xref: /openbmc/linux/security/selinux/hooks.c (revision 31b90347)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *	This program is free software; you can redistribute it and/or modify
22  *	it under the terms of the GNU General Public License version 2,
23  *	as published by the Free Software Foundation.
24  */
25 
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>		/* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h>		/* for Unix socket types */
71 #include <net/af_unix.h>	/* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/security.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 
89 #include "avc.h"
90 #include "objsec.h"
91 #include "netif.h"
92 #include "netnode.h"
93 #include "netport.h"
94 #include "xfrm.h"
95 #include "netlabel.h"
96 #include "audit.h"
97 #include "avc_ss.h"
98 
99 extern struct security_operations *security_ops;
100 
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
106 
107 static int __init enforcing_setup(char *str)
108 {
109 	unsigned long enforcing;
110 	if (!strict_strtoul(str, 0, &enforcing))
111 		selinux_enforcing = enforcing ? 1 : 0;
112 	return 1;
113 }
114 __setup("enforcing=", enforcing_setup);
115 #endif
116 
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119 
120 static int __init selinux_enabled_setup(char *str)
121 {
122 	unsigned long enabled;
123 	if (!strict_strtoul(str, 0, &enabled))
124 		selinux_enabled = enabled ? 1 : 0;
125 	return 1;
126 }
127 __setup("selinux=", selinux_enabled_setup);
128 #else
129 int selinux_enabled = 1;
130 #endif
131 
132 static struct kmem_cache *sel_inode_cache;
133 
134 /**
135  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136  *
137  * Description:
138  * This function checks the SECMARK reference counter to see if any SECMARK
139  * targets are currently configured, if the reference counter is greater than
140  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
141  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
142  * policy capability is enabled, SECMARK is always considered enabled.
143  *
144  */
145 static int selinux_secmark_enabled(void)
146 {
147 	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 }
149 
150 /**
151  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152  *
153  * Description:
154  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
155  * (1) if any are enabled or false (0) if neither are enabled.  If the
156  * always_check_network policy capability is enabled, peer labeling
157  * is always considered enabled.
158  *
159  */
160 static int selinux_peerlbl_enabled(void)
161 {
162 	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
163 }
164 
165 /*
166  * initialise the security for the init task
167  */
168 static void cred_init_security(void)
169 {
170 	struct cred *cred = (struct cred *) current->real_cred;
171 	struct task_security_struct *tsec;
172 
173 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
174 	if (!tsec)
175 		panic("SELinux:  Failed to initialize initial task.\n");
176 
177 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
178 	cred->security = tsec;
179 }
180 
181 /*
182  * get the security ID of a set of credentials
183  */
184 static inline u32 cred_sid(const struct cred *cred)
185 {
186 	const struct task_security_struct *tsec;
187 
188 	tsec = cred->security;
189 	return tsec->sid;
190 }
191 
192 /*
193  * get the objective security ID of a task
194  */
195 static inline u32 task_sid(const struct task_struct *task)
196 {
197 	u32 sid;
198 
199 	rcu_read_lock();
200 	sid = cred_sid(__task_cred(task));
201 	rcu_read_unlock();
202 	return sid;
203 }
204 
205 /*
206  * get the subjective security ID of the current task
207  */
208 static inline u32 current_sid(void)
209 {
210 	const struct task_security_struct *tsec = current_security();
211 
212 	return tsec->sid;
213 }
214 
215 /* Allocate and free functions for each kind of security blob. */
216 
217 static int inode_alloc_security(struct inode *inode)
218 {
219 	struct inode_security_struct *isec;
220 	u32 sid = current_sid();
221 
222 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
223 	if (!isec)
224 		return -ENOMEM;
225 
226 	mutex_init(&isec->lock);
227 	INIT_LIST_HEAD(&isec->list);
228 	isec->inode = inode;
229 	isec->sid = SECINITSID_UNLABELED;
230 	isec->sclass = SECCLASS_FILE;
231 	isec->task_sid = sid;
232 	inode->i_security = isec;
233 
234 	return 0;
235 }
236 
237 static void inode_free_rcu(struct rcu_head *head)
238 {
239 	struct inode_security_struct *isec;
240 
241 	isec = container_of(head, struct inode_security_struct, rcu);
242 	kmem_cache_free(sel_inode_cache, isec);
243 }
244 
245 static void inode_free_security(struct inode *inode)
246 {
247 	struct inode_security_struct *isec = inode->i_security;
248 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
249 
250 	spin_lock(&sbsec->isec_lock);
251 	if (!list_empty(&isec->list))
252 		list_del_init(&isec->list);
253 	spin_unlock(&sbsec->isec_lock);
254 
255 	/*
256 	 * The inode may still be referenced in a path walk and
257 	 * a call to selinux_inode_permission() can be made
258 	 * after inode_free_security() is called. Ideally, the VFS
259 	 * wouldn't do this, but fixing that is a much harder
260 	 * job. For now, simply free the i_security via RCU, and
261 	 * leave the current inode->i_security pointer intact.
262 	 * The inode will be freed after the RCU grace period too.
263 	 */
264 	call_rcu(&isec->rcu, inode_free_rcu);
265 }
266 
267 static int file_alloc_security(struct file *file)
268 {
269 	struct file_security_struct *fsec;
270 	u32 sid = current_sid();
271 
272 	fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
273 	if (!fsec)
274 		return -ENOMEM;
275 
276 	fsec->sid = sid;
277 	fsec->fown_sid = sid;
278 	file->f_security = fsec;
279 
280 	return 0;
281 }
282 
283 static void file_free_security(struct file *file)
284 {
285 	struct file_security_struct *fsec = file->f_security;
286 	file->f_security = NULL;
287 	kfree(fsec);
288 }
289 
290 static int superblock_alloc_security(struct super_block *sb)
291 {
292 	struct superblock_security_struct *sbsec;
293 
294 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
295 	if (!sbsec)
296 		return -ENOMEM;
297 
298 	mutex_init(&sbsec->lock);
299 	INIT_LIST_HEAD(&sbsec->isec_head);
300 	spin_lock_init(&sbsec->isec_lock);
301 	sbsec->sb = sb;
302 	sbsec->sid = SECINITSID_UNLABELED;
303 	sbsec->def_sid = SECINITSID_FILE;
304 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
305 	sb->s_security = sbsec;
306 
307 	return 0;
308 }
309 
310 static void superblock_free_security(struct super_block *sb)
311 {
312 	struct superblock_security_struct *sbsec = sb->s_security;
313 	sb->s_security = NULL;
314 	kfree(sbsec);
315 }
316 
317 /* The file system's label must be initialized prior to use. */
318 
319 static const char *labeling_behaviors[7] = {
320 	"uses xattr",
321 	"uses transition SIDs",
322 	"uses task SIDs",
323 	"uses genfs_contexts",
324 	"not configured for labeling",
325 	"uses mountpoint labeling",
326 	"uses native labeling",
327 };
328 
329 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
330 
331 static inline int inode_doinit(struct inode *inode)
332 {
333 	return inode_doinit_with_dentry(inode, NULL);
334 }
335 
336 enum {
337 	Opt_error = -1,
338 	Opt_context = 1,
339 	Opt_fscontext = 2,
340 	Opt_defcontext = 3,
341 	Opt_rootcontext = 4,
342 	Opt_labelsupport = 5,
343 	Opt_nextmntopt = 6,
344 };
345 
346 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
347 
348 static const match_table_t tokens = {
349 	{Opt_context, CONTEXT_STR "%s"},
350 	{Opt_fscontext, FSCONTEXT_STR "%s"},
351 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
352 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
353 	{Opt_labelsupport, LABELSUPP_STR},
354 	{Opt_error, NULL},
355 };
356 
357 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
358 
359 static int may_context_mount_sb_relabel(u32 sid,
360 			struct superblock_security_struct *sbsec,
361 			const struct cred *cred)
362 {
363 	const struct task_security_struct *tsec = cred->security;
364 	int rc;
365 
366 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
367 			  FILESYSTEM__RELABELFROM, NULL);
368 	if (rc)
369 		return rc;
370 
371 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
372 			  FILESYSTEM__RELABELTO, NULL);
373 	return rc;
374 }
375 
376 static int may_context_mount_inode_relabel(u32 sid,
377 			struct superblock_security_struct *sbsec,
378 			const struct cred *cred)
379 {
380 	const struct task_security_struct *tsec = cred->security;
381 	int rc;
382 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
383 			  FILESYSTEM__RELABELFROM, NULL);
384 	if (rc)
385 		return rc;
386 
387 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
388 			  FILESYSTEM__ASSOCIATE, NULL);
389 	return rc;
390 }
391 
392 static int selinux_is_sblabel_mnt(struct super_block *sb)
393 {
394 	struct superblock_security_struct *sbsec = sb->s_security;
395 
396 	if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
397 	    sbsec->behavior == SECURITY_FS_USE_TRANS ||
398 	    sbsec->behavior == SECURITY_FS_USE_TASK)
399 		return 1;
400 
401 	/* Special handling for sysfs. Is genfs but also has setxattr handler*/
402 	if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
403 		return 1;
404 
405 	/*
406 	 * Special handling for rootfs. Is genfs but supports
407 	 * setting SELinux context on in-core inodes.
408 	 */
409 	if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
410 		return 1;
411 
412 	return 0;
413 }
414 
415 static int sb_finish_set_opts(struct super_block *sb)
416 {
417 	struct superblock_security_struct *sbsec = sb->s_security;
418 	struct dentry *root = sb->s_root;
419 	struct inode *root_inode = root->d_inode;
420 	int rc = 0;
421 
422 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
423 		/* Make sure that the xattr handler exists and that no
424 		   error other than -ENODATA is returned by getxattr on
425 		   the root directory.  -ENODATA is ok, as this may be
426 		   the first boot of the SELinux kernel before we have
427 		   assigned xattr values to the filesystem. */
428 		if (!root_inode->i_op->getxattr) {
429 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
430 			       "xattr support\n", sb->s_id, sb->s_type->name);
431 			rc = -EOPNOTSUPP;
432 			goto out;
433 		}
434 		rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
435 		if (rc < 0 && rc != -ENODATA) {
436 			if (rc == -EOPNOTSUPP)
437 				printk(KERN_WARNING "SELinux: (dev %s, type "
438 				       "%s) has no security xattr handler\n",
439 				       sb->s_id, sb->s_type->name);
440 			else
441 				printk(KERN_WARNING "SELinux: (dev %s, type "
442 				       "%s) getxattr errno %d\n", sb->s_id,
443 				       sb->s_type->name, -rc);
444 			goto out;
445 		}
446 	}
447 
448 	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
449 		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
450 		       sb->s_id, sb->s_type->name);
451 	else
452 		printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
453 		       sb->s_id, sb->s_type->name,
454 		       labeling_behaviors[sbsec->behavior-1]);
455 
456 	sbsec->flags |= SE_SBINITIALIZED;
457 	if (selinux_is_sblabel_mnt(sb))
458 		sbsec->flags |= SBLABEL_MNT;
459 
460 	/* Initialize the root inode. */
461 	rc = inode_doinit_with_dentry(root_inode, root);
462 
463 	/* Initialize any other inodes associated with the superblock, e.g.
