~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/selinux/hooks.c

Version: ~ [ linux-5.9 ] ~ [ linux-5.8.14 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.70 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.150 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.200 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.238 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.238 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  *  NSA Security-Enhanced Linux (SELinux) security module
  3  *
  4  *  This file contains the SELinux hook function implementations.
  5  *
  6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
  7  *            Chris Vance, <cvance@nai.com>
  8  *            Wayne Salamon, <wsalamon@nai.com>
  9  *            James Morris <jmorris@redhat.com>
 10  *
 11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
 12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
 13  *                                         Eric Paris <eparis@redhat.com>
 14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 15  *                          <dgoeddel@trustedcs.com>
 16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
 17  *      Paul Moore <paul@paul-moore.com>
 18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
 19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
 20  *
 21  *      This program is free software; you can redistribute it and/or modify
 22  *      it under the terms of the GNU General Public License version 2,
 23  *      as published by the Free Software Foundation.
 24  */
 25 
 26 #include <linux/init.h>
 27 #include <linux/kd.h>
 28 #include <linux/kernel.h>
 29 #include <linux/tracehook.h>
 30 #include <linux/errno.h>
 31 #include <linux/sched.h>
 32 #include <linux/lsm_hooks.h>
 33 #include <linux/xattr.h>
 34 #include <linux/capability.h>
 35 #include <linux/unistd.h>
 36 #include <linux/mm.h>
 37 #include <linux/mman.h>
 38 #include <linux/slab.h>
 39 #include <linux/pagemap.h>
 40 #include <linux/proc_fs.h>
 41 #include <linux/swap.h>
 42 #include <linux/spinlock.h>
 43 #include <linux/syscalls.h>
 44 #include <linux/dcache.h>
 45 #include <linux/file.h>
 46 #include <linux/fdtable.h>
 47 #include <linux/namei.h>
 48 #include <linux/mount.h>
 49 #include <linux/netfilter_ipv4.h>
 50 #include <linux/netfilter_ipv6.h>
 51 #include <linux/tty.h>
 52 #include <net/icmp.h>
 53 #include <net/ip.h>             /* for local_port_range[] */
 54 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 55 #include <net/inet_connection_sock.h>
 56 #include <net/net_namespace.h>
 57 #include <net/netlabel.h>
 58 #include <linux/uaccess.h>
 59 #include <asm/ioctls.h>
 60 #include <linux/atomic.h>
 61 #include <linux/bitops.h>
 62 #include <linux/interrupt.h>
 63 #include <linux/netdevice.h>    /* for network interface checks */
 64 #include <net/netlink.h>
 65 #include <linux/tcp.h>
 66 #include <linux/udp.h>
 67 #include <linux/dccp.h>
 68 #include <linux/quota.h>
 69 #include <linux/un.h>           /* for Unix socket types */
 70 #include <net/af_unix.h>        /* for Unix socket types */
 71 #include <linux/parser.h>
 72 #include <linux/nfs_mount.h>
 73 #include <net/ipv6.h>
 74 #include <linux/hugetlb.h>
 75 #include <linux/personality.h>
 76 #include <linux/audit.h>
 77 #include <linux/string.h>
 78 #include <linux/selinux.h>
 79 #include <linux/mutex.h>
 80 #include <linux/posix-timers.h>
 81 #include <linux/syslog.h>
 82 #include <linux/user_namespace.h>
 83 #include <linux/export.h>
 84 #include <linux/msg.h>
 85 #include <linux/shm.h>
 86 
 87 #include "avc.h"
 88 #include "objsec.h"
 89 #include "netif.h"
 90 #include "netnode.h"
 91 #include "netport.h"
 92 #include "xfrm.h"
 93 #include "netlabel.h"
 94 #include "audit.h"
 95 #include "avc_ss.h"
 96 
 97 /* SECMARK reference count */
 98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 99 
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102 
103 static int __init enforcing_setup(char *str)
104 {
105         unsigned long enforcing;
106         if (!kstrtoul(str, 0, &enforcing))
107                 selinux_enforcing = enforcing ? 1 : 0;
108         return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112 
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115 
116 static int __init selinux_enabled_setup(char *str)
117 {
118         unsigned long enabled;
119         if (!kstrtoul(str, 0, &enabled))
120                 selinux_enabled = enabled ? 1 : 0;
121         return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127 
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130 
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
139  * policy capability is enabled, SECMARK is always considered enabled.
140  *
141  */
142 static int selinux_secmark_enabled(void)
143 {
144         return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146 
147 /**
148  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149  *
150  * Description:
151  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
152  * (1) if any are enabled or false (0) if neither are enabled.  If the
153  * always_check_network policy capability is enabled, peer labeling
154  * is always considered enabled.
155  *
156  */
157 static int selinux_peerlbl_enabled(void)
158 {
159         return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161 
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164         if (event == AVC_CALLBACK_RESET) {
165                 sel_netif_flush();
166                 sel_netnode_flush();
167                 sel_netport_flush();
168                 synchronize_net();
169         }
170         return 0;
171 }
172 
173 /*
174  * initialise the security for the init task
175  */
176 static void cred_init_security(void)
177 {
178         struct cred *cred = (struct cred *) current->real_cred;
179         struct task_security_struct *tsec;
180 
181         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182         if (!tsec)
183                 panic("SELinux:  Failed to initialize initial task.\n");
184 
185         tsec->osid = tsec->sid = SECINITSID_KERNEL;
186         cred->security = tsec;
187 }
188 
189 /*
190  * get the security ID of a set of credentials
191  */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194         const struct task_security_struct *tsec;
195 
196         tsec = cred->security;
197         return tsec->sid;
198 }
199 
200 /*
201  * get the objective security ID of a task
202  */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205         u32 sid;
206 
207         rcu_read_lock();
208         sid = cred_sid(__task_cred(task));
209         rcu_read_unlock();
210         return sid;
211 }
212 
213 /*
214  * get the subjective security ID of the current task
215  */
216 static inline u32 current_sid(void)
217 {
218         const struct task_security_struct *tsec = current_security();
219 
220         return tsec->sid;
221 }
222 
223 /* Allocate and free functions for each kind of security blob. */
224 
225 static int inode_alloc_security(struct inode *inode)
226 {
227         struct inode_security_struct *isec;
228         u32 sid = current_sid();
229 
230         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231         if (!isec)
232                 return -ENOMEM;
233 
234         mutex_init(&isec->lock);
235         INIT_LIST_HEAD(&isec->list);
236         isec->inode = inode;
237         isec->sid = SECINITSID_UNLABELED;
238         isec->sclass = SECCLASS_FILE;
239         isec->task_sid = sid;
240         inode->i_security = isec;
241 
242         return 0;
243 }
244 
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246 
247 /*
248  * Try reloading inode security labels that have been marked as invalid.  The
249  * @may_sleep parameter indicates when sleeping and thus reloading labels is
250  * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
252  * when no dentry is available, set it to NULL instead.
253  */
254 static int __inode_security_revalidate(struct inode *inode,
255                                        struct dentry *opt_dentry,
256                                        bool may_sleep)
257 {
258         struct inode_security_struct *isec = inode->i_security;
259 
260         might_sleep_if(may_sleep);
261 
262         if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
263                 if (!may_sleep)
264                         return -ECHILD;
265 
266                 /*
267                  * Try reloading the inode security label.  This will fail if
268                  * @opt_dentry is NULL and no dentry for this inode can be
269                  * found; in that case, continue using the old label.
270                  */
271                 inode_doinit_with_dentry(inode, opt_dentry);
272         }
273         return 0;
274 }
275 
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278         return inode->i_security;
279 }
280 
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283         int error;
284 
285         error = __inode_security_revalidate(inode, NULL, !rcu);
286         if (error)
287                 return ERR_PTR(error);
288         return inode->i_security;
289 }
290 
291 /*
292  * Get the security label of an inode.
293  */
294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296         __inode_security_revalidate(inode, NULL, true);
297         return inode->i_security;
298 }
299 
300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301 {
302         struct inode *inode = d_backing_inode(dentry);
303 
304         return inode->i_security;
305 }
306 
307 /*
308  * Get the security label of a dentry's backing inode.
309  */
310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311 {
312         struct inode *inode = d_backing_inode(dentry);
313 
314         __inode_security_revalidate(inode, dentry, true);
315         return inode->i_security;
316 }
317 
318 static void inode_free_rcu(struct rcu_head *head)
319 {
320         struct inode_security_struct *isec;
321 
322         isec = container_of(head, struct inode_security_struct, rcu);
323         kmem_cache_free(sel_inode_cache, isec);
324 }
325 
326 static void inode_free_security(struct inode *inode)
327 {
328         struct inode_security_struct *isec = inode->i_security;
329         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330 
331         /*
332          * As not all inode security structures are in a list, we check for
333          * empty list outside of the lock to make sure that we won't waste
334          * time taking a lock doing nothing.
335          *
336          * The list_del_init() function can be safely called more than once.
337          * It should not be possible for this function to be called with
338          * concurrent list_add(), but for better safety against future changes
339          * in the code, we use list_empty_careful() here.
340          */
341         if (!list_empty_careful(&isec->list)) {
342                 spin_lock(&sbsec->isec_lock);
343                 list_del_init(&isec->list);
344                 spin_unlock(&sbsec->isec_lock);
345         }
346 
347         /*
348          * The inode may still be referenced in a path walk and
349          * a call to selinux_inode_permission() can be made
350          * after inode_free_security() is called. Ideally, the VFS
351          * wouldn't do this, but fixing that is a much harder
352          * job. For now, simply free the i_security via RCU, and
353          * leave the current inode->i_security pointer intact.
354          * The inode will be freed after the RCU grace period too.
355          */
356         call_rcu(&isec->rcu, inode_free_rcu);
357 }
358 
359 static int file_alloc_security(struct file *file)
360 {
361         struct file_security_struct *fsec;
362         u32 sid = current_sid();
363 
364         fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
365         if (!fsec)
366                 return -ENOMEM;
367 
368         fsec->sid = sid;
369         fsec->fown_sid = sid;
370         file->f_security = fsec;
371 
372         return 0;
373 }
374 
375 static void file_free_security(struct file *file)
376 {
377         struct file_security_struct *fsec = file->f_security;
378         file->f_security = NULL;
379         kmem_cache_free(file_security_cache, fsec);
380 }
381 
382 static int superblock_alloc_security(struct super_block *sb)
383 {
384         struct superblock_security_struct *sbsec;
385 
386         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
387         if (!sbsec)
388                 return -ENOMEM;
389 
390         mutex_init(&sbsec->lock);
391         INIT_LIST_HEAD(&sbsec->isec_head);
392         spin_lock_init(&sbsec->isec_lock);
393         sbsec->sb = sb;
394         sbsec->sid = SECINITSID_UNLABELED;
395         sbsec->def_sid = SECINITSID_FILE;
396         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
397         sb->s_security = sbsec;
398 
399         return 0;
400 }
401 
402 static void superblock_free_security(struct super_block *sb)
403 {
404         struct superblock_security_struct *sbsec = sb->s_security;
405         sb->s_security = NULL;
406         kfree(sbsec);
407 }
408 
409 /* The file system's label must be initialized prior to use. */
410 
411 static const char *labeling_behaviors[7] = {
412         "uses xattr",
413         "uses transition SIDs",
414         "uses task SIDs",
415         "uses genfs_contexts",
416         "not configured for labeling",
417         "uses mountpoint labeling",
418         "uses native labeling",
419 };
420 
421 static inline int inode_doinit(struct inode *inode)
422 {
423         return inode_doinit_with_dentry(inode, NULL);
424 }
425 
426 enum {
427         Opt_error = -1,
428         Opt_context = 1,
429         Opt_fscontext = 2,
430         Opt_defcontext = 3,
431         Opt_rootcontext = 4,
432         Opt_labelsupport = 5,
433         Opt_nextmntopt = 6,
434 };
435 
436 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
437 
438 static const match_table_t tokens = {
439         {Opt_context, CONTEXT_STR "%s"},
440         {Opt_fscontext, FSCONTEXT_STR "%s"},
441         {Opt_defcontext, DEFCONTEXT_STR "%s"},
442         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
443         {Opt_labelsupport, LABELSUPP_STR},
444         {Opt_error, NULL},
445 };
446 
447 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
448 
449 static int may_context_mount_sb_relabel(u32 sid,
450                         struct superblock_security_struct *sbsec,
451                         const struct cred *cred)
452 {
453         const struct task_security_struct *tsec = cred->security;
454         int rc;
455 
456         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457                           FILESYSTEM__RELABELFROM, NULL);
458         if (rc)
459                 return rc;
460 
461         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462                           FILESYSTEM__RELABELTO, NULL);
463         return rc;
464 }
465 
466 static int may_context_mount_inode_relabel(u32 sid,
467                         struct superblock_security_struct *sbsec,
468                         const struct cred *cred)
469 {
470         const struct task_security_struct *tsec = cred->security;
471         int rc;
472         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473                           FILESYSTEM__RELABELFROM, NULL);
474         if (rc)
475                 return rc;
476 
477         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
478                           FILESYSTEM__ASSOCIATE, NULL);
479         return rc;
480 }
481 
482 static int selinux_is_sblabel_mnt(struct super_block *sb)
483 {
484         struct superblock_security_struct *sbsec = sb->s_security;
485 
486         return sbsec->behavior == SECURITY_FS_USE_XATTR ||
487                 sbsec->behavior == SECURITY_FS_USE_TRANS ||
488                 sbsec->behavior == SECURITY_FS_USE_TASK ||
489                 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
490                 /* Special handling. Genfs but also in-core setxattr handler */
491                 !strcmp(sb->s_type->name, "sysfs") ||
492                 !strcmp(sb->s_type->name, "pstore") ||
493                 !strcmp(sb->s_type->name, "debugfs") ||
494                 !strcmp(sb->s_type->name, "rootfs");
495 }
496 
497 static int sb_finish_set_opts(struct super_block *sb)
498 {
499         struct superblock_security_struct *sbsec = sb->s_security;
500         struct dentry *root = sb->s_root;
501         struct inode *root_inode = d_backing_inode(root);
502         int rc = 0;
503 
504         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
505                 /* Make sure that the xattr handler exists and that no
506                    error other than -ENODATA is returned by getxattr on
507                    the root directory.  -ENODATA is ok, as this may be
508                    the first boot of the SELinux kernel before we have
509                    assigned xattr values to the filesystem. */
510                 if (!root_inode->i_op->getxattr) {
511                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
512                                "xattr support\n", sb->s_id, sb->s_type->name);
513                         rc = -EOPNOTSUPP;
514                         goto out;
515                 }
516                 rc = root_inode->i_op->getxattr(root, root_inode,
517                                                 XATTR_NAME_SELINUX, NULL, 0);
518                 if (rc < 0 && rc != -ENODATA) {
519                         if (rc == -EOPNOTSUPP)
520                                 printk(KERN_WARNING "SELinux: (dev %s, type "
521                                        "%s) has no security xattr handler\n",
522                                        sb->s_id, sb->s_type->name);
523                         else
524                                 printk(KERN_WARNING "SELinux: (dev %s, type "
525                                        "%s) getxattr errno %d\n", sb->s_id,
526                                        sb->s_type->name, -rc);
527                         goto out;
528                 }
529         }
530 
531         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
532                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
533                        sb->s_id, sb->s_type->name);
534 
535         sbsec->flags |= SE_SBINITIALIZED;
536         if (selinux_is_sblabel_mnt(sb))
537                 sbsec->flags |= SBLABEL_MNT;
538 
539         /* Initialize the root inode. */
540         rc = inode_doinit_with_dentry(root_inode, root);
541 
542         /* Initialize any other inodes associated with the superblock, e.g.
543            inodes created prior to initial policy load or inodes created
544            during get_sb by a pseudo filesystem that directly
545            populates itself. */
546         spin_lock(&sbsec->isec_lock);
547 next_inode:
548         if (!list_empty(&sbsec->isec_head)) {
549                 struct inode_security_struct *isec =
550                                 list_entry(sbsec->isec_head.next,
551                                            struct inode_security_struct, list);
552                 struct inode *inode = isec->inode;
553                 list_del_init(&isec->list);
554                 spin_unlock(&sbsec->isec_lock);
555                 inode = igrab(inode);
556                 if (inode) {
557                         if (!IS_PRIVATE(inode))
558                                 inode_doinit(inode);
559                         iput(inode);
560                 }
561                 spin_lock(&sbsec->isec_lock);
562                 goto next_inode;
563         }
564         spin_unlock(&sbsec->isec_lock);
565 out:
566         return rc;
567 }
568 
569 /*
570  * This function should allow an FS to ask what it's mount security
571  * options were so it can use those later for submounts, displaying
572  * mount options, or whatever.
573  */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575                                 struct security_mnt_opts *opts)
576 {
577         int rc = 0, i;
578         struct superblock_security_struct *sbsec = sb->s_security;
579         char *context = NULL;
580         u32 len;
581         char tmp;
582 
583         security_init_mnt_opts(opts);
584 
585         if (!(sbsec->flags & SE_SBINITIALIZED))
586                 return -EINVAL;
587 
588         if (!ss_initialized)
589                 return -EINVAL;
590 
591         /* make sure we always check enough bits to cover the mask */
592         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593 
594         tmp = sbsec->flags & SE_MNTMASK;
595         /* count the number of mount options for this sb */
596         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597                 if (tmp & 0x01)
598                         opts->num_mnt_opts++;
599                 tmp >>= 1;
600         }
601         /* Check if the Label support flag is set */
602         if (sbsec->flags & SBLABEL_MNT)
603                 opts->num_mnt_opts++;
604 
605         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606         if (!opts->mnt_opts) {
607                 rc = -ENOMEM;
608                 goto out_free;
609         }
610 
611         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612         if (!opts->mnt_opts_flags) {
613                 rc = -ENOMEM;
614                 goto out_free;
615         }
616 
617         i = 0;
618         if (sbsec->flags & FSCONTEXT_MNT) {
619                 rc = security_sid_to_context(sbsec->sid, &context, &len);
620                 if (rc)
621                         goto out_free;
622                 opts->mnt_opts[i] = context;
623                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624         }
625         if (sbsec->flags & CONTEXT_MNT) {
626                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627                 if (rc)
628                         goto out_free;
629                 opts->mnt_opts[i] = context;
630                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631         }
632         if (sbsec->flags & DEFCONTEXT_MNT) {
633                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634                 if (rc)
635                         goto out_free;
636                 opts->mnt_opts[i] = context;
637                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638         }
639         if (sbsec->flags & ROOTCONTEXT_MNT) {
640                 struct dentry *root = sbsec->sb->s_root;
641                 struct inode_security_struct *isec = backing_inode_security(root);
642 
643                 rc = security_sid_to_context(isec->sid, &context, &len);
644                 if (rc)
645                         goto out_free;
646                 opts->mnt_opts[i] = context;
647                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648         }
649         if (sbsec->flags & SBLABEL_MNT) {
650                 opts->mnt_opts[i] = NULL;
651                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652         }
653 
654         BUG_ON(i != opts->num_mnt_opts);
655 
656         return 0;
657 
658 out_free:
659         security_free_mnt_opts(opts);
660         return rc;
661 }
662 
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664                       u32 old_sid, u32 new_sid)
665 {
666         char mnt_flags = sbsec->flags & SE_MNTMASK;
667 
668         /* check if the old mount command had the same options */
669         if (sbsec->flags & SE_SBINITIALIZED)
670                 if (!(sbsec->flags & flag) ||
671                     (old_sid != new_sid))
672                         return 1;
673 
674         /* check if we were passed the same options twice,
675          * aka someone passed context=a,context=b
676          */
677         if (!(sbsec->flags & SE_SBINITIALIZED))
678                 if (mnt_flags & flag)
679                         return 1;
680         return 0;
681 }
682 
683 /*
684  * Allow filesystems with binary mount data to explicitly set mount point
685  * labeling information.
686  */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688                                 struct security_mnt_opts *opts,
689                                 unsigned long kern_flags,
690                                 unsigned long *set_kern_flags)
691 {
692         const struct cred *cred = current_cred();
693         int rc = 0, i;
694         struct superblock_security_struct *sbsec = sb->s_security;
695         const char *name = sb->s_type->name;
696         struct dentry *root = sbsec->sb->s_root;
697         struct inode_security_struct *root_isec;
698         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699         u32 defcontext_sid = 0;
700         char **mount_options = opts->mnt_opts;
701         int *flags = opts->mnt_opts_flags;
702         int num_opts = opts->num_mnt_opts;
703 
704         mutex_lock(&sbsec->lock);
705 
706         if (!ss_initialized) {
707                 if (!num_opts) {
708                         /* Defer initialization until selinux_complete_init,
709                            after the initial policy is loaded and the security
710                            server is ready to handle calls. */
711                         goto out;
712                 }
713                 rc = -EINVAL;
714                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715                         "before the security server is initialized\n");
716                 goto out;
717         }
718         if (kern_flags && !set_kern_flags) {
719                 /* Specifying internal flags without providing a place to
720                  * place the results is not allowed */
721                 rc = -EINVAL;
722                 goto out;
723         }
724 
725         /*
726          * Binary mount data FS will come through this function twice.  Once
727          * from an explicit call and once from the generic calls from the vfs.
728          * Since the generic VFS calls will not contain any security mount data
729          * we need to skip the double mount verification.
730          *
731          * This does open a hole in which we will not notice if the first
732          * mount using this sb set explict options and a second mount using
733          * this sb does not set any security options.  (The first options
734          * will be used for both mounts)
735          */
736         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737             && (num_opts == 0))
738                 goto out;
739 
740         root_isec = backing_inode_security_novalidate(root);
741 
742         /*
743          * parse the mount options, check if they are valid sids.
744          * also check if someone is trying to mount the same sb more
745          * than once with different security options.
746          */
747         for (i = 0; i < num_opts; i++) {
748                 u32 sid;
749 
750                 if (flags[i] == SBLABEL_MNT)
751                         continue;
752                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753                 if (rc) {
754                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755                                "(%s) failed for (dev %s, type %s) errno=%d\n",
756                                mount_options[i], sb->s_id, name, rc);
757                         goto out;
758                 }
759                 switch (flags[i]) {
760                 case FSCONTEXT_MNT:
761                         fscontext_sid = sid;
762 
763                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764                                         fscontext_sid))
765                                 goto out_double_mount;
766 
767                         sbsec->flags |= FSCONTEXT_MNT;
768                         break;
769                 case CONTEXT_MNT:
770                         context_sid = sid;
771 
772                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773                                         context_sid))
774                                 goto out_double_mount;
775 
776                         sbsec->flags |= CONTEXT_MNT;
777                         break;
778                 case ROOTCONTEXT_MNT:
779                         rootcontext_sid = sid;
780 
781                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782                                         rootcontext_sid))
783                                 goto out_double_mount;
784 
785                         sbsec->flags |= ROOTCONTEXT_MNT;
786 
787                         break;
788                 case DEFCONTEXT_MNT:
789                         defcontext_sid = sid;
790 
791                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792                                         defcontext_sid))
793                                 goto out_double_mount;
794 
795                         sbsec->flags |= DEFCONTEXT_MNT;
796 
797                         break;
798                 default:
799                         rc = -EINVAL;
800                         goto out;
801                 }
802         }
803 
804         if (sbsec->flags & SE_SBINITIALIZED) {
805                 /* previously mounted with options, but not on this attempt? */
806                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807                         goto out_double_mount;
808                 rc = 0;
809                 goto out;
810         }
811 
812         if (strcmp(sb->s_type->name, "proc") == 0)
813                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814 
815         if (!strcmp(sb->s_type->name, "debugfs") ||
816             !strcmp(sb->s_type->name, "sysfs") ||
817             !strcmp(sb->s_type->name, "pstore"))
818                 sbsec->flags |= SE_SBGENFS;
819 
820         if (!sbsec->behavior) {
821                 /*
822                  * Determine the labeling behavior to use for this
823                  * filesystem type.
