~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/selinux/hooks.c

Version: ~ [ linux-5.13-rc1 ] ~ [ linux-5.12.2 ] ~ [ linux-5.11.19 ] ~ [ linux-5.10.35 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.117 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.190 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.232 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.268 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.268 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  *  NSA Security-Enhanced Linux (SELinux) security module
  3  *
  4  *  This file contains the SELinux hook function implementations.
  5  *
  6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
  7  *            Chris Vance, <cvance@nai.com>
  8  *            Wayne Salamon, <wsalamon@nai.com>
  9  *            James Morris <jmorris@redhat.com>
 10  *
 11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
 12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
 13  *                                         Eric Paris <eparis@redhat.com>
 14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 15  *                          <dgoeddel@trustedcs.com>
 16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
 17  *      Paul Moore <paul@paul-moore.com>
 18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
 19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
 20  *
 21  *      This program is free software; you can redistribute it and/or modify
 22  *      it under the terms of the GNU General Public License version 2,
 23  *      as published by the Free Software Foundation.
 24  */
 25 
 26 #include <linux/init.h>
 27 #include <linux/kd.h>
 28 #include <linux/kernel.h>
 29 #include <linux/tracehook.h>
 30 #include <linux/errno.h>
 31 #include <linux/sched.h>
 32 #include <linux/lsm_hooks.h>
 33 #include <linux/xattr.h>
 34 #include <linux/capability.h>
 35 #include <linux/unistd.h>
 36 #include <linux/mm.h>
 37 #include <linux/mman.h>
 38 #include <linux/slab.h>
 39 #include <linux/pagemap.h>
 40 #include <linux/proc_fs.h>
 41 #include <linux/swap.h>
 42 #include <linux/spinlock.h>
 43 #include <linux/syscalls.h>
 44 #include <linux/dcache.h>
 45 #include <linux/file.h>
 46 #include <linux/fdtable.h>
 47 #include <linux/namei.h>
 48 #include <linux/mount.h>
 49 #include <linux/netfilter_ipv4.h>
 50 #include <linux/netfilter_ipv6.h>
 51 #include <linux/tty.h>
 52 #include <net/icmp.h>
 53 #include <net/ip.h>             /* for local_port_range[] */
 54 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 55 #include <net/inet_connection_sock.h>
 56 #include <net/net_namespace.h>
 57 #include <net/netlabel.h>
 58 #include <linux/uaccess.h>
 59 #include <asm/ioctls.h>
 60 #include <linux/atomic.h>
 61 #include <linux/bitops.h>
 62 #include <linux/interrupt.h>
 63 #include <linux/netdevice.h>    /* for network interface checks */
 64 #include <net/netlink.h>
 65 #include <linux/tcp.h>
 66 #include <linux/udp.h>
 67 #include <linux/dccp.h>
 68 #include <linux/quota.h>
 69 #include <linux/un.h>           /* for Unix socket types */
 70 #include <net/af_unix.h>        /* for Unix socket types */
 71 #include <linux/parser.h>
 72 #include <linux/nfs_mount.h>
 73 #include <net/ipv6.h>
 74 #include <linux/hugetlb.h>
 75 #include <linux/personality.h>
 76 #include <linux/audit.h>
 77 #include <linux/string.h>
 78 #include <linux/selinux.h>
 79 #include <linux/mutex.h>
 80 #include <linux/posix-timers.h>
 81 #include <linux/syslog.h>
 82 #include <linux/user_namespace.h>
 83 #include <linux/export.h>
 84 #include <linux/msg.h>
 85 #include <linux/shm.h>
 86 
 87 #include "avc.h"
 88 #include "objsec.h"
 89 #include "netif.h"
 90 #include "netnode.h"
 91 #include "netport.h"
 92 #include "xfrm.h"
 93 #include "netlabel.h"
 94 #include "audit.h"
 95 #include "avc_ss.h"
 96 
 97 /* SECMARK reference count */
 98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 99 
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102 
103 static int __init enforcing_setup(char *str)
104 {
105         unsigned long enforcing;
106         if (!kstrtoul(str, 0, &enforcing))
107                 selinux_enforcing = enforcing ? 1 : 0;
108         return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112 
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115 
116 static int __init selinux_enabled_setup(char *str)
117 {
118         unsigned long enabled;
119         if (!kstrtoul(str, 0, &enabled))
120                 selinux_enabled = enabled ? 1 : 0;
121         return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127 
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130 
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
139  * policy capability is enabled, SECMARK is always considered enabled.
140  *
141  */
142 static int selinux_secmark_enabled(void)
143 {
144         return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146 
147 /**
148  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149  *
150  * Description:
151  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
152  * (1) if any are enabled or false (0) if neither are enabled.  If the
153  * always_check_network policy capability is enabled, peer labeling
154  * is always considered enabled.
155  *
156  */
157 static int selinux_peerlbl_enabled(void)
158 {
159         return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161 
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164         if (event == AVC_CALLBACK_RESET) {
165                 sel_netif_flush();
166                 sel_netnode_flush();
167                 sel_netport_flush();
168                 synchronize_net();
169         }
170         return 0;
171 }
172 
173 /*
174  * initialise the security for the init task
175  */
176 static void cred_init_security(void)
177 {
178         struct cred *cred = (struct cred *) current->real_cred;
179         struct task_security_struct *tsec;
180 
181         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182         if (!tsec)
183                 panic("SELinux:  Failed to initialize initial task.\n");
184 
185         tsec->osid = tsec->sid = SECINITSID_KERNEL;
186         cred->security = tsec;
187 }
188 
189 /*
190  * get the security ID of a set of credentials
191  */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194         const struct task_security_struct *tsec;
195 
196         tsec = cred->security;
197         return tsec->sid;
198 }
199 
200 /*
201  * get the objective security ID of a task
202  */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205         u32 sid;
206 
207         rcu_read_lock();
208         sid = cred_sid(__task_cred(task));
209         rcu_read_unlock();
210         return sid;
211 }
212 
213 /*
214  * get the subjective security ID of the current task
215  */
216 static inline u32 current_sid(void)
217 {
218         const struct task_security_struct *tsec = current_security();
219 
220         return tsec->sid;
221 }
222 
223 /* Allocate and free functions for each kind of security blob. */
224 
225 static int inode_alloc_security(struct inode *inode)
226 {
227         struct inode_security_struct *isec;
228         u32 sid = current_sid();
229 
230         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231         if (!isec)
232                 return -ENOMEM;
233 
234         mutex_init(&isec->lock);
235         INIT_LIST_HEAD(&isec->list);
236         isec->inode = inode;
237         isec->sid = SECINITSID_UNLABELED;
238         isec->sclass = SECCLASS_FILE;
239         isec->task_sid = sid;
240         inode->i_security = isec;
241 
242         return 0;
243 }
244 
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246 
247 /*
248  * Try reloading inode security labels that have been marked as invalid.  The
249  * @may_sleep parameter indicates when sleeping and thus reloading labels is
250  * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
252  * when no dentry is available, set it to NULL instead.
253  */
254 static int __inode_security_revalidate(struct inode *inode,
255                                        struct dentry *opt_dentry,
256                                        bool may_sleep)
257 {
258         struct inode_security_struct *isec = inode->i_security;
259 
260         might_sleep_if(may_sleep);
261 
262         if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
263                 if (!may_sleep)
264                         return -ECHILD;
265 
266                 /*
267                  * Try reloading the inode security label.  This will fail if
268                  * @opt_dentry is NULL and no dentry for this inode can be
269                  * found; in that case, continue using the old label.
270                  */
271                 inode_doinit_with_dentry(inode, opt_dentry);
272         }
273         return 0;
274 }
275 
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278         return inode->i_security;
279 }
280 
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283         int error;
284 
285         error = __inode_security_revalidate(inode, NULL, !rcu);
286         if (error)
287                 return ERR_PTR(error);
288         return inode->i_security;
289 }
290 
291 /*
292  * Get the security label of an inode.
293  */
294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296         __inode_security_revalidate(inode, NULL, true);
297         return inode->i_security;
298 }
299 
300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301 {
302         struct inode *inode = d_backing_inode(dentry);
303 
304         return inode->i_security;
305 }
306 
307 /*
308  * Get the security label of a dentry's backing inode.
309  */
310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311 {
312         struct inode *inode = d_backing_inode(dentry);
313 
314         __inode_security_revalidate(inode, dentry, true);
315         return inode->i_security;
316 }
317 
318 static void inode_free_rcu(struct rcu_head *head)
319 {
320         struct inode_security_struct *isec;
321 
322         isec = container_of(head, struct inode_security_struct, rcu);
323         kmem_cache_free(sel_inode_cache, isec);
324 }
325 
326 static void inode_free_security(struct inode *inode)
327 {
328         struct inode_security_struct *isec = inode->i_security;
329         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330 
331         /*
332          * As not all inode security structures are in a list, we check for
333          * empty list outside of the lock to make sure that we won't waste
334          * time taking a lock doing nothing.
335          *
336          * The list_del_init() function can be safely called more than once.
337          * It should not be possible for this function to be called with
338          * concurrent list_add(), but for better safety against future changes
339          * in the code, we use list_empty_careful() here.
340          */
341         if (!list_empty_careful(&isec->list)) {
342                 spin_lock(&sbsec->isec_lock);
343                 list_del_init(&isec->list);
344                 spin_unlock(&sbsec->isec_lock);
345         }
346 
347         /*
348          * The inode may still be referenced in a path walk and
349          * a call to selinux_inode_permission() can be made
350          * after inode_free_security() is called. Ideally, the VFS
351          * wouldn't do this, but fixing that is a much harder
352          * job. For now, simply free the i_security via RCU, and
353          * leave the current inode->i_security pointer intact.
354          * The inode will be freed after the RCU grace period too.
355          */
356         call_rcu(&isec->rcu, inode_free_rcu);
357 }
358 
359 static int file_alloc_security(struct file *file)
360 {
361         struct file_security_struct *fsec;
362         u32 sid = current_sid();
363 
364         fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
365         if (!fsec)
366                 return -ENOMEM;
367 
368         fsec->sid = sid;
369         fsec->fown_sid = sid;
370         file->f_security = fsec;
371 
372         return 0;
373 }
374 
375 static void file_free_security(struct file *file)
376 {
377         struct file_security_struct *fsec = file->f_security;
378         file->f_security = NULL;
379         kmem_cache_free(file_security_cache, fsec);
380 }
381 
382 static int superblock_alloc_security(struct super_block *sb)
383 {
384         struct superblock_security_struct *sbsec;
385 
386         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
387         if (!sbsec)
388                 return -ENOMEM;
389 
390         mutex_init(&sbsec->lock);
391         INIT_LIST_HEAD(&sbsec->isec_head);
392         spin_lock_init(&sbsec->isec_lock);
393         sbsec->sb = sb;
394         sbsec->sid = SECINITSID_UNLABELED;
395         sbsec->def_sid = SECINITSID_FILE;
396         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
397         sb->s_security = sbsec;
398 
399         return 0;
400 }
401 
402 static void superblock_free_security(struct super_block *sb)
403 {
404         struct superblock_security_struct *sbsec = sb->s_security;
405         sb->s_security = NULL;
406         kfree(sbsec);
407 }
408 
409 /* The file system's label must be initialized prior to use. */
410 
411 static const char *labeling_behaviors[7] = {
412         "uses xattr",
413         "uses transition SIDs",
414         "uses task SIDs",
415         "uses genfs_contexts",
416         "not configured for labeling",
417         "uses mountpoint labeling",
418         "uses native labeling",
419 };
420 
421 static inline int inode_doinit(struct inode *inode)
422 {
423         return inode_doinit_with_dentry(inode, NULL);
424 }
425 
426 enum {
427         Opt_error = -1,
428         Opt_context = 1,
429         Opt_fscontext = 2,
430         Opt_defcontext = 3,
431         Opt_rootcontext = 4,
432         Opt_labelsupport = 5,
433         Opt_nextmntopt = 6,
434 };
435 
436 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
437 
438 static const match_table_t tokens = {
439         {Opt_context, CONTEXT_STR "%s"},
440         {Opt_fscontext, FSCONTEXT_STR "%s"},
441         {Opt_defcontext, DEFCONTEXT_STR "%s"},
442         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
443         {Opt_labelsupport, LABELSUPP_STR},
444         {Opt_error, NULL},
445 };
446 
447 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
448 
449 static int may_context_mount_sb_relabel(u32 sid,
450                         struct superblock_security_struct *sbsec,
451                         const struct cred *cred)
452 {
453         const struct task_security_struct *tsec = cred->security;
454         int rc;
455 
456         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457                           FILESYSTEM__RELABELFROM, NULL);
458         if (rc)
459                 return rc;
460 
461         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462                           FILESYSTEM__RELABELTO, NULL);
463         return rc;
464 }
465 
466 static int may_context_mount_inode_relabel(u32 sid,
467                         struct superblock_security_struct *sbsec,
468                         const struct cred *cred)
469 {
470         const struct task_security_struct *tsec = cred->security;
471         int rc;
472         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473                           FILESYSTEM__RELABELFROM, NULL);
474         if (rc)
475                 return rc;
476 
477         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
478                           FILESYSTEM__ASSOCIATE, NULL);
479         return rc;
480 }
481 
482 static int selinux_is_sblabel_mnt(struct super_block *sb)
483 {
484         struct superblock_security_struct *sbsec = sb->s_security;
485 
486         return sbsec->behavior == SECURITY_FS_USE_XATTR ||
487                 sbsec->behavior == SECURITY_FS_USE_TRANS ||
488                 sbsec->behavior == SECURITY_FS_USE_TASK ||
489                 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
490                 /* Special handling. Genfs but also in-core setxattr handler */
491                 !strcmp(sb->s_type->name, "sysfs") ||
492                 !strcmp(sb->s_type->name, "pstore") ||
493                 !strcmp(sb->s_type->name, "debugfs") ||
494                 !strcmp(sb->s_type->name, "rootfs");
495 }
496 
497 static int sb_finish_set_opts(struct super_block *sb)
498 {
499         struct superblock_security_struct *sbsec = sb->s_security;
500         struct dentry *root = sb->s_root;
501         struct inode *root_inode = d_backing_inode(root);
502         int rc = 0;
503 
504         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
505                 /* Make sure that the xattr handler exists and that no
506                    error other than -ENODATA is returned by getxattr on
507                    the root directory.  -ENODATA is ok, as this may be
508                    the first boot of the SELinux kernel before we have
509                    assigned xattr values to the filesystem. */
510                 if (!root_inode->i_op->getxattr) {
511                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
512                                "xattr support\n", sb->s_id, sb->s_type->name);
513                         rc = -EOPNOTSUPP;
514                         goto out;
515                 }
516                 rc = root_inode->i_op->getxattr(root, root_inode,
517                                                 XATTR_NAME_SELINUX, NULL, 0);
518                 if (rc < 0 && rc != -ENODATA) {
519                         if (rc == -EOPNOTSUPP)
520                                 printk(KERN_WARNING "SELinux: (dev %s, type "
521                                        "%s) has no security xattr handler\n",
522                                        sb->s_id, sb->s_type->name);
523                         else
524                                 printk(KERN_WARNING "SELinux: (dev %s, type "
525                                        "%s) getxattr errno %d\n", sb->s_id,
526                                        sb->s_type->name, -rc);
527                         goto out;
528                 }
529         }
530 
531         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
532                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
533                        sb->s_id, sb->s_type->name);
534 
535         sbsec->flags |= SE_SBINITIALIZED;
536         if (selinux_is_sblabel_mnt(sb))
537                 sbsec->flags |= SBLABEL_MNT;
538 
539         /* Initialize the root inode. */
540         rc = inode_doinit_with_dentry(root_inode, root);
541 
542         /* Initialize any other inodes associated with the superblock, e.g.
543            inodes created prior to initial policy load or inodes created
544            during get_sb by a pseudo filesystem that directly
545            populates itself. */
546         spin_lock(&sbsec->isec_lock);
547 next_inode:
548         if (!list_empty(&sbsec->isec_head)) {
549                 struct inode_security_struct *isec =
550                                 list_entry(sbsec->isec_head.next,
551                                            struct inode_security_struct, list);
552                 struct inode *inode = isec->inode;
553                 list_del_init(&isec->list);
554                 spin_unlock(&sbsec->isec_lock);
555                 inode = igrab(inode);
556                 if (inode) {
557                         if (!IS_PRIVATE(inode))
558                                 inode_doinit(inode);
559                         iput(inode);
560                 }
561                 spin_lock(&sbsec->isec_lock);
562                 goto next_inode;
563         }
564         spin_unlock(&sbsec->isec_lock);
565 out:
566         return rc;
567 }
568 
569 /*
570  * This function should allow an FS to ask what it's mount security
571  * options were so it can use those later for submounts, displaying
572  * mount options, or whatever.
573  */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575                                 struct security_mnt_opts *opts)
576 {
577         int rc = 0, i;
578         struct superblock_security_struct *sbsec = sb->s_security;
579         char *context = NULL;
580         u32 len;
581         char tmp;
582 
583         security_init_mnt_opts(opts);
584 
585         if (!(sbsec->flags & SE_SBINITIALIZED))
586                 return -EINVAL;
587 
588         if (!ss_initialized)
589                 return -EINVAL;
590 
591         /* make sure we always check enough bits to cover the mask */
592         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593 
594         tmp = sbsec->flags & SE_MNTMASK;
595         /* count the number of mount options for this sb */
596         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597                 if (tmp & 0x01)
598                         opts->num_mnt_opts++;
599                 tmp >>= 1;
600         }
601         /* Check if the Label support flag is set */
602         if (sbsec->flags & SBLABEL_MNT)
603                 opts->num_mnt_opts++;
604 
605         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606         if (!opts->mnt_opts) {
607                 rc = -ENOMEM;
608                 goto out_free;
609         }
610 
611         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612         if (!opts->mnt_opts_flags) {
613                 rc = -ENOMEM;
614                 goto out_free;
615         }
616 
617         i = 0;
618         if (sbsec->flags & FSCONTEXT_MNT) {
619                 rc = security_sid_to_context(sbsec->sid, &context, &len);
620                 if (rc)
621                         goto out_free;
622                 opts->mnt_opts[i] = context;
623                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624         }
625         if (sbsec->flags & CONTEXT_MNT) {
626                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627                 if (rc)
628                         goto out_free;
629                 opts->mnt_opts[i] = context;
630                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631         }
632         if (sbsec->flags & DEFCONTEXT_MNT) {
633                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634                 if (rc)
635                         goto out_free;
636                 opts->mnt_opts[i] = context;
637                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638         }
639         if (sbsec->flags & ROOTCONTEXT_MNT) {
640                 struct dentry *root = sbsec->sb->s_root;
641                 struct inode_security_struct *isec = backing_inode_security(root);
642 
643                 rc = security_sid_to_context(isec->sid, &context, &len);
644                 if (rc)
645                         goto out_free;
646                 opts->mnt_opts[i] = context;
647                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648         }
649         if (sbsec->flags & SBLABEL_MNT) {
650                 opts->mnt_opts[i] = NULL;
651                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652         }
653 
654         BUG_ON(i != opts->num_mnt_opts);
655 
656         return 0;
657 
658 out_free:
659         security_free_mnt_opts(opts);
660         return rc;
661 }
662 
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664                       u32 old_sid, u32 new_sid)
665 {
666         char mnt_flags = sbsec->flags & SE_MNTMASK;
667 
668         /* check if the old mount command had the same options */
669         if (sbsec->flags & SE_SBINITIALIZED)
670                 if (!(sbsec->flags & flag) ||
671                     (old_sid != new_sid))
672                         return 1;
673 
674         /* check if we were passed the same options twice,
675          * aka someone passed context=a,context=b
676          */
677         if (!(sbsec->flags & SE_SBINITIALIZED))
678                 if (mnt_flags & flag)
679                         return 1;
680         return 0;
681 }
682 
683 /*
684  * Allow filesystems with binary mount data to explicitly set mount point
685  * labeling information.
686  */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688                                 struct security_mnt_opts *opts,
689                                 unsigned long kern_flags,
690                                 unsigned long *set_kern_flags)
691 {
692         const struct cred *cred = current_cred();
693         int rc = 0, i;
694         struct superblock_security_struct *sbsec = sb->s_security;
695         const char *name = sb->s_type->name;
696         struct dentry *root = sbsec->sb->s_root;
697         struct inode_security_struct *root_isec;
698         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699         u32 defcontext_sid = 0;
700         char **mount_options = opts->mnt_opts;
701         int *flags = opts->mnt_opts_flags;
702         int num_opts = opts->num_mnt_opts;
703 
704         mutex_lock(&sbsec->lock);
705 
706         if (!ss_initialized) {
707                 if (!num_opts) {
708                         /* Defer initialization until selinux_complete_init,
709                            after the initial policy is loaded and the security
710                            server is ready to handle calls. */
711                         goto out;
712                 }
713                 rc = -EINVAL;
714                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715                         "before the security server is initialized\n");
716                 goto out;
717         }
718         if (kern_flags && !set_kern_flags) {
719                 /* Specifying internal flags without providing a place to
720                  * place the results is not allowed */
721                 rc = -EINVAL;
722                 goto out;
723         }
724 
725         /*
726          * Binary mount data FS will come through this function twice.  Once
727          * from an explicit call and once from the generic calls from the vfs.
728          * Since the generic VFS calls will not contain any security mount data
729          * we need to skip the double mount verification.
730          *
731          * This does open a hole in which we will not notice if the first
732          * mount using this sb set explict options and a second mount using
733          * this sb does not set any security options.  (The first options
734          * will be used for both mounts)
735          */
736         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737             && (num_opts == 0))
738                 goto out;
739 
740         root_isec = backing_inode_security_novalidate(root);
741 
742         /*
743          * parse the mount options, check if they are valid sids.
744          * also check if someone is trying to mount the same sb more
745          * than once with different security options.
746          */
747         for (i = 0; i < num_opts; i++) {
748                 u32 sid;
749 
750                 if (flags[i] == SBLABEL_MNT)
751                         continue;
752                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753                 if (rc) {
754                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755                                "(%s) failed for (dev %s, type %s) errno=%d\n",
756                                mount_options[i], sb->s_id, name, rc);
757                         goto out;
758                 }
759                 switch (flags[i]) {
760                 case FSCONTEXT_MNT:
761                         fscontext_sid = sid;
762 
763                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764                                         fscontext_sid))
765                                 goto out_double_mount;
766 
767                         sbsec->flags |= FSCONTEXT_MNT;
768                         break;
769                 case CONTEXT_MNT:
770                         context_sid = sid;
771 
772                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773                                         context_sid))
774                                 goto out_double_mount;
775 
776                         sbsec->flags |= CONTEXT_MNT;
777                         break;
778                 case ROOTCONTEXT_MNT:
779                         rootcontext_sid = sid;
780 
781                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782                                         rootcontext_sid))
783                                 goto out_double_mount;
784 
785                         sbsec->flags |= ROOTCONTEXT_MNT;
786 
787                         break;
788                 case DEFCONTEXT_MNT:
789                         defcontext_sid = sid;
790 
791                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792                                         defcontext_sid))
793                                 goto out_double_mount;
794 
795                         sbsec->flags |= DEFCONTEXT_MNT;
796 
797                         break;
798                 default:
799                         rc = -EINVAL;
800                         goto out;
801                 }
802         }
803 
804         if (sbsec->flags & SE_SBINITIALIZED) {
805                 /* previously mounted with options, but not on this attempt? */
806                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807                         goto out_double_mount;
808                 rc = 0;
809                 goto out;
810         }
811 
812         if (strcmp(sb->s_type->name, "proc") == 0)
813                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814 
815         if (!strcmp(sb->s_type->name, "debugfs") ||
816             !strcmp(sb->s_type->name, "sysfs") ||
817             !strcmp(sb->s_type->name, "pstore"))
818                 sbsec->flags |= SE_SBGENFS;
819 
820         if (!sbsec->behavior) {
821                 /*
822                  * Determine the labeling behavior to use for this
823                  * filesystem type.