464 	   inodes created prior to initial policy load or inodes created
465 	   during get_sb by a pseudo filesystem that directly
466 	   populates itself. */
467 	spin_lock(&sbsec->isec_lock);
468 next_inode:
469 	if (!list_empty(&sbsec->isec_head)) {
470 		struct inode_security_struct *isec =
471 				list_entry(sbsec->isec_head.next,
472 					   struct inode_security_struct, list);
473 		struct inode *inode = isec->inode;
474 		spin_unlock(&sbsec->isec_lock);
475 		inode = igrab(inode);
476 		if (inode) {
477 			if (!IS_PRIVATE(inode))
478 				inode_doinit(inode);
479 			iput(inode);
480 		}
481 		spin_lock(&sbsec->isec_lock);
482 		list_del_init(&isec->list);
483 		goto next_inode;
484 	}
485 	spin_unlock(&sbsec->isec_lock);
486 out:
487 	return rc;
488 }
489 
490 /*
491  * This function should allow an FS to ask what it's mount security
492  * options were so it can use those later for submounts, displaying
493  * mount options, or whatever.
494  */
495 static int selinux_get_mnt_opts(const struct super_block *sb,
496 				struct security_mnt_opts *opts)
497 {
498 	int rc = 0, i;
499 	struct superblock_security_struct *sbsec = sb->s_security;
500 	char *context = NULL;
501 	u32 len;
502 	char tmp;
503 
504 	security_init_mnt_opts(opts);
505 
506 	if (!(sbsec->flags & SE_SBINITIALIZED))
507 		return -EINVAL;
508 
509 	if (!ss_initialized)
510 		return -EINVAL;
511 
512 	/* make sure we always check enough bits to cover the mask */
513 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
514 
515 	tmp = sbsec->flags & SE_MNTMASK;
516 	/* count the number of mount options for this sb */
517 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
518 		if (tmp & 0x01)
519 			opts->num_mnt_opts++;
520 		tmp >>= 1;
521 	}
522 	/* Check if the Label support flag is set */
523 	if (sbsec->flags & SBLABEL_MNT)
524 		opts->num_mnt_opts++;
525 
526 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
527 	if (!opts->mnt_opts) {
528 		rc = -ENOMEM;
529 		goto out_free;
530 	}
531 
532 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
533 	if (!opts->mnt_opts_flags) {
534 		rc = -ENOMEM;
535 		goto out_free;
536 	}
537 
538 	i = 0;
539 	if (sbsec->flags & FSCONTEXT_MNT) {
540 		rc = security_sid_to_context(sbsec->sid, &context, &len);
541 		if (rc)
542 			goto out_free;
543 		opts->mnt_opts[i] = context;
544 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
545 	}
546 	if (sbsec->flags & CONTEXT_MNT) {
547 		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
548 		if (rc)
549 			goto out_free;
550 		opts->mnt_opts[i] = context;
551 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
552 	}
553 	if (sbsec->flags & DEFCONTEXT_MNT) {
554 		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
555 		if (rc)
556 			goto out_free;
557 		opts->mnt_opts[i] = context;
558 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
559 	}
560 	if (sbsec->flags & ROOTCONTEXT_MNT) {
561 		struct inode *root = sbsec->sb->s_root->d_inode;
562 		struct inode_security_struct *isec = root->i_security;
563 
564 		rc = security_sid_to_context(isec->sid, &context, &len);
565 		if (rc)
566 			goto out_free;
567 		opts->mnt_opts[i] = context;
568 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
569 	}
570 	if (sbsec->flags & SBLABEL_MNT) {
571 		opts->mnt_opts[i] = NULL;
572 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
573 	}
574 
575 	BUG_ON(i != opts->num_mnt_opts);
576 
577 	return 0;
578 
579 out_free:
580 	security_free_mnt_opts(opts);
581 	return rc;
582 }
583 
584 static int bad_option(struct superblock_security_struct *sbsec, char flag,
585 		      u32 old_sid, u32 new_sid)
586 {
587 	char mnt_flags = sbsec->flags & SE_MNTMASK;
588 
589 	/* check if the old mount command had the same options */
590 	if (sbsec->flags & SE_SBINITIALIZED)
591 		if (!(sbsec->flags & flag) ||
592 		    (old_sid != new_sid))
593 			return 1;
594 
595 	/* check if we were passed the same options twice,
596 	 * aka someone passed context=a,context=b
597 	 */
598 	if (!(sbsec->flags & SE_SBINITIALIZED))
599 		if (mnt_flags & flag)
600 			return 1;
601 	return 0;
602 }
603 
604 /*
605  * Allow filesystems with binary mount data to explicitly set mount point
606  * labeling information.
607  */
608 static int selinux_set_mnt_opts(struct super_block *sb,
609 				struct security_mnt_opts *opts,
610 				unsigned long kern_flags,
611 				unsigned long *set_kern_flags)
612 {
613 	const struct cred *cred = current_cred();
614 	int rc = 0, i;
615 	struct superblock_security_struct *sbsec = sb->s_security;
616 	const char *name = sb->s_type->name;
617 	struct inode *inode = sbsec->sb->s_root->d_inode;
618 	struct inode_security_struct *root_isec = inode->i_security;
619 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
620 	u32 defcontext_sid = 0;
621 	char **mount_options = opts->mnt_opts;
622 	int *flags = opts->mnt_opts_flags;
623 	int num_opts = opts->num_mnt_opts;
624 
625 	mutex_lock(&sbsec->lock);
626 
627 	if (!ss_initialized) {
628 		if (!num_opts) {
629 			/* Defer initialization until selinux_complete_init,
630 			   after the initial policy is loaded and the security
631 			   server is ready to handle calls. */
632 			goto out;
633 		}
634 		rc = -EINVAL;
635 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
636 			"before the security server is initialized\n");
637 		goto out;
638 	}
639 	if (kern_flags && !set_kern_flags) {
640 		/* Specifying internal flags without providing a place to
641 		 * place the results is not allowed */
642 		rc = -EINVAL;
643 		goto out;
644 	}
645 
646 	/*
647 	 * Binary mount data FS will come through this function twice.  Once
648 	 * from an explicit call and once from the generic calls from the vfs.
649 	 * Since the generic VFS calls will not contain any security mount data
650 	 * we need to skip the double mount verification.
651 	 *
652 	 * This does open a hole in which we will not notice if the first
653 	 * mount using this sb set explict options and a second mount using
654 	 * this sb does not set any security options.  (The first options
655 	 * will be used for both mounts)
656 	 */
657 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
658 	    && (num_opts == 0))
659 		goto out;
660 
661 	/*
662 	 * parse the mount options, check if they are valid sids.
663 	 * also check if someone is trying to mount the same sb more
664 	 * than once with different security options.
665 	 */
666 	for (i = 0; i < num_opts; i++) {
667 		u32 sid;
668 
669 		if (flags[i] == SBLABEL_MNT)
670 			continue;
671 		rc = security_context_to_sid(mount_options[i],
672 					     strlen(mount_options[i]), &sid);
673 		if (rc) {
674 			printk(KERN_WARNING "SELinux: security_context_to_sid"
675 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
676 			       mount_options[i], sb->s_id, name, rc);
677 			goto out;
678 		}
679 		switch (flags[i]) {
680 		case FSCONTEXT_MNT:
681 			fscontext_sid = sid;
682 
683 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
684 					fscontext_sid))
685 				goto out_double_mount;
686 
687 			sbsec->flags |= FSCONTEXT_MNT;
688 			break;
689 		case CONTEXT_MNT:
690 			context_sid = sid;
691 
692 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
693 					context_sid))
694 				goto out_double_mount;
695 
696 			sbsec->flags |= CONTEXT_MNT;
697 			break;
698 		case ROOTCONTEXT_MNT:
699 			rootcontext_sid = sid;
700 
701 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
702 					rootcontext_sid))
703 				goto out_double_mount;
704 
705 			sbsec->flags |= ROOTCONTEXT_MNT;
706 
707 			break;
708 		case DEFCONTEXT_MNT:
709 			defcontext_sid = sid;
710 
711 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
712 					defcontext_sid))
713 				goto out_double_mount;
714 
715 			sbsec->flags |= DEFCONTEXT_MNT;
716 
717 			break;
718 		default:
719 			rc = -EINVAL;
720 			goto out;
721 		}
722 	}
723 
724 	if (sbsec->flags & SE_SBINITIALIZED) {
725 		/* previously mounted with options, but not on this attempt? */
726 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
727 			goto out_double_mount;
728 		rc = 0;
729 		goto out;
730 	}
731 
732 	if (strcmp(sb->s_type->name, "proc") == 0)
733 		sbsec->flags |= SE_SBPROC;
734 
735 	if (!sbsec->behavior) {
736 		/*
737 		 * Determine the labeling behavior to use for this
738 		 * filesystem type.
739 		 */
740 		rc = security_fs_use(sb);
741 		if (rc) {
742 			printk(KERN_WARNING
743 				"%s: security_fs_use(%s) returned %d\n",
744 					__func__, sb->s_type->name, rc);
745 			goto out;
746 		}
747 	}
748 	/* sets the context of the superblock for the fs being mounted. */
749 	if (fscontext_sid) {
750 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
751 		if (rc)
752 			goto out;
753 
754 		sbsec->sid = fscontext_sid;
755 	}
756 
757 	/*
758 	 * Switch to using mount point labeling behavior.
759 	 * sets the label used on all file below the mountpoint, and will set
760 	 * the superblock context if not already set.