824                  */
825                 rc = security_fs_use(sb);
826                 if (rc) {
827                         printk(KERN_WARNING
828                                 "%s: security_fs_use(%s) returned %d\n",
829                                         __func__, sb->s_type->name, rc);
830                         goto out;
831                 }
832         }
833         /* sets the context of the superblock for the fs being mounted. */
834         if (fscontext_sid) {
835                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
836                 if (rc)
837                         goto out;
838 
839                 sbsec->sid = fscontext_sid;
840         }
841 
842         /*
843          * Switch to using mount point labeling behavior.
844          * sets the label used on all file below the mountpoint, and will set
845          * the superblock context if not already set.
846          */
847         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
848                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
849                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
850         }
851 
852         if (context_sid) {
853                 if (!fscontext_sid) {
854                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
855                                                           cred);
856                         if (rc)
857                                 goto out;
858                         sbsec->sid = context_sid;
859                 } else {
860                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
861                                                              cred);
862                         if (rc)
863                                 goto out;
864                 }
865                 if (!rootcontext_sid)
866                         rootcontext_sid = context_sid;
867 
868                 sbsec->mntpoint_sid = context_sid;
869                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
870         }
871 
872         if (rootcontext_sid) {
873                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
874                                                      cred);
875                 if (rc)
876                         goto out;
877 
878                 root_isec->sid = rootcontext_sid;
879                 root_isec->initialized = LABEL_INITIALIZED;
880         }
881 
882         if (defcontext_sid) {
883                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
884                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
885                         rc = -EINVAL;
886                         printk(KERN_WARNING "SELinux: defcontext option is "
887                                "invalid for this filesystem type\n");
888                         goto out;
889                 }
890 
891                 if (defcontext_sid != sbsec->def_sid) {
892                         rc = may_context_mount_inode_relabel(defcontext_sid,
893                                                              sbsec, cred);
894                         if (rc)
895                                 goto out;
896                 }
897 
898                 sbsec->def_sid = defcontext_sid;
899         }
900 
901         rc = sb_finish_set_opts(sb);
902 out:
903         mutex_unlock(&sbsec->lock);
904         return rc;
905 out_double_mount:
906         rc = -EINVAL;
907         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
908                "security settings for (dev %s, type %s)\n", sb->s_id, name);
909         goto out;
910 }
911 
912 static int selinux_cmp_sb_context(const struct super_block *oldsb,
913                                     const struct super_block *newsb)
914 {
915         struct superblock_security_struct *old = oldsb->s_security;
916         struct superblock_security_struct *new = newsb->s_security;
917         char oldflags = old->flags & SE_MNTMASK;
918         char newflags = new->flags & SE_MNTMASK;
919 
920         if (oldflags != newflags)
921                 goto mismatch;
922         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
923                 goto mismatch;
924         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
925                 goto mismatch;
926         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
927                 goto mismatch;
928         if (oldflags & ROOTCONTEXT_MNT) {
929                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
930                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
931                 if (oldroot->sid != newroot->sid)
932                         goto mismatch;
933         }
934         return 0;
935 mismatch:
936         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
937                             "different security settings for (dev %s, "
938                             "type %s)\n", newsb->s_id, newsb->s_type->name);
939         return -EBUSY;
940 }
941 
942 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
943                                         struct super_block *newsb)
944 {
945         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
946         struct superblock_security_struct *newsbsec = newsb->s_security;
947 
948         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
949         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
950         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
951 
952         /*
953          * if the parent was able to be mounted it clearly had no special lsm
954          * mount options.  thus we can safely deal with this superblock later
955          */
956         if (!ss_initialized)
957                 return 0;
958 
959         /* how can we clone if the old one wasn't set up?? */
960         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
961 
962         /* if fs is reusing a sb, make sure that the contexts match */
963         if (newsbsec->flags & SE_SBINITIALIZED)
964                 return selinux_cmp_sb_context(oldsb, newsb);
965 
966         mutex_lock(&newsbsec->lock);
967 
968         newsbsec->flags = oldsbsec->flags;
969 
970         newsbsec->sid = oldsbsec->sid;
971         newsbsec->def_sid = oldsbsec->def_sid;
972         newsbsec->behavior = oldsbsec->behavior;
973 
974         if (set_context) {
975                 u32 sid = oldsbsec->mntpoint_sid;
976 
977                 if (!set_fscontext)
978                         newsbsec->sid = sid;
979                 if (!set_rootcontext) {
980                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
981                         newisec->sid = sid;
982                 }
983                 newsbsec->mntpoint_sid = sid;
984         }
985         if (set_rootcontext) {
986                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
987                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
988 
989                 newisec->sid = oldisec->sid;
990         }
991 
992         sb_finish_set_opts(newsb);
993         mutex_unlock(&newsbsec->lock);
994         return 0;
995 }
996 
997 static int selinux_parse_opts_str(char *options,
998                                   struct security_mnt_opts *opts)
999 {
1000         char *p;
1001         char *context = NULL, *defcontext = NULL;
1002         char *fscontext = NULL, *rootcontext = NULL;
1003         int rc, num_mnt_opts = 0;
1004 
1005         opts->num_mnt_opts = 0;
1006 
1007         /* Standard string-based options. */
1008         while ((p = strsep(&options, "|")) != NULL) {
1009                 int token;
1010                 substring_t args[MAX_OPT_ARGS];
1011 
1012                 if (!*p)
1013                         continue;
1014 
1015                 token = match_token(p, tokens, args);
1016 
1017                 switch (token) {
1018                 case Opt_context:
1019                         if (context || defcontext) {
1020                                 rc = -EINVAL;
1021                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1022                                 goto out_err;
1023                         }
1024                         context = match_strdup(&args[0]);
1025                         if (!context) {
1026                                 rc = -ENOMEM;
1027                                 goto out_err;
1028                         }
1029                         break;
1030 
1031                 case Opt_fscontext:
1032                         if (fscontext) {
1033                                 rc = -EINVAL;
1034                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1035                                 goto out_err;
1036                         }
1037                         fscontext = match_strdup(&args[0]);
1038                         if (!fscontext) {
1039                                 rc = -ENOMEM;
1040                                 goto out_err;
1041                         }
1042                         break;
1043 
1044                 case Opt_rootcontext:
1045                         if (rootcontext) {
1046                                 rc = -EINVAL;
1047                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1048                                 goto out_err;
1049                         }
1050                         rootcontext = match_strdup(&args[0]);
1051                         if (!rootcontext) {
1052                                 rc = -ENOMEM;
1053                                 goto out_err;
1054                         }
1055                         break;
1056 
1057                 case Opt_defcontext:
1058                         if (context || defcontext) {
1059                                 rc = -EINVAL;
1060                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1061                                 goto out_err;
1062                         }
1063                         defcontext = match_strdup(&args[0]);
1064                         if (!defcontext) {
1065                                 rc = -ENOMEM;
1066                                 goto out_err;
1067                         }
1068                         break;
1069                 case Opt_labelsupport:
1070                         break;
1071                 default:
1072                         rc = -EINVAL;
1073                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
1074                         goto out_err;
1075 
1076                 }
1077         }
1078 
1079         rc = -ENOMEM;
1080         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1081         if (!opts->mnt_opts)
1082                 goto out_err;
1083 
1084         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1085         if (!opts->mnt_opts_flags) {
1086                 kfree(opts->mnt_opts);
1087                 goto out_err;
1088         }
1089 
1090         if (fscontext) {
1091                 opts->mnt_opts[num_mnt_opts] = fscontext;
1092                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1093         }
1094         if (context) {
1095                 opts->mnt_opts[num_mnt_opts] = context;
1096                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1097         }
1098         if (rootcontext) {
1099                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1100                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1101         }
1102         if (defcontext) {
1103                 opts->mnt_opts[num_mnt_opts] = defcontext;
1104                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1105         }
1106 
1107         opts->num_mnt_opts = num_mnt_opts;
1108         return 0;
1109 
1110 out_err:
1111         kfree(context);
1112         kfree(defcontext);
1113         kfree(fscontext);
1114         kfree(rootcontext);
1115         return rc;
1116 }
1117 /*
1118  * string mount options parsing and call set the sbsec
1119  */
1120 static int superblock_doinit(struct super_block *sb, void *data)
1121 {
1122         int rc = 0;
1123         char *options = data;
1124         struct security_mnt_opts opts;
1125 
1126         security_init_mnt_opts(&opts);
1127 
1128         if (!data)
1129                 goto out;
1130 
1131         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1132 
1133         rc = selinux_parse_opts_str(options, &opts);
1134         if (rc)
1135                 goto out_err;
1136 
1137 out:
1138         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1139 
1140 out_err:
1141         security_free_mnt_opts(&opts);
1142         return rc;
1143 }
1144 
1145 static void selinux_write_opts(struct seq_file *m,
1146                                struct security_mnt_opts *opts)
1147 {
1148         int i;
1149         char *prefix;
1150 
1151         for (i = 0; i < opts->num_mnt_opts; i++) {
1152                 char *has_comma;
1153 
1154                 if (opts->mnt_opts[i])
1155                         has_comma = strchr(opts->mnt_opts[i], ',');
1156                 else
1157                         has_comma = NULL;
1158 
1159                 switch (opts->mnt_opts_flags[i]) {
1160                 case CONTEXT_MNT:
1161                         prefix = CONTEXT_STR;
1162                         break;
1163                 case FSCONTEXT_MNT:
1164                         prefix = FSCONTEXT_STR;
1165                         break;
1166                 case ROOTCONTEXT_MNT:
1167                         prefix = ROOTCONTEXT_STR;
1168                         break;
1169                 case DEFCONTEXT_MNT:
1170                         prefix = DEFCONTEXT_STR;
1171                         break;
1172                 case SBLABEL_MNT:
1173                         seq_putc(m, ',');
1174                         seq_puts(m, LABELSUPP_STR);
1175                         continue;
1176                 default:
1177                         BUG();
1178                         return;
1179                 };
1180                 /* we need a comma before each option */
1181                 seq_putc(m, ',');
1182                 seq_puts(m, prefix);
1183                 if (has_comma)
1184                         seq_putc(m, '\"');
1185                 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1186                 if (has_comma)
1187                         seq_putc(m, '\"');
1188         }
1189 }
1190 
1191 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1192 {
1193         struct security_mnt_opts opts;
1194         int rc;
1195 
1196         rc = selinux_get_mnt_opts(sb, &opts);
1197         if (rc) {
1198                 /* before policy load we may get EINVAL, don't show anything */
1199                 if (rc == -EINVAL)
1200                         rc = 0;
1201                 return rc;
1202         }
1203 
1204         selinux_write_opts(m, &opts);
1205 
1206         security_free_mnt_opts(&opts);
1207 
1208         return rc;
1209 }
1210 
1211 static inline u16 inode_mode_to_security_class(umode_t mode)
1212 {
1213         switch (mode & S_IFMT) {
1214         case S_IFSOCK:
1215                 return SECCLASS_SOCK_FILE;
1216         case S_IFLNK:
1217                 return SECCLASS_LNK_FILE;
1218         case S_IFREG:
1219                 return SECCLASS_FILE;
1220         case S_IFBLK:
1221                 return SECCLASS_BLK_FILE;
1222         case S_IFDIR:
1223                 return SECCLASS_DIR;
1224         case S_IFCHR:
1225                 return SECCLASS_CHR_FILE;
1226         case S_IFIFO:
1227                 return SECCLASS_FIFO_FILE;
1228 
1229         }
1230 
1231         return SECCLASS_FILE;
1232 }
1233 
1234 static inline int default_protocol_stream(int protocol)
1235 {
1236         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1237 }
1238 
1239 static inline int default_protocol_dgram(int protocol)
1240 {
1241         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1242 }
1243 
1244 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1245 {
1246         switch (family) {
1247         case PF_UNIX:
1248                 switch (type) {
1249                 case SOCK_STREAM:
1250                 case SOCK_SEQPACKET:
1251                         return SECCLASS_UNIX_STREAM_SOCKET;
1252                 case SOCK_DGRAM:
1253                         return SECCLASS_UNIX_DGRAM_SOCKET;
1254                 }
1255                 break;
1256         case PF_INET:
1257         case PF_INET6:
1258                 switch (type) {
1259                 case SOCK_STREAM:
1260                         if (default_protocol_stream(protocol))
1261                                 return SECCLASS_TCP_SOCKET;
1262                         else
1263                                 return SECCLASS_RAWIP_SOCKET;
1264                 case SOCK_DGRAM:
1265                         if (default_protocol_dgram(protocol))
1266                                 return SECCLASS_UDP_SOCKET;
1267                         else
1268                                 return SECCLASS_RAWIP_SOCKET;
1269                 case SOCK_DCCP:
1270                         return SECCLASS_DCCP_SOCKET;
1271                 default:
1272                         return SECCLASS_RAWIP_SOCKET;
1273                 }
1274                 break;
1275         case PF_NETLINK:
1276                 switch (protocol) {
1277                 case NETLINK_ROUTE:
1278                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1279                 case NETLINK_SOCK_DIAG:
1280                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1281                 case NETLINK_NFLOG:
1282                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1283                 case NETLINK_XFRM:
1284                         return SECCLASS_NETLINK_XFRM_SOCKET;
1285                 case NETLINK_SELINUX:
1286                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1287                 case NETLINK_ISCSI:
1288                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1289                 case NETLINK_AUDIT:
1290                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1291                 case NETLINK_FIB_LOOKUP:
1292                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1293                 case NETLINK_CONNECTOR:
1294                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1295                 case NETLINK_NETFILTER:
1296                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1297                 case NETLINK_DNRTMSG:
1298                         return SECCLASS_NETLINK_DNRT_SOCKET;
1299                 case NETLINK_KOBJECT_UEVENT:
1300                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1301                 case NETLINK_GENERIC:
1302                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1303                 case NETLINK_SCSITRANSPORT:
1304                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1305                 case NETLINK_RDMA:
1306                         return SECCLASS_NETLINK_RDMA_SOCKET;
1307                 case NETLINK_CRYPTO:
1308                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1309                 default:
1310                         return SECCLASS_NETLINK_SOCKET;
1311                 }
1312         case PF_PACKET:
1313                 return SECCLASS_PACKET_SOCKET;
1314         case PF_KEY:
1315                 return SECCLASS_KEY_SOCKET;
1316         case PF_APPLETALK:
1317                 return SECCLASS_APPLETALK_SOCKET;
1318         }
1319 
1320         return SECCLASS_SOCKET;
1321 }
1322 
1323 static int selinux_genfs_get_sid(struct dentry *dentry,
1324                                  u16 tclass,
1325                                  u16 flags,
1326                                  u32 *sid)
1327 {
1328         int rc;
1329         struct super_block *sb = dentry->d_sb;
1330         char *buffer, *path;
1331 
1332         buffer = (char *)__get_free_page(GFP_KERNEL);
1333         if (!buffer)
1334                 return -ENOMEM;
1335 
1336         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1337         if (IS_ERR(path))
1338                 rc = PTR_ERR(path);
1339         else {
1340                 if (flags & SE_SBPROC) {
1341                         /* each process gets a /proc/PID/ entry. Strip off the
1342                          * PID part to get a valid selinux labeling.
1343                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1344                         while (path[1] >= '' && path[1] <= '9') {
1345                                 path[1] = '/';
1346                                 path++;
1347                         }
1348                 }
1349                 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1350         }
1351         free_page((unsigned long)buffer);
1352         return rc;
1353 }
1354 
1355 /* The inode's security attributes must be initialized before first use. */
1356 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1357 {
1358         struct superblock_security_struct *sbsec = NULL;
1359         struct inode_security_struct *isec = inode->i_security;
1360         u32 sid;
1361         struct dentry *dentry;
1362 #define INITCONTEXTLEN 255
1363         char *context = NULL;
1364         unsigned len = 0;
1365         int rc = 0;
1366 
1367         if (isec->initialized == LABEL_INITIALIZED)
1368                 goto out;
1369 
1370         mutex_lock(&isec->lock);
1371         if (isec->initialized == LABEL_INITIALIZED)
1372                 goto out_unlock;
1373 
1374         sbsec = inode->i_sb->s_security;
1375         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1376                 /* Defer initialization until selinux_complete_init,
1377                    after the initial policy is loaded and the security
1378                    server is ready to handle calls. */
1379                 spin_lock(&sbsec->isec_lock);
1380                 if (list_empty(&isec->list))
1381                         list_add(&isec->list, &sbsec->isec_head);
1382                 spin_unlock(&sbsec->isec_lock);
1383                 goto out_unlock;
1384         }
1385 
1386         switch (sbsec->behavior) {
1387         case SECURITY_FS_USE_NATIVE:
1388                 break;
1389         case SECURITY_FS_USE_XATTR:
1390                 if (!inode->i_op->getxattr) {
1391                         isec->sid = sbsec->def_sid;
1392                         break;
1393                 }
1394 
1395                 /* Need a dentry, since the xattr API requires one.
1396                    Life would be simpler if we could just pass the inode. */
1397                 if (opt_dentry) {
1398                         /* Called from d_instantiate or d_splice_alias. */
1399                         dentry = dget(opt_dentry);
1400                 } else {
1401                         /* Called from selinux_complete_init, try to find a dentry. */
1402                         dentry = d_find_alias(inode);
1403                 }
1404                 if (!dentry) {
1405                         /*
1406                          * this is can be hit on boot when a file is accessed
1407                          * before the policy is loaded.  When we load policy we
1408                          * may find inodes that have no dentry on the
1409                          * sbsec->isec_head list.  No reason to complain as these
1410                          * will get fixed up the next time we go through
1411                          * inode_doinit with a dentry, before these inodes could
1412                          * be used again by userspace.
1413                          */
1414                         goto out_unlock;
1415                 }
1416 
1417                 len = INITCONTEXTLEN;
1418                 context = kmalloc(len+1, GFP_NOFS);
1419                 if (!context) {
1420                         rc = -ENOMEM;
1421                         dput(dentry);
1422                         goto out_unlock;
1423                 }
1424                 context[len] = '\0';
1425                 rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1426                                            context, len);
1427                 if (rc == -ERANGE) {
1428                         kfree(context);
1429 
1430                         /* Need a larger buffer.  Query for the right size. */
1431                         rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1432                                                    NULL, 0);
1433                         if (rc < 0) {
1434                                 dput(dentry);
1435                                 goto out_unlock;
1436                         }
1437                         len = rc;
1438                         context = kmalloc(len+1, GFP_NOFS);
1439                         if (!context) {
1440                                 rc = -ENOMEM;
1441                                 dput(dentry);
1442                                 goto out_unlock;
1443                         }
1444                         context[len] = '\0';
1445                         rc = inode->i_op->getxattr(dentry, inode,
1446                                                    XATTR_NAME_SELINUX,
1447                                                    context, len);
1448                 }
1449                 dput(dentry);
1450                 if (rc < 0) {
1451                         if (rc != -ENODATA) {
1452                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1453                                        "%d for dev=%s ino=%ld\n", __func__,
1454                                        -rc, inode->i_sb->s_id, inode->i_ino);
1455                                 kfree(context);
1456                                 goto out_unlock;
1457                         }
1458                         /* Map ENODATA to the default file SID */
1459                         sid = sbsec->def_sid;
1460                         rc = 0;
1461                 } else {
1462                         rc = security_context_to_sid_default(context, rc, &sid,
1463                                                              sbsec->def_sid,
1464                                                              GFP_NOFS);
1465                         if (rc) {
1466                                 char *dev = inode->i_sb->s_id;
1467                                 unsigned long ino = inode->i_ino;
1468 
1469                                 if (rc == -EINVAL) {
1470                                         if (printk_ratelimit())
1471                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1472                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1473                                                         "filesystem in question.\n", ino, dev, context);
1474                                 } else {
1475                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1476                                                "returned %d for dev=%s ino=%ld\n",
1477                                                __func__, context, -rc, dev, ino);
1478                                 }
1479                                 kfree(context);
1480                                 /* Leave with the unlabeled SID */
1481                                 rc = 0;
1482                                 break;
1483                         }
1484                 }
1485                 kfree(context);
1486                 isec->sid = sid;
1487                 break;
1488         case SECURITY_FS_USE_TASK:
1489                 isec->sid = isec->task_sid;
1490                 break;
1491         case SECURITY_FS_USE_TRANS:
1492                 /* Default to the fs SID. */
1493                 isec->sid = sbsec->sid;
1494 
1495                 /* Try to obtain a transition SID. */
1496                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1497                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1498                                              isec->sclass, NULL, &sid);
1499                 if (rc)
1500                         goto out_unlock;
1501                 isec->sid = sid;
1502                 break;
1503         case SECURITY_FS_USE_MNTPOINT:
1504                 isec->sid = sbsec->mntpoint_sid;
1505                 break;
1506         default:
1507                 /* Default to the fs superblock SID. */
1508                 isec->sid = sbsec->sid;
1509 
1510                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1511                         /* We must have a dentry to determine the label on
1512                          * procfs inodes */
1513                         if (opt_dentry)
1514                                 /* Called from d_instantiate or
1515                                  * d_splice_alias. */
1516                                 dentry = dget(opt_dentry);
1517                         else
1518                                 /* Called from selinux_complete_init, try to
1519                                  * find a dentry. */
1520                                 dentry = d_find_alias(inode);
1521                         /*
1522                          * This can be hit on boot when a file is accessed
1523                          * before the policy is loaded.  When we load policy we
1524                          * may find inodes that have no dentry on the
1525                          * sbsec->isec_head list.  No reason to complain as
1526                          * these will get fixed up the next time we go through
1527                          * inode_doinit() with a dentry, before these inodes
1528                          * could be used again by userspace.
1529                          */
1530                         if (!dentry)
1531                                 goto out_unlock;
1532                         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1533                         rc = selinux_genfs_get_sid(dentry, isec->sclass,
1534                                                    sbsec->flags, &sid);
1535                         dput(dentry);
1536                         if (rc)
1537                                 goto out_unlock;
1538                         isec->sid = sid;
1539                 }
1540                 break;
1541         }
1542 
1543         isec->initialized = LABEL_INITIALIZED;
1544 
1545 out_unlock:
1546         mutex_unlock(&isec->lock);
1547 out:
1548         if (isec->sclass == SECCLASS_FILE)
1549                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1550         return rc;
1551 }
1552 
1553 /* Convert a Linux signal to an access vector. */
1554 static inline u32 signal_to_av(int sig)
1555 {
1556         u32 perm = 0;
1557 
1558         switch (sig) {
1559         case SIGCHLD:
1560                 /* Commonly granted from child to parent. */
1561                 perm = PROCESS__SIGCHLD;
1562                 break;
1563         case SIGKILL:
1564                 /* Cannot be caught or ignored */
1565                 perm = PROCESS__SIGKILL;
1566                 break;
1567         case SIGSTOP:
1568                 /* Cannot be caught or ignored */
1569                 perm = PROCESS__SIGSTOP;
1570                 break;
1571         default:
1572                 /* All other signals. */
1573                 perm = PROCESS__SIGNAL;
1574                 break;
1575         }
1576 
1577         return perm;
1578 }
1579 
1580 /*
1581  * Check permission between a pair of credentials
1582  * fork check, ptrace check, etc.
