~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/selinux/hooks.c

Version: ~ [ linux-5.19-rc3 ] ~ [ linux-5.18.5 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.48 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.123 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.199 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.248 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.284 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.319 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.302 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  *  NSA Security-Enhanced Linux (SELinux) security module
  3  *
  4  *  This file contains the SELinux hook function implementations.
  5  *
  6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
  7  *            Chris Vance, <cvance@nai.com>
  8  *            Wayne Salamon, <wsalamon@nai.com>
  9  *            James Morris <jmorris@redhat.com>
 10  *
 11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
 12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
 13  *                                         Eric Paris <eparis@redhat.com>
 14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 15  *                          <dgoeddel@trustedcs.com>
 16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
 17  *      Paul Moore <paul@paul-moore.com>
 18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
 19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
 20  *
 21  *      This program is free software; you can redistribute it and/or modify
 22  *      it under the terms of the GNU General Public License version 2,
 23  *      as published by the Free Software Foundation.
 24  */
 25 
 26 #include <linux/init.h>
 27 #include <linux/kd.h>
 28 #include <linux/kernel.h>
 29 #include <linux/tracehook.h>
 30 #include <linux/errno.h>
 31 #include <linux/sched.h>
 32 #include <linux/lsm_hooks.h>
 33 #include <linux/xattr.h>
 34 #include <linux/capability.h>
 35 #include <linux/unistd.h>
 36 #include <linux/mm.h>
 37 #include <linux/mman.h>
 38 #include <linux/slab.h>
 39 #include <linux/pagemap.h>
 40 #include <linux/proc_fs.h>
 41 #include <linux/swap.h>
 42 #include <linux/spinlock.h>
 43 #include <linux/syscalls.h>
 44 #include <linux/dcache.h>
 45 #include <linux/file.h>
 46 #include <linux/fdtable.h>
 47 #include <linux/namei.h>
 48 #include <linux/mount.h>
 49 #include <linux/netfilter_ipv4.h>
 50 #include <linux/netfilter_ipv6.h>
 51 #include <linux/tty.h>
 52 #include <net/icmp.h>
 53 #include <net/ip.h>             /* for local_port_range[] */
 54 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 55 #include <net/inet_connection_sock.h>
 56 #include <net/net_namespace.h>
 57 #include <net/netlabel.h>
 58 #include <linux/uaccess.h>
 59 #include <asm/ioctls.h>
 60 #include <linux/atomic.h>
 61 #include <linux/bitops.h>
 62 #include <linux/interrupt.h>
 63 #include <linux/netdevice.h>    /* for network interface checks */
 64 #include <net/netlink.h>
 65 #include <linux/tcp.h>
 66 #include <linux/udp.h>
 67 #include <linux/dccp.h>
 68 #include <linux/quota.h>
 69 #include <linux/un.h>           /* for Unix socket types */
 70 #include <net/af_unix.h>        /* for Unix socket types */
 71 #include <linux/parser.h>
 72 #include <linux/nfs_mount.h>
 73 #include <net/ipv6.h>
 74 #include <linux/hugetlb.h>
 75 #include <linux/personality.h>
 76 #include <linux/audit.h>
 77 #include <linux/string.h>
 78 #include <linux/selinux.h>
 79 #include <linux/mutex.h>
 80 #include <linux/posix-timers.h>
 81 #include <linux/syslog.h>
 82 #include <linux/user_namespace.h>
 83 #include <linux/export.h>
 84 #include <linux/msg.h>
 85 #include <linux/shm.h>
 86 
 87 #include "avc.h"
 88 #include "objsec.h"
 89 #include "netif.h"
 90 #include "netnode.h"
 91 #include "netport.h"
 92 #include "xfrm.h"
 93 #include "netlabel.h"
 94 #include "audit.h"
 95 #include "avc_ss.h"
 96 
 97 /* SECMARK reference count */
 98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 99 
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102 
103 static int __init enforcing_setup(char *str)
104 {
105         unsigned long enforcing;
106         if (!kstrtoul(str, 0, &enforcing))
107                 selinux_enforcing = enforcing ? 1 : 0;
108         return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112 
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115 
116 static int __init selinux_enabled_setup(char *str)
117 {
118         unsigned long enabled;
119         if (!kstrtoul(str, 0, &enabled))
120                 selinux_enabled = enabled ? 1 : 0;
121         return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127 
128 static struct kmem_cache *sel_inode_cache;
129 
130 /**
131  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132  *
133  * Description:
134  * This function checks the SECMARK reference counter to see if any SECMARK
135  * targets are currently configured, if the reference counter is greater than
136  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
137  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
138  * policy capability is enabled, SECMARK is always considered enabled.
139  *
140  */
141 static int selinux_secmark_enabled(void)
142 {
143         return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
144 }
145 
146 /**
147  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
148  *
149  * Description:
150  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
151  * (1) if any are enabled or false (0) if neither are enabled.  If the
152  * always_check_network policy capability is enabled, peer labeling
153  * is always considered enabled.
154  *
155  */
156 static int selinux_peerlbl_enabled(void)
157 {
158         return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
159 }
160 
161 static int selinux_netcache_avc_callback(u32 event)
162 {
163         if (event == AVC_CALLBACK_RESET) {
164                 sel_netif_flush();
165                 sel_netnode_flush();
166                 sel_netport_flush();
167                 synchronize_net();
168         }
169         return 0;
170 }
171 
172 /*
173  * initialise the security for the init task
174  */
175 static void cred_init_security(void)
176 {
177         struct cred *cred = (struct cred *) current->real_cred;
178         struct task_security_struct *tsec;
179 
180         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
181         if (!tsec)
182                 panic("SELinux:  Failed to initialize initial task.\n");
183 
184         tsec->osid = tsec->sid = SECINITSID_KERNEL;
185         cred->security = tsec;
186 }
187 
188 /*
189  * get the security ID of a set of credentials
190  */
191 static inline u32 cred_sid(const struct cred *cred)
192 {
193         const struct task_security_struct *tsec;
194 
195         tsec = cred->security;
196         return tsec->sid;
197 }
198 
199 /*
200  * get the objective security ID of a task
201  */
202 static inline u32 task_sid(const struct task_struct *task)
203 {
204         u32 sid;
205 
206         rcu_read_lock();
207         sid = cred_sid(__task_cred(task));
208         rcu_read_unlock();
209         return sid;
210 }
211 
212 /*
213  * get the subjective security ID of the current task
214  */
215 static inline u32 current_sid(void)
216 {
217         const struct task_security_struct *tsec = current_security();
218 
219         return tsec->sid;
220 }
221 
222 /* Allocate and free functions for each kind of security blob. */
223 
224 static int inode_alloc_security(struct inode *inode)
225 {
226         struct inode_security_struct *isec;
227         u32 sid = current_sid();
228 
229         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
230         if (!isec)
231                 return -ENOMEM;
232 
233         mutex_init(&isec->lock);
234         INIT_LIST_HEAD(&isec->list);
235         isec->inode = inode;
236         isec->sid = SECINITSID_UNLABELED;
237         isec->sclass = SECCLASS_FILE;
238         isec->task_sid = sid;
239         inode->i_security = isec;
240 
241         return 0;
242 }
243 
244 static void inode_free_rcu(struct rcu_head *head)
245 {
246         struct inode_security_struct *isec;
247 
248         isec = container_of(head, struct inode_security_struct, rcu);
249         kmem_cache_free(sel_inode_cache, isec);
250 }
251 
252 static void inode_free_security(struct inode *inode)
253 {
254         struct inode_security_struct *isec = inode->i_security;
255         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
256 
257         spin_lock(&sbsec->isec_lock);
258         if (!list_empty(&isec->list))
259                 list_del_init(&isec->list);
260         spin_unlock(&sbsec->isec_lock);
261 
262         /*
263          * The inode may still be referenced in a path walk and
264          * a call to selinux_inode_permission() can be made
265          * after inode_free_security() is called. Ideally, the VFS
266          * wouldn't do this, but fixing that is a much harder
267          * job. For now, simply free the i_security via RCU, and
268          * leave the current inode->i_security pointer intact.
269          * The inode will be freed after the RCU grace period too.
270          */
271         call_rcu(&isec->rcu, inode_free_rcu);
272 }
273 
274 static int file_alloc_security(struct file *file)
275 {
276         struct file_security_struct *fsec;
277         u32 sid = current_sid();
278 
279         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
280         if (!fsec)
281                 return -ENOMEM;
282 
283         fsec->sid = sid;
284         fsec->fown_sid = sid;
285         file->f_security = fsec;
286 
287         return 0;
288 }
289 
290 static void file_free_security(struct file *file)
291 {
292         struct file_security_struct *fsec = file->f_security;
293         file->f_security = NULL;
294         kfree(fsec);
295 }
296 
297 static int superblock_alloc_security(struct super_block *sb)
298 {
299         struct superblock_security_struct *sbsec;
300 
301         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
302         if (!sbsec)
303                 return -ENOMEM;
304 
305         mutex_init(&sbsec->lock);
306         INIT_LIST_HEAD(&sbsec->isec_head);
307         spin_lock_init(&sbsec->isec_lock);
308         sbsec->sb = sb;
309         sbsec->sid = SECINITSID_UNLABELED;
310         sbsec->def_sid = SECINITSID_FILE;
311         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
312         sb->s_security = sbsec;
313 
314         return 0;
315 }
316 
317 static void superblock_free_security(struct super_block *sb)
318 {
319         struct superblock_security_struct *sbsec = sb->s_security;
320         sb->s_security = NULL;
321         kfree(sbsec);
322 }
323 
324 /* The file system's label must be initialized prior to use. */
325 
326 static const char *labeling_behaviors[7] = {
327         "uses xattr",
328         "uses transition SIDs",
329         "uses task SIDs",
330         "uses genfs_contexts",
331         "not configured for labeling",
332         "uses mountpoint labeling",
333         "uses native labeling",
334 };
335 
336 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
337 
338 static inline int inode_doinit(struct inode *inode)
339 {
340         return inode_doinit_with_dentry(inode, NULL);
341 }
342 
343 enum {
344         Opt_error = -1,
345         Opt_context = 1,
346         Opt_fscontext = 2,
347         Opt_defcontext = 3,
348         Opt_rootcontext = 4,
349         Opt_labelsupport = 5,
350         Opt_nextmntopt = 6,
351 };
352 
353 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
354 
355 static const match_table_t tokens = {
356         {Opt_context, CONTEXT_STR "%s"},
357         {Opt_fscontext, FSCONTEXT_STR "%s"},
358         {Opt_defcontext, DEFCONTEXT_STR "%s"},
359         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
360         {Opt_labelsupport, LABELSUPP_STR},
361         {Opt_error, NULL},
362 };
363 
364 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
365 
366 static int may_context_mount_sb_relabel(u32 sid,
367                         struct superblock_security_struct *sbsec,
368                         const struct cred *cred)
369 {
370         const struct task_security_struct *tsec = cred->security;
371         int rc;
372 
373         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374                           FILESYSTEM__RELABELFROM, NULL);
375         if (rc)
376                 return rc;
377 
378         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
379                           FILESYSTEM__RELABELTO, NULL);
380         return rc;
381 }
382 
383 static int may_context_mount_inode_relabel(u32 sid,
384                         struct superblock_security_struct *sbsec,
385                         const struct cred *cred)
386 {
387         const struct task_security_struct *tsec = cred->security;
388         int rc;
389         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
390                           FILESYSTEM__RELABELFROM, NULL);
391         if (rc)
392                 return rc;
393 
394         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
395                           FILESYSTEM__ASSOCIATE, NULL);
396         return rc;
397 }
398 
399 static int selinux_is_sblabel_mnt(struct super_block *sb)
400 {
401         struct superblock_security_struct *sbsec = sb->s_security;
402 
403         return sbsec->behavior == SECURITY_FS_USE_XATTR ||
404                 sbsec->behavior == SECURITY_FS_USE_TRANS ||
405                 sbsec->behavior == SECURITY_FS_USE_TASK ||
406                 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
407                 /* Special handling. Genfs but also in-core setxattr handler */
408                 !strcmp(sb->s_type->name, "sysfs") ||
409                 !strcmp(sb->s_type->name, "pstore") ||
410                 !strcmp(sb->s_type->name, "debugfs") ||
411                 !strcmp(sb->s_type->name, "rootfs");
412 }
413 
414 static int sb_finish_set_opts(struct super_block *sb)
415 {
416         struct superblock_security_struct *sbsec = sb->s_security;
417         struct dentry *root = sb->s_root;
418         struct inode *root_inode = d_backing_inode(root);
419         int rc = 0;
420 
421         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
422                 /* Make sure that the xattr handler exists and that no
423                    error other than -ENODATA is returned by getxattr on
424                    the root directory.  -ENODATA is ok, as this may be
425                    the first boot of the SELinux kernel before we have
426                    assigned xattr values to the filesystem. */
427                 if (!root_inode->i_op->getxattr) {
428                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
429                                "xattr support\n", sb->s_id, sb->s_type->name);
430                         rc = -EOPNOTSUPP;
431                         goto out;
432                 }
433                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
434                 if (rc < 0 && rc != -ENODATA) {
435                         if (rc == -EOPNOTSUPP)
436                                 printk(KERN_WARNING "SELinux: (dev %s, type "
437                                        "%s) has no security xattr handler\n",
438                                        sb->s_id, sb->s_type->name);
439                         else
440                                 printk(KERN_WARNING "SELinux: (dev %s, type "
441                                        "%s) getxattr errno %d\n", sb->s_id,
442                                        sb->s_type->name, -rc);
443                         goto out;
444                 }
445         }
446 
447         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
448                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
449                        sb->s_id, sb->s_type->name);
450 
451         sbsec->flags |= SE_SBINITIALIZED;
452         if (selinux_is_sblabel_mnt(sb))
453                 sbsec->flags |= SBLABEL_MNT;
454 
455         /* Initialize the root inode. */
456         rc = inode_doinit_with_dentry(root_inode, root);
457 
458         /* Initialize any other inodes associated with the superblock, e.g.
459            inodes created prior to initial policy load or inodes created
460            during get_sb by a pseudo filesystem that directly
461            populates itself. */
462         spin_lock(&sbsec->isec_lock);
463 next_inode:
464         if (!list_empty(&sbsec->isec_head)) {
465                 struct inode_security_struct *isec =
466                                 list_entry(sbsec->isec_head.next,
467                                            struct inode_security_struct, list);
468                 struct inode *inode = isec->inode;
469                 list_del_init(&isec->list);
470                 spin_unlock(&sbsec->isec_lock);
471                 inode = igrab(inode);
472                 if (inode) {
473                         if (!IS_PRIVATE(inode))
474                                 inode_doinit(inode);
475                         iput(inode);
476                 }
477                 spin_lock(&sbsec->isec_lock);
478                 goto next_inode;
479         }
480         spin_unlock(&sbsec->isec_lock);
481 out:
482         return rc;
483 }
484 
485 /*
486  * This function should allow an FS to ask what it's mount security
487  * options were so it can use those later for submounts, displaying
488  * mount options, or whatever.
489  */
490 static int selinux_get_mnt_opts(const struct super_block *sb,
491                                 struct security_mnt_opts *opts)
492 {
493         int rc = 0, i;
494         struct superblock_security_struct *sbsec = sb->s_security;
495         char *context = NULL;
496         u32 len;
497         char tmp;
498 
499         security_init_mnt_opts(opts);
500 
501         if (!(sbsec->flags & SE_SBINITIALIZED))
502                 return -EINVAL;
503 
504         if (!ss_initialized)
505                 return -EINVAL;
506 
507         /* make sure we always check enough bits to cover the mask */
508         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
509 
510         tmp = sbsec->flags & SE_MNTMASK;
511         /* count the number of mount options for this sb */
512         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
513                 if (tmp & 0x01)
514                         opts->num_mnt_opts++;
515                 tmp >>= 1;
516         }
517         /* Check if the Label support flag is set */
518         if (sbsec->flags & SBLABEL_MNT)
519                 opts->num_mnt_opts++;
520 
521         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
522         if (!opts->mnt_opts) {
523                 rc = -ENOMEM;
524                 goto out_free;
525         }
526 
527         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
528         if (!opts->mnt_opts_flags) {
529                 rc = -ENOMEM;
530                 goto out_free;
531         }
532 
533         i = 0;
534         if (sbsec->flags & FSCONTEXT_MNT) {
535                 rc = security_sid_to_context(sbsec->sid, &context, &len);
536                 if (rc)
537                         goto out_free;
538                 opts->mnt_opts[i] = context;
539                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
540         }
541         if (sbsec->flags & CONTEXT_MNT) {
542                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
543                 if (rc)
544                         goto out_free;
545                 opts->mnt_opts[i] = context;
546                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
547         }
548         if (sbsec->flags & DEFCONTEXT_MNT) {
549                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
550                 if (rc)
551                         goto out_free;
552                 opts->mnt_opts[i] = context;
553                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
554         }
555         if (sbsec->flags & ROOTCONTEXT_MNT) {
556                 struct inode *root = d_backing_inode(sbsec->sb->s_root);
557                 struct inode_security_struct *isec = root->i_security;
558 
559                 rc = security_sid_to_context(isec->sid, &context, &len);
560                 if (rc)
561                         goto out_free;
562                 opts->mnt_opts[i] = context;
563                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
564         }
565         if (sbsec->flags & SBLABEL_MNT) {
566                 opts->mnt_opts[i] = NULL;
567                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
568         }
569 
570         BUG_ON(i != opts->num_mnt_opts);
571 
572         return 0;
573 
574 out_free:
575         security_free_mnt_opts(opts);
576         return rc;
577 }
578 
579 static int bad_option(struct superblock_security_struct *sbsec, char flag,
580                       u32 old_sid, u32 new_sid)
581 {
582         char mnt_flags = sbsec->flags & SE_MNTMASK;
583 
584         /* check if the old mount command had the same options */
585         if (sbsec->flags & SE_SBINITIALIZED)
586                 if (!(sbsec->flags & flag) ||
587                     (old_sid != new_sid))
588                         return 1;
589 
590         /* check if we were passed the same options twice,
591          * aka someone passed context=a,context=b
592          */
593         if (!(sbsec->flags & SE_SBINITIALIZED))
594                 if (mnt_flags & flag)
595                         return 1;
596         return 0;
597 }
598 
599 /*
600  * Allow filesystems with binary mount data to explicitly set mount point
601  * labeling information.
602  */
603 static int selinux_set_mnt_opts(struct super_block *sb,
604                                 struct security_mnt_opts *opts,
605                                 unsigned long kern_flags,
606                                 unsigned long *set_kern_flags)
607 {
608         const struct cred *cred = current_cred();
609         int rc = 0, i;
610         struct superblock_security_struct *sbsec = sb->s_security;
611         const char *name = sb->s_type->name;
612         struct inode *inode = d_backing_inode(sbsec->sb->s_root);
613         struct inode_security_struct *root_isec = inode->i_security;
614         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
615         u32 defcontext_sid = 0;
616         char **mount_options = opts->mnt_opts;
617         int *flags = opts->mnt_opts_flags;
618         int num_opts = opts->num_mnt_opts;
619 
620         mutex_lock(&sbsec->lock);
621 
622         if (!ss_initialized) {
623                 if (!num_opts) {
624                         /* Defer initialization until selinux_complete_init,
625                            after the initial policy is loaded and the security
626                            server is ready to handle calls. */
627                         goto out;
628                 }
629                 rc = -EINVAL;
630                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
631                         "before the security server is initialized\n");
632                 goto out;
633         }
634         if (kern_flags && !set_kern_flags) {
635                 /* Specifying internal flags without providing a place to
636                  * place the results is not allowed */
637                 rc = -EINVAL;
638                 goto out;
639         }
640 
641         /*
642          * Binary mount data FS will come through this function twice.  Once
643          * from an explicit call and once from the generic calls from the vfs.
644          * Since the generic VFS calls will not contain any security mount data
645          * we need to skip the double mount verification.
646          *
647          * This does open a hole in which we will not notice if the first
648          * mount using this sb set explict options and a second mount using
649          * this sb does not set any security options.  (The first options
650          * will be used for both mounts)
651          */
652         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
653             && (num_opts == 0))
654                 goto out;
655 
656         /*
657          * parse the mount options, check if they are valid sids.
658          * also check if someone is trying to mount the same sb more
659          * than once with different security options.
660          */
661         for (i = 0; i < num_opts; i++) {
662                 u32 sid;
663 
664                 if (flags[i] == SBLABEL_MNT)
665                         continue;
666                 rc = security_context_to_sid(mount_options[i],
667                                              strlen(mount_options[i]), &sid, GFP_KERNEL);
668                 if (rc) {
669                         printk(KERN_WARNING "SELinux: security_context_to_sid"
670                                "(%s) failed for (dev %s, type %s) errno=%d\n",
671                                mount_options[i], sb->s_id, name, rc);
672                         goto out;
673                 }
674                 switch (flags[i]) {
675                 case FSCONTEXT_MNT:
676                         fscontext_sid = sid;
677 
678                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
679                                         fscontext_sid))
680                                 goto out_double_mount;
681 
682                         sbsec->flags |= FSCONTEXT_MNT;
683                         break;
684                 case CONTEXT_MNT:
685                         context_sid = sid;
686 
687                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
688                                         context_sid))
689                                 goto out_double_mount;
690 
691                         sbsec->flags |= CONTEXT_MNT;
692                         break;
693                 case ROOTCONTEXT_MNT:
694                         rootcontext_sid = sid;
695 
696                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
697                                         rootcontext_sid))
698                                 goto out_double_mount;
699 
700                         sbsec->flags |= ROOTCONTEXT_MNT;
701 
702                         break;
703                 case DEFCONTEXT_MNT:
704                         defcontext_sid = sid;
705 
706                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
707                                         defcontext_sid))
708                                 goto out_double_mount;
709 
710                         sbsec->flags |= DEFCONTEXT_MNT;
711 
712                         break;
713                 default:
714                         rc = -EINVAL;
715                         goto out;
716                 }
717         }
718 
719         if (sbsec->flags & SE_SBINITIALIZED) {
720                 /* previously mounted with options, but not on this attempt? */
721                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
722                         goto out_double_mount;
723                 rc = 0;
724                 goto out;
725         }
726 
727         if (strcmp(sb->s_type->name, "proc") == 0)
728                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
729 
730         if (!strcmp(sb->s_type->name, "debugfs") ||
731             !strcmp(sb->s_type->name, "sysfs") ||
732             !strcmp(sb->s_type->name, "pstore"))
733                 sbsec->flags |= SE_SBGENFS;
734 
735         if (!sbsec->behavior) {
736                 /*
737                  * Determine the labeling behavior to use for this
738                  * filesystem type.