761 	 */
762 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
763 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
764 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
765 	}
766 
767 	if (context_sid) {
768 		if (!fscontext_sid) {
769 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
770 							  cred);
771 			if (rc)
772 				goto out;
773 			sbsec->sid = context_sid;
774 		} else {
775 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
776 							     cred);
777 			if (rc)
778 				goto out;
779 		}
780 		if (!rootcontext_sid)
781 			rootcontext_sid = context_sid;
782 
783 		sbsec->mntpoint_sid = context_sid;
784 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
785 	}
786 
787 	if (rootcontext_sid) {
788 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
789 						     cred);
790 		if (rc)
791 			goto out;
792 
793 		root_isec->sid = rootcontext_sid;
794 		root_isec->initialized = 1;
795 	}
796 
797 	if (defcontext_sid) {
798 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
799 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
800 			rc = -EINVAL;
801 			printk(KERN_WARNING "SELinux: defcontext option is "
802 			       "invalid for this filesystem type\n");
803 			goto out;
804 		}
805 
806 		if (defcontext_sid != sbsec->def_sid) {
807 			rc = may_context_mount_inode_relabel(defcontext_sid,
808 							     sbsec, cred);
809 			if (rc)
810 				goto out;
811 		}
812 
813 		sbsec->def_sid = defcontext_sid;
814 	}
815 
816 	rc = sb_finish_set_opts(sb);
817 out:
818 	mutex_unlock(&sbsec->lock);
819 	return rc;
820 out_double_mount:
821 	rc = -EINVAL;
822 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
823 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
824 	goto out;
825 }
826 
827 static int selinux_cmp_sb_context(const struct super_block *oldsb,
828 				    const struct super_block *newsb)
829 {
830 	struct superblock_security_struct *old = oldsb->s_security;
831 	struct superblock_security_struct *new = newsb->s_security;
832 	char oldflags = old->flags & SE_MNTMASK;
833 	char newflags = new->flags & SE_MNTMASK;
834 
835 	if (oldflags != newflags)
836 		goto mismatch;
837 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
838 		goto mismatch;
839 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
840 		goto mismatch;
841 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
842 		goto mismatch;
843 	if (oldflags & ROOTCONTEXT_MNT) {
844 		struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
845 		struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
846 		if (oldroot->sid != newroot->sid)
847 			goto mismatch;
848 	}
849 	return 0;
850 mismatch:
851 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
852 			    "different security settings for (dev %s, "
853 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
854 	return -EBUSY;
855 }
856 
857 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
858 					struct super_block *newsb)
859 {
860 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
861 	struct superblock_security_struct *newsbsec = newsb->s_security;
862 
863 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
864 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
865 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
866 
867 	/*
868 	 * if the parent was able to be mounted it clearly had no special lsm
869 	 * mount options.  thus we can safely deal with this superblock later
870 	 */
871 	if (!ss_initialized)
872 		return 0;
873 
874 	/* how can we clone if the old one wasn't set up?? */
875 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
876 
877 	/* if fs is reusing a sb, make sure that the contexts match */
878 	if (newsbsec->flags & SE_SBINITIALIZED)
879 		return selinux_cmp_sb_context(oldsb, newsb);
880 
881 	mutex_lock(&newsbsec->lock);
882 
883 	newsbsec->flags = oldsbsec->flags;
884 
885 	newsbsec->sid = oldsbsec->sid;
886 	newsbsec->def_sid = oldsbsec->def_sid;
887 	newsbsec->behavior = oldsbsec->behavior;
888 
889 	if (set_context) {
890 		u32 sid = oldsbsec->mntpoint_sid;
891 
892 		if (!set_fscontext)
893 			newsbsec->sid = sid;
894 		if (!set_rootcontext) {
895 			struct inode *newinode = newsb->s_root->d_inode;
896 			struct inode_security_struct *newisec = newinode->i_security;
897 			newisec->sid = sid;
898 		}
899 		newsbsec->mntpoint_sid = sid;
900 	}
901 	if (set_rootcontext) {
902 		const struct inode *oldinode = oldsb->s_root->d_inode;
903 		const struct inode_security_struct *oldisec = oldinode->i_security;
904 		struct inode *newinode = newsb->s_root->d_inode;
905 		struct inode_security_struct *newisec = newinode->i_security;
906 
907 		newisec->sid = oldisec->sid;
908 	}
909 
910 	sb_finish_set_opts(newsb);
911 	mutex_unlock(&newsbsec->lock);
912 	return 0;
913 }
914 
915 static int selinux_parse_opts_str(char *options,
916 				  struct security_mnt_opts *opts)
917 {
918 	char *p;
919 	char *context = NULL, *defcontext = NULL;
920 	char *fscontext = NULL, *rootcontext = NULL;
921 	int rc, num_mnt_opts = 0;
922 
923 	opts->num_mnt_opts = 0;
924 
925 	/* Standard string-based options. */
926 	while ((p = strsep(&options, "|")) != NULL) {
927 		int token;
928 		substring_t args[MAX_OPT_ARGS];
929 
930 		if (!*p)
931 			continue;
932 
933 		token = match_token(p, tokens, args);
934 
935 		switch (token) {
936 		case Opt_context:
937 			if (context || defcontext) {
938 				rc = -EINVAL;
939 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
940 				goto out_err;
941 			}
942 			context = match_strdup(&args[0]);
943 			if (!context) {
944 				rc = -ENOMEM;
945 				goto out_err;
946 			}
947 			break;
948 
949 		case Opt_fscontext:
950 			if (fscontext) {
951 				rc = -EINVAL;
952 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
953 				goto out_err;
954 			}
955 			fscontext = match_strdup(&args[0]);
956 			if (!fscontext) {
957 				rc = -ENOMEM;
958 				goto out_err;
959 			}
960 			break;
961 
962 		case Opt_rootcontext:
963 			if (rootcontext) {
964 				rc = -EINVAL;
965 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
966 				goto out_err;
967 			}
968 			rootcontext = match_strdup(&args[0]);
969 			if (!rootcontext) {
970 				rc = -ENOMEM;
971 				goto out_err;
972 			}
973 			break;
974 
975 		case Opt_defcontext:
976 			if (context || defcontext) {
977 				rc = -EINVAL;
978 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
979 				goto out_err;
980 			}
981 			defcontext = match_strdup(&args[0]);
982 			if (!defcontext) {
983 				rc = -ENOMEM;
984 				goto out_err;
985 			}
986 			break;
987 		case Opt_labelsupport:
988 			break;
989 		default:
990 			rc = -EINVAL;
991 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
992 			goto out_err;
993 
994 		}
995 	}
996 
997 	rc = -ENOMEM;
998 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
999 	if (!opts->mnt_opts)
1000 		goto out_err;
1001 
1002 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1003 	if (!opts->mnt_opts_flags) {
1004 		kfree(opts->mnt_opts);
1005 		goto out_err;
1006 	}
1007 
1008 	if (fscontext) {
1009 		opts->mnt_opts[num_mnt_opts] = fscontext;
1010 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1011 	}
1012 	if (context) {
1013 		opts->mnt_opts[num_mnt_opts] = context;
1014 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1015 	}
1016 	if (rootcontext) {
1017 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1018 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1019 	}
1020 	if (defcontext) {
1021 		opts->mnt_opts[num_mnt_opts] = defcontext;
1022 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1023 	}
1024 
1025 	opts->num_mnt_opts = num_mnt_opts;
1026 	return 0;
1027 
1028 out_err:
1029 	kfree(context);
1030 	kfree(defcontext);
1031 	kfree(fscontext);
1032 	kfree(rootcontext);
1033 	return rc;
1034 }
1035 /*
1036  * string mount options parsing and call set the sbsec
1037  */
1038 static int superblock_doinit(struct super_block *sb, void *data)
1039 {
1040 	int rc = 0;
1041 	char *options = data;
1042 	struct security_mnt_opts opts;
1043 
1044 	security_init_mnt_opts(&opts);
1045 
1046 	if (!data)
1047 		goto out;
1048 
1049 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1050 
1051 	rc = selinux_parse_opts_str(options, &opts);
1052 	if (rc)
1053 		goto out_err;
1054 
1055 out:
1056 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1057 
1058 out_err:
1059 	security_free_mnt_opts(&opts);
1060 	return rc;
1061 }
1062 
1063 static void selinux_write_opts(struct seq_file *m,
1064 			       struct security_mnt_opts *opts)
1065 {
1066 	int i;
1067 	char *prefix;
1068 
1069 	for (i = 0; i < opts->num_mnt_opts; i++) {
1070 		char *has_comma;
1071 
1072 		if (opts->mnt_opts[i])
1073 			has_comma = strchr(opts->mnt_opts[i], ',');
1074 		else
1075 			has_comma = NULL;
1076 
1077 		switch (opts->mnt_opts_flags[i]) {
1078 		case CONTEXT_MNT:
1079 			prefix = CONTEXT_STR;
1080 			break;
1081 		case FSCONTEXT_MNT:
1082 			prefix = FSCONTEXT_STR;
1083 			break;
1084 		case ROOTCONTEXT_MNT:
1085 			prefix = ROOTCONTEXT_STR;
1086 			break;
1087 		case DEFCONTEXT_MNT:
1088 			prefix = DEFCONTEXT_STR;
1089 			break;
1090 		case SBLABEL_MNT:
1091 			seq_putc(m, ',');
1092 			seq_puts(m, LABELSUPP_STR);
1093 			continue;
1094 		default:
1095 			BUG();
1096 			return;
1097 		};
1098 		/* we need a comma before each option */
1099 		seq_putc(m, ',');
1100 		seq_puts(m, prefix);
1101 		if (has_comma)
1102 			seq_putc(m, '\"');
1103 		seq_puts(m, opts->mnt_opts[i]);
1104 		if (has_comma)
1105 			seq_putc(m, '\"');
1106 	}
1107 }
1108 
1109 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1110 {
1111 	struct security_mnt_opts opts;
1112 	int rc;
1113 
1114 	rc = selinux_get_mnt_opts(sb, &opts);
1115 	if (rc) {
1116 		/* before policy load we may get EINVAL, don't show anything */
1117 		if (rc == -EINVAL)
1118 			rc = 0;
1119 		return rc;
1120 	}
1121 
1122 	selinux_write_opts(m, &opts);
1123 
1124 	security_free_mnt_opts(&opts);
1125 
1126 	return rc;
1127 }
1128 
1129 static inline u16 inode_mode_to_security_class(umode_t mode)