824                  */
825                 rc = security_fs_use(sb);
826                 if (rc) {
827                         printk(KERN_WARNING
828                                 "%s: security_fs_use(%s) returned %d\n",
829                                         __func__, sb->s_type->name, rc);
830                         goto out;
831                 }
832         }
833 
834         /*
835          * If this is a user namespace mount, no contexts are allowed
836          * on the command line and security labels must be ignored.
837          */
838         if (sb->s_user_ns != &init_user_ns) {
839                 if (context_sid || fscontext_sid || rootcontext_sid ||
840                     defcontext_sid) {
841                         rc = -EACCES;
842                         goto out;
843                 }
844                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
845                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
846                         rc = security_transition_sid(current_sid(), current_sid(),
847                                                      SECCLASS_FILE, NULL,
848                                                      &sbsec->mntpoint_sid);
849                         if (rc)
850                                 goto out;
851                 }
852                 goto out_set_opts;
853         }
854 
855         /* sets the context of the superblock for the fs being mounted. */
856         if (fscontext_sid) {
857                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
858                 if (rc)
859                         goto out;
860 
861                 sbsec->sid = fscontext_sid;
862         }
863 
864         /*
865          * Switch to using mount point labeling behavior.
866          * sets the label used on all file below the mountpoint, and will set
867          * the superblock context if not already set.
868          */
869         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
870                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
871                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
872         }
873 
874         if (context_sid) {
875                 if (!fscontext_sid) {
876                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
877                                                           cred);
878                         if (rc)
879                                 goto out;
880                         sbsec->sid = context_sid;
881                 } else {
882                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
883                                                              cred);
884                         if (rc)
885                                 goto out;
886                 }
887                 if (!rootcontext_sid)
888                         rootcontext_sid = context_sid;
889 
890                 sbsec->mntpoint_sid = context_sid;
891                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
892         }
893 
894         if (rootcontext_sid) {
895                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
896                                                      cred);
897                 if (rc)
898                         goto out;
899 
900                 root_isec->sid = rootcontext_sid;
901                 root_isec->initialized = LABEL_INITIALIZED;
902         }
903 
904         if (defcontext_sid) {
905                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
906                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
907                         rc = -EINVAL;
908                         printk(KERN_WARNING "SELinux: defcontext option is "
909                                "invalid for this filesystem type\n");
910                         goto out;
911                 }
912 
913                 if (defcontext_sid != sbsec->def_sid) {
914                         rc = may_context_mount_inode_relabel(defcontext_sid,
915                                                              sbsec, cred);
916                         if (rc)
917                                 goto out;
918                 }
919 
920                 sbsec->def_sid = defcontext_sid;
921         }
922 
923 out_set_opts:
924         rc = sb_finish_set_opts(sb);
925 out:
926         mutex_unlock(&sbsec->lock);
927         return rc;
928 out_double_mount:
929         rc = -EINVAL;
930         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
931                "security settings for (dev %s, type %s)\n", sb->s_id, name);
932         goto out;
933 }
934 
935 static int selinux_cmp_sb_context(const struct super_block *oldsb,
936                                     const struct super_block *newsb)
937 {
938         struct superblock_security_struct *old = oldsb->s_security;
939         struct superblock_security_struct *new = newsb->s_security;
940         char oldflags = old->flags & SE_MNTMASK;
941         char newflags = new->flags & SE_MNTMASK;
942 
943         if (oldflags != newflags)
944                 goto mismatch;
945         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
946                 goto mismatch;
947         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
948                 goto mismatch;
949         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
950                 goto mismatch;
951         if (oldflags & ROOTCONTEXT_MNT) {
952                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
953                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
954                 if (oldroot->sid != newroot->sid)
955                         goto mismatch;
956         }
957         return 0;
958 mismatch:
959         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
960                             "different security settings for (dev %s, "
961                             "type %s)\n", newsb->s_id, newsb->s_type->name);
962         return -EBUSY;
963 }
964 
965 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
966                                         struct super_block *newsb)
967 {
968         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
969         struct superblock_security_struct *newsbsec = newsb->s_security;
970 
971         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
972         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
973         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
974 
975         /*
976          * if the parent was able to be mounted it clearly had no special lsm
977          * mount options.  thus we can safely deal with this superblock later
978          */
979         if (!ss_initialized)
980                 return 0;
981 
982         /* how can we clone if the old one wasn't set up?? */
983         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
984 
985         /* if fs is reusing a sb, make sure that the contexts match */
986         if (newsbsec->flags & SE_SBINITIALIZED)
987                 return selinux_cmp_sb_context(oldsb, newsb);
988 
989         mutex_lock(&newsbsec->lock);
990 
991         newsbsec->flags = oldsbsec->flags;
992 
993         newsbsec->sid = oldsbsec->sid;
994         newsbsec->def_sid = oldsbsec->def_sid;
995         newsbsec->behavior = oldsbsec->behavior;
996 
997         if (set_context) {
998                 u32 sid = oldsbsec->mntpoint_sid;
999 
1000                 if (!set_fscontext)
1001                         newsbsec->sid = sid;
1002                 if (!set_rootcontext) {
1003                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1004                         newisec->sid = sid;
1005                 }
1006                 newsbsec->mntpoint_sid = sid;
1007         }
1008         if (set_rootcontext) {
1009                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1010                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1011 
1012                 newisec->sid = oldisec->sid;
1013         }
1014 
1015         sb_finish_set_opts(newsb);
1016         mutex_unlock(&newsbsec->lock);
1017         return 0;
1018 }
1019 
1020 static int selinux_parse_opts_str(char *options,
1021                                   struct security_mnt_opts *opts)
1022 {
1023         char *p;
1024         char *context = NULL, *defcontext = NULL;
1025         char *fscontext = NULL, *rootcontext = NULL;
1026         int rc, num_mnt_opts = 0;
1027 
1028         opts->num_mnt_opts = 0;
1029 
1030         /* Standard string-based options. */
1031         while ((p = strsep(&options, "|")) != NULL) {
1032                 int token;
1033                 substring_t args[MAX_OPT_ARGS];
1034 
1035                 if (!*p)
1036                         continue;
1037 
1038                 token = match_token(p, tokens, args);
1039 
1040                 switch (token) {
1041                 case Opt_context:
1042                         if (context || defcontext) {
1043                                 rc = -EINVAL;
1044                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1045                                 goto out_err;
1046                         }
1047                         context = match_strdup(&args[0]);
1048                         if (!context) {
1049                                 rc = -ENOMEM;
1050                                 goto out_err;
1051                         }
1052                         break;
1053 
1054                 case Opt_fscontext:
1055                         if (fscontext) {
1056                                 rc = -EINVAL;
1057                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1058                                 goto out_err;
1059                         }
1060                         fscontext = match_strdup(&args[0]);
1061                         if (!fscontext) {
1062                                 rc = -ENOMEM;
1063                                 goto out_err;
1064                         }
1065                         break;
1066 
1067                 case Opt_rootcontext:
1068                         if (rootcontext) {
1069                                 rc = -EINVAL;
1070                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1071                                 goto out_err;
1072                         }
1073                         rootcontext = match_strdup(&args[0]);
1074                         if (!rootcontext) {
1075                                 rc = -ENOMEM;
1076                                 goto out_err;
1077                         }
1078                         break;
1079 
1080                 case Opt_defcontext:
1081                         if (context || defcontext) {
1082                                 rc = -EINVAL;
1083                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1084                                 goto out_err;
1085                         }
1086                         defcontext = match_strdup(&args[0]);
1087                         if (!defcontext) {
1088                                 rc = -ENOMEM;
1089                                 goto out_err;
1090                         }
1091                         break;
1092                 case Opt_labelsupport:
1093                         break;
1094                 default:
1095                         rc = -EINVAL;
1096                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
1097                         goto out_err;
1098 
1099                 }
1100         }
1101 
1102         rc = -ENOMEM;
1103         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1104         if (!opts->mnt_opts)
1105                 goto out_err;
1106 
1107         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1108         if (!opts->mnt_opts_flags) {
1109                 kfree(opts->mnt_opts);
1110                 goto out_err;
1111         }
1112 
1113         if (fscontext) {
1114                 opts->mnt_opts[num_mnt_opts] = fscontext;
1115                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1116         }
1117         if (context) {
1118                 opts->mnt_opts[num_mnt_opts] = context;
1119                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1120         }
1121         if (rootcontext) {
1122                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1123                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1124         }
1125         if (defcontext) {
1126                 opts->mnt_opts[num_mnt_opts] = defcontext;
1127                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1128         }
1129 
1130         opts->num_mnt_opts = num_mnt_opts;
1131         return 0;
1132 
1133 out_err:
1134         kfree(context);
1135         kfree(defcontext);
1136         kfree(fscontext);
1137         kfree(rootcontext);
1138         return rc;
1139 }
1140 /*
1141  * string mount options parsing and call set the sbsec
1142  */
1143 static int superblock_doinit(struct super_block *sb, void *data)
1144 {
1145         int rc = 0;
1146         char *options = data;
1147         struct security_mnt_opts opts;
1148 
1149         security_init_mnt_opts(&opts);
1150 
1151         if (!data)
1152                 goto out;
1153 
1154         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1155 
1156         rc = selinux_parse_opts_str(options, &opts);
1157         if (rc)
1158                 goto out_err;
1159 
1160 out:
1161         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1162 
1163 out_err:
1164         security_free_mnt_opts(&opts);
1165         return rc;
1166 }
1167 
1168 static void selinux_write_opts(struct seq_file *m,
1169                                struct security_mnt_opts *opts)
1170 {
1171         int i;
1172         char *prefix;
1173 
1174         for (i = 0; i < opts->num_mnt_opts; i++) {
1175                 char *has_comma;
1176 
1177                 if (opts->mnt_opts[i])
1178                         has_comma = strchr(opts->mnt_opts[i], ',');
1179                 else
1180                         has_comma = NULL;
1181 
1182                 switch (opts->mnt_opts_flags[i]) {
1183                 case CONTEXT_MNT:
1184                         prefix = CONTEXT_STR;
1185                         break;
1186                 case FSCONTEXT_MNT:
1187                         prefix = FSCONTEXT_STR;
1188                         break;
1189                 case ROOTCONTEXT_MNT:
1190                         prefix = ROOTCONTEXT_STR;
1191                         break;
1192                 case DEFCONTEXT_MNT:
1193                         prefix = DEFCONTEXT_STR;
1194                         break;
1195                 case SBLABEL_MNT:
1196                         seq_putc(m, ',');
1197                         seq_puts(m, LABELSUPP_STR);
1198                         continue;
1199                 default:
1200                         BUG();
1201                         return;
1202                 };
1203                 /* we need a comma before each option */
1204                 seq_putc(m, ',');
1205                 seq_puts(m, prefix);
1206                 if (has_comma)
1207                         seq_putc(m, '\"');
1208                 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1209                 if (has_comma)
1210                         seq_putc(m, '\"');
1211         }
1212 }
1213 
1214 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1215 {
1216         struct security_mnt_opts opts;
1217         int rc;
1218 
1219         rc = selinux_get_mnt_opts(sb, &opts);
1220         if (rc) {
1221                 /* before policy load we may get EINVAL, don't show anything */
1222                 if (rc == -EINVAL)
1223                         rc = 0;
1224                 return rc;
1225         }
1226 
1227         selinux_write_opts(m, &opts);
1228 
1229         security_free_mnt_opts(&opts);
1230 
1231         return rc;
1232 }
1233 
1234 static inline u16 inode_mode_to_security_class(umode_t mode)
1235 {
1236         switch (mode & S_IFMT) {
1237         case S_IFSOCK:
1238                 return SECCLASS_SOCK_FILE;
1239         case S_IFLNK:
1240                 return SECCLASS_LNK_FILE;
1241         case S_IFREG:
1242                 return SECCLASS_FILE;
1243         case S_IFBLK:
1244                 return SECCLASS_BLK_FILE;
1245         case S_IFDIR:
1246                 return SECCLASS_DIR;
1247         case S_IFCHR:
1248                 return SECCLASS_CHR_FILE;
1249         case S_IFIFO:
1250                 return SECCLASS_FIFO_FILE;
1251 
1252         }
1253 
1254         return SECCLASS_FILE;
1255 }
1256 
1257 static inline int default_protocol_stream(int protocol)
1258 {
1259         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1260 }
1261 
1262 static inline int default_protocol_dgram(int protocol)
1263 {
1264         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1265 }
1266 
1267 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1268 {
1269         switch (family) {
1270         case PF_UNIX:
1271                 switch (type) {
1272                 case SOCK_STREAM:
1273                 case SOCK_SEQPACKET:
1274                         return SECCLASS_UNIX_STREAM_SOCKET;
1275                 case SOCK_DGRAM:
1276                         return SECCLASS_UNIX_DGRAM_SOCKET;
1277                 }
1278                 break;
1279         case PF_INET:
1280         case PF_INET6:
1281                 switch (type) {
1282                 case SOCK_STREAM:
1283                         if (default_protocol_stream(protocol))
1284                                 return SECCLASS_TCP_SOCKET;
1285                         else
1286                                 return SECCLASS_RAWIP_SOCKET;
1287                 case SOCK_DGRAM:
1288                         if (default_protocol_dgram(protocol))
1289                                 return SECCLASS_UDP_SOCKET;
1290                         else
1291                                 return SECCLASS_RAWIP_SOCKET;
1292                 case SOCK_DCCP:
1293                         return SECCLASS_DCCP_SOCKET;
1294                 default:
1295                         return SECCLASS_RAWIP_SOCKET;
1296                 }
1297                 break;
1298         case PF_NETLINK:
1299                 switch (protocol) {
1300                 case NETLINK_ROUTE:
1301                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1302                 case NETLINK_SOCK_DIAG:
1303                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1304                 case NETLINK_NFLOG:
1305                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1306                 case NETLINK_XFRM:
1307                         return SECCLASS_NETLINK_XFRM_SOCKET;
1308                 case NETLINK_SELINUX:
1309                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1310                 case NETLINK_ISCSI:
1311                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1312                 case NETLINK_AUDIT:
1313                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1314                 case NETLINK_FIB_LOOKUP:
1315                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1316                 case NETLINK_CONNECTOR:
1317                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1318                 case NETLINK_NETFILTER:
1319                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1320                 case NETLINK_DNRTMSG:
1321                         return SECCLASS_NETLINK_DNRT_SOCKET;
1322                 case NETLINK_KOBJECT_UEVENT:
1323                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1324                 case NETLINK_GENERIC:
1325                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1326                 case NETLINK_SCSITRANSPORT:
1327                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1328                 case NETLINK_RDMA:
1329                         return SECCLASS_NETLINK_RDMA_SOCKET;
1330                 case NETLINK_CRYPTO:
1331                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1332                 default:
1333                         return SECCLASS_NETLINK_SOCKET;
1334                 }
1335         case PF_PACKET:
1336                 return SECCLASS_PACKET_SOCKET;
1337         case PF_KEY:
1338                 return SECCLASS_KEY_SOCKET;
1339         case PF_APPLETALK:
1340                 return SECCLASS_APPLETALK_SOCKET;
1341         }
1342 
1343         return SECCLASS_SOCKET;
1344 }
1345 
1346 static int selinux_genfs_get_sid(struct dentry *dentry,
1347                                  u16 tclass,
1348                                  u16 flags,
1349                                  u32 *sid)
1350 {
1351         int rc;
1352         struct super_block *sb = dentry->d_sb;
1353         char *buffer, *path;
1354 
1355         buffer = (char *)__get_free_page(GFP_KERNEL);
1356         if (!buffer)
1357                 return -ENOMEM;
1358 
1359         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1360         if (IS_ERR(path))
1361                 rc = PTR_ERR(path);
1362         else {
1363                 if (flags & SE_SBPROC) {
1364                         /* each process gets a /proc/PID/ entry. Strip off the
1365                          * PID part to get a valid selinux labeling.
1366                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1367                         while (path[1] >= '' && path[1] <= '9') {
1368                                 path[1] = '/';
1369                                 path++;
1370                         }
1371                 }
1372                 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1373         }
1374         free_page((unsigned long)buffer);
1375         return rc;
1376 }
1377 
1378 /* The inode's security attributes must be initialized before first use. */
1379 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1380 {
1381         struct superblock_security_struct *sbsec = NULL;
1382         struct inode_security_struct *isec = inode->i_security;
1383         u32 sid;
1384         struct dentry *dentry;
1385 #define INITCONTEXTLEN 255
1386         char *context = NULL;
1387         unsigned len = 0;
1388         int rc = 0;
1389 
1390         if (isec->initialized == LABEL_INITIALIZED)
1391                 goto out;
1392 
1393         mutex_lock(&isec->lock);
1394         if (isec->initialized == LABEL_INITIALIZED)
1395                 goto out_unlock;
1396 
1397         sbsec = inode->i_sb->s_security;
1398         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1399                 /* Defer initialization until selinux_complete_init,
1400                    after the initial policy is loaded and the security
1401                    server is ready to handle calls. */
1402                 spin_lock(&sbsec->isec_lock);
1403                 if (list_empty(&isec->list))
1404                         list_add(&isec->list, &sbsec->isec_head);
1405                 spin_unlock(&sbsec->isec_lock);
1406                 goto out_unlock;
1407         }
1408 
1409         switch (sbsec->behavior) {
1410         case SECURITY_FS_USE_NATIVE:
1411                 break;
1412         case SECURITY_FS_USE_XATTR:
1413                 if (!inode->i_op->getxattr) {
1414                         isec->sid = sbsec->def_sid;
1415                         break;
1416                 }
1417 
1418                 /* Need a dentry, since the xattr API requires one.
1419                    Life would be simpler if we could just pass the inode. */
1420                 if (opt_dentry) {
1421                         /* Called from d_instantiate or d_splice_alias. */
1422                         dentry = dget(opt_dentry);
1423                 } else {
1424                         /* Called from selinux_complete_init, try to find a dentry. */
1425                         dentry = d_find_alias(inode);
1426                 }
1427                 if (!dentry) {
1428                         /*
1429                          * this is can be hit on boot when a file is accessed
1430                          * before the policy is loaded.  When we load policy we
1431                          * may find inodes that have no dentry on the
1432                          * sbsec->isec_head list.  No reason to complain as these
1433                          * will get fixed up the next time we go through
1434                          * inode_doinit with a dentry, before these inodes could
1435                          * be used again by userspace.
1436                          */
1437                         goto out_unlock;
1438                 }
1439 
1440                 len = INITCONTEXTLEN;
1441                 context = kmalloc(len+1, GFP_NOFS);
1442                 if (!context) {
1443                         rc = -ENOMEM;
1444                         dput(dentry);
1445                         goto out_unlock;
1446                 }
1447                 context[len] = '\0';
1448                 rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1449                                            context, len);
1450                 if (rc == -ERANGE) {
1451                         kfree(context);
1452 
1453                         /* Need a larger buffer.  Query for the right size. */
1454                         rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1455                                                    NULL, 0);
1456                         if (rc < 0) {
1457                                 dput(dentry);
1458                                 goto out_unlock;
1459                         }
1460                         len = rc;
1461                         context = kmalloc(len+1, GFP_NOFS);
1462                         if (!context) {
1463                                 rc = -ENOMEM;
1464                                 dput(dentry);
1465                                 goto out_unlock;
1466                         }
1467                         context[len] = '\0';
1468                         rc = inode->i_op->getxattr(dentry, inode,
1469                                                    XATTR_NAME_SELINUX,
1470                                                    context, len);
1471                 }
1472                 dput(dentry);
1473                 if (rc < 0) {
1474                         if (rc != -ENODATA) {
1475                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1476                                        "%d for dev=%s ino=%ld\n", __func__,
1477                                        -rc, inode->i_sb->s_id, inode->i_ino);
1478                                 kfree(context);
1479                                 goto out_unlock;
1480                         }
1481                         /* Map ENODATA to the default file SID */
1482                         sid = sbsec->def_sid;
1483                         rc = 0;
1484                 } else {
1485                         rc = security_context_to_sid_default(context, rc, &sid,
1486                                                              sbsec->def_sid,
1487                                                              GFP_NOFS);
1488                         if (rc) {
1489                                 char *dev = inode->i_sb->s_id;
1490                                 unsigned long ino = inode->i_ino;
1491 
1492                                 if (rc == -EINVAL) {
1493                                         if (printk_ratelimit())
1494                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1495                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1496                                                         "filesystem in question.\n", ino, dev, context);
1497                                 } else {
1498                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1499                                                "returned %d for dev=%s ino=%ld\n",
1500                                                __func__, context, -rc, dev, ino);
1501                                 }
1502                                 kfree(context);
1503                                 /* Leave with the unlabeled SID */
1504                                 rc = 0;
1505                                 break;
1506                         }
1507                 }
1508                 kfree(context);
1509                 isec->sid = sid;
1510                 break;
1511         case SECURITY_FS_USE_TASK:
1512                 isec->sid = isec->task_sid;
1513                 break;
1514         case SECURITY_FS_USE_TRANS:
1515                 /* Default to the fs SID. */
1516                 isec->sid = sbsec->sid;
1517 
1518                 /* Try to obtain a transition SID. */
1519                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1520                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1521                                              isec->sclass, NULL, &sid);
1522                 if (rc)
1523                         goto out_unlock;
1524                 isec->sid = sid;
1525                 break;
1526         case SECURITY_FS_USE_MNTPOINT:
1527                 isec->sid = sbsec->mntpoint_sid;
1528                 break;
1529         default:
1530                 /* Default to the fs superblock SID. */
1531                 isec->sid = sbsec->sid;
1532 
1533                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1534                         /* We must have a dentry to determine the label on
1535                          * procfs inodes */
1536                         if (opt_dentry)
1537                                 /* Called from d_instantiate or
1538                                  * d_splice_alias. */
1539                                 dentry = dget(opt_dentry);
1540                         else
1541                                 /* Called from selinux_complete_init, try to
1542                                  * find a dentry. */
1543                                 dentry = d_find_alias(inode);
1544                         /*
1545                          * This can be hit on boot when a file is accessed
1546                          * before the policy is loaded.  When we load policy we
1547                          * may find inodes that have no dentry on the
1548                          * sbsec->isec_head list.  No reason to complain as
1549                          * these will get fixed up the next time we go through
1550                          * inode_doinit() with a dentry, before these inodes
1551                          * could be used again by userspace.