1583  */
1584 static int cred_has_perm(const struct cred *actor,
1585                          const struct cred *target,
1586                          u32 perms)
1587 {
1588         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1589 
1590         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1591 }
1592 
1593 /*
1594  * Check permission between a pair of tasks, e.g. signal checks,
1595  * fork check, ptrace check, etc.
1596  * tsk1 is the actor and tsk2 is the target
1597  * - this uses the default subjective creds of tsk1
1598  */
1599 static int task_has_perm(const struct task_struct *tsk1,
1600                          const struct task_struct *tsk2,
1601                          u32 perms)
1602 {
1603         const struct task_security_struct *__tsec1, *__tsec2;
1604         u32 sid1, sid2;
1605 
1606         rcu_read_lock();
1607         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1608         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1609         rcu_read_unlock();
1610         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1611 }
1612 
1613 /*
1614  * Check permission between current and another task, e.g. signal checks,
1615  * fork check, ptrace check, etc.
1616  * current is the actor and tsk2 is the target
1617  * - this uses current's subjective creds
1618  */
1619 static int current_has_perm(const struct task_struct *tsk,
1620                             u32 perms)
1621 {
1622         u32 sid, tsid;
1623 
1624         sid = current_sid();
1625         tsid = task_sid(tsk);
1626         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1627 }
1628 
1629 #if CAP_LAST_CAP > 63
1630 #error Fix SELinux to handle capabilities > 63.
1631 #endif
1632 
1633 /* Check whether a task is allowed to use a capability. */
1634 static int cred_has_capability(const struct cred *cred,
1635                                int cap, int audit, bool initns)
1636 {
1637         struct common_audit_data ad;
1638         struct av_decision avd;
1639         u16 sclass;
1640         u32 sid = cred_sid(cred);
1641         u32 av = CAP_TO_MASK(cap);
1642         int rc;
1643 
1644         ad.type = LSM_AUDIT_DATA_CAP;
1645         ad.u.cap = cap;
1646 
1647         switch (CAP_TO_INDEX(cap)) {
1648         case 0:
1649                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1650                 break;
1651         case 1:
1652                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1653                 break;
1654         default:
1655                 printk(KERN_ERR
1656                        "SELinux:  out of range capability %d\n", cap);
1657                 BUG();
1658                 return -EINVAL;
1659         }
1660 
1661         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1662         if (audit == SECURITY_CAP_AUDIT) {
1663                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1664                 if (rc2)
1665                         return rc2;
1666         }
1667         return rc;
1668 }
1669 
1670 /* Check whether a task is allowed to use a system operation. */
1671 static int task_has_system(struct task_struct *tsk,
1672                            u32 perms)
1673 {
1674         u32 sid = task_sid(tsk);
1675 
1676         return avc_has_perm(sid, SECINITSID_KERNEL,
1677                             SECCLASS_SYSTEM, perms, NULL);
1678 }
1679 
1680 /* Check whether a task has a particular permission to an inode.
1681    The 'adp' parameter is optional and allows other audit
1682    data to be passed (e.g. the dentry). */
1683 static int inode_has_perm(const struct cred *cred,
1684                           struct inode *inode,
1685                           u32 perms,
1686                           struct common_audit_data *adp)
1687 {
1688         struct inode_security_struct *isec;
1689         u32 sid;
1690 
1691         validate_creds(cred);
1692 
1693         if (unlikely(IS_PRIVATE(inode)))
1694                 return 0;
1695 
1696         sid = cred_sid(cred);
1697         isec = inode->i_security;
1698 
1699         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1700 }
1701 
1702 /* Same as inode_has_perm, but pass explicit audit data containing
1703    the dentry to help the auditing code to more easily generate the
1704    pathname if needed. */
1705 static inline int dentry_has_perm(const struct cred *cred,
1706                                   struct dentry *dentry,
1707                                   u32 av)
1708 {
1709         struct inode *inode = d_backing_inode(dentry);
1710         struct common_audit_data ad;
1711 
1712         ad.type = LSM_AUDIT_DATA_DENTRY;
1713         ad.u.dentry = dentry;
1714         __inode_security_revalidate(inode, dentry, true);
1715         return inode_has_perm(cred, inode, av, &ad);
1716 }
1717 
1718 /* Same as inode_has_perm, but pass explicit audit data containing
1719    the path to help the auditing code to more easily generate the
1720    pathname if needed. */
1721 static inline int path_has_perm(const struct cred *cred,
1722                                 const struct path *path,
1723                                 u32 av)
1724 {
1725         struct inode *inode = d_backing_inode(path->dentry);
1726         struct common_audit_data ad;
1727 
1728         ad.type = LSM_AUDIT_DATA_PATH;
1729         ad.u.path = *path;
1730         __inode_security_revalidate(inode, path->dentry, true);
1731         return inode_has_perm(cred, inode, av, &ad);
1732 }
1733 
1734 /* Same as path_has_perm, but uses the inode from the file struct. */
1735 static inline int file_path_has_perm(const struct cred *cred,
1736                                      struct file *file,
1737                                      u32 av)
1738 {
1739         struct common_audit_data ad;
1740 
1741         ad.type = LSM_AUDIT_DATA_PATH;
1742         ad.u.path = file->f_path;
1743         return inode_has_perm(cred, file_inode(file), av, &ad);
1744 }
1745 
1746 /* Check whether a task can use an open file descriptor to
1747    access an inode in a given way.  Check access to the
1748    descriptor itself, and then use dentry_has_perm to
1749    check a particular permission to the file.
1750    Access to the descriptor is implicitly granted if it
1751    has the same SID as the process.  If av is zero, then
1752    access to the file is not checked, e.g. for cases
1753    where only the descriptor is affected like seek. */
1754 static int file_has_perm(const struct cred *cred,
1755                          struct file *file,
1756                          u32 av)
1757 {
1758         struct file_security_struct *fsec = file->f_security;
1759         struct inode *inode = file_inode(file);
1760         struct common_audit_data ad;
1761         u32 sid = cred_sid(cred);
1762         int rc;
1763 
1764         ad.type = LSM_AUDIT_DATA_PATH;
1765         ad.u.path = file->f_path;
1766 
1767         if (sid != fsec->sid) {
1768                 rc = avc_has_perm(sid, fsec->sid,
1769                                   SECCLASS_FD,
1770                                   FD__USE,
1771                                   &ad);
1772                 if (rc)
1773                         goto out;
1774         }
1775 
1776         /* av is zero if only checking access to the descriptor. */
1777         rc = 0;
1778         if (av)
1779                 rc = inode_has_perm(cred, inode, av, &ad);
1780 
1781 out:
1782         return rc;
1783 }
1784 
1785 /*
1786  * Determine the label for an inode that might be unioned.
1787  */
1788 static int selinux_determine_inode_label(struct inode *dir,
1789                                          const struct qstr *name,
1790                                          u16 tclass,
1791                                          u32 *_new_isid)
1792 {
1793         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1794         const struct task_security_struct *tsec = current_security();
1795 
1796         if ((sbsec->flags & SE_SBINITIALIZED) &&
1797             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1798                 *_new_isid = sbsec->mntpoint_sid;
1799         } else if ((sbsec->flags & SBLABEL_MNT) &&
1800                    tsec->create_sid) {
1801                 *_new_isid = tsec->create_sid;
1802         } else {
1803                 const struct inode_security_struct *dsec = inode_security(dir);
1804                 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1805                                                name, _new_isid);
1806         }
1807 
1808         return 0;
1809 }
1810 
1811 /* Check whether a task can create a file. */
1812 static int may_create(struct inode *dir,
1813                       struct dentry *dentry,
1814                       u16 tclass)
1815 {
1816         const struct task_security_struct *tsec = current_security();
1817         struct inode_security_struct *dsec;
1818         struct superblock_security_struct *sbsec;
1819         u32 sid, newsid;
1820         struct common_audit_data ad;
1821         int rc;
1822 
1823         dsec = inode_security(dir);
1824         sbsec = dir->i_sb->s_security;
1825 
1826         sid = tsec->sid;
1827 
1828         ad.type = LSM_AUDIT_DATA_DENTRY;
1829         ad.u.dentry = dentry;
1830 
1831         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1832                           DIR__ADD_NAME | DIR__SEARCH,
1833                           &ad);
1834         if (rc)
1835                 return rc;
1836 
1837         rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1838                                            &newsid);
1839         if (rc)
1840                 return rc;
1841 
1842         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1843         if (rc)
1844                 return rc;
1845 
1846         return avc_has_perm(newsid, sbsec->sid,
1847                             SECCLASS_FILESYSTEM,
1848                             FILESYSTEM__ASSOCIATE, &ad);
1849 }
1850 
1851 /* Check whether a task can create a key. */
1852 static int may_create_key(u32 ksid,
1853                           struct task_struct *ctx)
1854 {
1855         u32 sid = task_sid(ctx);
1856 
1857         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1858 }
1859 
1860 #define MAY_LINK        0
1861 #define MAY_UNLINK      1
1862 #define MAY_RMDIR       2
1863 
1864 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1865 static int may_link(struct inode *dir,
1866                     struct dentry *dentry,
1867                     int kind)
1868 
1869 {
1870         struct inode_security_struct *dsec, *isec;
1871         struct common_audit_data ad;
1872         u32 sid = current_sid();
1873         u32 av;
1874         int rc;
1875 
1876         dsec = inode_security(dir);
1877         isec = backing_inode_security(dentry);
1878 
1879         ad.type = LSM_AUDIT_DATA_DENTRY;
1880         ad.u.dentry = dentry;
1881 
1882         av = DIR__SEARCH;
1883         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1884         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1885         if (rc)
1886                 return rc;
1887 
1888         switch (kind) {
1889         case MAY_LINK:
1890                 av = FILE__LINK;
1891                 break;
1892         case MAY_UNLINK:
1893                 av = FILE__UNLINK;
1894                 break;
1895         case MAY_RMDIR:
1896                 av = DIR__RMDIR;
1897                 break;
1898         default:
1899                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1900                         __func__, kind);
1901                 return 0;
1902         }
1903 
1904         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1905         return rc;
1906 }
1907 
1908 static inline int may_rename(struct inode *old_dir,
1909                              struct dentry *old_dentry,
1910                              struct inode *new_dir,
1911                              struct dentry *new_dentry)
1912 {
1913         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1914         struct common_audit_data ad;
1915         u32 sid = current_sid();
1916         u32 av;
1917         int old_is_dir, new_is_dir;
1918         int rc;
1919 
1920         old_dsec = inode_security(old_dir);
1921         old_isec = backing_inode_security(old_dentry);
1922         old_is_dir = d_is_dir(old_dentry);
1923         new_dsec = inode_security(new_dir);
1924 
1925         ad.type = LSM_AUDIT_DATA_DENTRY;
1926 
1927         ad.u.dentry = old_dentry;
1928         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1929                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1930         if (rc)
1931                 return rc;
1932         rc = avc_has_perm(sid, old_isec->sid,
1933                           old_isec->sclass, FILE__RENAME, &ad);
1934         if (rc)
1935                 return rc;
1936         if (old_is_dir && new_dir != old_dir) {
1937                 rc = avc_has_perm(sid, old_isec->sid,
1938                                   old_isec->sclass, DIR__REPARENT, &ad);
1939                 if (rc)
1940                         return rc;
1941         }
1942 
1943         ad.u.dentry = new_dentry;
1944         av = DIR__ADD_NAME | DIR__SEARCH;
1945         if (d_is_positive(new_dentry))
1946                 av |= DIR__REMOVE_NAME;
1947         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1948         if (rc)
1949                 return rc;
1950         if (d_is_positive(new_dentry)) {
1951                 new_isec = backing_inode_security(new_dentry);
1952                 new_is_dir = d_is_dir(new_dentry);
1953                 rc = avc_has_perm(sid, new_isec->sid,
1954                                   new_isec->sclass,
1955                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1956                 if (rc)
1957                         return rc;
1958         }
1959 
1960         return 0;
1961 }
1962 
1963 /* Check whether a task can perform a filesystem operation. */
1964 static int superblock_has_perm(const struct cred *cred,
1965                                struct super_block *sb,
1966                                u32 perms,
1967                                struct common_audit_data *ad)
1968 {
1969         struct superblock_security_struct *sbsec;
1970         u32 sid = cred_sid(cred);
1971 
1972         sbsec = sb->s_security;
1973         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1974 }
1975 
1976 /* Convert a Linux mode and permission mask to an access vector. */
1977 static inline u32 file_mask_to_av(int mode, int mask)
1978 {
1979         u32 av = 0;
1980 
1981         if (!S_ISDIR(mode)) {
1982                 if (mask & MAY_EXEC)
1983                         av |= FILE__EXECUTE;
1984                 if (mask & MAY_READ)
1985                         av |= FILE__READ;
1986 
1987                 if (mask & MAY_APPEND)
1988                         av |= FILE__APPEND;
1989                 else if (mask & MAY_WRITE)
1990                         av |= FILE__WRITE;
1991 
1992         } else {
1993                 if (mask & MAY_EXEC)
1994                         av |= DIR__SEARCH;
1995                 if (mask & MAY_WRITE)
1996                         av |= DIR__WRITE;
1997                 if (mask & MAY_READ)
1998                         av |= DIR__READ;
1999         }
2000 
2001         return av;
2002 }
2003 
2004 /* Convert a Linux file to an access vector. */
2005 static inline u32 file_to_av(struct file *file)
2006 {
2007         u32 av = 0;
2008 
2009         if (file->f_mode & FMODE_READ)
2010                 av |= FILE__READ;
2011         if (file->f_mode & FMODE_WRITE) {
2012                 if (file->f_flags & O_APPEND)
2013                         av |= FILE__APPEND;
2014                 else
2015                         av |= FILE__WRITE;
2016         }
2017         if (!av) {
2018                 /*
2019                  * Special file opened with flags 3 for ioctl-only use.
2020                  */
2021                 av = FILE__IOCTL;
2022         }
2023 
2024         return av;
2025 }
2026 
2027 /*
2028  * Convert a file to an access vector and include the correct open
2029  * open permission.
2030  */
2031 static inline u32 open_file_to_av(struct file *file)
2032 {
2033         u32 av = file_to_av(file);
2034 
2035         if (selinux_policycap_openperm)
2036                 av |= FILE__OPEN;
2037 
2038         return av;
2039 }
2040 
2041 /* Hook functions begin here. */
2042 
2043 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2044 {
2045         u32 mysid = current_sid();
2046         u32 mgrsid = task_sid(mgr);
2047 
2048         return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2049                             BINDER__SET_CONTEXT_MGR, NULL);
2050 }
2051 
2052 static int selinux_binder_transaction(struct task_struct *from,
2053                                       struct task_struct *to)
2054 {
2055         u32 mysid = current_sid();
2056         u32 fromsid = task_sid(from);
2057         u32 tosid = task_sid(to);
2058         int rc;
2059 
2060         if (mysid != fromsid) {
2061                 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2062                                   BINDER__IMPERSONATE, NULL);
2063                 if (rc)
2064                         return rc;
2065         }
2066 
2067         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2068                             NULL);
2069 }
2070 
2071 static int selinux_binder_transfer_binder(struct task_struct *from,
2072                                           struct task_struct *to)
2073 {
2074         u32 fromsid = task_sid(from);
2075         u32 tosid = task_sid(to);
2076 
2077         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2078                             NULL);
2079 }
2080 
2081 static int selinux_binder_transfer_file(struct task_struct *from,
2082                                         struct task_struct *to,
2083                                         struct file *file)
2084 {
2085         u32 sid = task_sid(to);
2086         struct file_security_struct *fsec = file->f_security;
2087         struct dentry *dentry = file->f_path.dentry;
2088         struct inode_security_struct *isec;
2089         struct common_audit_data ad;
2090         int rc;
2091 
2092         ad.type = LSM_AUDIT_DATA_PATH;
2093         ad.u.path = file->f_path;
2094 
2095         if (sid != fsec->sid) {
2096                 rc = avc_has_perm(sid, fsec->sid,
2097                                   SECCLASS_FD,
2098                                   FD__USE,
2099                                   &ad);
2100                 if (rc)
2101                         return rc;
2102         }
2103 
2104         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2105                 return 0;
2106 
2107         isec = backing_inode_security(dentry);
2108         return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2109                             &ad);
2110 }
2111 
2112 static int selinux_ptrace_access_check(struct task_struct *child,
2113                                      unsigned int mode)
2114 {
2115         if (mode & PTRACE_MODE_READ) {
2116                 u32 sid = current_sid();
2117                 u32 csid = task_sid(child);
2118                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2119         }
2120 
2121         return current_has_perm(child, PROCESS__PTRACE);
2122 }
2123 
2124 static int selinux_ptrace_traceme(struct task_struct *parent)
2125 {
2126         return task_has_perm(parent, current, PROCESS__PTRACE);
2127 }
2128 
2129 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2130                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2131 {
2132         return current_has_perm(target, PROCESS__GETCAP);
2133 }
2134 
2135 static int selinux_capset(struct cred *new, const struct cred *old,
2136                           const kernel_cap_t *effective,
2137                           const kernel_cap_t *inheritable,
2138                           const kernel_cap_t *permitted)
2139 {
2140         return cred_has_perm(old, new, PROCESS__SETCAP);
2141 }
2142 
2143 /*
2144  * (This comment used to live with the selinux_task_setuid hook,
2145  * which was removed).
2146  *
2147  * Since setuid only affects the current process, and since the SELinux
2148  * controls are not based on the Linux identity attributes, SELinux does not
2149  * need to control this operation.  However, SELinux does control the use of
2150  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2151  */
2152 
2153 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2154                            int cap, int audit)
2155 {
2156         return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2157 }
2158 
2159 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2160 {
2161         const struct cred *cred = current_cred();
2162         int rc = 0;
2163 
2164         if (!sb)
2165                 return 0;
2166 
2167         switch (cmds) {
2168         case Q_SYNC:
2169         case Q_QUOTAON:
2170         case Q_QUOTAOFF:
2171         case Q_SETINFO:
2172         case Q_SETQUOTA:
2173                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2174                 break;
2175         case Q_GETFMT:
2176         case Q_GETINFO:
2177         case Q_GETQUOTA:
2178                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2179                 break;
2180         default:
2181                 rc = 0;  /* let the kernel handle invalid cmds */
2182                 break;
2183         }
2184         return rc;
2185 }
2186 
2187 static int selinux_quota_on(struct dentry *dentry)
2188 {
2189         const struct cred *cred = current_cred();
2190 
2191         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2192 }
2193 
2194 static int selinux_syslog(int type)
2195 {
2196         int rc;
2197 
2198         switch (type) {
2199         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2200         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2201                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2202                 break;
2203         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2204         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2205         /* Set level of messages printed to console */
2206         case SYSLOG_ACTION_CONSOLE_LEVEL:
2207                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2208                 break;
2209         case SYSLOG_ACTION_CLOSE:       /* Close log */
2210         case SYSLOG_ACTION_OPEN:        /* Open log */
2211         case SYSLOG_ACTION_READ:        /* Read from log */
2212         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
2213         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
2214         default:
2215                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2216                 break;
2217         }
2218         return rc;
2219 }
2220 
2221 /*
2222  * Check that a process has enough memory to allocate a new virtual
2223  * mapping. 0 means there is enough memory for the allocation to
2224  * succeed and -ENOMEM implies there is not.
2225  *
2226  * Do not audit the selinux permission check, as this is applied to all
2227  * processes that allocate mappings.
2228  */
2229 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2230 {
2231         int rc, cap_sys_admin = 0;
2232 
2233         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2234                                  SECURITY_CAP_NOAUDIT, true);
2235         if (rc == 0)
2236                 cap_sys_admin = 1;
2237 
2238         return cap_sys_admin;
2239 }
2240 
2241 /* binprm security operations */
2242 
2243 static u32 ptrace_parent_sid(struct task_struct *task)
2244 {
2245         u32 sid = 0;
2246         struct task_struct *tracer;
2247 
2248         rcu_read_lock();
2249         tracer = ptrace_parent(task);
2250         if (tracer)
2251                 sid = task_sid(tracer);
2252         rcu_read_unlock();
2253 
2254         return sid;
2255 }
2256 
2257 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2258                             const struct task_security_struct *old_tsec,
2259                             const struct task_security_struct *new_tsec)
2260 {
2261         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2262         int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2263         int rc;
2264 
2265         if (!nnp && !nosuid)
2266                 return 0; /* neither NNP nor nosuid */
2267 
2268         if (new_tsec->sid == old_tsec->sid)
2269                 return 0; /* No change in credentials */
2270 
2271         /*
2272          * The only transitions we permit under NNP or nosuid
2273          * are transitions to bounded SIDs, i.e. SIDs that are
2274          * guaranteed to only be allowed a subset of the permissions
2275          * of the current SID.
2276          */
2277         rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2278         if (rc) {
2279                 /*
2280                  * On failure, preserve the errno values for NNP vs nosuid.
2281                  * NNP:  Operation not permitted for caller.
2282                  * nosuid:  Permission denied to file.
2283                  */
2284                 if (nnp)
2285                         return -EPERM;
2286                 else
2287                         return -EACCES;
2288         }
2289         return 0;
2290 }
2291 
2292 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2293 {
2294         const struct task_security_struct *old_tsec;
2295         struct task_security_struct *new_tsec;
2296         struct inode_security_struct *isec;
2297         struct common_audit_data ad;
2298         struct inode *inode = file_inode(bprm->file);
2299         int rc;
2300 
2301         /* SELinux context only depends on initial program or script and not
2302          * the script interpreter */
2303         if (bprm->cred_prepared)
2304                 return 0;
2305 
2306         old_tsec = current_security();
2307         new_tsec = bprm->cred->security;
2308         isec = inode_security(inode);
2309 
2310         /* Default to the current task SID. */
2311         new_tsec->sid = old_tsec->sid;
2312         new_tsec->osid = old_tsec->sid;
2313 
2314         /* Reset fs, key, and sock SIDs on execve. */
2315         new_tsec->create_sid = 0;
2316         new_tsec->keycreate_sid = 0;
2317         new_tsec->sockcreate_sid = 0;
2318 
2319         if (old_tsec->exec_sid) {
2320                 new_tsec->sid = old_tsec->exec_sid;
2321                 /* Reset exec SID on execve. */
2322                 new_tsec->exec_sid = 0;
2323 
2324                 /* Fail on NNP or nosuid if not an allowed transition. */
2325                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2326                 if (rc)
2327                         return rc;
2328         } else {
2329                 /* Check for a default transition on this program. */
2330                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2331                                              SECCLASS_PROCESS, NULL,
2332                                              &new_tsec->sid);
2333                 if (rc)
2334                         return rc;
2335 
2336                 /*
2337                  * Fallback to old SID on NNP or nosuid if not an allowed
2338                  * transition.