1130 {
1131 	switch (mode & S_IFMT) {
1132 	case S_IFSOCK:
1133 		return SECCLASS_SOCK_FILE;
1134 	case S_IFLNK:
1135 		return SECCLASS_LNK_FILE;
1136 	case S_IFREG:
1137 		return SECCLASS_FILE;
1138 	case S_IFBLK:
1139 		return SECCLASS_BLK_FILE;
1140 	case S_IFDIR:
1141 		return SECCLASS_DIR;
1142 	case S_IFCHR:
1143 		return SECCLASS_CHR_FILE;
1144 	case S_IFIFO:
1145 		return SECCLASS_FIFO_FILE;
1146 
1147 	}
1148 
1149 	return SECCLASS_FILE;
1150 }
1151 
1152 static inline int default_protocol_stream(int protocol)
1153 {
1154 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1155 }
1156 
1157 static inline int default_protocol_dgram(int protocol)
1158 {
1159 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1160 }
1161 
1162 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1163 {
1164 	switch (family) {
1165 	case PF_UNIX:
1166 		switch (type) {
1167 		case SOCK_STREAM:
1168 		case SOCK_SEQPACKET:
1169 			return SECCLASS_UNIX_STREAM_SOCKET;
1170 		case SOCK_DGRAM:
1171 			return SECCLASS_UNIX_DGRAM_SOCKET;
1172 		}
1173 		break;
1174 	case PF_INET:
1175 	case PF_INET6:
1176 		switch (type) {
1177 		case SOCK_STREAM:
1178 			if (default_protocol_stream(protocol))
1179 				return SECCLASS_TCP_SOCKET;
1180 			else
1181 				return SECCLASS_RAWIP_SOCKET;
1182 		case SOCK_DGRAM:
1183 			if (default_protocol_dgram(protocol))
1184 				return SECCLASS_UDP_SOCKET;
1185 			else
1186 				return SECCLASS_RAWIP_SOCKET;
1187 		case SOCK_DCCP:
1188 			return SECCLASS_DCCP_SOCKET;
1189 		default:
1190 			return SECCLASS_RAWIP_SOCKET;
1191 		}
1192 		break;
1193 	case PF_NETLINK:
1194 		switch (protocol) {
1195 		case NETLINK_ROUTE:
1196 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1197 		case NETLINK_FIREWALL:
1198 			return SECCLASS_NETLINK_FIREWALL_SOCKET;
1199 		case NETLINK_SOCK_DIAG:
1200 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1201 		case NETLINK_NFLOG:
1202 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1203 		case NETLINK_XFRM:
1204 			return SECCLASS_NETLINK_XFRM_SOCKET;
1205 		case NETLINK_SELINUX:
1206 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1207 		case NETLINK_AUDIT:
1208 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1209 		case NETLINK_IP6_FW:
1210 			return SECCLASS_NETLINK_IP6FW_SOCKET;
1211 		case NETLINK_DNRTMSG:
1212 			return SECCLASS_NETLINK_DNRT_SOCKET;
1213 		case NETLINK_KOBJECT_UEVENT:
1214 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1215 		default:
1216 			return SECCLASS_NETLINK_SOCKET;
1217 		}
1218 	case PF_PACKET:
1219 		return SECCLASS_PACKET_SOCKET;
1220 	case PF_KEY:
1221 		return SECCLASS_KEY_SOCKET;
1222 	case PF_APPLETALK:
1223 		return SECCLASS_APPLETALK_SOCKET;
1224 	}
1225 
1226 	return SECCLASS_SOCKET;
1227 }
1228 
1229 #ifdef CONFIG_PROC_FS
1230 static int selinux_proc_get_sid(struct dentry *dentry,
1231 				u16 tclass,
1232 				u32 *sid)
1233 {
1234 	int rc;
1235 	char *buffer, *path;
1236 
1237 	buffer = (char *)__get_free_page(GFP_KERNEL);
1238 	if (!buffer)
1239 		return -ENOMEM;
1240 
1241 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1242 	if (IS_ERR(path))
1243 		rc = PTR_ERR(path);
1244 	else {
1245 		/* each process gets a /proc/PID/ entry. Strip off the
1246 		 * PID part to get a valid selinux labeling.
1247 		 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1248 		while (path[1] >= '0' && path[1] <= '9') {
1249 			path[1] = '/';
1250 			path++;
1251 		}
1252 		rc = security_genfs_sid("proc", path, tclass, sid);
1253 	}
1254 	free_page((unsigned long)buffer);
1255 	return rc;
1256 }
1257 #else
1258 static int selinux_proc_get_sid(struct dentry *dentry,
1259 				u16 tclass,
1260 				u32 *sid)
1261 {
1262 	return -EINVAL;
1263 }
1264 #endif
1265 
1266 /* The inode's security attributes must be initialized before first use. */
1267 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1268 {
1269 	struct superblock_security_struct *sbsec = NULL;
1270 	struct inode_security_struct *isec = inode->i_security;
1271 	u32 sid;
1272 	struct dentry *dentry;
1273 #define INITCONTEXTLEN 255
1274 	char *context = NULL;
1275 	unsigned len = 0;
1276 	int rc = 0;
1277 
1278 	if (isec->initialized)
1279 		goto out;
1280 
1281 	mutex_lock(&isec->lock);
1282 	if (isec->initialized)
1283 		goto out_unlock;
1284 
1285 	sbsec = inode->i_sb->s_security;
1286 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1287 		/* Defer initialization until selinux_complete_init,
1288 		   after the initial policy is loaded and the security
1289 		   server is ready to handle calls. */
1290 		spin_lock(&sbsec->isec_lock);
1291 		if (list_empty(&isec->list))
1292 			list_add(&isec->list, &sbsec->isec_head);
1293 		spin_unlock(&sbsec->isec_lock);
1294 		goto out_unlock;
1295 	}
1296 
1297 	switch (sbsec->behavior) {
1298 	case SECURITY_FS_USE_NATIVE:
1299 		break;
1300 	case SECURITY_FS_USE_XATTR:
1301 		if (!inode->i_op->getxattr) {
1302 			isec->sid = sbsec->def_sid;
1303 			break;
1304 		}
1305 
1306 		/* Need a dentry, since the xattr API requires one.
1307 		   Life would be simpler if we could just pass the inode. */
1308 		if (opt_dentry) {
1309 			/* Called from d_instantiate or d_splice_alias. */
1310 			dentry = dget(opt_dentry);
1311 		} else {
1312 			/* Called from selinux_complete_init, try to find a dentry. */
1313 			dentry = d_find_alias(inode);
1314 		}
1315 		if (!dentry) {
1316 			/*
1317 			 * this is can be hit on boot when a file is accessed
1318 			 * before the policy is loaded.  When we load policy we
1319 			 * may find inodes that have no dentry on the
1320 			 * sbsec->isec_head list.  No reason to complain as these
1321 			 * will get fixed up the next time we go through
1322 			 * inode_doinit with a dentry, before these inodes could
1323 			 * be used again by userspace.
1324 			 */
1325 			goto out_unlock;
1326 		}
1327 
1328 		len = INITCONTEXTLEN;
1329 		context = kmalloc(len+1, GFP_NOFS);
1330 		if (!context) {
1331 			rc = -ENOMEM;
1332 			dput(dentry);
1333 			goto out_unlock;
1334 		}
1335 		context[len] = '\0';
1336 		rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1337 					   context, len);
1338 		if (rc == -ERANGE) {
1339 			kfree(context);
1340 
1341 			/* Need a larger buffer.  Query for the right size. */
1342 			rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1343 						   NULL, 0);
1344 			if (rc < 0) {
1345 				dput(dentry);
1346 				goto out_unlock;
1347 			}
1348 			len = rc;
1349 			context = kmalloc(len+1, GFP_NOFS);
1350 			if (!context) {
1351 				rc = -ENOMEM;
1352 				dput(dentry);
1353 				goto out_unlock;
1354 			}
1355 			context[len] = '\0';
1356 			rc = inode->i_op->getxattr(dentry,
1357 						   XATTR_NAME_SELINUX,
1358 						   context, len);
1359 		}
1360 		dput(dentry);
1361 		if (rc < 0) {
1362 			if (rc != -ENODATA) {
1363 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1364 				       "%d for dev=%s ino=%ld\n", __func__,
1365 				       -rc, inode->i_sb->s_id, inode->i_ino);
1366 				kfree(context);
1367 				goto out_unlock;
1368 			}
1369 			/* Map ENODATA to the default file SID */
1370 			sid = sbsec->def_sid;
1371 			rc = 0;
1372 		} else {
1373 			rc = security_context_to_sid_default(context, rc, &sid,
1374 							     sbsec->def_sid,
1375 							     GFP_NOFS);
1376 			if (rc) {
1377 				char *dev = inode->i_sb->s_id;
1378 				unsigned long ino = inode->i_ino;
1379 
1380 				if (rc == -EINVAL) {
1381 					if (printk_ratelimit())
1382 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1383 							"context=%s.  This indicates you may need to relabel the inode or the "
1384 							"filesystem in question.\n", ino, dev, context);
1385 				} else {
1386 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1387 					       "returned %d for dev=%s ino=%ld\n",
1388 					       __func__, context, -rc, dev, ino);
1389 				}
1390 				kfree(context);
1391 				/* Leave with the unlabeled SID */
1392 				rc = 0;
1393 				break;
1394 			}
1395 		}
1396 		kfree(context);
1397 		isec->sid = sid;
1398 		break;
1399 	case SECURITY_FS_USE_TASK:
1400 		isec->sid = isec->task_sid;
1401 		break;
1402 	case SECURITY_FS_USE_TRANS:
1403 		/* Default to the fs SID. */
1404 		isec->sid = sbsec->sid;
1405 
1406 		/* Try to obtain a transition SID. */
1407 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1408 		rc = security_transition_sid(isec->task_sid, sbsec->sid,
1409 					     isec->sclass, NULL, &sid);
1410 		if (rc)
1411 			goto out_unlock;
1412 		isec->sid = sid;
1413 		break;
1414 	case SECURITY_FS_USE_MNTPOINT:
1415 		isec->sid = sbsec->mntpoint_sid;
1416 		break;
1417 	default:
1418 		/* Default to the fs superblock SID. */
1419 		isec->sid = sbsec->sid;
1420 
1421 		if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1422 			if (opt_dentry) {
1423 				isec->sclass = inode_mode_to_security_class(inode->i_mode);
1424 				rc = selinux_proc_get_sid(opt_dentry,
1425 							  isec->sclass,
1426 							  &sid);
1427 				if (rc)
1428 					goto out_unlock;
1429 				isec->sid = sid;
1430 			}
1431 		}
1432 		break;
1433 	}
1434 
1435 	isec->initialized = 1;
1436 
1437 out_unlock:
1438 	mutex_unlock(&isec->lock);
1439 out:
1440 	if (isec->sclass == SECCLASS_FILE)
1441 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1442 	return rc;
1443 }
1444 
1445 /* Convert a Linux signal to an access vector. */
1446 static inline u32 signal_to_av(int sig)
1447 {
1448 	u32 perm = 0;
1449 
1450 	switch (sig) {
1451 	case SIGCHLD:
1452 		/* Commonly granted from child to parent. */
1453 		perm = PROCESS__SIGCHLD;
1454 		break;
1455 	case SIGKILL:
1456 		/* Cannot be caught or ignored */
1457 		perm = PROCESS__SIGKILL;
1458 		break;
1459 	case SIGSTOP:
1460 		/* Cannot be caught or ignored */
1461 		perm = PROCESS__SIGSTOP;
1462 		break;
1463 	default:
1464 		/* All other signals. */
1465 		perm = PROCESS__SIGNAL;
1466 		break;
1467 	}
1468 
1469 	return perm;
1470 }
1471 
1472 /*
1473  * Check permission between a pair of credentials
1474  * fork check, ptrace check, etc.