739                  */
740                 rc = security_fs_use(sb);
741                 if (rc) {
742                         printk(KERN_WARNING
743                                 "%s: security_fs_use(%s) returned %d\n",
744                                         __func__, sb->s_type->name, rc);
745                         goto out;
746                 }
747         }
748         /* sets the context of the superblock for the fs being mounted. */
749         if (fscontext_sid) {
750                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
751                 if (rc)
752                         goto out;
753 
754                 sbsec->sid = fscontext_sid;
755         }
756 
757         /*
758          * Switch to using mount point labeling behavior.
759          * sets the label used on all file below the mountpoint, and will set
760          * the superblock context if not already set.
761          */
762         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
763                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
764                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
765         }
766 
767         if (context_sid) {
768                 if (!fscontext_sid) {
769                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
770                                                           cred);
771                         if (rc)
772                                 goto out;
773                         sbsec->sid = context_sid;
774                 } else {
775                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
776                                                              cred);
777                         if (rc)
778                                 goto out;
779                 }
780                 if (!rootcontext_sid)
781                         rootcontext_sid = context_sid;
782 
783                 sbsec->mntpoint_sid = context_sid;
784                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
785         }
786 
787         if (rootcontext_sid) {
788                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
789                                                      cred);
790                 if (rc)
791                         goto out;
792 
793                 root_isec->sid = rootcontext_sid;
794                 root_isec->initialized = 1;
795         }
796 
797         if (defcontext_sid) {
798                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
799                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
800                         rc = -EINVAL;
801                         printk(KERN_WARNING "SELinux: defcontext option is "
802                                "invalid for this filesystem type\n");
803                         goto out;
804                 }
805 
806                 if (defcontext_sid != sbsec->def_sid) {
807                         rc = may_context_mount_inode_relabel(defcontext_sid,
808                                                              sbsec, cred);
809                         if (rc)
810                                 goto out;
811                 }
812 
813                 sbsec->def_sid = defcontext_sid;
814         }
815 
816         rc = sb_finish_set_opts(sb);
817 out:
818         mutex_unlock(&sbsec->lock);
819         return rc;
820 out_double_mount:
821         rc = -EINVAL;
822         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
823                "security settings for (dev %s, type %s)\n", sb->s_id, name);
824         goto out;
825 }
826 
827 static int selinux_cmp_sb_context(const struct super_block *oldsb,
828                                     const struct super_block *newsb)
829 {
830         struct superblock_security_struct *old = oldsb->s_security;
831         struct superblock_security_struct *new = newsb->s_security;
832         char oldflags = old->flags & SE_MNTMASK;
833         char newflags = new->flags & SE_MNTMASK;
834 
835         if (oldflags != newflags)
836                 goto mismatch;
837         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
838                 goto mismatch;
839         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
840                 goto mismatch;
841         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
842                 goto mismatch;
843         if (oldflags & ROOTCONTEXT_MNT) {
844                 struct inode_security_struct *oldroot = d_backing_inode(oldsb->s_root)->i_security;
845                 struct inode_security_struct *newroot = d_backing_inode(newsb->s_root)->i_security;
846                 if (oldroot->sid != newroot->sid)
847                         goto mismatch;
848         }
849         return 0;
850 mismatch:
851         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
852                             "different security settings for (dev %s, "
853                             "type %s)\n", newsb->s_id, newsb->s_type->name);
854         return -EBUSY;
855 }
856 
857 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
858                                         struct super_block *newsb)
859 {
860         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
861         struct superblock_security_struct *newsbsec = newsb->s_security;
862 
863         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
864         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
865         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
866 
867         /*
868          * if the parent was able to be mounted it clearly had no special lsm
869          * mount options.  thus we can safely deal with this superblock later
870          */
871         if (!ss_initialized)
872                 return 0;
873 
874         /* how can we clone if the old one wasn't set up?? */
875         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
876 
877         /* if fs is reusing a sb, make sure that the contexts match */
878         if (newsbsec->flags & SE_SBINITIALIZED)
879                 return selinux_cmp_sb_context(oldsb, newsb);
880 
881         mutex_lock(&newsbsec->lock);
882 
883         newsbsec->flags = oldsbsec->flags;
884 
885         newsbsec->sid = oldsbsec->sid;
886         newsbsec->def_sid = oldsbsec->def_sid;
887         newsbsec->behavior = oldsbsec->behavior;
888 
889         if (set_context) {
890                 u32 sid = oldsbsec->mntpoint_sid;
891 
892                 if (!set_fscontext)
893                         newsbsec->sid = sid;
894                 if (!set_rootcontext) {
895                         struct inode *newinode = d_backing_inode(newsb->s_root);
896                         struct inode_security_struct *newisec = newinode->i_security;
897                         newisec->sid = sid;
898                 }
899                 newsbsec->mntpoint_sid = sid;
900         }
901         if (set_rootcontext) {
902                 const struct inode *oldinode = d_backing_inode(oldsb->s_root);
903                 const struct inode_security_struct *oldisec = oldinode->i_security;
904                 struct inode *newinode = d_backing_inode(newsb->s_root);
905                 struct inode_security_struct *newisec = newinode->i_security;
906 
907                 newisec->sid = oldisec->sid;
908         }
909 
910         sb_finish_set_opts(newsb);
911         mutex_unlock(&newsbsec->lock);
912         return 0;
913 }
914 
915 static int selinux_parse_opts_str(char *options,
916                                   struct security_mnt_opts *opts)
917 {
918         char *p;
919         char *context = NULL, *defcontext = NULL;
920         char *fscontext = NULL, *rootcontext = NULL;
921         int rc, num_mnt_opts = 0;
922 
923         opts->num_mnt_opts = 0;
924 
925         /* Standard string-based options. */
926         while ((p = strsep(&options, "|")) != NULL) {
927                 int token;
928                 substring_t args[MAX_OPT_ARGS];
929 
930                 if (!*p)
931                         continue;
932 
933                 token = match_token(p, tokens, args);
934 
935                 switch (token) {
936                 case Opt_context:
937                         if (context || defcontext) {
938                                 rc = -EINVAL;
939                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
940                                 goto out_err;
941                         }
942                         context = match_strdup(&args[0]);
943                         if (!context) {
944                                 rc = -ENOMEM;
945                                 goto out_err;
946                         }
947                         break;
948 
949                 case Opt_fscontext:
950                         if (fscontext) {
951                                 rc = -EINVAL;
952                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
953                                 goto out_err;
954                         }
955                         fscontext = match_strdup(&args[0]);
956                         if (!fscontext) {
957                                 rc = -ENOMEM;
958                                 goto out_err;
959                         }
960                         break;
961 
962                 case Opt_rootcontext:
963                         if (rootcontext) {
964                                 rc = -EINVAL;
965                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
966                                 goto out_err;
967                         }
968                         rootcontext = match_strdup(&args[0]);
969                         if (!rootcontext) {
970                                 rc = -ENOMEM;
971                                 goto out_err;
972                         }
973                         break;
974 
975                 case Opt_defcontext:
976                         if (context || defcontext) {
977                                 rc = -EINVAL;
978                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
979                                 goto out_err;
980                         }
981                         defcontext = match_strdup(&args[0]);
982                         if (!defcontext) {
983                                 rc = -ENOMEM;
984                                 goto out_err;
985                         }
986                         break;
987                 case Opt_labelsupport:
988                         break;
989                 default:
990                         rc = -EINVAL;
991                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
992                         goto out_err;
993 
994                 }
995         }
996 
997         rc = -ENOMEM;
998         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
999         if (!opts->mnt_opts)
1000                 goto out_err;
1001 
1002         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1003         if (!opts->mnt_opts_flags) {
1004                 kfree(opts->mnt_opts);
1005                 goto out_err;
1006         }
1007 
1008         if (fscontext) {
1009                 opts->mnt_opts[num_mnt_opts] = fscontext;
1010                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1011         }
1012         if (context) {
1013                 opts->mnt_opts[num_mnt_opts] = context;
1014                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1015         }
1016         if (rootcontext) {
1017                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1018                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1019         }
1020         if (defcontext) {
1021                 opts->mnt_opts[num_mnt_opts] = defcontext;
1022                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1023         }
1024 
1025         opts->num_mnt_opts = num_mnt_opts;
1026         return 0;
1027 
1028 out_err:
1029         kfree(context);
1030         kfree(defcontext);
1031         kfree(fscontext);
1032         kfree(rootcontext);
1033         return rc;
1034 }
1035 /*
1036  * string mount options parsing and call set the sbsec
1037  */
1038 static int superblock_doinit(struct super_block *sb, void *data)
1039 {
1040         int rc = 0;
1041         char *options = data;
1042         struct security_mnt_opts opts;
1043 
1044         security_init_mnt_opts(&opts);
1045 
1046         if (!data)
1047                 goto out;
1048 
1049         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1050 
1051         rc = selinux_parse_opts_str(options, &opts);
1052         if (rc)
1053                 goto out_err;
1054 
1055 out:
1056         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1057 
1058 out_err:
1059         security_free_mnt_opts(&opts);
1060         return rc;
1061 }
1062 
1063 static void selinux_write_opts(struct seq_file *m,
1064                                struct security_mnt_opts *opts)
1065 {
1066         int i;
1067         char *prefix;
1068 
1069         for (i = 0; i < opts->num_mnt_opts; i++) {
1070                 char *has_comma;
1071 
1072                 if (opts->mnt_opts[i])
1073                         has_comma = strchr(opts->mnt_opts[i], ',');
1074                 else
1075                         has_comma = NULL;
1076 
1077                 switch (opts->mnt_opts_flags[i]) {
1078                 case CONTEXT_MNT:
1079                         prefix = CONTEXT_STR;
1080                         break;
1081                 case FSCONTEXT_MNT:
1082                         prefix = FSCONTEXT_STR;
1083                         break;
1084                 case ROOTCONTEXT_MNT:
1085                         prefix = ROOTCONTEXT_STR;
1086                         break;
1087                 case DEFCONTEXT_MNT:
1088                         prefix = DEFCONTEXT_STR;
1089                         break;
1090                 case SBLABEL_MNT:
1091                         seq_putc(m, ',');
1092                         seq_puts(m, LABELSUPP_STR);
1093                         continue;
1094                 default:
1095                         BUG();
1096                         return;
1097                 };
1098                 /* we need a comma before each option */
1099                 seq_putc(m, ',');
1100                 seq_puts(m, prefix);
1101                 if (has_comma)
1102                         seq_putc(m, '\"');
1103                 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1104                 if (has_comma)
1105                         seq_putc(m, '\"');
1106         }
1107 }
1108 
1109 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1110 {
1111         struct security_mnt_opts opts;
1112         int rc;
1113 
1114         rc = selinux_get_mnt_opts(sb, &opts);
1115         if (rc) {
1116                 /* before policy load we may get EINVAL, don't show anything */
1117                 if (rc == -EINVAL)
1118                         rc = 0;
1119                 return rc;
1120         }
1121 
1122         selinux_write_opts(m, &opts);
1123 
1124         security_free_mnt_opts(&opts);
1125 
1126         return rc;
1127 }
1128 
1129 static inline u16 inode_mode_to_security_class(umode_t mode)
1130 {
1131         switch (mode & S_IFMT) {
1132         case S_IFSOCK:
1133                 return SECCLASS_SOCK_FILE;
1134         case S_IFLNK:
1135                 return SECCLASS_LNK_FILE;
1136         case S_IFREG:
1137                 return SECCLASS_FILE;
1138         case S_IFBLK:
1139                 return SECCLASS_BLK_FILE;
1140         case S_IFDIR:
1141                 return SECCLASS_DIR;
1142         case S_IFCHR:
1143                 return SECCLASS_CHR_FILE;
1144         case S_IFIFO:
1145                 return SECCLASS_FIFO_FILE;
1146 
1147         }
1148 
1149         return SECCLASS_FILE;
1150 }
1151 
1152 static inline int default_protocol_stream(int protocol)
1153 {
1154         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1155 }
1156 
1157 static inline int default_protocol_dgram(int protocol)
1158 {
1159         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1160 }
1161 
1162 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1163 {
1164         switch (family) {
1165         case PF_UNIX:
1166                 switch (type) {
1167                 case SOCK_STREAM:
1168                 case SOCK_SEQPACKET:
1169                         return SECCLASS_UNIX_STREAM_SOCKET;
1170                 case SOCK_DGRAM:
1171                         return SECCLASS_UNIX_DGRAM_SOCKET;
1172                 }
1173                 break;
1174         case PF_INET:
1175         case PF_INET6:
1176                 switch (type) {
1177                 case SOCK_STREAM:
1178                         if (default_protocol_stream(protocol))
1179                                 return SECCLASS_TCP_SOCKET;
1180                         else
1181                                 return SECCLASS_RAWIP_SOCKET;
1182                 case SOCK_DGRAM:
1183                         if (default_protocol_dgram(protocol))
1184                                 return SECCLASS_UDP_SOCKET;
1185                         else
1186                                 return SECCLASS_RAWIP_SOCKET;
1187                 case SOCK_DCCP:
1188                         return SECCLASS_DCCP_SOCKET;
1189                 default:
1190                         return SECCLASS_RAWIP_SOCKET;
1191                 }
1192                 break;
1193         case PF_NETLINK:
1194                 switch (protocol) {
1195                 case NETLINK_ROUTE:
1196                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1197                 case NETLINK_SOCK_DIAG:
1198                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1199                 case NETLINK_NFLOG:
1200                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1201                 case NETLINK_XFRM:
1202                         return SECCLASS_NETLINK_XFRM_SOCKET;
1203                 case NETLINK_SELINUX:
1204                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1205                 case NETLINK_ISCSI:
1206                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1207                 case NETLINK_AUDIT:
1208                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1209                 case NETLINK_FIB_LOOKUP:
1210                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1211                 case NETLINK_CONNECTOR:
1212                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1213                 case NETLINK_NETFILTER:
1214                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1215                 case NETLINK_DNRTMSG:
1216                         return SECCLASS_NETLINK_DNRT_SOCKET;
1217                 case NETLINK_KOBJECT_UEVENT:
1218                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1219                 case NETLINK_GENERIC:
1220                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1221                 case NETLINK_SCSITRANSPORT:
1222                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1223                 case NETLINK_RDMA:
1224                         return SECCLASS_NETLINK_RDMA_SOCKET;
1225                 case NETLINK_CRYPTO:
1226                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1227                 default:
1228                         return SECCLASS_NETLINK_SOCKET;
1229                 }
1230         case PF_PACKET:
1231                 return SECCLASS_PACKET_SOCKET;
1232         case PF_KEY:
1233                 return SECCLASS_KEY_SOCKET;
1234         case PF_APPLETALK:
1235                 return SECCLASS_APPLETALK_SOCKET;
1236         }
1237 
1238         return SECCLASS_SOCKET;
1239 }
1240 
1241 static int selinux_genfs_get_sid(struct dentry *dentry,
1242                                  u16 tclass,
1243                                  u16 flags,
1244                                  u32 *sid)
1245 {
1246         int rc;
1247         struct super_block *sb = dentry->d_inode->i_sb;
1248         char *buffer, *path;
1249 
1250         buffer = (char *)__get_free_page(GFP_KERNEL);
1251         if (!buffer)
1252                 return -ENOMEM;
1253 
1254         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1255         if (IS_ERR(path))
1256                 rc = PTR_ERR(path);
1257         else {
1258                 if (flags & SE_SBPROC) {
1259                         /* each process gets a /proc/PID/ entry. Strip off the
1260                          * PID part to get a valid selinux labeling.
1261                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1262                         while (path[1] >= '' && path[1] <= '9') {
1263                                 path[1] = '/';
1264                                 path++;
1265                         }
1266                 }
1267                 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1268         }
1269         free_page((unsigned long)buffer);
1270         return rc;
1271 }
1272 
1273 /* The inode's security attributes must be initialized before first use. */
1274 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1275 {
1276         struct superblock_security_struct *sbsec = NULL;
1277         struct inode_security_struct *isec = inode->i_security;
1278         u32 sid;
1279         struct dentry *dentry;
1280 #define INITCONTEXTLEN 255
1281         char *context = NULL;
1282         unsigned len = 0;
1283         int rc = 0;
1284 
1285         if (isec->initialized)
1286                 goto out;
1287 
1288         mutex_lock(&isec->lock);
1289         if (isec->initialized)
1290                 goto out_unlock;
1291 
1292         sbsec = inode->i_sb->s_security;
1293         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1294                 /* Defer initialization until selinux_complete_init,
1295                    after the initial policy is loaded and the security
1296                    server is ready to handle calls. */
1297                 spin_lock(&sbsec->isec_lock);
1298                 if (list_empty(&isec->list))
1299                         list_add(&isec->list, &sbsec->isec_head);
1300                 spin_unlock(&sbsec->isec_lock);
1301                 goto out_unlock;
1302         }
1303 
1304         switch (sbsec->behavior) {
1305         case SECURITY_FS_USE_NATIVE:
1306                 break;
1307         case SECURITY_FS_USE_XATTR:
1308                 if (!inode->i_op->getxattr) {
1309                         isec->sid = sbsec->def_sid;
1310                         break;
1311                 }
1312 
1313                 /* Need a dentry, since the xattr API requires one.
1314                    Life would be simpler if we could just pass the inode. */
1315                 if (opt_dentry) {
1316                         /* Called from d_instantiate or d_splice_alias. */
1317                         dentry = dget(opt_dentry);
1318                 } else {
1319                         /* Called from selinux_complete_init, try to find a dentry. */
1320                         dentry = d_find_alias(inode);
1321                 }
1322                 if (!dentry) {
1323                         /*
1324                          * this is can be hit on boot when a file is accessed
1325                          * before the policy is loaded.  When we load policy we
1326                          * may find inodes that have no dentry on the
1327                          * sbsec->isec_head list.  No reason to complain as these
1328                          * will get fixed up the next time we go through
1329                          * inode_doinit with a dentry, before these inodes could
1330                          * be used again by userspace.
1331                          */
1332                         goto out_unlock;
1333                 }
1334 
1335                 len = INITCONTEXTLEN;
1336                 context = kmalloc(len+1, GFP_NOFS);
1337                 if (!context) {
1338                         rc = -ENOMEM;
1339                         dput(dentry);
1340                         goto out_unlock;
1341                 }
1342                 context[len] = '\0';
1343                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1344                                            context, len);
1345                 if (rc == -ERANGE) {
1346                         kfree(context);
1347 
1348                         /* Need a larger buffer.  Query for the right size. */
1349                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1350                                                    NULL, 0);
1351                         if (rc < 0) {
1352                                 dput(dentry);
1353                                 goto out_unlock;
1354                         }
1355                         len = rc;
1356                         context = kmalloc(len+1, GFP_NOFS);
1357                         if (!context) {
1358                                 rc = -ENOMEM;
1359                                 dput(dentry);
1360                                 goto out_unlock;
1361                         }
1362                         context[len] = '\0';
1363                         rc = inode->i_op->getxattr(dentry,
1364                                                    XATTR_NAME_SELINUX,
1365                                                    context, len);
1366                 }
1367                 dput(dentry);
1368                 if (rc < 0) {
1369                         if (rc != -ENODATA) {
1370                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1371                                        "%d for dev=%s ino=%ld\n", __func__,
1372                                        -rc, inode->i_sb->s_id, inode->i_ino);
1373                                 kfree(context);
1374                                 goto out_unlock;
1375                         }
1376                         /* Map ENODATA to the default file SID */
1377                         sid = sbsec->def_sid;
1378                         rc = 0;
1379                 } else {
1380                         rc = security_context_to_sid_default(context, rc, &sid,
1381                                                              sbsec->def_sid,
1382                                                              GFP_NOFS);
1383                         if (rc) {
1384                                 char *dev = inode->i_sb->s_id;
1385                                 unsigned long ino = inode->i_ino;
1386 
1387                                 if (rc == -EINVAL) {
1388                                         if (printk_ratelimit())
1389                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1390                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1391                                                         "filesystem in question.\n", ino, dev, context);
1392                                 } else {
1393                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1394                                                "returned %d for dev=%s ino=%ld\n",
1395                                                __func__, context, -rc, dev, ino);
1396                                 }
1397                                 kfree(context);
1398                                 /* Leave with the unlabeled SID */
1399                                 rc = 0;
1400                                 break;
1401                         }
1402                 }
1403                 kfree(context);
1404                 isec->sid = sid;
1405                 break;
1406         case SECURITY_FS_USE_TASK:
1407                 isec->sid = isec->task_sid;
1408                 break;
1409         case SECURITY_FS_USE_TRANS:
1410                 /* Default to the fs SID. */
1411                 isec->sid = sbsec->sid;
1412 
1413                 /* Try to obtain a transition SID. */
1414                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1415                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1416                                              isec->sclass, NULL, &sid);
1417                 if (rc)
1418                         goto out_unlock;
1419                 isec->sid = sid;
1420                 break;
1421         case SECURITY_FS_USE_MNTPOINT:
1422                 isec->sid = sbsec->mntpoint_sid;
1423                 break;
1424         default:
1425                 /* Default to the fs superblock SID. */
1426                 isec->sid = sbsec->sid;
1427 
1428                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1429                         /* We must have a dentry to determine the label on
1430                          * procfs inodes */
1431                         if (opt_dentry)
1432                                 /* Called from d_instantiate or
1433                                  * d_splice_alias. */
1434                                 dentry = dget(opt_dentry);
1435                         else
1436                                 /* Called from selinux_complete_init, try to
1437                                  * find a dentry. */
1438                                 dentry = d_find_alias(inode);
1439                         /*
1440                          * This can be hit on boot when a file is accessed
1441                          * before the policy is loaded.  When we load policy we
1442                          * may find inodes that have no dentry on the
1443                          * sbsec->isec_head list.  No reason to complain as
1444                          * these will get fixed up the next time we go through
1445                          * inode_doinit() with a dentry, before these inodes
1446                          * could be used again by userspace.