2339                  */
2340                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2341                 if (rc)
2342                         new_tsec->sid = old_tsec->sid;
2343         }
2344 
2345         ad.type = LSM_AUDIT_DATA_PATH;
2346         ad.u.path = bprm->file->f_path;
2347 
2348         if (new_tsec->sid == old_tsec->sid) {
2349                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2350                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2351                 if (rc)
2352                         return rc;
2353         } else {
2354                 /* Check permissions for the transition. */
2355                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2356                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2357                 if (rc)
2358                         return rc;
2359 
2360                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2361                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2362                 if (rc)
2363                         return rc;
2364 
2365                 /* Check for shared state */
2366                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2367                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2368                                           SECCLASS_PROCESS, PROCESS__SHARE,
2369                                           NULL);
2370                         if (rc)
2371                                 return -EPERM;
2372                 }
2373 
2374                 /* Make sure that anyone attempting to ptrace over a task that
2375                  * changes its SID has the appropriate permit */
2376                 if (bprm->unsafe &
2377                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2378                         u32 ptsid = ptrace_parent_sid(current);
2379                         if (ptsid != 0) {
2380                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2381                                                   SECCLASS_PROCESS,
2382                                                   PROCESS__PTRACE, NULL);
2383                                 if (rc)
2384                                         return -EPERM;
2385                         }
2386                 }
2387 
2388                 /* Clear any possibly unsafe personality bits on exec: */
2389                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2390         }
2391 
2392         return 0;
2393 }
2394 
2395 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2396 {
2397         const struct task_security_struct *tsec = current_security();
2398         u32 sid, osid;
2399         int atsecure = 0;
2400 
2401         sid = tsec->sid;
2402         osid = tsec->osid;
2403 
2404         if (osid != sid) {
2405                 /* Enable secure mode for SIDs transitions unless
2406                    the noatsecure permission is granted between
2407                    the two SIDs, i.e. ahp returns 0. */
2408                 atsecure = avc_has_perm(osid, sid,
2409                                         SECCLASS_PROCESS,
2410                                         PROCESS__NOATSECURE, NULL);
2411         }
2412 
2413         return !!atsecure;
2414 }
2415 
2416 static int match_file(const void *p, struct file *file, unsigned fd)
2417 {
2418         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2419 }
2420 
2421 /* Derived from fs/exec.c:flush_old_files. */
2422 static inline void flush_unauthorized_files(const struct cred *cred,
2423                                             struct files_struct *files)
2424 {
2425         struct file *file, *devnull = NULL;
2426         struct tty_struct *tty;
2427         int drop_tty = 0;
2428         unsigned n;
2429 
2430         tty = get_current_tty();
2431         if (tty) {
2432                 spin_lock(&tty->files_lock);
2433                 if (!list_empty(&tty->tty_files)) {
2434                         struct tty_file_private *file_priv;
2435 
2436                         /* Revalidate access to controlling tty.
2437                            Use file_path_has_perm on the tty path directly
2438                            rather than using file_has_perm, as this particular
2439                            open file may belong to another process and we are
2440                            only interested in the inode-based check here. */
2441                         file_priv = list_first_entry(&tty->tty_files,
2442                                                 struct tty_file_private, list);
2443                         file = file_priv->file;
2444                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2445                                 drop_tty = 1;
2446                 }
2447                 spin_unlock(&tty->files_lock);
2448                 tty_kref_put(tty);
2449         }
2450         /* Reset controlling tty. */
2451         if (drop_tty)
2452                 no_tty();
2453 
2454         /* Revalidate access to inherited open files. */
2455         n = iterate_fd(files, 0, match_file, cred);
2456         if (!n) /* none found? */
2457                 return;
2458 
2459         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2460         if (IS_ERR(devnull))
2461                 devnull = NULL;
2462         /* replace all the matching ones with this */
2463         do {
2464                 replace_fd(n - 1, devnull, 0);
2465         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2466         if (devnull)
2467                 fput(devnull);
2468 }
2469 
2470 /*
2471  * Prepare a process for imminent new credential changes due to exec
2472  */
2473 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2474 {
2475         struct task_security_struct *new_tsec;
2476         struct rlimit *rlim, *initrlim;
2477         int rc, i;
2478 
2479         new_tsec = bprm->cred->security;
2480         if (new_tsec->sid == new_tsec->osid)
2481                 return;
2482 
2483         /* Close files for which the new task SID is not authorized. */
2484         flush_unauthorized_files(bprm->cred, current->files);
2485 
2486         /* Always clear parent death signal on SID transitions. */
2487         current->pdeath_signal = 0;
2488 
2489         /* Check whether the new SID can inherit resource limits from the old
2490          * SID.  If not, reset all soft limits to the lower of the current
2491          * task's hard limit and the init task's soft limit.
2492          *
2493          * Note that the setting of hard limits (even to lower them) can be
2494          * controlled by the setrlimit check.  The inclusion of the init task's
2495          * soft limit into the computation is to avoid resetting soft limits
2496          * higher than the default soft limit for cases where the default is
2497          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2498          */
2499         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2500                           PROCESS__RLIMITINH, NULL);
2501         if (rc) {
2502                 /* protect against do_prlimit() */
2503                 task_lock(current);
2504                 for (i = 0; i < RLIM_NLIMITS; i++) {
2505                         rlim = current->signal->rlim + i;
2506                         initrlim = init_task.signal->rlim + i;
2507                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2508                 }
2509                 task_unlock(current);
2510                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2511         }
2512 }
2513 
2514 /*
2515  * Clean up the process immediately after the installation of new credentials
2516  * due to exec
2517  */
2518 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2519 {
2520         const struct task_security_struct *tsec = current_security();
2521         struct itimerval itimer;
2522         u32 osid, sid;
2523         int rc, i;
2524 
2525         osid = tsec->osid;
2526         sid = tsec->sid;
2527 
2528         if (sid == osid)
2529                 return;
2530 
2531         /* Check whether the new SID can inherit signal state from the old SID.
2532          * If not, clear itimers to avoid subsequent signal generation and
2533          * flush and unblock signals.
2534          *
2535          * This must occur _after_ the task SID has been updated so that any
2536          * kill done after the flush will be checked against the new SID.
2537          */
2538         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2539         if (rc) {
2540                 memset(&itimer, 0, sizeof itimer);
2541                 for (i = 0; i < 3; i++)
2542                         do_setitimer(i, &itimer, NULL);
2543                 spin_lock_irq(&current->sighand->siglock);
2544                 if (!fatal_signal_pending(current)) {
2545                         flush_sigqueue(&current->pending);
2546                         flush_sigqueue(&current->signal->shared_pending);
2547                         flush_signal_handlers(current, 1);
2548                         sigemptyset(&current->blocked);
2549                         recalc_sigpending();
2550                 }
2551                 spin_unlock_irq(&current->sighand->siglock);
2552         }
2553 
2554         /* Wake up the parent if it is waiting so that it can recheck
2555          * wait permission to the new task SID. */
2556         read_lock(&tasklist_lock);
2557         __wake_up_parent(current, current->real_parent);
2558         read_unlock(&tasklist_lock);
2559 }
2560 
2561 /* superblock security operations */
2562 
2563 static int selinux_sb_alloc_security(struct super_block *sb)
2564 {
2565         return superblock_alloc_security(sb);
2566 }
2567 
2568 static void selinux_sb_free_security(struct super_block *sb)
2569 {
2570         superblock_free_security(sb);
2571 }
2572 
2573 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2574 {
2575         if (plen > olen)
2576                 return 0;
2577 
2578         return !memcmp(prefix, option, plen);
2579 }
2580 
2581 static inline int selinux_option(char *option, int len)
2582 {
2583         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2584                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2585                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2586                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2587                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2588 }
2589 
2590 static inline void take_option(char **to, char *from, int *first, int len)
2591 {
2592         if (!*first) {
2593                 **to = ',';
2594                 *to += 1;
2595         } else
2596                 *first = 0;
2597         memcpy(*to, from, len);
2598         *to += len;
2599 }
2600 
2601 static inline void take_selinux_option(char **to, char *from, int *first,
2602                                        int len)
2603 {
2604         int current_size = 0;
2605 
2606         if (!*first) {
2607                 **to = '|';
2608                 *to += 1;
2609         } else
2610                 *first = 0;
2611 
2612         while (current_size < len) {
2613                 if (*from != '"') {
2614                         **to = *from;
2615                         *to += 1;
2616                 }
2617                 from += 1;
2618                 current_size += 1;
2619         }
2620 }
2621 
2622 static int selinux_sb_copy_data(char *orig, char *copy)
2623 {
2624         int fnosec, fsec, rc = 0;
2625         char *in_save, *in_curr, *in_end;
2626         char *sec_curr, *nosec_save, *nosec;
2627         int open_quote = 0;
2628 
2629         in_curr = orig;
2630         sec_curr = copy;
2631 
2632         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2633         if (!nosec) {
2634                 rc = -ENOMEM;
2635                 goto out;
2636         }
2637 
2638         nosec_save = nosec;
2639         fnosec = fsec = 1;
2640         in_save = in_end = orig;
2641 
2642         do {
2643                 if (*in_end == '"')
2644                         open_quote = !open_quote;
2645                 if ((*in_end == ',' && open_quote == 0) ||
2646                                 *in_end == '\0') {
2647                         int len = in_end - in_curr;
2648 
2649                         if (selinux_option(in_curr, len))
2650                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2651                         else
2652                                 take_option(&nosec, in_curr, &fnosec, len);
2653 
2654                         in_curr = in_end + 1;
2655                 }
2656         } while (*in_end++);
2657 
2658         strcpy(in_save, nosec_save);
2659         free_page((unsigned long)nosec_save);
2660 out:
2661         return rc;
2662 }
2663 
2664 static int selinux_sb_remount(struct super_block *sb, void *data)
2665 {
2666         int rc, i, *flags;
2667         struct security_mnt_opts opts;
2668         char *secdata, **mount_options;
2669         struct superblock_security_struct *sbsec = sb->s_security;
2670 
2671         if (!(sbsec->flags & SE_SBINITIALIZED))
2672                 return 0;
2673 
2674         if (!data)
2675                 return 0;
2676 
2677         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2678                 return 0;
2679 
2680         security_init_mnt_opts(&opts);
2681         secdata = alloc_secdata();
2682         if (!secdata)
2683                 return -ENOMEM;
2684         rc = selinux_sb_copy_data(data, secdata);
2685         if (rc)
2686                 goto out_free_secdata;
2687 
2688         rc = selinux_parse_opts_str(secdata, &opts);
2689         if (rc)
2690                 goto out_free_secdata;
2691 
2692         mount_options = opts.mnt_opts;
2693         flags = opts.mnt_opts_flags;
2694 
2695         for (i = 0; i < opts.num_mnt_opts; i++) {
2696                 u32 sid;
2697 
2698                 if (flags[i] == SBLABEL_MNT)
2699                         continue;
2700                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2701                 if (rc) {
2702                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2703                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2704                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2705                         goto out_free_opts;
2706                 }
2707                 rc = -EINVAL;
2708                 switch (flags[i]) {
2709                 case FSCONTEXT_MNT:
2710                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2711                                 goto out_bad_option;
2712                         break;
2713                 case CONTEXT_MNT:
2714                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2715                                 goto out_bad_option;
2716                         break;
2717                 case ROOTCONTEXT_MNT: {
2718                         struct inode_security_struct *root_isec;
2719                         root_isec = backing_inode_security(sb->s_root);
2720 
2721                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2722                                 goto out_bad_option;
2723                         break;
2724                 }
2725                 case DEFCONTEXT_MNT:
2726                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2727                                 goto out_bad_option;
2728                         break;
2729                 default:
2730                         goto out_free_opts;
2731                 }
2732         }
2733 
2734         rc = 0;
2735 out_free_opts:
2736         security_free_mnt_opts(&opts);
2737 out_free_secdata:
2738         free_secdata(secdata);
2739         return rc;
2740 out_bad_option:
2741         printk(KERN_WARNING "SELinux: unable to change security options "
2742                "during remount (dev %s, type=%s)\n", sb->s_id,
2743                sb->s_type->name);
2744         goto out_free_opts;
2745 }
2746 
2747 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2748 {
2749         const struct cred *cred = current_cred();
2750         struct common_audit_data ad;
2751         int rc;
2752 
2753         rc = superblock_doinit(sb, data);
2754         if (rc)
2755                 return rc;
2756 
2757         /* Allow all mounts performed by the kernel */
2758         if (flags & MS_KERNMOUNT)
2759                 return 0;
2760 
2761         ad.type = LSM_AUDIT_DATA_DENTRY;
2762         ad.u.dentry = sb->s_root;
2763         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2764 }
2765 
2766 static int selinux_sb_statfs(struct dentry *dentry)
2767 {
2768         const struct cred *cred = current_cred();
2769         struct common_audit_data ad;
2770 
2771         ad.type = LSM_AUDIT_DATA_DENTRY;
2772         ad.u.dentry = dentry->d_sb->s_root;
2773         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2774 }
2775 
2776 static int selinux_mount(const char *dev_name,
2777                          const struct path *path,
2778                          const char *type,
2779                          unsigned long flags,
2780                          void *data)
2781 {
2782         const struct cred *cred = current_cred();
2783 
2784         if (flags & MS_REMOUNT)
2785                 return superblock_has_perm(cred, path->dentry->d_sb,
2786                                            FILESYSTEM__REMOUNT, NULL);
2787         else
2788                 return path_has_perm(cred, path, FILE__MOUNTON);
2789 }
2790 
2791 static int selinux_umount(struct vfsmount *mnt, int flags)
2792 {
2793         const struct cred *cred = current_cred();
2794 
2795         return superblock_has_perm(cred, mnt->mnt_sb,
2796                                    FILESYSTEM__UNMOUNT, NULL);
2797 }
2798 
2799 /* inode security operations */
2800 
2801 static int selinux_inode_alloc_security(struct inode *inode)
2802 {
2803         return inode_alloc_security(inode);
2804 }
2805 
2806 static void selinux_inode_free_security(struct inode *inode)
2807 {
2808         inode_free_security(inode);
2809 }
2810 
2811 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2812                                         struct qstr *name, void **ctx,
2813                                         u32 *ctxlen)
2814 {
2815         u32 newsid;
2816         int rc;
2817 
2818         rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2819                                            inode_mode_to_security_class(mode),
2820                                            &newsid);
2821         if (rc)
2822                 return rc;
2823 
2824         return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2825 }
2826 
2827 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2828                                        const struct qstr *qstr,
2829                                        const char **name,
2830                                        void **value, size_t *len)
2831 {
2832         const struct task_security_struct *tsec = current_security();
2833         struct superblock_security_struct *sbsec;
2834         u32 sid, newsid, clen;
2835         int rc;
2836         char *context;
2837 
2838         sbsec = dir->i_sb->s_security;
2839 
2840         sid = tsec->sid;
2841         newsid = tsec->create_sid;
2842 
2843         rc = selinux_determine_inode_label(
2844                 dir, qstr,
2845                 inode_mode_to_security_class(inode->i_mode),
2846                 &newsid);
2847         if (rc)
2848                 return rc;
2849 
2850         /* Possibly defer initialization to selinux_complete_init. */
2851         if (sbsec->flags & SE_SBINITIALIZED) {
2852                 struct inode_security_struct *isec = inode->i_security;
2853                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2854                 isec->sid = newsid;
2855                 isec->initialized = LABEL_INITIALIZED;
2856         }
2857 
2858         if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2859                 return -EOPNOTSUPP;
2860 
2861         if (name)
2862                 *name = XATTR_SELINUX_SUFFIX;
2863 
2864         if (value && len) {
2865                 rc = security_sid_to_context_force(newsid, &context, &clen);
2866                 if (rc)
2867                         return rc;
2868                 *value = context;
2869                 *len = clen;
2870         }
2871 
2872         return 0;
2873 }
2874 
2875 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2876 {
2877         return may_create(dir, dentry, SECCLASS_FILE);
2878 }
2879 
2880 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2881 {
2882         return may_link(dir, old_dentry, MAY_LINK);
2883 }
2884 
2885 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2886 {
2887         return may_link(dir, dentry, MAY_UNLINK);
2888 }
2889 
2890 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2891 {
2892         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2893 }
2894 
2895 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2896 {
2897         return may_create(dir, dentry, SECCLASS_DIR);
2898 }
2899 
2900 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2901 {
2902         return may_link(dir, dentry, MAY_RMDIR);
2903 }
2904 
2905 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2906 {
2907         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2908 }
2909 
2910 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2911                                 struct inode *new_inode, struct dentry *new_dentry)
2912 {
2913         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2914 }
2915 
2916 static int selinux_inode_readlink(struct dentry *dentry)
2917 {
2918         const struct cred *cred = current_cred();
2919 
2920         return dentry_has_perm(cred, dentry, FILE__READ);
2921 }
2922 
2923 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2924                                      bool rcu)
2925 {
2926         const struct cred *cred = current_cred();
2927         struct common_audit_data ad;
2928         struct inode_security_struct *isec;
2929         u32 sid;
2930 
2931         validate_creds(cred);
2932 
2933         ad.type = LSM_AUDIT_DATA_DENTRY;
2934         ad.u.dentry = dentry;
2935         sid = cred_sid(cred);
2936         isec = inode_security_rcu(inode, rcu);
2937         if (IS_ERR(isec))
2938                 return PTR_ERR(isec);
2939 
2940         return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2941                                   rcu ? MAY_NOT_BLOCK : 0);
2942 }
2943 
2944 static noinline int audit_inode_permission(struct inode *inode,
2945                                            u32 perms, u32 audited, u32 denied,
2946                                            int result,
2947                                            unsigned flags)
2948 {
2949         struct common_audit_data ad;
2950         struct inode_security_struct *isec = inode->i_security;
2951         int rc;
2952 
2953         ad.type = LSM_AUDIT_DATA_INODE;
2954         ad.u.inode = inode;
2955 
2956         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2957                             audited, denied, result, &ad, flags);
2958         if (rc)
2959                 return rc;
2960         return 0;
2961 }
2962 
2963 static int selinux_inode_permission(struct inode *inode, int mask)
2964 {
2965         const struct cred *cred = current_cred();
2966         u32 perms;
2967         bool from_access;
2968         unsigned flags = mask & MAY_NOT_BLOCK;
2969         struct inode_security_struct *isec;
2970         u32 sid;
2971         struct av_decision avd;
2972         int rc, rc2;
2973         u32 audited, denied;
2974 
2975         from_access = mask & MAY_ACCESS;
2976         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2977 
2978         /* No permission to check.  Existence test. */
2979         if (!mask)
2980                 return 0;
2981 
2982         validate_creds(cred);
2983 
2984         if (unlikely(IS_PRIVATE(inode)))
2985                 return 0;
2986 
2987         perms = file_mask_to_av(inode->i_mode, mask);
2988 
2989         sid = cred_sid(cred);
2990         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2991         if (IS_ERR(isec))
2992                 return PTR_ERR(isec);
2993 
2994         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2995         audited = avc_audit_required(perms, &avd, rc,
2996                                      from_access ? FILE__AUDIT_ACCESS : 0,
2997                                      &denied);
2998         if (likely(!audited))
2999                 return rc;
3000 
3001         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3002         if (rc2)
3003                 return rc2;
3004         return rc;
3005 }
3006 
3007 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3008 {
3009         const struct cred *cred = current_cred();
3010         unsigned int ia_valid = iattr->ia_valid;
3011         __u32 av = FILE__WRITE;
3012 
3013         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3014         if (ia_valid & ATTR_FORCE) {
3015                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3016                               ATTR_FORCE);
3017                 if (!ia_valid)
3018                         return 0;
3019         }
3020 
3021         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3022                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3023                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3024 
3025         if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3026                         && !(ia_valid & ATTR_FILE))
3027                 av |= FILE__OPEN;
3028 
3029         return dentry_has_perm(cred, dentry, av);
3030 }
3031 
3032 static int selinux_inode_getattr(const struct path *path)
3033 {
3034         return path_has_perm(current_cred(), path, FILE__GETATTR);
3035 }
3036 
3037 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3038 {
3039         const struct cred *cred = current_cred();
3040 
3041         if (!strncmp(name, XATTR_SECURITY_PREFIX,
3042                      sizeof XATTR_SECURITY_PREFIX - 1)) {
3043                 if (!strcmp(name, XATTR_NAME_CAPS)) {
3044                         if (!capable(CAP_SETFCAP))
3045                                 return -EPERM;
3046                 } else if (!capable(CAP_SYS_ADMIN)) {
3047                         /* A different attribute in the security namespace.
3048                            Restrict to administrator. */
3049                         return -EPERM;
3050                 }
3051         }
3052 
3053         /* Not an attribute we recognize, so just check the
3054            ordinary setattr permission. */
3055         return dentry_has_perm(cred, dentry, FILE__SETATTR);
3056 }
3057 
3058 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3059                                   const void *value, size_t size, int flags)
3060 {
3061         struct inode *inode = d_backing_inode(dentry);
3062         struct inode_security_struct *isec;
3063         struct superblock_security_struct *sbsec;
3064         struct common_audit_data ad;
3065         u32 newsid, sid = current_sid();
3066         int rc = 0;
3067 
3068         if (strcmp(name, XATTR_NAME_SELINUX))
3069                 return selinux_inode_setotherxattr(dentry, name);
3070 
3071         sbsec = inode->i_sb->s_security;
3072         if (!(sbsec->flags & SBLABEL_MNT))
3073                 return -EOPNOTSUPP;
3074 
3075         if (!inode_owner_or_capable(inode))
3076                 return -EPERM;
3077 
3078         ad.type = LSM_AUDIT_DATA_DENTRY;
3079         ad.u.dentry = dentry;
3080 
3081         isec = backing_inode_security(dentry);
3082         rc = avc_has_perm(sid, isec->sid, isec->sclass,
3083                           FILE__RELABELFROM, &ad);
3084         if (rc)
3085                 return rc;
3086 
3087         rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3088         if (rc == -EINVAL) {
3089                 if (!capable(CAP_MAC_ADMIN)) {
3090                         struct audit_buffer *ab;
3091                         size_t audit_size;
3092                         const char *str;
3093 
3094                         /* We strip a nul only if it is at the end, otherwise the
3095                          * context contains a nul and we should audit that */
3096                         if (value) {
3097                                 str = value;
3098                                 if (str[size - 1] == '\0')
3099                                         audit_size = size - 1;
3100                                 else
3101                                         audit_size = size;
3102                         } else {
3103                                 str = "";
3104                                 audit_size = 0;
3105                         }
3106                         ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3107                         audit_log_format(ab, "op=setxattr invalid_context=");
3108                         audit_log_n_untrustedstring(ab, value, audit_size);
3109                         audit_log_end(ab);
3110 
3111                         return rc;
3112                 }
3113                 rc = security_context_to_sid_force(value, size, &newsid);
3114         }
3115         if (rc)
3116                 return rc;
3117 
3118         rc = avc_has_perm(sid, newsid, isec->sclass,
3119                           FILE__RELABELTO, &ad);
3120         if (rc)
3121                 return rc;
3122 
3123         rc = security_validate_transition(isec->sid, newsid, sid,
3124                                           isec->sclass);
3125         if (rc)
3126                 return rc;
3127 
3128         return avc_has_perm(newsid,
3129                             sbsec->sid,
3130                             SECCLASS_FILESYSTEM,
3131                             FILESYSTEM__ASSOCIATE,
3132                             &ad);
3133 }
3134 
3135 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3136                                         const void *value, size_t size,
3137                                         int flags)
3138 {
3139         struct inode *inode = d_backing_inode(dentry);
3140         struct inode_security_struct *isec;
3141         u32 newsid;
3142         int rc;
3143 
3144         if (strcmp(name, XATTR_NAME_SELINUX)) {
3145                 /* Not an attribute we recognize, so nothing to do. */
3146                 return;
3147         }
3148 
3149         rc = security_context_to_sid_force(value, size, &newsid);
3150         if (rc) {
3151                 printk(KERN_ERR "SELinux:  unable to map context to SID"
3152                        "for (%s, %lu), rc=%d\n",
3153                        inode->i_sb->s_id, inode->i_ino, -rc);
3154                 return;
3155         }
3156 
3157         isec = backing_inode_security(dentry);
3158         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3159         isec->sid = newsid;
3160         isec->initialized = LABEL_INITIALIZED;
3161 
3162         return;
3163 }
3164 
3165 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3166 {
3167         const struct cred *cred = current_cred();
3168 
3169         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3170 }
3171 
3172 static int selinux_inode_listxattr(struct dentry *dentry)
3173 {
3174         const struct cred *cred = current_cred();
3175 
3176         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3177 }
3178 
3179 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3180 {
3181         if (strcmp(name, XATTR_NAME_SELINUX))
3182                 return selinux_inode_setotherxattr(dentry, name);
3183 
3184         /* No one is allowed to remove a SELinux security label.