1475  */
1476 static int cred_has_perm(const struct cred *actor,
1477 			 const struct cred *target,
1478 			 u32 perms)
1479 {
1480 	u32 asid = cred_sid(actor), tsid = cred_sid(target);
1481 
1482 	return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1483 }
1484 
1485 /*
1486  * Check permission between a pair of tasks, e.g. signal checks,
1487  * fork check, ptrace check, etc.
1488  * tsk1 is the actor and tsk2 is the target
1489  * - this uses the default subjective creds of tsk1
1490  */
1491 static int task_has_perm(const struct task_struct *tsk1,
1492 			 const struct task_struct *tsk2,
1493 			 u32 perms)
1494 {
1495 	const struct task_security_struct *__tsec1, *__tsec2;
1496 	u32 sid1, sid2;
1497 
1498 	rcu_read_lock();
1499 	__tsec1 = __task_cred(tsk1)->security;	sid1 = __tsec1->sid;
1500 	__tsec2 = __task_cred(tsk2)->security;	sid2 = __tsec2->sid;
1501 	rcu_read_unlock();
1502 	return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1503 }
1504 
1505 /*
1506  * Check permission between current and another task, e.g. signal checks,
1507  * fork check, ptrace check, etc.
1508  * current is the actor and tsk2 is the target
1509  * - this uses current's subjective creds
1510  */
1511 static int current_has_perm(const struct task_struct *tsk,
1512 			    u32 perms)
1513 {
1514 	u32 sid, tsid;
1515 
1516 	sid = current_sid();
1517 	tsid = task_sid(tsk);
1518 	return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1519 }
1520 
1521 #if CAP_LAST_CAP > 63
1522 #error Fix SELinux to handle capabilities > 63.
1523 #endif
1524 
1525 /* Check whether a task is allowed to use a capability. */
1526 static int cred_has_capability(const struct cred *cred,
1527 			       int cap, int audit)
1528 {
1529 	struct common_audit_data ad;
1530 	struct av_decision avd;
1531 	u16 sclass;
1532 	u32 sid = cred_sid(cred);
1533 	u32 av = CAP_TO_MASK(cap);
1534 	int rc;
1535 
1536 	ad.type = LSM_AUDIT_DATA_CAP;
1537 	ad.u.cap = cap;
1538 
1539 	switch (CAP_TO_INDEX(cap)) {
1540 	case 0:
1541 		sclass = SECCLASS_CAPABILITY;
1542 		break;
1543 	case 1:
1544 		sclass = SECCLASS_CAPABILITY2;
1545 		break;
1546 	default:
1547 		printk(KERN_ERR
1548 		       "SELinux:  out of range capability %d\n", cap);
1549 		BUG();
1550 		return -EINVAL;
1551 	}
1552 
1553 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1554 	if (audit == SECURITY_CAP_AUDIT) {
1555 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1556 		if (rc2)
1557 			return rc2;
1558 	}
1559 	return rc;
1560 }
1561 
1562 /* Check whether a task is allowed to use a system operation. */
1563 static int task_has_system(struct task_struct *tsk,
1564 			   u32 perms)
1565 {
1566 	u32 sid = task_sid(tsk);
1567 
1568 	return avc_has_perm(sid, SECINITSID_KERNEL,
1569 			    SECCLASS_SYSTEM, perms, NULL);
1570 }
1571 
1572 /* Check whether a task has a particular permission to an inode.
1573    The 'adp' parameter is optional and allows other audit
1574    data to be passed (e.g. the dentry). */
1575 static int inode_has_perm(const struct cred *cred,
1576 			  struct inode *inode,
1577 			  u32 perms,
1578 			  struct common_audit_data *adp)
1579 {
1580 	struct inode_security_struct *isec;
1581 	u32 sid;
1582 
1583 	validate_creds(cred);
1584 
1585 	if (unlikely(IS_PRIVATE(inode)))
1586 		return 0;
1587 
1588 	sid = cred_sid(cred);
1589 	isec = inode->i_security;
1590 
1591 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1592 }
1593 
1594 /* Same as inode_has_perm, but pass explicit audit data containing
1595    the dentry to help the auditing code to more easily generate the
1596    pathname if needed. */
1597 static inline int dentry_has_perm(const struct cred *cred,
1598 				  struct dentry *dentry,
1599 				  u32 av)
1600 {
1601 	struct inode *inode = dentry->d_inode;
1602 	struct common_audit_data ad;
1603 
1604 	ad.type = LSM_AUDIT_DATA_DENTRY;
1605 	ad.u.dentry = dentry;
1606 	return inode_has_perm(cred, inode, av, &ad);
1607 }
1608 
1609 /* Same as inode_has_perm, but pass explicit audit data containing
1610    the path to help the auditing code to more easily generate the
1611    pathname if needed. */
1612 static inline int path_has_perm(const struct cred *cred,
1613 				struct path *path,
1614 				u32 av)
1615 {
1616 	struct inode *inode = path->dentry->d_inode;
1617 	struct common_audit_data ad;
1618 
1619 	ad.type = LSM_AUDIT_DATA_PATH;
1620 	ad.u.path = *path;
1621 	return inode_has_perm(cred, inode, av, &ad);
1622 }
1623 
1624 /* Same as path_has_perm, but uses the inode from the file struct. */
1625 static inline int file_path_has_perm(const struct cred *cred,
1626 				     struct file *file,
1627 				     u32 av)
1628 {
1629 	struct common_audit_data ad;
1630 
1631 	ad.type = LSM_AUDIT_DATA_PATH;
1632 	ad.u.path = file->f_path;
1633 	return inode_has_perm(cred, file_inode(file), av, &ad);
1634 }
1635 
1636 /* Check whether a task can use an open file descriptor to
1637    access an inode in a given way.  Check access to the
1638    descriptor itself, and then use dentry_has_perm to
1639    check a particular permission to the file.
1640    Access to the descriptor is implicitly granted if it
1641    has the same SID as the process.  If av is zero, then
1642    access to the file is not checked, e.g. for cases
1643    where only the descriptor is affected like seek. */
1644 static int file_has_perm(const struct cred *cred,
1645 			 struct file *file,
1646 			 u32 av)
1647 {
1648 	struct file_security_struct *fsec = file->f_security;
1649 	struct inode *inode = file_inode(file);
1650 	struct common_audit_data ad;
1651 	u32 sid = cred_sid(cred);
1652 	int rc;
1653 
1654 	ad.type = LSM_AUDIT_DATA_PATH;
1655 	ad.u.path = file->f_path;
1656 
1657 	if (sid != fsec->sid) {
1658 		rc = avc_has_perm(sid, fsec->sid,
1659 				  SECCLASS_FD,
1660 				  FD__USE,
1661 				  &ad);
1662 		if (rc)
1663 			goto out;
1664 	}
1665 
1666 	/* av is zero if only checking access to the descriptor. */
1667 	rc = 0;
1668 	if (av)
1669 		rc = inode_has_perm(cred, inode, av, &ad);
1670 
1671 out:
1672 	return rc;
1673 }
1674 
1675 /* Check whether a task can create a file. */
1676 static int may_create(struct inode *dir,
1677 		      struct dentry *dentry,
1678 		      u16 tclass)
1679 {
1680 	const struct task_security_struct *tsec = current_security();
1681 	struct inode_security_struct *dsec;
1682 	struct superblock_security_struct *sbsec;
1683 	u32 sid, newsid;
1684 	struct common_audit_data ad;
1685 	int rc;
1686 
1687 	dsec = dir->i_security;
1688 	sbsec = dir->i_sb->s_security;
1689 
1690 	sid = tsec->sid;
1691 	newsid = tsec->create_sid;
1692 
1693 	ad.type = LSM_AUDIT_DATA_DENTRY;
1694 	ad.u.dentry = dentry;
1695 
1696 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1697 			  DIR__ADD_NAME | DIR__SEARCH,
1698 			  &ad);
1699 	if (rc)
1700 		return rc;
1701 
1702 	if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1703 		rc = security_transition_sid(sid, dsec->sid, tclass,
1704 					     &dentry->d_name, &newsid);
1705 		if (rc)
1706 			return rc;
1707 	}
1708 
1709 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1710 	if (rc)
1711 		return rc;
1712 
1713 	return avc_has_perm(newsid, sbsec->sid,
1714 			    SECCLASS_FILESYSTEM,
1715 			    FILESYSTEM__ASSOCIATE, &ad);
1716 }
1717 
1718 /* Check whether a task can create a key. */
1719 static int may_create_key(u32 ksid,
1720 			  struct task_struct *ctx)
1721 {
1722 	u32 sid = task_sid(ctx);
1723 
1724 	return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1725 }
1726 
1727 #define MAY_LINK	0
1728 #define MAY_UNLINK	1
1729 #define MAY_RMDIR	2
1730 
1731 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1732 static int may_link(struct inode *dir,
1733 		    struct dentry *dentry,
1734 		    int kind)
1735 
1736 {
1737 	struct inode_security_struct *dsec, *isec;
1738 	struct common_audit_data ad;
1739 	u32 sid = current_sid();
1740 	u32 av;
1741 	int rc;
1742 
1743 	dsec = dir->i_security;
1744 	isec = dentry->d_inode->i_security;
1745 
1746 	ad.type = LSM_AUDIT_DATA_DENTRY;
1747 	ad.u.dentry = dentry;
1748 
1749 	av = DIR__SEARCH;
1750 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1751 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1752 	if (rc)
1753 		return rc;
1754 
1755 	switch (kind) {
1756 	case MAY_LINK:
1757 		av = FILE__LINK;
