec->sid;
2214 
2215         /* Reset fs, key, and sock SIDs on execve. */
2216         new_tsec->create_sid = 0;
2217         new_tsec->keycreate_sid = 0;
2218         new_tsec->sockcreate_sid = 0;
2219 
2220         if (old_tsec->exec_sid) {
2221                 new_tsec->sid = old_tsec->exec_sid;
2222                 /* Reset exec SID on execve. */
2223                 new_tsec->exec_sid = 0;
2224 
2225                 /* Fail on NNP or nosuid if not an allowed transition. */
2226                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2227                 if (rc)
2228                         return rc;
2229         } else {
2230                 /* Check for a default transition on this program. */
2231                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2232                                              SECCLASS_PROCESS, NULL,
2233                                              &new_tsec->sid);
2234                 if (rc)
2235                         return rc;
2236 
2237                 /*
2238                  * Fallback to old SID on NNP or nosuid if not an allowed
2239                  * transition.
2240                  */
2241                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2242                 if (rc)
2243                         new_tsec->sid = old_tsec->sid;
2244         }
2245 
2246         ad.type = LSM_AUDIT_DATA_PATH;
2247         ad.u.path = bprm->file->f_path;
2248 
2249         if (new_tsec->sid == old_tsec->sid) {
2250                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2251                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2252                 if (rc)
2253                         return rc;
2254         } else {
2255                 /* Check permissions for the transition. */
2256                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2257                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2258                 if (rc)
2259                         return rc;
2260 
2261                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2262                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2263                 if (rc)
2264                         return rc;
2265 
2266                 /* Check for shared state */
2267                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2268                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2269                                           SECCLASS_PROCESS, PROCESS__SHARE,
2270                                           NULL);
2271                         if (rc)
2272                                 return -EPERM;
2273                 }
2274 
2275                 /* Make sure that anyone attempting to ptrace over a task that
2276                  * changes its SID has the appropriate permit */
2277                 if (bprm->unsafe &
2278                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2279                         struct task_struct *tracer;
2280                         struct task_security_struct *sec;
2281                         u32 ptsid = 0;
2282 
2283                         rcu_read_lock();
2284                         tracer = ptrace_parent(current);
2285                         if (likely(tracer != NULL)) {
2286                                 sec = __task_cred(tracer)->security;
2287                                 ptsid = sec->sid;
2288                         }
2289                         rcu_read_unlock();
2290 
2291                         if (ptsid != 0) {
2292                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2293                                                   SECCLASS_PROCESS,
2294                                                   PROCESS__PTRACE, NULL);
2295                                 if (rc)
2296                                         return -EPERM;
2297                         }
2298                 }
2299 
2300                 /* Clear any possibly unsafe personality bits on exec: */
2301                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2302         }
2303 
2304         return 0;
2305 }
2306 
2307 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2308 {
2309         const struct task_security_struct *tsec = current_security();
2310         u32 sid, osid;
2311         int atsecure = 0;
2312 
2313         sid = tsec->sid;
2314         osid = tsec->osid;
2315 
2316         if (osid != sid) {
2317                 /* Enable secure mode for SIDs transitions unless
2318                    the noatsecure permission is granted between
2319                    the two SIDs, i.e. ahp returns 0. */
2320                 atsecure = avc_has_perm(osid, sid,
2321                                         SECCLASS_PROCESS,
2322                                         PROCESS__NOATSECURE, NULL);
2323         }
2324 
2325         return (atsecure || cap_bprm_secureexec(bprm));
2326 }
2327 
2328 static int match_file(const void *p, struct file *file, unsigned fd)
2329 {
2330         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2331 }
2332 
2333 /* Derived from fs/exec.c:flush_old_files. */
2334 static inline void flush_unauthorized_files(const struct cred *cred,
2335                                             struct files_struct *files)
2336 {
2337         struct file *file, *devnull = NULL;
2338         struct tty_struct *tty;
2339         int drop_tty = 0;
2340         unsigned n;
2341 
2342         tty = get_current_tty();
2343         if (tty) {
2344                 spin_lock(&tty_files_lock);
2345                 if (!list_empty(&tty->tty_files)) {
2346                         struct tty_file_private *file_priv;
2347 
2348                         /* Revalidate access to controlling tty.
2349                            Use file_path_has_perm on the tty path directly
2350                            rather than using file_has_perm, as this particular
2351                            open file may belong to another process and we are
2352                            only interested in the inode-based check here. */
2353                         file_priv = list_first_entry(&tty->tty_files,
2354                                                 struct tty_file_private, list);
2355                         file = file_priv->file;
2356                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2357                                 drop_tty = 1;
2358                 }
2359                 spin_unlock(&tty_files_lock);
2360                 tty_kref_put(tty);
2361         }
2362         /* Reset controlling tty. */
2363         if (drop_tty)
2364                 no_tty();
2365 
2366         /* Revalidate access to inherited open files. */
2367         n = iterate_fd(files, 0, match_file, cred);
2368         if (!n) /* none found? */
2369                 return;
2370 
2371         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2372         if (IS_ERR(devnull))
2373                 devnull = NULL;
2374         /* replace all the matching ones with this */
2375         do {
2376                 replace_fd(n - 1, devnull, 0);
2377         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2378         if (devnull)
2379                 fput(devnull);
2380 }
2381 
2382 /*
2383  * Prepare a process for imminent new credential changes due to exec
2384  */
2385 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2386 {
2387         struct task_security_struct *new_tsec;
2388         struct rlimit *rlim, *initrlim;
2389         int rc, i;
2390 
2391         new_tsec = bprm->cred->security;
2392         if (new_tsec->sid == new_tsec->osid)
2393                 return;
2394 
2395         /* Close files for which the new task SID is not authorized. */
2396         flush_unauthorized_files(bprm->cred, current->files);
2397 
2398         /* Always clear parent death signal on SID transitions. */
2399         current->pdeath_signal = 0;
2400 
2401         /* Check whether the new SID can inherit resource limits from the old
2402          * SID.  If not, reset all soft limits to the lower of the current
2403          * task's hard limit and the init task's soft limit.
2404          *
2405          * Note that the setting of hard limits (even to lower them) can be
2406          * controlled by the setrlimit check.  The inclusion of the init task's
2407          * soft limit into the computation is to avoid resetting soft limits
2408          * higher than the default soft limit for cases where the default is
2409          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2410          */
2411         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2412                           PROCESS__RLIMITINH, NULL);
2413         if (rc) {
2414                 /* protect against do_prlimit() */
2415                 task_lock(current);
2416                 for (i = 0; i < RLIM_NLIMITS; i++) {
2417                         rlim = current->signal->rlim + i;
2418                         initrlim = init_task.signal->rlim + i;
2419                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2420                 }
2421                 task_unlock(current);
2422                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2423         }
2424 }
2425 
2426 /*
2427  * Clean up the process immediately after the installation of new credentials
2428  * due to exec
2429  */
2430 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2431 {
2432         const struct task_security_struct *tsec = current_security();
2433         struct itimerval itimer;
2434         u32 osid, sid;
2435         int rc, i;
2436 
2437         osid = tsec->osid;
2438         sid = tsec->sid;
2439 
2440         if (sid == osid)
2441                 return;
2442 
2443         /* Check whether the new SID can inherit signal state from the old SID.
2444          * If not, clear itimers to avoid subsequent signal generation and
2445          * flush and unblock signals.
2446          *
2447          * This must occur _after_ the task SID has been updated so that any
2448          * kill done after the flush will be checked against the new SID.
2449          */
2450         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2451         if (rc) {
2452                 memset(&itimer, 0, sizeof itimer);
2453                 for (i = 0; i < 3; i++)
2454                         do_setitimer(i, &itimer, NULL);
2455                 spin_lock_irq(&current->sighand->siglock);
2456                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2457                         __flush_signals(current);
2458                         flush_signal_handlers(current, 1);
2459                         sigemptyset(&current->blocked);
2460                 }
2461                 spin_unlock_irq(&current->sighand->siglock);
2462         }
2463 
2464         /* Wake up the parent if it is waiting so that it can recheck
2465          * wait permission to the new task SID. */
2466         read_lock(&tasklist_lock);
2467         __wake_up_parent(current, current->real_parent);
2468         read_unlock(&tasklist_lock);
2469 }
2470 
2471 /* superblock security operations */
2472 
2473 static int selinux_sb_alloc_security(struct super_block *sb)
2474 {
2475         return superblock_alloc_security(sb);
2476 }
2477 
2478 static void selinux_sb_free_security(struct super_block *sb)
2479 {
2480         superblock_free_security(sb);
2481 }
2482 
2483 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2484 {
2485         if (plen > olen)
2486                 return 0;
2487 
2488         return !memcmp(prefix, option, plen);
2489 }
2490 
2491 static inline int selinux_option(char *option, int len)
2492 {
2493         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2494                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2495                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2496                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2497                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2498 }
2499 
2500 static inline void take_option(char **to, char *from, int *first, int len)
2501 {
2502         if (!*first) {
2503                 **to = ',';
2504                 *to += 1;
2505         } else
2506                 *first = 0;
2507         memcpy(*to, from, len);
2508         *to += len;
2509 }
2510 
2511 static inline void take_selinux_option(char **to, char *from, int *first,
2512                                        int len)
2513 {
2514         int current_size = 0;
2515 
2516         if (!*first) {
2517                 **to = '|';
2518                 *to += 1;
2519         } else
2520                 *first = 0;
2521 
2522         while (current_size < len) {
2523                 if (*from != '"') {
2524                         **to = *from;
2525                         *to += 1;
2526                 }
2527                 from += 1;
2528                 current_size += 1;
2529         }
2530 }
2531 
2532 static int selinux_sb_copy_data(char *orig, char *copy)
2533 {
2534         int fnosec, fsec, rc = 0;
2535         char *in_save, *in_curr, *in_end;
2536         char *sec_curr, *nosec_save, *nosec;
2537         int open_quote = 0;
2538 
2539         in_curr = orig;
2540         sec_curr = copy;
2541 
2542         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2543         if (!nosec) {
2544                 rc = -ENOMEM;
2545                 goto out;
2546         }
2547 
2548         nosec_save = nosec;
2549         fnosec = fsec = 1;
2550         in_save = in_end = orig;
2551 
2552         do {
2553                 if (*in_end == '"')
2554                         open_quote = !open_quote;
2555                 if ((*in_end == ',' && open_quote == 0) ||
2556                                 *in_end == '\0') {
2557                         int len = in_end - in_curr;
2558 
2559                         if (selinux_option(in_curr, len))
2560                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2561                         else
2562                                 take_option(&nosec, in_curr, &fnosec, len);
2563 
2564                         in_curr = in_end + 1;
2565                 }
2566         } while (*in_end++);
2567 
2568         strcpy(in_save, nosec_save);
2569         free_page((unsigned long)nosec_save);
2570 out:
2571         return rc;
2572 }
2573 
2574 static int selinux_sb_remount(struct super_block *sb, void *data)
2575 {
2576         int rc, i, *flags;
2577         struct security_mnt_opts opts;
2578         char *secdata, **mount_options;
2579         struct superblock_security_struct *sbsec = sb->s_security;
2580 
2581         if (!(sbsec->flags & SE_SBINITIALIZED))
2582                 return 0;
2583 
2584         if (!data)
2585                 return 0;
2586 
2587         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2588                 return 0;
2589 
2590         security_init_mnt_opts(&opts);
2591         secdata = alloc_secdata();
2592         if (!secdata)
2593                 return -ENOMEM;
2594         rc = selinux_sb_copy_data(data, secdata);
2595         if (rc)
2596                 goto out_free_secdata;
2597 
2598         rc = selinux_parse_opts_str(secdata, &opts);
2599         if (rc)
2600                 goto out_free_secdata;
2601 
2602         mount_options = opts.mnt_opts;
2603         flags = opts.mnt_opts_flags;
2604 
2605         for (i = 0; i < opts.num_mnt_opts; i++) {
2606                 u32 sid;
2607                 size_t len;
2608 
2609                 if (flags[i] == SBLABEL_MNT)
2610                         continue;
2611                 len = strlen(mount_options[i]);
2612                 rc = security_context_to_sid(mount_options[i], len, &sid,
2613                                              GFP_KERNEL);
2614                 if (rc) {
2615                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2616                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2617                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2618                         goto out_free_opts;
2619                 }
2620                 rc = -EINVAL;
2621                 switch (flags[i]) {
2622                 case FSCONTEXT_MNT:
2623                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2624                                 goto out_bad_option;
2625                         break;
2626                 case CONTEXT_MNT:
2627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2628                                 goto out_bad_option;
2629                         break;
2630                 case ROOTCONTEXT_MNT: {
2631                         struct inode_security_struct *root_isec;
2632                         root_isec = sb->s_root->d_inode->i_security;
2633 
2634                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2635                                 goto out_bad_option;
2636                         break;
2637                 }
2638                 case DEFCONTEXT_MNT:
2639                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2640                                 goto out_bad_option;
2641                         break;
2642                 default:
2643                         goto out_free_opts;
2644                 }
2645         }
2646 
2647         rc = 0;
2648 out_free_opts:
2649         security_free_mnt_opts(&opts);
2650 out_free_secdata:
2651         free_secdata(secdata);
2652         return rc;
2653 out_bad_option:
2654         printk(KERN_WARNING "SELinux: unable to change security options "
2655                "during remount (dev %s, type=%s)\n", sb->s_id,
2656                sb->s_type->name);
2657         goto out_free_opts;
2658 }
2659 
2660 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2661 {