1447                          */
1448                         if (!dentry)
1449                                 goto out_unlock;
1450                         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1451                         rc = selinux_genfs_get_sid(dentry, isec->sclass,
1452                                                    sbsec->flags, &sid);
1453                         dput(dentry);
1454                         if (rc)
1455                                 goto out_unlock;
1456                         isec->sid = sid;
1457                 }
1458                 break;
1459         }
1460 
1461         isec->initialized = 1;
1462 
1463 out_unlock:
1464         mutex_unlock(&isec->lock);
1465 out:
1466         if (isec->sclass == SECCLASS_FILE)
1467                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1468         return rc;
1469 }
1470 
1471 /* Convert a Linux signal to an access vector. */
1472 static inline u32 signal_to_av(int sig)
1473 {
1474         u32 perm = 0;
1475 
1476         switch (sig) {
1477         case SIGCHLD:
1478                 /* Commonly granted from child to parent. */
1479                 perm = PROCESS__SIGCHLD;
1480                 break;
1481         case SIGKILL:
1482                 /* Cannot be caught or ignored */
1483                 perm = PROCESS__SIGKILL;
1484                 break;
1485         case SIGSTOP:
1486                 /* Cannot be caught or ignored */
1487                 perm = PROCESS__SIGSTOP;
1488                 break;
1489         default:
1490                 /* All other signals. */
1491                 perm = PROCESS__SIGNAL;
1492                 break;
1493         }
1494 
1495         return perm;
1496 }
1497 
1498 /*
1499  * Check permission between a pair of credentials
1500  * fork check, ptrace check, etc.
1501  */
1502 static int cred_has_perm(const struct cred *actor,
1503                          const struct cred *target,
1504                          u32 perms)
1505 {
1506         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1507 
1508         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1509 }
1510 
1511 /*
1512  * Check permission between a pair of tasks, e.g. signal checks,
1513  * fork check, ptrace check, etc.
1514  * tsk1 is the actor and tsk2 is the target
1515  * - this uses the default subjective creds of tsk1
1516  */
1517 static int task_has_perm(const struct task_struct *tsk1,
1518                          const struct task_struct *tsk2,
1519                          u32 perms)
1520 {
1521         const struct task_security_struct *__tsec1, *__tsec2;
1522         u32 sid1, sid2;
1523 
1524         rcu_read_lock();
1525         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1526         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1527         rcu_read_unlock();
1528         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1529 }
1530 
1531 /*
1532  * Check permission between current and another task, e.g. signal checks,
1533  * fork check, ptrace check, etc.
1534  * current is the actor and tsk2 is the target
1535  * - this uses current's subjective creds
1536  */
1537 static int current_has_perm(const struct task_struct *tsk,
1538                             u32 perms)
1539 {
1540         u32 sid, tsid;
1541 
1542         sid = current_sid();
1543         tsid = task_sid(tsk);
1544         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1545 }
1546 
1547 #if CAP_LAST_CAP > 63
1548 #error Fix SELinux to handle capabilities > 63.
1549 #endif
1550 
1551 /* Check whether a task is allowed to use a capability. */
1552 static int cred_has_capability(const struct cred *cred,
1553                                int cap, int audit)
1554 {
1555         struct common_audit_data ad;
1556         struct av_decision avd;
1557         u16 sclass;
1558         u32 sid = cred_sid(cred);
1559         u32 av = CAP_TO_MASK(cap);
1560         int rc;
1561 
1562         ad.type = LSM_AUDIT_DATA_CAP;
1563         ad.u.cap = cap;
1564 
1565         switch (CAP_TO_INDEX(cap)) {
1566         case 0:
1567                 sclass = SECCLASS_CAPABILITY;
1568                 break;
1569         case 1:
1570                 sclass = SECCLASS_CAPABILITY2;
1571                 break;
1572         default:
1573                 printk(KERN_ERR
1574                        "SELinux:  out of range capability %d\n", cap);
1575                 BUG();
1576                 return -EINVAL;
1577         }
1578 
1579         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1580         if (audit == SECURITY_CAP_AUDIT) {
1581                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1582                 if (rc2)
1583                         return rc2;
1584         }
1585         return rc;
1586 }
1587 
1588 /* Check whether a task is allowed to use a system operation. */
1589 static int task_has_system(struct task_struct *tsk,
1590                            u32 perms)
1591 {
1592         u32 sid = task_sid(tsk);
1593 
1594         return avc_has_perm(sid, SECINITSID_KERNEL,
1595                             SECCLASS_SYSTEM, perms, NULL);
1596 }
1597 
1598 /* Check whether a task has a particular permission to an inode.
1599    The 'adp' parameter is optional and allows other audit
1600    data to be passed (e.g. the dentry). */
1601 static int inode_has_perm(const struct cred *cred,
1602                           struct inode *inode,
1603                           u32 perms,
1604                           struct common_audit_data *adp)
1605 {
1606         struct inode_security_struct *isec;
1607         u32 sid;
1608 
1609         validate_creds(cred);
1610 
1611         if (unlikely(IS_PRIVATE(inode)))
1612                 return 0;
1613 
1614         sid = cred_sid(cred);
1615         isec = inode->i_security;
1616 
1617         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1618 }
1619 
1620 /* Same as inode_has_perm, but pass explicit audit data containing
1621    the dentry to help the auditing code to more easily generate the
1622    pathname if needed. */
1623 static inline int dentry_has_perm(const struct cred *cred,
1624                                   struct dentry *dentry,
1625                                   u32 av)
1626 {
1627         struct inode *inode = d_backing_inode(dentry);
1628         struct common_audit_data ad;
1629 
1630         ad.type = LSM_AUDIT_DATA_DENTRY;
1631         ad.u.dentry = dentry;
1632         return inode_has_perm(cred, inode, av, &ad);
1633 }
1634 
1635 /* Same as inode_has_perm, but pass explicit audit data containing
1636    the path to help the auditing code to more easily generate the
1637    pathname if needed. */
1638 static inline int path_has_perm(const struct cred *cred,
1639                                 const struct path *path,
1640                                 u32 av)
1641 {
1642         struct inode *inode = d_backing_inode(path->dentry);
1643         struct common_audit_data ad;
1644 
1645         ad.type = LSM_AUDIT_DATA_PATH;
1646         ad.u.path = *path;
1647         return inode_has_perm(cred, inode, av, &ad);
1648 }
1649 
1650 /* Same as path_has_perm, but uses the inode from the file struct. */
1651 static inline int file_path_has_perm(const struct cred *cred,
1652                                      struct file *file,
1653                                      u32 av)
1654 {
1655         struct common_audit_data ad;
1656 
1657         ad.type = LSM_AUDIT_DATA_PATH;
1658         ad.u.path = file->f_path;
1659         return inode_has_perm(cred, file_inode(file), av, &ad);
1660 }
1661 
1662 /* Check whether a task can use an open file descriptor to
1663    access an inode in a given way.  Check access to the
1664    descriptor itself, and then use dentry_has_perm to
1665    check a particular permission to the file.
1666    Access to the descriptor is implicitly granted if it
1667    has the same SID as the process.  If av is zero, then
1668    access to the file is not checked, e.g. for cases
1669    where only the descriptor is affected like seek. */
1670 static int file_has_perm(const struct cred *cred,
1671                          struct file *file,
1672                          u32 av)
1673 {
1674         struct file_security_struct *fsec = file->f_security;
1675         struct inode *inode = file_inode(file);
1676         struct common_audit_data ad;
1677         u32 sid = cred_sid(cred);
1678         int rc;
1679 
1680         ad.type = LSM_AUDIT_DATA_PATH;
1681         ad.u.path = file->f_path;
1682 
1683         if (sid != fsec->sid) {
1684                 rc = avc_has_perm(sid, fsec->sid,
1685                                   SECCLASS_FD,
1686                                   FD__USE,
1687                                   &ad);
1688                 if (rc)
1689                         goto out;
1690         }
1691 
1692         /* av is zero if only checking access to the descriptor. */
1693         rc = 0;
1694         if (av)
1695                 rc = inode_has_perm(cred, inode, av, &ad);
1696 
1697 out:
1698         return rc;
1699 }
1700 
1701 /* Check whether a task can create a file. */
1702 static int may_create(struct inode *dir,
1703                       struct dentry *dentry,
1704                       u16 tclass)
1705 {
1706         const struct task_security_struct *tsec = current_security();
1707         struct inode_security_struct *dsec;
1708         struct superblock_security_struct *sbsec;
1709         u32 sid, newsid;
1710         struct common_audit_data ad;
1711         int rc;
1712 
1713         dsec = dir->i_security;
1714         sbsec = dir->i_sb->s_security;
1715 
1716         sid = tsec->sid;
1717         newsid = tsec->create_sid;
1718 
1719         ad.type = LSM_AUDIT_DATA_DENTRY;
1720         ad.u.dentry = dentry;
1721 
1722         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1723                           DIR__ADD_NAME | DIR__SEARCH,
1724                           &ad);
1725         if (rc)
1726                 return rc;
1727 
1728         if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1729                 rc = security_transition_sid(sid, dsec->sid, tclass,
1730                                              &dentry->d_name, &newsid);
1731                 if (rc)
1732                         return rc;
1733         }
1734 
1735         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1736         if (rc)
1737                 return rc;
1738 
1739         return avc_has_perm(newsid, sbsec->sid,
1740                             SECCLASS_FILESYSTEM,
1741                             FILESYSTEM__ASSOCIATE, &ad);
1742 }
1743 
1744 /* Check whether a task can create a key. */
1745 static int may_create_key(u32 ksid,
1746                           struct task_struct *ctx)
1747 {
1748         u32 sid = task_sid(ctx);
1749 
1750         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1751 }
1752 
1753 #define MAY_LINK        0
1754 #define MAY_UNLINK      1
1755 #define MAY_RMDIR       2
1756 
1757 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1758 static int may_link(struct inode *dir,
1759                     struct dentry *dentry,
1760                     int kind)
1761 
1762 {
1763         struct inode_security_struct *dsec, *isec;
1764         struct common_audit_data ad;
1765         u32 sid = current_sid();
1766         u32 av;
1767         int rc;
1768 
1769         dsec = dir->i_security;
1770         isec = d_backing_inode(dentry)->i_security;
1771 
1772         ad.type = LSM_AUDIT_DATA_DENTRY;
1773         ad.u.dentry = dentry;
1774 
1775         av = DIR__SEARCH;
1776         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1777         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1778         if (rc)
1779                 return rc;
1780 
1781         switch (kind) {
1782         case MAY_LINK:
1783                 av = FILE__LINK;
1784                 break;
1785         case MAY_UNLINK:
1786                 av = FILE__UNLINK;
1787                 break;
1788         case MAY_RMDIR:
1789                 av = DIR__RMDIR;
1790                 break;
1791         default:
1792                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1793                         __func__, kind);
1794                 return 0;
1795         }
1796 
1797         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1798         return rc;
1799 }
1800 
1801 static inline int may_rename(struct inode *old_dir,
1802                              struct dentry *old_dentry,
1803                              struct inode *new_dir,
1804                              struct dentry *new_dentry)
1805 {
1806         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1807         struct common_audit_data ad;
1808         u32 sid = current_sid();
1809         u32 av;
1810         int old_is_dir, new_is_dir;
1811         int rc;
1812 
1813         old_dsec = old_dir->i_security;
1814         old_isec = d_backing_inode(old_dentry)->i_security;
1815         old_is_dir = d_is_dir(old_dentry);
1816         new_dsec = new_dir->i_security;
1817 
1818         ad.type = LSM_AUDIT_DATA_DENTRY;
1819 
1820         ad.u.dentry = old_dentry;
1821         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1822                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1823         if (rc)
1824                 return rc;
1825         rc = avc_has_perm(sid, old_isec->sid,
1826                           old_isec->sclass, FILE__RENAME, &ad);
1827         if (rc)
1828                 return rc;
1829         if (old_is_dir && new_dir != old_dir) {
1830                 rc = avc_has_perm(sid, old_isec->sid,
1831                                   old_isec->sclass, DIR__REPARENT, &ad);
1832                 if (rc)
1833                         return rc;
1834         }
1835 
1836         ad.u.dentry = new_dentry;
1837         av = DIR__ADD_NAME | DIR__SEARCH;
1838         if (d_is_positive(new_dentry))
1839                 av |= DIR__REMOVE_NAME;
1840         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1841         if (rc)
1842                 return rc;
1843         if (d_is_positive(new_dentry)) {
1844                 new_isec = d_backing_inode(new_dentry)->i_security;
1845                 new_is_dir = d_is_dir(new_dentry);
1846                 rc = avc_has_perm(sid, new_isec->sid,
1847                                   new_isec->sclass,
1848                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1849                 if (rc)
1850                         return rc;
1851         }
1852 
1853         return 0;
1854 }
1855 
1856 /* Check whether a task can perform a filesystem operation. */
1857 static int superblock_has_perm(const struct cred *cred,
1858                                struct super_block *sb,
1859                                u32 perms,
1860                                struct common_audit_data *ad)
1861 {
1862         struct superblock_security_struct *sbsec;
1863         u32 sid = cred_sid(cred);
1864 
1865         sbsec = sb->s_security;
1866         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1867 }
1868 
1869 /* Convert a Linux mode and permission mask to an access vector. */
1870 static inline u32 file_mask_to_av(int mode, int mask)
1871 {
1872         u32 av = 0;
1873 
1874         if (!S_ISDIR(mode)) {
1875                 if (mask & MAY_EXEC)
1876                         av |= FILE__EXECUTE;
1877                 if (mask & MAY_READ)
1878                         av |= FILE__READ;
1879 
1880                 if (mask & MAY_APPEND)
1881                         av |= FILE__APPEND;
1882                 else if (mask & MAY_WRITE)
1883                         av |= FILE__WRITE;
1884 
1885         } else {
1886                 if (mask & MAY_EXEC)
1887                         av |= DIR__SEARCH;
1888                 if (mask & MAY_WRITE)
1889                         av |= DIR__WRITE;
1890                 if (mask & MAY_READ)
1891                         av |= DIR__READ;
1892         }
1893 
1894         return av;
1895 }
1896 
1897 /* Convert a Linux file to an access vector. */
1898 static inline u32 file_to_av(struct file *file)
1899 {
1900         u32 av = 0;
1901 
1902         if (file->f_mode & FMODE_READ)
1903                 av |= FILE__READ;
1904         if (file->f_mode & FMODE_WRITE) {
1905                 if (file->f_flags & O_APPEND)
1906                         av |= FILE__APPEND;
1907                 else
1908                         av |= FILE__WRITE;
1909         }
1910         if (!av) {
1911                 /*
1912                  * Special file opened with flags 3 for ioctl-only use.
1913                  */
1914                 av = FILE__IOCTL;
1915         }
1916 
1917         return av;
1918 }
1919 
1920 /*
1921  * Convert a file to an access vector and include the correct open
1922  * open permission.
1923  */
1924 static inline u32 open_file_to_av(struct file *file)
1925 {
1926         u32 av = file_to_av(file);
1927 
1928         if (selinux_policycap_openperm)
1929                 av |= FILE__OPEN;
1930 
1931         return av;
1932 }
1933 
1934 /* Hook functions begin here. */
1935 
1936 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1937 {
1938         u32 mysid = current_sid();
1939         u32 mgrsid = task_sid(mgr);
1940 
1941         return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
1942                             BINDER__SET_CONTEXT_MGR, NULL);
1943 }
1944 
1945 static int selinux_binder_transaction(struct task_struct *from,
1946                                       struct task_struct *to)
1947 {
1948         u32 mysid = current_sid();
1949         u32 fromsid = task_sid(from);
1950         u32 tosid = task_sid(to);
1951         int rc;
1952 
1953         if (mysid != fromsid) {
1954                 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1955                                   BINDER__IMPERSONATE, NULL);
1956                 if (rc)
1957                         return rc;
1958         }
1959 
1960         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
1961                             NULL);
1962 }
1963 
1964 static int selinux_binder_transfer_binder(struct task_struct *from,
1965                                           struct task_struct *to)
1966 {
1967         u32 fromsid = task_sid(from);
1968         u32 tosid = task_sid(to);
1969 
1970         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
1971                             NULL);
1972 }
1973 
1974 static int selinux_binder_transfer_file(struct task_struct *from,
1975                                         struct task_struct *to,
1976                                         struct file *file)
1977 {
1978         u32 sid = task_sid(to);
1979         struct file_security_struct *fsec = file->f_security;
1980         struct inode *inode = d_backing_inode(file->f_path.dentry);
1981         struct inode_security_struct *isec = inode->i_security;
1982         struct common_audit_data ad;
1983         int rc;
1984 
1985         ad.type = LSM_AUDIT_DATA_PATH;
1986         ad.u.path = file->f_path;
1987 
1988         if (sid != fsec->sid) {
1989                 rc = avc_has_perm(sid, fsec->sid,
1990                                   SECCLASS_FD,
1991                                   FD__USE,
1992                                   &ad);
1993                 if (rc)
1994                         return rc;
1995         }
1996 
1997         if (unlikely(IS_PRIVATE(inode)))
1998                 return 0;
1999 
2000         return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2001                             &ad);
2002 }
2003 
2004 static int selinux_ptrace_access_check(struct task_struct *child,
2005                                      unsigned int mode)
2006 {
2007         if (mode & PTRACE_MODE_READ) {
2008                 u32 sid = current_sid();
2009                 u32 csid = task_sid(child);
2010                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2011         }
2012 
2013         return current_has_perm(child, PROCESS__PTRACE);
2014 }
2015 
2016 static int selinux_ptrace_traceme(struct task_struct *parent)
2017 {
2018         return task_has_perm(parent, current, PROCESS__PTRACE);
2019 }
2020 
2021 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2022                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2023 {
2024         return current_has_perm(target, PROCESS__GETCAP);
2025 }
2026 
2027 static int selinux_capset(struct cred *new, const struct cred *old,
2028                           const kernel_cap_t *effective,
2029                           const kernel_cap_t *inheritable,
2030                           const kernel_cap_t *permitted)
2031 {
2032         return cred_has_perm(old, new, PROCESS__SETCAP);
2033 }
2034 
2035 /*
2036  * (This comment used to live with the selinux_task_setuid hook,
2037  * which was removed).
2038  *
2039  * Since setuid only affects the current process, and since the SELinux
2040  * controls are not based on the Linux identity attributes, SELinux does not
2041  * need to control this operation.  However, SELinux does control the use of
2042  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2043  */
2044 
2045 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2046                            int cap, int audit)
2047 {
2048         return cred_has_capability(cred, cap, audit);
2049 }
2050 
2051 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2052 {
2053         const struct cred *cred = current_cred();
2054         int rc = 0;
2055 
2056         if (!sb)
2057                 return 0;
2058 
2059         switch (cmds) {
2060         case Q_SYNC:
2061         case Q_QUOTAON:
2062         case Q_QUOTAOFF:
2063         case Q_SETINFO:
2064         case Q_SETQUOTA:
2065                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2066                 break;
2067         case Q_GETFMT:
2068         case Q_GETINFO:
2069         case Q_GETQUOTA:
2070                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2071                 break;
2072         default:
2073                 rc = 0;  /* let the kernel handle invalid cmds */
2074                 break;
2075         }
2076         return rc;
2077 }
2078 
2079 static int selinux_quota_on(struct dentry *dentry)
2080 {
2081         const struct cred *cred = current_cred();
2082 
2083         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2084 }
2085 
2086 static int selinux_syslog(int type)
2087 {
2088         int rc;
2089 
2090         switch (type) {
2091         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2092         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2093                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2094                 break;
2095         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2096         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2097         /* Set level of messages printed to console */
2098         case SYSLOG_ACTION_CONSOLE_LEVEL:
2099                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2100                 break;
2101         case SYSLOG_ACTION_CLOSE:       /* Close log */
2102         case SYSLOG_ACTION_OPEN:        /* Open log */
2103         case SYSLOG_ACTION_READ:        /* Read from log */
2104         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
2105         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
2106         default:
2107                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2108                 break;
2109         }
2110         return rc;
2111 }
2112 
2113 /*
2114  * Check that a process has enough memory to allocate a new virtual
2115  * mapping. 0 means there is enough memory for the allocation to
2116  * succeed and -ENOMEM implies there is not.
2117  *
2118  * Do not audit the selinux permission check, as this is applied to all
2119  * processes that allocate mappings.
2120  */
2121 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2122 {
2123         int rc, cap_sys_admin = 0;
2124 
2125         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2126                                         SECURITY_CAP_NOAUDIT);
2127         if (rc == 0)
2128                 cap_sys_admin = 1;
2129 
2130         return cap_sys_admin;
2131 }
2132 
2133 /* binprm security operations */
2134 
2135 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2136                             const struct task_security_struct *old_tsec,
2137                             const struct task_security_struct *new_tsec)
2138 {
2139         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2140         int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2141         int rc;
2142 
2143         if (!nnp && !nosuid)
2144                 return 0; /* neither NNP nor nosuid */
2145 
2146         if (new_tsec->sid == old_tsec->sid)
2147                 return 0; /* No change in credentials */
2148 
2149         /*
2150          * The only transitions we permit under NNP or nosuid
2151          * are transitions to bounded SIDs, i.e. SIDs that are
2152          * guaranteed to only be allowed a subset of the permissions
2153          * of the current SID.