3185            You can change the label, but all data must be labeled. */
3186         return -EACCES;
3187 }
3188 
3189 /*
3190  * Copy the inode security context value to the user.
3191  *
3192  * Permission check is handled by selinux_inode_getxattr hook.
3193  */
3194 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3195 {
3196         u32 size;
3197         int error;
3198         char *context = NULL;
3199         struct inode_security_struct *isec;
3200 
3201         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3202                 return -EOPNOTSUPP;
3203 
3204         /*
3205          * If the caller has CAP_MAC_ADMIN, then get the raw context
3206          * value even if it is not defined by current policy; otherwise,
3207          * use the in-core value under current policy.
3208          * Use the non-auditing forms of the permission checks since
3209          * getxattr may be called by unprivileged processes commonly
3210          * and lack of permission just means that we fall back to the
3211          * in-core context value, not a denial.
3212          */
3213         error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3214                             SECURITY_CAP_NOAUDIT);
3215         if (!error)
3216                 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3217                                             SECURITY_CAP_NOAUDIT, true);
3218         isec = inode_security(inode);
3219         if (!error)
3220                 error = security_sid_to_context_force(isec->sid, &context,
3221                                                       &size);
3222         else
3223                 error = security_sid_to_context(isec->sid, &context, &size);
3224         if (error)
3225                 return error;
3226         error = size;
3227         if (alloc) {
3228                 *buffer = context;
3229                 goto out_nofree;
3230         }
3231         kfree(context);
3232 out_nofree:
3233         return error;
3234 }
3235 
3236 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3237                                      const void *value, size_t size, int flags)
3238 {
3239         struct inode_security_struct *isec = inode_security_novalidate(inode);
3240         u32 newsid;
3241         int rc;
3242 
3243         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3244                 return -EOPNOTSUPP;
3245 
3246         if (!value || !size)
3247                 return -EACCES;
3248 
3249         rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3250         if (rc)
3251                 return rc;
3252 
3253         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3254         isec->sid = newsid;
3255         isec->initialized = LABEL_INITIALIZED;
3256         return 0;
3257 }
3258 
3259 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3260 {
3261         const int len = sizeof(XATTR_NAME_SELINUX);
3262         if (buffer && len <= buffer_size)
3263                 memcpy(buffer, XATTR_NAME_SELINUX, len);
3264         return len;
3265 }
3266 
3267 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3268 {
3269         struct inode_security_struct *isec = inode_security_novalidate(inode);
3270         *secid = isec->sid;
3271 }
3272 
3273 /* file security operations */
3274 
3275 static int selinux_revalidate_file_permission(struct file *file, int mask)
3276 {
3277         const struct cred *cred = current_cred();
3278         struct inode *inode = file_inode(file);
3279 
3280         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3281         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3282                 mask |= MAY_APPEND;
3283 
3284         return file_has_perm(cred, file,
3285                              file_mask_to_av(inode->i_mode, mask));
3286 }
3287 
3288 static int selinux_file_permission(struct file *file, int mask)
3289 {
3290         struct inode *inode = file_inode(file);
3291         struct file_security_struct *fsec = file->f_security;
3292         struct inode_security_struct *isec;
3293         u32 sid = current_sid();
3294 
3295         if (!mask)
3296                 /* No permission to check.  Existence test. */
3297                 return 0;
3298 
3299         isec = inode_security(inode);
3300         if (sid == fsec->sid && fsec->isid == isec->sid &&
3301             fsec->pseqno == avc_policy_seqno())
3302                 /* No change since file_open check. */
3303                 return 0;
3304 
3305         return selinux_revalidate_file_permission(file, mask);
3306 }
3307 
3308 static int selinux_file_alloc_security(struct file *file)
3309 {
3310         return file_alloc_security(file);
3311 }
3312 
3313 static void selinux_file_free_security(struct file *file)
3314 {
3315         file_free_security(file);
3316 }
3317 
3318 /*
3319  * Check whether a task has the ioctl permission and cmd
3320  * operation to an inode.
3321  */
3322 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3323                 u32 requested, u16 cmd)
3324 {
3325         struct common_audit_data ad;
3326         struct file_security_struct *fsec = file->f_security;
3327         struct inode *inode = file_inode(file);
3328         struct inode_security_struct *isec;
3329         struct lsm_ioctlop_audit ioctl;
3330         u32 ssid = cred_sid(cred);
3331         int rc;
3332         u8 driver = cmd >> 8;
3333         u8 xperm = cmd & 0xff;
3334 
3335         ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3336         ad.u.op = &ioctl;
3337         ad.u.op->cmd = cmd;
3338         ad.u.op->path = file->f_path;
3339 
3340         if (ssid != fsec->sid) {
3341                 rc = avc_has_perm(ssid, fsec->sid,
3342                                 SECCLASS_FD,
3343                                 FD__USE,
3344                                 &ad);
3345                 if (rc)
3346                         goto out;
3347         }
3348 
3349         if (unlikely(IS_PRIVATE(inode)))
3350                 return 0;
3351 
3352         isec = inode_security(inode);
3353         rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3354                         requested, driver, xperm, &ad);
3355 out:
3356         return rc;
3357 }
3358 
3359 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3360                               unsigned long arg)
3361 {
3362         const struct cred *cred = current_cred();
3363         int error = 0;
3364 
3365         switch (cmd) {
3366         case FIONREAD:
3367         /* fall through */
3368         case FIBMAP:
3369         /* fall through */
3370         case FIGETBSZ:
3371         /* fall through */
3372         case FS_IOC_GETFLAGS:
3373         /* fall through */
3374         case FS_IOC_GETVERSION:
3375                 error = file_has_perm(cred, file, FILE__GETATTR);
3376                 break;
3377 
3378         case FS_IOC_SETFLAGS:
3379         /* fall through */
3380         case FS_IOC_SETVERSION:
3381                 error = file_has_perm(cred, file, FILE__SETATTR);
3382                 break;
3383 
3384         /* sys_ioctl() checks */
3385         case FIONBIO:
3386         /* fall through */
3387         case FIOASYNC:
3388                 error = file_has_perm(cred, file, 0);
3389                 break;
3390 
3391         case KDSKBENT:
3392         case KDSKBSENT:
3393                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3394                                             SECURITY_CAP_AUDIT, true);
3395                 break;
3396 
3397         /* default case assumes that the command will go
3398          * to the file's ioctl() function.
3399          */
3400         default:
3401                 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3402         }
3403         return error;
3404 }
3405 
3406 static int default_noexec;
3407 
3408 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3409 {
3410         const struct cred *cred = current_cred();
3411         int rc = 0;
3412 
3413         if (default_noexec &&
3414             (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3415                                    (!shared && (prot & PROT_WRITE)))) {
3416                 /*
3417                  * We are making executable an anonymous mapping or a
3418                  * private file mapping that will also be writable.
3419                  * This has an additional check.
3420                  */
3421                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3422                 if (rc)
3423                         goto error;
3424         }
3425 
3426         if (file) {
3427                 /* read access is always possible with a mapping */
3428                 u32 av = FILE__READ;
3429 
3430                 /* write access only matters if the mapping is shared */
3431                 if (shared && (prot & PROT_WRITE))
3432                         av |= FILE__WRITE;
3433 
3434                 if (prot & PROT_EXEC)
3435                         av |= FILE__EXECUTE;
3436 
3437                 return file_has_perm(cred, file, av);
3438         }
3439 
3440 error:
3441         return rc;
3442 }
3443 
3444 static int selinux_mmap_addr(unsigned long addr)
3445 {
3446         int rc = 0;
3447 
3448         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3449                 u32 sid = current_sid();
3450                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3451                                   MEMPROTECT__MMAP_ZERO, NULL);
3452         }
3453 
3454         return rc;
3455 }
3456 
3457 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3458                              unsigned long prot, unsigned long flags)
3459 {
3460         if (selinux_checkreqprot)
3461                 prot = reqprot;
3462 
3463         return file_map_prot_check(file, prot,
3464                                    (flags & MAP_TYPE) == MAP_SHARED);
3465 }
3466 
3467 static int selinux_file_mprotect(struct vm_area_struct *vma,
3468                                  unsigned long reqprot,
3469                                  unsigned long prot)
3470 {
3471         const struct cred *cred = current_cred();
3472 
3473         if (selinux_checkreqprot)
3474                 prot = reqprot;
3475 
3476         if (default_noexec &&
3477             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3478                 int rc = 0;
3479                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3480                     vma->vm_end <= vma->vm_mm->brk) {
3481                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3482                 } else if (!vma->vm_file &&
3483                            ((vma->vm_start <= vma->vm_mm->start_stack &&
3484                              vma->vm_end >= vma->vm_mm->start_stack) ||
3485                             vma_is_stack_for_task(vma, current))) {
3486                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3487                 } else if (vma->vm_file && vma->anon_vma) {
3488                         /*
3489                          * We are making executable a file mapping that has
3490                          * had some COW done. Since pages might have been
3491                          * written, check ability to execute the possibly
3492                          * modified content.  This typically should only
3493                          * occur for text relocations.
3494                          */
3495                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3496                 }
3497                 if (rc)
3498                         return rc;
3499         }
3500 
3501         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3502 }
3503 
3504 static int selinux_file_lock(struct file *file, unsigned int cmd)
3505 {
3506         const struct cred *cred = current_cred();
3507 
3508         return file_has_perm(cred, file, FILE__LOCK);
3509 }
3510 
3511 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3512                               unsigned long arg)
3513 {
3514         const struct cred *cred = current_cred();
3515         int err = 0;
3516 
3517         switch (cmd) {
3518         case F_SETFL:
3519                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3520                         err = file_has_perm(cred, file, FILE__WRITE);
3521                         break;
3522                 }
3523                 /* fall through */
3524         case F_SETOWN:
3525         case F_SETSIG:
3526         case F_GETFL:
3527         case F_GETOWN:
3528         case F_GETSIG:
3529         case F_GETOWNER_UIDS:
3530                 /* Just check FD__USE permission */
3531                 err = file_has_perm(cred, file, 0);
3532                 break;
3533         case F_GETLK:
3534         case F_SETLK:
3535         case F_SETLKW:
3536         case F_OFD_GETLK:
3537         case F_OFD_SETLK:
3538         case F_OFD_SETLKW:
3539 #if BITS_PER_LONG == 32
3540         case F_GETLK64:
3541         case F_SETLK64:
3542         case F_SETLKW64:
3543 #endif
3544                 err = file_has_perm(cred, file, FILE__LOCK);
3545                 break;
3546         }
3547 
3548         return err;
3549 }
3550 
3551 static void selinux_file_set_fowner(struct file *file)
3552 {
3553         struct file_security_struct *fsec;
3554 
3555         fsec = file->f_security;
3556         fsec->fown_sid = current_sid();
3557 }
3558 
3559 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3560                                        struct fown_struct *fown, int signum)
3561 {
3562         struct file *file;
3563         u32 sid = task_sid(tsk);
3564         u32 perm;
3565         struct file_security_struct *fsec;
3566 
3567         /* struct fown_struct is never outside the context of a struct file */
3568         file = container_of(fown, struct file, f_owner);
3569 
3570         fsec = file->f_security;
3571 
3572         if (!signum)
3573                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3574         else
3575                 perm = signal_to_av(signum);
3576 
3577         return avc_has_perm(fsec->fown_sid, sid,
3578                             SECCLASS_PROCESS, perm, NULL);
3579 }
3580 
3581 static int selinux_file_receive(struct file *file)
3582 {
3583         const struct cred *cred = current_cred();
3584 
3585         return file_has_perm(cred, file, file_to_av(file));
3586 }
3587 
3588 static int selinux_file_open(struct file *file, const struct cred *cred)
3589 {
3590         struct file_security_struct *fsec;
3591         struct inode_security_struct *isec;
3592 
3593         fsec = file->f_security;
3594         isec = inode_security(file_inode(file));
3595         /*
3596          * Save inode label and policy sequence number
3597          * at open-time so that selinux_file_permission
3598          * can determine whether revalidation is necessary.
3599          * Task label is already saved in the file security
3600          * struct as its SID.
3601          */
3602         fsec->isid = isec->sid;
3603         fsec->pseqno = avc_policy_seqno();
3604         /*
3605          * Since the inode label or policy seqno may have changed
3606          * between the selinux_inode_permission check and the saving
3607          * of state above, recheck that access is still permitted.
3608          * Otherwise, access might never be revalidated against the
3609          * new inode label or new policy.
3610          * This check is not redundant - do not remove.
3611          */
3612         return file_path_has_perm(cred, file, open_file_to_av(file));
3613 }
3614 
3615 /* task security operations */
3616 
3617 static int selinux_task_create(unsigned long clone_flags)
3618 {
3619         return current_has_perm(current, PROCESS__FORK);
3620 }
3621 
3622 /*
3623  * allocate the SELinux part of blank credentials
3624  */
3625 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3626 {
3627         struct task_security_struct *tsec;
3628 
3629         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3630         if (!tsec)
3631                 return -ENOMEM;
3632 
3633         cred->security = tsec;
3634         return 0;
3635 }
3636 
3637 /*
3638  * detach and free the LSM part of a set of credentials
3639  */
3640 static void selinux_cred_free(struct cred *cred)
3641 {
3642         struct task_security_struct *tsec = cred->security;
3643 
3644         /*
3645          * cred->security == NULL if security_cred_alloc_blank() or
3646          * security_prepare_creds() returned an error.
3647          */
3648         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3649         cred->security = (void *) 0x7UL;
3650         kfree(tsec);
3651 }
3652 
3653 /*
3654  * prepare a new set of credentials for modification
3655  */
3656 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3657                                 gfp_t gfp)
3658 {
3659         const struct task_security_struct *old_tsec;
3660         struct task_security_struct *tsec;
3661 
3662         old_tsec = old->security;
3663 
3664         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3665         if (!tsec)
3666                 return -ENOMEM;
3667 
3668         new->security = tsec;
3669         return 0;
3670 }
3671 
3672 /*
3673  * transfer the SELinux data to a blank set of creds
3674  */
3675 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3676 {
3677         const struct task_security_struct *old_tsec = old->security;
3678         struct task_security_struct *tsec = new->security;
3679 
3680         *tsec = *old_tsec;
3681 }
3682 
3683 /*
3684  * set the security data for a kernel service
3685  * - all the creation contexts are set to unlabelled
3686  */
3687 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3688 {
3689         struct task_security_struct *tsec = new->security;
3690         u32 sid = current_sid();
3691         int ret;
3692 
3693         ret = avc_has_perm(sid, secid,
3694                            SECCLASS_KERNEL_SERVICE,
3695                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3696                            NULL);
3697         if (ret == 0) {
3698                 tsec->sid = secid;
3699                 tsec->create_sid = 0;
3700                 tsec->keycreate_sid = 0;
3701                 tsec->sockcreate_sid = 0;
3702         }
3703         return ret;
3704 }
3705 
3706 /*
3707  * set the file creation context in a security record to the same as the
3708  * objective context of the specified inode
3709  */
3710 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3711 {
3712         struct inode_security_struct *isec = inode_security(inode);
3713         struct task_security_struct *tsec = new->security;
3714         u32 sid = current_sid();
3715         int ret;
3716 
3717         ret = avc_has_perm(sid, isec->sid,
3718                            SECCLASS_KERNEL_SERVICE,
3719                            KERNEL_SERVICE__CREATE_FILES_AS,
3720                            NULL);
3721 
3722         if (ret == 0)
3723                 tsec->create_sid = isec->sid;
3724         return ret;
3725 }
3726 
3727 static int selinux_kernel_module_request(char *kmod_name)
3728 {
3729         u32 sid;
3730         struct common_audit_data ad;
3731 
3732         sid = task_sid(current);
3733 
3734         ad.type = LSM_AUDIT_DATA_KMOD;
3735         ad.u.kmod_name = kmod_name;
3736 
3737         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3738                             SYSTEM__MODULE_REQUEST, &ad);
3739 }
3740 
3741 static int selinux_kernel_module_from_file(struct file *file)
3742 {
3743         struct common_audit_data ad;
3744         struct inode_security_struct *isec;
3745         struct file_security_struct *fsec;
3746         u32 sid = current_sid();
3747         int rc;
3748 
3749         /* init_module */
3750         if (file == NULL)
3751                 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3752                                         SYSTEM__MODULE_LOAD, NULL);
3753 
3754         /* finit_module */
3755 
3756         ad.type = LSM_AUDIT_DATA_PATH;
3757         ad.u.path = file->f_path;
3758 
3759         fsec = file->f_security;
3760         if (sid != fsec->sid) {
3761                 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3762                 if (rc)
3763                         return rc;
3764         }
3765 
3766         isec = inode_security(file_inode(file));
3767         return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3768                                 SYSTEM__MODULE_LOAD, &ad);
3769 }
3770 
3771 static int selinux_kernel_read_file(struct file *file,
3772                                     enum kernel_read_file_id id)
3773 {
3774         int rc = 0;
3775 
3776         switch (id) {
3777         case READING_MODULE:
3778                 rc = selinux_kernel_module_from_file(file);
3779                 break;
3780         default:
3781                 break;
3782         }
3783 
3784         return rc;
3785 }
3786 
3787 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3788 {
3789         return current_has_perm(p, PROCESS__SETPGID);
3790 }
3791 
3792 static int selinux_task_getpgid(struct task_struct *p)
3793 {
3794         return current_has_perm(p, PROCESS__GETPGID);
3795 }
3796 
3797 static int selinux_task_getsid(struct task_struct *p)
3798 {
3799         return current_has_perm(p, PROCESS__GETSESSION);
3800 }
3801 
3802 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3803 {
3804         *secid = task_sid(p);
3805 }
3806 
3807 static int selinux_task_setnice(struct task_struct *p, int nice)
3808 {
3809         return current_has_perm(p, PROCESS__SETSCHED);
3810 }
3811 
3812 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3813 {
3814         return current_has_perm(p, PROCESS__SETSCHED);
3815 }
3816 
3817 static int selinux_task_getioprio(struct task_struct *p)
3818 {
3819         return current_has_perm(p, PROCESS__GETSCHED);
3820 }
3821 
3822 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3823                 struct rlimit *new_rlim)
3824 {
3825         struct rlimit *old_rlim = p->signal->rlim + resource;
3826 
3827         /* Control the ability to change the hard limit (whether
3828            lowering or raising it), so that the hard limit can
3829            later be used as a safe reset point for the soft limit
3830            upon context transitions.  See selinux_bprm_committing_creds. */
3831         if (old_rlim->rlim_max != new_rlim->rlim_max)
3832                 return current_has_perm(p, PROCESS__SETRLIMIT);
3833 
3834         return 0;
3835 }
3836 
3837 static int selinux_task_setscheduler(struct task_struct *p)
3838 {
3839         return current_has_perm(p, PROCESS__SETSCHED);
3840 }
3841 
3842 static int selinux_task_getscheduler(struct task_struct *p)
3843 {
3844         return current_has_perm(p, PROCESS__GETSCHED);
3845 }
3846 
3847 static int selinux_task_movememory(struct task_struct *p)
3848 {
3849         return current_has_perm(p, PROCESS__SETSCHED);
3850 }
3851 
3852 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3853                                 int sig, u32 secid)
3854 {
3855         u32 perm;
3856         int rc;
3857 
3858         if (!sig)
3859                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3860         else
3861                 perm = signal_to_av(sig);
3862         if (secid)
3863                 rc = avc_has_perm(secid, task_sid(p),
3864                                   SECCLASS_PROCESS, perm, NULL);
3865         else
3866                 rc = current_has_perm(p, perm);
3867         return rc;
3868 }
3869 
3870 static int selinux_task_wait(struct task_struct *p)
3871 {
3872         return task_has_perm(p, current, PROCESS__SIGCHLD);
3873 }
3874 
3875 static void selinux_task_to_inode(struct task_struct *p,
3876                                   struct inode *inode)
3877 {
3878         struct inode_security_struct *isec = inode->i_security;
3879         u32 sid = task_sid(p);
3880 
3881         isec->sid = sid;
3882         isec->initialized = LABEL_INITIALIZED;
3883 }
3884 
3885 /* Returns error only if unable to parse addresses */
3886 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3887                         struct common_audit_data *ad, u8 *proto)
3888 {
3889         int offset, ihlen, ret = -EINVAL;
3890         struct iphdr _iph, *ih;
3891 
3892         offset = skb_network_offset(skb);
3893         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3894         if (ih == NULL)
3895                 goto out;
3896 
3897         ihlen = ih->ihl * 4;
3898         if (ihlen < sizeof(_iph))
3899                 goto out;
3900 
3901         ad->u.net->v4info.saddr = ih->saddr;
3902         ad->u.net->v4info.daddr = ih->daddr;
3903         ret = 0;
3904 
3905         if (proto)
3906                 *proto = ih->protocol;
3907 
3908         switch (ih->protocol) {
3909         case IPPROTO_TCP: {
3910                 struct tcphdr _tcph, *th;
3911 
3912                 if (ntohs(ih->frag_off) & IP_OFFSET)
3913                         break;
3914 
3915                 offset += ihlen;
3916                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3917                 if (th == NULL)
3918                         break;
3919 
3920                 ad->u.net->sport = th->source;
3921                 ad->u.net->dport = th->dest;
3922                 break;
3923         }
3924 
3925         case IPPROTO_UDP: {
3926                 struct udphdr _udph, *uh;
3927 
3928                 if (ntohs(ih->frag_off) & IP_OFFSET)
3929                         break;
3930 
3931                 offset += ihlen;
3932                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3933                 if (uh == NULL)
3934                         break;
3935 
3936                 ad->u.net->sport = uh->source;
3937                 ad->u.net->dport = uh->dest;
3938                 break;
3939         }
3940 
3941         case IPPROTO_DCCP: {
3942                 struct dccp_hdr _dccph, *dh;
3943 
3944                 if (ntohs(ih->frag_off) & IP_OFFSET)
3945                         break;
3946 
3947                 offset += ihlen;
3948                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3949                 if (dh == NULL)
3950                         break;
3951 
3952                 ad->u.net->sport = dh->dccph_sport;
3953                 ad->u.net->dport = dh->dccph_dport;
3954                 break;
3955         }
3956 
3957         default:
3958                 break;
3959         }
3960 out:
3961         return ret;
3962 }
3963 
3964 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3965 
3966 /* Returns error only if unable to parse addresses */
3967 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3968                         struct common_audit_data *ad, u8 *proto)
3969 {
3970         u8 nexthdr;
3971         int ret = -EINVAL, offset;
3972         struct ipv6hdr _ipv6h, *ip6;
3973         __be16 frag_off;
3974 
3975         offset = skb_network_offset(skb);
3976         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3977         if (ip6 == NULL)
3978                 goto out;
3979 
3980         ad->u.net->v6info.saddr = ip6->saddr;
3981         ad->u.net->v6info.daddr = ip6->daddr;
3982         ret = 0;
3983 
3984         nexthdr = ip6->nexthdr;
3985         offset += sizeof(_ipv6h);
3986         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3987         if (offset < 0)
3988                 goto out;
3989 
3990         if (proto)
3991                 *proto = nexthdr;
3992 
3993         switch (nexthdr) {
3994         case IPPROTO_TCP: {
3995                 struct tcphdr _tcph, *th;
3996 
3997                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3998                 if (th == NULL)
3999                         break;
4000 
4001                 ad->u.net->sport = th->source;
4002                 ad->u.net->dport = th->dest;
4003                 break;
4004         }
4005 
4006         case IPPROTO_UDP: {
4007                 struct udphdr _udph, *uh;
4008 
4009                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4010                 if (uh == NULL)
4011                         break;
4012 
4013                 ad->u.net->sport = uh->source;
4014                 ad->u.net->dport = uh->dest;
4015                 break;
4016         }
4017 
4018         case IPPROTO_DCCP: {
4019                 struct dccp_hdr _dccph, *dh;
4020 
4021                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4022                 if (dh == NULL)
4023                         break;
4024 
4025                 ad->u.net->sport = dh->dccph_sport;
4026                 ad->u.net->dport = dh->dccph_dport;
4027                 break;
4028         }
4029 
4030         /* includes fragments */
4031         default:
4032                 break;
4033         }
4034 out:
4035         return ret;
4036 }
4037 
4038 #endif /* IPV6 */
4039 
4040 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4041                              char **_addrp, int src, u8 *proto)
4042 {
4043         char *addrp;
4044         int ret;
4045 
4046         switch (ad->u.net->family) {
4047         case PF_INET:
4048                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4049                 if (ret)
4050                         goto parse_error;
4051                 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4052                                        &ad->u.net->v4info.daddr);
4053                 goto okay;
4054 
4055 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4056         case PF_INET6:
4057                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4058                 if (ret)
4059                         goto parse_error;
4060                 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4061                                        &ad->u.net->v6info.daddr);
4062                 goto okay;
4063 #endif  /* IPV6 */
4064         default:
4065                 addrp = NULL;
4066                 goto okay;
4067         }
4068 
4069 parse_error:
4070         printk(KERN_WARNING
4071                "SELinux: failure in selinux_parse_skb(),"
4072                " unable to parse packet\n");
4073         return ret;
4074 
4075 okay:
4076         if (_addrp)
4077                 *_addrp = addrp;
4078         return 0;
4079 }
4080 
4081 /**
4082  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4083  * @skb: the packet
4084  * @family: protocol family
4085  * @sid: the packet's peer label SID
4086  *
4087  * Description:
4088  * Check the various different forms of network peer labeling and determine
4089  * the peer label/SID for the packet; most of the magic actually occurs in
4090  * the security server function security_net_peersid_cmp().  The function
4091  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4092  * or -EACCES if @sid is invalid due to inconsistencies with the different
4093  * peer labels.