2662         const struct cred *cred = current_cred();
2663         struct common_audit_data ad;
2664         int rc;
2665 
2666         rc = superblock_doinit(sb, data);
2667         if (rc)
2668                 return rc;
2669 
2670         /* Allow all mounts performed by the kernel */
2671         if (flags & MS_KERNMOUNT)
2672                 return 0;
2673 
2674         ad.type = LSM_AUDIT_DATA_DENTRY;
2675         ad.u.dentry = sb->s_root;
2676         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2677 }
2678 
2679 static int selinux_sb_statfs(struct dentry *dentry)
2680 {
2681         const struct cred *cred = current_cred();
2682         struct common_audit_data ad;
2683 
2684         ad.type = LSM_AUDIT_DATA_DENTRY;
2685         ad.u.dentry = dentry->d_sb->s_root;
2686         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2687 }
2688 
2689 static int selinux_mount(const char *dev_name,
2690                          struct path *path,
2691                          const char *type,
2692                          unsigned long flags,
2693                          void *data)
2694 {
2695         const struct cred *cred = current_cred();
2696 
2697         if (flags & MS_REMOUNT)
2698                 return superblock_has_perm(cred, path->dentry->d_sb,
2699                                            FILESYSTEM__REMOUNT, NULL);
2700         else
2701                 return path_has_perm(cred, path, FILE__MOUNTON);
2702 }
2703 
2704 static int selinux_umount(struct vfsmount *mnt, int flags)
2705 {
2706         const struct cred *cred = current_cred();
2707 
2708         return superblock_has_perm(cred, mnt->mnt_sb,
2709                                    FILESYSTEM__UNMOUNT, NULL);
2710 }
2711 
2712 /* inode security operations */
2713 
2714 static int selinux_inode_alloc_security(struct inode *inode)
2715 {
2716         return inode_alloc_security(inode);
2717 }
2718 
2719 static void selinux_inode_free_security(struct inode *inode)
2720 {
2721         inode_free_security(inode);
2722 }
2723 
2724 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2725                                         struct qstr *name, void **ctx,
2726                                         u32 *ctxlen)
2727 {
2728         const struct cred *cred = current_cred();
2729         struct task_security_struct *tsec;
2730         struct inode_security_struct *dsec;
2731         struct superblock_security_struct *sbsec;
2732         struct inode *dir = dentry->d_parent->d_inode;
2733         u32 newsid;
2734         int rc;
2735 
2736         tsec = cred->security;
2737         dsec = dir->i_security;
2738         sbsec = dir->i_sb->s_security;
2739 
2740         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2741                 newsid = tsec->create_sid;
2742         } else {
2743                 rc = security_transition_sid(tsec->sid, dsec->sid,
2744                                              inode_mode_to_security_class(mode),
2745                                              name,
2746                                              &newsid);
2747                 if (rc) {
2748                         printk(KERN_WARNING
2749                                 "%s: security_transition_sid failed, rc=%d\n",
2750                                __func__, -rc);
2751                         return rc;
2752                 }
2753         }
2754 
2755         return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2756 }
2757 
2758 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2759                                        const struct qstr *qstr,
2760                                        const char **name,
2761                                        void **value, size_t *len)
2762 {
2763         const struct task_security_struct *tsec = current_security();
2764         struct inode_security_struct *dsec;
2765         struct superblock_security_struct *sbsec;
2766         u32 sid, newsid, clen;
2767         int rc;
2768         char *context;
2769 
2770         dsec = dir->i_security;
2771         sbsec = dir->i_sb->s_security;
2772 
2773         sid = tsec->sid;
2774         newsid = tsec->create_sid;
2775 
2776         if ((sbsec->flags & SE_SBINITIALIZED) &&
2777             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2778                 newsid = sbsec->mntpoint_sid;
2779         else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2780                 rc = security_transition_sid(sid, dsec->sid,
2781                                              inode_mode_to_security_class(inode->i_mode),
2782                                              qstr, &newsid);
2783                 if (rc) {
2784                         printk(KERN_WARNING "%s:  "
2785                                "security_transition_sid failed, rc=%d (dev=%s "
2786                                "ino=%ld)\n",
2787                                __func__,
2788                                -rc, inode->i_sb->s_id, inode->i_ino);
2789                         return rc;
2790                 }
2791         }
2792 
2793         /* Possibly defer initialization to selinux_complete_init. */
2794         if (sbsec->flags & SE_SBINITIALIZED) {
2795                 struct inode_security_struct *isec = inode->i_security;
2796                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2797                 isec->sid = newsid;
2798                 isec->initialized = 1;
2799         }
2800 
2801         if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2802                 return -EOPNOTSUPP;
2803 
2804         if (name)
2805                 *name = XATTR_SELINUX_SUFFIX;
2806 
2807         if (value && len) {
2808                 rc = security_sid_to_context_force(newsid, &context, &clen);
2809                 if (rc)
2810                         return rc;
2811                 *value = context;
2812                 *len = clen;
2813         }
2814 
2815         return 0;
2816 }
2817 
2818 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2819 {
2820         return may_create(dir, dentry, SECCLASS_FILE);
2821 }
2822 
2823 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2824 {
2825         return may_link(dir, old_dentry, MAY_LINK);
2826 }
2827 
2828 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2829 {
2830         return may_link(dir, dentry, MAY_UNLINK);
2831 }
2832 
2833 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2834 {
2835         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2836 }
2837 
2838 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2839 {
2840         return may_create(dir, dentry, SECCLASS_DIR);
2841 }
2842 
2843 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2844 {
2845         return may_link(dir, dentry, MAY_RMDIR);
2846 }
2847 
2848 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2849 {
2850         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2851 }
2852 
2853 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2854                                 struct inode *new_inode, struct dentry *new_dentry)
2855 {
2856         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2857 }
2858 
2859 static int selinux_inode_readlink(struct dentry *dentry)
2860 {
2861         const struct cred *cred = current_cred();
2862 
2863         return dentry_has_perm(cred, dentry, FILE__READ);
2864 }
2865 
2866 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2867 {
2868         const struct cred *cred = current_cred();
2869 
2870         return dentry_has_perm(cred, dentry, FILE__READ);
2871 }
2872 
2873 static noinline int audit_inode_permission(struct inode *inode,
2874                                            u32 perms, u32 audited, u32 denied,
2875                                            int result,
2876                                            unsigned flags)
2877 {
2878         struct common_audit_data ad;
2879         struct inode_security_struct *isec = inode->i_security;
2880         int rc;
2881 
2882         ad.type = LSM_AUDIT_DATA_INODE;
2883         ad.u.inode = inode;
2884 
2885         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2886                             audited, denied, result, &ad, flags);
2887         if (rc)
2888                 return rc;
2889         return 0;
2890 }
2891 
2892 static int selinux_inode_permission(struct inode *inode, int mask)
2893 {
2894         const struct cred *cred = current_cred();
2895         u32 perms;
2896         bool from_access;
2897         unsigned flags = mask & MAY_NOT_BLOCK;
2898         struct inode_security_struct *isec;
2899         u32 sid;
2900         struct av_decision avd;
2901         int rc, rc2;
2902         u32 audited, denied;
2903 
2904         from_access = mask & MAY_ACCESS;
2905         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2906 
2907         /* No permission to check.  Existence test. */
2908         if (!mask)
2909                 return 0;
2910 
2911         validate_creds(cred);
2912 
2913         if (unlikely(IS_PRIVATE(inode)))
2914                 return 0;
2915 
2916         perms = file_mask_to_av(inode->i_mode, mask);
2917 
2918         sid = cred_sid(cred);
2919         isec = inode->i_security;
2920 
2921         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2922         audited = avc_audit_required(perms, &avd, rc,
2923                                      from_access ? FILE__AUDIT_ACCESS : 0,
2924                                      &denied);
2925         if (likely(!audited))
2926                 return rc;
2927 
2928         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2929         if (rc2)
2930                 return rc2;
2931         return rc;
2932 }
2933 
2934 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2935 {
2936         const struct cred *cred = current_cred();
2937         unsigned int ia_valid = iattr->ia_valid;
2938         __u32 av = FILE__WRITE;
2939 
2940         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2941         if (ia_valid & ATTR_FORCE) {
2942                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2943                               ATTR_FORCE);
2944                 if (!ia_valid)
2945                         return 0;
2946         }
2947 
2948         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2949                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2950                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2951 
2952         if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2953                 av |= FILE__OPEN;
2954 
2955         return dentry_has_perm(cred, dentry, av);
2956 }
2957 
2958 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2959 {
2960         const struct cred *cred = current_cred();
2961         struct path path;
2962 
2963         path.dentry = dentry;
2964         path.mnt = mnt;
2965 
2966         return path_has_perm(cred, &path, FILE__GETATTR);
2967 }
2968 
2969 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2970 {
2971         const struct cred *cred = current_cred();
2972 
2973         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2974                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2975                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2976                         if (!capable(CAP_SETFCAP))
2977                                 return -EPERM;
2978                 } else if (!capable(CAP_SYS_ADMIN)) {
2979                         /* A different attribute in the security namespace.
2980                            Restrict to administrator. */
2981                         return -EPERM;
2982                 }
2983         }
2984 
2985         /* Not an attribute we recognize, so just check the
2986            ordinary setattr permission. */
2987         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2988 }
2989 
2990 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2991                                   const void *value, size_t size, int flags)
2992 {
2993         struct inode *inode = dentry->d_inode;
2994         struct inode_security_struct *isec = inode->i_security;
2995         struct superblock_security_struct *sbsec;
2996         struct common_audit_data ad;
2997         u32 newsid, sid = current_sid();
2998         int rc = 0;
2999 
3000         if (strcmp(name, XATTR_NAME_SELINUX))
3001                 return selinux_inode_setotherxattr(dentry, name);
3002 
3003         sbsec = inode->i_sb->s_security;
3004         if (!(sbsec->flags & SBLABEL_MNT))
3005                 return -EOPNOTSUPP;
3006 
3007         if (!inode_owner_or_capable(inode))
3008                 return -EPERM;
3009 
3010         ad.type = LSM_AUDIT_DATA_DENTRY;
3011         ad.u.dentry = dentry;
3012 
3013         rc = avc_has_perm(sid, isec->sid, isec->sclass,
3014                           FILE__RELABELFROM, &ad);
3015         if (rc)
3016                 return rc;
3017 
3018         rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3019         if (rc == -EINVAL) {
3020                 if (!capable(CAP_MAC_ADMIN)) {
3021                         struct audit_buffer *ab;
3022                         size_t audit_size;
3023                         const char *str;
3024 
3025                         /* We strip a nul only if it is at the end, otherwise the
3026                          * context contains a nul and we should audit that */
3027                         if (value) {
3028                                 str = value;
3029                                 if (str[size - 1] == '\0')
3030                                         audit_size = size - 1;
3031                                 else
3032                                         audit_size = size;
3033                         } else {
3034                                 str = "";
3035                                 audit_size = 0;
3036                         }
3037                         ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3038                         audit_log_format(ab, "op=setxattr invalid_context=");
3039                         audit_log_n_untrustedstring(ab, value, audit_size);
3040                         audit_log_end(ab);
3041 
3042                         return rc;
3043                 }
3044                 rc = security_context_to_sid_force(value, size, &newsid);
3045         }
3046         if (rc)
3047                 return rc;
3048 
3049         rc = avc_has_perm(sid, newsid, isec->sclass,
3050                           FILE__RELABELTO, &ad);
3051         if (rc)
3052                 return rc;
3053 
3054         rc = security_validate_transition(isec->sid, newsid, sid,
3055                                           isec->sclass);
3056         if (rc)
3057                 return rc;
3058 
3059         return avc_has_perm(newsid,
3060                             sbsec->sid,
3061                             SECCLASS_FILESYSTEM,
3062                             FILESYSTEM__ASSOCIATE,
3063                             &ad);
3064 }
3065 
3066 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3067                                         const void *value, size_t size,
3068                                         int flags)
3069 {
3070         struct inode *inode = dentry->d_inode;
3071         struct inode_security_struct *isec = inode->i_security;
3072         u32 newsid;
3073         int rc;
3074 
3075         if (strcmp(name, XATTR_NAME_SELINUX)) {
3076                 /* Not an attribute we recognize, so nothing to do. */
3077                 return;
3078         }
3079 
3080         rc = security_context_to_sid_force(value, size, &newsid);
3081         if (rc) {
3082                 printk(KERN_ERR "SELinux:  unable to map context to SID"
3083                        "for (%s, %lu), rc=%d\n",
3084                        inode->i_sb->s_id, inode->i_ino, -rc);
3085                 return;
3086         }
3087 
3088         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3089         isec->sid = newsid;
3090         isec->initialized = 1;
3091 
3092         return;
3093 }
3094 
3095 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3096 {
3097         const struct cred *cred = current_cred();
3098 
3099         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3100 }
3101 
3102 static int selinux_inode_listxattr(struct dentry *dentry)
3103 {
3104         const struct cred *cred = current_cred();
3105 
3106         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3107 }
3108 
3109 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3110 {
3111         if (strcmp(name, XATTR_NAME_SELINUX))
3112                 return selinux_inode_setotherxattr(dentry, name);
3113 
3114         /* No one is allowed to remove a SELinux security label.
3115            You can change the label, but all data must be labeled. */
3116         return -EACCES;
3117 }
3118 
3119 /*
3120  * Copy the inode security context value to the user.
3121  *
3122  * Permission check is handled by selinux_inode_getxattr hook.
3123  */
3124 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3125 {
3126         u32 size;
3127         int error;
3128         char *context = NULL;
3129         struct inode_security_struct *isec = inode->i_security;
3130 
3131         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3132                 return -EOPNOTSUPP;
3133 
3134         /*
3135          * If the caller has CAP_MAC_ADMIN, then get the raw context
3136          * value even if it is not defined by current policy; otherwise,
3137          * use the in-core value under current policy.
3138          * Use the non-auditing forms of the permission checks since
3139          * getxattr may be called by unprivileged processes commonly
3140          * and lack of permission just means that we fall back to the
3141          * in-core context value, not a denial.