1552                          */
1553                         if (!dentry)
1554                                 goto out_unlock;
1555                         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1556                         rc = selinux_genfs_get_sid(dentry, isec->sclass,
1557                                                    sbsec->flags, &sid);
1558                         dput(dentry);
1559                         if (rc)
1560                                 goto out_unlock;
1561                         isec->sid = sid;
1562                 }
1563                 break;
1564         }
1565 
1566         isec->initialized = LABEL_INITIALIZED;
1567 
1568 out_unlock:
1569         mutex_unlock(&isec->lock);
1570 out:
1571         if (isec->sclass == SECCLASS_FILE)
1572                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1573         return rc;
1574 }
1575 
1576 /* Convert a Linux signal to an access vector. */
1577 static inline u32 signal_to_av(int sig)
1578 {
1579         u32 perm = 0;
1580 
1581         switch (sig) {
1582         case SIGCHLD:
1583                 /* Commonly granted from child to parent. */
1584                 perm = PROCESS__SIGCHLD;
1585                 break;
1586         case SIGKILL:
1587                 /* Cannot be caught or ignored */
1588                 perm = PROCESS__SIGKILL;
1589                 break;
1590         case SIGSTOP:
1591                 /* Cannot be caught or ignored */
1592                 perm = PROCESS__SIGSTOP;
1593                 break;
1594         default:
1595                 /* All other signals. */
1596                 perm = PROCESS__SIGNAL;
1597                 break;
1598         }
1599 
1600         return perm;
1601 }
1602 
1603 /*
1604  * Check permission between a pair of credentials
1605  * fork check, ptrace check, etc.
1606  */
1607 static int cred_has_perm(const struct cred *actor,
1608                          const struct cred *target,
1609                          u32 perms)
1610 {
1611         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1612 
1613         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1614 }
1615 
1616 /*
1617  * Check permission between a pair of tasks, e.g. signal checks,
1618  * fork check, ptrace check, etc.
1619  * tsk1 is the actor and tsk2 is the target
1620  * - this uses the default subjective creds of tsk1
1621  */
1622 static int task_has_perm(const struct task_struct *tsk1,
1623                          const struct task_struct *tsk2,
1624                          u32 perms)
1625 {
1626         const struct task_security_struct *__tsec1, *__tsec2;
1627         u32 sid1, sid2;
1628 
1629         rcu_read_lock();
1630         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1631         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1632         rcu_read_unlock();
1633         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1634 }
1635 
1636 /*
1637  * Check permission between current and another task, e.g. signal checks,
1638  * fork check, ptrace check, etc.
1639  * current is the actor and tsk2 is the target
1640  * - this uses current's subjective creds
1641  */
1642 static int current_has_perm(const struct task_struct *tsk,
1643                             u32 perms)
1644 {
1645         u32 sid, tsid;
1646 
1647         sid = current_sid();
1648         tsid = task_sid(tsk);
1649         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1650 }
1651 
1652 #if CAP_LAST_CAP > 63
1653 #error Fix SELinux to handle capabilities > 63.
1654 #endif
1655 
1656 /* Check whether a task is allowed to use a capability. */
1657 static int cred_has_capability(const struct cred *cred,
1658                                int cap, int audit, bool initns)
1659 {
1660         struct common_audit_data ad;
1661         struct av_decision avd;
1662         u16 sclass;
1663         u32 sid = cred_sid(cred);
1664         u32 av = CAP_TO_MASK(cap);
1665         int rc;
1666 
1667         ad.type = LSM_AUDIT_DATA_CAP;
1668         ad.u.cap = cap;
1669 
1670         switch (CAP_TO_INDEX(cap)) {
1671         case 0:
1672                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1673                 break;
1674         case 1:
1675                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1676                 break;
1677         default:
1678                 printk(KERN_ERR
1679                        "SELinux:  out of range capability %d\n", cap);
1680                 BUG();
1681                 return -EINVAL;
1682         }
1683 
1684         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1685         if (audit == SECURITY_CAP_AUDIT) {
1686                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1687                 if (rc2)
1688                         return rc2;
1689         }
1690         return rc;
1691 }
1692 
1693 /* Check whether a task is allowed to use a system operation. */
1694 static int task_has_system(struct task_struct *tsk,
1695                            u32 perms)
1696 {
1697         u32 sid = task_sid(tsk);
1698 
1699         return avc_has_perm(sid, SECINITSID_KERNEL,
1700                             SECCLASS_SYSTEM, perms, NULL);
1701 }
1702 
1703 /* Check whether a task has a particular permission to an inode.
1704    The 'adp' parameter is optional and allows other audit
1705    data to be passed (e.g. the dentry). */
1706 static int inode_has_perm(const struct cred *cred,
1707                           struct inode *inode,
1708                           u32 perms,
1709                           struct common_audit_data *adp)
1710 {
1711         struct inode_security_struct *isec;
1712         u32 sid;
1713 
1714         validate_creds(cred);
1715 
1716         if (unlikely(IS_PRIVATE(inode)))
1717                 return 0;
1718 
1719         sid = cred_sid(cred);
1720         isec = inode->i_security;
1721 
1722         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1723 }
1724 
1725 /* Same as inode_has_perm, but pass explicit audit data containing
1726    the dentry to help the auditing code to more easily generate the
1727    pathname if needed. */
1728 static inline int dentry_has_perm(const struct cred *cred,
1729                                   struct dentry *dentry,
1730                                   u32 av)
1731 {
1732         struct inode *inode = d_backing_inode(dentry);
1733         struct common_audit_data ad;
1734 
1735         ad.type = LSM_AUDIT_DATA_DENTRY;
1736         ad.u.dentry = dentry;
1737         __inode_security_revalidate(inode, dentry, true);
1738         return inode_has_perm(cred, inode, av, &ad);
1739 }
1740 
1741 /* Same as inode_has_perm, but pass explicit audit data containing
1742    the path to help the auditing code to more easily generate the
1743    pathname if needed. */
1744 static inline int path_has_perm(const struct cred *cred,
1745                                 const struct path *path,
1746                                 u32 av)
1747 {
1748         struct inode *inode = d_backing_inode(path->dentry);
1749         struct common_audit_data ad;
1750 
1751         ad.type = LSM_AUDIT_DATA_PATH;
1752         ad.u.path = *path;
1753         __inode_security_revalidate(inode, path->dentry, true);
1754         return inode_has_perm(cred, inode, av, &ad);
1755 }
1756 
1757 /* Same as path_has_perm, but uses the inode from the file struct. */
1758 static inline int file_path_has_perm(const struct cred *cred,
1759                                      struct file *file,
1760                                      u32 av)
1761 {
1762         struct common_audit_data ad;
1763 
1764         ad.type = LSM_AUDIT_DATA_PATH;
1765         ad.u.path = file->f_path;
1766         return inode_has_perm(cred, file_inode(file), av, &ad);
1767 }
1768 
1769 /* Check whether a task can use an open file descriptor to
1770    access an inode in a given way.  Check access to the
1771    descriptor itself, and then use dentry_has_perm to
1772    check a particular permission to the file.
1773    Access to the descriptor is implicitly granted if it
1774    has the same SID as the process.  If av is zero, then
1775    access to the file is not checked, e.g. for cases
1776    where only the descriptor is affected like seek. */
1777 static int file_has_perm(const struct cred *cred,
1778                          struct file *file,
1779                          u32 av)
1780 {
1781         struct file_security_struct *fsec = file->f_security;
1782         struct inode *inode = file_inode(file);
1783         struct common_audit_data ad;
1784         u32 sid = cred_sid(cred);
1785         int rc;
1786 
1787         ad.type = LSM_AUDIT_DATA_PATH;
1788         ad.u.path = file->f_path;
1789 
1790         if (sid != fsec->sid) {
1791                 rc = avc_has_perm(sid, fsec->sid,
1792                                   SECCLASS_FD,
1793                                   FD__USE,
1794                                   &ad);
1795                 if (rc)
1796                         goto out;
1797         }
1798 
1799         /* av is zero if only checking access to the descriptor. */
1800         rc = 0;
1801         if (av)
1802                 rc = inode_has_perm(cred, inode, av, &ad);
1803 
1804 out:
1805         return rc;
1806 }
1807 
1808 /*
1809  * Determine the label for an inode that might be unioned.
1810  */
1811 static int selinux_determine_inode_label(struct inode *dir,
1812                                          const struct qstr *name,
1813                                          u16 tclass,
1814                                          u32 *_new_isid)
1815 {
1816         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1817         const struct task_security_struct *tsec = current_security();
1818 
1819         if ((sbsec->flags & SE_SBINITIALIZED) &&
1820             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1821                 *_new_isid = sbsec->mntpoint_sid;
1822         } else if ((sbsec->flags & SBLABEL_MNT) &&
1823                    tsec->create_sid) {
1824                 *_new_isid = tsec->create_sid;
1825         } else {
1826                 const struct inode_security_struct *dsec = inode_security(dir);
1827                 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1828                                                name, _new_isid);
1829         }
1830 
1831         return 0;
1832 }
1833 
1834 /* Check whether a task can create a file. */
1835 static int may_create(struct inode *dir,
1836                       struct dentry *dentry,
1837                       u16 tclass)
1838 {
1839         const struct task_security_struct *tsec = current_security();
1840         struct inode_security_struct *dsec;
1841         struct superblock_security_struct *sbsec;
1842         u32 sid, newsid;
1843         struct common_audit_data ad;
1844         int rc;
1845 
1846         dsec = inode_security(dir);
1847         sbsec = dir->i_sb->s_security;
1848 
1849         sid = tsec->sid;
1850 
1851         ad.type = LSM_AUDIT_DATA_DENTRY;
1852         ad.u.dentry = dentry;
1853 
1854         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1855                           DIR__ADD_NAME | DIR__SEARCH,
1856                           &ad);
1857         if (rc)
1858                 return rc;
1859 
1860         rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1861                                            &newsid);
1862         if (rc)
1863                 return rc;
1864 
1865         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1866         if (rc)
1867                 return rc;
1868 
1869         return avc_has_perm(newsid, sbsec->sid,
1870                             SECCLASS_FILESYSTEM,
1871                             FILESYSTEM__ASSOCIATE, &ad);
1872 }
1873 
1874 /* Check whether a task can create a key. */
1875 static int may_create_key(u32 ksid,
1876                           struct task_struct *ctx)
1877 {
1878         u32 sid = task_sid(ctx);
1879 
1880         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1881 }
1882 
1883 #define MAY_LINK        0
1884 #define MAY_UNLINK      1
1885 #define MAY_RMDIR       2
1886 
1887 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1888 static int may_link(struct inode *dir,
1889                     struct dentry *dentry,
1890                     int kind)
1891 
1892 {
1893         struct inode_security_struct *dsec, *isec;
1894         struct common_audit_data ad;
1895         u32 sid = current_sid();
1896         u32 av;
1897         int rc;
1898 
1899         dsec = inode_security(dir);
1900         isec = backing_inode_security(dentry);
1901 
1902         ad.type = LSM_AUDIT_DATA_DENTRY;
1903         ad.u.dentry = dentry;
1904 
1905         av = DIR__SEARCH;
1906         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1907         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1908         if (rc)
1909                 return rc;
1910 
1911         switch (kind) {
1912         case MAY_LINK:
1913                 av = FILE__LINK;
1914                 break;
1915         case MAY_UNLINK:
1916                 av = FILE__UNLINK;
1917                 break;
1918         case MAY_RMDIR:
1919                 av = DIR__RMDIR;
1920                 break;
1921         default:
1922                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1923                         __func__, kind);
1924                 return 0;
1925         }
1926 
1927         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1928         return rc;
1929 }
1930 
1931 static inline int may_rename(struct inode *old_dir,
1932                              struct dentry *old_dentry,
1933                              struct inode *new_dir,
1934                              struct dentry *new_dentry)
1935 {
1936         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1937         struct common_audit_data ad;
1938         u32 sid = current_sid();
1939         u32 av;
1940         int old_is_dir, new_is_dir;
1941         int rc;
1942 
1943         old_dsec = inode_security(old_dir);
1944         old_isec = backing_inode_security(old_dentry);
1945         old_is_dir = d_is_dir(old_dentry);
1946         new_dsec = inode_security(new_dir);
1947 
1948         ad.type = LSM_AUDIT_DATA_DENTRY;
1949 
1950         ad.u.dentry = old_dentry;
1951         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1952                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1953         if (rc)
1954                 return rc;
1955         rc = avc_has_perm(sid, old_isec->sid,
1956                           old_isec->sclass, FILE__RENAME, &ad);
1957         if (rc)
1958                 return rc;
1959         if (old_is_dir && new_dir != old_dir) {
1960                 rc = avc_has_perm(sid, old_isec->sid,
1961                                   old_isec->sclass, DIR__REPARENT, &ad);
1962                 if (rc)
1963                         return rc;
1964         }
1965 
1966         ad.u.dentry = new_dentry;
1967         av = DIR__ADD_NAME | DIR__SEARCH;
1968         if (d_is_positive(new_dentry))
1969                 av |= DIR__REMOVE_NAME;
1970         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1971         if (rc)
1972                 return rc;
1973         if (d_is_positive(new_dentry)) {
1974                 new_isec = backing_inode_security(new_dentry);
1975                 new_is_dir = d_is_dir(new_dentry);
1976                 rc = avc_has_perm(sid, new_isec->sid,
1977                                   new_isec->sclass,
1978                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1979                 if (rc)
1980                         return rc;
1981         }
1982 
1983         return 0;
1984 }
1985 
1986 /* Check whether a task can perform a filesystem operation. */
1987 static int superblock_has_perm(const struct cred *cred,
1988                                struct super_block *sb,
1989                                u32 perms,
1990                                struct common_audit_data *ad)
1991 {
1992         struct superblock_security_struct *sbsec;
1993         u32 sid = cred_sid(cred);
1994 
1995         sbsec = sb->s_security;
1996         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1997 }
1998 
1999 /* Convert a Linux mode and permission mask to an access vector. */
2000 static inline u32 file_mask_to_av(int mode, int mask)
2001 {
2002         u32 av = 0;
2003 
2004         if (!S_ISDIR(mode)) {
2005                 if (mask & MAY_EXEC)
2006                         av |= FILE__EXECUTE;
2007                 if (mask & MAY_READ)
2008                         av |= FILE__READ;
2009 
2010                 if (mask & MAY_APPEND)
2011                         av |= FILE__APPEND;
2012                 else if (mask & MAY_WRITE)
2013                         av |= FILE__WRITE;
2014 
2015         } else {
2016                 if (mask & MAY_EXEC)
2017                         av |= DIR__SEARCH;
2018                 if (mask & MAY_WRITE)
2019                         av |= DIR__WRITE;
2020                 if (mask & MAY_READ)
2021                         av |= DIR__READ;
2022         }
2023 
2024         return av;
2025 }
2026 
2027 /* Convert a Linux file to an access vector. */
2028 static inline u32 file_to_av(struct file *file)
2029 {
2030         u32 av = 0;
2031 
2032         if (file->f_mode & FMODE_READ)
2033                 av |= FILE__READ;
2034         if (file->f_mode & FMODE_WRITE) {
2035                 if (file->f_flags & O_APPEND)
2036                         av |= FILE__APPEND;
2037                 else
2038                         av |= FILE__WRITE;
2039         }
2040         if (!av) {
2041                 /*
2042                  * Special file opened with flags 3 for ioctl-only use.
2043                  */
2044                 av = FILE__IOCTL;
2045         }
2046 
2047         return av;
2048 }
2049 
2050 /*
2051  * Convert a file to an access vector and include the correct open
2052  * open permission.
2053  */
2054 static inline u32 open_file_to_av(struct file *file)
2055 {
2056         u32 av = file_to_av(file);
2057 
2058         if (selinux_policycap_openperm)
2059                 av |= FILE__OPEN;
2060 
2061         return av;
2062 }
2063 
2064 /* Hook functions begin here. */
2065 
2066 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2067 {
2068         u32 mysid = current_sid();
2069         u32 mgrsid = task_sid(mgr);
2070 
2071         return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2072                             BINDER__SET_CONTEXT_MGR, NULL);
2073 }
2074 
2075 static int selinux_binder_transaction(struct task_struct *from,
2076                                       struct task_struct *to)
2077 {
2078         u32 mysid = current_sid();
2079         u32 fromsid = task_sid(from);
2080         u32 tosid = task_sid(to);
2081         int rc;
2082 
2083         if (mysid != fromsid) {
2084                 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2085                                   BINDER__IMPERSONATE, NULL);
2086                 if (rc)
2087                         return rc;
2088         }
2089 
2090         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2091                             NULL);
2092 }
2093 
2094 static int selinux_binder_transfer_binder(struct task_struct *from,
2095                                           struct task_struct *to)
2096 {
2097         u32 fromsid = task_sid(from);
2098         u32 tosid = task_sid(to);
2099 
2100         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2101                             NULL);
2102 }
2103 
2104 static int selinux_binder_transfer_file(struct task_struct *from,
2105                                         struct task_struct *to,
2106                                         struct file *file)
2107 {
2108         u32 sid = task_sid(to);
2109         struct file_security_struct *fsec = file->f_security;
2110         struct dentry *dentry = file->f_path.dentry;
2111         struct inode_security_struct *isec;
2112         struct common_audit_data ad;
2113         int rc;
2114 
2115         ad.type = LSM_AUDIT_DATA_PATH;
2116         ad.u.path = file->f_path;
2117 
2118         if (sid != fsec->sid) {
2119                 rc = avc_has_perm(sid, fsec->sid,
2120                                   SECCLASS_FD,
2121                                   FD__USE,
2122                                   &ad);
2123                 if (rc)
2124                         return rc;
2125         }
2126 
2127         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2128                 return 0;
2129 
2130         isec = backing_inode_security(dentry);
2131         return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2132                             &ad);
2133 }
2134 
2135 static int selinux_ptrace_access_check(struct task_struct *child,
2136                                      unsigned int mode)
2137 {
2138         if (mode & PTRACE_MODE_READ) {
2139                 u32 sid = current_sid();
2140                 u32 csid = task_sid(child);
2141                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2142         }
2143 
2144         return current_has_perm(child, PROCESS__PTRACE);
2145 }
2146 
2147 static int selinux_ptrace_traceme(struct task_struct *parent)
2148 {
2149         return task_has_perm(parent, current, PROCESS__PTRACE);
2150 }
2151 
2152 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2153                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2154 {
2155         return current_has_perm(target, PROCESS__GETCAP);
2156 }
2157 
2158 static int selinux_capset(struct cred *new, const struct cred *old,
2159                           const kernel_cap_t *effective,
2160                           const kernel_cap_t *inheritable,
2161                           const kernel_cap_t *permitted)
2162 {
2163         return cred_has_perm(old, new, PROCESS__SETCAP);
2164 }
2165 
2166 /*
2167  * (This comment used to live with the selinux_task_setuid hook,
2168  * which was removed).
2169  *
2170  * Since setuid only affects the current process, and since the SELinux
2171  * controls are not based on the Linux identity attributes, SELinux does not
2172  * need to control this operation.  However, SELinux does control the use of
2173  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2174  */
2175 
2176 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2177                            int cap, int audit)
2178 {
2179         return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2180 }
2181 
2182 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2183 {
2184         const struct cred *cred = current_cred();
2185         int rc = 0;
2186 
2187         if (!sb)
2188                 return 0;
2189 
2190         switch (cmds) {
2191         case Q_SYNC:
2192         case Q_QUOTAON:
2193         case Q_QUOTAOFF:
2194         case Q_SETINFO:
2195         case Q_SETQUOTA:
2196                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2197                 break;
2198         case Q_GETFMT:
2199         case Q_GETINFO:
2200         case Q_GETQUOTA:
2201                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2202                 break;
2203         default:
2204                 rc = 0;  /* let the kernel handle invalid cmds */
2205                 break;
2206         }
2207         return rc;
2208 }
2209 
2210 static int selinux_quota_on(struct dentry *dentry)
2211 {
2212         const struct cred *cred = current_cred();
2213 
2214         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2215 }
2216 
2217 static int selinux_syslog(int type)
2218 {
2219         int rc;
2220 
2221         switch (type) {
2222         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2223         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2224                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2225                 break;
2226         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2227         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2228         /* Set level of messages printed to console */
2229         case SYSLOG_ACTION_CONSOLE_LEVEL:
2230                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2231                 break;
2232         case SYSLOG_ACTION_CLOSE:       /* Close log */
2233         case SYSLOG_ACTION_OPEN:        /* Open log */
2234         case SYSLOG_ACTION_READ:        /* Read from log */
2235         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
2236         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
2237         default:
2238                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2239                 break;
2240         }
2241         return rc;
2242 }
2243 
2244 /*
2245  * Check that a process has enough memory to allocate a new virtual
2246  * mapping. 0 means there is enough memory for the allocation to
2247  * succeed and -ENOMEM implies there is not.
2248  *
2249  * Do not audit the selinux permission check, as this is applied to all
2250  * processes that allocate mappings.
2251  */
2252 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2253 {
2254         int rc, cap_sys_admin = 0;
2255 
2256         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2257                                  SECURITY_CAP_NOAUDIT, true);
2258         if (rc == 0)
2259                 cap_sys_admin = 1;
2260 
2261         return cap_sys_admin;
2262 }
2263 
2264 /* binprm security operations */
2265 
2266 static u32 ptrace_parent_sid(struct task_struct *task)
2267 {
2268         u32 sid = 0;
2269         struct task_struct *tracer;
2270 
2271         rcu_read_lock();
2272         tracer = ptrace_parent(task);
2273         if (tracer)
2274                 sid = task_sid(tracer);
2275         rcu_read_unlock();
2276 
2277         return sid;
2278 }
2279 
2280 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2281                             const struct task_security_struct *old_tsec,
2282                             const struct task_security_struct *new_tsec)
2283 {
2284         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2285         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2286         int rc;
2287 
2288         if (!nnp && !nosuid)
2289                 return 0; /* neither NNP nor nosuid */
2290 
2291         if (new_tsec->sid == old_tsec->sid)
2292                 return 0; /* No change in credentials */
2293 
2294         /*
2295          * The only transitions we permit under NNP or nosuid
2296          * are transitions to bounded SIDs, i.e. SIDs that are
2297          * guaranteed to only be allowed a subset of the permissions
2298          * of the current SID.
2299          */
2300         rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2301         if (rc) {
2302                 /*
2303                  * On failure, preserve the errno values for NNP vs nosuid.
2304                  * NNP:  Operation not permitted for caller.
2305                  * nosuid:  Permission denied to file.