4094  *
4095  */
4096 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4097 {
4098         int err;
4099         u32 xfrm_sid;
4100         u32 nlbl_sid;
4101         u32 nlbl_type;
4102 
4103         err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4104         if (unlikely(err))
4105                 return -EACCES;
4106         err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4107         if (unlikely(err))
4108                 return -EACCES;
4109 
4110         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4111         if (unlikely(err)) {
4112                 printk(KERN_WARNING
4113                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
4114                        " unable to determine packet's peer label\n");
4115                 return -EACCES;
4116         }
4117 
4118         return 0;
4119 }
4120 
4121 /**
4122  * selinux_conn_sid - Determine the child socket label for a connection
4123  * @sk_sid: the parent socket's SID
4124  * @skb_sid: the packet's SID
4125  * @conn_sid: the resulting connection SID
4126  *
4127  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4128  * combined with the MLS information from @skb_sid in order to create
4129  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4130  * of @sk_sid.  Returns zero on success, negative values on failure.
4131  *
4132  */
4133 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4134 {
4135         int err = 0;
4136 
4137         if (skb_sid != SECSID_NULL)
4138                 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4139         else
4140                 *conn_sid = sk_sid;
4141 
4142         return err;
4143 }
4144 
4145 /* socket security operations */
4146 
4147 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4148                                  u16 secclass, u32 *socksid)
4149 {
4150         if (tsec->sockcreate_sid > SECSID_NULL) {
4151                 *socksid = tsec->sockcreate_sid;
4152                 return 0;
4153         }
4154 
4155         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4156                                        socksid);
4157 }
4158 
4159 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4160 {
4161         struct sk_security_struct *sksec = sk->sk_security;
4162         struct common_audit_data ad;
4163         struct lsm_network_audit net = {0,};
4164         u32 tsid = task_sid(task);
4165 
4166         if (sksec->sid == SECINITSID_KERNEL)
4167                 return 0;
4168 
4169         ad.type = LSM_AUDIT_DATA_NET;
4170         ad.u.net = &net;
4171         ad.u.net->sk = sk;
4172 
4173         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4174 }
4175 
4176 static int selinux_socket_create(int family, int type,
4177                                  int protocol, int kern)
4178 {
4179         const struct task_security_struct *tsec = current_security();
4180         u32 newsid;
4181         u16 secclass;
4182         int rc;
4183 
4184         if (kern)
4185                 return 0;
4186 
4187         secclass = socket_type_to_security_class(family, type, protocol);
4188         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4189         if (rc)
4190                 return rc;
4191 
4192         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4193 }
4194 
4195 static int selinux_socket_post_create(struct socket *sock, int family,
4196                                       int type, int protocol, int kern)
4197 {
4198         const struct task_security_struct *tsec = current_security();
4199         struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4200         struct sk_security_struct *sksec;
4201         int err = 0;
4202 
4203         isec->sclass = socket_type_to_security_class(family, type, protocol);
4204 
4205         if (kern)
4206                 isec->sid = SECINITSID_KERNEL;
4207         else {
4208                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4209                 if (err)
4210                         return err;
4211         }
4212 
4213         isec->initialized = LABEL_INITIALIZED;
4214 
4215         if (sock->sk) {
4216                 sksec = sock->sk->sk_security;
4217                 sksec->sid = isec->sid;
4218                 sksec->sclass = isec->sclass;
4219                 err = selinux_netlbl_socket_post_create(sock->sk, family);
4220         }
4221 
4222         return err;
4223 }
4224 
4225 /* Range of port numbers used to automatically bind.
4226    Need to determine whether we should perform a name_bind
4227    permission check between the socket and the port number. */
4228 
4229 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4230 {
4231         struct sock *sk = sock->sk;
4232         u16 family;
4233         int err;
4234 
4235         err = sock_has_perm(current, sk, SOCKET__BIND);
4236         if (err)
4237                 goto out;
4238 
4239         /*
4240          * If PF_INET or PF_INET6, check name_bind permission for the port.
4241          * Multiple address binding for SCTP is not supported yet: we just
4242          * check the first address now.
4243          */
4244         family = sk->sk_family;
4245         if (family == PF_INET || family == PF_INET6) {
4246                 char *addrp;
4247                 struct sk_security_struct *sksec = sk->sk_security;
4248                 struct common_audit_data ad;
4249                 struct lsm_network_audit net = {0,};
4250                 struct sockaddr_in *addr4 = NULL;
4251                 struct sockaddr_in6 *addr6 = NULL;
4252                 unsigned short snum;
4253                 u32 sid, node_perm;
4254 
4255                 if (family == PF_INET) {
4256                         addr4 = (struct sockaddr_in *)address;
4257                         snum = ntohs(addr4->sin_port);
4258                         addrp = (char *)&addr4->sin_addr.s_addr;
4259                 } else {
4260                         addr6 = (struct sockaddr_in6 *)address;
4261                         snum = ntohs(addr6->sin6_port);
4262                         addrp = (char *)&addr6->sin6_addr.s6_addr;
4263                 }
4264 
4265                 if (snum) {
4266                         int low, high;
4267 
4268                         inet_get_local_port_range(sock_net(sk), &low, &high);
4269 
4270                         if (snum < max(PROT_SOCK, low) || snum > high) {
4271                                 err = sel_netport_sid(sk->sk_protocol,
4272                                                       snum, &sid);
4273                                 if (err)
4274                                         goto out;
4275                                 ad.type = LSM_AUDIT_DATA_NET;
4276                                 ad.u.net = &net;
4277                                 ad.u.net->sport = htons(snum);
4278                                 ad.u.net->family = family;
4279                                 err = avc_has_perm(sksec->sid, sid,
4280                                                    sksec->sclass,
4281                                                    SOCKET__NAME_BIND, &ad);
4282                                 if (err)
4283                                         goto out;
4284                         }
4285                 }
4286 
4287                 switch (sksec->sclass) {
4288                 case SECCLASS_TCP_SOCKET:
4289                         node_perm = TCP_SOCKET__NODE_BIND;
4290                         break;
4291 
4292                 case SECCLASS_UDP_SOCKET:
4293                         node_perm = UDP_SOCKET__NODE_BIND;
4294                         break;
4295 
4296                 case SECCLASS_DCCP_SOCKET:
4297                         node_perm = DCCP_SOCKET__NODE_BIND;
4298                         break;
4299 
4300                 default:
4301                         node_perm = RAWIP_SOCKET__NODE_BIND;
4302                         break;
4303                 }
4304 
4305                 err = sel_netnode_sid(addrp, family, &sid);
4306                 if (err)
4307                         goto out;
4308 
4309                 ad.type = LSM_AUDIT_DATA_NET;
4310                 ad.u.net = &net;
4311                 ad.u.net->sport = htons(snum);
4312                 ad.u.net->family = family;
4313 
4314                 if (family == PF_INET)
4315                         ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4316                 else
4317                         ad.u.net->v6info.saddr = addr6->sin6_addr;
4318 
4319                 err = avc_has_perm(sksec->sid, sid,
4320                                    sksec->sclass, node_perm, &ad);
4321                 if (err)
4322                         goto out;
4323         }
4324 out:
4325         return err;
4326 }
4327 
4328 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4329 {
4330         struct sock *sk = sock->sk;
4331         struct sk_security_struct *sksec = sk->sk_security;
4332         int err;
4333 
4334         err = sock_has_perm(current, sk, SOCKET__CONNECT);
4335         if (err)
4336                 return err;
4337 
4338         /*
4339          * If a TCP or DCCP socket, check name_connect permission for the port.
4340          */
4341         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4342             sksec->sclass == SECCLASS_DCCP_SOCKET) {
4343                 struct common_audit_data ad;
4344                 struct lsm_network_audit net = {0,};
4345                 struct sockaddr_in *addr4 = NULL;
4346                 struct sockaddr_in6 *addr6 = NULL;
4347                 unsigned short snum;
4348                 u32 sid, perm;
4349 
4350                 if (sk->sk_family == PF_INET) {
4351                         addr4 = (struct sockaddr_in *)address;
4352                         if (addrlen < sizeof(struct sockaddr_in))
4353                                 return -EINVAL;
4354                         snum = ntohs(addr4->sin_port);
4355                 } else {
4356                         addr6 = (struct sockaddr_in6 *)address;
4357                         if (addrlen < SIN6_LEN_RFC2133)
4358                                 return -EINVAL;
4359                         snum = ntohs(addr6->sin6_port);
4360                 }
4361 
4362                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4363                 if (err)
4364                         goto out;
4365 
4366                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4367                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4368 
4369                 ad.type = LSM_AUDIT_DATA_NET;
4370                 ad.u.net = &net;
4371                 ad.u.net->dport = htons(snum);
4372                 ad.u.net->family = sk->sk_family;
4373                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4374                 if (err)
4375                         goto out;
4376         }
4377 
4378         err = selinux_netlbl_socket_connect(sk, address);
4379 
4380 out:
4381         return err;
4382 }
4383 
4384 static int selinux_socket_listen(struct socket *sock, int backlog)
4385 {
4386         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4387 }
4388 
4389 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4390 {
4391         int err;
4392         struct inode_security_struct *isec;
4393         struct inode_security_struct *newisec;
4394 
4395         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4396         if (err)
4397                 return err;
4398 
4399         newisec = inode_security_novalidate(SOCK_INODE(newsock));
4400 
4401         isec = inode_security_novalidate(SOCK_INODE(sock));
4402         newisec->sclass = isec->sclass;
4403         newisec->sid = isec->sid;
4404         newisec->initialized = LABEL_INITIALIZED;
4405 
4406         return 0;
4407 }
4408 
4409 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4410                                   int size)
4411 {
4412         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4413 }
4414 
4415 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4416                                   int size, int flags)
4417 {
4418         return sock_has_perm(current, sock->sk, SOCKET__READ);
4419 }
4420 
4421 static int selinux_socket_getsockname(struct socket *sock)
4422 {
4423         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4424 }
4425 
4426 static int selinux_socket_getpeername(struct socket *sock)
4427 {
4428         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4429 }
4430 
4431 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4432 {
4433         int err;
4434 
4435         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4436         if (err)
4437                 return err;
4438 
4439         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4440 }
4441 
4442 static int selinux_socket_getsockopt(struct socket *sock, int level,
4443                                      int optname)
4444 {
4445         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4446 }
4447 
4448 static int selinux_socket_shutdown(struct socket *sock, int how)
4449 {
4450         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4451 }
4452 
4453 static int selinux_socket_unix_stream_connect(struct sock *sock,
4454                                               struct sock *other,
4455                                               struct sock *newsk)
4456 {
4457         struct sk_security_struct *sksec_sock = sock->sk_security;
4458         struct sk_security_struct *sksec_other = other->sk_security;
4459         struct sk_security_struct *sksec_new = newsk->sk_security;
4460         struct common_audit_data ad;
4461         struct lsm_network_audit net = {0,};
4462         int err;
4463 
4464         ad.type = LSM_AUDIT_DATA_NET;
4465         ad.u.net = &net;
4466         ad.u.net->sk = other;
4467 
4468         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4469                            sksec_other->sclass,
4470                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4471         if (err)
4472                 return err;
4473 
4474         /* server child socket */
4475         sksec_new->peer_sid = sksec_sock->sid;
4476         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4477                                     &sksec_new->sid);
4478         if (err)
4479                 return err;
4480 
4481         /* connecting socket */
4482         sksec_sock->peer_sid = sksec_new->sid;
4483 
4484         return 0;
4485 }
4486 
4487 static int selinux_socket_unix_may_send(struct socket *sock,
4488                                         struct socket *other)
4489 {
4490         struct sk_security_struct *ssec = sock->sk->sk_security;
4491         struct sk_security_struct *osec = other->sk->sk_security;
4492         struct common_audit_data ad;
4493         struct lsm_network_audit net = {0,};
4494 
4495         ad.type = LSM_AUDIT_DATA_NET;
4496         ad.u.net = &net;
4497         ad.u.net->sk = other->sk;
4498 
4499         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4500                             &ad);
4501 }
4502 
4503 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4504                                     char *addrp, u16 family, u32 peer_sid,
4505                                     struct common_audit_data *ad)
4506 {
4507         int err;
4508         u32 if_sid;
4509         u32 node_sid;
4510 
4511         err = sel_netif_sid(ns, ifindex, &if_sid);
4512         if (err)
4513                 return err;
4514         err = avc_has_perm(peer_sid, if_sid,
4515                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4516         if (err)
4517                 return err;
4518 
4519         err = sel_netnode_sid(addrp, family, &node_sid);
4520         if (err)
4521                 return err;
4522         return avc_has_perm(peer_sid, node_sid,
4523                             SECCLASS_NODE, NODE__RECVFROM, ad);
4524 }
4525 
4526 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4527                                        u16 family)
4528 {
4529         int err = 0;
4530         struct sk_security_struct *sksec = sk->sk_security;
4531         u32 sk_sid = sksec->sid;
4532         struct common_audit_data ad;
4533         struct lsm_network_audit net = {0,};
4534         char *addrp;
4535 
4536         ad.type = LSM_AUDIT_DATA_NET;
4537         ad.u.net = &net;
4538         ad.u.net->netif = skb->skb_iif;
4539         ad.u.net->family = family;
4540         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4541         if (err)
4542                 return err;
4543 
4544         if (selinux_secmark_enabled()) {
4545                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4546                                    PACKET__RECV, &ad);
4547                 if (err)
4548                         return err;
4549         }
4550 
4551         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4552         if (err)
4553                 return err;
4554         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4555 
4556         return err;
4557 }
4558 
4559 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4560 {
4561         int err;
4562         struct sk_security_struct *sksec = sk->sk_security;
4563         u16 family = sk->sk_family;
4564         u32 sk_sid = sksec->sid;
4565         struct common_audit_data ad;
4566         struct lsm_network_audit net = {0,};
4567         char *addrp;
4568         u8 secmark_active;
4569         u8 peerlbl_active;
4570 
4571         if (family != PF_INET && family != PF_INET6)
4572                 return 0;
4573 
4574         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4575         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4576                 family = PF_INET;
4577 
4578         /* If any sort of compatibility mode is enabled then handoff processing
4579          * to the selinux_sock_rcv_skb_compat() function to deal with the
4580          * special handling.  We do this in an attempt to keep this function
4581          * as fast and as clean as possible. */
4582         if (!selinux_policycap_netpeer)
4583                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4584 
4585         secmark_active = selinux_secmark_enabled();
4586         peerlbl_active = selinux_peerlbl_enabled();
4587         if (!secmark_active && !peerlbl_active)
4588                 return 0;
4589 
4590         ad.type = LSM_AUDIT_DATA_NET;
4591         ad.u.net = &net;
4592         ad.u.net->netif = skb->skb_iif;
4593         ad.u.net->family = family;
4594         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4595         if (err)
4596                 return err;
4597 
4598         if (peerlbl_active) {
4599                 u32 peer_sid;
4600 
4601                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4602                 if (err)
4603                         return err;
4604                 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4605                                                addrp, family, peer_sid, &ad);
4606                 if (err) {
4607                         selinux_netlbl_err(skb, err, 0);
4608                         return err;
4609                 }
4610                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4611                                    PEER__RECV, &ad);
4612                 if (err) {
4613                         selinux_netlbl_err(skb, err, 0);
4614                         return err;
4615                 }
4616         }
4617 
4618         if (secmark_active) {
4619                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4620                                    PACKET__RECV, &ad);
4621                 if (err)
4622                         return err;
4623         }
4624 
4625         return err;
4626 }
4627 
4628 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4629                                             int __user *optlen, unsigned len)
4630 {
4631         int err = 0;
4632         char *scontext;
4633         u32 scontext_len;
4634         struct sk_security_struct *sksec = sock->sk->sk_security;
4635         u32 peer_sid = SECSID_NULL;
4636 
4637         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4638             sksec->sclass == SECCLASS_TCP_SOCKET)
4639                 peer_sid = sksec->peer_sid;
4640         if (peer_sid == SECSID_NULL)
4641                 return -ENOPROTOOPT;
4642 
4643         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4644         if (err)
4645                 return err;
4646 
4647         if (scontext_len > len) {
4648                 err = -ERANGE;
4649                 goto out_len;
4650         }
4651 
4652         if (copy_to_user(optval, scontext, scontext_len))
4653                 err = -EFAULT;
4654 
4655 out_len:
4656         if (put_user(scontext_len, optlen))
4657                 err = -EFAULT;
4658         kfree(scontext);
4659         return err;
4660 }
4661 
4662 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4663 {
4664         u32 peer_secid = SECSID_NULL;
4665         u16 family;
4666         struct inode_security_struct *isec;
4667 
4668         if (skb && skb->protocol == htons(ETH_P_IP))
4669                 family = PF_INET;
4670         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4671                 family = PF_INET6;
4672         else if (sock)
4673                 family = sock->sk->sk_family;
4674         else
4675                 goto out;
4676 
4677         if (sock && family == PF_UNIX) {
4678                 isec = inode_security_novalidate(SOCK_INODE(sock));
4679                 peer_secid = isec->sid;
4680         } else if (skb)
4681                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4682 
4683 out:
4684         *secid = peer_secid;
4685         if (peer_secid == SECSID_NULL)
4686                 return -EINVAL;
4687         return 0;
4688 }
4689 
4690 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4691 {
4692         struct sk_security_struct *sksec;
4693 
4694         sksec = kzalloc(sizeof(*sksec), priority);
4695         if (!sksec)
4696                 return -ENOMEM;
4697 
4698         sksec->peer_sid = SECINITSID_UNLABELED;
4699         sksec->sid = SECINITSID_UNLABELED;
4700         sksec->sclass = SECCLASS_SOCKET;
4701         selinux_netlbl_sk_security_reset(sksec);
4702         sk->sk_security = sksec;
4703 
4704         return 0;
4705 }
4706 
4707 static void selinux_sk_free_security(struct sock *sk)
4708 {
4709         struct sk_security_struct *sksec = sk->sk_security;
4710 
4711         sk->sk_security = NULL;
4712         selinux_netlbl_sk_security_free(sksec);
4713         kfree(sksec);
4714 }
4715 
4716 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4717 {
4718         struct sk_security_struct *sksec = sk->sk_security;
4719         struct sk_security_struct *newsksec = newsk->sk_security;
4720 
4721         newsksec->sid = sksec->sid;
4722         newsksec->peer_sid = sksec->peer_sid;
4723         newsksec->sclass = sksec->sclass;
4724 
4725         selinux_netlbl_sk_security_reset(newsksec);
4726 }
4727 
4728 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4729 {
4730         if (!sk)
4731                 *secid = SECINITSID_ANY_SOCKET;
4732         else {
4733                 struct sk_security_struct *sksec = sk->sk_security;
4734 
4735                 *secid = sksec->sid;
4736         }
4737 }
4738 
4739 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4740 {
4741         struct inode_security_struct *isec =
4742                 inode_security_novalidate(SOCK_INODE(parent));
4743         struct sk_security_struct *sksec = sk->sk_security;
4744 
4745         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4746             sk->sk_family == PF_UNIX)
4747                 isec->sid = sksec->sid;
4748         sksec->sclass = isec->sclass;
4749 }
4750 
4751 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4752                                      struct request_sock *req)
4753 {
4754         struct sk_security_struct *sksec = sk->sk_security;
4755         int err;
4756         u16 family = req->rsk_ops->family;
4757         u32 connsid;
4758         u32 peersid;
4759 
4760         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4761         if (err)
4762                 return err;
4763         err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4764         if (err)
4765                 return err;
4766         req->secid = connsid;
4767         req->peer_secid = peersid;
4768 
4769         return selinux_netlbl_inet_conn_request(req, family);
4770 }
4771 
4772 static void selinux_inet_csk_clone(struct sock *newsk,
4773                                    const struct request_sock *req)
4774 {
4775         struct sk_security_struct *newsksec = newsk->sk_security;
4776 
4777         newsksec->sid = req->secid;
4778         newsksec->peer_sid = req->peer_secid;
4779         /* NOTE: Ideally, we should also get the isec->sid for the
4780            new socket in sync, but we don't have the isec available yet.