3142          */
3143         error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3144                                 SECURITY_CAP_NOAUDIT);
3145         if (!error)
3146                 error = security_sid_to_context_force(isec->sid, &context,
3147                                                       &size);
3148         else
3149                 error = security_sid_to_context(isec->sid, &context, &size);
3150         if (error)
3151                 return error;
3152         error = size;
3153         if (alloc) {
3154                 *buffer = context;
3155                 goto out_nofree;
3156         }
3157         kfree(context);
3158 out_nofree:
3159         return error;
3160 }
3161 
3162 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3163                                      const void *value, size_t size, int flags)
3164 {
3165         struct inode_security_struct *isec = inode->i_security;
3166         u32 newsid;
3167         int rc;
3168 
3169         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3170                 return -EOPNOTSUPP;
3171 
3172         if (!value || !size)
3173                 return -EACCES;
3174 
3175         rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3176         if (rc)
3177                 return rc;
3178 
3179         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3180         isec->sid = newsid;
3181         isec->initialized = 1;
3182         return 0;
3183 }
3184 
3185 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3186 {
3187         const int len = sizeof(XATTR_NAME_SELINUX);
3188         if (buffer && len <= buffer_size)
3189                 memcpy(buffer, XATTR_NAME_SELINUX, len);
3190         return len;
3191 }
3192 
3193 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3194 {
3195         struct inode_security_struct *isec = inode->i_security;
3196         *secid = isec->sid;
3197 }
3198 
3199 /* file security operations */
3200 
3201 static int selinux_revalidate_file_permission(struct file *file, int mask)
3202 {
3203         const struct cred *cred = current_cred();
3204         struct inode *inode = file_inode(file);
3205 
3206         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3207         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3208                 mask |= MAY_APPEND;
3209 
3210         return file_has_perm(cred, file,
3211                              file_mask_to_av(inode->i_mode, mask));
3212 }
3213 
3214 static int selinux_file_permission(struct file *file, int mask)
3215 {
3216         struct inode *inode = file_inode(file);
3217         struct file_security_struct *fsec = file->f_security;
3218         struct inode_security_struct *isec = inode->i_security;
3219         u32 sid = current_sid();
3220 
3221         if (!mask)
3222                 /* No permission to check.  Existence test. */
3223                 return 0;
3224 
3225         if (sid == fsec->sid && fsec->isid == isec->sid &&
3226             fsec->pseqno == avc_policy_seqno())
3227                 /* No change since file_open check. */
3228                 return 0;
3229 
3230         return selinux_revalidate_file_permission(file, mask);
3231 }
3232 
3233 static int selinux_file_alloc_security(struct file *file)
3234 {
3235         return file_alloc_security(file);
3236 }
3237 
3238 static void selinux_file_free_security(struct file *file)
3239 {
3240         file_free_security(file);
3241 }
3242 
3243 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3244                               unsigned long arg)
3245 {
3246         const struct cred *cred = current_cred();
3247         int error = 0;
3248 
3249         switch (cmd) {
3250         case FIONREAD:
3251         /* fall through */
3252         case FIBMAP:
3253         /* fall through */
3254         case FIGETBSZ:
3255         /* fall through */
3256         case FS_IOC_GETFLAGS:
3257         /* fall through */
3258         case FS_IOC_GETVERSION:
3259                 error = file_has_perm(cred, file, FILE__GETATTR);
3260                 break;
3261 
3262         case FS_IOC_SETFLAGS:
3263         /* fall through */
3264         case FS_IOC_SETVERSION:
3265                 error = file_has_perm(cred, file, FILE__SETATTR);
3266                 break;
3267 
3268         /* sys_ioctl() checks */
3269         case FIONBIO:
3270         /* fall through */
3271         case FIOASYNC:
3272                 error = file_has_perm(cred, file, 0);
3273                 break;
3274 
3275         case KDSKBENT:
3276         case KDSKBSENT:
3277                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3278                                             SECURITY_CAP_AUDIT);
3279                 break;
3280 
3281         /* default case assumes that the command will go
3282          * to the file's ioctl() function.
3283          */
3284         default:
3285                 error = file_has_perm(cred, file, FILE__IOCTL);
3286         }
3287         return error;
3288 }
3289 
3290 static int default_noexec;
3291 
3292 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3293 {
3294         const struct cred *cred = current_cred();
3295         int rc = 0;
3296 
3297         if (default_noexec &&
3298             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3299                 /*
3300                  * We are making executable an anonymous mapping or a
3301                  * private file mapping that will also be writable.
3302                  * This has an additional check.
3303                  */
3304                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3305                 if (rc)
3306                         goto error;
3307         }
3308 
3309         if (file) {
3310                 /* read access is always possible with a mapping */
3311                 u32 av = FILE__READ;
3312 
3313                 /* write access only matters if the mapping is shared */
3314                 if (shared && (prot & PROT_WRITE))
3315                         av |= FILE__WRITE;
3316 
3317                 if (prot & PROT_EXEC)
3318                         av |= FILE__EXECUTE;
3319 
3320                 return file_has_perm(cred, file, av);
3321         }
3322 
3323 error:
3324         return rc;
3325 }
3326 
3327 static int selinux_mmap_addr(unsigned long addr)
3328 {
3329         int rc;
3330 
3331         /* do DAC check on address space usage */
3332         rc = cap_mmap_addr(addr);
3333         if (rc)
3334                 return rc;
3335 
3336         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3337                 u32 sid = current_sid();
3338                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3339                                   MEMPROTECT__MMAP_ZERO, NULL);
3340         }
3341 
3342         return rc;
3343 }
3344 
3345 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3346                              unsigned long prot, unsigned long flags)
3347 {
3348         if (selinux_checkreqprot)
3349                 prot = reqprot;
3350 
3351         return file_map_prot_check(file, prot,
3352                                    (flags & MAP_TYPE) == MAP_SHARED);
3353 }
3354 
3355 static int selinux_file_mprotect(struct vm_area_struct *vma,
3356                                  unsigned long reqprot,
3357                                  unsigned long prot)
3358 {
3359         const struct cred *cred = current_cred();
3360 
3361         if (selinux_checkreqprot)
3362                 prot = reqprot;
3363 
3364         if (default_noexec &&
3365             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3366                 int rc = 0;
3367                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3368                     vma->vm_end <= vma->vm_mm->brk) {
3369                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3370                 } else if (!vma->vm_file &&
3371                            vma->vm_start <= vma->vm_mm->start_stack &&
3372                            vma->vm_end >= vma->vm_mm->start_stack) {
3373                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3374                 } else if (vma->vm_file && vma->anon_vma) {
3375                         /*
3376                          * We are making executable a file mapping that has
3377                          * had some COW done. Since pages might have been
3378                          * written, check ability to execute the possibly
3379                          * modified content.  This typically should only
3380                          * occur for text relocations.
3381                          */
3382                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3383                 }
3384                 if (rc)
3385                         return rc;
3386         }
3387 
3388         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3389 }
3390 
3391 static int selinux_file_lock(struct file *file, unsigned int cmd)
3392 {
3393         const struct cred *cred = current_cred();
3394 
3395         return file_has_perm(cred, file, FILE__LOCK);
3396 }
3397 
3398 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3399                               unsigned long arg)
3400 {
3401         const struct cred *cred = current_cred();
3402         int err = 0;
3403 
3404         switch (cmd) {
3405         case F_SETFL:
3406                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3407                         err = file_has_perm(cred, file, FILE__WRITE);
3408                         break;
3409                 }
3410                 /* fall through */
3411         case F_SETOWN:
3412         case F_SETSIG:
3413         case F_GETFL:
3414         case F_GETOWN:
3415         case F_GETSIG:
3416         case F_GETOWNER_UIDS:
3417                 /* Just check FD__USE permission */
3418                 err = file_has_perm(cred, file, 0);
3419                 break;
3420         case F_GETLK:
3421         case F_SETLK:
3422         case F_SETLKW:
3423         case F_OFD_GETLK:
3424         case F_OFD_SETLK:
3425         case F_OFD_SETLKW:
3426 #if BITS_PER_LONG == 32
3427         case F_GETLK64:
3428         case F_SETLK64:
3429         case F_SETLKW64:
3430 #endif
3431                 err = file_has_perm(cred, file, FILE__LOCK);
3432                 break;
3433         }
3434 
3435         return err;
3436 }
3437 
3438 static void selinux_file_set_fowner(struct file *file)
3439 {
3440         struct file_security_struct *fsec;
3441 
3442         fsec = file->f_security;
3443         fsec->fown_sid = current_sid();
3444 }
3445 
3446 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3447                                        struct fown_struct *fown, int signum)
3448 {
3449         struct file *file;
3450         u32 sid = task_sid(tsk);
3451         u32 perm;
3452         struct file_security_struct *fsec;
3453 
3454         /* struct fown_struct is never outside the context of a struct file */
3455         file = container_of(fown, struct file, f_owner);
3456 
3457         fsec = file->f_security;
3458 
3459         if (!signum)
3460                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3461         else
3462                 perm = signal_to_av(signum);
3463 
3464         return avc_has_perm(fsec->fown_sid, sid,
3465                             SECCLASS_PROCESS, perm, NULL);
3466 }
3467 
3468 static int selinux_file_receive(struct file *file)
3469 {
3470         const struct cred *cred = current_cred();
3471 
3472         return file_has_perm(cred, file, file_to_av(file));
3473 }
3474 
3475 static int selinux_file_open(struct file *file, const struct cred *cred)
3476 {
3477         struct file_security_struct *fsec;
3478         struct inode_security_struct *isec;
3479 
3480         fsec = file->f_security;
3481         isec = file_inode(file)->i_security;
3482         /*
3483          * Save inode label and policy sequence number
3484          * at open-time so that selinux_file_permission
3485          * can determine whether revalidation is necessary.
3486          * Task label is already saved in the file security
3487          * struct as its SID.
3488          */
3489         fsec->isid = isec->sid;
3490         fsec->pseqno = avc_policy_seqno();
3491         /*
3492          * Since the inode label or policy seqno may have changed
3493          * between the selinux_inode_permission check and the saving
3494          * of state above, recheck that access is still permitted.
3495          * Otherwise, access might never be revalidated against the
3496          * new inode label or new policy.
3497          * This check is not redundant - do not remove.
3498          */
3499         return file_path_has_perm(cred, file, open_file_to_av(file));
3500 }
3501 
3502 /* task security operations */
3503 
3504 static int selinux_task_create(unsigned long clone_flags)
3505 {
3506         return current_has_perm(current, PROCESS__FORK);
3507 }
3508 
3509 /*
3510  * allocate the SELinux part of blank credentials
3511  */
3512 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3513 {
3514         struct task_security_struct *tsec;
3515 
3516         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3517         if (!tsec)
3518                 return -ENOMEM;
3519 
3520         cred->security = tsec;
3521         return 0;
3522 }
3523 
3524 /*
3525  * detach and free the LSM part of a set of credentials
3526  */
3527 static void selinux_cred_free(struct cred *cred)
3528 {
3529         struct task_security_struct *tsec = cred->security;
3530 
3531         /*
3532          * cred->security == NULL if security_cred_alloc_blank() or
3533          * security_prepare_creds() returned an error.