2154          */
2155         rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2156         if (rc) {
2157                 /*
2158                  * On failure, preserve the errno values for NNP vs nosuid.
2159                  * NNP:  Operation not permitted for caller.
2160                  * nosuid:  Permission denied to file.
2161                  */
2162                 if (nnp)
2163                         return -EPERM;
2164                 else
2165                         return -EACCES;
2166         }
2167         return 0;
2168 }
2169 
2170 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2171 {
2172         const struct task_security_struct *old_tsec;
2173         struct task_security_struct *new_tsec;
2174         struct inode_security_struct *isec;
2175         struct common_audit_data ad;
2176         struct inode *inode = file_inode(bprm->file);
2177         int rc;
2178 
2179         /* SELinux context only depends on initial program or script and not
2180          * the script interpreter */
2181         if (bprm->cred_prepared)
2182                 return 0;
2183 
2184         old_tsec = current_security();
2185         new_tsec = bprm->cred->security;
2186         isec = inode->i_security;
2187 
2188         /* Default to the current task SID. */
2189         new_tsec->sid = old_tsec->sid;
2190         new_tsec->osid = old_tsec->sid;
2191 
2192         /* Reset fs, key, and sock SIDs on execve. */
2193         new_tsec->create_sid = 0;
2194         new_tsec->keycreate_sid = 0;
2195         new_tsec->sockcreate_sid = 0;
2196 
2197         if (old_tsec->exec_sid) {
2198                 new_tsec->sid = old_tsec->exec_sid;
2199                 /* Reset exec SID on execve. */
2200                 new_tsec->exec_sid = 0;
2201 
2202                 /* Fail on NNP or nosuid if not an allowed transition. */
2203                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2204                 if (rc)
2205                         return rc;
2206         } else {
2207                 /* Check for a default transition on this program. */
2208                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2209                                              SECCLASS_PROCESS, NULL,
2210                                              &new_tsec->sid);
2211                 if (rc)
2212                         return rc;
2213 
2214                 /*
2215                  * Fallback to old SID on NNP or nosuid if not an allowed
2216                  * transition.
2217                  */
2218                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2219                 if (rc)
2220                         new_tsec->sid = old_tsec->sid;
2221         }
2222 
2223         ad.type = LSM_AUDIT_DATA_PATH;
2224         ad.u.path = bprm->file->f_path;
2225 
2226         if (new_tsec->sid == old_tsec->sid) {
2227                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2228                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2229                 if (rc)
2230                         return rc;
2231         } else {
2232                 /* Check permissions for the transition. */
2233                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2234                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2235                 if (rc)
2236                         return rc;
2237 
2238                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2239                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2240                 if (rc)
2241                         return rc;
2242 
2243                 /* Check for shared state */
2244                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2245                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2246                                           SECCLASS_PROCESS, PROCESS__SHARE,
2247                                           NULL);
2248                         if (rc)
2249                                 return -EPERM;
2250                 }
2251 
2252                 /* Make sure that anyone attempting to ptrace over a task that
2253                  * changes its SID has the appropriate permit */
2254                 if (bprm->unsafe &
2255                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2256                         struct task_struct *tracer;
2257                         struct task_security_struct *sec;
2258                         u32 ptsid = 0;
2259 
2260                         rcu_read_lock();
2261                         tracer = ptrace_parent(current);
2262                         if (likely(tracer != NULL)) {
2263                                 sec = __task_cred(tracer)->security;
2264                                 ptsid = sec->sid;
2265                         }
2266                         rcu_read_unlock();
2267 
2268                         if (ptsid != 0) {
2269                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2270                                                   SECCLASS_PROCESS,
2271                                                   PROCESS__PTRACE, NULL);
2272                                 if (rc)
2273                                         return -EPERM;
2274                         }
2275                 }
2276 
2277                 /* Clear any possibly unsafe personality bits on exec: */
2278                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2279         }
2280 
2281         return 0;
2282 }
2283 
2284 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2285 {
2286         const struct task_security_struct *tsec = current_security();
2287         u32 sid, osid;
2288         int atsecure = 0;
2289 
2290         sid = tsec->sid;
2291         osid = tsec->osid;
2292 
2293         if (osid != sid) {
2294                 /* Enable secure mode for SIDs transitions unless
2295                    the noatsecure permission is granted between
2296                    the two SIDs, i.e. ahp returns 0. */
2297                 atsecure = avc_has_perm(osid, sid,
2298                                         SECCLASS_PROCESS,
2299                                         PROCESS__NOATSECURE, NULL);
2300         }
2301 
2302         return !!atsecure;
2303 }
2304 
2305 static int match_file(const void *p, struct file *file, unsigned fd)
2306 {
2307         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2308 }
2309 
2310 /* Derived from fs/exec.c:flush_old_files. */
2311 static inline void flush_unauthorized_files(const struct cred *cred,
2312                                             struct files_struct *files)
2313 {
2314         struct file *file, *devnull = NULL;
2315         struct tty_struct *tty;
2316         int drop_tty = 0;
2317         unsigned n;
2318 
2319         tty = get_current_tty();
2320         if (tty) {
2321                 spin_lock(&tty_files_lock);
2322                 if (!list_empty(&tty->tty_files)) {
2323                         struct tty_file_private *file_priv;
2324 
2325                         /* Revalidate access to controlling tty.
2326                            Use file_path_has_perm on the tty path directly
2327                            rather than using file_has_perm, as this particular
2328                            open file may belong to another process and we are
2329                            only interested in the inode-based check here. */
2330                         file_priv = list_first_entry(&tty->tty_files,
2331                                                 struct tty_file_private, list);
2332                         file = file_priv->file;
2333                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2334                                 drop_tty = 1;
2335                 }
2336                 spin_unlock(&tty_files_lock);
2337                 tty_kref_put(tty);
2338         }
2339         /* Reset controlling tty. */
2340         if (drop_tty)
2341                 no_tty();
2342 
2343         /* Revalidate access to inherited open files. */
2344         n = iterate_fd(files, 0, match_file, cred);
2345         if (!n) /* none found? */
2346                 return;
2347 
2348         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2349         if (IS_ERR(devnull))
2350                 devnull = NULL;
2351         /* replace all the matching ones with this */
2352         do {
2353                 replace_fd(n - 1, devnull, 0);
2354         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2355         if (devnull)
2356                 fput(devnull);
2357 }
2358 
2359 /*
2360  * Prepare a process for imminent new credential changes due to exec
2361  */
2362 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2363 {
2364         struct task_security_struct *new_tsec;
2365         struct rlimit *rlim, *initrlim;
2366         int rc, i;
2367 
2368         new_tsec = bprm->cred->security;
2369         if (new_tsec->sid == new_tsec->osid)
2370                 return;
2371 
2372         /* Close files for which the new task SID is not authorized. */
2373         flush_unauthorized_files(bprm->cred, current->files);
2374 
2375         /* Always clear parent death signal on SID transitions. */
2376         current->pdeath_signal = 0;
2377 
2378         /* Check whether the new SID can inherit resource limits from the old
2379          * SID.  If not, reset all soft limits to the lower of the current
2380          * task's hard limit and the init task's soft limit.
2381          *
2382          * Note that the setting of hard limits (even to lower them) can be
2383          * controlled by the setrlimit check.  The inclusion of the init task's
2384          * soft limit into the computation is to avoid resetting soft limits
2385          * higher than the default soft limit for cases where the default is
2386          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2387          */
2388         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2389                           PROCESS__RLIMITINH, NULL);
2390         if (rc) {
2391                 /* protect against do_prlimit() */
2392                 task_lock(current);
2393                 for (i = 0; i < RLIM_NLIMITS; i++) {
2394                         rlim = current->signal->rlim + i;
2395                         initrlim = init_task.signal->rlim + i;
2396                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2397                 }
2398                 task_unlock(current);
2399                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2400         }
2401 }
2402 
2403 /*
2404  * Clean up the process immediately after the installation of new credentials
2405  * due to exec
2406  */
2407 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2408 {
2409         const struct task_security_struct *tsec = current_security();
2410         struct itimerval itimer;
2411         u32 osid, sid;
2412         int rc, i;
2413 
2414         osid = tsec->osid;
2415         sid = tsec->sid;
2416 
2417         if (sid == osid)
2418                 return;
2419 
2420         /* Check whether the new SID can inherit signal state from the old SID.
2421          * If not, clear itimers to avoid subsequent signal generation and
2422          * flush and unblock signals.
2423          *
2424          * This must occur _after_ the task SID has been updated so that any
2425          * kill done after the flush will be checked against the new SID.
2426          */
2427         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2428         if (rc) {
2429                 memset(&itimer, 0, sizeof itimer);
2430                 for (i = 0; i < 3; i++)
2431                         do_setitimer(i, &itimer, NULL);
2432                 spin_lock_irq(&current->sighand->siglock);
2433                 if (!fatal_signal_pending(current)) {
2434                         flush_sigqueue(&current->pending);
2435                         flush_sigqueue(&current->signal->shared_pending);
2436                         flush_signal_handlers(current, 1);
2437                         sigemptyset(&current->blocked);
2438                         recalc_sigpending();
2439                 }
2440                 spin_unlock_irq(&current->sighand->siglock);
2441         }
2442 
2443         /* Wake up the parent if it is waiting so that it can recheck
2444          * wait permission to the new task SID. */
2445         read_lock(&tasklist_lock);
2446         __wake_up_parent(current, current->real_parent);
2447         read_unlock(&tasklist_lock);
2448 }
2449 
2450 /* superblock security operations */
2451 
2452 static int selinux_sb_alloc_security(struct super_block *sb)
2453 {
2454         return superblock_alloc_security(sb);
2455 }
2456 
2457 static void selinux_sb_free_security(struct super_block *sb)
2458 {
2459         superblock_free_security(sb);
2460 }
2461 
2462 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2463 {
2464         if (plen > olen)
2465                 return 0;
2466 
2467         return !memcmp(prefix, option, plen);
2468 }
2469 
2470 static inline int selinux_option(char *option, int len)
2471 {
2472         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2473                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2474                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2475                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2476                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2477 }
2478 
2479 static inline void take_option(char **to, char *from, int *first, int len)
2480 {
2481         if (!*first) {
2482                 **to = ',';
2483                 *to += 1;
2484         } else
2485                 *first = 0;
2486         memcpy(*to, from, len);
2487         *to += len;
2488 }
2489 
2490 static inline void take_selinux_option(char **to, char *from, int *first,
2491                                        int len)
2492 {
2493         int current_size = 0;
2494 
2495         if (!*first) {
2496                 **to = '|';
2497                 *to += 1;
2498         } else
2499                 *first = 0;
2500 
2501         while (current_size < len) {
2502                 if (*from != '"') {
2503                         **to = *from;
2504                         *to += 1;
2505                 }
2506                 from += 1;
2507                 current_size += 1;
2508         }
2509 }
2510 
2511 static int selinux_sb_copy_data(char *orig, char *copy)
2512 {
2513         int fnosec, fsec, rc = 0;
2514         char *in_save, *in_curr, *in_end;
2515         char *sec_curr, *nosec_save, *nosec;
2516         int open_quote = 0;
2517 
2518         in_curr = orig;
2519         sec_curr = copy;
2520 
2521         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2522         if (!nosec) {
2523                 rc = -ENOMEM;
2524                 goto out;
2525         }
2526 
2527         nosec_save = nosec;
2528         fnosec = fsec = 1;
2529         in_save = in_end = orig;
2530 
2531         do {
2532                 if (*in_end == '"')
2533                         open_quote = !open_quote;
2534                 if ((*in_end == ',' && open_quote == 0) ||
2535                                 *in_end == '\0') {
2536                         int len = in_end - in_curr;
2537 
2538                         if (selinux_option(in_curr, len))
2539                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2540                         else
2541                                 take_option(&nosec, in_curr, &fnosec, len);
2542 
2543                         in_curr = in_end + 1;
2544                 }
2545         } while (*in_end++);
2546 
2547         strcpy(in_save, nosec_save);
2548         free_page((unsigned long)nosec_save);
2549 out:
2550         return rc;
2551 }
2552 
2553 static int selinux_sb_remount(struct super_block *sb, void *data)
2554 {
2555         int rc, i, *flags;
2556         struct security_mnt_opts opts;
2557         char *secdata, **mount_options;
2558         struct superblock_security_struct *sbsec = sb->s_security;
2559 
2560         if (!(sbsec->flags & SE_SBINITIALIZED))
2561                 return 0;
2562 
2563         if (!data)
2564                 return 0;
2565 
2566         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2567                 return 0;
2568 
2569         security_init_mnt_opts(&opts);
2570         secdata = alloc_secdata();
2571         if (!secdata)
2572                 return -ENOMEM;
2573         rc = selinux_sb_copy_data(data, secdata);
2574         if (rc)
2575                 goto out_free_secdata;
2576 
2577         rc = selinux_parse_opts_str(secdata, &opts);
2578         if (rc)
2579                 goto out_free_secdata;
2580 
2581         mount_options = opts.mnt_opts;
2582         flags = opts.mnt_opts_flags;
2583 
2584         for (i = 0; i < opts.num_mnt_opts; i++) {
2585                 u32 sid;
2586                 size_t len;
2587 
2588                 if (flags[i] == SBLABEL_MNT)
2589                         continue;
2590                 len = strlen(mount_options[i]);
2591                 rc = security_context_to_sid(mount_options[i], len, &sid,
2592                                              GFP_KERNEL);
2593                 if (rc) {
2594                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2595                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2596                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2597                         goto out_free_opts;
2598                 }
2599                 rc = -EINVAL;
2600                 switch (flags[i]) {
2601                 case FSCONTEXT_MNT:
2602                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2603                                 goto out_bad_option;
2604                         break;
2605                 case CONTEXT_MNT:
2606                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2607                                 goto out_bad_option;
2608                         break;
2609                 case ROOTCONTEXT_MNT: {
2610                         struct inode_security_struct *root_isec;
2611                         root_isec = d_backing_inode(sb->s_root)->i_security;
2612 
2613                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2614                                 goto out_bad_option;
2615                         break;
2616                 }
2617                 case DEFCONTEXT_MNT:
2618                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2619                                 goto out_bad_option;
2620                         break;
2621                 default:
2622                         goto out_free_opts;
2623                 }
2624         }
2625 
2626         rc = 0;
2627 out_free_opts:
2628         security_free_mnt_opts(&opts);
2629 out_free_secdata:
2630         free_secdata(secdata);
2631         return rc;
2632 out_bad_option:
2633         printk(KERN_WARNING "SELinux: unable to change security options "
2634                "during remount (dev %s, type=%s)\n", sb->s_id,
2635                sb->s_type->name);
2636         goto out_free_opts;
2637 }
2638 
2639 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2640 {
2641         const struct cred *cred = current_cred();
2642         struct common_audit_data ad;
2643         int rc;
2644 
2645         rc = superblock_doinit(sb, data);
2646         if (rc)
2647                 return rc;
2648 
2649         /* Allow all mounts performed by the kernel */
2650         if (flags & MS_KERNMOUNT)
2651                 return 0;
2652 
2653         ad.type = LSM_AUDIT_DATA_DENTRY;
2654         ad.u.dentry = sb->s_root;
2655         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2656 }
2657 
2658 static int selinux_sb_statfs(struct dentry *dentry)
2659 {
2660         const struct cred *cred = current_cred();
2661         struct common_audit_data ad;
2662 
2663         ad.type = LSM_AUDIT_DATA_DENTRY;
2664         ad.u.dentry = dentry->d_sb->s_root;
2665         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2666 }
2667 
2668 static int selinux_mount(const char *dev_name,
2669                          struct path *path,
2670                          const char *type,
2671                          unsigned long flags,
2672                          void *data)
2673 {
2674         const struct cred *cred = current_cred();
2675 
2676         if (flags & MS_REMOUNT)
2677                 return superblock_has_perm(cred, path->dentry->d_sb,
2678                                            FILESYSTEM__REMOUNT, NULL);
2679         else
2680                 return path_has_perm(cred, path, FILE__MOUNTON);
2681 }
2682 
2683 static int selinux_umount(struct vfsmount *mnt, int flags)
2684 {
2685         const struct cred *cred = current_cred();
2686 
2687         return superblock_has_perm(cred, mnt->mnt_sb,
2688                                    FILESYSTEM__UNMOUNT, NULL);
2689 }
2690 
2691 /* inode security operations */
2692 
2693 static int selinux_inode_alloc_security(struct inode *inode)
2694 {
2695         return inode_alloc_security(inode);
2696 }
2697 
2698 static void selinux_inode_free_security(struct inode *inode)
2699 {
2700         inode_free_security(inode);
2701 }
2702 
2703 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2704                                         struct qstr *name, void **ctx,
2705                                         u32 *ctxlen)
2706 {
2707         const struct cred *cred = current_cred();
2708         struct task_security_struct *tsec;
2709         struct inode_security_struct *dsec;
2710         struct superblock_security_struct *sbsec;
2711         struct inode *dir = d_backing_inode(dentry->d_parent);
2712         u32 newsid;
2713         int rc;
2714 
2715         tsec = cred->security;
2716         dsec = dir->i_security;
2717         sbsec = dir->i_sb->s_security;
2718 
2719         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2720                 newsid = tsec->create_sid;
2721         } else {
2722                 rc = security_transition_sid(tsec->sid, dsec->sid,
2723                                              inode_mode_to_security_class(mode),
2724                                              name,
2725                                              &newsid);
2726                 if (rc) {
2727                         printk(KERN_WARNING
2728                                 "%s: security_transition_sid failed, rc=%d\n",
2729                                __func__, -rc);
2730                         return rc;
2731                 }
2732         }
2733 
2734         return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2735 }
2736 
2737 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2738                                        const struct qstr *qstr,
2739                                        const char **name,
2740                                        void **value, size_t *len)
2741 {
2742         const struct task_security_struct *tsec = current_security();
2743         struct inode_security_struct *dsec;
2744         struct superblock_security_struct *sbsec;
2745         u32 sid, newsid, clen;
2746         int rc;
2747         char *context;
2748 
2749         dsec = dir->i_security;
2750         sbsec = dir->i_sb->s_security;
2751 
2752         sid = tsec->sid;
2753         newsid = tsec->create_sid;
2754 
2755         if ((sbsec->flags & SE_SBINITIALIZED) &&
2756             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2757                 newsid = sbsec->mntpoint_sid;
2758         else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2759                 rc = security_transition_sid(sid, dsec->sid,
2760                                              inode_mode_to_security_class(inode->i_mode),
2761                                              qstr, &newsid);
2762                 if (rc) {
2763                         printk(KERN_WARNING "%s:  "
2764                                "security_transition_sid failed, rc=%d (dev=%s "
2765                                "ino=%ld)\n",
2766                                __func__,
2767                                -rc, inode->i_sb->s_id, inode->i_ino);
2768                         return rc;
2769                 }
2770         }
2771 
2772         /* Possibly defer initialization to selinux_complete_init. */
2773         if (sbsec->flags & SE_SBINITIALIZED) {
2774                 struct inode_security_struct *isec = inode->i_security;
2775                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2776                 isec->sid = newsid;
2777                 isec->initialized = 1;
2778         }
2779 
2780         if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2781                 return -EOPNOTSUPP;
2782 
2783         if (name)
2784                 *name = XATTR_SELINUX_SUFFIX;
2785 
2786         if (value && len) {
2787                 rc = security_sid_to_context_force(newsid, &context, &clen);
2788                 if (rc)
2789                         return rc;
2790                 *value = context;
2791                 *len = clen;
2792         }
2793 
2794         return 0;
2795 }
2796 
2797 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2798 {
2799         return may_create(dir, dentry, SECCLASS_FILE);
2800 }
2801 
2802 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2803 {
2804         return may_link(dir, old_dentry, MAY_LINK);
2805 }
2806 
2807 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2808 {
2809         return may_link(dir, dentry, MAY_UNLINK);
2810 }
2811 
2812 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2813 {
2814         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2815 }
2816 
2817 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2818 {
2819         return may_create(dir, dentry, SECCLASS_DIR);
2820 }
2821 
2822 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2823 {
2824         return may_link(dir, dentry, MAY_RMDIR);
2825 }
2826 
2827 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2828 {
2829         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2830 }
2831 
2832 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2833                                 struct inode *new_inode, struct dentry *new_dentry)
2834 {
2835         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2836 }
2837 
2838 static int selinux_inode_readlink(struct dentry *dentry)
2839 {
2840         const struct cred *cred = current_cred();
2841 
2842         return dentry_has_perm(cred, dentry, FILE__READ);
2843 }
2844 
2845 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2846                                      bool rcu)
2847 {
2848         const struct cred *cred = current_cred();
2849         struct common_audit_data ad;
2850         struct inode_security_struct *isec;
2851         u32 sid;
2852 
2853         validate_creds(cred);
2854 
2855         ad.type = LSM_AUDIT_DATA_DENTRY;
2856         ad.u.dentry = dentry;
2857         sid = cred_sid(cred);
2858         isec = inode->i_security;
2859 
2860         return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2861                                   rcu ? MAY_NOT_BLOCK : 0);
2862 }
2863 
2864 static noinline int audit_inode_permission(struct inode *inode,
2865                                            u32 perms, u32 audited, u32 denied,
2866                                            int result,
2867                                            unsigned flags)
2868 {
2869         struct common_audit_data ad;
2870         struct inode_security_struct *isec = inode->i_security;
2871         int rc;
2872 
2873         ad.type = LSM_AUDIT_DATA_INODE;
2874         ad.u.inode = inode;
2875 
2876         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2877                             audited, denied, result, &ad, flags);
2878         if (rc)
2879                 return rc;
2880         return 0;
2881 }
2882 
2883 static int selinux_inode_permission(struct inode *inode, int mask)
2884 {
2885         const struct cred *cred = current_cred();
2886         u32 perms;
2887         bool from_access;
2888         unsigned flags = mask & MAY_NOT_BLOCK;
2889         struct inode_security_struct *isec;
2890         u32 sid;
2891         struct av_decision avd;
2892         int rc, rc2;
2893         u32 audited, denied;
2894 
2895         from_access = mask & MAY_ACCESS;
2896         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2897 
2898         /* No permission to check.  Existence test. */
2899         if (!mask)
2900                 return 0;
2901 
2902         validate_creds(cred);
2903 
2904         if (unlikely(IS_PRIVATE(inode)))
2905                 return 0;
2906 
2907         perms = file_mask_to_av(inode->i_mode, mask);
2908 
2909         sid = cred_sid(cred);
2910         isec = inode->i_security;
2911 
2912         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2913         audited = avc_audit_required(perms, &avd, rc,
2914                                      from_access ? FILE__AUDIT_ACCESS : 0,
2915                                      &denied);
2916         if (likely(!audited))
2917                 return rc;
2918 
2919         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2920         if (rc2)
2921                 return rc2;
2922         return rc;
2923 }
2924 
2925 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2926 {
2927         const struct cred *cred = current_cred();
2928         unsigned int ia_valid = iattr->ia_valid;
2929         __u32 av = FILE__WRITE;
2930 
2931         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2932         if (ia_valid & ATTR_FORCE) {
2933                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2934                               ATTR_FORCE);
2935                 if (!ia_valid)
2936                         return 0;
2937         }
2938 
2939         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2940                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2941                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2942 
2943         if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2944                 av |= FILE__OPEN;
2945 
2946         return dentry_has_perm(cred, dentry, av);
2947 }
2948 
2949 static int selinux_inode_getattr(const struct path *path)
2950 {
2951         return path_has_perm(current_cred(), path, FILE__GETATTR);
2952 }
2953 
2954 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2955 {
2956         const struct cred *cred = current_cred();
2957 
2958         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2959                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2960                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2961                         if (!capable(CAP_SETFCAP))
2962                                 return -EPERM;
2963                 } else if (!capable(CAP_SYS_ADMIN)) {
2964                         /* A different attribute in the security namespace.