2306                  */
2307                 if (nnp)
2308                         return -EPERM;
2309                 else
2310                         return -EACCES;
2311         }
2312         return 0;
2313 }
2314 
2315 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2316 {
2317         const struct task_security_struct *old_tsec;
2318         struct task_security_struct *new_tsec;
2319         struct inode_security_struct *isec;
2320         struct common_audit_data ad;
2321         struct inode *inode = file_inode(bprm->file);
2322         int rc;
2323 
2324         /* SELinux context only depends on initial program or script and not
2325          * the script interpreter */
2326         if (bprm->cred_prepared)
2327                 return 0;
2328 
2329         old_tsec = current_security();
2330         new_tsec = bprm->cred->security;
2331         isec = inode_security(inode);
2332 
2333         /* Default to the current task SID. */
2334         new_tsec->sid = old_tsec->sid;
2335         new_tsec->osid = old_tsec->sid;
2336 
2337         /* Reset fs, key, and sock SIDs on execve. */
2338         new_tsec->create_sid = 0;
2339         new_tsec->keycreate_sid = 0;
2340         new_tsec->sockcreate_sid = 0;
2341 
2342         if (old_tsec->exec_sid) {
2343                 new_tsec->sid = old_tsec->exec_sid;
2344                 /* Reset exec SID on execve. */
2345                 new_tsec->exec_sid = 0;
2346 
2347                 /* Fail on NNP or nosuid if not an allowed transition. */
2348                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2349                 if (rc)
2350                         return rc;
2351         } else {
2352                 /* Check for a default transition on this program. */
2353                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2354                                              SECCLASS_PROCESS, NULL,
2355                                              &new_tsec->sid);
2356                 if (rc)
2357                         return rc;
2358 
2359                 /*
2360                  * Fallback to old SID on NNP or nosuid if not an allowed
2361                  * transition.
2362                  */
2363                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2364                 if (rc)
2365                         new_tsec->sid = old_tsec->sid;
2366         }
2367 
2368         ad.type = LSM_AUDIT_DATA_PATH;
2369         ad.u.path = bprm->file->f_path;
2370 
2371         if (new_tsec->sid == old_tsec->sid) {
2372                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2373                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2374                 if (rc)
2375                         return rc;
2376         } else {
2377                 /* Check permissions for the transition. */
2378                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2379                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2380                 if (rc)
2381                         return rc;
2382 
2383                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2384                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2385                 if (rc)
2386                         return rc;
2387 
2388                 /* Check for shared state */
2389                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2390                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2391                                           SECCLASS_PROCESS, PROCESS__SHARE,
2392                                           NULL);
2393                         if (rc)
2394                                 return -EPERM;
2395                 }
2396 
2397                 /* Make sure that anyone attempting to ptrace over a task that
2398                  * changes its SID has the appropriate permit */
2399                 if (bprm->unsafe &
2400                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2401                         u32 ptsid = ptrace_parent_sid(current);
2402                         if (ptsid != 0) {
2403                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2404                                                   SECCLASS_PROCESS,
2405                                                   PROCESS__PTRACE, NULL);
2406                                 if (rc)
2407                                         return -EPERM;
2408                         }
2409                 }
2410 
2411                 /* Clear any possibly unsafe personality bits on exec: */
2412                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2413         }
2414 
2415         return 0;
2416 }
2417 
2418 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2419 {
2420         const struct task_security_struct *tsec = current_security();
2421         u32 sid, osid;
2422         int atsecure = 0;
2423 
2424         sid = tsec->sid;
2425         osid = tsec->osid;
2426 
2427         if (osid != sid) {
2428                 /* Enable secure mode for SIDs transitions unless
2429                    the noatsecure permission is granted between
2430                    the two SIDs, i.e. ahp returns 0. */
2431                 atsecure = avc_has_perm(osid, sid,
2432                                         SECCLASS_PROCESS,
2433                                         PROCESS__NOATSECURE, NULL);
2434         }
2435 
2436         return !!atsecure;
2437 }
2438 
2439 static int match_file(const void *p, struct file *file, unsigned fd)
2440 {
2441         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2442 }
2443 
2444 /* Derived from fs/exec.c:flush_old_files. */
2445 static inline void flush_unauthorized_files(const struct cred *cred,
2446                                             struct files_struct *files)
2447 {
2448         struct file *file, *devnull = NULL;
2449         struct tty_struct *tty;
2450         int drop_tty = 0;
2451         unsigned n;
2452 
2453         tty = get_current_tty();
2454         if (tty) {
2455                 spin_lock(&tty->files_lock);
2456                 if (!list_empty(&tty->tty_files)) {
2457                         struct tty_file_private *file_priv;
2458 
2459                         /* Revalidate access to controlling tty.
2460                            Use file_path_has_perm on the tty path directly
2461                            rather than using file_has_perm, as this particular
2462                            open file may belong to another process and we are
2463                            only interested in the inode-based check here. */
2464                         file_priv = list_first_entry(&tty->tty_files,
2465                                                 struct tty_file_private, list);
2466                         file = file_priv->file;
2467                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2468                                 drop_tty = 1;
2469                 }
2470                 spin_unlock(&tty->files_lock);
2471                 tty_kref_put(tty);
2472         }
2473         /* Reset controlling tty. */
2474         if (drop_tty)
2475                 no_tty();
2476 
2477         /* Revalidate access to inherited open files. */
2478         n = iterate_fd(files, 0, match_file, cred);
2479         if (!n) /* none found? */
2480                 return;
2481 
2482         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2483         if (IS_ERR(devnull))
2484                 devnull = NULL;
2485         /* replace all the matching ones with this */
2486         do {
2487                 replace_fd(n - 1, devnull, 0);
2488         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2489         if (devnull)
2490                 fput(devnull);
2491 }
2492 
2493 /*
2494  * Prepare a process for imminent new credential changes due to exec
2495  */
2496 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2497 {
2498         struct task_security_struct *new_tsec;
2499         struct rlimit *rlim, *initrlim;
2500         int rc, i;
2501 
2502         new_tsec = bprm->cred->security;
2503         if (new_tsec->sid == new_tsec->osid)
2504                 return;
2505 
2506         /* Close files for which the new task SID is not authorized. */
2507         flush_unauthorized_files(bprm->cred, current->files);
2508 
2509         /* Always clear parent death signal on SID transitions. */
2510         current->pdeath_signal = 0;
2511 
2512         /* Check whether the new SID can inherit resource limits from the old
2513          * SID.  If not, reset all soft limits to the lower of the current
2514          * task's hard limit and the init task's soft limit.
2515          *
2516          * Note that the setting of hard limits (even to lower them) can be
2517          * controlled by the setrlimit check.  The inclusion of the init task's
2518          * soft limit into the computation is to avoid resetting soft limits
2519          * higher than the default soft limit for cases where the default is
2520          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2521          */
2522         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2523                           PROCESS__RLIMITINH, NULL);
2524         if (rc) {
2525                 /* protect against do_prlimit() */
2526                 task_lock(current);
2527                 for (i = 0; i < RLIM_NLIMITS; i++) {
2528                         rlim = current->signal->rlim + i;
2529                         initrlim = init_task.signal->rlim + i;
2530                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2531                 }
2532                 task_unlock(current);
2533                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2534         }
2535 }
2536 
2537 /*
2538  * Clean up the process immediately after the installation of new credentials
2539  * due to exec
2540  */
2541 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2542 {
2543         const struct task_security_struct *tsec = current_security();
2544         struct itimerval itimer;
2545         u32 osid, sid;
2546         int rc, i;
2547 
2548         osid = tsec->osid;
2549         sid = tsec->sid;
2550 
2551         if (sid == osid)
2552                 return;
2553 
2554         /* Check whether the new SID can inherit signal state from the old SID.
2555          * If not, clear itimers to avoid subsequent signal generation and
2556          * flush and unblock signals.
2557          *
2558          * This must occur _after_ the task SID has been updated so that any
2559          * kill done after the flush will be checked against the new SID.
2560          */
2561         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2562         if (rc) {
2563                 memset(&itimer, 0, sizeof itimer);
2564                 for (i = 0; i < 3; i++)
2565                         do_setitimer(i, &itimer, NULL);
2566                 spin_lock_irq(&current->sighand->siglock);
2567                 if (!fatal_signal_pending(current)) {
2568                         flush_sigqueue(&current->pending);
2569                         flush_sigqueue(&current->signal->shared_pending);
2570                         flush_signal_handlers(current, 1);
2571                         sigemptyset(&current->blocked);
2572                         recalc_sigpending();
2573                 }
2574                 spin_unlock_irq(&current->sighand->siglock);
2575         }
2576 
2577         /* Wake up the parent if it is waiting so that it can recheck
2578          * wait permission to the new task SID. */
2579         read_lock(&tasklist_lock);
2580         __wake_up_parent(current, current->real_parent);
2581         read_unlock(&tasklist_lock);
2582 }
2583 
2584 /* superblock security operations */
2585 
2586 static int selinux_sb_alloc_security(struct super_block *sb)
2587 {
2588         return superblock_alloc_security(sb);
2589 }
2590 
2591 static void selinux_sb_free_security(struct super_block *sb)
2592 {
2593         superblock_free_security(sb);
2594 }
2595 
2596 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2597 {
2598         if (plen > olen)
2599                 return 0;
2600 
2601         return !memcmp(prefix, option, plen);
2602 }
2603 
2604 static inline int selinux_option(char *option, int len)
2605 {
2606         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2607                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2608                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2609                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2610                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2611 }
2612 
2613 static inline void take_option(char **to, char *from, int *first, int len)
2614 {
2615         if (!*first) {
2616                 **to = ',';
2617                 *to += 1;
2618         } else
2619                 *first = 0;
2620         memcpy(*to, from, len);
2621         *to += len;
2622 }
2623 
2624 static inline void take_selinux_option(char **to, char *from, int *first,
2625                                        int len)
2626 {
2627         int current_size = 0;
2628 
2629         if (!*first) {
2630                 **to = '|';
2631                 *to += 1;
2632         } else
2633                 *first = 0;
2634 
2635         while (current_size < len) {
2636                 if (*from != '"') {
2637                         **to = *from;
2638                         *to += 1;
2639                 }
2640                 from += 1;
2641                 current_size += 1;
2642         }
2643 }
2644 
2645 static int selinux_sb_copy_data(char *orig, char *copy)
2646 {
2647         int fnosec, fsec, rc = 0;
2648         char *in_save, *in_curr, *in_end;
2649         char *sec_curr, *nosec_save, *nosec;
2650         int open_quote = 0;
2651 
2652         in_curr = orig;
2653         sec_curr = copy;
2654 
2655         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2656         if (!nosec) {
2657                 rc = -ENOMEM;
2658                 goto out;
2659         }
2660 
2661         nosec_save = nosec;
2662         fnosec = fsec = 1;
2663         in_save = in_end = orig;
2664 
2665         do {
2666                 if (*in_end == '"')
2667                         open_quote = !open_quote;
2668                 if ((*in_end == ',' && open_quote == 0) ||
2669                                 *in_end == '\0') {
2670                         int len = in_end - in_curr;
2671 
2672                         if (selinux_option(in_curr, len))
2673                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2674                         else
2675                                 take_option(&nosec, in_curr, &fnosec, len);
2676 
2677                         in_curr = in_end + 1;
2678                 }
2679         } while (*in_end++);
2680 
2681         strcpy(in_save, nosec_save);
2682         free_page((unsigned long)nosec_save);
2683 out:
2684         return rc;
2685 }
2686 
2687 static int selinux_sb_remount(struct super_block *sb, void *data)
2688 {
2689         int rc, i, *flags;
2690         struct security_mnt_opts opts;
2691         char *secdata, **mount_options;
2692         struct superblock_security_struct *sbsec = sb->s_security;
2693 
2694         if (!(sbsec->flags & SE_SBINITIALIZED))
2695                 return 0;
2696 
2697         if (!data)
2698                 return 0;
2699 
2700         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2701                 return 0;
2702 
2703         security_init_mnt_opts(&opts);
2704         secdata = alloc_secdata();
2705         if (!secdata)
2706                 return -ENOMEM;
2707         rc = selinux_sb_copy_data(data, secdata);
2708         if (rc)
2709                 goto out_free_secdata;
2710 
2711         rc = selinux_parse_opts_str(secdata, &opts);
2712         if (rc)
2713                 goto out_free_secdata;
2714 
2715         mount_options = opts.mnt_opts;
2716         flags = opts.mnt_opts_flags;
2717 
2718         for (i = 0; i < opts.num_mnt_opts; i++) {
2719                 u32 sid;
2720 
2721                 if (flags[i] == SBLABEL_MNT)
2722                         continue;
2723                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2724                 if (rc) {
2725                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2726                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2727                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2728                         goto out_free_opts;
2729                 }
2730                 rc = -EINVAL;
2731                 switch (flags[i]) {
2732                 case FSCONTEXT_MNT:
2733                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2734                                 goto out_bad_option;
2735                         break;
2736                 case CONTEXT_MNT:
2737                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2738                                 goto out_bad_option;
2739                         break;
2740                 case ROOTCONTEXT_MNT: {
2741                         struct inode_security_struct *root_isec;
2742                         root_isec = backing_inode_security(sb->s_root);
2743 
2744                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2745                                 goto out_bad_option;
2746                         break;
2747                 }
2748                 case DEFCONTEXT_MNT:
2749                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2750                                 goto out_bad_option;
2751                         break;
2752                 default:
2753                         goto out_free_opts;
2754                 }
2755         }
2756 
2757         rc = 0;
2758 out_free_opts:
2759         security_free_mnt_opts(&opts);
2760 out_free_secdata:
2761         free_secdata(secdata);
2762         return rc;
2763 out_bad_option:
2764         printk(KERN_WARNING "SELinux: unable to change security options "
2765                "during remount (dev %s, type=%s)\n", sb->s_id,
2766                sb->s_type->name);
2767         goto out_free_opts;
2768 }
2769 
2770 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2771 {
2772         const struct cred *cred = current_cred();
2773         struct common_audit_data ad;
2774         int rc;
2775 
2776         rc = superblock_doinit(sb, data);
2777         if (rc)
2778                 return rc;
2779 
2780         /* Allow all mounts performed by the kernel */
2781         if (flags & MS_KERNMOUNT)
2782                 return 0;
2783 
2784         ad.type = LSM_AUDIT_DATA_DENTRY;
2785         ad.u.dentry = sb->s_root;
2786         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2787 }
2788 
2789 static int selinux_sb_statfs(struct dentry *dentry)
2790 {
2791         const struct cred *cred = current_cred();
2792         struct common_audit_data ad;
2793 
2794         ad.type = LSM_AUDIT_DATA_DENTRY;
2795         ad.u.dentry = dentry->d_sb->s_root;
2796         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2797 }
2798 
2799 static int selinux_mount(const char *dev_name,
2800                          const struct path *path,
2801                          const char *type,
2802                          unsigned long flags,
2803                          void *data)
2804 {
2805         const struct cred *cred = current_cred();
2806 
2807         if (flags & MS_REMOUNT)
2808                 return superblock_has_perm(cred, path->dentry->d_sb,
2809                                            FILESYSTEM__REMOUNT, NULL);
2810         else
2811                 return path_has_perm(cred, path, FILE__MOUNTON);
2812 }
2813 
2814 static int selinux_umount(struct vfsmount *mnt, int flags)
2815 {
2816         const struct cred *cred = current_cred();
2817 
2818         return superblock_has_perm(cred, mnt->mnt_sb,
2819                                    FILESYSTEM__UNMOUNT, NULL);
2820 }
2821 
2822 /* inode security operations */
2823 
2824 static int selinux_inode_alloc_security(struct inode *inode)
2825 {
2826         return inode_alloc_security(inode);
2827 }
2828 
2829 static void selinux_inode_free_security(struct inode *inode)
2830 {
2831         inode_free_security(inode);
2832 }
2833 
2834 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2835                                         const struct qstr *name, void **ctx,
2836                                         u32 *ctxlen)
2837 {
2838         u32 newsid;
2839         int rc;
2840 
2841         rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2842                                            inode_mode_to_security_class(mode),
2843                                            &newsid);
2844         if (rc)
2845                 return rc;
2846 
2847         return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2848 }
2849 
2850 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2851                                        const struct qstr *qstr,
2852                                        const char **name,
2853                                        void **value, size_t *len)
2854 {
2855         const struct task_security_struct *tsec = current_security();
2856         struct superblock_security_struct *sbsec;
2857         u32 sid, newsid, clen;
2858         int rc;
2859         char *context;
2860 
2861         sbsec = dir->i_sb->s_security;
2862 
2863         sid = tsec->sid;
2864         newsid = tsec->create_sid;
2865 
2866         rc = selinux_determine_inode_label(
2867                 dir, qstr,
2868                 inode_mode_to_security_class(inode->i_mode),
2869                 &newsid);
2870         if (rc)
2871                 return rc;
2872 
2873         /* Possibly defer initialization to selinux_complete_init. */
2874         if (sbsec->flags & SE_SBINITIALIZED) {
2875                 struct inode_security_struct *isec = inode->i_security;
2876                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2877                 isec->sid = newsid;
2878                 isec->initialized = LABEL_INITIALIZED;
2879         }
2880 
2881         if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2882                 return -EOPNOTSUPP;
2883 
2884         if (name)
2885                 *name = XATTR_SELINUX_SUFFIX;
2886 
2887         if (value && len) {
2888                 rc = security_sid_to_context_force(newsid, &context, &clen);
2889                 if (rc)
2890                         return rc;
2891                 *value = context;
2892                 *len = clen;
2893         }
2894 
2895         return 0;
2896 }
2897 
2898 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2899 {
2900         return may_create(dir, dentry, SECCLASS_FILE);
2901 }
2902 
2903 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2904 {
2905         return may_link(dir, old_dentry, MAY_LINK);
2906 }
2907 
2908 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2909 {
2910         return may_link(dir, dentry, MAY_UNLINK);
2911 }
2912 
2913 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2914 {
2915         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2916 }
2917 
2918 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2919 {
2920         return may_create(dir, dentry, SECCLASS_DIR);
2921 }
2922 
2923 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2924 {
2925         return may_link(dir, dentry, MAY_RMDIR);
2926 }
2927 
2928 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2929 {
2930         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2931 }
2932 
2933 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2934                                 struct inode *new_inode, struct dentry *new_dentry)
2935 {
2936         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2937 }
2938 
2939 static int selinux_inode_readlink(struct dentry *dentry)
2940 {
2941         const struct cred *cred = current_cred();
2942 
2943         return dentry_has_perm(cred, dentry, FILE__READ);
2944 }
2945 
2946 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2947                                      bool rcu)
2948 {
2949         const struct cred *cred = current_cred();
2950         struct common_audit_data ad;
2951         struct inode_security_struct *isec;
2952         u32 sid;
2953 
2954         validate_creds(cred);
2955 
2956         ad.type = LSM_AUDIT_DATA_DENTRY;
2957         ad.u.dentry = dentry;
2958         sid = cred_sid(cred);
2959         isec = inode_security_rcu(inode, rcu);
2960         if (IS_ERR(isec))
2961                 return PTR_ERR(isec);
2962 
2963         return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2964                                   rcu ? MAY_NOT_BLOCK : 0);
2965 }
2966 
2967 static noinline int audit_inode_permission(struct inode *inode,
2968                                            u32 perms, u32 audited, u32 denied,
2969                                            int result,
2970                                            unsigned flags)
2971 {
2972         struct common_audit_data ad;
2973         struct inode_security_struct *isec = inode->i_security;
2974         int rc;
2975 
2976         ad.type = LSM_AUDIT_DATA_INODE;
2977         ad.u.inode = inode;
2978 
2979         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2980                             audited, denied, result, &ad, flags);
2981         if (rc)
2982                 return rc;
2983         return 0;
2984 }
2985 
2986 static int selinux_inode_permission(struct inode *inode, int mask)
2987 {
2988         const struct cred *cred = current_cred();
2989         u32 perms;
2990         bool from_access;
2991         unsigned flags = mask & MAY_NOT_BLOCK;
2992         struct inode_security_struct *isec;
2993         u32 sid;
2994         struct av_decision avd;
2995         int rc, rc2;
2996         u32 audited, denied;
2997 
2998         from_access = mask & MAY_ACCESS;
2999         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3000 
3001         /* No permission to check.  Existence test. */
3002         if (!mask)
3003                 return 0;
3004 
3005         validate_creds(cred);
3006 
3007         if (unlikely(IS_PRIVATE(inode)))
3008                 return 0;
3009 
3010         perms = file_mask_to_av(inode->i_mode, mask);
3011 
3012         sid = cred_sid(cred);
3013         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3014         if (IS_ERR(isec))
3015                 return PTR_ERR(isec);
3016 
3017         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3018         audited = avc_audit_required(perms, &avd, rc,
3019                                      from_access ? FILE__AUDIT_ACCESS : 0,
3020                                      &denied);
3021         if (likely(!audited))
3022                 return rc;
3023 
3024         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3025         if (rc2)
3026                 return rc2;
3027         return rc;
3028 }
3029 
3030 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3031 {
3032         const struct cred *cred = current_cred();
3033         unsigned int ia_valid = iattr->ia_valid;
3034         __u32 av = FILE__WRITE;
3035 
3036         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3037         if (ia_valid & ATTR_FORCE) {
3038                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3039                               ATTR_FORCE);
3040                 if (!ia_valid)
3041                         return 0;
3042         }
3043 
3044         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3045                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3046                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3047 
3048         if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3049                         && !(ia_valid & ATTR_FILE))
3050                 av |= FILE__OPEN;
3051 
3052         return dentry_has_perm(cred, dentry, av);
3053 }
3054 
3055 static int selinux_inode_getattr(const struct path *path)
3056 {
3057         return path_has_perm(current_cred(), path, FILE__GETATTR);
3058 }
3059 
3060 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3061 {
3062         const struct cred *cred = current_cred();
3063 
3064         if (!strncmp(name, XATTR_SECURITY_PREFIX,
3065                      sizeof XATTR_SECURITY_PREFIX - 1)) {
3066                 if (!strcmp(name, XATTR_NAME_CAPS)) {
3067                         if (!capable(CAP_SETFCAP))
3068                                 return -EPERM;
3069                 } else if (!capable(CAP_SYS_ADMIN)) {
3070                         /* A different attribute in the security namespace.