3534          */
3535         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3536         cred->security = (void *) 0x7UL;
3537         kfree(tsec);
3538 }
3539 
3540 /*
3541  * prepare a new set of credentials for modification
3542  */
3543 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3544                                 gfp_t gfp)
3545 {
3546         const struct task_security_struct *old_tsec;
3547         struct task_security_struct *tsec;
3548 
3549         old_tsec = old->security;
3550 
3551         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3552         if (!tsec)
3553                 return -ENOMEM;
3554 
3555         new->security = tsec;
3556         return 0;
3557 }
3558 
3559 /*
3560  * transfer the SELinux data to a blank set of creds
3561  */
3562 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3563 {
3564         const struct task_security_struct *old_tsec = old->security;
3565         struct task_security_struct *tsec = new->security;
3566 
3567         *tsec = *old_tsec;
3568 }
3569 
3570 /*
3571  * set the security data for a kernel service
3572  * - all the creation contexts are set to unlabelled
3573  */
3574 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3575 {
3576         struct task_security_struct *tsec = new->security;
3577         u32 sid = current_sid();
3578         int ret;
3579 
3580         ret = avc_has_perm(sid, secid,
3581                            SECCLASS_KERNEL_SERVICE,
3582                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3583                            NULL);
3584         if (ret == 0) {
3585                 tsec->sid = secid;
3586                 tsec->create_sid = 0;
3587                 tsec->keycreate_sid = 0;
3588                 tsec->sockcreate_sid = 0;
3589         }
3590         return ret;
3591 }
3592 
3593 /*
3594  * set the file creation context in a security record to the same as the
3595  * objective context of the specified inode
3596  */
3597 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3598 {
3599         struct inode_security_struct *isec = inode->i_security;
3600         struct task_security_struct *tsec = new->security;
3601         u32 sid = current_sid();
3602         int ret;
3603 
3604         ret = avc_has_perm(sid, isec->sid,
3605                            SECCLASS_KERNEL_SERVICE,
3606                            KERNEL_SERVICE__CREATE_FILES_AS,
3607                            NULL);
3608 
3609         if (ret == 0)
3610                 tsec->create_sid = isec->sid;
3611         return ret;
3612 }
3613 
3614 static int selinux_kernel_module_request(char *kmod_name)
3615 {
3616         u32 sid;
3617         struct common_audit_data ad;
3618 
3619         sid = task_sid(current);
3620 
3621         ad.type = LSM_AUDIT_DATA_KMOD;
3622         ad.u.kmod_name = kmod_name;
3623 
3624         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3625                             SYSTEM__MODULE_REQUEST, &ad);
3626 }
3627 
3628 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3629 {
3630         return current_has_perm(p, PROCESS__SETPGID);
3631 }
3632 
3633 static int selinux_task_getpgid(struct task_struct *p)
3634 {
3635         return current_has_perm(p, PROCESS__GETPGID);
3636 }
3637 
3638 static int selinux_task_getsid(struct task_struct *p)
3639 {
3640         return current_has_perm(p, PROCESS__GETSESSION);
3641 }
3642 
3643 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3644 {
3645         *secid = task_sid(p);
3646 }
3647 
3648 static int selinux_task_setnice(struct task_struct *p, int nice)
3649 {
3650         int rc;
3651 
3652         rc = cap_task_setnice(p, nice);
3653         if (rc)
3654                 return rc;
3655 
3656         return current_has_perm(p, PROCESS__SETSCHED);
3657 }
3658 
3659 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3660 {
3661         int rc;
3662 
3663         rc = cap_task_setioprio(p, ioprio);
3664         if (rc)
3665                 return rc;
3666 
3667         return current_has_perm(p, PROCESS__SETSCHED);
3668 }
3669 
3670 static int selinux_task_getioprio(struct task_struct *p)
3671 {
3672         return current_has_perm(p, PROCESS__GETSCHED);
3673 }
3674 
3675 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3676                 struct rlimit *new_rlim)
3677 {
3678         struct rlimit *old_rlim = p->signal->rlim + resource;
3679 
3680         /* Control the ability to change the hard limit (whether
3681            lowering or raising it), so that the hard limit can
3682            later be used as a safe reset point for the soft limit
3683            upon context transitions.  See selinux_bprm_committing_creds. */
3684         if (old_rlim->rlim_max != new_rlim->rlim_max)
3685                 return current_has_perm(p, PROCESS__SETRLIMIT);
3686 
3687         return 0;
3688 }
3689 
3690 static int selinux_task_setscheduler(struct task_struct *p)
3691 {
3692         int rc;
3693 
3694         rc = cap_task_setscheduler(p);
3695         if (rc)
3696                 return rc;
3697 
3698         return current_has_perm(p, PROCESS__SETSCHED);
3699 }
3700 
3701 static int selinux_task_getscheduler(struct task_struct *p)
3702 {
3703         return current_has_perm(p, PROCESS__GETSCHED);
3704 }
3705 
3706 static int selinux_task_movememory(struct task_struct *p)
3707 {
3708         return current_has_perm(p, PROCESS__SETSCHED);
3709 }
3710 
3711 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3712                                 int sig, u32 secid)
3713 {
3714         u32 perm;
3715         int rc;
3716 
3717         if (!sig)
3718                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3719         else
3720                 perm = signal_to_av(sig);
3721         if (secid)
3722                 rc = avc_has_perm(secid, task_sid(p),
3723                                   SECCLASS_PROCESS, perm, NULL);
3724         else
3725                 rc = current_has_perm(p, perm);
3726         return rc;
3727 }
3728 
3729 static int selinux_task_wait(struct task_struct *p)
3730 {
3731         return task_has_perm(p, current, PROCESS__SIGCHLD);
3732 }
3733 
3734 static void selinux_task_to_inode(struct task_struct *p,
3735                                   struct inode *inode)
3736 {
3737         struct inode_security_struct *isec = inode->i_security;
3738         u32 sid = task_sid(p);
3739 
3740         isec->sid = sid;
3741         isec->initialized = 1;
3742 }
3743 
3744 /* Returns error only if unable to parse addresses */
3745 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3746                         struct common_audit_data *ad, u8 *proto)
3747 {
3748         int offset, ihlen, ret = -EINVAL;
3749         struct iphdr _iph, *ih;
3750 
3751         offset = skb_network_offset(skb);
3752         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3753         if (ih == NULL)
3754                 goto out;
3755 
3756         ihlen = ih->ihl * 4;
3757         if (ihlen < sizeof(_iph))
3758                 goto out;
3759 
3760         ad->u.net->v4info.saddr = ih->saddr;
3761         ad->u.net->v4info.daddr = ih->daddr;
3762         ret = 0;
3763 
3764         if (proto)
3765                 *proto = ih->protocol;
3766 
3767         switch (ih->protocol) {
3768         case IPPROTO_TCP: {
3769                 struct tcphdr _tcph, *th;
3770 
3771                 if (ntohs(ih->frag_off) & IP_OFFSET)
3772                         break;
3773 
3774                 offset += ihlen;
3775                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3776                 if (th == NULL)
3777                         break;
3778 
3779                 ad->u.net->sport = th->source;
3780                 ad->u.net->dport = th->dest;
3781                 break;
3782         }
3783 
3784         case IPPROTO_UDP: {
3785                 struct udphdr _udph, *uh;
3786 
3787                 if (ntohs(ih->frag_off) & IP_OFFSET)
3788                         break;
3789 
3790                 offset += ihlen;
3791                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3792                 if (uh == NULL)
3793                         break;
3794 
3795                 ad->u.net->sport = uh->source;
3796                 ad->u.net->dport = uh->dest;
3797                 break;
3798         }
3799 
3800         case IPPROTO_DCCP: {
3801                 struct dccp_hdr _dccph, *dh;
3802 
3803                 if (ntohs(ih->frag_off) & IP_OFFSET)
3804                         break;
3805 
3806                 offset += ihlen;
3807                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3808                 if (dh == NULL)
3809                         break;
3810 
3811                 ad->u.net->sport = dh->dccph_sport;
3812                 ad->u.net->dport = dh->dccph_dport;
3813                 break;
3814         }
3815 
3816         default:
3817                 break;
3818         }
3819 out:
3820         return ret;
3821 }
3822 
3823 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3824 
3825 /* Returns error only if unable to parse addresses */
3826 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3827                         struct common_audit_data *ad, u8 *proto)
3828 {
3829         u8 nexthdr;
3830         int ret = -EINVAL, offset;
3831         struct ipv6hdr _ipv6h, *ip6;
3832         __be16 frag_off;
3833 
3834         offset = skb_network_offset(skb);
3835         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3836         if (ip6 == NULL)
3837                 goto out;
3838 
3839         ad->u.net->v6info.saddr = ip6->saddr;
3840         ad->u.net->v6info.daddr = ip6->daddr;
3841         ret = 0;
3842 
3843         nexthdr = ip6->nexthdr;
3844         offset += sizeof(_ipv6h);
3845         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3846         if (offset < 0)
3847                 goto out;
3848 
3849         if (proto)
3850                 *proto = nexthdr;
3851 
3852         switch (nexthdr) {
3853         case IPPROTO_TCP: {
3854                 struct tcphdr _tcph, *th;
3855 
3856                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3857                 if (th == NULL)
3858                         break;
3859 
3860                 ad->u.net->sport = th->source;
3861                 ad->u.net->dport = th->dest;
3862                 break;
3863         }
3864 
3865         case IPPROTO_UDP: {
3866                 struct udphdr _udph, *uh;
3867 
3868                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3869                 if (uh == NULL)
3870                         break;
3871 
3872                 ad->u.net->sport = uh->source;
3873                 ad->u.net->dport = uh->dest;
3874                 break;
3875         }
3876 
3877         case IPPROTO_DCCP: {
3878                 struct dccp_hdr _dccph, *dh;
3879 
3880                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3881                 if (dh == NULL)
3882                         break;
3883 
3884                 ad->u.net->sport = dh->dccph_sport;
3885                 ad->u.net->dport = dh->dccph_dport;
3886                 break;
3887         }
3888 
3889         /* includes fragments */
3890         default:
3891                 break;
3892         }
3893 out:
3894         return ret;
3895 }
3896 
3897 #endif /* IPV6 */
3898 
3899 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3900                              char **_addrp, int src, u8 *proto)
3901 {
3902         char *addrp;
3903         int ret;
3904 
3905         switch (ad->u.net->family) {
3906         case PF_INET:
3907                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3908                 if (ret)
3909                         goto parse_error;
3910                 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3911                                        &ad->u.net->v4info.daddr);
3912                 goto okay;
3913 
3914 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3915         case PF_INET6:
3916                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3917                 if (ret)
3918                         goto parse_error;
3919                 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3920                                        &ad->u.net->v6info.daddr);
3921                 goto okay;
3922 #endif  /* IPV6 */
3923         default:
3924                 addrp = NULL;
3925                 goto okay;
3926         }
3927 
3928 parse_error:
3929         printk(KERN_WARNING
3930                "SELinux: failure in selinux_parse_skb(),"
3931                " unable to parse packet\n");
3932         return ret;
3933 
3934 okay:
3935         if (_addrp)
3936                 *_addrp = addrp;
3937         return 0;
3938 }
3939 
3940 /**
3941  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3942  * @skb: the packet
3943  * @family: protocol family
3944  * @sid: the packet's peer label SID
3945  *
3946  * Description:
3947  * Check the various different forms of network peer labeling and determine
3948  * the peer label/SID for the packet; most of the magic actually occurs in
3949  * the security server function security_net_peersid_cmp().  The function
3950  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3951  * or -EACCES if @sid is invalid due to inconsistencies with the different
3952  * peer labels.
3953  *
3954  */
3955 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3956 {
3957         int err;
3958         u32 xfrm_sid;
3959         u32 nlbl_sid;
3960         u32 nlbl_type;
3961 
3962         err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3963         if (unlikely(err))
3964                 return -EACCES;
3965         err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3966         if (unlikely(err))
3967                 return -EACCES;
3968 
3969         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3970         if (unlikely(err)) {
3971                 printk(KERN_WARNING
3972                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3973                        " unable to determine packet's peer label\n");
3974                 return -EACCES;
3975         }
3976 
3977         return 0;
3978 }
3979 
3980 /**
3981  * selinux_conn_sid - Determine the child socket label for a connection
3982  * @sk_sid: the parent socket's SID
3983  * @skb_sid: the packet's SID
3984  * @conn_sid: the resulting connection SID
3985  *
3986  * If @skb_sid is valid then the user:role:type information from @sk_sid is
3987  * combined with the MLS information from @skb_sid in order to create
3988  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
3989  * of @sk_sid.  Returns zero on success, negative values on failure.
3990  *
3991  */
3992 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3993 {
3994         int err = 0;
3995 
3996         if (skb_sid != SECSID_NULL)
3997                 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3998         else
3999                 *conn_sid = sk_sid;
4000 
4001         return err;
4002 }
4003 
4004 /* socket security operations */
4005 
4006 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4007                                  u16 secclass, u32 *socksid)
4008 {
4009         if (tsec->sockcreate_sid > SECSID_NULL) {
4010                 *socksid = tsec->sockcreate_sid;
4011                 return 0;
4012         }
4013 
4014         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4015                                        socksid);
4016 }
4017 
4018 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4019 {
4020         struct sk_security_struct *sksec = sk->sk_security;
4021         struct common_audit_data ad;
4022         struct lsm_network_audit net = {0,};
4023         u32 tsid = task_sid(task);
4024 
4025         if (sksec->sid == SECINITSID_KERNEL)
4026                 return 0;
4027 
4028         ad.type = LSM_AUDIT_DATA_NET;
4029         ad.u.net = &net;
4030         ad.u.net->sk = sk;
4031 
4032         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4033 }
4034 
4035 static int selinux_socket_create(int family, int type,
4036                                  int protocol, int kern)
4037 {
4038         const struct task_security_struct *tsec = current_security();
4039         u32 newsid;
4040         u16 secclass;
4041         int rc;
4042 
4043         if (kern)
4044                 return 0;
4045 
4046         secclass = socket_type_to_security_class(family, type, protocol);
4047         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4048         if (rc)
4049                 return rc;
4050 
4051         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4052 }
4053 
4054 static int selinux_socket_post_create(struct socket *sock, int family,
4055                                       int type, int protocol, int kern)
4056 {
4057         const struct task_security_struct *tsec = current_security();
4058         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4059         struct sk_security_struct *sksec;
4060         int err = 0;
4061 
4062         isec->sclass = socket_type_to_security_class(family, type, protocol);
4063 
4064         if (kern)
4065                 isec->sid = SECINITSID_KERNEL;
4066         else {
4067                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4068                 if (err)
4069                         return err;
4070         }
4071 
4072         isec->initialized = 1;
4073 
4074         if (sock->sk) {
4075                 sksec = sock->sk->sk_security;
4076                 sksec->sid = isec->sid;
4077                 sksec->sclass = isec->sclass;
4078                 err = selinux_netlbl_socket_post_create(sock->sk, family);
4079         }
4080 
4081         return err;
4082 }
4083 
4084 /* Range of port numbers used to automatically bind.
4085    Need to determine whether we should perform a name_bind
4086    permission check between the socket and the port number. */
4087 
4088 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4089 {
4090         struct sock *sk = sock->sk;
4091         u16 family;
4092         int err;
4093 
4094         err = sock_has_perm(current, sk, SOCKET__BIND);
4095         if (err)
4096                 goto out;
4097 
4098         /*
4099          * If PF_INET or PF_INET6, check name_bind permission for the port.
4100          * Multiple address binding for SCTP is not supported yet: we just
4101          * check the first address now.