2965                            Restrict to administrator. */
2966                         return -EPERM;
2967                 }
2968         }
2969 
2970         /* Not an attribute we recognize, so just check the
2971            ordinary setattr permission. */
2972         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2973 }
2974 
2975 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2976                                   const void *value, size_t size, int flags)
2977 {
2978         struct inode *inode = d_backing_inode(dentry);
2979         struct inode_security_struct *isec = inode->i_security;
2980         struct superblock_security_struct *sbsec;
2981         struct common_audit_data ad;
2982         u32 newsid, sid = current_sid();
2983         int rc = 0;
2984 
2985         if (strcmp(name, XATTR_NAME_SELINUX))
2986                 return selinux_inode_setotherxattr(dentry, name);
2987 
2988         sbsec = inode->i_sb->s_security;
2989         if (!(sbsec->flags & SBLABEL_MNT))
2990                 return -EOPNOTSUPP;
2991 
2992         if (!inode_owner_or_capable(inode))
2993                 return -EPERM;
2994 
2995         ad.type = LSM_AUDIT_DATA_DENTRY;
2996         ad.u.dentry = dentry;
2997 
2998         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2999                           FILE__RELABELFROM, &ad);
3000         if (rc)
3001                 return rc;
3002 
3003         rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3004         if (rc == -EINVAL) {
3005                 if (!capable(CAP_MAC_ADMIN)) {
3006                         struct audit_buffer *ab;
3007                         size_t audit_size;
3008                         const char *str;
3009 
3010                         /* We strip a nul only if it is at the end, otherwise the
3011                          * context contains a nul and we should audit that */
3012                         if (value) {
3013                                 str = value;
3014                                 if (str[size - 1] == '\0')
3015                                         audit_size = size - 1;
3016                                 else
3017                                         audit_size = size;
3018                         } else {
3019                                 str = "";
3020                                 audit_size = 0;
3021                         }
3022                         ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3023                         audit_log_format(ab, "op=setxattr invalid_context=");
3024                         audit_log_n_untrustedstring(ab, value, audit_size);
3025                         audit_log_end(ab);
3026 
3027                         return rc;
3028                 }
3029                 rc = security_context_to_sid_force(value, size, &newsid);
3030         }
3031         if (rc)
3032                 return rc;
3033 
3034         rc = avc_has_perm(sid, newsid, isec->sclass,
3035                           FILE__RELABELTO, &ad);
3036         if (rc)
3037                 return rc;
3038 
3039         rc = security_validate_transition(isec->sid, newsid, sid,
3040                                           isec->sclass);
3041         if (rc)
3042                 return rc;
3043 
3044         return avc_has_perm(newsid,
3045                             sbsec->sid,
3046                             SECCLASS_FILESYSTEM,
3047                             FILESYSTEM__ASSOCIATE,
3048                             &ad);
3049 }
3050 
3051 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3052                                         const void *value, size_t size,
3053                                         int flags)
3054 {
3055         struct inode *inode = d_backing_inode(dentry);
3056         struct inode_security_struct *isec = inode->i_security;
3057         u32 newsid;
3058         int rc;
3059 
3060         if (strcmp(name, XATTR_NAME_SELINUX)) {
3061                 /* Not an attribute we recognize, so nothing to do. */
3062                 return;
3063         }
3064 
3065         rc = security_context_to_sid_force(value, size, &newsid);
3066         if (rc) {
3067                 printk(KERN_ERR "SELinux:  unable to map context to SID"
3068                        "for (%s, %lu), rc=%d\n",
3069                        inode->i_sb->s_id, inode->i_ino, -rc);
3070                 return;
3071         }
3072 
3073         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3074         isec->sid = newsid;
3075         isec->initialized = 1;
3076 
3077         return;
3078 }
3079 
3080 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3081 {
3082         const struct cred *cred = current_cred();
3083 
3084         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3085 }
3086 
3087 static int selinux_inode_listxattr(struct dentry *dentry)
3088 {
3089         const struct cred *cred = current_cred();
3090 
3091         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3092 }
3093 
3094 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3095 {
3096         if (strcmp(name, XATTR_NAME_SELINUX))
3097                 return selinux_inode_setotherxattr(dentry, name);
3098 
3099         /* No one is allowed to remove a SELinux security label.
3100            You can change the label, but all data must be labeled. */
3101         return -EACCES;
3102 }
3103 
3104 /*
3105  * Copy the inode security context value to the user.
3106  *
3107  * Permission check is handled by selinux_inode_getxattr hook.
3108  */
3109 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3110 {
3111         u32 size;
3112         int error;
3113         char *context = NULL;
3114         struct inode_security_struct *isec = inode->i_security;
3115 
3116         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3117                 return -EOPNOTSUPP;
3118 
3119         /*
3120          * If the caller has CAP_MAC_ADMIN, then get the raw context
3121          * value even if it is not defined by current policy; otherwise,
3122          * use the in-core value under current policy.
3123          * Use the non-auditing forms of the permission checks since
3124          * getxattr may be called by unprivileged processes commonly
3125          * and lack of permission just means that we fall back to the
3126          * in-core context value, not a denial.
3127          */
3128         error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3129                             SECURITY_CAP_NOAUDIT);
3130         if (!error)
3131                 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3132                                             SECURITY_CAP_NOAUDIT);
3133         if (!error)
3134                 error = security_sid_to_context_force(isec->sid, &context,
3135                                                       &size);
3136         else
3137                 error = security_sid_to_context(isec->sid, &context, &size);
3138         if (error)
3139                 return error;
3140         error = size;
3141         if (alloc) {
3142                 *buffer = context;
3143                 goto out_nofree;
3144         }
3145         kfree(context);
3146 out_nofree:
3147         return error;
3148 }
3149 
3150 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3151                                      const void *value, size_t size, int flags)
3152 {
3153         struct inode_security_struct *isec = inode->i_security;
3154         u32 newsid;
3155         int rc;
3156 
3157         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3158                 return -EOPNOTSUPP;
3159 
3160         if (!value || !size)
3161                 return -EACCES;
3162 
3163         rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3164         if (rc)
3165                 return rc;
3166 
3167         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3168         isec->sid = newsid;
3169         isec->initialized = 1;
3170         return 0;
3171 }
3172 
3173 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3174 {
3175         const int len = sizeof(XATTR_NAME_SELINUX);
3176         if (buffer && len <= buffer_size)
3177                 memcpy(buffer, XATTR_NAME_SELINUX, len);
3178         return len;
3179 }
3180 
3181 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3182 {
3183         struct inode_security_struct *isec = inode->i_security;
3184         *secid = isec->sid;
3185 }
3186 
3187 /* file security operations */
3188 
3189 static int selinux_revalidate_file_permission(struct file *file, int mask)
3190 {
3191         const struct cred *cred = current_cred();
3192         struct inode *inode = file_inode(file);
3193 
3194         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3195         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3196                 mask |= MAY_APPEND;
3197 
3198         return file_has_perm(cred, file,
3199                              file_mask_to_av(inode->i_mode, mask));
3200 }
3201 
3202 static int selinux_file_permission(struct file *file, int mask)
3203 {
3204         struct inode *inode = file_inode(file);
3205         struct file_security_struct *fsec = file->f_security;
3206         struct inode_security_struct *isec = inode->i_security;
3207         u32 sid = current_sid();
3208 
3209         if (!mask)
3210                 /* No permission to check.  Existence test. */
3211                 return 0;
3212 
3213         if (sid == fsec->sid && fsec->isid == isec->sid &&
3214             fsec->pseqno == avc_policy_seqno())
3215                 /* No change since file_open check. */
3216                 return 0;
3217 
3218         return selinux_revalidate_file_permission(file, mask);
3219 }
3220 
3221 static int selinux_file_alloc_security(struct file *file)
3222 {
3223         return file_alloc_security(file);
3224 }
3225 
3226 static void selinux_file_free_security(struct file *file)
3227 {
3228         file_free_security(file);
3229 }
3230 
3231 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3232                               unsigned long arg)
3233 {
3234         const struct cred *cred = current_cred();
3235         int error = 0;
3236 
3237         switch (cmd) {
3238         case FIONREAD:
3239         /* fall through */
3240         case FIBMAP:
3241         /* fall through */
3242         case FIGETBSZ:
3243         /* fall through */
3244         case FS_IOC_GETFLAGS:
3245         /* fall through */
3246         case FS_IOC_GETVERSION:
3247                 error = file_has_perm(cred, file, FILE__GETATTR);
3248                 break;
3249 
3250         case FS_IOC_SETFLAGS:
3251         /* fall through */
3252         case FS_IOC_SETVERSION:
3253                 error = file_has_perm(cred, file, FILE__SETATTR);
3254                 break;
3255 
3256         /* sys_ioctl() checks */
3257         case FIONBIO:
3258         /* fall through */
3259         case FIOASYNC:
3260                 error = file_has_perm(cred, file, 0);
3261                 break;
3262 
3263         case KDSKBENT:
3264         case KDSKBSENT:
3265                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3266                                             SECURITY_CAP_AUDIT);
3267                 break;
3268 
3269         /* default case assumes that the command will go
3270          * to the file's ioctl() function.
3271          */
3272         default:
3273                 error = file_has_perm(cred, file, FILE__IOCTL);
3274         }
3275         return error;
3276 }
3277 
3278 static int default_noexec;
3279 
3280 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3281 {
3282         const struct cred *cred = current_cred();
3283         int rc = 0;
3284 
3285         if (default_noexec &&
3286             (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3287                                    (!shared && (prot & PROT_WRITE)))) {
3288                 /*
3289                  * We are making executable an anonymous mapping or a
3290                  * private file mapping that will also be writable.
3291                  * This has an additional check.
3292                  */
3293                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3294                 if (rc)
3295                         goto error;
3296         }
3297 
3298         if (file) {
3299                 /* read access is always possible with a mapping */
3300                 u32 av = FILE__READ;
3301 
3302                 /* write access only matters if the mapping is shared */
3303                 if (shared && (prot & PROT_WRITE))
3304                         av |= FILE__WRITE;
3305 
3306                 if (prot & PROT_EXEC)
3307                         av |= FILE__EXECUTE;
3308 
3309                 return file_has_perm(cred, file, av);
3310         }
3311 
3312 error:
3313         return rc;
3314 }
3315 
3316 static int selinux_mmap_addr(unsigned long addr)
3317 {
3318         int rc = 0;
3319 
3320         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3321                 u32 sid = current_sid();
3322                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3323                                   MEMPROTECT__MMAP_ZERO, NULL);
3324         }
3325 
3326         return rc;
3327 }
3328 
3329 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3330                              unsigned long prot, unsigned long flags)
3331 {
3332         if (selinux_checkreqprot)
3333                 prot = reqprot;
3334 
3335         return file_map_prot_check(file, prot,
3336                                    (flags & MAP_TYPE) == MAP_SHARED);
3337 }
3338 
3339 static int selinux_file_mprotect(struct vm_area_struct *vma,
3340                                  unsigned long reqprot,
3341                                  unsigned long prot)
3342 {
3343         const struct cred *cred = current_cred();
3344 
3345         if (selinux_checkreqprot)
3346                 prot = reqprot;
3347 
3348         if (default_noexec &&
3349             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3350                 int rc = 0;
3351                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3352                     vma->vm_end <= vma->vm_mm->brk) {
3353                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3354                 } else if (!vma->vm_file &&
3355                            vma->vm_start <= vma->vm_mm->start_stack &&
3356                            vma->vm_end >= vma->vm_mm->start_stack) {
3357                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3358                 } else if (vma->vm_file && vma->anon_vma) {
3359                         /*
3360                          * We are making executable a file mapping that has
3361                          * had some COW done. Since pages might have been
3362                          * written, check ability to execute the possibly
3363                          * modified content.  This typically should only
3364                          * occur for text relocations.
3365                          */
3366                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3367                 }
3368                 if (rc)
3369                         return rc;
3370         }
3371 
3372         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3373 }
3374 
3375 static int selinux_file_lock(struct file *file, unsigned int cmd)
3376 {
3377         const struct cred *cred = current_cred();
3378 
3379         return file_has_perm(cred, file, FILE__LOCK);
3380 }
3381 
3382 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3383                               unsigned long arg)
3384 {
3385         const struct cred *cred = current_cred();
3386         int err = 0;
3387 
3388         switch (cmd) {
3389         case F_SETFL:
3390                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3391                         err = file_has_perm(cred, file, FILE__WRITE);
3392                         break;
3393                 }
3394                 /* fall through */
3395         case F_SETOWN:
3396         case F_SETSIG:
3397         case F_GETFL:
3398         case F_GETOWN:
3399         case F_GETSIG:
3400         case F_GETOWNER_UIDS:
3401                 /* Just check FD__USE permission */
3402                 err = file_has_perm(cred, file, 0);
3403                 break;
3404         case F_GETLK:
3405         case F_SETLK:
3406         case F_SETLKW:
3407         case F_OFD_GETLK:
3408         case F_OFD_SETLK:
3409         case F_OFD_SETLKW:
3410 #if BITS_PER_LONG == 32
3411         case F_GETLK64:
3412         case F_SETLK64:
3413         case F_SETLKW64:
3414 #endif
3415                 err = file_has_perm(cred, file, FILE__LOCK);
3416                 break;
3417         }
3418 
3419         return err;
3420 }
3421 
3422 static void selinux_file_set_fowner(struct file *file)
3423 {
3424         struct file_security_struct *fsec;
3425 
3426         fsec = file->f_security;
3427         fsec->fown_sid = current_sid();
3428 }
3429 
3430 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3431                                        struct fown_struct *fown, int signum)
3432 {
3433         struct file *file;
3434         u32 sid = task_sid(tsk);
3435         u32 perm;
3436         struct file_security_struct *fsec;
3437 
3438         /* struct fown_struct is never outside the context of a struct file */
3439         file = container_of(fown, struct file, f_owner);
3440 
3441         fsec = file->f_security;
3442 
3443         if (!signum)
3444                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3445         else
3446                 perm = signal_to_av(signum);
3447 
3448         return avc_has_perm(fsec->fown_sid, sid,
3449                             SECCLASS_PROCESS, perm, NULL);
3450 }
3451 
3452 static int selinux_file_receive(struct file *file)
3453 {
3454         const struct cred *cred = current_cred();
3455 
3456         return file_has_perm(cred, file, file_to_av(file));
3457 }
3458 
3459 static int selinux_file_open(struct file *file, const struct cred *cred)
3460 {
3461         struct file_security_struct *fsec;
3462         struct inode_security_struct *isec;
3463 
3464         fsec = file->f_security;
3465         isec = file_inode(file)->i_security;
3466         /*
3467          * Save inode label and policy sequence number
3468          * at open-time so that selinux_file_permission
3469          * can determine whether revalidation is necessary.
3470          * Task label is already saved in the file security
3471          * struct as its SID.
3472          */
3473         fsec->isid = isec->sid;
3474         fsec->pseqno = avc_policy_seqno();
3475         /*
3476          * Since the inode label or policy seqno may have changed
3477          * between the selinux_inode_permission check and the saving
3478          * of state above, recheck that access is still permitted.
3479          * Otherwise, access might never be revalidated against the
3480          * new inode label or new policy.
3481          * This check is not redundant - do not remove.
3482          */
3483         return file_path_has_perm(cred, file, open_file_to_av(file));
3484 }
3485 
3486 /* task security operations */
3487 
3488 static int selinux_task_create(unsigned long clone_flags)
3489 {
3490         return current_has_perm(current, PROCESS__FORK);
3491 }
3492 
3493 /*
3494  * allocate the SELinux part of blank credentials
3495  */
3496 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3497 {
3498         struct task_security_struct *tsec;
3499 
3500         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3501         if (!tsec)
3502                 return -ENOMEM;
3503 
3504         cred->security = tsec;
3505         return 0;
3506 }
3507 
3508 /*
3509  * detach and free the LSM part of a set of credentials
3510  */
3511 static void selinux_cred_free(struct cred *cred)
3512 {
3513         struct task_security_struct *tsec = cred->security;
3514 
3515         /*
3516          * cred->security == NULL if security_cred_alloc_blank() or
3517          * security_prepare_creds() returned an error.