3071                            Restrict to administrator. */
3072                         return -EPERM;
3073                 }
3074         }
3075 
3076         /* Not an attribute we recognize, so just check the
3077            ordinary setattr permission. */
3078         return dentry_has_perm(cred, dentry, FILE__SETATTR);
3079 }
3080 
3081 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3082                                   const void *value, size_t size, int flags)
3083 {
3084         struct inode *inode = d_backing_inode(dentry);
3085         struct inode_security_struct *isec;
3086         struct superblock_security_struct *sbsec;
3087         struct common_audit_data ad;
3088         u32 newsid, sid = current_sid();
3089         int rc = 0;
3090 
3091         if (strcmp(name, XATTR_NAME_SELINUX))
3092                 return selinux_inode_setotherxattr(dentry, name);
3093 
3094         sbsec = inode->i_sb->s_security;
3095         if (!(sbsec->flags & SBLABEL_MNT))
3096                 return -EOPNOTSUPP;
3097 
3098         if (!inode_owner_or_capable(inode))
3099                 return -EPERM;
3100 
3101         ad.type = LSM_AUDIT_DATA_DENTRY;
3102         ad.u.dentry = dentry;
3103 
3104         isec = backing_inode_security(dentry);
3105         rc = avc_has_perm(sid, isec->sid, isec->sclass,
3106                           FILE__RELABELFROM, &ad);
3107         if (rc)
3108                 return rc;
3109 
3110         rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3111         if (rc == -EINVAL) {
3112                 if (!capable(CAP_MAC_ADMIN)) {
3113                         struct audit_buffer *ab;
3114                         size_t audit_size;
3115                         const char *str;
3116 
3117                         /* We strip a nul only if it is at the end, otherwise the
3118                          * context contains a nul and we should audit that */
3119                         if (value) {
3120                                 str = value;
3121                                 if (str[size - 1] == '\0')
3122                                         audit_size = size - 1;
3123                                 else
3124                                         audit_size = size;
3125                         } else {
3126                                 str = "";
3127                                 audit_size = 0;
3128                         }
3129                         ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3130                         audit_log_format(ab, "op=setxattr invalid_context=");
3131                         audit_log_n_untrustedstring(ab, value, audit_size);
3132                         audit_log_end(ab);
3133 
3134                         return rc;
3135                 }
3136                 rc = security_context_to_sid_force(value, size, &newsid);
3137         }
3138         if (rc)
3139                 return rc;
3140 
3141         rc = avc_has_perm(sid, newsid, isec->sclass,
3142                           FILE__RELABELTO, &ad);
3143         if (rc)
3144                 return rc;
3145 
3146         rc = security_validate_transition(isec->sid, newsid, sid,
3147                                           isec->sclass);
3148         if (rc)
3149                 return rc;
3150 
3151         return avc_has_perm(newsid,
3152                             sbsec->sid,
3153                             SECCLASS_FILESYSTEM,
3154                             FILESYSTEM__ASSOCIATE,
3155                             &ad);
3156 }
3157 
3158 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3159                                         const void *value, size_t size,
3160                                         int flags)
3161 {
3162         struct inode *inode = d_backing_inode(dentry);
3163         struct inode_security_struct *isec;
3164         u32 newsid;
3165         int rc;
3166 
3167         if (strcmp(name, XATTR_NAME_SELINUX)) {
3168                 /* Not an attribute we recognize, so nothing to do. */
3169                 return;
3170         }
3171 
3172         rc = security_context_to_sid_force(value, size, &newsid);
3173         if (rc) {
3174                 printk(KERN_ERR "SELinux:  unable to map context to SID"
3175                        "for (%s, %lu), rc=%d\n",
3176                        inode->i_sb->s_id, inode->i_ino, -rc);
3177                 return;
3178         }
3179 
3180         isec = backing_inode_security(dentry);
3181         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3182         isec->sid = newsid;
3183         isec->initialized = LABEL_INITIALIZED;
3184 
3185         return;
3186 }
3187 
3188 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3189 {
3190         const struct cred *cred = current_cred();
3191 
3192         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3193 }
3194 
3195 static int selinux_inode_listxattr(struct dentry *dentry)
3196 {
3197         const struct cred *cred = current_cred();
3198 
3199         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3200 }
3201 
3202 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3203 {
3204         if (strcmp(name, XATTR_NAME_SELINUX))
3205                 return selinux_inode_setotherxattr(dentry, name);
3206 
3207         /* No one is allowed to remove a SELinux security label.
3208            You can change the label, but all data must be labeled. */
3209         return -EACCES;
3210 }
3211 
3212 /*
3213  * Copy the inode security context value to the user.
3214  *
3215  * Permission check is handled by selinux_inode_getxattr hook.
3216  */
3217 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3218 {
3219         u32 size;
3220         int error;
3221         char *context = NULL;
3222         struct inode_security_struct *isec;
3223 
3224         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3225                 return -EOPNOTSUPP;
3226 
3227         /*
3228          * If the caller has CAP_MAC_ADMIN, then get the raw context
3229          * value even if it is not defined by current policy; otherwise,
3230          * use the in-core value under current policy.
3231          * Use the non-auditing forms of the permission checks since
3232          * getxattr may be called by unprivileged processes commonly
3233          * and lack of permission just means that we fall back to the
3234          * in-core context value, not a denial.
3235          */
3236         error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3237                             SECURITY_CAP_NOAUDIT);
3238         if (!error)
3239                 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3240                                             SECURITY_CAP_NOAUDIT, true);
3241         isec = inode_security(inode);
3242         if (!error)
3243                 error = security_sid_to_context_force(isec->sid, &context,
3244                                                       &size);
3245         else
3246                 error = security_sid_to_context(isec->sid, &context, &size);
3247         if (error)
3248                 return error;
3249         error = size;
3250         if (alloc) {
3251                 *buffer = context;
3252                 goto out_nofree;
3253         }
3254         kfree(context);
3255 out_nofree:
3256         return error;
3257 }
3258 
3259 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3260                                      const void *value, size_t size, int flags)
3261 {
3262         struct inode_security_struct *isec = inode_security_novalidate(inode);
3263         u32 newsid;
3264         int rc;
3265 
3266         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3267                 return -EOPNOTSUPP;
3268 
3269         if (!value || !size)
3270                 return -EACCES;
3271 
3272         rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3273         if (rc)
3274                 return rc;
3275 
3276         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3277         isec->sid = newsid;
3278         isec->initialized = LABEL_INITIALIZED;
3279         return 0;
3280 }
3281 
3282 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3283 {
3284         const int len = sizeof(XATTR_NAME_SELINUX);
3285         if (buffer && len <= buffer_size)
3286                 memcpy(buffer, XATTR_NAME_SELINUX, len);
3287         return len;
3288 }
3289 
3290 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3291 {
3292         struct inode_security_struct *isec = inode_security_novalidate(inode);
3293         *secid = isec->sid;
3294 }
3295 
3296 /* file security operations */
3297 
3298 static int selinux_revalidate_file_permission(struct file *file, int mask)
3299 {
3300         const struct cred *cred = current_cred();
3301         struct inode *inode = file_inode(file);
3302 
3303         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3304         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3305                 mask |= MAY_APPEND;
3306 
3307         return file_has_perm(cred, file,
3308                              file_mask_to_av(inode->i_mode, mask));
3309 }
3310 
3311 static int selinux_file_permission(struct file *file, int mask)
3312 {
3313         struct inode *inode = file_inode(file);
3314         struct file_security_struct *fsec = file->f_security;
3315         struct inode_security_struct *isec;
3316         u32 sid = current_sid();
3317 
3318         if (!mask)
3319                 /* No permission to check.  Existence test. */
3320                 return 0;
3321 
3322         isec = inode_security(inode);
3323         if (sid == fsec->sid && fsec->isid == isec->sid &&
3324             fsec->pseqno == avc_policy_seqno())
3325                 /* No change since file_open check. */
3326                 return 0;
3327 
3328         return selinux_revalidate_file_permission(file, mask);
3329 }
3330 
3331 static int selinux_file_alloc_security(struct file *file)
3332 {
3333         return file_alloc_security(file);
3334 }
3335 
3336 static void selinux_file_free_security(struct file *file)
3337 {
3338         file_free_security(file);
3339 }
3340 
3341 /*
3342  * Check whether a task has the ioctl permission and cmd
3343  * operation to an inode.
3344  */
3345 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3346                 u32 requested, u16 cmd)
3347 {
3348         struct common_audit_data ad;
3349         struct file_security_struct *fsec = file->f_security;
3350         struct inode *inode = file_inode(file);
3351         struct inode_security_struct *isec;
3352         struct lsm_ioctlop_audit ioctl;
3353         u32 ssid = cred_sid(cred);
3354         int rc;
3355         u8 driver = cmd >> 8;
3356         u8 xperm = cmd & 0xff;
3357 
3358         ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3359         ad.u.op = &ioctl;
3360         ad.u.op->cmd = cmd;
3361         ad.u.op->path = file->f_path;
3362 
3363         if (ssid != fsec->sid) {
3364                 rc = avc_has_perm(ssid, fsec->sid,
3365                                 SECCLASS_FD,
3366                                 FD__USE,
3367                                 &ad);
3368                 if (rc)
3369                         goto out;
3370         }
3371 
3372         if (unlikely(IS_PRIVATE(inode)))
3373                 return 0;
3374 
3375         isec = inode_security(inode);
3376         rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3377                         requested, driver, xperm, &ad);
3378 out:
3379         return rc;
3380 }
3381 
3382 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3383                               unsigned long arg)
3384 {
3385         const struct cred *cred = current_cred();
3386         int error = 0;
3387 
3388         switch (cmd) {
3389         case FIONREAD:
3390         /* fall through */
3391         case FIBMAP:
3392         /* fall through */
3393         case FIGETBSZ:
3394         /* fall through */
3395         case FS_IOC_GETFLAGS:
3396         /* fall through */
3397         case FS_IOC_GETVERSION:
3398                 error = file_has_perm(cred, file, FILE__GETATTR);
3399                 break;
3400 
3401         case FS_IOC_SETFLAGS:
3402         /* fall through */
3403         case FS_IOC_SETVERSION:
3404                 error = file_has_perm(cred, file, FILE__SETATTR);
3405                 break;
3406 
3407         /* sys_ioctl() checks */
3408         case FIONBIO:
3409         /* fall through */
3410         case FIOASYNC:
3411                 error = file_has_perm(cred, file, 0);
3412                 break;
3413 
3414         case KDSKBENT:
3415         case KDSKBSENT:
3416                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3417                                             SECURITY_CAP_AUDIT, true);
3418                 break;
3419 
3420         /* default case assumes that the command will go
3421          * to the file's ioctl() function.
3422          */
3423         default:
3424                 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3425         }
3426         return error;
3427 }
3428 
3429 static int default_noexec;
3430 
3431 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3432 {
3433         const struct cred *cred = current_cred();
3434         int rc = 0;
3435 
3436         if (default_noexec &&
3437             (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3438                                    (!shared && (prot & PROT_WRITE)))) {
3439                 /*
3440                  * We are making executable an anonymous mapping or a
3441                  * private file mapping that will also be writable.
3442                  * This has an additional check.
3443                  */
3444                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3445                 if (rc)
3446                         goto error;
3447         }
3448 
3449         if (file) {
3450                 /* read access is always possible with a mapping */
3451                 u32 av = FILE__READ;
3452 
3453                 /* write access only matters if the mapping is shared */
3454                 if (shared && (prot & PROT_WRITE))
3455                         av |= FILE__WRITE;
3456 
3457                 if (prot & PROT_EXEC)
3458                         av |= FILE__EXECUTE;
3459 
3460                 return file_has_perm(cred, file, av);
3461         }
3462 
3463 error:
3464         return rc;
3465 }
3466 
3467 static int selinux_mmap_addr(unsigned long addr)
3468 {
3469         int rc = 0;
3470 
3471         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3472                 u32 sid = current_sid();
3473                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3474                                   MEMPROTECT__MMAP_ZERO, NULL);
3475         }
3476 
3477         return rc;
3478 }
3479 
3480 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3481                              unsigned long prot, unsigned long flags)
3482 {
3483         if (selinux_checkreqprot)
3484                 prot = reqprot;
3485 
3486         return file_map_prot_check(file, prot,
3487                                    (flags & MAP_TYPE) == MAP_SHARED);
3488 }
3489 
3490 static int selinux_file_mprotect(struct vm_area_struct *vma,
3491                                  unsigned long reqprot,
3492                                  unsigned long prot)
3493 {
3494         const struct cred *cred = current_cred();
3495 
3496         if (selinux_checkreqprot)
3497                 prot = reqprot;
3498 
3499         if (default_noexec &&
3500             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3501                 int rc = 0;
3502                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3503                     vma->vm_end <= vma->vm_mm->brk) {
3504                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3505                 } else if (!vma->vm_file &&
3506                            ((vma->vm_start <= vma->vm_mm->start_stack &&
3507                              vma->vm_end >= vma->vm_mm->start_stack) ||
3508                             vma_is_stack_for_task(vma, current))) {
3509                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3510                 } else if (vma->vm_file && vma->anon_vma) {
3511                         /*
3512                          * We are making executable a file mapping that has
3513                          * had some COW done. Since pages might have been
3514                          * written, check ability to execute the possibly
3515                          * modified content.  This typically should only
3516                          * occur for text relocations.
3517                          */
3518                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3519                 }
3520                 if (rc)
3521                         return rc;
3522         }
3523 
3524         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3525 }
3526 
3527 static int selinux_file_lock(struct file *file, unsigned int cmd)
3528 {
3529         const struct cred *cred = current_cred();
3530 
3531         return file_has_perm(cred, file, FILE__LOCK);
3532 }
3533 
3534 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3535                               unsigned long arg)
3536 {
3537         const struct cred *cred = current_cred();
3538         int err = 0;
3539 
3540         switch (cmd) {
3541         case F_SETFL:
3542                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3543                         err = file_has_perm(cred, file, FILE__WRITE);
3544                         break;
3545                 }
3546                 /* fall through */
3547         case F_SETOWN:
3548         case F_SETSIG:
3549         case F_GETFL:
3550         case F_GETOWN:
3551         case F_GETSIG:
3552         case F_GETOWNER_UIDS:
3553                 /* Just check FD__USE permission */
3554                 err = file_has_perm(cred, file, 0);
3555                 break;
3556         case F_GETLK:
3557         case F_SETLK:
3558         case F_SETLKW:
3559         case F_OFD_GETLK:
3560         case F_OFD_SETLK:
3561         case F_OFD_SETLKW:
3562 #if BITS_PER_LONG == 32
3563         case F_GETLK64:
3564         case F_SETLK64:
3565         case F_SETLKW64:
3566 #endif
3567                 err = file_has_perm(cred, file, FILE__LOCK);
3568                 break;
3569         }
3570 
3571         return err;
3572 }
3573 
3574 static void selinux_file_set_fowner(struct file *file)
3575 {
3576         struct file_security_struct *fsec;
3577 
3578         fsec = file->f_security;
3579         fsec->fown_sid = current_sid();
3580 }
3581 
3582 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3583                                        struct fown_struct *fown, int signum)
3584 {
3585         struct file *file;
3586         u32 sid = task_sid(tsk);
3587         u32 perm;
3588         struct file_security_struct *fsec;
3589 
3590         /* struct fown_struct is never outside the context of a struct file */
3591         file = container_of(fown, struct file, f_owner);
3592 
3593         fsec = file->f_security;
3594 
3595         if (!signum)
3596                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3597         else
3598                 perm = signal_to_av(signum);
3599 
3600         return avc_has_perm(fsec->fown_sid, sid,
3601                             SECCLASS_PROCESS, perm, NULL);
3602 }
3603 
3604 static int selinux_file_receive(struct file *file)
3605 {
3606         const struct cred *cred = current_cred();
3607 
3608         return file_has_perm(cred, file, file_to_av(file));
3609 }
3610 
3611 static int selinux_file_open(struct file *file, const struct cred *cred)
3612 {
3613         struct file_security_struct *fsec;
3614         struct inode_security_struct *isec;
3615 
3616         fsec = file->f_security;
3617         isec = inode_security(file_inode(file));
3618         /*
3619          * Save inode label and policy sequence number
3620          * at open-time so that selinux_file_permission
3621          * can determine whether revalidation is necessary.
3622          * Task label is already saved in the file security
3623          * struct as its SID.
3624          */
3625         fsec->isid = isec->sid;
3626         fsec->pseqno = avc_policy_seqno();
3627         /*
3628          * Since the inode label or policy seqno may have changed
3629          * between the selinux_inode_permission check and the saving
3630          * of state above, recheck that access is still permitted.
3631          * Otherwise, access might never be revalidated against the
3632          * new inode label or new policy.
3633          * This check is not redundant - do not remove.
3634          */
3635         return file_path_has_perm(cred, file, open_file_to_av(file));
3636 }
3637 
3638 /* task security operations */
3639 
3640 static int selinux_task_create(unsigned long clone_flags)
3641 {
3642         return current_has_perm(current, PROCESS__FORK);
3643 }
3644 
3645 /*
3646  * allocate the SELinux part of blank credentials
3647  */
3648 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3649 {
3650         struct task_security_struct *tsec;
3651 
3652         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3653         if (!tsec)
3654                 return -ENOMEM;
3655 
3656         cred->security = tsec;
3657         return 0;
3658 }
3659 
3660 /*
3661  * detach and free the LSM part of a set of credentials
3662  */
3663 static void selinux_cred_free(struct cred *cred)
3664 {
3665         struct task_security_struct *tsec = cred->security;
3666 
3667         /*
3668          * cred->security == NULL if security_cred_alloc_blank() or
3669          * security_prepare_creds() returned an error.
3670          */
3671         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3672         cred->security = (void *) 0x7UL;
3673         kfree(tsec);
3674 }
3675 
3676 /*
3677  * prepare a new set of credentials for modification
3678  */
3679 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3680                                 gfp_t gfp)
3681 {
3682         const struct task_security_struct *old_tsec;
3683         struct task_security_struct *tsec;
3684 
3685         old_tsec = old->security;
3686 
3687         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3688         if (!tsec)
3689                 return -ENOMEM;
3690 
3691         new->security = tsec;
3692         return 0;
3693 }
3694 
3695 /*
3696  * transfer the SELinux data to a blank set of creds
3697  */
3698 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3699 {
3700         const struct task_security_struct *old_tsec = old->security;
3701         struct task_security_struct *tsec = new->security;
3702 
3703         *tsec = *old_tsec;
3704 }
3705 
3706 /*
3707  * set the security data for a kernel service
3708  * - all the creation contexts are set to unlabelled
3709  */
3710 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3711 {
3712         struct task_security_struct *tsec = new->security;
3713         u32 sid = current_sid();
3714         int ret;
3715 
3716         ret = avc_has_perm(sid, secid,
3717                            SECCLASS_KERNEL_SERVICE,
3718                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3719                            NULL);
3720         if (ret == 0) {
3721                 tsec->sid = secid;
3722                 tsec->create_sid = 0;
3723                 tsec->keycreate_sid = 0;
3724                 tsec->sockcreate_sid = 0;
3725         }
3726         return ret;
3727 }
3728 
3729 /*
3730  * set the file creation context in a security record to the same as the
3731  * objective context of the specified inode
3732  */
3733 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3734 {
3735         struct inode_security_struct *isec = inode_security(inode);
3736         struct task_security_struct *tsec = new->security;
3737         u32 sid = current_sid();
3738         int ret;
3739 
3740         ret = avc_has_perm(sid, isec->sid,
3741                            SECCLASS_KERNEL_SERVICE,
3742                            KERNEL_SERVICE__CREATE_FILES_AS,
3743                            NULL);
3744 
3745         if (ret == 0)
3746                 tsec->create_sid = isec->sid;
3747         return ret;
3748 }
3749 
3750 static int selinux_kernel_module_request(char *kmod_name)
3751 {
3752         u32 sid;
3753         struct common_audit_data ad;
3754 
3755         sid = task_sid(current);
3756 
3757         ad.type = LSM_AUDIT_DATA_KMOD;
3758         ad.u.kmod_name = kmod_name;
3759 
3760         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3761                             SYSTEM__MODULE_REQUEST, &ad);
3762 }
3763 
3764 static int selinux_kernel_module_from_file(struct file *file)
3765 {
3766         struct common_audit_data ad;
3767         struct inode_security_struct *isec;
3768         struct file_security_struct *fsec;
3769         u32 sid = current_sid();
3770         int rc;
3771 
3772         /* init_module */
3773         if (file == NULL)
3774                 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3775                                         SYSTEM__MODULE_LOAD, NULL);
3776 
3777         /* finit_module */
3778 
3779         ad.type = LSM_AUDIT_DATA_PATH;
3780         ad.u.path = file->f_path;
3781 
3782         fsec = file->f_security;
3783         if (sid != fsec->sid) {
3784                 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3785                 if (rc)
3786                         return rc;
3787         }
3788 
3789         isec = inode_security(file_inode(file));
3790         return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3791                                 SYSTEM__MODULE_LOAD, &ad);
3792 }
3793 
3794 static int selinux_kernel_read_file(struct file *file,
3795                                     enum kernel_read_file_id id)
3796 {
3797         int rc = 0;
3798 
3799         switch (id) {
3800         case READING_MODULE:
3801                 rc = selinux_kernel_module_from_file(file);
3802                 break;
3803         default:
3804                 break;
3805         }
3806 
3807         return rc;
3808 }
3809 
3810 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3811 {
3812         return current_has_perm(p, PROCESS__SETPGID);
3813 }
3814 
3815 static int selinux_task_getpgid(struct task_struct *p)
3816 {
3817         return current_has_perm(p, PROCESS__GETPGID);
3818 }
3819 
3820 static int selinux_task_getsid(struct task_struct *p)
3821 {
3822         return current_has_perm(p, PROCESS__GETSESSION);
3823 }
3824 
3825 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3826 {
3827         *secid = task_sid(p);
3828 }
3829 
3830 static int selinux_task_setnice(struct task_struct *p, int nice)
3831 {
3832         return current_has_perm(p, PROCESS__SETSCHED);
3833 }
3834 
3835 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3836 {
3837         return current_has_perm(p, PROCESS__SETSCHED);
3838 }
3839 
3840 static int selinux_task_getioprio(struct task_struct *p)
3841 {
3842         return current_has_perm(p, PROCESS__GETSCHED);
3843 }
3844 
3845 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3846                 struct rlimit *new_rlim)
3847 {
3848         struct rlimit *old_rlim = p->signal->rlim + resource;
3849 
3850         /* Control the ability to change the hard limit (whether
3851            lowering or raising it), so that the hard limit can
3852            later be used as a safe reset point for the soft limit
3853            upon context transitions.  See selinux_bprm_committing_creds. */
3854         if (old_rlim->rlim_max != new_rlim->rlim_max)
3855                 return current_has_perm(p, PROCESS__SETRLIMIT);
3856 
3857         return 0;
3858 }
3859 
3860 static int selinux_task_setscheduler(struct task_struct *p)
3861 {
3862         return current_has_perm(p, PROCESS__SETSCHED);
3863 }
3864 
3865 static int selinux_task_getscheduler(struct task_struct *p)
3866 {
3867         return current_has_perm(p, PROCESS__GETSCHED);
3868 }
3869 
3870 static int selinux_task_movememory(struct task_struct *p)
3871 {
3872         return current_has_perm(p, PROCESS__SETSCHED);
3873 }
3874 
3875 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3876                                 int sig, u32 secid)
3877 {
3878         u32 perm;
3879         int rc;
3880 
3881         if (!sig)
3882                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3883         else
3884                 perm = signal_to_av(sig);
3885         if (secid)
3886                 rc = avc_has_perm(secid, task_sid(p),
3887                                   SECCLASS_PROCESS, perm, NULL);
3888         else
3889                 rc = current_has_perm(p, perm);
3890         return rc;
3891 }
3892 
3893 static int selinux_task_wait(struct task_struct *p)
3894 {
3895         return task_has_perm(p, current, PROCESS__SIGCHLD);
3896 }
3897 
3898 static void selinux_task_to_inode(struct task_struct *p,
3899                                   struct inode *inode)
3900 {
3901         struct inode_security_struct *isec = inode->i_security;
3902         u32 sid = task_sid(p);
3903 
3904         isec->sid = sid;
3905         isec->initialized = LABEL_INITIALIZED;
3906 }
3907 
3908 /* Returns error only if unable to parse addresses */
3909 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3910                         struct common_audit_data *ad, u8 *proto)
3911 {
3912         int offset, ihlen, ret = -EINVAL;
3913         struct iphdr _iph, *ih;
3914 
3915         offset = skb_network_offset(skb);
3916         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3917         if (ih == NULL)
3918                 goto out;
3919 
3920         ihlen = ih->ihl * 4;
3921         if (ihlen < sizeof(_iph))
3922                 goto out;
3923 
3924         ad->u.net->v4info.saddr = ih->saddr;
3925         ad->u.net->v4info.daddr = ih->daddr;
3926         ret = 0;
3927 
3928         if (proto)
3929                 *proto = ih->protocol;
3930 
3931         switch (ih->protocol) {
3932         case IPPROTO_TCP: {
3933                 struct tcphdr _tcph, *th;
3934 
3935                 if (ntohs(ih->frag_off) & IP_OFFSET)
3936                         break;
3937 
3938                 offset += ihlen;
3939                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3940                 if (th == NULL)
3941                         break;
3942 
3943                 ad->u.net->sport = th->source;
3944                 ad->u.net->dport = th->dest;
3945                 break;
3946         }
3947 
3948         case IPPROTO_UDP: {
3949                 struct udphdr _udph, *uh;
3950 
3951                 if (ntohs(ih->frag_off) & IP_OFFSET)
3952                         break;
3953 
3954                 offset += ihlen;
3955                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3956                 if (uh == NULL)
3957                         break;
3958 
3959                 ad->u.net->sport = uh->source;
3960                 ad->u.net->dport = uh->dest;
3961                 break;
3962         }
3963 
3964         case IPPROTO_DCCP: {
3965                 struct dccp_hdr _dccph, *dh;
3966 
3967                 if (ntohs(ih->frag_off) & IP_OFFSET)
3968                         break;
3969 
3970                 offset += ihlen;
3971                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3972                 if (dh == NULL)
3973                         break;
3974 
3975                 ad->u.net->sport = dh->dccph_sport;
3976                 ad->u.net->dport = dh->dccph_dport;
3977                 break;
3978         }
3979 
3980         default:
3981                 break;
3982         }
3983 out:
3984         return ret;
3985 }
3986 
3987 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3988 
3989 /* Returns error only if unable to parse addresses */
3990 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3991                         struct common_audit_data *ad, u8 *proto)
3992 {
3993         u8 nexthdr;
3994         int ret = -EINVAL, offset;
3995         struct ipv6hdr _ipv6h, *ip6;
3996         __be16 frag_off;
3997 
3998         offset = skb_network_offset(skb);
3999         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4000         if (ip6 == NULL)
4001                 goto out;
4002 
4003         ad->u.net->v6info.saddr = ip6->saddr;
4004         ad->u.net->v6info.daddr = ip6->daddr;
4005         ret = 0;
4006 
4007         nexthdr = ip6->nexthdr;
4008         offset += sizeof(_ipv6h);
4009         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4010         if (offset < 0)
4011                 goto out;
4012 
4013         if (proto)
4014                 *proto = nexthdr;
4015 
4016         switch (nexthdr) {
4017         case IPPROTO_TCP: {
4018                 struct tcphdr _tcph, *th;
4019 
4020                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4021                 if (th == NULL)
4022                         break;
4023 
4024                 ad->u.net->sport = th->source;
4025                 ad->u.net->dport = th->dest;
4026                 break;
4027         }
4028 
4029         case IPPROTO_UDP: {
4030                 struct udphdr _udph, *uh;
4031 
4032                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4033                 if (uh == NULL)
4034                         break;
4035 
4036                 ad->u.net->sport = uh->source;
4037                 ad->u.net->dport = uh->dest;
4038                 break;
4039         }
4040 
4041         case IPPROTO_DCCP: {
4042                 struct dccp_hdr _dccph, *dh;
4043 
4044                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4045                 if (dh == NULL)
4046                         break;
4047 
4048                 ad->u.net->sport = dh->dccph_sport;
4049                 ad->u.net->dport = dh->dccph_dport;
4050                 break;
4051         }
4052 
4053         /* includes fragments */
4054         default:
4055                 break;
4056         }
4057 out:
4058         return ret;
4059 }
4060 
4061 #endif /* IPV6 */
4062 
4063 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4064                              char **_addrp, int src, u8 *proto)
4065 {
4066         char *addrp;
4067         int ret;
4068 
4069         switch (ad->u.net->family) {
4070         case PF_INET:
4071                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4072                 if (ret)
4073                         goto parse_error;
4074                 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4075                                        &ad->u.net->v4info.daddr);
4076                 goto okay;
4077 
4078 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4079         case PF_INET6:
4080                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4081                 if (ret)
4082                         goto parse_error;
4083                 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4084                                        &ad->u.net->v6info.daddr);
4085                 goto okay;
4086 #endif  /* IPV6 */
4087         default:
4088                 addrp = NULL;
4089                 goto okay;
4090         }
4091 
4092 parse_error:
4093         printk(KERN_WARNING
4094                "SELinux: failure in selinux_parse_skb(),"
4095                " unable to parse packet\n");
4096         return ret;
4097 
4098 okay:
4099         if (_addrp)
4100                 *_addrp = addrp;
4101         return 0;
4102 }
4103 
4104 /**
4105  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4106  * @skb: the packet
4107  * @family: protocol family
4108  * @sid: the packet's peer label SID
4109  *
4110  * Description:
4111  * Check the various different forms of network peer labeling and determine
4112  * the peer label/SID for the packet; most of the magic actually occurs in
4113  * the security server function security_net_peersid_cmp().  The function
4114  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4115  * or -EACCES if @sid is invalid due to inconsistencies with the different
4116  * peer labels.