4102          */
4103         family = sk->sk_family;
4104         if (family == PF_INET || family == PF_INET6) {
4105                 char *addrp;
4106                 struct sk_security_struct *sksec = sk->sk_security;
4107                 struct common_audit_data ad;
4108                 struct lsm_network_audit net = {0,};
4109                 struct sockaddr_in *addr4 = NULL;
4110                 struct sockaddr_in6 *addr6 = NULL;
4111                 unsigned short snum;
4112                 u32 sid, node_perm;
4113 
4114                 if (family == PF_INET) {
4115                         addr4 = (struct sockaddr_in *)address;
4116                         snum = ntohs(addr4->sin_port);
4117                         addrp = (char *)&addr4->sin_addr.s_addr;
4118                 } else {
4119                         addr6 = (struct sockaddr_in6 *)address;
4120                         snum = ntohs(addr6->sin6_port);
4121                         addrp = (char *)&addr6->sin6_addr.s6_addr;
4122                 }
4123 
4124                 if (snum) {
4125                         int low, high;
4126 
4127                         inet_get_local_port_range(sock_net(sk), &low, &high);
4128 
4129                         if (snum < max(PROT_SOCK, low) || snum > high) {
4130                                 err = sel_netport_sid(sk->sk_protocol,
4131                                                       snum, &sid);
4132                                 if (err)
4133                                         goto out;
4134                                 ad.type = LSM_AUDIT_DATA_NET;
4135                                 ad.u.net = &net;
4136                                 ad.u.net->sport = htons(snum);
4137                                 ad.u.net->family = family;
4138                                 err = avc_has_perm(sksec->sid, sid,
4139                                                    sksec->sclass,
4140                                                    SOCKET__NAME_BIND, &ad);
4141                                 if (err)
4142                                         goto out;
4143                         }
4144                 }
4145 
4146                 switch (sksec->sclass) {
4147                 case SECCLASS_TCP_SOCKET:
4148                         node_perm = TCP_SOCKET__NODE_BIND;
4149                         break;
4150 
4151                 case SECCLASS_UDP_SOCKET:
4152                         node_perm = UDP_SOCKET__NODE_BIND;
4153                         break;
4154 
4155                 case SECCLASS_DCCP_SOCKET:
4156                         node_perm = DCCP_SOCKET__NODE_BIND;
4157                         break;
4158 
4159                 default:
4160                         node_perm = RAWIP_SOCKET__NODE_BIND;
4161                         break;
4162                 }
4163 
4164                 err = sel_netnode_sid(addrp, family, &sid);
4165                 if (err)
4166                         goto out;
4167 
4168                 ad.type = LSM_AUDIT_DATA_NET;
4169                 ad.u.net = &net;
4170                 ad.u.net->sport = htons(snum);
4171                 ad.u.net->family = family;
4172 
4173                 if (family == PF_INET)
4174                         ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4175                 else
4176                         ad.u.net->v6info.saddr = addr6->sin6_addr;
4177 
4178                 err = avc_has_perm(sksec->sid, sid,
4179                                    sksec->sclass, node_perm, &ad);
4180                 if (err)
4181                         goto out;
4182         }
4183 out:
4184         return err;
4185 }
4186 
4187 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4188 {
4189         struct sock *sk = sock->sk;
4190         struct sk_security_struct *sksec = sk->sk_security;
4191         int err;
4192 
4193         err = sock_has_perm(current, sk, SOCKET__CONNECT);
4194         if (err)
4195                 return err;
4196 
4197         /*
4198          * If a TCP or DCCP socket, check name_connect permission for the port.
4199          */
4200         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4201             sksec->sclass == SECCLASS_DCCP_SOCKET) {
4202                 struct common_audit_data ad;
4203                 struct lsm_network_audit net = {0,};
4204                 struct sockaddr_in *addr4 = NULL;
4205                 struct sockaddr_in6 *addr6 = NULL;
4206                 unsigned short snum;
4207                 u32 sid, perm;
4208 
4209                 if (sk->sk_family == PF_INET) {
4210                         addr4 = (struct sockaddr_in *)address;
4211                         if (addrlen < sizeof(struct sockaddr_in))
4212                                 return -EINVAL;
4213                         snum = ntohs(addr4->sin_port);
4214                 } else {
4215                         addr6 = (struct sockaddr_in6 *)address;
4216                         if (addrlen < SIN6_LEN_RFC2133)
4217                                 return -EINVAL;
4218                         snum = ntohs(addr6->sin6_port);
4219                 }
4220 
4221                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4222                 if (err)
4223                         goto out;
4224 
4225                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4226                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4227 
4228                 ad.type = LSM_AUDIT_DATA_NET;
4229                 ad.u.net = &net;
4230                 ad.u.net->dport = htons(snum);
4231                 ad.u.net->family = sk->sk_family;
4232                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4233                 if (err)
4234                         goto out;
4235         }
4236 
4237         err = selinux_netlbl_socket_connect(sk, address);
4238 
4239 out:
4240         return err;
4241 }
4242 
4243 static int selinux_socket_listen(struct socket *sock, int backlog)
4244 {
4245         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4246 }
4247 
4248 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4249 {
4250         int err;
4251         struct inode_security_struct *isec;
4252         struct inode_security_struct *newisec;
4253 
4254         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4255         if (err)
4256                 return err;
4257 
4258         newisec = SOCK_INODE(newsock)->i_security;
4259 
4260         isec = SOCK_INODE(sock)->i_security;
4261         newisec->sclass = isec->sclass;
4262         newisec->sid = isec->sid;
4263         newisec->initialized = 1;
4264 
4265         return 0;
4266 }
4267 
4268 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4269                                   int size)
4270 {
4271         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4272 }
4273 
4274 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4275                                   int size, int flags)
4276 {
4277         return sock_has_perm(current, sock->sk, SOCKET__READ);
4278 }
4279 
4280 static int selinux_socket_getsockname(struct socket *sock)
4281 {
4282         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4283 }
4284 
4285 static int selinux_socket_getpeername(struct socket *sock)
4286 {
4287         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4288 }
4289 
4290 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4291 {
4292         int err;
4293 
4294         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4295         if (err)
4296                 return err;
4297 
4298         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4299 }
4300 
4301 static int selinux_socket_getsockopt(struct socket *sock, int level,
4302                                      int optname)
4303 {
4304         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4305 }
4306 
4307 static int selinux_socket_shutdown(struct socket *sock, int how)
4308 {
4309         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4310 }
4311 
4312 static int selinux_socket_unix_stream_connect(struct sock *sock,
4313                                               struct sock *other,
4314                                               struct sock *newsk)
4315 {
4316         struct sk_security_struct *sksec_sock = sock->sk_security;
4317         struct sk_security_struct *sksec_other = other->sk_security;
4318         struct sk_security_struct *sksec_new = newsk->sk_security;
4319         struct common_audit_data ad;
4320         struct lsm_network_audit net = {0,};
4321         int err;
4322 
4323         ad.type = LSM_AUDIT_DATA_NET;
4324         ad.u.net = &net;
4325         ad.u.net->sk = other;
4326 
4327         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4328                            sksec_other->sclass,
4329                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4330         if (err)
4331                 return err;
4332 
4333         /* server child socket */
4334         sksec_new->peer_sid = sksec_sock->sid;
4335         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4336                                     &sksec_new->sid);
4337         if (err)
4338                 return err;
4339 
4340         /* connecting socket */
4341         sksec_sock->peer_sid = sksec_new->sid;
4342 
4343         return 0;
4344 }
4345 
4346 static int selinux_socket_unix_may_send(struct socket *sock,
4347                                         struct socket *other)
4348 {
4349         struct sk_security_struct *ssec = sock->sk->sk_security;
4350         struct sk_security_struct *osec = other->sk->sk_security;
4351         struct common_audit_data ad;
4352         struct lsm_network_audit net = {0,};
4353 
4354         ad.type = LSM_AUDIT_DATA_NET;
4355         ad.u.net = &net;
4356         ad.u.net->sk = other->sk;
4357 
4358         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4359                             &ad);
4360 }
4361 
4362 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4363                                     char *addrp, u16 family, u32 peer_sid,
4364                                     struct common_audit_data *ad)
4365 {
4366         int err;
4367         u32 if_sid;
4368         u32 node_sid;
4369 
4370         err = sel_netif_sid(ns, ifindex, &if_sid);
4371         if (err)
4372                 return err;
4373         err = avc_has_perm(peer_sid, if_sid,
4374                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4375         if (err)
4376                 return err;
4377 
4378         err = sel_netnode_sid(addrp, family, &node_sid);
4379         if (err)
4380                 return err;
4381         return avc_has_perm(peer_sid, node_sid,
4382                             SECCLASS_NODE, NODE__RECVFROM, ad);
4383 }
4384 
4385 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4386                                        u16 family)
4387 {
4388         int err = 0;
4389         struct sk_security_struct *sksec = sk->sk_security;
4390         u32 sk_sid = sksec->sid;
4391         struct common_audit_data ad;
4392         struct lsm_network_audit net = {0,};
4393         char *addrp;
4394 
4395         ad.type = LSM_AUDIT_DATA_NET;
4396         ad.u.net = &net;
4397         ad.u.net->netif = skb->skb_iif;
4398         ad.u.net->family = family;
4399         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4400         if (err)
4401                 return err;
4402 
4403         if (selinux_secmark_enabled()) {
4404                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4405                                    PACKET__RECV, &ad);
4406                 if (err)
4407                         return err;
4408         }
4409 
4410         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4411         if (err)
4412                 return err;
4413         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4414 
4415         return err;
4416 }
4417 
4418 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4419 {
4420         int err;
4421         struct sk_security_struct *sksec = sk->sk_security;
4422         u16 family = sk->sk_family;
4423         u32 sk_sid = sksec->sid;
4424         struct common_audit_data ad;
4425         struct lsm_network_audit net = {0,};
4426         char *addrp;
4427         u8 secmark_active;
4428         u8 peerlbl_active;
4429 
4430         if (family != PF_INET && family != PF_INET6)
4431                 return 0;
4432 
4433         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4434         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4435                 family = PF_INET;
4436 
4437         /* If any sort of compatibility mode is enabled then handoff processing
4438          * to the selinux_sock_rcv_skb_compat() function to deal with the
4439          * special handling.  We do this in an attempt to keep this function
4440          * as fast and as clean as possible. */
4441         if (!selinux_policycap_netpeer)
4442                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4443 
4444         secmark_active = selinux_secmark_enabled();
4445         peerlbl_active = selinux_peerlbl_enabled();
4446         if (!secmark_active && !peerlbl_active)
4447                 return 0;
4448 
4449         ad.type = LSM_AUDIT_DATA_NET;
4450         ad.u.net = &net;
4451         ad.u.net->netif = skb->skb_iif;
4452         ad.u.net->family = family;
4453         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4454         if (err)
4455                 return err;
4456 
4457         if (peerlbl_active) {
4458                 u32 peer_sid;
4459 
4460                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4461                 if (err)
4462                         return err;
4463                 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4464                                                addrp, family, peer_sid, &ad);
4465                 if (err) {
4466                         selinux_netlbl_err(skb, err, 0);
4467                         return err;
4468                 }
4469                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4470                                    PEER__RECV, &ad);
4471                 if (err) {
4472                         selinux_netlbl_err(skb, err, 0);
4473                         return err;
4474                 }
4475         }
4476 
4477         if (secmark_active) {
4478                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4479                                    PACKET__RECV, &ad);
4480                 if (err)
4481                         return err;
4482         }
4483 
4484         return err;
4485 }
4486 
4487 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4488                                             int __user *optlen, unsigned len)
4489 {
4490         int err = 0;
4491         char *scontext;
4492         u32 scontext_len;
4493         struct sk_security_struct *sksec = sock->sk->sk_security;
4494         u32 peer_sid = SECSID_NULL;
4495 
4496         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4497             sksec->sclass == SECCLASS_TCP_SOCKET)
4498                 peer_sid = sksec->peer_sid;
4499         if (peer_sid == SECSID_NULL)
4500                 return -ENOPROTOOPT;
4501 
4502         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4503         if (err)
4504                 return err;
4505 
4506         if (scontext_len > len) {
4507                 err = -ERANGE;
4508                 goto out_len;
4509         }
4510 
4511         if (copy_to_user(optval, scontext, scontext_len))
4512                 err = -EFAULT;
4513 
4514 out_len:
4515         if (put_user(scontext_len, optlen))
4516                 err = -EFAULT;
4517         kfree(scontext);
4518         return err;
4519 }
4520 
4521 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4522 {
4523         u32 peer_secid = SECSID_NULL;
4524         u16 family;
4525 
4526         if (skb && skb->protocol == htons(ETH_P_IP))
4527                 family = PF_INET;
4528         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4529                 family = PF_INET6;
4530         else if (sock)
4531                 family = sock->sk->sk_family;
4532         else
4533                 goto out;
4534 
4535         if (sock && family == PF_UNIX)
4536                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4537         else if (skb)
4538                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4539 
4540 out:
4541         *secid = peer_secid;
4542         if (peer_secid == SECSID_NULL)
4543                 return -EINVAL;
4544         return 0;
4545 }
4546 
4547 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4548 {
4549         struct sk_security_struct *sksec;
4550 
4551         sksec = kzalloc(sizeof(*sksec), priority);
4552         if (!sksec)
4553                 return -ENOMEM;
4554 
4555         sksec->peer_sid = SECINITSID_UNLABELED;
4556         sksec->sid = SECINITSID_UNLABELED;
4557         selinux_netlbl_sk_security_reset(sksec);
4558         sk->sk_security = sksec;
4559 
4560         return 0;
4561 }
4562 
4563 static void selinux_sk_free_security(struct sock *sk)
4564 {
4565         struct sk_security_struct *sksec = sk->sk_security;
4566 
4567         sk->sk_security = NULL;
4568         selinux_netlbl_sk_security_free(sksec);
4569         kfree(sksec);
4570 }
4571 
4572 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4573 {
4574         struct sk_security_struct *sksec = sk->sk_security;
4575         struct sk_security_struct *newsksec = newsk->sk_security;
4576 
4577         newsksec->sid = sksec->sid;
4578         newsksec->peer_sid = sksec->peer_sid;
4579         newsksec->sclass = sksec->sclass;
4580 
4581         selinux_netlbl_sk_security_reset(newsksec);
4582 }
4583 
4584 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4585 {
4586         if (!sk)
4587                 *secid = SECINITSID_ANY_SOCKET;
4588         else {
4589                 struct sk_security_struct *sksec = sk->sk_security;
4590 
4591                 *secid = sksec->sid;
4592         }
4593 }
4594 
4595 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4596 {
4597         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4598         struct sk_security_struct *sksec = sk->sk_security;
4599 
4600         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4601             sk->sk_family == PF_UNIX)
4602                 isec->sid = sksec->sid;
4603         sksec->sclass = isec->sclass;
4604 }
4605 
4606 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4607                                      struct request_sock *req)
4608 {
4609         struct sk_security_struct *sksec = sk->sk_security;
4610         int err;
4611         u16 family = req->rsk_ops->family;
4612         u32 connsid;
4613         u32 peersid;
4614 
4615         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4616         if (err)
4617                 return err;
4618         err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4619         if (err)
4620                 return err;
4621         req->secid = connsid;
4622         req->peer_secid = peersid;
4623 
4624         return selinux_netlbl_inet_conn_request(req, family);
4625 }
4626 
4627 static void selinux_inet_csk_clone(struct sock *newsk,
4628                                    const struct request_sock *req)
4629 {
4630         struct sk_security_struct *newsksec = newsk->sk_security;
4631 
4632         newsksec->sid = req->secid;
4633         newsksec->peer_sid = req->peer_secid;
4634         /* NOTE: Ideally, we should also get the isec->sid for the
4635            new socket in sync, but we don't have the isec available yet.