1758 		break;
1759 	case MAY_UNLINK:
1760 		av = FILE__UNLINK;
1761 		break;
1762 	case MAY_RMDIR:
1763 		av = DIR__RMDIR;
1764 		break;
1765 	default:
1766 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1767 			__func__, kind);
1768 		return 0;
1769 	}
1770 
1771 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1772 	return rc;
1773 }
1774 
1775 static inline int may_rename(struct inode *old_dir,
1776 			     struct dentry *old_dentry,
1777 			     struct inode *new_dir,
1778 			     struct dentry *new_dentry)
1779 {
1780 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1781 	struct common_audit_data ad;
1782 	u32 sid = current_sid();
1783 	u32 av;
1784 	int old_is_dir, new_is_dir;
1785 	int rc;
1786 
1787 	old_dsec = old_dir->i_security;
1788 	old_isec = old_dentry->d_inode->i_security;
1789 	old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1790 	new_dsec = new_dir->i_security;
1791 
1792 	ad.type = LSM_AUDIT_DATA_DENTRY;
1793 
1794 	ad.u.dentry = old_dentry;
1795 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1796 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1797 	if (rc)
1798 		return rc;
1799 	rc = avc_has_perm(sid, old_isec->sid,
1800 			  old_isec->sclass, FILE__RENAME, &ad);
1801 	if (rc)
1802 		return rc;
1803 	if (old_is_dir && new_dir != old_dir) {
1804 		rc = avc_has_perm(sid, old_isec->sid,
1805 				  old_isec->sclass, DIR__REPARENT, &ad);
1806 		if (rc)
1807 			return rc;
1808 	}
1809 
1810 	ad.u.dentry = new_dentry;
1811 	av = DIR__ADD_NAME | DIR__SEARCH;
1812 	if (new_dentry->d_inode)
1813 		av |= DIR__REMOVE_NAME;
1814 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1815 	if (rc)
1816 		return rc;
1817 	if (new_dentry->d_inode) {
1818 		new_isec = new_dentry->d_inode->i_security;
1819 		new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1820 		rc = avc_has_perm(sid, new_isec->sid,
1821 				  new_isec->sclass,
1822 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1823 		if (rc)
1824 			return rc;
1825 	}
1826 
1827 	return 0;
1828 }
1829 
1830 /* Check whether a task can perform a filesystem operation. */
1831 static int superblock_has_perm(const struct cred *cred,
1832 			       struct super_block *sb,
1833 			       u32 perms,
1834 			       struct common_audit_data *ad)
1835 {
1836 	struct superblock_security_struct *sbsec;
1837 	u32 sid = cred_sid(cred);
1838 
1839 	sbsec = sb->s_security;
1840 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1841 }
1842 
1843 /* Convert a Linux mode and permission mask to an access vector. */
1844 static inline u32 file_mask_to_av(int mode, int mask)
1845 {
1846 	u32 av = 0;
1847 
1848 	if (!S_ISDIR(mode)) {
1849 		if (mask & MAY_EXEC)
1850 			av |= FILE__EXECUTE;
1851 		if (mask & MAY_READ)
1852 			av |= FILE__READ;
1853 
1854 		if (mask & MAY_APPEND)
1855 			av |= FILE__APPEND;
1856 		else if (mask & MAY_WRITE)
1857 			av |= FILE__WRITE;
1858 
1859 	} else {
1860 		if (mask & MAY_EXEC)
1861 			av |= DIR__SEARCH;
1862 		if (mask & MAY_WRITE)
1863 			av |= DIR__WRITE;
1864 		if (mask & MAY_READ)
1865 			av |= DIR__READ;
1866 	}
1867 
1868 	return av;
1869 }
1870 
1871 /* Convert a Linux file to an access vector. */
1872 static inline u32 file_to_av(struct file *file)
1873 {
1874 	u32 av = 0;
1875 
1876 	if (file->f_mode & FMODE_READ)
1877 		av |= FILE__READ;
1878 	if (file->f_mode & FMODE_WRITE) {
1879 		if (file->f_flags & O_APPEND)
1880 			av |= FILE__APPEND;
1881 		else
1882 			av |= FILE__WRITE;
1883 	}
1884 	if (!av) {
1885 		/*
1886 		 * Special file opened with flags 3 for ioctl-only use.
1887 		 */
1888 		av = FILE__IOCTL;
1889 	}
1890 
1891 	return av;
1892 }
1893 
1894 /*
1895  * Convert a file to an access vector and include the correct open
1896  * open permission.
1897  */
1898 static inline u32 open_file_to_av(struct file *file)
1899 {
1900 	u32 av = file_to_av(file);
1901 
1902 	if (selinux_policycap_openperm)
1903 		av |= FILE__OPEN;
1904 
1905 	return av;
1906 }
1907 
1908 /* Hook functions begin here. */
1909 
1910 static int selinux_ptrace_access_check(struct task_struct *child,
1911 				     unsigned int mode)
1912 {
1913 	int rc;
1914 
1915 	rc = cap_ptrace_access_check(child, mode);
1916 	if (rc)
1917 		return rc;
1918 
1919 	if (mode & PTRACE_MODE_READ) {
1920 		u32 sid = current_sid();
1921 		u32 csid = task_sid(child);
1922 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1923 	}
1924 
1925 	return current_has_perm(child, PROCESS__PTRACE);
1926 }
1927 
1928 static int selinux_ptrace_traceme(struct task_struct *parent)
1929 {
1930 	int rc;
1931 
1932 	rc = cap_ptrace_traceme(parent);
1933 	if (rc)
1934 		return rc;
1935 
1936 	return task_has_perm(parent, current, PROCESS__PTRACE);
1937 }
1938 
1939 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1940 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
1941 {
1942 	int error;
1943 
1944 	error = current_has_perm(target, PROCESS__GETCAP);
1945 	if (error)
1946 		return error;
1947 
1948 	return cap_capget(target, effective, inheritable, permitted);
1949 }
1950 
1951 static int selinux_capset(struct cred *new, const struct cred *old,
1952 			  const kernel_cap_t *effective,
1953 			  const kernel_cap_t *inheritable,
1954 			  const kernel_cap_t *permitted)
1955 {
1956 	int error;
1957 
1958 	error = cap_capset(new, old,
1959 				      effective, inheritable, permitted);
1960 	if (error)
1961 		return error;
1962 
1963 	return cred_has_perm(old, new, PROCESS__SETCAP);
1964 }
1965 
1966 /*
1967  * (This comment used to live with the selinux_task_setuid hook,
1968  * which was removed).
1969  *
1970  * Since setuid only affects the current process, and since the SELinux
1971  * controls are not based on the Linux identity attributes, SELinux does not
1972  * need to control this operation.  However, SELinux does control the use of
1973  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1974  */
1975 
1976 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1977 			   int cap, int audit)
1978 {
1979 	int rc;
1980 
1981 	rc = cap_capable(cred, ns, cap, audit);
1982 	if (rc)
1983 		return rc;
1984 
1985 	return cred_has_capability(cred, cap, audit);
1986 }
1987 
1988 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1989 {
1990 	const struct cred *cred = current_cred();
1991 	int rc = 0;
1992 
1993 	if (!sb)
1994 		return 0;
1995 
1996 	switch (cmds) {
1997 	case Q_SYNC:
1998 	case Q_QUOTAON:
1999 	case Q_QUOTAOFF:
2000 	case Q_SETINFO:
2001 	case Q_SETQUOTA:
2002 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2003 		break;
2004 	case Q_GETFMT:
2005 	case Q_GETINFO:
2006 	case Q_GETQUOTA:
2007 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2008 		break;
2009 	default:
2010 		rc = 0;  /* let the kernel handle invalid cmds */
2011 		break;
2012 	}
2013 	return rc;
2014 }
2015 
2016 static int selinux_quota_on(struct dentry *dentry)
2017 {
2018 	const struct cred *cred = current_cred();
2019 
2020 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2021 }
2022 
2023 static int selinux_syslog(int type)
2024 {
2025 	int rc;
2026 
2027 	switch (type) {
2028 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2029 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2030 		rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2031 		break;
2032 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2033 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2034 	/* Set level of messages printed to console */
2035 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2036 		rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2037 		break;
2038 	case SYSLOG_ACTION_CLOSE:	/* Close log */
2039 	case SYSLOG_ACTION_OPEN:	/* Open log */
2040 	case SYSLOG_ACTION_READ:	/* Read from log */
2041 	case SYSLOG_ACTION_READ_CLEAR:	/* Read/clear last kernel messages */
2042 	case SYSLOG_ACTION_CLEAR:	/* Clear ring buffer */
2043 	default:
2044 		rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2045 		break;
2046 	}
2047 	return rc;
2048 }
2049 
2050 /*
2051  * Check that a process has enough memory to allocate a new virtual
2052  * mapping. 0 means there is enough memory for the allocation to
2053  * succeed and -ENOMEM implies there is not.
2054  *
2055  * Do not audit the selinux permission check, as this is applied to all
2056  * processes that allocate mappings.