4117  *
4118  */
4119 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4120 {
4121         int err;
4122         u32 xfrm_sid;
4123         u32 nlbl_sid;
4124         u32 nlbl_type;
4125 
4126         err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4127         if (unlikely(err))
4128                 return -EACCES;
4129         err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4130         if (unlikely(err))
4131                 return -EACCES;
4132 
4133         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4134         if (unlikely(err)) {
4135                 printk(KERN_WARNING
4136                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
4137                        " unable to determine packet's peer label\n");
4138                 return -EACCES;
4139         }
4140 
4141         return 0;
4142 }
4143 
4144 /**
4145  * selinux_conn_sid - Determine the child socket label for a connection
4146  * @sk_sid: the parent socket's SID
4147  * @skb_sid: the packet's SID
4148  * @conn_sid: the resulting connection SID
4149  *
4150  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4151  * combined with the MLS information from @skb_sid in order to create
4152  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4153  * of @sk_sid.  Returns zero on success, negative values on failure.
4154  *
4155  */
4156 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4157 {
4158         int err = 0;
4159 
4160         if (skb_sid != SECSID_NULL)
4161                 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4162         else
4163                 *conn_sid = sk_sid;
4164 
4165         return err;
4166 }
4167 
4168 /* socket security operations */
4169 
4170 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4171                                  u16 secclass, u32 *socksid)
4172 {
4173         if (tsec->sockcreate_sid > SECSID_NULL) {
4174                 *socksid = tsec->sockcreate_sid;
4175                 return 0;
4176         }
4177 
4178         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4179                                        socksid);
4180 }
4181 
4182 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4183 {
4184         struct sk_security_struct *sksec = sk->sk_security;
4185         struct common_audit_data ad;
4186         struct lsm_network_audit net = {0,};
4187         u32 tsid = task_sid(task);
4188 
4189         if (sksec->sid == SECINITSID_KERNEL)
4190                 return 0;
4191 
4192         ad.type = LSM_AUDIT_DATA_NET;
4193         ad.u.net = &net;
4194         ad.u.net->sk = sk;
4195 
4196         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4197 }
4198 
4199 static int selinux_socket_create(int family, int type,
4200                                  int protocol, int kern)
4201 {
4202         const struct task_security_struct *tsec = current_security();
4203         u32 newsid;
4204         u16 secclass;
4205         int rc;
4206 
4207         if (kern)
4208                 return 0;
4209 
4210         secclass = socket_type_to_security_class(family, type, protocol);
4211         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4212         if (rc)
4213                 return rc;
4214 
4215         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4216 }
4217 
4218 static int selinux_socket_post_create(struct socket *sock, int family,
4219                                       int type, int protocol, int kern)
4220 {
4221         const struct task_security_struct *tsec = current_security();
4222         struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4223         struct sk_security_struct *sksec;
4224         int err = 0;
4225 
4226         isec->sclass = socket_type_to_security_class(family, type, protocol);
4227 
4228         if (kern)
4229                 isec->sid = SECINITSID_KERNEL;
4230         else {
4231                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4232                 if (err)
4233                         return err;
4234         }
4235 
4236         isec->initialized = LABEL_INITIALIZED;
4237 
4238         if (sock->sk) {
4239                 sksec = sock->sk->sk_security;
4240                 sksec->sid = isec->sid;
4241                 sksec->sclass = isec->sclass;
4242                 err = selinux_netlbl_socket_post_create(sock->sk, family);
4243         }
4244 
4245         return err;
4246 }
4247 
4248 /* Range of port numbers used to automatically bind.
4249    Need to determine whether we should perform a name_bind
4250    permission check between the socket and the port number. */
4251 
4252 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4253 {
4254         struct sock *sk = sock->sk;
4255         u16 family;
4256         int err;
4257 
4258         err = sock_has_perm(current, sk, SOCKET__BIND);
4259         if (err)
4260                 goto out;
4261 
4262         /*
4263          * If PF_INET or PF_INET6, check name_bind permission for the port.
4264          * Multiple address binding for SCTP is not supported yet: we just
4265          * check the first address now.
4266          */
4267         family = sk->sk_family;
4268         if (family == PF_INET || family == PF_INET6) {
4269                 char *addrp;
4270                 struct sk_security_struct *sksec = sk->sk_security;
4271                 struct common_audit_data ad;
4272                 struct lsm_network_audit net = {0,};
4273                 struct sockaddr_in *addr4 = NULL;
4274                 struct sockaddr_in6 *addr6 = NULL;
4275                 unsigned short snum;
4276                 u32 sid, node_perm;
4277 
4278                 if (family == PF_INET) {
4279                         addr4 = (struct sockaddr_in *)address;
4280                         snum = ntohs(addr4->sin_port);
4281                         addrp = (char *)&addr4->sin_addr.s_addr;
4282                 } else {
4283                         addr6 = (struct sockaddr_in6 *)address;
4284                         snum = ntohs(addr6->sin6_port);
4285                         addrp = (char *)&addr6->sin6_addr.s6_addr;
4286                 }
4287 
4288                 if (snum) {
4289                         int low, high;
4290 
4291                         inet_get_local_port_range(sock_net(sk), &low, &high);
4292 
4293                         if (snum < max(PROT_SOCK, low) || snum > high) {
4294                                 err = sel_netport_sid(sk->sk_protocol,
4295                                                       snum, &sid);
4296                                 if (err)
4297                                         goto out;
4298                                 ad.type = LSM_AUDIT_DATA_NET;
4299                                 ad.u.net = &net;
4300                                 ad.u.net->sport = htons(snum);
4301                                 ad.u.net->family = family;
4302                                 err = avc_has_perm(sksec->sid, sid,
4303                                                    sksec->sclass,
4304                                                    SOCKET__NAME_BIND, &ad);
4305                                 if (err)
4306                                         goto out;
4307                         }
4308                 }
4309 
4310                 switch (sksec->sclass) {
4311                 case SECCLASS_TCP_SOCKET:
4312                         node_perm = TCP_SOCKET__NODE_BIND;
4313                         break;
4314 
4315                 case SECCLASS_UDP_SOCKET:
4316                         node_perm = UDP_SOCKET__NODE_BIND;
4317                         break;
4318 
4319                 case SECCLASS_DCCP_SOCKET:
4320                         node_perm = DCCP_SOCKET__NODE_BIND;
4321                         break;
4322 
4323                 default:
4324                         node_perm = RAWIP_SOCKET__NODE_BIND;
4325                         break;
4326                 }
4327 
4328                 err = sel_netnode_sid(addrp, family, &sid);
4329                 if (err)
4330                         goto out;
4331 
4332                 ad.type = LSM_AUDIT_DATA_NET;
4333                 ad.u.net = &net;
4334                 ad.u.net->sport = htons(snum);
4335                 ad.u.net->family = family;
4336 
4337                 if (family == PF_INET)
4338                         ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4339                 else
4340                         ad.u.net->v6info.saddr = addr6->sin6_addr;
4341 
4342                 err = avc_has_perm(sksec->sid, sid,
4343                                    sksec->sclass, node_perm, &ad);
4344                 if (err)
4345                         goto out;
4346         }
4347 out:
4348         return err;
4349 }
4350 
4351 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4352 {
4353         struct sock *sk = sock->sk;
4354         struct sk_security_struct *sksec = sk->sk_security;
4355         int err;
4356 
4357         err = sock_has_perm(current, sk, SOCKET__CONNECT);
4358         if (err)
4359                 return err;
4360 
4361         /*
4362          * If a TCP or DCCP socket, check name_connect permission for the port.
4363          */
4364         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4365             sksec->sclass == SECCLASS_DCCP_SOCKET) {
4366                 struct common_audit_data ad;
4367                 struct lsm_network_audit net = {0,};
4368                 struct sockaddr_in *addr4 = NULL;
4369                 struct sockaddr_in6 *addr6 = NULL;
4370                 unsigned short snum;
4371                 u32 sid, perm;
4372 
4373                 if (sk->sk_family == PF_INET) {
4374                         addr4 = (struct sockaddr_in *)address;
4375                         if (addrlen < sizeof(struct sockaddr_in))
4376                                 return -EINVAL;
4377                         snum = ntohs(addr4->sin_port);
4378                 } else {
4379                         addr6 = (struct sockaddr_in6 *)address;
4380                         if (addrlen < SIN6_LEN_RFC2133)
4381                                 return -EINVAL;
4382                         snum = ntohs(addr6->sin6_port);
4383                 }
4384 
4385                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4386                 if (err)
4387                         goto out;
4388 
4389                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4390                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4391 
4392                 ad.type = LSM_AUDIT_DATA_NET;
4393                 ad.u.net = &net;
4394                 ad.u.net->dport = htons(snum);
4395                 ad.u.net->family = sk->sk_family;
4396                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4397                 if (err)
4398                         goto out;
4399         }
4400 
4401         err = selinux_netlbl_socket_connect(sk, address);
4402 
4403 out:
4404         return err;
4405 }
4406 
4407 static int selinux_socket_listen(struct socket *sock, int backlog)
4408 {
4409         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4410 }
4411 
4412 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4413 {
4414         int err;
4415         struct inode_security_struct *isec;
4416         struct inode_security_struct *newisec;
4417 
4418         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4419         if (err)
4420                 return err;
4421 
4422         newisec = inode_security_novalidate(SOCK_INODE(newsock));
4423 
4424         isec = inode_security_novalidate(SOCK_INODE(sock));
4425         newisec->sclass = isec->sclass;
4426         newisec->sid = isec->sid;
4427         newisec->initialized = LABEL_INITIALIZED;
4428 
4429         return 0;
4430 }
4431 
4432 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4433                                   int size)
4434 {
4435         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4436 }
4437 
4438 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4439                                   int size, int flags)
4440 {
4441         return sock_has_perm(current, sock->sk, SOCKET__READ);
4442 }
4443 
4444 static int selinux_socket_getsockname(struct socket *sock)
4445 {
4446         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4447 }
4448 
4449 static int selinux_socket_getpeername(struct socket *sock)
4450 {
4451         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4452 }
4453 
4454 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4455 {
4456         int err;
4457 
4458         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4459         if (err)
4460                 return err;
4461 
4462         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4463 }
4464 
4465 static int selinux_socket_getsockopt(struct socket *sock, int level,
4466                                      int optname)
4467 {
4468         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4469 }
4470 
4471 static int selinux_socket_shutdown(struct socket *sock, int how)
4472 {
4473         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4474 }
4475 
4476 static int selinux_socket_unix_stream_connect(struct sock *sock,
4477                                               struct sock *other,
4478                                               struct sock *newsk)
4479 {
4480         struct sk_security_struct *sksec_sock = sock->sk_security;
4481         struct sk_security_struct *sksec_other = other->sk_security;
4482         struct sk_security_struct *sksec_new = newsk->sk_security;
4483         struct common_audit_data ad;
4484         struct lsm_network_audit net = {0,};
4485         int err;
4486 
4487         ad.type = LSM_AUDIT_DATA_NET;
4488         ad.u.net = &net;
4489         ad.u.net->sk = other;
4490 
4491         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4492                            sksec_other->sclass,
4493                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4494         if (err)
4495                 return err;
4496 
4497         /* server child socket */
4498         sksec_new->peer_sid = sksec_sock->sid;
4499         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4500                                     &sksec_new->sid);
4501         if (err)
4502                 return err;
4503 
4504         /* connecting socket */
4505         sksec_sock->peer_sid = sksec_new->sid;
4506 
4507         return 0;
4508 }
4509 
4510 static int selinux_socket_unix_may_send(struct socket *sock,
4511                                         struct socket *other)
4512 {
4513         struct sk_security_struct *ssec = sock->sk->sk_security;
4514         struct sk_security_struct *osec = other->sk->sk_security;
4515         struct common_audit_data ad;
4516         struct lsm_network_audit net = {0,};
4517 
4518         ad.type = LSM_AUDIT_DATA_NET;
4519         ad.u.net = &net;
4520         ad.u.net->sk = other->sk;
4521 
4522         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4523                             &ad);
4524 }
4525 
4526 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4527                                     char *addrp, u16 family, u32 peer_sid,
4528                                     struct common_audit_data *ad)
4529 {
4530         int err;
4531         u32 if_sid;
4532         u32 node_sid;
4533 
4534         err = sel_netif_sid(ns, ifindex, &if_sid);
4535         if (err)
4536                 return err;
4537         err = avc_has_perm(peer_sid, if_sid,
4538                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4539         if (err)
4540                 return err;
4541 
4542         err = sel_netnode_sid(addrp, family, &node_sid);
4543         if (err)
4544                 return err;
4545         return avc_has_perm(peer_sid, node_sid,
4546                             SECCLASS_NODE, NODE__RECVFROM, ad);
4547 }
4548 
4549 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4550                                        u16 family)
4551 {
4552         int err = 0;
4553         struct sk_security_struct *sksec = sk->sk_security;
4554         u32 sk_sid = sksec->sid;
4555         struct common_audit_data ad;
4556         struct lsm_network_audit net = {0,};
4557         char *addrp;
4558 
4559         ad.type = LSM_AUDIT_DATA_NET;
4560         ad.u.net = &net;
4561         ad.u.net->netif = skb->skb_iif;
4562         ad.u.net->family = family;
4563         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4564         if (err)
4565                 return err;
4566 
4567         if (selinux_secmark_enabled()) {
4568                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4569                                    PACKET__RECV, &ad);
4570                 if (err)
4571                         return err;
4572         }
4573 
4574         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4575         if (err)
4576                 return err;
4577         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4578 
4579         return err;
4580 }
4581 
4582 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4583 {
4584         int err;
4585         struct sk_security_struct *sksec = sk->sk_security;
4586         u16 family = sk->sk_family;
4587         u32 sk_sid = sksec->sid;
4588         struct common_audit_data ad;
4589         struct lsm_network_audit net = {0,};
4590         char *addrp;
4591         u8 secmark_active;
4592         u8 peerlbl_active;
4593 
4594         if (family != PF_INET && family != PF_INET6)
4595                 return 0;
4596 
4597         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4598         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4599                 family = PF_INET;
4600 
4601         /* If any sort of compatibility mode is enabled then handoff processing
4602          * to the selinux_sock_rcv_skb_compat() function to deal with the
4603          * special handling.  We do this in an attempt to keep this function
4604          * as fast and as clean as possible. */
4605         if (!selinux_policycap_netpeer)
4606                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4607 
4608         secmark_active = selinux_secmark_enabled();
4609         peerlbl_active = selinux_peerlbl_enabled();
4610         if (!secmark_active && !peerlbl_active)
4611                 return 0;
4612 
4613         ad.type = LSM_AUDIT_DATA_NET;
4614         ad.u.net = &net;
4615         ad.u.net->netif = skb->skb_iif;
4616         ad.u.net->family = family;
4617         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4618         if (err)
4619                 return err;
4620 
4621         if (peerlbl_active) {
4622                 u32 peer_sid;
4623 
4624                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4625                 if (err)
4626                         return err;
4627                 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4628                                                addrp, family, peer_sid, &ad);
4629                 if (err) {
4630                         selinux_netlbl_err(skb, family, err, 0);
4631                         return err;
4632                 }
4633                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4634                                    PEER__RECV, &ad);
4635                 if (err) {
4636                         selinux_netlbl_err(skb, family, err, 0);
4637                         return err;
4638                 }
4639         }
4640 
4641         if (secmark_active) {
4642                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4643                                    PACKET__RECV, &ad);
4644                 if (err)
4645                         return err;
4646         }
4647 
4648         return err;
4649 }
4650 
4651 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4652                                             int __user *optlen, unsigned len)
4653 {
4654         int err = 0;
4655         char *scontext;
4656         u32 scontext_len;
4657         struct sk_security_struct *sksec = sock->sk->sk_security;
4658         u32 peer_sid = SECSID_NULL;
4659 
4660         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4661             sksec->sclass == SECCLASS_TCP_SOCKET)
4662                 peer_sid = sksec->peer_sid;
4663         if (peer_sid == SECSID_NULL)
4664                 return -ENOPROTOOPT;
4665 
4666         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4667         if (err)
4668                 return err;
4669 
4670         if (scontext_len > len) {
4671                 err = -ERANGE;
4672                 goto out_len;
4673         }
4674 
4675         if (copy_to_user(optval, scontext, scontext_len))
4676                 err = -EFAULT;
4677 
4678 out_len:
4679         if (put_user(scontext_len, optlen))
4680                 err = -EFAULT;
4681         kfree(scontext);
4682         return err;
4683 }
4684 
4685 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4686 {
4687         u32 peer_secid = SECSID_NULL;
4688         u16 family;
4689         struct inode_security_struct *isec;
4690 
4691         if (skb && skb->protocol == htons(ETH_P_IP))
4692                 family = PF_INET;
4693         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4694                 family = PF_INET6;
4695         else if (sock)
4696                 family = sock->sk->sk_family;
4697         else
4698                 goto out;
4699 
4700         if (sock && family == PF_UNIX) {
4701                 isec = inode_security_novalidate(SOCK_INODE(sock));
4702                 peer_secid = isec->sid;
4703         } else if (skb)
4704                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4705 
4706 out:
4707         *secid = peer_secid;
4708         if (peer_secid == SECSID_NULL)
4709                 return -EINVAL;
4710         return 0;
4711 }
4712 
4713 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4714 {
4715         struct sk_security_struct *sksec;
4716 
4717         sksec = kzalloc(sizeof(*sksec), priority);
4718         if (!sksec)
4719                 return -ENOMEM;
4720 
4721         sksec->peer_sid = SECINITSID_UNLABELED;
4722         sksec->sid = SECINITSID_UNLABELED;
4723         sksec->sclass = SECCLASS_SOCKET;
4724         selinux_netlbl_sk_security_reset(sksec);
4725         sk->sk_security = sksec;
4726 
4727         return 0;
4728 }
4729 
4730 static void selinux_sk_free_security(struct sock *sk)
4731 {
4732         struct sk_security_struct *sksec = sk->sk_security;
4733 
4734         sk->sk_security = NULL;
4735         selinux_netlbl_sk_security_free(sksec);
4736         kfree(sksec);
4737 }
4738 
4739 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4740 {
4741         struct sk_security_struct *sksec = sk->sk_security;
4742         struct sk_security_struct *newsksec = newsk->sk_security;
4743 
4744         newsksec->sid = sksec->sid;
4745         newsksec->peer_sid = sksec->peer_sid;
4746         newsksec->sclass = sksec->sclass;
4747 
4748         selinux_netlbl_sk_security_reset(newsksec);
4749 }
4750 
4751 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4752 {
4753         if (!sk)
4754                 *secid = SECINITSID_ANY_SOCKET;
4755         else {
4756                 struct sk_security_struct *sksec = sk->sk_security;
4757 
4758                 *secid = sksec->sid;
4759         }
4760 }
4761 
4762 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4763 {
4764         struct inode_security_struct *isec =
4765                 inode_security_novalidate(SOCK_INODE(parent));
4766         struct sk_security_struct *sksec = sk->sk_security;
4767 
4768         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4769             sk->sk_family == PF_UNIX)
4770                 isec->sid = sksec->sid;
4771         sksec->sclass = isec->sclass;
4772 }
4773 
4774 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4775                                      struct request_sock *req)
4776 {
4777         struct sk_security_struct *sksec = sk->sk_security;
4778         int err;
4779         u16 family = req->rsk_ops->family;
4780         u32 connsid;
4781         u32 peersid;
4782 
4783         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4784         if (err)
4785                 return err;
4786         err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4787         if (err)
4788                 return err;
4789         req->secid = connsid;
4790         req->peer_secid = peersid;
4791 
4792         return selinux_netlbl_inet_conn_request(req, family);
4793 }
4794 
4795 static void selinux_inet_csk_clone(struct sock *newsk,
4796                                    const struct request_sock *req)
4797 {
4798         struct sk_security_struct *newsksec = newsk->sk_security;
4799 
4800         newsksec->sid = req->secid;
4801         newsksec->peer_sid = req->peer_secid;
4802         /* NOTE: Ideally, we should also get the isec->sid for the
4803            new socket in sync, but we don't have the isec available yet.