4636            So we will wait until sock_graft to do it, by which
4637            time it will have been created and available. */
4638 
4639         /* We don't need to take any sort of lock here as we are the only
4640          * thread with access to newsksec */
4641         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4642 }
4643 
4644 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4645 {
4646         u16 family = sk->sk_family;
4647         struct sk_security_struct *sksec = sk->sk_security;
4648 
4649         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4650         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4651                 family = PF_INET;
4652 
4653         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4654 }
4655 
4656 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4657 {
4658         skb_set_owner_w(skb, sk);
4659 }
4660 
4661 static int selinux_secmark_relabel_packet(u32 sid)
4662 {
4663         const struct task_security_struct *__tsec;
4664         u32 tsid;
4665 
4666         __tsec = current_security();
4667         tsid = __tsec->sid;
4668 
4669         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4670 }
4671 
4672 static void selinux_secmark_refcount_inc(void)
4673 {
4674         atomic_inc(&selinux_secmark_refcount);
4675 }
4676 
4677 static void selinux_secmark_refcount_dec(void)
4678 {
4679         atomic_dec(&selinux_secmark_refcount);
4680 }
4681 
4682 static void selinux_req_classify_flow(const struct request_sock *req,
4683                                       struct flowi *fl)
4684 {
4685         fl->flowi_secid = req->secid;
4686 }
4687 
4688 static int selinux_tun_dev_alloc_security(void **security)
4689 {
4690         struct tun_security_struct *tunsec;
4691 
4692         tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4693         if (!tunsec)
4694                 return -ENOMEM;
4695         tunsec->sid = current_sid();
4696 
4697         *security = tunsec;
4698         return 0;
4699 }
4700 
4701 static void selinux_tun_dev_free_security(void *security)
4702 {
4703         kfree(security);
4704 }
4705 
4706 static int selinux_tun_dev_create(void)
4707 {
4708         u32 sid = current_sid();
4709 
4710         /* we aren't taking into account the "sockcreate" SID since the socket
4711          * that is being created here is not a socket in the traditional sense,
4712          * instead it is a private sock, accessible only to the kernel, and
4713          * representing a wide range of network traffic spanning multiple
4714          * connections unlike traditional sockets - check the TUN driver to
4715          * get a better understanding of why this socket is special */
4716 
4717         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4718                             NULL);
4719 }
4720 
4721 static int selinux_tun_dev_attach_queue(void *security)
4722 {
4723         struct tun_security_struct *tunsec = security;
4724 
4725         return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4726                             TUN_SOCKET__ATTACH_QUEUE, NULL);
4727 }
4728 
4729 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4730 {
4731         struct tun_security_struct *tunsec = security;
4732         struct sk_security_struct *sksec = sk->sk_security;
4733 
4734         /* we don't currently perform any NetLabel based labeling here and it
4735          * isn't clear that we would want to do so anyway; while we could apply
4736          * labeling without the support of the TUN user the resulting labeled
4737          * traffic from the other end of the connection would almost certainly
4738          * cause confusion to the TUN user that had no idea network labeling
4739          * protocols were being used */
4740 
4741         sksec->sid = tunsec->sid;
4742         sksec->sclass = SECCLASS_TUN_SOCKET;
4743 
4744         return 0;
4745 }
4746 
4747 static int selinux_tun_dev_open(void *security)
4748 {
4749         struct tun_security_struct *tunsec = security;
4750         u32 sid = current_sid();
4751         int err;
4752 
4753         err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4754                            TUN_SOCKET__RELABELFROM, NULL);
4755         if (err)
4756                 return err;
4757         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4758                            TUN_SOCKET__RELABELTO, NULL);
4759         if (err)
4760                 return err;
4761         tunsec->sid = sid;
4762 
4763         return 0;
4764 }
4765 
4766 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4767 {
4768         int err = 0;
4769         u32 perm;
4770         struct nlmsghdr *nlh;
4771         struct sk_security_struct *sksec = sk->sk_security;
4772 
4773         if (skb->len < NLMSG_HDRLEN) {
4774                 err = -EINVAL;
4775                 goto out;
4776         }
4777         nlh = nlmsg_hdr(skb);
4778 
4779         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4780         if (err) {
4781                 if (err == -EINVAL) {
4782                         printk(KERN_WARNING
4783                                "SELinux: unrecognized netlink message:"
4784                                " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
4785                                sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
4786                         if (!selinux_enforcing || security_get_allow_unknown())
4787                                 err = 0;
4788                 }
4789 
4790                 /* Ignore */
4791                 if (err == -ENOENT)
4792                         err = 0;
4793                 goto out;
4794         }
4795 
4796         err = sock_has_perm(current, sk, perm);
4797 out:
4798         return err;
4799 }
4800 
4801 #ifdef CONFIG_NETFILTER
4802 
4803 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4804                                        const struct net_device *indev,
4805                                        u16 family)
4806 {
4807         int err;
4808         char *addrp;
4809         u32 peer_sid;
4810         struct common_audit_data ad;
4811         struct lsm_network_audit net = {0,};
4812         u8 secmark_active;
4813         u8 netlbl_active;
4814         u8 peerlbl_active;
4815 
4816         if (!selinux_policycap_netpeer)
4817                 return NF_ACCEPT;
4818 
4819         secmark_active = selinux_secmark_enabled();
4820         netlbl_active = netlbl_enabled();
4821         peerlbl_active = selinux_peerlbl_enabled();
4822         if (!secmark_active && !peerlbl_active)
4823                 return NF_ACCEPT;
4824 
4825         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4826                 return NF_DROP;
4827 
4828         ad.type = LSM_AUDIT_DATA_NET;
4829         ad.u.net = &net;
4830         ad.u.net->netif = indev->ifindex;
4831         ad.u.net->family = family;
4832         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4833                 return NF_DROP;
4834 
4835         if (peerlbl_active) {
4836                 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4837                                                addrp, family, peer_sid, &ad);
4838                 if (err) {
4839                         selinux_netlbl_err(skb, err, 1);
4840                         return NF_DROP;
4841                 }
4842         }
4843 
4844         if (secmark_active)
4845                 if (avc_has_perm(peer_sid, skb->secmark,
4846                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4847                         return NF_DROP;
4848 
4849         if (netlbl_active)
4850                 /* we do this in the FORWARD path and not the POST_ROUTING
4851                  * path because we want to make sure we apply the necessary
4852                  * labeling before IPsec is applied so we can leverage AH
4853                  * protection */
4854                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4855                         return NF_DROP;
4856 
4857         return NF_ACCEPT;
4858 }
4859 
4860 static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4861                                          struct sk_buff *skb,
4862                                          const struct net_device *in,
4863                                          const struct net_device *out,
4864                                          int (*okfn)(struct sk_buff *))
4865 {
4866         return selinux_ip_forward(skb, in, PF_INET);
4867 }
4868 
4869 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4870 static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4871                                          struct sk_buff *skb,
4872                                          const struct net_device *in,
4873                                          const struct net_device *out,
4874                                          int (*okfn)(struct sk_buff *))
4875 {
4876         return selinux_ip_forward(skb, in, PF_INET6);
4877 }
4878 #endif  /* IPV6 */
4879 
4880 static unsigned int selinux_ip_output(struct sk_buff *skb,
4881                                       u16 family)
4882 {
4883         struct sock *sk;
4884         u32 sid;
4885 
4886         if (!netlbl_enabled())
4887                 return NF_ACCEPT;
4888 
4889         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4890          * because we want to make sure we apply the necessary labeling
4891          * before IPsec is applied so we can leverage AH protection */
4892         sk = skb->sk;
4893         if (sk) {
4894                 struct sk_security_struct *sksec;
4895 
4896                 if (sk->sk_state == TCP_LISTEN)
4897                         /* if the socket is the listening state then this
4898                          * packet is a SYN-ACK packet which means it needs to
4899                          * be labeled based on the connection/request_sock and
4900                          * not the parent socket.  unfortunately, we can't
4901                          * lookup the request_sock yet as it isn't queued on
4902                          * the parent socket until after the SYN-ACK is sent.
4903                          * the "solution" is to simply pass the packet as-is
4904                          * as any IP option based labeling should be copied
4905                          * from the initial connection request (in the IP
4906                          * layer).  it is far from ideal, but until we get a
4907                          * security label in the packet itself this is the
4908                          * best we can do. */
4909                         return NF_ACCEPT;
4910 
4911                 /* standard practice, label using the parent socket */
4912                 sksec = sk->sk_security;
4913                 sid = sksec->sid;
4914         } else
4915                 sid = SECINITSID_KERNEL;
4916         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4917                 return NF_DROP;
4918 
4919         return NF_ACCEPT;
4920 }
4921 
4922 static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4923                                         struct sk_buff *skb,
4924                                         const struct net_device *in,
4925                                         const struct net_device *out,
4926                                         int (*okfn)(struct sk_buff *))
4927 {
4928         return selinux_ip_output(skb, PF_INET);
4929 }
4930 
4931 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4932                                                 int ifindex,
4933                                                 u16 family)
4934 {
4935         struct sock *sk = skb->sk;
4936         struct sk_security_struct *sksec;
4937         struct common_audit_data ad;
4938         struct lsm_network_audit net = {0,};
4939         char *addrp;
4940         u8 proto;
4941 
4942         if (sk == NULL)
4943                 return NF_ACCEPT;
4944         sksec = sk->sk_security;
4945 
4946         ad.type = LSM_AUDIT_DATA_NET;
4947         ad.u.net = &net;
4948         ad.u.net->netif = ifindex;
4949         ad.u.net->family = family;
4950         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4951                 return NF_DROP;
4952 
4953         if (selinux_secmark_enabled())
4954                 if (avc_has_perm(sksec->sid, skb->secmark,
4955                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4956                         return NF_DROP_ERR(-ECONNREFUSED);
4957 
4958         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4959                 return NF_DROP_ERR(-ECONNREFUSED);
4960 
4961         return NF_ACCEPT;
4962 }
4963 
4964 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
4965                                          const struct net_device *outdev,
4966                                          u16 family)
4967 {
4968         u32 secmark_perm;
4969         u32 peer_sid;
4970         int ifindex = outdev->ifindex;
4971         struct sock *sk;
4972         struct common_audit_data ad;
4973         struct lsm_network_audit net = {0,};
4974         char *addrp;
4975         u8 secmark_active;
4976         u8 peerlbl_active;
4977 
4978         /* If any sort of compatibility mode is enabled then handoff processing
4979          * to the selinux_ip_postroute_compat() function to deal with the
4980          * special handling.  We do this in an attempt to keep this function
4981          * as fast and as clean as possible. */
4982         if (!selinux_policycap_netpeer)
4983                 return selinux_ip_postroute_compat(skb, ifindex, family);
4984 
4985         secmark_active = selinux_secmark_enabled();
4986         peerlbl_active = selinux_peerlbl_enabled();
4987         if (!secmark_active && !peerlbl_active)
4988                 return NF_ACCEPT;
4989 
4990         sk = skb->sk;
4991 
4992 #ifdef CONFIG_XFRM
4993         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4994          * packet transformation so allow the packet to pass without any checks
4995          * since we'll have another chance to perform access control checks
4996          * when the packet is on it's final way out.
4997          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4998          *       is NULL, in this case go ahead and apply access control.