4781            So we will wait until sock_graft to do it, by which
4782            time it will have been created and available. */
4783 
4784         /* We don't need to take any sort of lock here as we are the only
4785          * thread with access to newsksec */
4786         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4787 }
4788 
4789 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4790 {
4791         u16 family = sk->sk_family;
4792         struct sk_security_struct *sksec = sk->sk_security;
4793 
4794         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4795         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4796                 family = PF_INET;
4797 
4798         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4799 }
4800 
4801 static int selinux_secmark_relabel_packet(u32 sid)
4802 {
4803         const struct task_security_struct *__tsec;
4804         u32 tsid;
4805 
4806         __tsec = current_security();
4807         tsid = __tsec->sid;
4808 
4809         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4810 }
4811 
4812 static void selinux_secmark_refcount_inc(void)
4813 {
4814         atomic_inc(&selinux_secmark_refcount);
4815 }
4816 
4817 static void selinux_secmark_refcount_dec(void)
4818 {
4819         atomic_dec(&selinux_secmark_refcount);
4820 }
4821 
4822 static void selinux_req_classify_flow(const struct request_sock *req,
4823                                       struct flowi *fl)
4824 {
4825         fl->flowi_secid = req->secid;
4826 }
4827 
4828 static int selinux_tun_dev_alloc_security(void **security)
4829 {
4830         struct tun_security_struct *tunsec;
4831 
4832         tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4833         if (!tunsec)
4834                 return -ENOMEM;
4835         tunsec->sid = current_sid();
4836 
4837         *security = tunsec;
4838         return 0;
4839 }
4840 
4841 static void selinux_tun_dev_free_security(void *security)
4842 {
4843         kfree(security);
4844 }
4845 
4846 static int selinux_tun_dev_create(void)
4847 {
4848         u32 sid = current_sid();
4849 
4850         /* we aren't taking into account the "sockcreate" SID since the socket
4851          * that is being created here is not a socket in the traditional sense,
4852          * instead it is a private sock, accessible only to the kernel, and
4853          * representing a wide range of network traffic spanning multiple
4854          * connections unlike traditional sockets - check the TUN driver to
4855          * get a better understanding of why this socket is special */
4856 
4857         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4858                             NULL);
4859 }
4860 
4861 static int selinux_tun_dev_attach_queue(void *security)
4862 {
4863         struct tun_security_struct *tunsec = security;
4864 
4865         return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4866                             TUN_SOCKET__ATTACH_QUEUE, NULL);
4867 }
4868 
4869 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4870 {
4871         struct tun_security_struct *tunsec = security;
4872         struct sk_security_struct *sksec = sk->sk_security;
4873 
4874         /* we don't currently perform any NetLabel based labeling here and it
4875          * isn't clear that we would want to do so anyway; while we could apply
4876          * labeling without the support of the TUN user the resulting labeled
4877          * traffic from the other end of the connection would almost certainly
4878          * cause confusion to the TUN user that had no idea network labeling
4879          * protocols were being used */
4880 
4881         sksec->sid = tunsec->sid;
4882         sksec->sclass = SECCLASS_TUN_SOCKET;
4883 
4884         return 0;
4885 }
4886 
4887 static int selinux_tun_dev_open(void *security)
4888 {
4889         struct tun_security_struct *tunsec = security;
4890         u32 sid = current_sid();
4891         int err;
4892 
4893         err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4894                            TUN_SOCKET__RELABELFROM, NULL);
4895         if (err)
4896                 return err;
4897         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4898                            TUN_SOCKET__RELABELTO, NULL);
4899         if (err)
4900                 return err;
4901         tunsec->sid = sid;
4902 
4903         return 0;
4904 }
4905 
4906 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4907 {
4908         int err = 0;
4909         u32 perm;
4910         struct nlmsghdr *nlh;
4911         struct sk_security_struct *sksec = sk->sk_security;
4912 
4913         if (skb->len < NLMSG_HDRLEN) {
4914                 err = -EINVAL;
4915                 goto out;
4916         }
4917         nlh = nlmsg_hdr(skb);
4918 
4919         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4920         if (err) {
4921                 if (err == -EINVAL) {
4922                         pr_warn_ratelimited("SELinux: unrecognized netlink"
4923                                " message: protocol=%hu nlmsg_type=%hu sclass=%s"
4924                                " pig=%d comm=%s\n",
4925                                sk->sk_protocol, nlh->nlmsg_type,
4926                                secclass_map[sksec->sclass - 1].name,
4927                                task_pid_nr(current), current->comm);
4928                         if (!selinux_enforcing || security_get_allow_unknown())
4929                                 err = 0;
4930                 }
4931 
4932                 /* Ignore */
4933                 if (err == -ENOENT)
4934                         err = 0;
4935                 goto out;
4936         }
4937 
4938         err = sock_has_perm(current, sk, perm);
4939 out:
4940         return err;
4941 }
4942 
4943 #ifdef CONFIG_NETFILTER
4944 
4945 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4946                                        const struct net_device *indev,
4947                                        u16 family)
4948 {
4949         int err;
4950         char *addrp;
4951         u32 peer_sid;
4952         struct common_audit_data ad;
4953         struct lsm_network_audit net = {0,};
4954         u8 secmark_active;
4955         u8 netlbl_active;
4956         u8 peerlbl_active;
4957 
4958         if (!selinux_policycap_netpeer)
4959                 return NF_ACCEPT;
4960 
4961         secmark_active = selinux_secmark_enabled();
4962         netlbl_active = netlbl_enabled();
4963         peerlbl_active = selinux_peerlbl_enabled();
4964         if (!secmark_active && !peerlbl_active)
4965                 return NF_ACCEPT;
4966 
4967         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4968                 return NF_DROP;
4969 
4970         ad.type = LSM_AUDIT_DATA_NET;
4971         ad.u.net = &net;
4972         ad.u.net->netif = indev->ifindex;
4973         ad.u.net->family = family;
4974         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4975                 return NF_DROP;
4976 
4977         if (peerlbl_active) {
4978                 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4979                                                addrp, family, peer_sid, &ad);
4980                 if (err) {
4981                         selinux_netlbl_err(skb, err, 1);
4982                         return NF_DROP;
4983                 }
4984         }
4985 
4986         if (secmark_active)
4987                 if (avc_has_perm(peer_sid, skb->secmark,
4988                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4989                         return NF_DROP;
4990 
4991         if (netlbl_active)
4992                 /* we do this in the FORWARD path and not the POST_ROUTING
4993                  * path because we want to make sure we apply the necessary
4994                  * labeling before IPsec is applied so we can leverage AH
4995                  * protection */
4996                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4997                         return NF_DROP;
4998 
4999         return NF_ACCEPT;
5000 }
5001 
5002 static unsigned int selinux_ipv4_forward(void *priv,
5003                                          struct sk_buff *skb,
5004                                          const struct nf_hook_state *state)
5005 {
5006         return selinux_ip_forward(skb, state->in, PF_INET);
5007 }
5008 
5009 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5010 static unsigned int selinux_ipv6_forward(void *priv,
5011                                          struct sk_buff *skb,
5012                                          const struct nf_hook_state *state)
5013 {
5014         return selinux_ip_forward(skb, state->in, PF_INET6);
5015 }
5016 #endif  /* IPV6 */
5017 
5018 static unsigned int selinux_ip_output(struct sk_buff *skb,
5019                                       u16 family)
5020 {
5021         struct sock *sk;
5022         u32 sid;
5023 
5024         if (!netlbl_enabled())
5025                 return NF_ACCEPT;
5026 
5027         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5028          * because we want to make sure we apply the necessary labeling
5029          * before IPsec is applied so we can leverage AH protection */
5030         sk = skb->sk;
5031         if (sk) {
5032                 struct sk_security_struct *sksec;
5033 
5034                 if (sk_listener(sk))
5035                         /* if the socket is the listening state then this
5036                          * packet is a SYN-ACK packet which means it needs to
5037                          * be labeled based on the connection/request_sock and
5038                          * not the parent socket.  unfortunately, we can't
5039                          * lookup the request_sock yet as it isn't queued on
5040                          * the parent socket until after the SYN-ACK is sent.
5041                          * the "solution" is to simply pass the packet as-is
5042                          * as any IP option based labeling should be copied
5043                          * from the initial connection request (in the IP
5044                          * layer).  it is far from ideal, but until we get a
5045                          * security label in the packet itself this is the
5046                          * best we can do. */
5047                         return NF_ACCEPT;
5048 
5049                 /* standard practice, label using the parent socket */
5050                 sksec = sk->sk_security;
5051                 sid = sksec->sid;
5052         } else
5053                 sid = SECINITSID_KERNEL;
5054         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5055                 return NF_DROP;
5056 
5057         return NF_ACCEPT;
5058 }
5059 
5060 static unsigned int selinux_ipv4_output(void *priv,
5061                                         struct sk_buff *skb,
5062                                         const struct nf_hook_state *state)
5063 {
5064         return selinux_ip_output(skb, PF_INET);
5065 }
5066 
5067 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5068                                                 int ifindex,
5069                                                 u16 family)
5070 {
5071         struct sock *sk = skb_to_full_sk(skb);
5072         struct sk_security_struct *sksec;
5073         struct common_audit_data ad;
5074         struct lsm_network_audit net = {0,};
5075         char *addrp;
5076         u8 proto;
5077 
5078         if (sk == NULL)
5079                 return NF_ACCEPT;
5080         sksec = sk->sk_security;
5081 
5082         ad.type = LSM_AUDIT_DATA_NET;
5083         ad.u.net = &net;
5084         ad.u.net->netif = ifindex;
5085         ad.u.net->family = family;
5086         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5087                 return NF_DROP;
5088 
5089         if (selinux_secmark_enabled())
5090                 if (avc_has_perm(sksec->sid, skb->secmark,
5091                                  SECCLASS_PACKET, PACKET__SEND, &ad))
5092                         return NF_DROP_ERR(-ECONNREFUSED);
5093 
5094         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5095                 return NF_DROP_ERR(-ECONNREFUSED);
5096 
5097         return NF_ACCEPT;
5098 }
5099 
5100 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5101                                          const struct net_device *outdev,
5102                                          u16 family)
5103 {
5104         u32 secmark_perm;
5105         u32 peer_sid;
5106         int ifindex = outdev->ifindex;
5107         struct sock *sk;
5108         struct common_audit_data ad;
5109         struct lsm_network_audit net = {0,};
5110         char *addrp;
5111         u8 secmark_active;
5112         u8 peerlbl_active;
5113 
5114         /* If any sort of compatibility mode is enabled then handoff processing
5115          * to the selinux_ip_postroute_compat() function to deal with the
5116          * special handling.  We do this in an attempt to keep this function
5117          * as fast and as clean as possible. */
5118         if (!selinux_policycap_netpeer)
5119                 return selinux_ip_postroute_compat(skb, ifindex, family);
5120 
5121         secmark_active = selinux_secmark_enabled();
5122         peerlbl_active = selinux_peerlbl_enabled();
5123         if (!secmark_active && !peerlbl_active)
5124                 return NF_ACCEPT;
5125 
5126         sk = skb_to_full_sk(skb);
5127 
5128 #ifdef CONFIG_XFRM
5129         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5130          * packet transformation so allow the packet to pass without any checks
5131          * since we'll have another chance to perform access control checks
5132          * when the packet is on it's final way out.
5133          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5134          *       is NULL, in this case go ahead and apply access control.
5135          * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5136          *       TCP listening state we cannot wait until the XFRM processing
5137          *       is done as we will miss out on the SA label if we do;
5138          *       unfortunately, this means more work, but it is only once per
5139          *       connection. */
5140         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5141             !(sk && sk_listener(sk)))
5142                 return NF_ACCEPT;
5143 #endif
5144 
5145         if (sk == NULL) {
5146                 /* Without an associated socket the packet is either coming
5147                  * from the kernel or it is being forwarded; check the packet
5148                  * to determine which and if the packet is being forwarded
5149                  * query the packet directly to determine the security label. */
5150                 if (skb->skb_iif) {
5151                         secmark_perm = PACKET__FORWARD_OUT;
5152                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5153                                 return NF_DROP;
5154                 } else {
5155                         secmark_perm = PACKET__SEND;
5156                         peer_sid = SECINITSID_KERNEL;
5157                 }
5158         } else if (sk_listener(sk)) {
5159                 /* Locally generated packet but the associated socket is in the
5160                  * listening state which means this is a SYN-ACK packet.  In
5161                  * this particular case the correct security label is assigned
5162                  * to the connection/request_sock but unfortunately we can't
5163                  * query the request_sock as it isn't queued on the parent
5164                  * socket until after the SYN-ACK packet is sent; the only
5165                  * viable choice is to regenerate the label like we do in
5166                  * selinux_inet_conn_request().  See also selinux_ip_output()
5167                  * for similar problems. */
5168                 u32 skb_sid;
5169                 struct sk_security_struct *sksec;
5170 
5171                 sksec = sk->sk_security;
5172                 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5173                         return NF_DROP;
5174                 /* At this point, if the returned skb peerlbl is SECSID_NULL
5175                  * and the packet has been through at least one XFRM
5176                  * transformation then we must be dealing with the "final"
5177                  * form of labeled IPsec packet; since we've already applied
5178                  * all of our access controls on this packet we can safely
5179                  * pass the packet. */
5180                 if (skb_sid == SECSID_NULL) {
5181                         switch (family) {
5182                         case PF_INET:
5183                                 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5184                                         return NF_ACCEPT;
5185                                 break;
5186                         case PF_INET6:
5187                                 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5188                                         return NF_ACCEPT;
5189                                 break;
5190                         default:
5191                                 return NF_DROP_ERR(-ECONNREFUSED);
5192                         }
5193                 }
5194                 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5195                         return NF_DROP;
5196                 secmark_perm = PACKET__SEND;
5197         } else {
5198                 /* Locally generated packet, fetch the security label from the
5199                  * associated socket. */
5200                 struct sk_security_struct *sksec = sk->sk_security;
5201                 peer_sid = sksec->sid;
5202                 secmark_perm = PACKET__SEND;
5203         }
5204 
5205         ad.type = LSM_AUDIT_DATA_NET;
5206         ad.u.net = &net;
5207         ad.u.net->netif = ifindex;
5208         ad.u.net->family = family;
5209         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5210                 return NF_DROP;
5211 
5212         if (secmark_active)
5213                 if (avc_has_perm(peer_sid, skb->secmark,
5214                                  SECCLASS_PACKET, secmark_perm, &ad))
5215                         return NF_DROP_ERR(-ECONNREFUSED);
5216 
5217         if (peerlbl_active) {
5218                 u32 if_sid;
5219                 u32 node_sid;
5220 
5221                 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5222                         return NF_DROP;
5223                 if (avc_has_perm(peer_sid, if_sid,
5224                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
5225                         return NF_DROP_ERR(-ECONNREFUSED);
5226 
5227                 if (sel_netnode_sid(addrp, family, &node_sid))
5228                         return NF_DROP;
5229                 if (avc_has_perm(peer_sid, node_sid,
5230                                  SECCLASS_NODE, NODE__SENDTO, &ad))
5231                         return NF_DROP_ERR(-ECONNREFUSED);
5232         }
5233 
5234         return NF_ACCEPT;
5235 }
5236 
5237 static unsigned int selinux_ipv4_postroute(void *priv,
5238                                            struct sk_buff *skb,
5239                                            const struct nf_hook_state *state)
5240 {
5241         return selinux_ip_postroute(skb, state->out, PF_INET);
5242 }
5243 
5244 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5245 static unsigned int selinux_ipv6_postroute(void *priv,
5246                                            struct sk_buff *skb,
5247                                            const struct nf_hook_state *state)
5248 {
5249         return selinux_ip_postroute(skb, state->out, PF_INET6);
5250 }
5251 #endif  /* IPV6 */
5252 
5253 #endif  /* CONFIG_NETFILTER */
5254 
5255 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5256 {
5257         return selinux_nlmsg_perm(sk, skb);
5258 }
5259 
5260 static int ipc_alloc_security(struct task_struct *task,
5261                               struct kern_ipc_perm *perm,
5262                               u16 sclass)
5263 {
5264         struct ipc_security_struct *isec;
5265         u32 sid;
5266 
5267         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5268         if (!isec)
5269                 return -ENOMEM;
5270 
5271         sid = task_sid(task);
5272         isec->sclass = sclass;
5273         isec->sid = sid;
5274         perm->security = isec;
5275 
5276         return 0;
5277 }
5278 
5279 static void ipc_free_security(struct kern_ipc_perm *perm)
5280 {
5281         struct ipc_security_struct *isec = perm->security;
5282         perm->security = NULL;
5283         kfree(isec);
5284 }
5285 
5286 static int msg_msg_alloc_security(struct msg_msg *msg)
5287 {
5288         struct msg_security_struct *msec;
5289 
5290         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5291         if (!msec)
5292                 return -ENOMEM;
5293 
5294         msec->sid = SECINITSID_UNLABELED;
5295         msg->security = msec;
5296 
5297         return 0;
5298 }
5299 
5300 static void msg_msg_free_security(struct msg_msg *msg)
5301 {
5302         struct msg_security_struct *msec = msg->security;
5303 
5304         msg->security = NULL;
5305         kfree(msec);
5306 }
5307 
5308 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5309                         u32 perms)
5310 {
5311         struct ipc_security_struct *isec;
5312         struct common_audit_data ad;
5313         u32 sid = current_sid();
5314 
5315         isec = ipc_perms->security;
5316 
5317         ad.type = LSM_AUDIT_DATA_IPC;
5318         ad.u.ipc_id = ipc_perms->key;
5319 
5320         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5321 }
5322 
5323 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5324 {
5325         return msg_msg_alloc_security(msg);
5326 }
5327 
5328 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5329 {
5330         msg_msg_free_security(msg);
5331 }
5332 
5333 /* message queue security operations */
5334 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5335 {
5336         struct ipc_security_struct *isec;
5337         struct common_audit_data ad;
5338         u32 sid = current_sid();
5339         int rc;
5340 
5341         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5342         if (rc)
5343                 return rc;
5344 
5345         isec = msq->q_perm.security;
5346 
5347         ad.type = LSM_AUDIT_DATA_IPC;
5348         ad.u.ipc_id = msq->q_perm.key;
5349 
5350         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5351                           MSGQ__CREATE, &ad);
5352         if (rc) {
5353                 ipc_free_security(&msq->q_perm);
5354                 return rc;
5355         }
5356         return 0;
5357 }
5358 
5359 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5360 {
5361         ipc_free_security(&msq->q_perm);
5362 }
5363 
5364 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5365 {
5366         struct ipc_security_struct *isec;
5367         struct common_audit_data ad;
5368         u32 sid = current_sid();
5369 
5370         isec = msq->q_perm.security;
5371 
5372         ad.type = LSM_AUDIT_DATA_IPC;
5373         ad.u.ipc_id = msq->q_perm.key;
5374 
5375         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5376                             MSGQ__ASSOCIATE, &ad);
5377 }
5378 
5379 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5380 {
5381         int err;
5382         int perms;
5383 
5384         switch (cmd) {
5385         case IPC_INFO:
5386         case MSG_INFO:
5387                 /* No specific object, just general system-wide information. */
5388                 return task_has_system(current, SYSTEM__IPC_INFO);
5389         case IPC_STAT:
5390         case MSG_STAT:
5391                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5392                 break;
5393         case IPC_SET:
5394                 perms = MSGQ__SETATTR;
5395                 break;
5396         case IPC_RMID:
5397                 perms = MSGQ__DESTROY;
5398                 break;
5399         default:
5400                 return 0;
5401         }
5402 
5403         err = ipc_has_perm(&msq->q_perm, perms);
5404         return err;
5405 }
5406 
5407 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5408 {
5409         struct ipc_security_struct *isec;
5410         struct msg_security_struct *msec;
5411         struct common_audit_data ad;
5412         u32 sid = current_sid();
5413         int rc;
5414 
5415         isec = msq->q_perm.security;
5416         msec = msg->security;
5417 
5418         /*
5419          * First time through, need to assign label to the message
5420          */
5421         if (msec->sid == SECINITSID_UNLABELED) {
5422                 /*
5423                  * Compute new sid based on current process and
5424                  * message queue this message will be stored in
5425                  */
5426                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5427                                              NULL, &msec->sid);
5428                 if (rc)
5429                         return rc;
5430         }
5431 
5432         ad.type = LSM_AUDIT_DATA_IPC;
5433         ad.u.ipc_id = msq->q_perm.key;
5434 
5435         /* Can this process write to the queue? */
5436         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5437                           MSGQ__WRITE, &ad);
5438         if (!rc)
5439                 /* Can this process send the message */
5440                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5441                                   MSG__SEND, &ad);
5442         if (!rc)
5443                 /* Can the message be put in the queue? */
5444                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5445                                   MSGQ__ENQUEUE, &ad);
5446 
5447         return rc;
5448 }
5449 
5450 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5451                                     struct task_struct *target,
5452                                     long type, int mode)
5453 {
5454         struct ipc_security_struct *isec;
5455         struct msg_security_struct *msec;
5456         struct common_audit_data ad;
5457         u32 sid = task_sid(target);
5458         int rc;
5459 
5460         isec = msq->q_perm.security;
5461         msec = msg->security;
5462 
5463         ad.type = LSM_AUDIT_DATA_IPC;
5464         ad.u.ipc_id = msq->q_perm.key;
5465 
5466         rc = avc_has_perm(sid, isec->sid,
5467                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5468         if (!rc)
5469                 rc = avc_has_perm(sid, msec->sid,
5470                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5471         return rc;
5472 }
5473 
5474 /* Shared Memory security operations */
5475 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5476 {
5477         struct ipc_security_struct *isec;
5478         struct common_audit_data ad;
5479         u32 sid = current_sid();
5480         int rc;
5481 
5482         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5483         if (rc)
5484                 return rc;
5485 
5486         isec = shp->shm_perm.security;
5487 
5488         ad.type = LSM_AUDIT_DATA_IPC;
5489         ad.u.ipc_id = shp->shm_perm.key;
5490 
5491         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5492                           SHM__CREATE, &ad);
5493         if (rc) {
5494                 ipc_free_security(&shp->shm_perm);
5495                 return rc;
5496         }
5497         return 0;
5498 }
5499 
5500 static void selinux_shm_free_security(struct shmid_kernel *shp)
5501 {
5502         ipc_free_security(&shp->shm_perm);
5503 }
5504 
5505 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5506 {
5507         struct ipc_security_struct *isec;
5508         struct common_audit_data ad;
5509         u32 sid = current_sid();
5510 
5511         isec = shp->shm_perm.security;
5512 
5513         ad.type = LSM_AUDIT_DATA_IPC;
5514         ad.u.ipc_id = shp->shm_perm.key;
5515 
5516         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5517                             SHM__ASSOCIATE, &ad);
5518 }
5519 
5520 /* Note, at this point, shp is locked down */
5521 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5522 {
5523         int perms;
5524         int err;
5525 
5526         switch (cmd) {
5527         case IPC_INFO:
5528         case SHM_INFO:
5529                 /* No specific object, just general system-wide information. */
5530                 return task_has_system(current, SYSTEM__IPC_INFO);
5531         case IPC_STAT:
5532         case SHM_STAT:
5533                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5534                 break;
5535         case IPC_SET:
5536                 perms = SHM__SETATTR;
5537                 break;
5538         case SHM_LOCK:
5539         case SHM_UNLOCK:
5540                 perms = SHM__LOCK;
5541                 break;
5542         case IPC_RMID:
5543                 perms = SHM__DESTROY;
5544                 break;
5545         default:
5546                 return 0;
5547         }
5548 
5549         err = ipc_has_perm(&shp->shm_perm, perms);
5550         return err;
5551 }
5552 
5553 static int selinux_shm_shmat(struct shmid_kernel *shp,
5554                              char __user *shmaddr, int shmflg)
5555 {
5556         u32 perms;
5557 
5558         if (shmflg & SHM_RDONLY)
5559                 perms = SHM__READ;
5560         else
5561                 perms = SHM__READ | SHM__WRITE;
5562 
5563         return ipc_has_perm(&shp->shm_perm, perms);
5564 }
5565 
5566 /* Semaphore security operations */
5567 static int selinux_sem_alloc_security(struct sem_array *sma)
5568 {
5569         struct ipc_security_struct *isec;
5570         struct common_audit_data ad;
5571         u32 sid = current_sid();
5572         int rc;
5573 
5574         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5575         if (rc)
5576                 return rc;
5577 
5578         isec = sma->sem_perm.security;
5579 
5580         ad.type = LSM_AUDIT_DATA_IPC;
5581         ad.u.ipc_id = sma->sem_perm.key;
5582 
5583         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5584                           SEM__CREATE, &ad);
5585         if (rc) {
5586                 ipc_free_security(&sma->sem_perm);
5587                 return rc;
5588         }
5589         return 0;
5590 }
5591 
5592 static void selinux_sem_free_security(struct sem_array *sma)
5593 {
5594         ipc_free_security(&sma->sem_perm);
5595 }
5596 
5597 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5598 {
5599         struct ipc_security_struct *isec;
5600         struct common_audit_data ad;
5601         u32 sid = current_sid();
5602 
5603         isec = sma->sem_perm.security;
5604 
5605         ad.type = LSM_AUDIT_DATA_IPC;
5606         ad.u.ipc_id = sma->sem_perm.key;
5607 