4804            So we will wait until sock_graft to do it, by which
4805            time it will have been created and available. */
4806 
4807         /* We don't need to take any sort of lock here as we are the only
4808          * thread with access to newsksec */
4809         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4810 }
4811 
4812 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4813 {
4814         u16 family = sk->sk_family;
4815         struct sk_security_struct *sksec = sk->sk_security;
4816 
4817         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4818         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4819                 family = PF_INET;
4820 
4821         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4822 }
4823 
4824 static int selinux_secmark_relabel_packet(u32 sid)
4825 {
4826         const struct task_security_struct *__tsec;
4827         u32 tsid;
4828 
4829         __tsec = current_security();
4830         tsid = __tsec->sid;
4831 
4832         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4833 }
4834 
4835 static void selinux_secmark_refcount_inc(void)
4836 {
4837         atomic_inc(&selinux_secmark_refcount);
4838 }
4839 
4840 static void selinux_secmark_refcount_dec(void)
4841 {
4842         atomic_dec(&selinux_secmark_refcount);
4843 }
4844 
4845 static void selinux_req_classify_flow(const struct request_sock *req,
4846                                       struct flowi *fl)
4847 {
4848         fl->flowi_secid = req->secid;
4849 }
4850 
4851 static int selinux_tun_dev_alloc_security(void **security)
4852 {
4853         struct tun_security_struct *tunsec;
4854 
4855         tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4856         if (!tunsec)
4857                 return -ENOMEM;
4858         tunsec->sid = current_sid();
4859 
4860         *security = tunsec;
4861         return 0;
4862 }
4863 
4864 static void selinux_tun_dev_free_security(void *security)
4865 {
4866         kfree(security);
4867 }
4868 
4869 static int selinux_tun_dev_create(void)
4870 {
4871         u32 sid = current_sid();
4872 
4873         /* we aren't taking into account the "sockcreate" SID since the socket
4874          * that is being created here is not a socket in the traditional sense,
4875          * instead it is a private sock, accessible only to the kernel, and
4876          * representing a wide range of network traffic spanning multiple
4877          * connections unlike traditional sockets - check the TUN driver to
4878          * get a better understanding of why this socket is special */
4879 
4880         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4881                             NULL);
4882 }
4883 
4884 static int selinux_tun_dev_attach_queue(void *security)
4885 {
4886         struct tun_security_struct *tunsec = security;
4887 
4888         return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4889                             TUN_SOCKET__ATTACH_QUEUE, NULL);
4890 }
4891 
4892 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4893 {
4894         struct tun_security_struct *tunsec = security;
4895         struct sk_security_struct *sksec = sk->sk_security;
4896 
4897         /* we don't currently perform any NetLabel based labeling here and it
4898          * isn't clear that we would want to do so anyway; while we could apply
4899          * labeling without the support of the TUN user the resulting labeled
4900          * traffic from the other end of the connection would almost certainly
4901          * cause confusion to the TUN user that had no idea network labeling
4902          * protocols were being used */
4903 
4904         sksec->sid = tunsec->sid;
4905         sksec->sclass = SECCLASS_TUN_SOCKET;
4906 
4907         return 0;
4908 }
4909 
4910 static int selinux_tun_dev_open(void *security)
4911 {
4912         struct tun_security_struct *tunsec = security;
4913         u32 sid = current_sid();
4914         int err;
4915 
4916         err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4917                            TUN_SOCKET__RELABELFROM, NULL);
4918         if (err)
4919                 return err;
4920         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4921                            TUN_SOCKET__RELABELTO, NULL);
4922         if (err)
4923                 return err;
4924         tunsec->sid = sid;
4925 
4926         return 0;
4927 }
4928 
4929 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4930 {
4931         int err = 0;
4932         u32 perm;
4933         struct nlmsghdr *nlh;
4934         struct sk_security_struct *sksec = sk->sk_security;
4935 
4936         if (skb->len < NLMSG_HDRLEN) {
4937                 err = -EINVAL;
4938                 goto out;
4939         }
4940         nlh = nlmsg_hdr(skb);
4941 
4942         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4943         if (err) {
4944                 if (err == -EINVAL) {
4945                         pr_warn_ratelimited("SELinux: unrecognized netlink"
4946                                " message: protocol=%hu nlmsg_type=%hu sclass=%s"
4947                                " pig=%d comm=%s\n",
4948                                sk->sk_protocol, nlh->nlmsg_type,
4949                                secclass_map[sksec->sclass - 1].name,
4950                                task_pid_nr(current), current->comm);
4951                         if (!selinux_enforcing || security_get_allow_unknown())
4952                                 err = 0;
4953                 }
4954 
4955                 /* Ignore */
4956                 if (err == -ENOENT)
4957                         err = 0;
4958                 goto out;
4959         }
4960 
4961         err = sock_has_perm(current, sk, perm);
4962 out:
4963         return err;
4964 }
4965 
4966 #ifdef CONFIG_NETFILTER
4967 
4968 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4969                                        const struct net_device *indev,
4970                                        u16 family)
4971 {
4972         int err;
4973         char *addrp;
4974         u32 peer_sid;
4975         struct common_audit_data ad;
4976         struct lsm_network_audit net = {0,};
4977         u8 secmark_active;
4978         u8 netlbl_active;
4979         u8 peerlbl_active;
4980 
4981         if (!selinux_policycap_netpeer)
4982                 return NF_ACCEPT;
4983 
4984         secmark_active = selinux_secmark_enabled();
4985         netlbl_active = netlbl_enabled();
4986         peerlbl_active = selinux_peerlbl_enabled();
4987         if (!secmark_active && !peerlbl_active)
4988                 return NF_ACCEPT;
4989 
4990         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4991                 return NF_DROP;
4992 
4993         ad.type = LSM_AUDIT_DATA_NET;
4994         ad.u.net = &net;
4995         ad.u.net->netif = indev->ifindex;
4996         ad.u.net->family = family;
4997         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4998                 return NF_DROP;
4999 
5000         if (peerlbl_active) {
5001                 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5002                                                addrp, family, peer_sid, &ad);
5003                 if (err) {
5004                         selinux_netlbl_err(skb, family, err, 1);
5005                         return NF_DROP;
5006                 }
5007         }
5008 
5009         if (secmark_active)
5010                 if (avc_has_perm(peer_sid, skb->secmark,
5011                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5012                         return NF_DROP;
5013 
5014         if (netlbl_active)
5015                 /* we do this in the FORWARD path and not the POST_ROUTING
5016                  * path because we want to make sure we apply the necessary
5017                  * labeling before IPsec is applied so we can leverage AH
5018                  * protection */
5019                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5020                         return NF_DROP;
5021 
5022         return NF_ACCEPT;
5023 }
5024 
5025 static unsigned int selinux_ipv4_forward(void *priv,
5026                                          struct sk_buff *skb,
5027                                          const struct nf_hook_state *state)
5028 {
5029         return selinux_ip_forward(skb, state->in, PF_INET);
5030 }
5031 
5032 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5033 static unsigned int selinux_ipv6_forward(void *priv,
5034                                          struct sk_buff *skb,
5035                                          const struct nf_hook_state *state)
5036 {
5037         return selinux_ip_forward(skb, state->in, PF_INET6);
5038 }
5039 #endif  /* IPV6 */
5040 
5041 static unsigned int selinux_ip_output(struct sk_buff *skb,
5042                                       u16 family)
5043 {
5044         struct sock *sk;
5045         u32 sid;
5046 
5047         if (!netlbl_enabled())
5048                 return NF_ACCEPT;
5049 
5050         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5051          * because we want to make sure we apply the necessary labeling
5052          * before IPsec is applied so we can leverage AH protection */
5053         sk = skb->sk;
5054         if (sk) {
5055                 struct sk_security_struct *sksec;
5056 
5057                 if (sk_listener(sk))
5058                         /* if the socket is the listening state then this
5059                          * packet is a SYN-ACK packet which means it needs to
5060                          * be labeled based on the connection/request_sock and
5061                          * not the parent socket.  unfortunately, we can't
5062                          * lookup the request_sock yet as it isn't queued on
5063                          * the parent socket until after the SYN-ACK is sent.
5064                          * the "solution" is to simply pass the packet as-is
5065                          * as any IP option based labeling should be copied
5066                          * from the initial connection request (in the IP
5067                          * layer).  it is far from ideal, but until we get a
5068                          * security label in the packet itself this is the
5069                          * best we can do. */
5070                         return NF_ACCEPT;
5071 
5072                 /* standard practice, label using the parent socket */
5073                 sksec = sk->sk_security;
5074                 sid = sksec->sid;
5075         } else
5076                 sid = SECINITSID_KERNEL;
5077         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5078                 return NF_DROP;
5079 
5080         return NF_ACCEPT;
5081 }
5082 
5083 static unsigned int selinux_ipv4_output(void *priv,
5084                                         struct sk_buff *skb,
5085                                         const struct nf_hook_state *state)
5086 {
5087         return selinux_ip_output(skb, PF_INET);
5088 }
5089 
5090 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5091 static unsigned int selinux_ipv6_output(void *priv,
5092                                         struct sk_buff *skb,
5093                                         const struct nf_hook_state *state)
5094 {
5095         return selinux_ip_output(skb, PF_INET6);
5096 }
5097 #endif  /* IPV6 */
5098 
5099 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5100                                                 int ifindex,
5101                                                 u16 family)
5102 {
5103         struct sock *sk = skb_to_full_sk(skb);
5104         struct sk_security_struct *sksec;
5105         struct common_audit_data ad;
5106         struct lsm_network_audit net = {0,};
5107         char *addrp;
5108         u8 proto;
5109 
5110         if (sk == NULL)
5111                 return NF_ACCEPT;
5112         sksec = sk->sk_security;
5113 
5114         ad.type = LSM_AUDIT_DATA_NET;
5115         ad.u.net = &net;
5116         ad.u.net->netif = ifindex;
5117         ad.u.net->family = family;
5118         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5119                 return NF_DROP;
5120 
5121         if (selinux_secmark_enabled())
5122                 if (avc_has_perm(sksec->sid, skb->secmark,
5123                                  SECCLASS_PACKET, PACKET__SEND, &ad))
5124                         return NF_DROP_ERR(-ECONNREFUSED);
5125 
5126         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5127                 return NF_DROP_ERR(-ECONNREFUSED);
5128 
5129         return NF_ACCEPT;
5130 }
5131 
5132 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5133                                          const struct net_device *outdev,
5134                                          u16 family)
5135 {
5136         u32 secmark_perm;
5137         u32 peer_sid;
5138         int ifindex = outdev->ifindex;
5139         struct sock *sk;
5140         struct common_audit_data ad;
5141         struct lsm_network_audit net = {0,};
5142         char *addrp;
5143         u8 secmark_active;
5144         u8 peerlbl_active;
5145 
5146         /* If any sort of compatibility mode is enabled then handoff processing
5147          * to the selinux_ip_postroute_compat() function to deal with the
5148          * special handling.  We do this in an attempt to keep this function
5149          * as fast and as clean as possible. */
5150         if (!selinux_policycap_netpeer)
5151                 return selinux_ip_postroute_compat(skb, ifindex, family);
5152 
5153         secmark_active = selinux_secmark_enabled();
5154         peerlbl_active = selinux_peerlbl_enabled();
5155         if (!secmark_active && !peerlbl_active)
5156                 return NF_ACCEPT;
5157 
5158         sk = skb_to_full_sk(skb);
5159 
5160 #ifdef CONFIG_XFRM
5161         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5162          * packet transformation so allow the packet to pass without any checks
5163          * since we'll have another chance to perform access control checks
5164          * when the packet is on it's final way out.
5165          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5166          *       is NULL, in this case go ahead and apply access control.
5167          * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5168          *       TCP listening state we cannot wait until the XFRM processing
5169          *       is done as we will miss out on the SA label if we do;
5170          *       unfortunately, this means more work, but it is only once per
5171          *       connection. */
5172         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5173             !(sk && sk_listener(sk)))
5174                 return NF_ACCEPT;
5175 #endif
5176 
5177         if (sk == NULL) {
5178                 /* Without an associated socket the packet is either coming
5179                  * from the kernel or it is being forwarded; check the packet
5180                  * to determine which and if the packet is being forwarded
5181                  * query the packet directly to determine the security label. */
5182                 if (skb->skb_iif) {
5183                         secmark_perm = PACKET__FORWARD_OUT;
5184                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5185                                 return NF_DROP;
5186                 } else {
5187                         secmark_perm = PACKET__SEND;
5188                         peer_sid = SECINITSID_KERNEL;
5189                 }
5190         } else if (sk_listener(sk)) {
5191                 /* Locally generated packet but the associated socket is in the
5192                  * listening state which means this is a SYN-ACK packet.  In
5193                  * this particular case the correct security label is assigned
5194                  * to the connection/request_sock but unfortunately we can't
5195                  * query the request_sock as it isn't queued on the parent
5196                  * socket until after the SYN-ACK packet is sent; the only
5197                  * viable choice is to regenerate the label like we do in
5198                  * selinux_inet_conn_request().  See also selinux_ip_output()
5199                  * for similar problems. */
5200                 u32 skb_sid;
5201                 struct sk_security_struct *sksec;
5202 
5203                 sksec = sk->sk_security;
5204                 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5205                         return NF_DROP;
5206                 /* At this point, if the returned skb peerlbl is SECSID_NULL
5207                  * and the packet has been through at least one XFRM
5208                  * transformation then we must be dealing with the "final"
5209                  * form of labeled IPsec packet; since we've already applied
5210                  * all of our access controls on this packet we can safely
5211                  * pass the packet. */
5212                 if (skb_sid == SECSID_NULL) {
5213                         switch (family) {
5214                         case PF_INET:
5215                                 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5216                                         return NF_ACCEPT;
5217                                 break;
5218                         case PF_INET6:
5219                                 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5220                                         return NF_ACCEPT;
5221                                 break;
5222                         default:
5223                                 return NF_DROP_ERR(-ECONNREFUSED);
5224                         }
5225                 }
5226                 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5227                         return NF_DROP;
5228                 secmark_perm = PACKET__SEND;
5229         } else {
5230                 /* Locally generated packet, fetch the security label from the
5231                  * associated socket. */
5232                 struct sk_security_struct *sksec = sk->sk_security;
5233                 peer_sid = sksec->sid;
5234                 secmark_perm = PACKET__SEND;
5235         }
5236 
5237         ad.type = LSM_AUDIT_DATA_NET;
5238         ad.u.net = &net;
5239         ad.u.net->netif = ifindex;
5240         ad.u.net->family = family;
5241         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5242                 return NF_DROP;
5243 
5244         if (secmark_active)
5245                 if (avc_has_perm(peer_sid, skb->secmark,
5246                                  SECCLASS_PACKET, secmark_perm, &ad))
5247                         return NF_DROP_ERR(-ECONNREFUSED);
5248 
5249         if (peerlbl_active) {
5250                 u32 if_sid;
5251                 u32 node_sid;
5252 
5253                 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5254                         return NF_DROP;
5255                 if (avc_has_perm(peer_sid, if_sid,
5256                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
5257                         return NF_DROP_ERR(-ECONNREFUSED);
5258 
5259                 if (sel_netnode_sid(addrp, family, &node_sid))
5260                         return NF_DROP;
5261                 if (avc_has_perm(peer_sid, node_sid,
5262                                  SECCLASS_NODE, NODE__SENDTO, &ad))
5263                         return NF_DROP_ERR(-ECONNREFUSED);
5264         }
5265 
5266         return NF_ACCEPT;
5267 }
5268 
5269 static unsigned int selinux_ipv4_postroute(void *priv,
5270                                            struct sk_buff *skb,
5271                                            const struct nf_hook_state *state)
5272 {
5273         return selinux_ip_postroute(skb, state->out, PF_INET);
5274 }
5275 
5276 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5277 static unsigned int selinux_ipv6_postroute(void *priv,
5278                                            struct sk_buff *skb,
5279                                            const struct nf_hook_state *state)
5280 {
5281         return selinux_ip_postroute(skb, state->out, PF_INET6);
5282 }
5283 #endif  /* IPV6 */
5284 
5285 #endif  /* CONFIG_NETFILTER */
5286 
5287 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5288 {
5289         return selinux_nlmsg_perm(sk, skb);
5290 }
5291 
5292 static int ipc_alloc_security(struct task_struct *task,
5293                               struct kern_ipc_perm *perm,
5294                               u16 sclass)
5295 {
5296         struct ipc_security_struct *isec;
5297         u32 sid;
5298 
5299         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5300         if (!isec)
5301                 return -ENOMEM;
5302 
5303         sid = task_sid(task);
5304         isec->sclass = sclass;
5305         isec->sid = sid;
5306         perm->security = isec;
5307 
5308         return 0;
5309 }
5310 
5311 static void ipc_free_security(struct kern_ipc_perm *perm)
5312 {
5313         struct ipc_security_struct *isec = perm->security;
5314         perm->security = NULL;
5315         kfree(isec);
5316 }
5317 
5318 static int msg_msg_alloc_security(struct msg_msg *msg)
5319 {
5320         struct msg_security_struct *msec;
5321 
5322         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5323         if (!msec)
5324                 return -ENOMEM;
5325 
5326         msec->sid = SECINITSID_UNLABELED;
5327         msg->security = msec;
5328 
5329         return 0;
5330 }
5331 
5332 static void msg_msg_free_security(struct msg_msg *msg)
5333 {
5334         struct msg_security_struct *msec = msg->security;
5335 
5336         msg->security = NULL;
5337         kfree(msec);
5338 }
5339 
5340 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5341                         u32 perms)
5342 {
5343         struct ipc_security_struct *isec;
5344         struct common_audit_data ad;
5345         u32 sid = current_sid();
5346 
5347         isec = ipc_perms->security;
5348 
5349         ad.type = LSM_AUDIT_DATA_IPC;
5350         ad.u.ipc_id = ipc_perms->key;
5351 
5352         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5353 }
5354 
5355 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5356 {
5357         return msg_msg_alloc_security(msg);
5358 }
5359 
5360 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5361 {
5362         msg_msg_free_security(msg);
5363 }
5364 
5365 /* message queue security operations */
5366 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5367 {
5368         struct ipc_security_struct *isec;
5369         struct common_audit_data ad;
5370         u32 sid = current_sid();
5371         int rc;
5372 
5373         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5374         if (rc)
5375                 return rc;
5376 
5377         isec = msq->q_perm.security;
5378 
5379         ad.type = LSM_AUDIT_DATA_IPC;
5380         ad.u.ipc_id = msq->q_perm.key;
5381 
5382         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5383                           MSGQ__CREATE, &ad);
5384         if (rc) {
5385                 ipc_free_security(&msq->q_perm);
5386                 return rc;
5387         }
5388         return 0;
5389 }
5390 
5391 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5392 {
5393         ipc_free_security(&msq->q_perm);
5394 }
5395 
5396 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5397 {
5398         struct ipc_security_struct *isec;
5399         struct common_audit_data ad;
5400         u32 sid = current_sid();
5401 
5402         isec = msq->q_perm.security;
5403 
5404         ad.type = LSM_AUDIT_DATA_IPC;
5405         ad.u.ipc_id = msq->q_perm.key;
5406 
5407         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5408                             MSGQ__ASSOCIATE, &ad);
5409 }
5410 
5411 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5412 {
5413         int err;
5414         int perms;
5415 
5416         switch (cmd) {
5417         case IPC_INFO:
5418         case MSG_INFO:
5419                 /* No specific object, just general system-wide information. */
5420                 return task_has_system(current, SYSTEM__IPC_INFO);
5421         case IPC_STAT:
5422         case MSG_STAT:
5423                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5424                 break;
5425         case IPC_SET:
5426                 perms = MSGQ__SETATTR;
5427                 break;
5428         case IPC_RMID:
5429                 perms = MSGQ__DESTROY;
5430                 break;
5431         default:
5432                 return 0;
5433         }
5434 
5435         err = ipc_has_perm(&msq->q_perm, perms);
5436         return err;
5437 }
5438 
5439 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5440 {
5441         struct ipc_security_struct *isec;
5442         struct msg_security_struct *msec;
5443         struct common_audit_data ad;
5444         u32 sid = current_sid();
5445         int rc;
5446 
5447         isec = msq->q_perm.security;
5448         msec = msg->security;
5449 
5450         /*
5451          * First time through, need to assign label to the message
5452          */
5453         if (msec->sid == SECINITSID_UNLABELED) {
5454                 /*
5455                  * Compute new sid based on current process and
5456                  * message queue this message will be stored in
5457                  */
5458                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5459                                              NULL, &msec->sid);
5460                 if (rc)
5461                         return rc;
5462         }
5463 
5464         ad.type = LSM_AUDIT_DATA_IPC;
5465         ad.u.ipc_id = msq->q_perm.key;
5466 
5467         /* Can this process write to the queue? */
5468         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5469                           MSGQ__WRITE, &ad);
5470         if (!rc)
5471                 /* Can this process send the message */
5472                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5473                                   MSG__SEND, &ad);
5474         if (!rc)
5475                 /* Can the message be put in the queue? */
5476                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5477                                   MSGQ__ENQUEUE, &ad);
5478 
5479         return rc;
5480 }
5481 
5482 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5483                                     struct task_struct *target,
5484                                     long type, int mode)
5485 {
5486         struct ipc_security_struct *isec;
5487         struct msg_security_struct *msec;
5488         struct common_audit_data ad;
5489         u32 sid = task_sid(target);
5490         int rc;
5491 
5492         isec = msq->q_perm.security;
5493         msec = msg->security;
5494 
5495         ad.type = LSM_AUDIT_DATA_IPC;
5496         ad.u.ipc_id = msq->q_perm.key;
5497 
5498         rc = avc_has_perm(sid, isec->sid,
5499                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5500         if (!rc)
5501                 rc = avc_has_perm(sid, msec->sid,
5502                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5503         return rc;
5504 }
5505 
5506 /* Shared Memory security operations */
5507 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5508 {
5509         struct ipc_security_struct *isec;
5510         struct common_audit_data ad;
5511         u32 sid = current_sid();
5512         int rc;
5513 
5514         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5515         if (rc)
5516                 return rc;
5517 
5518         isec = shp->shm_perm.security;
5519 
5520         ad.type = LSM_AUDIT_DATA_IPC;
5521         ad.u.ipc_id = shp->shm_perm.key;
5522 
5523         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5524                           SHM__CREATE, &ad);
5525         if (rc) {
5526                 ipc_free_security(&shp->shm_perm);
5527                 return rc;
5528         }
5529         return 0;
5530 }
5531 
5532 static void selinux_shm_free_security(struct shmid_kernel *shp)
5533 {
5534         ipc_free_security(&shp->shm_perm);
5535 }
5536 
5537 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5538 {
5539         struct ipc_security_struct *isec;
5540         struct common_audit_data ad;
5541         u32 sid = current_sid();
5542 
5543         isec = shp->shm_perm.security;
5544 
5545         ad.type = LSM_AUDIT_DATA_IPC;
5546         ad.u.ipc_id = shp->shm_perm.key;
5547 
5548         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5549                             SHM__ASSOCIATE, &ad);
5550 }
5551 
5552 /* Note, at this point, shp is locked down */
5553 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5554 {
5555         int perms;
5556         int err;
5557 
5558         switch (cmd) {
5559         case IPC_INFO:
5560         case SHM_INFO:
5561                 /* No specific object, just general system-wide information. */
5562                 return task_has_system(current, SYSTEM__IPC_INFO);
5563         case IPC_STAT:
5564         case SHM_STAT:
5565                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5566                 break;
5567         case IPC_SET:
5568                 perms = SHM__SETATTR;
5569                 break;
5570         case SHM_LOCK:
5571         case SHM_UNLOCK:
5572                 perms = SHM__LOCK;
5573                 break;
5574         case IPC_RMID:
5575                 perms = SHM__DESTROY;
5576                 break;
5577         default:
5578                 return 0;
5579         }
5580 
5581         err = ipc_has_perm(&shp->shm_perm, perms);
5582         return err;
5583 }
5584 
5585 static int selinux_shm_shmat(struct shmid_kernel *shp,
5586                              char __user *shmaddr, int shmflg)
5587 {
5588         u32 perms;
5589 
5590         if (shmflg & SHM_RDONLY)
5591                 perms = SHM__READ;
5592         else
5593                 perms = SHM__READ | SHM__WRITE;
5594 
5595         return ipc_has_perm(&shp->shm_perm, perms);
5596 }
5597 
5598 /* Semaphore security operations */
5599 static int selinux_sem_alloc_security(struct sem_array *sma)
5600 {
5601         struct ipc_security_struct *isec;
5602         struct common_audit_data ad;
5603         u32 sid = current_sid();
5604         int rc;
5605 
5606         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5607         if (rc)
5608                 return rc;
5609 
5610         isec = sma->sem_perm.security;
5611 
5612         ad.type = LSM_AUDIT_DATA_IPC;
5613         ad.u.ipc_id = sma->sem_perm.key;
5614 