3518          */
3519         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3520         cred->security = (void *) 0x7UL;
3521         kfree(tsec);
3522 }
3523 
3524 /*
3525  * prepare a new set of credentials for modification
3526  */
3527 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3528                                 gfp_t gfp)
3529 {
3530         const struct task_security_struct *old_tsec;
3531         struct task_security_struct *tsec;
3532 
3533         old_tsec = old->security;
3534 
3535         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3536         if (!tsec)
3537                 return -ENOMEM;
3538 
3539         new->security = tsec;
3540         return 0;
3541 }
3542 
3543 /*
3544  * transfer the SELinux data to a blank set of creds
3545  */
3546 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3547 {
3548         const struct task_security_struct *old_tsec = old->security;
3549         struct task_security_struct *tsec = new->security;
3550 
3551         *tsec = *old_tsec;
3552 }
3553 
3554 /*
3555  * set the security data for a kernel service
3556  * - all the creation contexts are set to unlabelled
3557  */
3558 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3559 {
3560         struct task_security_struct *tsec = new->security;
3561         u32 sid = current_sid();
3562         int ret;
3563 
3564         ret = avc_has_perm(sid, secid,
3565                            SECCLASS_KERNEL_SERVICE,
3566                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3567                            NULL);
3568         if (ret == 0) {
3569                 tsec->sid = secid;
3570                 tsec->create_sid = 0;
3571                 tsec->keycreate_sid = 0;
3572                 tsec->sockcreate_sid = 0;
3573         }
3574         return ret;
3575 }
3576 
3577 /*
3578  * set the file creation context in a security record to the same as the
3579  * objective context of the specified inode
3580  */
3581 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3582 {
3583         struct inode_security_struct *isec = inode->i_security;
3584         struct task_security_struct *tsec = new->security;
3585         u32 sid = current_sid();
3586         int ret;
3587 
3588         ret = avc_has_perm(sid, isec->sid,
3589                            SECCLASS_KERNEL_SERVICE,
3590                            KERNEL_SERVICE__CREATE_FILES_AS,
3591                            NULL);
3592 
3593         if (ret == 0)
3594                 tsec->create_sid = isec->sid;
3595         return ret;
3596 }
3597 
3598 static int selinux_kernel_module_request(char *kmod_name)
3599 {
3600         u32 sid;
3601         struct common_audit_data ad;
3602 
3603         sid = task_sid(current);
3604 
3605         ad.type = LSM_AUDIT_DATA_KMOD;
3606         ad.u.kmod_name = kmod_name;
3607 
3608         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3609                             SYSTEM__MODULE_REQUEST, &ad);
3610 }
3611 
3612 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3613 {
3614         return current_has_perm(p, PROCESS__SETPGID);
3615 }
3616 
3617 static int selinux_task_getpgid(struct task_struct *p)
3618 {
3619         return current_has_perm(p, PROCESS__GETPGID);
3620 }
3621 
3622 static int selinux_task_getsid(struct task_struct *p)
3623 {
3624         return current_has_perm(p, PROCESS__GETSESSION);
3625 }
3626 
3627 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3628 {
3629         *secid = task_sid(p);
3630 }
3631 
3632 static int selinux_task_setnice(struct task_struct *p, int nice)
3633 {
3634         return current_has_perm(p, PROCESS__SETSCHED);
3635 }
3636 
3637 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3638 {
3639         return current_has_perm(p, PROCESS__SETSCHED);
3640 }
3641 
3642 static int selinux_task_getioprio(struct task_struct *p)
3643 {
3644         return current_has_perm(p, PROCESS__GETSCHED);
3645 }
3646 
3647 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3648                 struct rlimit *new_rlim)
3649 {
3650         struct rlimit *old_rlim = p->signal->rlim + resource;
3651 
3652         /* Control the ability to change the hard limit (whether
3653            lowering or raising it), so that the hard limit can
3654            later be used as a safe reset point for the soft limit
3655            upon context transitions.  See selinux_bprm_committing_creds. */
3656         if (old_rlim->rlim_max != new_rlim->rlim_max)
3657                 return current_has_perm(p, PROCESS__SETRLIMIT);
3658 
3659         return 0;
3660 }
3661 
3662 static int selinux_task_setscheduler(struct task_struct *p)
3663 {
3664         return current_has_perm(p, PROCESS__SETSCHED);
3665 }
3666 
3667 static int selinux_task_getscheduler(struct task_struct *p)
3668 {
3669         return current_has_perm(p, PROCESS__GETSCHED);
3670 }
3671 
3672 static int selinux_task_movememory(struct task_struct *p)
3673 {
3674         return current_has_perm(p, PROCESS__SETSCHED);
3675 }
3676 
3677 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3678                                 int sig, u32 secid)
3679 {
3680         u32 perm;
3681         int rc;
3682 
3683         if (!sig)
3684                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3685         else
3686                 perm = signal_to_av(sig);
3687         if (secid)
3688                 rc = avc_has_perm(secid, task_sid(p),
3689                                   SECCLASS_PROCESS, perm, NULL);
3690         else
3691                 rc = current_has_perm(p, perm);
3692         return rc;
3693 }
3694 
3695 static int selinux_task_wait(struct task_struct *p)
3696 {
3697         return task_has_perm(p, current, PROCESS__SIGCHLD);
3698 }
3699 
3700 static void selinux_task_to_inode(struct task_struct *p,
3701                                   struct inode *inode)
3702 {
3703         struct inode_security_struct *isec = inode->i_security;
3704         u32 sid = task_sid(p);
3705 
3706         isec->sid = sid;
3707         isec->initialized = 1;
3708 }
3709 
3710 /* Returns error only if unable to parse addresses */
3711 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3712                         struct common_audit_data *ad, u8 *proto)
3713 {
3714         int offset, ihlen, ret = -EINVAL;
3715         struct iphdr _iph, *ih;
3716 
3717         offset = skb_network_offset(skb);
3718         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3719         if (ih == NULL)
3720                 goto out;
3721 
3722         ihlen = ih->ihl * 4;
3723         if (ihlen < sizeof(_iph))
3724                 goto out;
3725 
3726         ad->u.net->v4info.saddr = ih->saddr;
3727         ad->u.net->v4info.daddr = ih->daddr;
3728         ret = 0;
3729 
3730         if (proto)
3731                 *proto = ih->protocol;
3732 
3733         switch (ih->protocol) {
3734         case IPPROTO_TCP: {
3735                 struct tcphdr _tcph, *th;
3736 
3737                 if (ntohs(ih->frag_off) & IP_OFFSET)
3738                         break;
3739 
3740                 offset += ihlen;
3741                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3742                 if (th == NULL)
3743                         break;
3744 
3745                 ad->u.net->sport = th->source;
3746                 ad->u.net->dport = th->dest;
3747                 break;
3748         }
3749 
3750         case IPPROTO_UDP: {
3751                 struct udphdr _udph, *uh;
3752 
3753                 if (ntohs(ih->frag_off) & IP_OFFSET)
3754                         break;
3755 
3756                 offset += ihlen;
3757                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3758                 if (uh == NULL)
3759                         break;
3760 
3761                 ad->u.net->sport = uh->source;
3762                 ad->u.net->dport = uh->dest;
3763                 break;
3764         }
3765 
3766         case IPPROTO_DCCP: {
3767                 struct dccp_hdr _dccph, *dh;
3768 
3769                 if (ntohs(ih->frag_off) & IP_OFFSET)
3770                         break;
3771 
3772                 offset += ihlen;
3773                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3774                 if (dh == NULL)
3775                         break;
3776 
3777                 ad->u.net->sport = dh->dccph_sport;
3778                 ad->u.net->dport = dh->dccph_dport;
3779                 break;
3780         }
3781 
3782         default:
3783                 break;
3784         }
3785 out:
3786         return ret;
3787 }
3788 
3789 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3790 
3791 /* Returns error only if unable to parse addresses */
3792 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3793                         struct common_audit_data *ad, u8 *proto)
3794 {
3795         u8 nexthdr;
3796         int ret = -EINVAL, offset;
3797         struct ipv6hdr _ipv6h, *ip6;
3798         __be16 frag_off;
3799 
3800         offset = skb_network_offset(skb);
3801         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3802         if (ip6 == NULL)
3803                 goto out;
3804 
3805         ad->u.net->v6info.saddr = ip6->saddr;
3806         ad->u.net->v6info.daddr = ip6->daddr;
3807         ret = 0;
3808 
3809         nexthdr = ip6->nexthdr;
3810         offset += sizeof(_ipv6h);
3811         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3812         if (offset < 0)
3813                 goto out;
3814 
3815         if (proto)
3816                 *proto = nexthdr;
3817 
3818         switch (nexthdr) {
3819         case IPPROTO_TCP: {
3820                 struct tcphdr _tcph, *th;
3821 
3822                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3823                 if (th == NULL)
3824                         break;
3825 
3826                 ad->u.net->sport = th->source;
3827                 ad->u.net->dport = th->dest;
3828                 break;
3829         }
3830 
3831         case IPPROTO_UDP: {
3832                 struct udphdr _udph, *uh;
3833 
3834                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3835                 if (uh == NULL)
3836                         break;
3837 
3838                 ad->u.net->sport = uh->source;
3839                 ad->u.net->dport = uh->dest;
3840                 break;
3841         }
3842 
3843         case IPPROTO_DCCP: {
3844                 struct dccp_hdr _dccph, *dh;
3845 
3846                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3847                 if (dh == NULL)
3848                         break;
3849 
3850                 ad->u.net->sport = dh->dccph_sport;
3851                 ad->u.net->dport = dh->dccph_dport;
3852                 break;
3853         }
3854 
3855         /* includes fragments */
3856         default:
3857                 break;
3858         }
3859 out:
3860         return ret;
3861 }
3862 
3863 #endif /* IPV6 */
3864 
3865 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3866                              char **_addrp, int src, u8 *proto)
3867 {
3868         char *addrp;
3869         int ret;
3870 
3871         switch (ad->u.net->family) {
3872         case PF_INET:
3873                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3874                 if (ret)
3875                         goto parse_error;
3876                 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3877                                        &ad->u.net->v4info.daddr);
3878                 goto okay;
3879 
3880 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3881         case PF_INET6:
3882                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3883                 if (ret)
3884                         goto parse_error;
3885                 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3886                                        &ad->u.net->v6info.daddr);
3887                 goto okay;
3888 #endif  /* IPV6 */
3889         default:
3890                 addrp = NULL;
3891                 goto okay;
3892         }
3893 
3894 parse_error:
3895         printk(KERN_WARNING
3896                "SELinux: failure in selinux_parse_skb(),"
3897                " unable to parse packet\n");
3898         return ret;
3899 
3900 okay:
3901         if (_addrp)
3902                 *_addrp = addrp;
3903         return 0;
3904 }
3905 
3906 /**
3907  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3908  * @skb: the packet
3909  * @family: protocol family
3910  * @sid: the packet's peer label SID
3911  *
3912  * Description:
3913  * Check the various different forms of network peer labeling and determine
3914  * the peer label/SID for the packet; most of the magic actually occurs in
3915  * the security server function security_net_peersid_cmp().  The function
3916  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3917  * or -EACCES if @sid is invalid due to inconsistencies with the different
3918  * peer labels.
3919  *
3920  */
3921 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3922 {
3923         int err;
3924         u32 xfrm_sid;
3925         u32 nlbl_sid;
3926         u32 nlbl_type;
3927 
3928         err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3929         if (unlikely(err))
3930                 return -EACCES;
3931         err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3932         if (unlikely(err))
3933                 return -EACCES;
3934 
3935         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3936         if (unlikely(err)) {
3937                 printk(KERN_WARNING
3938                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3939                        " unable to determine packet's peer label\n");
3940                 return -EACCES;
3941         }
3942 
3943         return 0;
3944 }
3945 
3946 /**
3947  * selinux_conn_sid - Determine the child socket label for a connection
3948  * @sk_sid: the parent socket's SID
3949  * @skb_sid: the packet's SID
3950  * @conn_sid: the resulting connection SID
3951  *
3952  * If @skb_sid is valid then the user:role:type information from @sk_sid is
3953  * combined with the MLS information from @skb_sid in order to create
3954  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
3955  * of @sk_sid.  Returns zero on success, negative values on failure.
3956  *
3957  */
3958 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3959 {
3960         int err = 0;
3961 
3962         if (skb_sid != SECSID_NULL)
3963                 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3964         else
3965                 *conn_sid = sk_sid;
3966 
3967         return err;
3968 }
3969 
3970 /* socket security operations */
3971 
3972 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3973                                  u16 secclass, u32 *socksid)
3974 {
3975         if (tsec->sockcreate_sid > SECSID_NULL) {
3976                 *socksid = tsec->sockcreate_sid;
3977                 return 0;
3978         }
3979 
3980         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3981                                        socksid);
3982 }
3983 
3984 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3985 {
3986         struct sk_security_struct *sksec = sk->sk_security;
3987         struct common_audit_data ad;
3988         struct lsm_network_audit net = {0,};
3989         u32 tsid = task_sid(task);
3990 
3991         if (sksec->sid == SECINITSID_KERNEL)
3992                 return 0;
3993 
3994         ad.type = LSM_AUDIT_DATA_NET;
3995         ad.u.net = &net;
3996         ad.u.net->sk = sk;
3997 
3998         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3999 }
4000 
4001 static int selinux_socket_create(int family, int type,
4002                                  int protocol, int kern)
4003 {
4004         const struct task_security_struct *tsec = current_security();
4005         u32 newsid;
4006         u16 secclass;
4007         int rc;
4008 
4009         if (kern)
4010                 return 0;
4011 
4012         secclass = socket_type_to_security_class(family, type, protocol);
4013         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4014         if (rc)
4015                 return rc;
4016 
4017         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4018 }
4019 
4020 static int selinux_socket_post_create(struct socket *sock, int family,
4021                                       int type, int protocol, int kern)
4022 {
4023         const struct task_security_struct *tsec = current_security();
4024         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4025         struct sk_security_struct *sksec;
4026         int err = 0;
4027 
4028         isec->sclass = socket_type_to_security_class(family, type, protocol);
4029 
4030         if (kern)
4031                 isec->sid = SECINITSID_KERNEL;
4032         else {
4033                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4034                 if (err)
4035                         return err;
4036         }
4037 
4038         isec->initialized = 1;
4039 
4040         if (sock->sk) {
4041                 sksec = sock->sk->sk_security;
4042                 sksec->sid = isec->sid;
4043                 sksec->sclass = isec->sclass;
4044                 err = selinux_netlbl_socket_post_create(sock->sk, family);
4045         }
4046 
4047         return err;
4048 }
4049 
4050 /* Range of port numbers used to automatically bind.
4051    Need to determine whether we should perform a name_bind
4052    permission check between the socket and the port number. */
4053 
4054 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4055 {
4056         struct sock *sk = sock->sk;
4057         u16 family;
4058         int err;
4059 
4060         err = sock_has_perm(current, sk, SOCKET__BIND);
4061         if (err)
4062                 goto out;
4063 
4064         /*
4065          * If PF_INET or PF_INET6, check name_bind permission for the port.
4066          * Multiple address binding for SCTP is not supported yet: we just
4067          * check the first address now.
4068          */
4069         family = sk->sk_family;
4070         if (family == PF_INET || family == PF_INET6) {
4071                 char *addrp;
4072                 struct sk_security_struct *sksec = sk->sk_security;
4073                 struct common_audit_data ad;
4074                 struct lsm_network_audit net = {0,};
4075                 struct sockaddr_in *addr4 = NULL;
4076                 struct sockaddr_in6 *addr6 = NULL;
4077                 unsigned short snum;
4078                 u32 sid, node_perm;
4079 
4080                 if (family == PF_INET) {
4081                         addr4 = (struct sockaddr_in *)address;
4082                         snum = ntohs(addr4->sin_port);
4083                         addrp = (char *)&addr4->sin_addr.s_addr;
4084                 } else {
4085                         addr6 = (struct sockaddr_in6 *)address;
4086                         snum = ntohs(addr6->sin6_port);
4087                         addrp = (char *)&addr6->sin6_addr.s6_addr;
4088                 }
4089 
4090                 if (snum) {
4091                         int low, high;
4092 
4093                         inet_get_local_port_range(sock_net(sk), &low, &high);
4094 
4095                         if (snum < max(PROT_SOCK, low) || snum > high) {
4096                                 err = sel_netport_sid(sk->sk_protocol,
4097                                                       snum, &sid);
4098                                 if (err)
4099                                         goto out;
4100                                 ad.type = LSM_AUDIT_DATA_NET;
4101                                 ad.u.net = &net;
4102                                 ad.u.net->sport = htons(snum);
4103                                 ad.u.net->family = family;
4104                                 err = avc_has_perm(sksec->sid, sid,
4105                                                    sksec->sclass,
4106                                                    SOCKET__NAME_BIND, &ad);
4107                                 if (err)
4108                                         goto out;
4109                         }
4110                 }
4111 
4112                 switch (sksec->sclass) {
4113                 case SECCLASS_TCP_SOCKET:
4114                         node_perm = TCP_SOCKET__NODE_BIND;
4115                         break;
4116 
4117                 case SECCLASS_UDP_SOCKET:
4118                         node_perm = UDP_SOCKET__NODE_BIND;
4119                         break;
4120 
4121                 case SECCLASS_DCCP_SOCKET:
4122                         node_perm = DCCP_SOCKET__NODE_BIND;
4123                         break;
4124 
4125                 default:
4126                         node_perm = RAWIP_SOCKET__NODE_BIND;
4127                         break;
4128                 }
4129 
4130                 err = sel_netnode_sid(addrp, family, &sid);
4131                 if (err)
4132                         goto out;
4133 
4134                 ad.type = LSM_AUDIT_DATA_NET;
4135                 ad.u.net = &net;
4136                 ad.u.net->sport = htons(snum);
4137                 ad.u.net->family = family;
4138 
4139                 if (family == PF_INET)
4140                         ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4141                 else
4142                         ad.u.net->v6info.saddr = addr6->sin6_addr;
4143 
4144                 err = avc_has_perm(sksec->sid, sid,
4145                                    sksec->sclass, node_perm, &ad);
4146                 if (err)
4147                         goto out;
4148         }
4149 out:
4150         return err;
4151 }
4152 
4153 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4154 {
4155         struct sock *sk = sock->sk;
4156         struct sk_security_struct *sksec = sk->sk_security;
4157         int err;
4158 
4159         err = sock_has_perm(current, sk, SOCKET__CONNECT);
4160         if (err)
4161                 return err;
4162 
4163         /*
4164          * If a TCP or DCCP socket, check name_connect permission for the port.
4165          */
4166         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4167             sksec->sclass == SECCLASS_DCCP_SOCKET) {
4168                 struct common_audit_data ad;
4169                 struct lsm_network_audit net = {0,};
4170                 struct sockaddr_in *addr4 = NULL;
4171                 struct sockaddr_in6 *addr6 = NULL;
4172                 unsigned short snum;
4173                 u32 sid, perm;
4174 
4175                 if (sk->sk_family == PF_INET) {
4176                         addr4 = (struct sockaddr_in *)address;
4177                         if (addrlen < sizeof(struct sockaddr_in))
4178                                 return -EINVAL;
4179                         snum = ntohs(addr4->sin_port);
4180                 } else {
4181                         addr6 = (struct sockaddr_in6 *)address;
4182                         if (addrlen < SIN6_LEN_RFC2133)
4183                                 return -EINVAL;
4184                         snum = ntohs(addr6->sin6_port);
4185                 }
4186 
4187                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4188                 if (err)
4189                         goto out;
4190 
4191                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4192                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4193 
4194                 ad.type = LSM_AUDIT_DATA_NET;
4195                 ad.u.net = &net;
4196                 ad.u.net->dport = htons(snum);
4197                 ad.u.net->family = sk->sk_family;
4198                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4199                 if (err)
4200                         goto out;
4201         }
4202 
4203         err = selinux_netlbl_socket_connect(sk, address);
4204 
4205 out:
4206         return err;
4207 }
4208 
4209 static int selinux_socket_listen(struct socket *sock, int backlog)
4210 {
4211         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4212 }
4213 
4214 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4215 {
4216         int err;
4217         struct inode_security_struct *isec;
4218         struct inode_security_struct *newisec;
4219 
4220         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4221         if (err)
4222                 return err;
4223 
4224         newisec = SOCK_INODE(newsock)->i_security;
4225 
4226         isec = SOCK_INODE(sock)->i_security;
4227         newisec->sclass = isec->sclass;
4228         newisec->sid = isec->sid;
4229         newisec->initialized = 1;
4230 
4231         return 0;
4232 }
4233 
4234 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4235                                   int size)
4236 {
4237         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4238 }
4239 
4240 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4241                                   int size, int flags)
4242 {
4243         return sock_has_perm(current, sock->sk, SOCKET__READ);
4244 }
4245 
4246 static int selinux_socket_getsockname(struct socket *sock)
4247 {
4248         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4249 }
4250 
4251 static int selinux_socket_getpeername(struct socket *sock)
4252 {
4253         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4254 }
4255 
4256 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4257 {
4258         int err;
4259 
4260         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4261         if (err)
4262                 return err;
4263 
4264         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4265 }
4266 
4267 static int selinux_socket_getsockopt(struct socket *sock, int level,
4268                                      int optname)
4269 {
4270         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4271 }
4272 
4273 static int selinux_socket_shutdown(struct socket *sock, int how)
4274 {
4275         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4276 }
4277 
4278 static int selinux_socket_unix_stream_connect(struct sock *sock,
4279                                               struct sock *other,
4280                                               struct sock *newsk)
4281 {
4282         struct sk_security_struct *sksec_sock = sock->sk_security;
4283         struct sk_security_struct *sksec_other = other->sk_security;
4284         struct sk_security_struct *sksec_new = newsk->sk_security;
4285         struct common_audit_data ad;
4286         struct lsm_network_audit net = {0,};
4287         int err;
4288 
4289         ad.type = LSM_AUDIT_DATA_NET;
4290         ad.u.net = &net;
4291         ad.u.net->sk = other;
4292 
4293         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4294                            sksec_other->sclass,
4295                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4296         if (err)
4297                 return err;
4298 
4299         /* server child socket */
4300         sksec_new->peer_sid = sksec_sock->sid;
4301         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4302                                     &sksec_new->sid);
4303         if (err)
4304                 return err;
4305 
4306         /* connecting socket */
4307         sksec_sock->peer_sid = sksec_new->sid;
4308 
4309         return 0;
4310 }
4311 
4312 static int selinux_socket_unix_may_send(struct socket *sock,
4313                                         struct socket *other)
4314 {
4315         struct sk_security_struct *ssec = sock->sk->sk_security;
4316         struct sk_security_struct *osec = other->sk->sk_security;
4317         struct common_audit_data ad;
4318         struct lsm_network_audit net = {0,};
4319 
4320         ad.type = LSM_AUDIT_DATA_NET;
4321         ad.u.net = &net;
4322         ad.u.net->sk = other->sk;
4323 
4324         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4325                             &ad);
4326 }
4327 
4328 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4329                                     char *addrp, u16 family, u32 peer_sid,
4330                                     struct common_audit_data *ad)
4331 {
4332         int err;
4333         u32 if_sid;
4334         u32 node_sid;
4335 
4336         err = sel_netif_sid(ns, ifindex, &if_sid);
4337         if (err)
4338                 return err;
4339         err = avc_has_perm(peer_sid, if_sid,
4340                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4341         if (err)
4342                 return err;
4343 
4344         err = sel_netnode_sid(addrp, family, &node_sid);
4345         if (err)
4346                 return err;
4347         return avc_has_perm(peer_sid, node_sid,
4348                             SECCLASS_NODE, NODE__RECVFROM, ad);
4349 }
4350 
4351 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4352                                        u16 family)
4353 {
4354         int err = 0;
4355         struct sk_security_struct *sksec = sk->sk_security;
4356         u32 sk_sid = sksec->sid;
4357         struct common_audit_data ad;
4358         struct lsm_network_audit net = {0,};
4359         char *addrp;
4360 
4361         ad.type = LSM_AUDIT_DATA_NET;
4362         ad.u.net = &net;
4363         ad.u.net->netif = skb->skb_iif;
4364         ad.u.net->family = family;
4365         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4366         if (err)
4367                 return err;
4368 
4369         if (selinux_secmark_enabled()) {
4370                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4371                                    PACKET__RECV, &ad);
4372                 if (err)
4373                         return err;
4374         }
4375 
4376         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4377         if (err)
4378                 return err;
4379         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4380 
4381         return err;
4382 }
4383 
4384 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4385 {
4386         int err;
4387         struct sk_security_struct *sksec = sk->sk_security;
4388         u16 family = sk->sk_family;
4389         u32 sk_sid = sksec->sid;
4390         struct common_audit_data ad;
4391         struct lsm_network_audit net = {0,};
4392         char *addrp;
4393         u8 secmark_active;
4394         u8 peerlbl_active;
4395 
4396         if (family != PF_INET && family != PF_INET6)
4397                 return 0;
4398 
4399         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4400         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4401                 family = PF_INET;
4402 
4403         /* If any sort of compatibility mode is enabled then handoff processing
4404          * to the selinux_sock_rcv_skb_compat() function to deal with the
4405          * special handling.  We do this in an attempt to keep this function
4406          * as fast and as clean as possible. */
4407         if (!selinux_policycap_netpeer)
4408                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4409 
4410         secmark_active = selinux_secmark_enabled();
4411         peerlbl_active = selinux_peerlbl_enabled();
4412         if (!secmark_active && !peerlbl_active)
4413                 return 0;
4414 
4415         ad.type = LSM_AUDIT_DATA_NET;
4416         ad.u.net = &net;
4417         ad.u.net->netif = skb->skb_iif;
4418         ad.u.net->family = family;
4419         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4420         if (err)
4421                 return err;
4422 
4423         if (peerlbl_active) {
4424                 u32 peer_sid;
4425 
4426                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4427                 if (err)
4428                         return err;
4429                 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4430                                                addrp, family, peer_sid, &ad);
4431                 if (err) {
4432                         selinux_netlbl_err(skb, err, 0);
4433                         return err;
4434                 }
4435                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4436                                    PEER__RECV, &ad);
4437                 if (err) {
4438                         selinux_netlbl_err(skb, err, 0);
4439                         return err;
4440                 }
4441         }
4442 
4443         if (secmark_active) {
4444                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4445                                    PACKET__RECV, &ad);
4446                 if (err)
4447                         return err;
4448         }
4449 
4450         return err;
4451 }
4452 
4453 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4454                                             int __user *optlen, unsigned len)
4455 {
4456         int err = 0;
4457         char *scontext;
4458         u32 scontext_len;
4459         struct sk_security_struct *sksec = sock->sk->sk_security;
4460         u32 peer_sid = SECSID_NULL;
4461 
4462         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4463             sksec->sclass == SECCLASS_TCP_SOCKET)
4464                 peer_sid = sksec->peer_sid;
4465         if (peer_sid == SECSID_NULL)
4466                 return -ENOPROTOOPT;
4467 
4468         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4469         if (err)
4470                 return err;
4471 
4472         if (scontext_len > len) {
4473                 err = -ERANGE;
4474                 goto out_len;
4475         }
4476 
4477         if (copy_to_user(optval, scontext, scontext_len))
4478                 err = -EFAULT;
4479 
4480 out_len:
4481         if (put_user(scontext_len, optlen))
4482                 err = -EFAULT;
4483         kfree(scontext);
4484         return err;
4485 }
4486 
4487 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4488 {
4489         u32 peer_secid = SECSID_NULL;
4490         u16 family;
4491 
4492         if (skb && skb->protocol == htons(ETH_P_IP))
4493                 family = PF_INET;
4494         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4495                 family = PF_INET6;
4496         else if (sock)
4497                 family = sock->sk->sk_family;
4498         else
4499                 goto out;
4500 
4501         if (sock && family == PF_UNIX)
4502                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4503         else if (skb)
4504                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4505 
4506 out:
4507         *secid = peer_secid;
4508         if (peer_secid == SECSID_NULL)
4509                 return -EINVAL;
4510         return 0;
4511 }
4512 
4513 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4514 {
4515         struct sk_security_struct *sksec;
4516 
4517         sksec = kzalloc(sizeof(*sksec), priority);
4518         if (!sksec)
4519                 return -ENOMEM;
4520 
4521         sksec->peer_sid = SECINITSID_UNLABELED;
4522         sksec->sid = SECINITSID_UNLABELED;
4523         selinux_netlbl_sk_security_reset(sksec);
4524         sk->sk_security = sksec;
4525 
4526         return 0;
4527 }
4528 
4529 static void selinux_sk_free_security(struct sock *sk)
4530 {
4531         struct sk_security_struct *sksec = sk->sk_security;
4532 
4533         sk->sk_security = NULL;
4534         selinux_netlbl_sk_security_free(sksec);
4535         kfree(sksec);
4536 }
4537 
4538 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4539 {
4540         struct sk_security_struct *sksec = sk->sk_security;
4541         struct sk_security_struct *newsksec = newsk->sk_security;
4542 
4543         newsksec->sid = sksec->sid;
4544         newsksec->peer_sid = sksec->peer_sid;
4545         newsksec->sclass = sksec->sclass;
4546 
4547         selinux_netlbl_sk_security_reset(newsksec);
4548 }
4549 
4550 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4551 {
4552         if (!sk)
4553                 *secid = SECINITSID_ANY_SOCKET;
4554         else {
4555                 struct sk_security_struct *sksec = sk->sk_security;
4556 
4557                 *secid = sksec->sid;
4558         }
4559 }
4560 
4561 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4562 {
4563         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4564         struct sk_security_struct *sksec = sk->sk_security;
4565 
4566         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4567             sk->sk_family == PF_UNIX)
4568                 isec->sid = sksec->sid;
4569         sksec->sclass = isec->sclass;
4570 }
4571 
4572 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4573                                      struct request_sock *req)
4574 {
4575         struct sk_security_struct *sksec = sk->sk_security;
4576         int err;
4577         u16 family = req->rsk_ops->family;
4578         u32 connsid;
4579         u32 peersid;
4580 
4581         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4582         if (err)
4583                 return err;
4584         err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4585         if (err)
4586                 return err;
4587         req->secid = connsid;
4588         req->peer_secid = peersid;
4589 
4590         return selinux_netlbl_inet_conn_request(req, family);
4591 }
4592 
4593 static void selinux_inet_csk_clone(struct sock *newsk,
4594                                    const struct request_sock *req)
4595 {
4596         struct sk_security_struct *newsksec = newsk->sk_security;
4597 
4598         newsksec->sid = req->secid;
4599         newsksec->peer_sid = req->peer_secid;
4600         /* NOTE: Ideally, we should also get the isec->sid for the
4601            new socket in sync, but we don't have the isec available yet.