2057  */
2058 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2059 {
2060 	int rc, cap_sys_admin = 0;
2061 
2062 	rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2063 			     SECURITY_CAP_NOAUDIT);
2064 	if (rc == 0)
2065 		cap_sys_admin = 1;
2066 
2067 	return __vm_enough_memory(mm, pages, cap_sys_admin);
2068 }
2069 
2070 /* binprm security operations */
2071 
2072 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2073 {
2074 	const struct task_security_struct *old_tsec;
2075 	struct task_security_struct *new_tsec;
2076 	struct inode_security_struct *isec;
2077 	struct common_audit_data ad;
2078 	struct inode *inode = file_inode(bprm->file);
2079 	int rc;
2080 
2081 	rc = cap_bprm_set_creds(bprm);
2082 	if (rc)
2083 		return rc;
2084 
2085 	/* SELinux context only depends on initial program or script and not
2086 	 * the script interpreter */
2087 	if (bprm->cred_prepared)
2088 		return 0;
2089 
2090 	old_tsec = current_security();
2091 	new_tsec = bprm->cred->security;
2092 	isec = inode->i_security;
2093 
2094 	/* Default to the current task SID. */
2095 	new_tsec->sid = old_tsec->sid;
2096 	new_tsec->osid = old_tsec->sid;
2097 
2098 	/* Reset fs, key, and sock SIDs on execve. */
2099 	new_tsec->create_sid = 0;
2100 	new_tsec->keycreate_sid = 0;
2101 	new_tsec->sockcreate_sid = 0;
2102 
2103 	if (old_tsec->exec_sid) {
2104 		new_tsec->sid = old_tsec->exec_sid;
2105 		/* Reset exec SID on execve. */
2106 		new_tsec->exec_sid = 0;
2107 
2108 		/*
2109 		 * Minimize confusion: if no_new_privs and a transition is
2110 		 * explicitly requested, then fail the exec.
2111 		 */
2112 		if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2113 			return -EPERM;
2114 	} else {
2115 		/* Check for a default transition on this program. */
2116 		rc = security_transition_sid(old_tsec->sid, isec->sid,
2117 					     SECCLASS_PROCESS, NULL,
2118 					     &new_tsec->sid);
2119 		if (rc)
2120 			return rc;
2121 	}
2122 
2123 	ad.type = LSM_AUDIT_DATA_PATH;
2124 	ad.u.path = bprm->file->f_path;
2125 
2126 	if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2127 	    (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2128 		new_tsec->sid = old_tsec->sid;
2129 
2130 	if (new_tsec->sid == old_tsec->sid) {
2131 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2132 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2133 		if (rc)
2134 			return rc;
2135 	} else {
2136 		/* Check permissions for the transition. */
2137 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2138 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2139 		if (rc)
2140 			return rc;
2141 
2142 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2143 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2144 		if (rc)
2145 			return rc;
2146 
2147 		/* Check for shared state */
2148 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2149 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2150 					  SECCLASS_PROCESS, PROCESS__SHARE,
2151 					  NULL);
2152 			if (rc)
2153 				return -EPERM;
2154 		}
2155 
2156 		/* Make sure that anyone attempting to ptrace over a task that
2157 		 * changes its SID has the appropriate permit */
2158 		if (bprm->unsafe &
2159 		    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2160 			struct task_struct *tracer;
2161 			struct task_security_struct *sec;
2162 			u32 ptsid = 0;
2163 
2164 			rcu_read_lock();
2165 			tracer = ptrace_parent(current);
2166 			if (likely(tracer != NULL)) {
2167 				sec = __task_cred(tracer)->security;
2168 				ptsid = sec->sid;
2169 			}
2170 			rcu_read_unlock();
2171 
2172 			if (ptsid != 0) {
2173 				rc = avc_has_perm(ptsid, new_tsec->sid,
2174 						  SECCLASS_PROCESS,
2175 						  PROCESS__PTRACE, NULL);
2176 				if (rc)
2177 					return -EPERM;
2178 			}
2179 		}
2180 
2181 		/* Clear any possibly unsafe personality bits on exec: */
2182 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2183 	}
2184 
2185 	return 0;
2186 }
2187 
2188 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2189 {
2190 	const struct task_security_struct *tsec = current_security();
2191 	u32 sid, osid;
2192 	int atsecure = 0;
2193 
2194 	sid = tsec->sid;
2195 	osid = tsec->osid;
2196 
2197 	if (osid != sid) {
2198 		/* Enable secure mode for SIDs transitions unless
2199 		   the noatsecure permission is granted between
2200 		   the two SIDs, i.e. ahp returns 0. */
2201 		atsecure = avc_has_perm(osid, sid,
2202 					SECCLASS_PROCESS,
2203 					PROCESS__NOATSECURE, NULL);
2204 	}
2205 
2206 	return (atsecure || cap_bprm_secureexec(bprm));
2207 }
2208 
2209 static int match_file(const void *p, struct file *file, unsigned fd)
2210 {
2211 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2212 }
2213 
2214 /* Derived from fs/exec.c:flush_old_files. */
2215 static inline void flush_unauthorized_files(const struct cred *cred,
2216 					    struct files_struct *files)
2217 {
2218 	struct file *file, *devnull = NULL;
2219 	struct tty_struct *tty;
2220 	int drop_tty = 0;
2221 	unsigned n;
2222 
2223 	tty = get_current_tty();
2224 	if (tty) {
2225 		spin_lock(&tty_files_lock);
2226 		if (!list_empty(&tty->tty_files)) {
2227 			struct tty_file_private *file_priv;
2228 
2229 			/* Revalidate access to controlling tty.
2230 			   Use file_path_has_perm on the tty path directly
2231 			   rather than using file_has_perm, as this particular
2232 			   open file may belong to another process and we are
2233 			   only interested in the inode-based check here. */
2234 			file_priv = list_first_entry(&tty->tty_files,
2235 						struct tty_file_private, list);
2236 			file = file_priv->file;
2237 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2238 				drop_tty = 1;
2239 		}
2240 		spin_unlock(&tty_files_lock);
2241 		tty_kref_put(tty);
2242 	}
2243 	/* Reset controlling tty. */
2244 	if (drop_tty)
2245 		no_tty();
2246 
2247 	/* Revalidate access to inherited open files. */
2248 	n = iterate_fd(files, 0, match_file, cred);
2249 	if (!n) /* none found? */
2250 		return;
2251 
2252 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2253 	if (IS_ERR(devnull))
2254 		devnull = NULL;
2255 	/* replace all the matching ones with this */
2256 	do {
2257 		replace_fd(n - 1, devnull, 0);
2258 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2259 	if (devnull)
2260 		fput(devnull);
2261 }
2262 
2263 /*
2264  * Prepare a process for imminent new credential changes due to exec
2265  */
2266 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2267 {
2268 	struct task_security_struct *new_tsec;
2269 	struct rlimit *rlim, *initrlim;
2270 	int rc, i;
2271 
2272 	new_tsec = bprm->cred->security;
2273 	if (new_tsec->sid == new_tsec->osid)
2274 		return;
2275 
2276 	/* Close files for which the new task SID is not authorized. */
2277 	flush_unauthorized_files(bprm->cred, current->files);
2278 
2279 	/* Always clear parent death signal on SID transitions. */
2280 	current->pdeath_signal = 0;
2281 
2282 	/* Check whether the new SID can inherit resource limits from the old
2283 	 * SID.  If not, reset all soft limits to the lower of the current
2284 	 * task's hard limit and the init task's soft limit.
2285 	 *
2286 	 * Note that the setting of hard limits (even to lower them) can be
2287 	 * controlled by the setrlimit check.  The inclusion of the init task's
2288 	 * soft limit into the computation is to avoid resetting soft limits
2289 	 * higher than the default soft limit for cases where the default is
2290 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2291 	 */
2292 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2293 			  PROCESS__RLIMITINH, NULL);
2294 	if (rc) {
2295 		/* protect against do_prlimit() */
2296 		task_lock(current);
2297 		for (i = 0; i < RLIM_NLIMITS; i++) {
2298 			rlim = current->signal->rlim + i;
2299 			initrlim = init_task.signal->rlim + i;
2300 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2301 		}
2302 		task_unlock(current);
2303 		update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2304 	}
2305 }
2306 
2307 /*
2308  * Clean up the process immediately after the installation of new credentials
2309  * due to exec
2310  */
2311 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2312 {
2313 	const struct task_security_struct *tsec = current_security();
2314 	struct itimerval itimer;
2315 	u32 osid, sid;
2316 	int rc, i;
2317 
2318 	osid = tsec->osid;
2319 	sid = tsec->sid;
2320 
2321 	if (sid == osid)
2322 		return;
2323 
2324 	/* Check whether the new SID can inherit signal state from the old SID.
2325 	 * If not, clear itimers to avoid subsequent signal generation and
2326 	 * flush and unblock signals.
2327 	 *
2328 	 * This must occur _after_ the task SID has been updated so that any
2329 	 * kill done after the flush will be checked against the new SID.