4999          * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5000          *       TCP listening state we cannot wait until the XFRM processing
5001          *       is done as we will miss out on the SA label if we do;
5002          *       unfortunately, this means more work, but it is only once per
5003          *       connection. */
5004         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5005             !(sk != NULL && sk->sk_state == TCP_LISTEN))
5006                 return NF_ACCEPT;
5007 #endif
5008 
5009         if (sk == NULL) {
5010                 /* Without an associated socket the packet is either coming
5011                  * from the kernel or it is being forwarded; check the packet
5012                  * to determine which and if the packet is being forwarded
5013                  * query the packet directly to determine the security label. */
5014                 if (skb->skb_iif) {
5015                         secmark_perm = PACKET__FORWARD_OUT;
5016                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5017                                 return NF_DROP;
5018                 } else {
5019                         secmark_perm = PACKET__SEND;
5020                         peer_sid = SECINITSID_KERNEL;
5021                 }
5022         } else if (sk->sk_state == TCP_LISTEN) {
5023                 /* Locally generated packet but the associated socket is in the
5024                  * listening state which means this is a SYN-ACK packet.  In
5025                  * this particular case the correct security label is assigned
5026                  * to the connection/request_sock but unfortunately we can't
5027                  * query the request_sock as it isn't queued on the parent
5028                  * socket until after the SYN-ACK packet is sent; the only
5029                  * viable choice is to regenerate the label like we do in
5030                  * selinux_inet_conn_request().  See also selinux_ip_output()
5031                  * for similar problems. */
5032                 u32 skb_sid;
5033                 struct sk_security_struct *sksec = sk->sk_security;
5034                 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5035                         return NF_DROP;
5036                 /* At this point, if the returned skb peerlbl is SECSID_NULL
5037                  * and the packet has been through at least one XFRM
5038                  * transformation then we must be dealing with the "final"
5039                  * form of labeled IPsec packet; since we've already applied
5040                  * all of our access controls on this packet we can safely
5041                  * pass the packet. */
5042                 if (skb_sid == SECSID_NULL) {
5043                         switch (family) {
5044                         case PF_INET:
5045                                 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5046                                         return NF_ACCEPT;
5047                                 break;
5048                         case PF_INET6:
5049                                 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5050                                         return NF_ACCEPT;
5051                                 break;
5052                         default:
5053                                 return NF_DROP_ERR(-ECONNREFUSED);
5054                         }
5055                 }
5056                 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5057                         return NF_DROP;
5058                 secmark_perm = PACKET__SEND;
5059         } else {
5060                 /* Locally generated packet, fetch the security label from the
5061                  * associated socket. */
5062                 struct sk_security_struct *sksec = sk->sk_security;
5063                 peer_sid = sksec->sid;
5064                 secmark_perm = PACKET__SEND;
5065         }
5066 
5067         ad.type = LSM_AUDIT_DATA_NET;
5068         ad.u.net = &net;
5069         ad.u.net->netif = ifindex;
5070         ad.u.net->family = family;
5071         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5072                 return NF_DROP;
5073 
5074         if (secmark_active)
5075                 if (avc_has_perm(peer_sid, skb->secmark,
5076                                  SECCLASS_PACKET, secmark_perm, &ad))
5077                         return NF_DROP_ERR(-ECONNREFUSED);
5078 
5079         if (peerlbl_active) {
5080                 u32 if_sid;
5081                 u32 node_sid;
5082 
5083                 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5084                         return NF_DROP;
5085                 if (avc_has_perm(peer_sid, if_sid,
5086                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
5087                         return NF_DROP_ERR(-ECONNREFUSED);
5088 
5089                 if (sel_netnode_sid(addrp, family, &node_sid))
5090                         return NF_DROP;
5091                 if (avc_has_perm(peer_sid, node_sid,
5092                                  SECCLASS_NODE, NODE__SENDTO, &ad))
5093                         return NF_DROP_ERR(-ECONNREFUSED);
5094         }
5095 
5096         return NF_ACCEPT;
5097 }
5098 
5099 static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5100                                            struct sk_buff *skb,
5101                                            const struct net_device *in,
5102                                            const struct net_device *out,
5103                                            int (*okfn)(struct sk_buff *))
5104 {
5105         return selinux_ip_postroute(skb, out, PF_INET);
5106 }
5107 
5108 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5109 static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5110                                            struct sk_buff *skb,
5111                                            const struct net_device *in,
5112                                            const struct net_device *out,
5113                                            int (*okfn)(struct sk_buff *))
5114 {
5115         return selinux_ip_postroute(skb, out, PF_INET6);
5116 }
5117 #endif  /* IPV6 */
5118 
5119 #endif  /* CONFIG_NETFILTER */
5120 
5121 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5122 {
5123         int err;
5124 
5125         err = cap_netlink_send(sk, skb);
5126         if (err)
5127                 return err;
5128 
5129         return selinux_nlmsg_perm(sk, skb);
5130 }
5131 
5132 static int ipc_alloc_security(struct task_struct *task,
5133                               struct kern_ipc_perm *perm,
5134                               u16 sclass)
5135 {
5136         struct ipc_security_struct *isec;
5137         u32 sid;
5138 
5139         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5140         if (!isec)
5141                 return -ENOMEM;
5142 
5143         sid = task_sid(task);
5144         isec->sclass = sclass;
5145         isec->sid = sid;
5146         perm->security = isec;
5147 
5148         return 0;
5149 }
5150 
5151 static void ipc_free_security(struct kern_ipc_perm *perm)
5152 {
5153         struct ipc_security_struct *isec = perm->security;
5154         perm->security = NULL;
5155         kfree(isec);
5156 }
5157 
5158 static int msg_msg_alloc_security(struct msg_msg *msg)
5159 {
5160         struct msg_security_struct *msec;
5161 
5162         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5163         if (!msec)
5164                 return -ENOMEM;
5165 
5166         msec->sid = SECINITSID_UNLABELED;
5167         msg->security = msec;
5168 
5169         return 0;
5170 }
5171 
5172 static void msg_msg_free_security(struct msg_msg *msg)
5173 {
5174         struct msg_security_struct *msec = msg->security;
5175 
5176         msg->security = NULL;
5177         kfree(msec);
5178 }
5179 
5180 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5181                         u32 perms)
5182 {
5183         struct ipc_security_struct *isec;
5184         struct common_audit_data ad;
5185         u32 sid = current_sid();
5186 
5187         isec = ipc_perms->security;
5188 
5189         ad.type = LSM_AUDIT_DATA_IPC;
5190         ad.u.ipc_id = ipc_perms->key;
5191 
5192         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5193 }
5194 
5195 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5196 {
5197         return msg_msg_alloc_security(msg);
5198 }
5199 
5200 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5201 {
5202         msg_msg_free_security(msg);
5203 }
5204 
5205 /* message queue security operations */
5206 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5207 {
5208         struct ipc_security_struct *isec;
5209         struct common_audit_data ad;
5210         u32 sid = current_sid();
5211         int rc;
5212 
5213         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5214         if (rc)
5215                 return rc;
5216 
5217         isec = msq->q_perm.security;
5218 
5219         ad.type = LSM_AUDIT_DATA_IPC;
5220         ad.u.ipc_id = msq->q_perm.key;
5221 
5222         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5223                           MSGQ__CREATE, &ad);
5224         if (rc) {
5225                 ipc_free_security(&msq->q_perm);
5226                 return rc;
5227         }
5228         return 0;
5229 }
5230 
5231 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5232 {
5233         ipc_free_security(&msq->q_perm);
5234 }
5235 
5236 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5237 {
5238         struct ipc_security_struct *isec;
5239         struct common_audit_data ad;
5240         u32 sid = current_sid();
5241 
5242         isec = msq->q_perm.security;
5243 
5244         ad.type = LSM_AUDIT_DATA_IPC;
5245         ad.u.ipc_id = msq->q_perm.key;
5246 
5247         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5248                             MSGQ__ASSOCIATE, &ad);
5249 }
5250 
5251 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5252 {
5253         int err;
5254         int perms;
5255 
5256         switch (cmd) {
5257         case IPC_INFO:
5258         case MSG_INFO:
5259                 /* No specific object, just general system-wide information. */
5260                 return task_has_system(current, SYSTEM__IPC_INFO);
5261         case IPC_STAT:
5262         case MSG_STAT:
5263                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5264                 break;
5265         case IPC_SET:
5266                 perms = MSGQ__SETATTR;
5267                 break;
5268         case IPC_RMID:
5269                 perms = MSGQ__DESTROY;
5270                 break;
5271         default:
5272                 return 0;
5273         }
5274 
5275         err = ipc_has_perm(&msq->q_perm, perms);
5276         return err;
5277 }
5278 
5279 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5280 {
5281         struct ipc_security_struct *isec;
5282         struct msg_security_struct *msec;
5283         struct common_audit_data ad;
5284         u32 sid = current_sid();
5285         int rc;
5286 
5287         isec = msq->q_perm.security;
5288         msec = msg->security;
5289 
5290         /*
5291          * First time through, need to assign label to the message
5292          */
5293         if (msec->sid == SECINITSID_UNLABELED) {
5294                 /*
5295                  * Compute new sid based on current process and
5296                  * message queue this message will be stored in
5297                  */
5298                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5299                                              NULL, &msec->sid);
5300                 if (rc)
5301                         return rc;
5302         }
5303 
5304         ad.type = LSM_AUDIT_DATA_IPC;
5305         ad.u.ipc_id = msq->q_perm.key;
5306 
5307         /* Can this process write to the queue? */
5308         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5309                           MSGQ__WRITE, &ad);
5310         if (!rc)
5311                 /* Can this process send the message */
5312                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5313                                   MSG__SEND, &ad);
5314         if (!rc)
5315                 /* Can the message be put in the queue? */
5316                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5317                                   MSGQ__ENQUEUE, &ad);
5318 
5319         return rc;
5320 }
5321 
5322 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5323                                     struct task_struct *target,
5324                                     long type, int mode)
5325 {
5326         struct ipc_security_struct *isec;
5327         struct msg_security_struct *msec;
5328         struct common_audit_data ad;
5329         u32 sid = task_sid(target);
5330         int rc;
5331 
5332         isec = msq->q_perm.security;
5333         msec = msg->security;
5334 
5335         ad.type = LSM_AUDIT_DATA_IPC;
5336         ad.u.ipc_id = msq->q_perm.key;
5337 
5338         rc = avc_has_perm(sid, isec->sid,
5339                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5340         if (!rc)
5341                 rc = avc_has_perm(sid, msec->sid,
5342                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5343         return rc;
5344 }
5345 
5346 /* Shared Memory security operations */
5347 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5348 {
5349         struct ipc_security_struct *isec;
5350         struct common_audit_data ad;
5351         u32 sid = current_sid();
5352         int rc;
5353 
5354         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5355         if (rc)
5356                 return rc;
5357 
5358         isec = shp->shm_perm.security;
5359 
5360         ad.type = LSM_AUDIT_DATA_IPC;
5361         ad.u.ipc_id = shp->shm_perm.key;
5362 
5363         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5364                           SHM__CREATE, &ad);
5365         if (rc) {
5366                 ipc_free_security(&shp->shm_perm);
5367                 return rc;
5368         }
5369         return 0;
5370 }
5371 
5372 static void selinux_shm_free_security(struct shmid_kernel *shp)
5373 {
5374         ipc_free_security(&shp->shm_perm);
5375 }
5376 
5377 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5378 {
5379         struct ipc_security_struct *isec;
5380         struct common_audit_data ad;
5381         u32 sid = current_sid();
5382 
5383         isec = shp->shm_perm.security;
5384 
5385         ad.type = LSM_AUDIT_DATA_IPC;
5386         ad.u.ipc_id = shp->shm_perm.key;
5387 
5388         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5389                             SHM__ASSOCIATE, &ad);
5390 }
5391 
5392 /* Note, at this point, shp is locked down */
5393 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5394 {
5395         int perms;
5396         int err;
5397 
5398         switch (cmd) {
5399         case IPC_INFO:
5400         case SHM_INFO:
5401                 /* No specific object, just general system-wide information. */
5402                 return task_has_system(current, SYSTEM__IPC_INFO);
5403         case IPC_STAT:
5404         case SHM_STAT:
5405                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5406                 break;
5407         case IPC_SET:
5408                 perms = SHM__SETATTR;
5409                 break;
5410         case SHM_LOCK:
5411         case SHM_UNLOCK:
5412                 perms = SHM__LOCK;
5413                 break;
5414         case IPC_RMID:
5415                 perms = SHM__DESTROY;
5416                 break;
5417         default:
5418                 return 0;
5419         }
5420 
5421         err = ipc_has_perm(&shp->shm_perm, perms);
5422         return err;
5423 }
5424 
5425 static int selinux_shm_shmat(struct shmid_kernel *shp,
5426                              char __user *shmaddr, int shmflg)
5427 {
5428         u32 perms;
5429 
5430         if (shmflg & SHM_RDONLY)
5431                 perms = SHM__READ;
5432         else
5433                 perms = SHM__READ | SHM__WRITE;
5434 
5435         return ipc_has_perm(&shp->shm_perm, perms);
5436 }
5437 
5438 /* Semaphore security operations */
5439 static int selinux_sem_alloc_security(struct sem_array *sma)
5440 {
5441         struct ipc_security_struct *isec;
5442         struct common_audit_data ad;
5443         u32 sid = current_sid();
5444         int rc;
5445 
5446         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5447         if (rc)
5448                 return rc;
5449 
5450         isec = sma->sem_perm.security;
5451 
5452         ad.type = LSM_AUDIT_DATA_IPC;
5453         ad.u.ipc_id = sma->sem_perm.key;
5454 
5455         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5456                           SEM__CREATE, &ad);
5457         if (rc) {
5458                 ipc_free_security(&sma->sem_perm);
5459                 return rc;
5460         }
5461         return 0;
5462 }
5463 
5464 static void selinux_sem_free_security(struct sem_array *sma)
5465 {
5466         ipc_free_security(&sma->sem_perm);
5467 }
5468 
5469 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5470 {
5471         struct ipc_security_struct *isec;
5472         struct common_audit_data ad;
5473         u32 sid = current_sid();
5474 
5475         isec = sma->sem_perm.security;
5476 
5477         ad.type = LSM_AUDIT_DATA_IPC;
5478         ad.u.ipc_id = sma->sem_perm.key;
5479 
5480         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5481                             SEM__ASSOCIATE, &ad);
5482 }
5483 
5484 /* Note, at this point, sma is locked down */
5485 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5486 {
5487         int err;
5488         u32 perms;
5489 
5490         switch (cmd) {
5491         case IPC_INFO:
5492         case SEM_INFO:
5493                 /* No specific object, just general system-wide information. */
5494                 return task_has_system(current, SYSTEM__IPC_INFO);
5495         case GETPID:
5496         case GETNCNT:
5497         case GETZCNT:
5498                 perms = SEM__GETATTR;
5499                 break;
5500         case GETVAL:
5501         case GETALL:
5502                 perms = SEM__READ;
5503                 break;
5504         case SETVAL:
5505         case SETALL:
5506                 perms = SEM__WRITE;
5507                 break;
5508         case IPC_RMID:
5509                 perms = SEM__DESTROY;
5510                 break;
5511         case IPC_SET:
5512                 perms = SEM__SETATTR;
5513                 break;
5514         case IPC_STAT:
5515         case SEM_STAT:
5516                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5517                 break;
5518         default:
5519                 return 0;
5520         }
5521 
5522         err = ipc_has_perm(&sma->sem_perm, perms);
5523         return err;
5524 }
5525 
5526 static int selinux_sem_semop(struct sem_array *sma,
5527                              struct sembuf *sops, unsigned nsops, int alter)
5528 {
5529         u32 perms;
5530 
5531         if (alter)
5532                 perms = SEM__READ | SEM__WRITE;
5533         else
5534                 perms = SEM__READ;
5535 
5536         return ipc_has_perm(&sma->sem_perm, perms);
5537 }
5538 
5539 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5540 {
5541         u32 av = 0;
5542 
5543         av = 0;
5544         if (flag & S_IRUGO)
5545                 av |= IPC__UNIX_READ;
5546         if (flag & S_IWUGO)
5547                 av |= IPC__UNIX_WRITE;
5548 
5549         if (av == 0)
5550                 return 0;
5551 
5552         return ipc_has_perm(ipcp, av);
5553 }
5554 
5555 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5556 {
5557         struct ipc_security_struct *isec = ipcp->security;
5558         *secid = isec->sid;
5559 }
5560 
5561 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5562 {
5563         if (inode)
5564                 inode_doinit_with_dentry(inode, dentry);
5565 }
5566 
5567 static int selinux_getprocattr(struct task_struct *p,
5568                                char *name, char **value)
5569 {
5570         const struct task_security_struct *__tsec;
5571         u32 sid;
5572         int error;
5573         unsigned len;
5574 
5575         if (current != p) {
5576                 error = current_has_perm(p, PROCESS__GETATTR);
5577                 if (error)
5578                         return error;
5579         }
5580 
5581         rcu_read_lock();
5582         __tsec = __task_cred(p)->security;
5583 
5584         if (!strcmp(name, "current"))
5585                 sid = __tsec->sid;
5586         else if (!strcmp(name, "prev"))
5587                 sid = __tsec->osid;
5588         else if (!strcmp(name, "exec"))
5589                 sid = __tsec->exec_sid;
5590         else if (!strcmp(name, "fscreate"))
5591                 sid = __tsec->create_sid;
5592         else if (!strcmp(name, "keycreate"))
5593                 sid = __tsec->keycreate_sid;
5594         else if (!strcmp(name, "sockcreate"))
5595                 sid = __tsec->sockcreate_sid;
5596         else
5597                 goto invalid;
5598         rcu_read_unlock();
5599 
5600         if (!sid)
5601                 return 0;
5602 
5603         error = security_sid_to_context(sid, value, &len);
5604         if (error)
5605                 return error;
5606         return len;
5607 
5608 invalid:
5609         rcu_read_unlock();
5610         return -EINVAL;
5611 }
5612 
5613 static int selinux_setprocattr(struct task_struct *p,
5614                                char *name, void *value, size_t size)
5615 {
5616         struct task_security_struct *tsec;
5617         struct task_struct *tracer;
5618         struct cred *new;
5619         u32 sid = 0, ptsid;
5620         int error;
5621         char *str = value;
5622 
5623         if (current != p) {
5624                 /* SELinux only allows a process to change its own
5625                    security attributes. */
5626                 return -EACCES;
5627         }
5628 
5629         /*
5630          * Basic control over ability to set these attributes at all.