4602            So we will wait until sock_graft to do it, by which
4603            time it will have been created and available. */
4604 
4605         /* We don't need to take any sort of lock here as we are the only
4606          * thread with access to newsksec */
4607         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4608 }
4609 
4610 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4611 {
4612         u16 family = sk->sk_family;
4613         struct sk_security_struct *sksec = sk->sk_security;
4614 
4615         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4616         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4617                 family = PF_INET;
4618 
4619         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4620 }
4621 
4622 static int selinux_secmark_relabel_packet(u32 sid)
4623 {
4624         const struct task_security_struct *__tsec;
4625         u32 tsid;
4626 
4627         __tsec = current_security();
4628         tsid = __tsec->sid;
4629 
4630         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4631 }
4632 
4633 static void selinux_secmark_refcount_inc(void)
4634 {
4635         atomic_inc(&selinux_secmark_refcount);
4636 }
4637 
4638 static void selinux_secmark_refcount_dec(void)
4639 {
4640         atomic_dec(&selinux_secmark_refcount);
4641 }
4642 
4643 static void selinux_req_classify_flow(const struct request_sock *req,
4644                                       struct flowi *fl)
4645 {
4646         fl->flowi_secid = req->secid;
4647 }
4648 
4649 static int selinux_tun_dev_alloc_security(void **security)
4650 {
4651         struct tun_security_struct *tunsec;
4652 
4653         tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4654         if (!tunsec)
4655                 return -ENOMEM;
4656         tunsec->sid = current_sid();
4657 
4658         *security = tunsec;
4659         return 0;
4660 }
4661 
4662 static void selinux_tun_dev_free_security(void *security)
4663 {
4664         kfree(security);
4665 }
4666 
4667 static int selinux_tun_dev_create(void)
4668 {
4669         u32 sid = current_sid();
4670 
4671         /* we aren't taking into account the "sockcreate" SID since the socket
4672          * that is being created here is not a socket in the traditional sense,
4673          * instead it is a private sock, accessible only to the kernel, and
4674          * representing a wide range of network traffic spanning multiple
4675          * connections unlike traditional sockets - check the TUN driver to
4676          * get a better understanding of why this socket is special */
4677 
4678         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4679                             NULL);
4680 }
4681 
4682 static int selinux_tun_dev_attach_queue(void *security)
4683 {
4684         struct tun_security_struct *tunsec = security;
4685 
4686         return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4687                             TUN_SOCKET__ATTACH_QUEUE, NULL);
4688 }
4689 
4690 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4691 {
4692         struct tun_security_struct *tunsec = security;
4693         struct sk_security_struct *sksec = sk->sk_security;
4694 
4695         /* we don't currently perform any NetLabel based labeling here and it
4696          * isn't clear that we would want to do so anyway; while we could apply
4697          * labeling without the support of the TUN user the resulting labeled
4698          * traffic from the other end of the connection would almost certainly
4699          * cause confusion to the TUN user that had no idea network labeling
4700          * protocols were being used */
4701 
4702         sksec->sid = tunsec->sid;
4703         sksec->sclass = SECCLASS_TUN_SOCKET;
4704 
4705         return 0;
4706 }
4707 
4708 static int selinux_tun_dev_open(void *security)
4709 {
4710         struct tun_security_struct *tunsec = security;
4711         u32 sid = current_sid();
4712         int err;
4713 
4714         err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4715                            TUN_SOCKET__RELABELFROM, NULL);
4716         if (err)
4717                 return err;
4718         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4719                            TUN_SOCKET__RELABELTO, NULL);
4720         if (err)
4721                 return err;
4722         tunsec->sid = sid;
4723 
4724         return 0;
4725 }
4726 
4727 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4728 {
4729         int err = 0;
4730         u32 perm;
4731         struct nlmsghdr *nlh;
4732         struct sk_security_struct *sksec = sk->sk_security;
4733 
4734         if (skb->len < NLMSG_HDRLEN) {
4735                 err = -EINVAL;
4736                 goto out;
4737         }
4738         nlh = nlmsg_hdr(skb);
4739 
4740         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4741         if (err) {
4742                 if (err == -EINVAL) {
4743                         printk(KERN_WARNING
4744                                "SELinux: unrecognized netlink message:"
4745                                " protocol=%hu nlmsg_type=%hu sclass=%s\n",
4746                                sk->sk_protocol, nlh->nlmsg_type,
4747                                secclass_map[sksec->sclass - 1].name);
4748                         if (!selinux_enforcing || security_get_allow_unknown())
4749                                 err = 0;
4750                 }
4751 
4752                 /* Ignore */
4753                 if (err == -ENOENT)
4754                         err = 0;
4755                 goto out;
4756         }
4757 
4758         err = sock_has_perm(current, sk, perm);
4759 out:
4760         return err;
4761 }
4762 
4763 #ifdef CONFIG_NETFILTER
4764 
4765 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4766                                        const struct net_device *indev,
4767                                        u16 family)
4768 {
4769         int err;
4770         char *addrp;
4771         u32 peer_sid;
4772         struct common_audit_data ad;
4773         struct lsm_network_audit net = {0,};
4774         u8 secmark_active;
4775         u8 netlbl_active;
4776         u8 peerlbl_active;
4777 
4778         if (!selinux_policycap_netpeer)
4779                 return NF_ACCEPT;
4780 
4781         secmark_active = selinux_secmark_enabled();
4782         netlbl_active = netlbl_enabled();
4783         peerlbl_active = selinux_peerlbl_enabled();
4784         if (!secmark_active && !peerlbl_active)
4785                 return NF_ACCEPT;
4786 
4787         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4788                 return NF_DROP;
4789 
4790         ad.type = LSM_AUDIT_DATA_NET;
4791         ad.u.net = &net;
4792         ad.u.net->netif = indev->ifindex;
4793         ad.u.net->family = family;
4794         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4795                 return NF_DROP;
4796 
4797         if (peerlbl_active) {
4798                 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4799                                                addrp, family, peer_sid, &ad);
4800                 if (err) {
4801                         selinux_netlbl_err(skb, err, 1);
4802                         return NF_DROP;
4803                 }
4804         }
4805 
4806         if (secmark_active)
4807                 if (avc_has_perm(peer_sid, skb->secmark,
4808                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4809                         return NF_DROP;
4810 
4811         if (netlbl_active)
4812                 /* we do this in the FORWARD path and not the POST_ROUTING
4813                  * path because we want to make sure we apply the necessary
4814                  * labeling before IPsec is applied so we can leverage AH
4815                  * protection */
4816                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4817                         return NF_DROP;
4818 
4819         return NF_ACCEPT;
4820 }
4821 
4822 static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4823                                          struct sk_buff *skb,
4824                                          const struct nf_hook_state *state)
4825 {
4826         return selinux_ip_forward(skb, state->in, PF_INET);
4827 }
4828 
4829 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4830 static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4831                                          struct sk_buff *skb,
4832                                          const struct nf_hook_state *state)
4833 {
4834         return selinux_ip_forward(skb, state->in, PF_INET6);
4835 }
4836 #endif  /* IPV6 */
4837 
4838 static unsigned int selinux_ip_output(struct sk_buff *skb,
4839                                       u16 family)
4840 {
4841         struct sock *sk;
4842         u32 sid;
4843 
4844         if (!netlbl_enabled())
4845                 return NF_ACCEPT;
4846 
4847         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4848          * because we want to make sure we apply the necessary labeling
4849          * before IPsec is applied so we can leverage AH protection */
4850         sk = skb->sk;
4851         if (sk) {
4852                 struct sk_security_struct *sksec;
4853 
4854                 if (sk->sk_state == TCP_LISTEN)
4855                         /* if the socket is the listening state then this
4856                          * packet is a SYN-ACK packet which means it needs to
4857                          * be labeled based on the connection/request_sock and
4858                          * not the parent socket.  unfortunately, we can't
4859                          * lookup the request_sock yet as it isn't queued on
4860                          * the parent socket until after the SYN-ACK is sent.
4861                          * the "solution" is to simply pass the packet as-is
4862                          * as any IP option based labeling should be copied
4863                          * from the initial connection request (in the IP
4864                          * layer).  it is far from ideal, but until we get a
4865                          * security label in the packet itself this is the
4866                          * best we can do. */
4867                         return NF_ACCEPT;
4868 
4869                 /* standard practice, label using the parent socket */
4870                 sksec = sk->sk_security;
4871                 sid = sksec->sid;
4872         } else
4873                 sid = SECINITSID_KERNEL;
4874         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4875                 return NF_DROP;
4876 
4877         return NF_ACCEPT;
4878 }
4879 
4880 static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4881                                         struct sk_buff *skb,
4882                                         const struct nf_hook_state *state)
4883 {
4884         return selinux_ip_output(skb, PF_INET);
4885 }
4886 
4887 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4888                                                 int ifindex,
4889                                                 u16 family)
4890 {
4891         struct sock *sk = skb->sk;
4892         struct sk_security_struct *sksec;
4893         struct common_audit_data ad;
4894         struct lsm_network_audit net = {0,};
4895         char *addrp;
4896         u8 proto;
4897 
4898         if (sk == NULL)
4899                 return NF_ACCEPT;
4900         sksec = sk->sk_security;
4901 
4902         ad.type = LSM_AUDIT_DATA_NET;
4903         ad.u.net = &net;
4904         ad.u.net->netif = ifindex;
4905         ad.u.net->family = family;
4906         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4907                 return NF_DROP;
4908 
4909         if (selinux_secmark_enabled())
4910                 if (avc_has_perm(sksec->sid, skb->secmark,
4911                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4912                         return NF_DROP_ERR(-ECONNREFUSED);
4913 
4914         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4915                 return NF_DROP_ERR(-ECONNREFUSED);
4916 
4917         return NF_ACCEPT;
4918 }
4919 
4920 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
4921                                          const struct net_device *outdev,
4922                                          u16 family)
4923 {
4924         u32 secmark_perm;
4925         u32 peer_sid;
4926         int ifindex = outdev->ifindex;
4927         struct sock *sk;
4928         struct common_audit_data ad;
4929         struct lsm_network_audit net = {0,};
4930         char *addrp;
4931         u8 secmark_active;
4932         u8 peerlbl_active;
4933 
4934         /* If any sort of compatibility mode is enabled then handoff processing
4935          * to the selinux_ip_postroute_compat() function to deal with the
4936          * special handling.  We do this in an attempt to keep this function
4937          * as fast and as clean as possible. */
4938         if (!selinux_policycap_netpeer)
4939                 return selinux_ip_postroute_compat(skb, ifindex, family);
4940 
4941         secmark_active = selinux_secmark_enabled();
4942         peerlbl_active = selinux_peerlbl_enabled();
4943         if (!secmark_active && !peerlbl_active)
4944                 return NF_ACCEPT;
4945 
4946         sk = skb->sk;
4947 
4948 #ifdef CONFIG_XFRM
4949         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4950          * packet transformation so allow the packet to pass without any checks
4951          * since we'll have another chance to perform access control checks
4952          * when the packet is on it's final way out.
4953          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4954          *       is NULL, in this case go ahead and apply access control.