5615         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5616                           SEM__CREATE, &ad);
5617         if (rc) {
5618                 ipc_free_security(&sma->sem_perm);
5619                 return rc;
5620         }
5621         return 0;
5622 }
5623 
5624 static void selinux_sem_free_security(struct sem_array *sma)
5625 {
5626         ipc_free_security(&sma->sem_perm);
5627 }
5628 
5629 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5630 {
5631         struct ipc_security_struct *isec;
5632         struct common_audit_data ad;
5633         u32 sid = current_sid();
5634 
5635         isec = sma->sem_perm.security;
5636 
5637         ad.type = LSM_AUDIT_DATA_IPC;
5638         ad.u.ipc_id = sma->sem_perm.key;
5639 
5640         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5641                             SEM__ASSOCIATE, &ad);
5642 }
5643 
5644 /* Note, at this point, sma is locked down */
5645 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5646 {
5647         int err;
5648         u32 perms;
5649 
5650         switch (cmd) {
5651         case IPC_INFO:
5652         case SEM_INFO:
5653                 /* No specific object, just general system-wide information. */
5654                 return task_has_system(current, SYSTEM__IPC_INFO);
5655         case GETPID:
5656         case GETNCNT:
5657         case GETZCNT:
5658                 perms = SEM__GETATTR;
5659                 break;
5660         case GETVAL:
5661         case GETALL:
5662                 perms = SEM__READ;
5663                 break;
5664         case SETVAL:
5665         case SETALL:
5666                 perms = SEM__WRITE;
5667                 break;
5668         case IPC_RMID:
5669                 perms = SEM__DESTROY;
5670                 break;
5671         case IPC_SET:
5672                 perms = SEM__SETATTR;
5673                 break;
5674         case IPC_STAT:
5675         case SEM_STAT:
5676                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5677                 break;
5678         default:
5679                 return 0;
5680         }
5681 
5682         err = ipc_has_perm(&sma->sem_perm, perms);
5683         return err;
5684 }
5685 
5686 static int selinux_sem_semop(struct sem_array *sma,
5687                              struct sembuf *sops, unsigned nsops, int alter)
5688 {
5689         u32 perms;
5690 
5691         if (alter)
5692                 perms = SEM__READ | SEM__WRITE;
5693         else
5694                 perms = SEM__READ;
5695 
5696         return ipc_has_perm(&sma->sem_perm, perms);
5697 }
5698 
5699 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5700 {
5701         u32 av = 0;
5702 
5703         av = 0;
5704         if (flag & S_IRUGO)
5705                 av |= IPC__UNIX_READ;
5706         if (flag & S_IWUGO)
5707                 av |= IPC__UNIX_WRITE;
5708 
5709         if (av == 0)
5710                 return 0;
5711 
5712         return ipc_has_perm(ipcp, av);
5713 }
5714 
5715 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5716 {
5717         struct ipc_security_struct *isec = ipcp->security;
5718         *secid = isec->sid;
5719 }
5720 
5721 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5722 {
5723         if (inode)
5724                 inode_doinit_with_dentry(inode, dentry);
5725 }
5726 
5727 static int selinux_getprocattr(struct task_struct *p,
5728                                char *name, char **value)
5729 {
5730         const struct task_security_struct *__tsec;
5731         u32 sid;
5732         int error;
5733         unsigned len;
5734 
5735         if (current != p) {
5736                 error = current_has_perm(p, PROCESS__GETATTR);
5737                 if (error)
5738                         return error;
5739         }
5740 
5741         rcu_read_lock();
5742         __tsec = __task_cred(p)->security;
5743 
5744         if (!strcmp(name, "current"))
5745                 sid = __tsec->sid;
5746         else if (!strcmp(name, "prev"))
5747                 sid = __tsec->osid;
5748         else if (!strcmp(name, "exec"))
5749                 sid = __tsec->exec_sid;
5750         else if (!strcmp(name, "fscreate"))
5751                 sid = __tsec->create_sid;
5752         else if (!strcmp(name, "keycreate"))
5753                 sid = __tsec->keycreate_sid;
5754         else if (!strcmp(name, "sockcreate"))
5755                 sid = __tsec->sockcreate_sid;
5756         else
5757                 goto invalid;
5758         rcu_read_unlock();
5759 
5760         if (!sid)
5761                 return 0;
5762 
5763         error = security_sid_to_context(sid, value, &len);
5764         if (error)
5765                 return error;
5766         return len;
5767 
5768 invalid:
5769         rcu_read_unlock();
5770         return -EINVAL;
5771 }
5772 
5773 static int selinux_setprocattr(struct task_struct *p,
5774                                char *name, void *value, size_t size)
5775 {
5776         struct task_security_struct *tsec;
5777         struct cred *new;
5778         u32 sid = 0, ptsid;
5779         int error;
5780         char *str = value;
5781 
5782         if (current != p) {
5783                 /* SELinux only allows a process to change its own
5784                    security attributes. */
5785                 return -EACCES;
5786         }
5787 
5788         /*
5789          * Basic control over ability to set these attributes at all.
5790          * current == p, but we'll pass them separately in case the
5791          * above restriction is ever removed.
5792          */
5793         if (!strcmp(name, "exec"))
5794                 error = current_has_perm(p, PROCESS__SETEXEC);
5795         else if (!strcmp(name, "fscreate"))
5796                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5797         else if (!strcmp(name, "keycreate"))
5798                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5799         else if (!strcmp(name, "sockcreate"))
5800                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5801         else if (!strcmp(name, "current"))
5802                 error = current_has_perm(p, PROCESS__SETCURRENT);
5803         else
5804                 error = -EINVAL;
5805         if (error)
5806                 return error;
5807 
5808         /* Obtain a SID for the context, if one was specified. */
5809         if (size && str[1] && str[1] != '\n') {
5810                 if (str[size-1] == '\n') {
5811                         str[size-1] = 0;
5812                         size--;
5813                 }
5814                 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5815                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5816                         if (!capable(CAP_MAC_ADMIN)) {
5817                                 struct audit_buffer *ab;
5818                                 size_t audit_size;
5819 
5820                                 /* We strip a nul only if it is at the end, otherwise the
5821                                  * context contains a nul and we should audit that */
5822                                 if (str[size - 1] == '\0')
5823                                         audit_size = size - 1;
5824                                 else
5825                                         audit_size = size;
5826                                 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5827                                 audit_log_format(ab, "op=fscreate invalid_context=");
5828                                 audit_log_n_untrustedstring(ab, value, audit_size);
5829                                 audit_log_end(ab);
5830 
5831                                 return error;
5832                         }
5833                         error = security_context_to_sid_force(value, size,
5834                                                               &sid);
5835                 }
5836                 if (error)
5837                         return error;
5838         }
5839 
5840         new = prepare_creds();
5841         if (!new)
5842                 return -ENOMEM;
5843 
5844         /* Permission checking based on the specified context is
5845            performed during the actual operation (execve,
5846            open/mkdir/...), when we know the full context of the
5847            operation.  See selinux_bprm_set_creds for the execve
5848            checks and may_create for the file creation checks. The
5849            operation will then fail if the context is not permitted. */
5850         tsec = new->security;
5851         if (!strcmp(name, "exec")) {
5852                 tsec->exec_sid = sid;
5853         } else if (!strcmp(name, "fscreate")) {
5854                 tsec->create_sid = sid;
5855         } else if (!strcmp(name, "keycreate")) {
5856                 error = may_create_key(sid, p);
5857                 if (error)
5858                         goto abort_change;
5859                 tsec->keycreate_sid = sid;
5860         } else if (!strcmp(name, "sockcreate")) {
5861                 tsec->sockcreate_sid = sid;
5862         } else if (!strcmp(name, "current")) {
5863                 error = -EINVAL;
5864                 if (sid == 0)
5865                         goto abort_change;
5866 
5867                 /* Only allow single threaded processes to change context */
5868                 error = -EPERM;
5869                 if (!current_is_single_threaded()) {
5870                         error = security_bounded_transition(tsec->sid, sid);
5871                         if (error)
5872                                 goto abort_change;
5873                 }
5874 
5875                 /* Check permissions for the transition. */
5876                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5877                                      PROCESS__DYNTRANSITION, NULL);
5878                 if (error)
5879                         goto abort_change;
5880 
5881                 /* Check for ptracing, and update the task SID if ok.
5882                    Otherwise, leave SID unchanged and fail. */
5883                 ptsid = ptrace_parent_sid(p);
5884                 if (ptsid != 0) {
5885                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5886                                              PROCESS__PTRACE, NULL);
5887                         if (error)
5888                                 goto abort_change;
5889                 }
5890 
5891                 tsec->sid = sid;
5892         } else {
5893                 error = -EINVAL;
5894                 goto abort_change;
5895         }
5896 
5897         commit_creds(new);
5898         return size;
5899 
5900 abort_change:
5901         abort_creds(new);
5902         return error;
5903 }
5904 
5905 static int selinux_ismaclabel(const char *name)
5906 {
5907         return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5908 }
5909 
5910 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5911 {
5912         return security_sid_to_context(secid, secdata, seclen);
5913 }
5914 
5915 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5916 {
5917         return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5918 }
5919 
5920 static void selinux_release_secctx(char *secdata, u32 seclen)
5921 {
5922         kfree(secdata);
5923 }
5924 
5925 static void selinux_inode_invalidate_secctx(struct inode *inode)
5926 {
5927         struct inode_security_struct *isec = inode->i_security;
5928 
5929         mutex_lock(&isec->lock);
5930         isec->initialized = LABEL_INVALID;
5931         mutex_unlock(&isec->lock);
5932 }
5933 
5934 /*
5935  *      called with inode->i_mutex locked
5936  */
5937 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5938 {
5939         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5940 }
5941 
5942 /*
5943  *      called with inode->i_mutex locked
5944  */
5945 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5946 {
5947         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5948 }
5949 
5950 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5951 {
5952         int len = 0;
5953         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5954                                                 ctx, true);
5955         if (len < 0)
5956                 return len;
5957         *ctxlen = len;
5958         return 0;
5959 }
5960 #ifdef CONFIG_KEYS
5961 
5962 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5963                              unsigned long flags)
5964 {
5965         const struct task_security_struct *tsec;
5966         struct key_security_struct *ksec;
5967 
5968         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5969         if (!ksec)
5970                 return -ENOMEM;
5971 
5972         tsec = cred->security;
5973         if (tsec->keycreate_sid)
5974                 ksec->sid = tsec->keycreate_sid;
5975         else
5976                 ksec->sid = tsec->sid;
5977 
5978         k->security = ksec;
5979         return 0;
5980 }
5981 
5982 static void selinux_key_free(struct key *k)
5983 {
5984         struct key_security_struct *ksec = k->security;
5985 
5986         k->security = NULL;
5987         kfree(ksec);
5988 }
5989 
5990 static int selinux_key_permission(key_ref_t key_ref,
5991                                   const struct cred *cred,
5992                                   unsigned perm)
5993 {
5994         struct key *key;
5995         struct key_security_struct *ksec;
5996         u32 sid;
5997 
5998         /* if no specific permissions are requested, we skip the
5999            permission check. No serious, additional covert channels
6000            appear to be created. */
6001         if (perm == 0)
6002                 return 0;
6003 
6004         sid = cred_sid(cred);
6005 
6006         key = key_ref_to_ptr(key_ref);
6007         ksec = key->security;
6008 
6009         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6010 }
6011 
6012 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6013 {
6014         struct key_security_struct *ksec = key->security;
6015         char *context = NULL;
6016         unsigned len;
6017         int rc;
6018 
6019         rc = security_sid_to_context(ksec->sid, &context, &len);
6020         if (!rc)
6021                 rc = len;
6022         *_buffer = context;
6023         return rc;
6024 }
6025 
6026 #endif
6027 
6028 static struct security_hook_list selinux_hooks[] = {
6029         LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6030         LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6031         LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6032         LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6033 
6034         LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6035         LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6036         LSM_HOOK_INIT(capget, selinux_capget),
6037         LSM_HOOK_INIT(capset, selinux_capset),
6038         LSM_HOOK_INIT(capable, selinux_capable),
6039         LSM_HOOK_INIT(quotactl, selinux_quotactl),
6040         LSM_HOOK_INIT(quota_on, selinux_quota_on),
6041         LSM_HOOK_INIT(syslog, selinux_syslog),
6042         LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6043 
6044         LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6045 
6046         LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6047         LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6048         LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6049         LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6050 
6051         LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6052         LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6053         LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6054         LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6055         LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6056         LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6057         LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6058         LSM_HOOK_INIT(sb_mount, selinux_mount),
6059         LSM_HOOK_INIT(sb_umount, selinux_umount),
6060         LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6061         LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6062         LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6063 
6064         LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6065 
6066         LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6067         LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6068         LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6069         LSM_HOOK_INIT(inode_create, selinux_inode_create),
6070         LSM_HOOK_INIT(inode_link, selinux_inode_link),
6071         LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6072         LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6073         LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6074         LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6075         LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6076         LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6077         LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6078         LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6079         LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6080         LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6081         LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6082         LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6083         LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6084         LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6085         LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6086         LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6087         LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6088         LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6089         LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6090         LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6091 
6092         LSM_HOOK_INIT(file_permission, selinux_file_permission),
6093         LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6094         LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6095         LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6096         LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6097         LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6098         LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6099         LSM_HOOK_INIT(file_lock, selinux_file_lock),
6100         LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6101         LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6102         LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6103         LSM_HOOK_INIT(file_receive, selinux_file_receive),
6104 
6105         LSM_HOOK_INIT(file_open, selinux_file_open),
6106 
6107         LSM_HOOK_INIT(task_create, selinux_task_create),
6108         LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6109         LSM_HOOK_INIT(cred_free, selinux_cred_free),
6110         LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6111         LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6112         LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6113         LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6114         LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6115         LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6116         LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6117         LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6118         LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6119         LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6120         LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6121         LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6122         LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6123         LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6124         LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6125         LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6126         LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6127         LSM_HOOK_INIT(task_kill, selinux_task_kill),
6128         LSM_HOOK_INIT(task_wait, selinux_task_wait),
6129         LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6130 
6131         LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6132         LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6133 
6134         LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6135         LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6136 
6137         LSM_HOOK_INIT(msg_queue_alloc_security,
6138                         selinux_msg_queue_alloc_security),
6139         LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6140         LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6141         LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6142         LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6143         LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6144 
6145         LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6146         LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6147         LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6148         LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6149         LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6150 
6151         LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6152         LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6153         LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6154         LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6155         LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6156 
6157         LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6158 
6159         LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6160         LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6161 
6162         LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6163         LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6164         LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6165         LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6166         LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6167         LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6168         LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6169         LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6170 
6171         LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6172         LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6173 
6174         LSM_HOOK_INIT(socket_create, selinux_socket_create),
6175         LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6176         LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6177         LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6178         LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6179         LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6180         LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6181         LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6182         LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6183         LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6184         LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6185         LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6186         LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6187         LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6188         LSM_HOOK_INIT(socket_getpeersec_stream,
6189                         selinux_socket_getpeersec_stream),
6190         LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6191         LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6192         LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6193         LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6194         LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6195         LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6196         LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6197         LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6198         LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6199         LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6200         LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6201         LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6202         LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6203         LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6204         LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6205         LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6206         LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6207         LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6208         LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6209 
6210 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6211         LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6212         LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6213         LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6214         LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6215         LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6216         LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6217                         selinux_xfrm_state_alloc_acquire),
6218         LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6219         LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6220         LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6221         LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6222                         selinux_xfrm_state_pol_flow_match),
6223         LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6224 #endif
6225 
6226 #ifdef CONFIG_KEYS
6227         LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6228         LSM_HOOK_INIT(key_free, selinux_key_free),
6229         LSM_HOOK_INIT(key_permission, selinux_key_permission),
6230         LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6231 #endif
6232 
6233 #ifdef CONFIG_AUDIT
6234         LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6235         LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6236         LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6237         LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6238 #endif
6239 };
6240 
6241 static __init int selinux_init(void)
6242 {
6243         if (!security_module_enable("selinux")) {
6244                 selinux_enabled = 0;
6245                 return 0;
6246         }
6247 
6248         if (!selinux_enabled) {
6249                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
6250                 return 0;
6251         }
6252 
6253         printk(KERN_INFO "SELinux:  Initializing.\n");
6254 
6255         /* Set the security state for the initial task. */
6256         cred_init_security();
6257 
6258         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6259 
6260         sel_inode_cache = kmem_cache_create("selinux_inode_security",
6261                                             sizeof(struct inode_security_struct),
6262                                             0, SLAB_PANIC, NULL);
6263         file_security_cache = kmem_cache_create("selinux_file_security",
6264                                             sizeof(struct file_security_struct),
6265                                             0, SLAB_PANIC, NULL);
6266         avc_init();
6267 
6268         security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6269 
6270         if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6271                 panic("SELinux: Unable to register AVC netcache callback\n");
6272 
6273         if (selinux_enforcing)
6274                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6275         else
6276                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6277 
6278         return 0;
6279 }
6280 
6281 static void delayed_superblock_init(struct super_block *sb, void *unused)
6282 {
6283         superblock_doinit(sb, NULL);
6284 }
6285 
6286 void selinux_complete_init(void)
6287 {
6288         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6289 
6290         /* Set up any superblocks initialized prior to the policy load. */
6291         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6292         iterate_supers(delayed_superblock_init, NULL);
6293 }
6294 
6295 /* SELinux requires early initialization in order to label
6296    all processes and objects when they are created. */
6297 security_initcall(selinux_init);
6298 
6299 #if defined(CONFIG_NETFILTER)
6300 
6301 static struct nf_hook_ops selinux_nf_ops[] = {
6302         {
6303                 .hook =         selinux_ipv4_postroute,
6304                 .pf =           NFPROTO_IPV4,
6305                 .hooknum =      NF_INET_POST_ROUTING,
6306                 .priority =     NF_IP_PRI_SELINUX_LAST,
6307         },
6308         {
6309                 .hook =         selinux_ipv4_forward,
6310                 .pf =           NFPROTO_IPV4,
6311                 .hooknum =      NF_INET_FORWARD,
6312                 .priority =     NF_IP_PRI_SELINUX_FIRST,
6313         },
6314         {
6315                 .hook =         selinux_ipv4_output,
6316                 .pf =           NFPROTO_IPV4,
6317                 .hooknum =      NF_INET_LOCAL_OUT,
6318                 .priority =     NF_IP_PRI_SELINUX_FIRST,
6319         },
6320 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6321         {
6322                 .hook =         selinux_ipv6_postroute,
6323                 .pf =           NFPROTO_IPV6,
6324                 .hooknum =      NF_INET_POST_ROUTING,
6325                 .priority =     NF_IP6_PRI_SELINUX_LAST,
6326         },
6327         {
6328                 .hook =         selinux_ipv6_forward,
6329                 .pf =           NFPROTO_IPV6,
6330                 .hooknum =      NF_INET_FORWARD,
6331                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
6332         },
6333         {
6334                 .hook =         selinux_ipv6_output,
6335                 .pf =           NFPROTO_IPV6,
6336                 .hooknum =      NF_INET_LOCAL_OUT,
6337                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
6338         },
6339 #endif  /* IPV6 */
6340 };
6341 
6342 static int __init selinux_nf_ip_init(void)
6343 {
6344         int err;
6345 
6346         if (!selinux_enabled)
6347                 return 0;
6348