5631          * current == p, but we'll pass them separately in case the
5632          * above restriction is ever removed.
5633          */
5634         if (!strcmp(name, "exec"))
5635                 error = current_has_perm(p, PROCESS__SETEXEC);
5636         else if (!strcmp(name, "fscreate"))
5637                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5638         else if (!strcmp(name, "keycreate"))
5639                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5640         else if (!strcmp(name, "sockcreate"))
5641                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5642         else if (!strcmp(name, "current"))
5643                 error = current_has_perm(p, PROCESS__SETCURRENT);
5644         else
5645                 error = -EINVAL;
5646         if (error)
5647                 return error;
5648 
5649         /* Obtain a SID for the context, if one was specified. */
5650         if (size && str[1] && str[1] != '\n') {
5651                 if (str[size-1] == '\n') {
5652                         str[size-1] = 0;
5653                         size--;
5654                 }
5655                 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5656                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5657                         if (!capable(CAP_MAC_ADMIN)) {
5658                                 struct audit_buffer *ab;
5659                                 size_t audit_size;
5660 
5661                                 /* We strip a nul only if it is at the end, otherwise the
5662                                  * context contains a nul and we should audit that */
5663                                 if (str[size - 1] == '\0')
5664                                         audit_size = size - 1;
5665                                 else
5666                                         audit_size = size;
5667                                 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5668                                 audit_log_format(ab, "op=fscreate invalid_context=");
5669                                 audit_log_n_untrustedstring(ab, value, audit_size);
5670                                 audit_log_end(ab);
5671 
5672                                 return error;
5673                         }
5674                         error = security_context_to_sid_force(value, size,
5675                                                               &sid);
5676                 }
5677                 if (error)
5678                         return error;
5679         }
5680 
5681         new = prepare_creds();
5682         if (!new)
5683                 return -ENOMEM;
5684 
5685         /* Permission checking based on the specified context is
5686            performed during the actual operation (execve,
5687            open/mkdir/...), when we know the full context of the
5688            operation.  See selinux_bprm_set_creds for the execve
5689            checks and may_create for the file creation checks. The
5690            operation will then fail if the context is not permitted. */
5691         tsec = new->security;
5692         if (!strcmp(name, "exec")) {
5693                 tsec->exec_sid = sid;
5694         } else if (!strcmp(name, "fscreate")) {
5695                 tsec->create_sid = sid;
5696         } else if (!strcmp(name, "keycreate")) {
5697                 error = may_create_key(sid, p);
5698                 if (error)
5699                         goto abort_change;
5700                 tsec->keycreate_sid = sid;
5701         } else if (!strcmp(name, "sockcreate")) {
5702                 tsec->sockcreate_sid = sid;
5703         } else if (!strcmp(name, "current")) {
5704                 error = -EINVAL;
5705                 if (sid == 0)
5706                         goto abort_change;
5707 
5708                 /* Only allow single threaded processes to change context */
5709                 error = -EPERM;
5710                 if (!current_is_single_threaded()) {
5711                         error = security_bounded_transition(tsec->sid, sid);
5712                         if (error)
5713                                 goto abort_change;
5714                 }
5715 
5716                 /* Check permissions for the transition. */
5717                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5718                                      PROCESS__DYNTRANSITION, NULL);
5719                 if (error)
5720                         goto abort_change;
5721 
5722                 /* Check for ptracing, and update the task SID if ok.
5723                    Otherwise, leave SID unchanged and fail. */
5724                 ptsid = 0;
5725                 rcu_read_lock();
5726                 tracer = ptrace_parent(p);
5727                 if (tracer)
5728                         ptsid = task_sid(tracer);
5729                 rcu_read_unlock();
5730 
5731                 if (tracer) {
5732                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5733                                              PROCESS__PTRACE, NULL);
5734                         if (error)
5735                                 goto abort_change;
5736                 }
5737 
5738                 tsec->sid = sid;
5739         } else {
5740                 error = -EINVAL;
5741                 goto abort_change;
5742         }
5743 
5744         commit_creds(new);
5745         return size;
5746 
5747 abort_change:
5748         abort_creds(new);
5749         return error;
5750 }
5751 
5752 static int selinux_ismaclabel(const char *name)
5753 {
5754         return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5755 }
5756 
5757 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5758 {
5759         return security_sid_to_context(secid, secdata, seclen);
5760 }
5761 
5762 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5763 {
5764         return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5765 }
5766 
5767 static void selinux_release_secctx(char *secdata, u32 seclen)
5768 {
5769         kfree(secdata);
5770 }
5771 
5772 /*
5773  *      called with inode->i_mutex locked
5774  */
5775 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5776 {
5777         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5778 }
5779 
5780 /*
5781  *      called with inode->i_mutex locked
5782  */
5783 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5784 {
5785         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5786 }
5787 
5788 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5789 {
5790         int len = 0;
5791         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5792                                                 ctx, true);
5793         if (len < 0)
5794                 return len;
5795         *ctxlen = len;
5796         return 0;
5797 }
5798 #ifdef CONFIG_KEYS
5799 
5800 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5801                              unsigned long flags)
5802 {
5803         const struct task_security_struct *tsec;
5804         struct key_security_struct *ksec;
5805 
5806         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5807         if (!ksec)
5808                 return -ENOMEM;
5809 
5810         tsec = cred->security;
5811         if (tsec->keycreate_sid)
5812                 ksec->sid = tsec->keycreate_sid;
5813         else
5814                 ksec->sid = tsec->sid;
5815 
5816         k->security = ksec;
5817         return 0;
5818 }
5819 
5820 static void selinux_key_free(struct key *k)
5821 {
5822         struct key_security_struct *ksec = k->security;
5823 
5824         k->security = NULL;
5825         kfree(ksec);
5826 }
5827 
5828 static int selinux_key_permission(key_ref_t key_ref,
5829                                   const struct cred *cred,
5830                                   unsigned perm)
5831 {
5832         struct key *key;
5833         struct key_security_struct *ksec;
5834         u32 sid;
5835 
5836         /* if no specific permissions are requested, we skip the
5837            permission check. No serious, additional covert channels
5838            appear to be created. */
5839         if (perm == 0)
5840                 return 0;
5841 
5842         sid = cred_sid(cred);
5843 
5844         key = key_ref_to_ptr(key_ref);
5845         ksec = key->security;
5846 
5847         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5848 }
5849 
5850 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5851 {
5852         struct key_security_struct *ksec = key->security;
5853         char *context = NULL;
5854         unsigned len;
5855         int rc;
5856 
5857         rc = security_sid_to_context(ksec->sid, &context, &len);
5858         if (!rc)
5859                 rc = len;
5860         *_buffer = context;
5861         return rc;
5862 }
5863 
5864 #endif
5865 
5866 static struct security_operations selinux_ops = {
5867         .name =                         "selinux",
5868 
5869         .binder_set_context_mgr =       selinux_binder_set_context_mgr,
5870         .binder_transaction =           selinux_binder_transaction,
5871         .binder_transfer_binder =       selinux_binder_transfer_binder,
5872         .binder_transfer_file =         selinux_binder_transfer_file,
5873 
5874         .ptrace_access_check =          selinux_ptrace_access_check,
5875         .ptrace_traceme =               selinux_ptrace_traceme,
5876         .capget =                       selinux_capget,
5877         .capset =                       selinux_capset,
5878         .capable =                      selinux_capable,
5879         .quotactl =                     selinux_quotactl,
5880         .quota_on =                     selinux_quota_on,
5881         .syslog =                       selinux_syslog,
5882         .vm_enough_memory =             selinux_vm_enough_memory,
5883 
5884         .netlink_send =                 selinux_netlink_send,
5885 
5886         .bprm_set_creds =               selinux_bprm_set_creds,
5887         .bprm_committing_creds =        selinux_bprm_committing_creds,
5888         .bprm_committed_creds =         selinux_bprm_committed_creds,
5889         .bprm_secureexec =              selinux_bprm_secureexec,
5890 
5891         .sb_alloc_security =            selinux_sb_alloc_security,
5892         .sb_free_security =             selinux_sb_free_security,
5893         .sb_copy_data =                 selinux_sb_copy_data,
5894         .sb_remount =                   selinux_sb_remount,
5895         .sb_kern_mount =                selinux_sb_kern_mount,
5896         .sb_show_options =              selinux_sb_show_options,
5897         .sb_statfs =                    selinux_sb_statfs,
5898         .sb_mount =                     selinux_mount,
5899         .sb_umount =                    selinux_umount,
5900         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5901         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5902         .sb_parse_opts_str =            selinux_parse_opts_str,
5903 
5904         .dentry_init_security =         selinux_dentry_init_security,
5905 
5906         .inode_alloc_security =         selinux_inode_alloc_security,
5907         .inode_free_security =          selinux_inode_free_security,
5908         .inode_init_security =          selinux_inode_init_security,
5909         .inode_create =                 selinux_inode_create,
5910         .inode_link =                   selinux_inode_link,
5911         .inode_unlink =                 selinux_inode_unlink,
5912         .inode_symlink =                selinux_inode_symlink,
5913         .inode_mkdir =                  selinux_inode_mkdir,
5914         .inode_rmdir =                  selinux_inode_rmdir,
5915         .inode_mknod =                  selinux_inode_mknod,
5916         .inode_rename =                 selinux_inode_rename,
5917         .inode_readlink =               selinux_inode_readlink,
5918         .inode_follow_link =            selinux_inode_follow_link,
5919         .inode_permission =             selinux_inode_permission,
5920         .inode_setattr =                selinux_inode_setattr,
5921         .inode_getattr =                selinux_inode_getattr,
5922         .inode_setxattr =               selinux_inode_setxattr,
5923         .inode_post_setxattr =          selinux_inode_post_setxattr,
5924         .inode_getxattr =               selinux_inode_getxattr,
5925         .inode_listxattr =              selinux_inode_listxattr,
5926         .inode_removexattr =            selinux_inode_removexattr,
5927         .inode_getsecurity =            selinux_inode_getsecurity,
5928         .inode_setsecurity =            selinux_inode_setsecurity,
5929         .inode_listsecurity =           selinux_inode_listsecurity,
5930         .inode_getsecid =               selinux_inode_getsecid,
5931 
5932         .file_permission =              selinux_file_permission,
5933         .file_alloc_security =          selinux_file_alloc_security,
5934         .file_free_security =           selinux_file_free_security,
5935         .file_ioctl =                   selinux_file_ioctl,
5936         .mmap_file =                    selinux_mmap_file,
5937         .mmap_addr =                    selinux_mmap_addr,
5938         .file_mprotect =                selinux_file_mprotect,
5939         .file_lock =                    selinux_file_lock,
5940         .file_fcntl =                   selinux_file_fcntl,
5941         .file_set_fowner =              selinux_file_set_fowner,
5942         .file_send_sigiotask =          selinux_file_send_sigiotask,
5943         .file_receive =