5608         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5609                             SEM__ASSOCIATE, &ad);
5610 }
5611 
5612 /* Note, at this point, sma is locked down */
5613 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5614 {
5615         int err;
5616         u32 perms;
5617 
5618         switch (cmd) {
5619         case IPC_INFO:
5620         case SEM_INFO:
5621                 /* No specific object, just general system-wide information. */
5622                 return task_has_system(current, SYSTEM__IPC_INFO);
5623         case GETPID:
5624         case GETNCNT:
5625         case GETZCNT:
5626                 perms = SEM__GETATTR;
5627                 break;
5628         case GETVAL:
5629         case GETALL:
5630                 perms = SEM__READ;
5631                 break;
5632         case SETVAL:
5633         case SETALL:
5634                 perms = SEM__WRITE;
5635                 break;
5636         case IPC_RMID:
5637                 perms = SEM__DESTROY;
5638                 break;
5639         case IPC_SET:
5640                 perms = SEM__SETATTR;
5641                 break;
5642         case IPC_STAT:
5643         case SEM_STAT:
5644                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5645                 break;
5646         default:
5647                 return 0;
5648         }
5649 
5650         err = ipc_has_perm(&sma->sem_perm, perms);
5651         return err;
5652 }
5653 
5654 static int selinux_sem_semop(struct sem_array *sma,
5655                              struct sembuf *sops, unsigned nsops, int alter)
5656 {
5657         u32 perms;
5658 
5659         if (alter)
5660                 perms = SEM__READ | SEM__WRITE;
5661         else
5662                 perms = SEM__READ;
5663 
5664         return ipc_has_perm(&sma->sem_perm, perms);
5665 }
5666 
5667 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5668 {
5669         u32 av = 0;
5670 
5671         av = 0;
5672         if (flag & S_IRUGO)
5673                 av |= IPC__UNIX_READ;
5674         if (flag & S_IWUGO)
5675                 av |= IPC__UNIX_WRITE;
5676 
5677         if (av == 0)
5678                 return 0;
5679 
5680         return ipc_has_perm(ipcp, av);
5681 }
5682 
5683 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5684 {
5685         struct ipc_security_struct *isec = ipcp->security;
5686         *secid = isec->sid;
5687 }
5688 
5689 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5690 {
5691         if (inode)
5692                 inode_doinit_with_dentry(inode, dentry);
5693 }
5694 
5695 static int selinux_getprocattr(struct task_struct *p,
5696                                char *name, char **value)
5697 {
5698         const struct task_security_struct *__tsec;
5699         u32 sid;
5700         int error;
5701         unsigned len;
5702 
5703         if (current != p) {
5704                 error = current_has_perm(p, PROCESS__GETATTR);
5705                 if (error)
5706                         return error;
5707         }
5708 
5709         rcu_read_lock();
5710         __tsec = __task_cred(p)->security;
5711 
5712         if (!strcmp(name, "current"))
5713                 sid = __tsec->sid;
5714         else if (!strcmp(name, "prev"))
5715                 sid = __tsec->osid;
5716         else if (!strcmp(name, "exec"))
5717                 sid = __tsec->exec_sid;
5718         else if (!strcmp(name, "fscreate"))
5719                 sid = __tsec->create_sid;
5720         else if (!strcmp(name, "keycreate"))
5721                 sid = __tsec->keycreate_sid;
5722         else if (!strcmp(name, "sockcreate"))
5723                 sid = __tsec->sockcreate_sid;
5724         else
5725                 goto invalid;
5726         rcu_read_unlock();
5727 
5728         if (!sid)
5729                 return 0;
5730 
5731         error = security_sid_to_context(sid, value, &len);
5732         if (error)
5733                 return error;
5734         return len;
5735 
5736 invalid:
5737         rcu_read_unlock();
5738         return -EINVAL;
5739 }
5740 
5741 static int selinux_setprocattr(struct task_struct *p,
5742                                char *name, void *value, size_t size)
5743 {
5744         struct task_security_struct *tsec;
5745         struct cred *new;
5746         u32 sid = 0, ptsid;
5747         int error;
5748         char *str = value;
5749 
5750         if (current != p) {
5751                 /* SELinux only allows a process to change its own
5752                    security attributes. */
5753                 return -EACCES;
5754         }
5755 
5756         /*
5757          * Basic control over ability to set these attributes at all.
5758          * current == p, but we'll pass them separately in case the
5759          * above restriction is ever removed.
5760          */
5761         if (!strcmp(name, "exec"))
5762                 error = current_has_perm(p, PROCESS__SETEXEC);
5763         else if (!strcmp(name, "fscreate"))
5764                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5765         else if (!strcmp(name, "keycreate"))
5766                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5767         else if (!strcmp(name, "sockcreate"))
5768                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5769         else if (!strcmp(name, "current"))
5770                 error = current_has_perm(p, PROCESS__SETCURRENT);
5771         else
5772                 error = -EINVAL;
5773         if (error)
5774                 return error;
5775 
5776         /* Obtain a SID for the context, if one was specified. */
5777         if (size && str[1] && str[1] != '\n') {
5778                 if (str[size-1] == '\n') {
5779                         str[size-1] = 0;
5780                         size--;
5781                 }
5782                 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5783                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5784                         if (!capable(CAP_MAC_ADMIN)) {
5785                                 struct audit_buffer *ab;
5786                                 size_t audit_size;
5787 
5788                                 /* We strip a nul only if it is at the end, otherwise the
5789                                  * context contains a nul and we should audit that */
5790                                 if (str[size - 1] == '\0')
5791                                         audit_size = size - 1;
5792                                 else
5793                                         audit_size = size;
5794                                 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5795                                 audit_log_format(ab, "op=fscreate invalid_context=");
5796                                 audit_log_n_untrustedstring(ab, value, audit_size);
5797                                 audit_log_end(ab);
5798 
5799                                 return error;
5800                         }
5801                         error = security_context_to_sid_force(value, size,
5802                                                               &sid);
5803                 }
5804                 if (error)
5805                         return error;
5806         }
5807 
5808         new = prepare_creds();
5809         if (!new)
5810                 return -ENOMEM;
5811 
5812         /* Permission checking based on the specified context is
5813            performed during the actual operation (execve,
5814            open/mkdir/...), when we know the full context of the
5815            operation.  See selinux_bprm_set_creds for the execve
5816            checks and may_create for the file creation checks. The
5817            operation will then fail if the context is not permitted. */
5818         tsec = new->security;
5819         if (!strcmp(name, "exec")) {
5820                 tsec->exec_sid = sid;
5821         } else if (!strcmp(name, "fscreate")) {
5822                 tsec->create_sid = sid;
5823         } else if (!strcmp(name, "keycreate")) {
5824                 error = may_create_key(sid, p);
5825                 if (error)
5826                         goto abort_change;
5827                 tsec->keycreate_sid = sid;
5828         } else if (!strcmp(name, "sockcreate")) {
5829                 tsec->sockcreate_sid = sid;
5830         } else if (!strcmp(name, "current")) {
5831                 error = -EINVAL;
5832                 if (sid == 0)
5833                         goto abort_change;
5834 
5835                 /* Only allow single threaded processes to change context */
5836                 error = -EPERM;
5837                 if (!current_is_single_threaded()) {
5838                         error = security_bounded_transition(tsec->sid, sid);
5839                         if (error)
5840                                 goto abort_change;
5841                 }
5842 
5843                 /* Check permissions for the transition. */
5844                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5845                                      PROCESS__DYNTRANSITION, NULL);
5846                 if (error)
5847                         goto abort_change;
5848 
5849                 /* Check for ptracing, and update the task SID if ok.
5850                    Otherwise, leave SID unchanged and fail. */
5851                 ptsid = ptrace_parent_sid(p);
5852                 if (ptsid != 0) {
5853                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5854                                              PROCESS__PTRACE, NULL);
5855                         if (error)
5856                                 goto abort_change;
5857                 }
5858 
5859                 tsec->sid = sid;
5860         } else {
5861                 error = -EINVAL;
5862                 goto abort_change;
5863         }
5864 
5865         commit_creds(new);
5866         return size;
5867 
5868 abort_change:
5869         abort_creds(new);
5870         return error;
5871 }
5872 
5873 static int selinux_ismaclabel(const char *name)
5874 {
5875         return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5876 }
5877 
5878 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5879 {
5880         return security_sid_to_context(secid, secdata, seclen);
5881 }
5882 
5883 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5884 {
5885         return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5886 }
5887 
5888 static void selinux_release_secctx(char *secdata, u32 seclen)
5889 {
5890         kfree(secdata);
5891 }
5892 
5893 static void selinux_inode_invalidate_secctx(struct inode *inode)
5894 {
5895         struct inode_security_struct *isec = inode->i_security;
5896 
5897         mutex_lock(&isec->lock);
5898         isec->initialized = LABEL_INVALID;
5899         mutex_unlock(&isec->lock);
5900 }
5901 
5902 /*
5903  *      called with inode->i_mutex locked
5904  */
5905 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5906 {
5907         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5908 }
5909 
5910 /*
5911  *      called with inode->i_mutex locked
5912  */
5913 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5914 {
5915         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5916 }
5917 
5918 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5919 {
5920         int len = 0;
5921         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5922                                                 ctx, true);
5923         if (len < 0)
5924                 return len;
5925         *ctxlen = len;
5926         return 0;
5927 }
5928 #ifdef CONFIG_KEYS
5929 
5930 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5931                              unsigned long flags)
5932 {
5933         const struct task_security_struct *tsec;
5934         struct key_security_struct *ksec;
5935 
5936         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5937         if (!ksec)
5938                 return -ENOMEM;
5939 
5940         tsec = cred->security;
5941         if (tsec->keycreate_sid)
5942                 ksec->sid = tsec->keycreate_sid;
5943         else
5944                 ksec->sid = tsec->sid;
5945 
5946         k->security = ksec;
5947         return 0;
5948 }
5949 
5950 static void selinux_key_free(struct key *k)
5951 {
5952         struct key_security_struct *ksec = k->security;
5953 
5954         k->security = NULL;
5955         kfree(ksec);
5956 }
5957 
5958 static int selinux_key_permission(key_ref_t key_ref,
5959                                   const struct cred *cred,
5960                                   unsigned perm)
5961 {
5962         struct key *key;
5963         struct key_security_struct *ksec;
5964         u32 sid;
5965 
5966         /* if no specific permissions are requested, we skip the
5967            permission check. No serious, additional covert channels
5968            appear to be created. */
5969         if (perm == 0)
5970                 return 0;
5971 
5972         sid = cred_sid(cred);
5973 
5974         key = key_ref_to_ptr(key_ref);
5975         ksec = key->security;
5976 
5977         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5978 }
5979 
5980 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5981 {
5982         struct key_security_struct *ksec = key->security;
5983         char *context = NULL;
5984         unsigned len;
5985         int rc;
5986 
5987         rc = security_sid_to_context(ksec->sid, &context, &len);
5988         if (!rc)
5989                 rc = len;
5990         *_buffer = context;
5991         return rc;
5992 }
5993 
5994 #endif
5995 
5996 static struct security_hook_list selinux_hooks[] = {
5997         LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
5998         LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
5999         LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6000         LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6001 
6002         LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6003         LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6004         LSM_HOOK_INIT(capget, selinux_capget),
6005         LSM_HOOK_INIT(capset, selinux_capset),
6006         LSM_HOOK_INIT(capable, selinux_capable),
6007         LSM_HOOK_INIT(quotactl, selinux_quotactl),
6008         LSM_HOOK_INIT(quota_on, selinux_quota_on),
6009         LSM_HOOK_INIT(syslog, selinux_syslog),
6010         LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6011 
6012         LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6013 
6014         LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6015         LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6016         LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6017         LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6018 
6019         LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6020         LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6021         LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6022         LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6023         LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6024         LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6025         LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6026         LSM_HOOK_INIT(sb_mount, selinux_mount),
6027         LSM_HOOK_INIT(sb_umount, selinux_umount),
6028         LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6029         LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6030         LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6031 
6032         LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6033 
6034         LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6035         LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6036         LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6037         LSM_HOOK_INIT(inode_create, selinux_inode_create),
6038         LSM_HOOK_INIT(inode_link, selinux_inode_link),
6039         LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6040         LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6041         LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6042         LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6043         LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6044         LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6045         LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6046         LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6047         LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6048         LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6049         LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6050         LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6051         LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6052         LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6053         LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6054         LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6055         LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6056         LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6057         LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6058         LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6059 
6060         LSM_HOOK_INIT(file_permission, selinux_file_permission),
6061         LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6062         LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6063         LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6064         LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6065         LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6066         LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6067         LSM_HOOK_INIT(file_lock, selinux_file_lock),
6068         LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6069         LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6070         LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6071         LSM_HOOK_INIT(file_receive, selinux_file_receive),
6072 
6073         LSM_HOOK_INIT(file_open, selinux_file_open),
6074 
6075         LSM_HOOK_INIT(task_create, selinux_task_create),
6076         LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6077         LSM_HOOK_INIT(cred_free, selinux_cred_free),
6078         LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6079         LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6080         LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6081         LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6082         LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6083         LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6084         LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6085         LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6086         LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6087         LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6088         LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6089         LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6090         LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6091         LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6092         LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6093         LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6094         LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6095         LSM_HOOK_INIT(task_kill, selinux_task_kill),
6096         LSM_HOOK_INIT(task_wait, selinux_task_wait),
6097         LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6098 
6099         LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6100         LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6101 
6102         LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6103         LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6104 
6105         LSM_HOOK_INIT(msg_queue_alloc_security,
6106                         selinux_msg_queue_alloc_security),
6107         LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6108         LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6109         LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6110         LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6111         LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6112 
6113         LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6114         LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6115         LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6116         LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6117         LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6118 
6119         LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6120         LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6121         LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6122         LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6123         LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6124 
6125         LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6126 
6127         LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6128         LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6129 
6130         LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6131         LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6132         LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6133         LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6134         LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6135         LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6136         LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6137         LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6138 
6139         LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6140         LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6141 
6142         LSM_HOOK_INIT(socket_create, selinux_socket_create),
6143         LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6144         LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6145         LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6146         LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6147         LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6148         LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6149         LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6150         LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6151         LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6152         LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6153         LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6154         LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6155         LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6156         LSM_HOOK_INIT(socket_getpeersec_stream,
6157                         selinux_socket_getpeersec_stream),
6158         LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6159         LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6160         LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6161         LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6162         LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6163         LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6164         LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6165         LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6166         LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6167         LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6168         LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6169         LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6170         LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6171         LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6172         LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6173         LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6174         LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6175         LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6176         LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6177 
6178 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6179         LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6180         LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6181         LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6182         LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6183         LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6184         LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6185                         selinux_xfrm_state_alloc_acquire),
6186         LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6187         LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6188         LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6189         LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6190                         selinux_xfrm_state_pol_flow_match),
6191         LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6192 #endif
6193 
6194 #ifdef CONFIG_KEYS
6195         LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6196         LSM_HOOK_INIT(key_free, selinux_key_free),
6197         LSM_HOOK_INIT(key_permission, selinux_key_permission),
6198         LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6199 #endif
6200 
6201 #ifdef CONFIG_AUDIT
6202         LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6203         LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6204         LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6205         LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6206 #endif
6207 };
6208 
6209 static __init int selinux_init(void)
6210 {
6211         if (!security_module_enable("selinux")) {
6212                 selinux_enabled = 0;
6213                 return 0;
6214         }
6215 
6216         if (!selinux_enabled) {
6217                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
6218                 return 0;
6219         }
6220 
6221         printk(KERN_INFO "SELinux:  Initializing.\n");
6222 
6223         /* Set the security state for the initial task. */
6224         cred_init_security();
6225 
6226         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6227 
6228         sel_inode_cache = kmem_cache_create("selinux_inode_security",
6229                                             sizeof(struct inode_security_struct),
6230                                             0, SLAB_PANIC, NULL);
6231         file_security_cache = kmem_cache_create("selinux_file_security",
6232                                             sizeof(struct file_security_struct),
6233                                             0, SLAB_PANIC, NULL);
6234         avc_init();
6235 
6236         security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6237 
6238         if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6239                 panic("SELinux: Unable to register AVC netcache callback\n");
6240 
6241         if (selinux_enforcing)
6242                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6243         else
6244                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6245 
6246         return 0;
6247 }
6248 
6249 static void delayed_superblock_init(struct super_block *sb, void *unused)
6250 {
6251         superblock_doinit(sb, NULL);
6252 }
6253 
6254 void selinux_complete_init(void)
6255 {
6256         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6257 
6258         /* Set up any superblocks initialized prior to the policy load. */
6259         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6260         iterate_supers(delayed_superblock_init, NULL);
6261 }
6262 
6263 /* SELinux requires early initialization in order to label
6264    all processes and objects when they are created. */
6265 security_initcall(selinux_init);
6266 
6267 #if defined(CONFIG_NETFILTER)
6268 
6269 static struct nf_hook_ops selinux_nf_ops[] = {
6270         {
6271                 .hook =         selinux_ipv4_postroute,
6272                 .pf =           NFPROTO_IPV4,
6273                 .hooknum =      NF_INET_POST_ROUTING,
6274                 .priority =     NF_IP_PRI_SELINUX_LAST,
6275         },
6276         {
6277                 .hook =         selinux_ipv4_forward,
6278                 .pf =           NFPROTO_IPV4,
6279                 .hooknum =      NF_INET_FORWARD,
6280                 .priority =     NF_IP_PRI_SELINUX_FIRST,
6281         },
6282         {
6283                 .hook =         selinux_ipv4_output,
6284                 .pf =           NFPROTO_IPV4,
6285                 .hooknum =      NF_INET_LOCAL_OUT,
6286                 .priority =     NF_IP_PRI_SELINUX_FIRST,
6287         },
6288 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6289         {
6290                 .hook =         selinux_ipv6_postroute,
6291                 .pf =           NFPROTO_IPV6,
6292                 .hooknum =      NF_INET_POST_ROUTING,
6293                 .priority =     NF_IP6_PRI_SELINUX_LAST,
6294         },
6295         {
6296                 .hook =         selinux_ipv6_forward,
6297                 .pf =           NFPROTO_IPV6,
6298                 .hooknum =      NF_INET_FORWARD,
6299                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
6300         },
6301 #endif  /* IPV6 */
6302 };
6303 
6304 static int __init selinux_nf_ip_init(void)
6305 {
6306         int err;
6307 
6308         if (!selinux_enabled)
6309                 return 0;
6310 
6311         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6312 
6313         err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6314         if (err)
6315                 panic("SELinux: nf_register_hooks: error %d\n", err);
6316 
6317         return 0;
6318 }
6319 
6320 __initcall(selinux_nf_ip_init);
6321 
6322 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6323 static void selinux_nf_ip_exit(void)
6324 {
6325         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6326 
6327         nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6328 }
6329 #endif
6330 
6331 #else /* CONFIG_NETFILTER */
6332 
6333 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6334 #define selinux_nf_ip_exit()
6335 #endif
6336 
6337 #endif /* CONFIG_NETFILTER */
6338 
6339 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6340 static int selinux_disabled;
6341 
6342 int selinux_disable(void)
6343 {
6344         if (ss_initialized) {
6345                 /* Not permitted after initial policy load. */
6346                 return -EINVAL;
6347         }
6348 
6349         if (selinux_disabled) {
6350                 /* Only do this once. */
6351                 return -EINVAL;
6352         }
6353 
6354         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6355 
6356         selinux_disabled = 1;
6357         selinux_enabled = 0;
6358 
6359         security_delete_hooks(