4955          * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4956          *       TCP listening state we cannot wait until the XFRM processing
4957          *       is done as we will miss out on the SA label if we do;
4958          *       unfortunately, this means more work, but it is only once per
4959          *       connection. */
4960         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4961             !(sk != NULL && sk->sk_state == TCP_LISTEN))
4962                 return NF_ACCEPT;
4963 #endif
4964 
4965         if (sk == NULL) {
4966                 /* Without an associated socket the packet is either coming
4967                  * from the kernel or it is being forwarded; check the packet
4968                  * to determine which and if the packet is being forwarded
4969                  * query the packet directly to determine the security label. */
4970                 if (skb->skb_iif) {
4971                         secmark_perm = PACKET__FORWARD_OUT;
4972                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4973                                 return NF_DROP;
4974                 } else {
4975                         secmark_perm = PACKET__SEND;
4976                         peer_sid = SECINITSID_KERNEL;
4977                 }
4978         } else if (sk->sk_state == TCP_LISTEN) {
4979                 /* Locally generated packet but the associated socket is in the
4980                  * listening state which means this is a SYN-ACK packet.  In
4981                  * this particular case the correct security label is assigned
4982                  * to the connection/request_sock but unfortunately we can't
4983                  * query the request_sock as it isn't queued on the parent
4984                  * socket until after the SYN-ACK packet is sent; the only
4985                  * viable choice is to regenerate the label like we do in
4986                  * selinux_inet_conn_request().  See also selinux_ip_output()
4987                  * for similar problems. */
4988                 u32 skb_sid;
4989                 struct sk_security_struct *sksec = sk->sk_security;
4990                 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4991                         return NF_DROP;
4992                 /* At this point, if the returned skb peerlbl is SECSID_NULL
4993                  * and the packet has been through at least one XFRM
4994                  * transformation then we must be dealing with the "final"
4995                  * form of labeled IPsec packet; since we've already applied
4996                  * all of our access controls on this packet we can safely
4997                  * pass the packet. */
4998                 if (skb_sid == SECSID_NULL) {
4999                         switch (family) {
5000                         case PF_INET:
5001                                 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5002                                         return NF_ACCEPT;
5003                                 break;
5004                         case PF_INET6:
5005                                 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5006                                         return NF_ACCEPT;
5007                                 break;
5008                         default:
5009                                 return NF_DROP_ERR(-ECONNREFUSED);
5010                         }
5011                 }
5012                 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5013                         return NF_DROP;
5014                 secmark_perm = PACKET__SEND;
5015         } else {
5016                 /* Locally generated packet, fetch the security label from the
5017                  * associated socket. */
5018                 struct sk_security_struct *sksec = sk->sk_security;
5019                 peer_sid = sksec->sid;
5020                 secmark_perm = PACKET__SEND;
5021         }
5022 
5023         ad.type = LSM_AUDIT_DATA_NET;
5024         ad.u.net = &net;
5025         ad.u.net->netif = ifindex;
5026         ad.u.net->family = family;
5027         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5028                 return NF_DROP;
5029 
5030         if (secmark_active)
5031                 if (avc_has_perm(peer_sid, skb->secmark,
5032                                  SECCLASS_PACKET, secmark_perm, &ad))
5033                         return NF_DROP_ERR(-ECONNREFUSED);
5034 
5035         if (peerlbl_active) {
5036                 u32 if_sid;
5037                 u32 node_sid;
5038 
5039                 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5040                         return NF_DROP;
5041                 if (avc_has_perm(peer_sid, if_sid,
5042                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
5043                         return NF_DROP_ERR(-ECONNREFUSED);
5044 
5045                 if (sel_netnode_sid(addrp, family, &node_sid))
5046                         return NF_DROP;
5047                 if (avc_has_perm(peer_sid, node_sid,
5048                                  SECCLASS_NODE, NODE__SENDTO, &ad))
5049                         return NF_DROP_ERR(-ECONNREFUSED);
5050         }
5051 
5052         return NF_ACCEPT;
5053 }
5054 
5055 static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5056                                            struct sk_buff *skb,
5057                                            const struct nf_hook_state *state)
5058 {
5059         return selinux_ip_postroute(skb, state->out, PF_INET);
5060 }
5061 
5062 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5063 static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5064                                            struct sk_buff *skb,
5065                                            const struct nf_hook_state *state)
5066 {
5067         return selinux_ip_postroute(skb, state->out, PF_INET6);
5068 }
5069 #endif  /* IPV6 */
5070 
5071 #endif  /* CONFIG_NETFILTER */
5072 
5073 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5074 {
5075         return selinux_nlmsg_perm(sk, skb);
5076 }
5077 
5078 static int ipc_alloc_security(struct task_struct *task,
5079                               struct kern_ipc_perm *perm,
5080                               u16 sclass)
5081 {
5082         struct ipc_security_struct *isec;
5083         u32 sid;
5084 
5085         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5086         if (!isec)
5087                 return -ENOMEM;
5088 
5089         sid = task_sid(task);
5090         isec->sclass = sclass;
5091         isec->sid = sid;
5092         perm->security = isec;
5093 
5094         return 0;
5095 }
5096 
5097 static void ipc_free_security(struct kern_ipc_perm *perm)
5098 {
5099         struct ipc_security_struct *isec = perm->security;
5100         perm->security = NULL;
5101         kfree(isec);
5102 }
5103 
5104 static int msg_msg_alloc_security(struct msg_msg *msg)
5105 {
5106         struct msg_security_struct *msec;
5107 
5108         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5109         if (!msec)
5110                 return -ENOMEM;
5111 
5112         msec->sid = SECINITSID_UNLABELED;
5113         msg->security = msec;
5114 
5115         return 0;
5116 }
5117 
5118 static void msg_msg_free_security(struct msg_msg *msg)
5119 {
5120         struct msg_security_struct *msec = msg->security;
5121 
5122         msg->security = NULL;
5123         kfree(msec);
5124 }
5125 
5126 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5127                         u32 perms)
5128 {
5129         struct ipc_security_struct *isec;
5130         struct common_audit_data ad;
5131         u32 sid = current_sid();
5132 
5133         isec = ipc_perms->security;
5134 
5135         ad.type = LSM_AUDIT_DATA_IPC;
5136         ad.u.ipc_id = ipc_perms->key;
5137 
5138         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5139 }
5140 
5141 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5142 {
5143         return msg_msg_alloc_security(msg);
5144 }
5145 
5146 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5147 {
5148         msg_msg_free_security(msg);
5149 }
5150 
5151 /* message queue security operations */
5152 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5153 {
5154         struct ipc_security_struct *isec;
5155         struct common_audit_data ad;
5156         u32 sid = current_sid();
5157         int rc;
5158 
5159         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5160         if (rc)
5161                 return rc;
5162 
5163         isec = msq->q_perm.security;
5164 
5165         ad.type = LSM_AUDIT_DATA_IPC;
5166         ad.u.ipc_id = msq->q_perm.key;
5167 
5168         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5169                           MSGQ__CREATE, &ad);
5170         if (rc) {
5171                 ipc_free_security(&msq->q_perm);
5172                 return rc;
5173         }
5174         return 0;
5175 }
5176 
5177 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5178 {
5179         ipc_free_security(&msq->q_perm);
5180 }
5181 
5182 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5183 {
5184         struct ipc_security_struct *isec;
5185         struct common_audit_data ad;
5186         u32 sid = current_sid();
5187 
5188         isec = msq->q_perm.security;
5189 
5190         ad.type = LSM_AUDIT_DATA_IPC;
5191         ad.u.ipc_id = msq->q_perm.key;
5192 
5193         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5194                             MSGQ__ASSOCIATE, &ad);
5195 }
5196 
5197 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5198 {
5199         int err;
5200         int perms;
5201 
5202         switch (cmd) {
5203         case IPC_INFO:
5204         case MSG_INFO:
5205                 /* No specific object, just general system-wide information. */
5206                 return task_has_system(current, SYSTEM__IPC_INFO);
5207         case IPC_STAT:
5208         case MSG_STAT:
5209                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5210                 break;
5211         case IPC_SET:
5212                 perms = MSGQ__SETATTR;
5213                 break;
5214         case IPC_RMID:
5215                 perms = MSGQ__DESTROY;
5216                 break;
5217         default:
5218                 return 0;
5219         }
5220 
5221         err = ipc_has_perm(&msq->q_perm, perms);
5222         return err;
5223 }
5224 
5225 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5226 {
5227         struct ipc_security_struct *isec;
5228         struct msg_security_struct *msec;
5229         struct common_audit_data ad;
5230         u32 sid = current_sid();
5231         int rc;
5232 
5233         isec = msq->q_perm.security;
5234         msec = msg->security;
5235 
5236         /*
5237          * First time through, need to assign label to the message
5238          */
5239         if (msec->sid == SECINITSID_UNLABELED) {
5240                 /*
5241                  * Compute new sid based on current process and
5242                  * message queue this message will be stored in
5243                  */
5244                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5245                                              NULL, &msec->sid);
5246                 if (rc)
5247                         return rc;
5248         }
5249 
5250         ad.type = LSM_AUDIT_DATA_IPC;
5251         ad.u.ipc_id = msq->q_perm.key;
5252 
5253         /* Can this process write to the queue? */
5254         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5255                           MSGQ__WRITE, &ad);
5256         if (!rc)
5257                 /* Can this process send the message */
5258                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5259                                   MSG__SEND, &ad);
5260         if (!rc)
5261                 /* Can the message be put in the queue? */
5262                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5263                                   MSGQ__ENQUEUE, &ad);
5264 
5265         return rc;
5266 }
5267 
5268 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5269                                     struct task_struct *target,
5270                                     long type, int mode)
5271 {
5272         struct ipc_security_struct *isec;
5273         struct msg_security_struct *msec;
5274         struct common_audit_data ad;
5275         u32 sid = task_sid(target);
5276         int rc;
5277 
5278         isec = msq->q_perm.security;
5279         msec = msg->security;
5280 
5281         ad.type = LSM_AUDIT_DATA_IPC;
5282         ad.u.ipc_id = msq->q_perm.key;
5283 
5284         rc = avc_has_perm(sid, isec->sid,
5285                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5286         if (!rc)
5287                 rc = avc_has_perm(sid, msec->sid,
5288                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5289         return rc;
5290 }
5291 
5292 /* Shared Memory security operations */
5293 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5294 {
5295         struct ipc_security_struct *isec;
5296         struct common_audit_data ad;
5297         u32 sid = current_sid();
5298         int rc;
5299 
5300         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5301         if (rc)
5302                 return rc;
5303 
5304         isec = shp->shm_perm.security;
5305 
5306         ad.type = LSM_AUDIT_DATA_IPC;
5307         ad.u.ipc_id = shp->shm_perm.key;
5308 
5309         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5310                           SHM__CREATE, &ad);
5311         if (rc) {
5312                 ipc_free_security(&shp->shm_perm);
5313                 return rc;
5314         }
5315         return 0;
5316 }
5317 
5318 static void selinux_shm_free_security(struct shmid_kernel *shp)
5319 {
5320         ipc_free_security(&shp->shm_perm);
5321 }
5322 
5323 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5324 {
5325         struct ipc_security_struct *isec;
5326         struct common_audit_data ad;
5327         u32 sid = current_sid();
5328 
5329         isec = shp->shm_perm.security;
5330 
5331         ad.type = LSM_AUDIT_DATA_IPC;
5332         ad.u.ipc_id = shp->shm_perm.key;
5333 
5334         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5335                             SHM__ASSOCIATE, &ad);
5336 }
5337 
5338 /* Note, at this point, shp is locked down */
5339 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5340 {
5341         int perms;
5342         int err;
5343 
5344         switch (cmd) {
5345         case IPC_INFO:
5346         case SHM_INFO:
5347                 /* No specific object, just general system-wide information. */
5348                 return task_has_system(current, SYSTEM__IPC_INFO);
5349         case IPC_STAT:
5350         case SHM_STAT:
5351                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5352                 break;
5353         case IPC_SET:
5354                 perms = SHM__SETATTR;
5355                 break;
5356         case SHM_LOCK:
5357         case SHM_UNLOCK:
5358                 perms = SHM__LOCK;
5359                 break;
5360         case IPC_RMID:
5361                 perms = SHM__DESTROY;
5362                 break;
5363         default:
5364                 return 0;
5365         }
5366 
5367         err = ipc_has_perm(&shp->shm_perm, perms);
5368         return err;
5369 }
5370 
5371 static int selinux_shm_shmat(struct shmid_kernel *shp,
5372                              char __user *shmaddr, int shmflg)
5373 {
5374         u32 perms;
5375 
5376         if (shmflg & SHM_RDONLY)
5377                 perms = SHM__READ;
5378         else
5379                 perms = SHM__READ | SHM__WRITE;
5380 
5381         return ipc_has_perm(&shp->shm_perm, perms);
5382 }
5383 
5384 /* Semaphore security operations */
5385 static int selinux_sem_alloc_security(struct sem_array *sma)
5386 {
5387         struct ipc_security_struct *isec;
5388         struct common_audit_data ad;
5389         u32 sid = current_sid();
5390         int rc;
5391 
5392         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5393         if (rc)
5394                 return rc;
5395 
5396         isec = sma->sem_perm.security;
5397 
5398         ad.type = LSM_AUDIT_DATA_IPC;
5399         ad.u.ipc_id = sma->sem_perm.key;
5400 
5401         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5402                           SEM__CREATE, &ad);
5403         if (rc) {
5404                 ipc_free_security(&sma->sem_perm);
5405                 return rc;
5406         }
5407         return 0;
5408 }
5409 
5410 static void selinux_sem_free_security(struct sem_array *sma)
5411 {
5412         ipc_free_security(&sma->sem_perm);
5413 }
5414 
5415 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5416 {
5417         struct ipc_security_struct *isec;
5418         struct common_audit_data ad;
5419         u32 sid = current_sid();
5420 
5421         isec = sma->sem_perm.security;
5422 
5423         ad.type = LSM_AUDIT_DATA_IPC;
5424         ad.u.ipc_id = sma->sem_perm.key;
5425 
5426         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5427                             SEM__ASSOCIATE, &ad);
5428 }
5429 
5430 /* Note, at this point, sma is locked down */
5431 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5432 {
5433         int err;
5434         u32 perms;
5435 
5436         switch (cmd) {
5437         case IPC_INFO:
5438         case SEM_INFO:
5439                 /* No specific object, just general system-wide information. */
5440                 return task_has_system(current, SYSTEM__IPC_INFO);
5441         case GETPID:
5442         case GETNCNT:
5443         case GETZCNT:
5444                 perms = SEM__GETATTR;
5445                 break;
5446         case GETVAL:
5447         case GETALL:
5448                 perms = SEM__READ;
5449                 break;
5450         case SETVAL:
5451         case SETALL:
5452                 perms = SEM__WRITE;
5453                 break;
5454         case IPC_RMID:
5455                 perms = SEM__DESTROY;
5456                 break;
5457         case IPC_SET:
5458                 perms = SEM__SETATTR;
5459                 break;
5460         case IPC_STAT:
5461         case SEM_STAT:
5462                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5463                 break;
5464         default:
5465                 return 0;
5466         }
5467 
5468         err = ipc_has_perm(&sma->sem_perm, perms);
5469         return err;
5470 }
5471 
5472 static int selinux_sem_semop(struct sem_array *sma,
5473                              struct sembuf *sops, unsigned nsops, int alter)
5474 {
5475         u32 perms;
5476 
5477         if (alter)
5478                 perms = SEM__READ | SEM__WRITE;
5479         else
5480                 perms = SEM__READ;
5481 
5482         return ipc_has_perm(&sma->sem_perm, perms);
5483 }
5484 
5485 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5486 {
5487         u32 av = 0;
5488 
5489         av = 0;
5490         if (flag & S_IRUGO)
5491                 av |= IPC__UNIX_READ;
5492         if (flag & S_IWUGO)
5493                 av |= IPC__UNIX_WRITE;
5494 
5495         if (av == 0)
5496                 return 0;
5497 
5498         return ipc_has_perm(ipcp, av);
5499 }
5500 
5501 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5502 {
5503         struct ipc_security_struct *isec = ipcp->security;
5504         *secid = isec->sid;
5505 }
5506 
5507 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5508 {
5509         if (inode)
5510                 inode_doinit_with_dentry(inode, dentry);
5511 }
5512 
5513 static int selinux_getprocattr(struct task_struct *p,
5514                                char *name, char **value)
5515 {
5516         const struct task_security_struct *__tsec;
5517         u32 sid;
5518         int error;
5519         unsigned len;
5520 
5521         if (current != p) {
5522                 error = current_has_perm(p, PROCESS__GETATTR);
5523                 if (error)
5524                         return error;
5525         }
5526 
5527         rcu_read_lock();
5528         __tsec = __task_cred(p)->security;
5529 
5530         if (!strcmp(name, "current"))
5531                 sid = __tsec->sid;
5532         else if (!strcmp(name, "prev"))
5533                 sid = __tsec->osid;
5534         else if (!strcmp(name, "exec"))
5535                 sid = __tsec->exec_sid;
5536         else if (!strcmp(name, "fscreate"))
5537                 sid = __tsec->create_sid;
5538         else if (!strcmp(name, "keycreate"))
5539                 sid = __tsec->keycreate_sid;
5540         else if (!strcmp(name, "sockcreate"))
5541                 sid = __tsec->sockcreate_sid;
5542         else
5543                 goto invalid;
5544         rcu_read_unlock();
5545 
5546         if (!sid)
5547                 return 0;
5548 
5549         error = security_sid_to_context(sid, value, &len);
5550         if (error)
5551                 return error;
5552         return len;
5553 
5554 invalid:
5555         rcu_read_unlock();
5556         return -EINVAL;
5557 }
5558 
5559 static int selinux_setprocattr(struct task_struct *p,
5560                                char *name, void *value, size_t size)
5561 {
5562         struct task_security_struct *tsec;
5563         struct task_struct *tracer;
5564         struct cred *new;
5565         u32 sid = 0, ptsid;
5566         int error;
5567         char *str = value;
5568 
5569         if (current != p) {
5570                 /* SELinux only allows a process to change its own
5571                    security attributes. */
5572                 return -EACCES;
5573         }
5574 
5575         /*
5576          * Basic control over ability to set these attributes at all.
5577          * current == p, but we'll pass them separately in case the
5578          * above restriction is ever removed.
5579          */
5580         if (!strcmp(name, "exec"))
5581                 error = current_has_perm(p, PROCESS__SETEXEC);
5582         else if (!strcmp(name, "fscreate"))
5583                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5584         else if (!strcmp(name, "keycreate"))
5585                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5586         else if (!strcmp(name, "sockcreate"))
5587                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5588         else if (!strcmp(name, "current"))
5589                 error = current_has_perm(p, PROCESS__SETCURRENT);
5590         else
5591                 error = -EINVAL;
5592         if (error)
5593                 return error;
5594 
5595         /* Obtain a SID for the context, if one was specified. */
5596         if (size && str[1] && str[1] != '\n') {
5597                 if (str[size-1] == '\n') {
5598                         str[size-1] = 0;
5599                         size--;
5600                 }
5601                 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5602                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5603                         if (!capable(CAP_MAC_ADMIN)) {
5604                                 struct audit_buffer *ab;
5605                                 size_t audit_size;
5606 
5607                                 /* We strip a nul only if it is at the end, otherwise the
5608                                  * context contains a nul and we should audit that */
5609                                 if (str[size - 1] == '\0')
5610                                         audit_size = size - 1;
5611                                 else
5612                                         audit_size = size;
5613                                 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5614                                 audit_log_format(ab, "op=fscreate invalid_context=");
5615                                 audit_log_n_untrustedstring(ab, value, audit_size);
5616                                 audit_log_end(ab);
5617 
5618                                 return error;
5619                         }
5620                         error = security_context_to_sid_force(value, size,
5621                                                               &sid);
5622                 }
5623                 if (error)
5624                         return error;
5625         }
5626 
5627         new = prepare_creds();
5628         if (!new)
5629                 return -ENOMEM;
5630 
5631         /* Permission checking based on the specified context is
5632            performed during the actual operation (execve,
5633            open/mkdir/...), when we know the full context of the
5634            operation.  See selinux_bprm_set_creds for the execve
5635            checks and may_create for the file creation checks. The
5636            operation will then fail if the context is not permitted. */
5637         tsec = new->security;
5638         if (!strcmp(name, "exec")) {
5639                 tsec->exec_sid = sid;
5640         } else if (!strcmp(name, "fscreate")) {
5641                 tsec->create_sid = sid;
5642         } else if (!strcmp(name, "keycreate")) {
5643                 error = may_create_key(sid, p);
5644                 if (error)
5645                         goto abort_change;
5646                 tsec->keycreate_sid = sid;
5647         } else if (!strcmp(name, "sockcreate")) {
5648                 tsec->sockcreate_sid = sid;
5649         } else if (!strcmp(name, "current")) {
5650                 error = -EINVAL;
5651                 if (sid == 0)
5652                         goto abort_change;
5653 
5654                 /* Only allow single threaded processes to change context */
5655                 error = -EPERM;
5656                 if (!current_is_single_threaded()) {
5657                         error = security_bounded_transition(tsec->sid, sid);
5658                         if (error)
5659                                 goto abort_change;
5660                 }
5661 
5662                 /* Check permissions for the transition. */
5663                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5664                                      PROCESS__DYNTRANSITION, NULL);
5665                 if (error)
5666                         goto abort_change;
5667 
5668                 /* Check for ptracing, and update the task SID if ok.
5669                    Otherwise, leave SID unchanged and fail. */
5670                 ptsid = 0;
5671                 rcu_read_lock();
5672                 tracer = ptrace_parent(p);
5673                 if (tracer)
5674                         ptsid = task_sid(tracer);
5675                 rcu_read_unlock();
5676 
5677                 if (tracer) {
5678                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5679                                              PROCESS__PTRACE, NULL);
5680                         if (error)
5681                                 goto abort_change;
5682                 }
5683 
5684                 tsec->sid = sid;
5685         } else {
5686                 error = -EINVAL;
5687                 goto abort_change;
5688         }
5689 
5690         commit_creds(new);
5691         return size;
5692 
5693 abort_change:
5694         abort_creds(new);
5695         return error;
5696 }
5697 
5698 static int selinux_ismaclabel(const char *name)
5699 {
5700         return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5701 }
5702 
5703 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5704 {
5705         return security_sid_to_context(secid, secdata, seclen);
5706 }
5707 
5708 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5709 {
5710         return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5711 }
5712 
5713 static void selinux_release_secctx(char *secdata, u32 seclen)
5714 {
5715         kfree(secdata);
5716 }
5717 
5718 /*
5719  *      called with inode->i_mutex locked
5720  */
5721 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5722 {
5723         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5724 }
5725 
5726 /*
5727  *      called with inode->i_mutex locked
5728  */
5729 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5730 {
5731         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5732 }
5733 
5734 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5735 {
5736         int len = 0;
5737         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5738                                                 ctx, true);
5739         if (len < 0)
5740                 return len;
5741         *ctxlen = len;
5742         return 0;
5743 }
5744 #ifdef CONFIG_KEYS
5745 
5746 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5747                              unsigned long flags)
5748 {
5749         const struct task_security_struct *tsec;
5750         struct key_security_struct *ksec;
5751 
5752         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5753         if (!ksec)
5754                 return -ENOMEM;
5755 
5756         tsec = cred->security;
5757         if (tsec->keycreate_sid)
5758                 ksec->sid = tsec->keycreate_sid;
5759         else
5760                 ksec->sid = tsec->sid;
5761 
5762         k->security = ksec;
5763         return 0;
5764 }
5765 
5766 static void selinux_key_free(struct key *k)
5767 {
5768         struct key_security_struct *ksec = k->security;
5769 
5770         k->security = NULL;
5771         kfree(ksec);
5772 }
5773 
5774 static int selinux_key_permission(key_ref_t key_ref,
5775                                   const struct cred *cred,
5776                                   unsigned perm)
5777 {
5778         struct key *key;
5779         struct key_security_struct *ksec;
5780         u32 sid;
5781 
5782         /* if no specific permissions are requested, we skip the
5783            permission check. No serious, additional covert channels
5784            appear to be created. */
5785         if (perm == 0)
5786                 return 0;
5787 
5788         sid = cred_sid(cred);
5789 
5790         key = key_ref_to_ptr(key_ref);
5791         ksec = key->security;
5792 
5793         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5794 }
5795 
5796 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5797 {
5798         struct key_security_struct *ksec = key->security;
5799         char *context = NULL;
5800         unsigned len;
5801         int rc;
5802 
5803         rc = security_sid_to_context(ksec->sid, &context, &len);
5804         if (!rc)
5805                 rc = len;
5806         *_buffer = context;
5807         return rc;
5808 }
5809 
5810 #endif
5811 
5812 static struct security_hook_list selinux_hooks[] = {
5813         LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
5814         LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
5815         LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
5816         LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
5817 
5818         LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
5819         LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
5820         LSM_HOOK_INIT(capget, selinux_capget),
5821         LSM_HOOK_INIT(capset, selinux_capset),
5822         LSM_HOOK_INIT(capable, selinux_capable),
5823         LSM_HOOK_INIT(quotactl, selinux_quotactl),
5824         LSM_HOOK_INIT(quota_on, selinux_quota_on),
5825         LSM_HOOK_INIT(syslog, selinux_syslog),
5826         LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
5827 
5828         LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
5829 
5830         LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
5831         LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
5832         LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
5833         LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
5834 
5835         LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
5836         LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
5837         LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
5838         LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
5839         LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
5840         LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
5841         LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
5842         LSM_HOOK_INIT(sb_mount, selinux_mount),
5843         LSM_HOOK_INIT(sb_umount, selinux_umount),
5844         LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
5845         LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
5846         LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
5847 
5848         LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
5849 
5850         LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
5851         LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
5852         LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
5853         LSM_HOOK_INIT(inode_create, selinux_inode_create),
5854         LSM_HOOK_INIT(inode_link, selinux_inode_link),
5855         LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
5856         LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
5857         LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
5858         LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
5859         LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
5860         LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
5861         LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
5862         LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
5863         LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
5864         LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
5865         LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
5866         LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
5867         LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
5868         LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
5869         LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
5870         LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
5871         LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
5872         LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
5873         LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
5874         LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
5875 
5876         LSM_HOOK_INIT(file_permission, selinux_file_permission),
5877         LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
5878         LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
5879         LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
5880         LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
5881         LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
5882         LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
5883         LSM_HOOK_INIT(file_lock, selinux_file_lock),
5884         LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
5885         LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
5886         LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
5887         LSM_HOOK_INIT(file_receive, selinux_file_receive),
5888 
5889         LSM_HOOK_INIT(file_open, selinux_file_open),
5890 
5891         LSM_HOOK_INIT(task_create, selinux_task_create),
5892         LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
5893         LSM_HOOK_INIT(cred_free, selinux_cred_free),
5894         LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
5895         LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
5896         LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
5897         LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
5898         LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
5899         LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
5900         LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
5901         LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
5902         LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
5903         LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
5904         LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
5905         LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
5906         LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
5907         LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
5908         LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
5909         LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
5910         LSM_HOOK_INIT(task_kill, selinux_task_kill),
5911         LSM_HOOK_INIT(task_wait, selinux_task_wait),
5912         LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
5913 
5914         LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
5915         LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
5916 
5917         LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
5918         LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
5919 
5920         LSM_HOOK_INIT(msg_queue_alloc_security,
5921                         selinux_msg_queue_alloc_security),
5922         LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
5923         LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
5924         LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
5925         LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
5926         LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
5927 
5928         LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
5929         LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
5930         LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
5931         LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
5932         LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
5933 
5934         LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
5935         LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
5936         LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
5937         LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
5938         LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
5939 
5940         LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
5941 
5942         LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
5943         LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
5944 
5945         LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
5946         LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
5947         LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
5948         LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
5949         LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
5950         LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
5951         LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
5952 
5953         LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
5954         LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),