2330 	 */
2331 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2332 	if (rc) {
2333 		memset(&itimer, 0, sizeof itimer);
2334 		for (i = 0; i < 3; i++)
2335 			do_setitimer(i, &itimer, NULL);
2336 		spin_lock_irq(&current->sighand->siglock);
2337 		if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2338 			__flush_signals(current);
2339 			flush_signal_handlers(current, 1);
2340 			sigemptyset(&current->blocked);
2341 		}
2342 		spin_unlock_irq(&current->sighand->siglock);
2343 	}
2344 
2345 	/* Wake up the parent if it is waiting so that it can recheck
2346 	 * wait permission to the new task SID. */
2347 	read_lock(&tasklist_lock);
2348 	__wake_up_parent(current, current->real_parent);
2349 	read_unlock(&tasklist_lock);
2350 }
2351 
2352 /* superblock security operations */
2353 
2354 static int selinux_sb_alloc_security(struct super_block *sb)
2355 {
2356 	return superblock_alloc_security(sb);
2357 }
2358 
2359 static void selinux_sb_free_security(struct super_block *sb)
2360 {
2361 	superblock_free_security(sb);
2362 }
2363 
2364 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2365 {
2366 	if (plen > olen)
2367 		return 0;
2368 
2369 	return !memcmp(prefix, option, plen);
2370 }
2371 
2372 static inline int selinux_option(char *option, int len)
2373 {
2374 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2375 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2376 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2377 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2378 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2379 }
2380 
2381 static inline void take_option(char **to, char *from, int *first, int len)
2382 {
2383 	if (!*first) {
2384 		**to = ',';
2385 		*to += 1;
2386 	} else
2387 		*first = 0;
2388 	memcpy(*to, from, len);
2389 	*to += len;
2390 }
2391 
2392 static inline void take_selinux_option(char **to, char *from, int *first,
2393 				       int len)
2394 {
2395 	int current_size = 0;
2396 
2397 	if (!*first) {
2398 		**to = '|';
2399 		*to += 1;
2400 	} else
2401 		*first = 0;
2402 
2403 	while (current_size < len) {
2404 		if (*from != '"') {
2405 			**to = *from;
2406 			*to += 1;
2407 		}
2408 		from += 1;
2409 		current_size += 1;
2410 	}
2411 }
2412 
2413 static int selinux_sb_copy_data(char *orig, char *copy)
2414 {
2415 	int fnosec, fsec, rc = 0;
2416 	char *in_save, *in_curr, *in_end;
2417 	char *sec_curr, *nosec_save, *nosec;
2418 	int open_quote = 0;
2419 
2420 	in_curr = orig;
2421 	sec_curr = copy;
2422 
2423 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2424 	if (!nosec) {
2425 		rc = -ENOMEM;
2426 		goto out;
2427 	}
2428 
2429 	nosec_save = nosec;
2430 	fnosec = fsec = 1;
2431 	in_save = in_end = orig;
2432 
2433 	do {
2434 		if (*in_end == '"')
2435 			open_quote = !open_quote;
2436 		if ((*in_end == ',' && open_quote == 0) ||
2437 				*in_end == '\0') {
2438 			int len = in_end - in_curr;
2439 
2440 			if (selinux_option(in_curr, len))
2441 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2442 			else
2443 				take_option(&nosec, in_curr, &fnosec, len);
2444 
2445 			in_curr = in_end + 1;
2446 		}
2447 	} while (*in_end++);
2448 
2449 	strcpy(in_save, nosec_save);
2450 	free_page((unsigned long)nosec_save);
2451 out:
2452 	return rc;
2453 }
2454 
2455 static int selinux_sb_remount(struct super_block *sb, void *data)
2456 {
2457 	int rc, i, *flags;
2458 	struct security_mnt_opts opts;
2459 	char *secdata, **mount_options;
2460 	struct superblock_security_struct *sbsec = sb->s_security;
2461 
2462 	if (!(sbsec->flags & SE_SBINITIALIZED))
2463 		return 0;
2464 
2465 	if (!data)
2466 		return 0;
2467 
2468 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2469 		return 0;
2470 
2471 	security_init_mnt_opts(&opts);
2472 	secdata = alloc_secdata();
2473 	if (!secdata)
2474 		return -ENOMEM;
2475 	rc = selinux_sb_copy_data(data, secdata);
2476 	if (rc)
2477 		goto out_free_secdata;
2478 
2479 	rc = selinux_parse_opts_str(secdata, &opts);
2480 	if (rc)
2481 		goto out_free_secdata;
2482 
2483 	mount_options = opts.mnt_opts;
2484 	flags = opts.mnt_opts_flags;
2485 
2486 	for (i = 0; i < opts.num_mnt_opts; i++) {
2487 		u32 sid;
2488 		size_t len;
2489 
2490 		if (flags[i] == SBLABEL_MNT)
2491 			continue;
2492 		len = strlen(mount_options[i]);
2493 		rc = security_context_to_sid(mount_options[i], len, &sid);
2494 		if (rc) {
2495 			printk(KERN_WARNING "SELinux: security_context_to_sid"
2496 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2497 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2498 			goto out_free_opts;
2499 		}
2500 		rc = -EINVAL;
2501 		switch (flags[i]) {
2502 		case FSCONTEXT_MNT:
2503 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2504 				goto out_bad_option;
2505 			break;
2506 		case CONTEXT_MNT:
2507 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2508 				goto out_bad_option;
2509 			break;
2510 		case ROOTCONTEXT_MNT: {
2511 			struct inode_security_struct *root_isec;
2512 			root_isec = sb->s_root->d_inode->i_security;
2513 
2514 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2515 				goto out_bad_option;
2516 			break;
2517 		}
2518 		case DEFCONTEXT_MNT:
2519 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2520 				goto out_bad_option;
2521 			break;
2522 		default:
2523 			goto out_free_opts;
2524 		}
2525 	}
2526 
2527 	rc = 0;
2528 out_free_opts:
2529 	security_free_mnt_opts(&opts);
2530 out_free_secdata:
2531 	free_secdata(secdata);
2532 	return rc;
2533 out_bad_option:
2534 	printk(KERN_WARNING "SELinux: unable to change security options "
2535 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2536 	       sb->s_type->name);
2537 	goto out_free_opts;
2538 }
2539 
2540 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2541 {
2542 	const struct cred *cred = current_cred();
2543 	struct common_audit_data ad;
2544 	int rc;
2545 
2546 	rc = superblock_doinit(sb, data);
2547 	if (rc)
2548 		return rc;
2549 
2550 	/* Allow all mounts performed by the kernel */
2551 	if (flags & MS_KERNMOUNT)
2552 		return 0;
2553 
2554 	ad.type = LSM_AUDIT_DATA_DENTRY;
2555 	ad.u.dentry = sb->s_root;
2556 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2557 }
2558 
2559 static int selinux_sb_statfs(struct dentry *dentry)
2560 {
2561 	const struct cred *cred = current_cred();
2562 	struct common_audit_data ad;
2563 
2564 	ad.type = LSM_AUDIT_DATA_DENTRY;
2565 	ad.u.dentry = dentry->d_sb->s_root;
2566 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2567 }
2568 
2569 static int selinux_mount(const char *dev_name,
2570 			 struct path *path,
2571 			 const char *type,
2572 			 unsigned long flags,
2573 			 void *data)
2574 {
2575 	const struct cred *cred = current_cred();
2576 
2577 	if (flags & MS_REMOUNT)
2578 		return superblock_has_perm(cred, path->dentry->d_sb,
2579 					   FILESYSTEM__REMOUNT, NULL);
2580 	else
2581 		return path_has_perm(cred, path, FILE__MOUNTON);
2582 }
2583 
2584 static int selinux_umount(struct vfsmount *mnt, int flags)
2585 {
2586 	const struct cred *cred = current_cred();
2587 
2588 	return superblock_has_perm(cred, mnt->mnt_sb,
2589 				   FILESYSTEM__UNMOUNT, NULL);
2590 }
2591 
2592 /* inode security operations */
2593 
2594 static int selinux_inode_alloc_security(struct inode *inode)
2595 {
2596 	return inode_alloc_security(inode);
2597 }
2598 
2599 static void selinux_inode_free_security(struct inode *inode)
2600 {
2601 	inode_free_security(inode);
2602 }
2603 
2604 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2605 					struct qstr *name, void **ctx,
2606 					u32 *ctxlen)
2607 {
2608 	const struct cred *cred = current_cred();
2609 	struct task_security_struct *tsec;
2610 	struct inode_security_struct *dsec;
2611 	struct superblock_security_struct *sbsec;
2612 	struct inode *dir = dentry->d_parent->d_inode;
2613 	u32 newsid;
2614 	int rc;
2615 
2616 	tsec = cred->security;
2617 	dsec = dir->i_security;
2618 	sbsec = dir->i_sb->s_security;
2619 
2620 	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2621 		newsid = tsec->create_sid;
2622 	} else {
2623 		rc = security_transition_sid(tsec->sid, dsec->sid,
2624 					     inode_mode_to_security_class(mode),
2625 					     name,
2626 					     &newsid);
2627 		if (rc) {
2628 			printk(KERN_WARNING
2629 				"%s: security_transition_sid failed, rc=%d\n",
2630 			       __func__, -rc);
2631 			return rc;
2632 		}
2633 	}
2634 
2635 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2636 }
2637 
2638 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2639 				       const struct qstr *qstr,
2640 				       const char **name,
2641 				       void **value, size_t *len)
2642 {
2643 	const struct task_security_struct *tsec = current_security();
2644 	struct inode_security_struct *dsec;
2645 	struct superblock_security_struct *sbsec;
2646 	u32 sid, newsid, clen;
2647 	int rc;
2648 	char *context;
2649 
2650 	dsec = dir->i_security;
2651 	sbsec = dir->i_sb->s_security;
2652 
2653 	sid = tsec->sid;
2654 	newsid = tsec->create_sid;
2655 
2656 	if ((sbsec->flags & SE_SBINITIALIZED) &&
2657 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2658 		newsid = sbsec->mntpoint_sid;
2659 	else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2660 		rc = security_transition_sid(sid, dsec->sid,
2661 					     inode_mode_to_security_class(inode->i_mode),
2662 					     qstr, &newsid);
2663 		if (rc) {
2664 			printk(KERN_WARNING "%s:  "
2665 			       "security_transition_sid failed, rc=%d (dev=%s "
2666 			       "ino=%ld)\n",
2667 			       __func__,
2668 			       -rc, inode->i_sb->s_id, inode->i_ino);
2669 			return rc;
2670 		}
2671 	}
2672 
2673 	/* Possibly defer initialization to selinux_complete_init. */
2674 	if (sbsec->flags & SE_SBINITIALIZED) {
2675 		struct inode_security_struct *isec = inode->i_security;
2676 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2677 		isec->sid = newsid;
2678 		isec->initialized = 1;
2679 	}
2680 
2681 	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2682 		return -EOPNOTSUPP;
2683 
2684 	if (name)
2685 		*name = XATTR_SELINUX_SUFFIX;
2686 
2687 	if (value && len) {
2688 		rc = security_sid_to_context_force(newsid, &context, &clen);
2689 		if (rc)
2690 			return rc;
2691 		*value = context;
2692 		*len = clen;
2693 	}
2694 
2695 	return 0;
2696 }
2697 
2698 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2699 {
2700 	return may_create(dir, dentry, SECCLASS_FILE);
2701 }
2702 
2703 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2704 {
2705 	return may_link(dir, old_dentry, MAY_LINK);
2706 }
2707 
2708 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2709 {
2710 	return may_link(dir, dentry, MAY_UNLINK);
2711 }
2712 
2713 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2714 {
2715 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2716 }
2717 
2718 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2719 {
2720 	return may_create(dir, dentry, SECCLASS_DIR);
2721 }
2722 
2723 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2724 {
2725 	return may_link(dir, dentry, MAY_RMDIR);
2726 }
2727 
2728 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2729 {
2730 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2731 }
2732 
2733 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2734 				struct inode *new_inode, struct dentry *new_dentry)
2735 {
2736 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2737 }
2738 
2739 static int selinux_inode_readlink(struct dentry *dentry)
2740 {
2741 	const struct cred *cred = current_cred();
2742 
2743 	return dentry_has_perm(cred, dentry, FILE__READ);
2744 }
2745 
2746 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2747 {
2748 	const struct cred *cred = current_cred();
2749 
2750 	return dentry_has_perm(cred, dentry, FILE__READ);
2751 }
2752 
2753 static noinline int audit_inode_permission(struct inode *inode,
2754 					   u32 perms, u32 audited, u32 denied,
2755 					   unsigned flags)
2756 {
2757 	struct common_audit_data ad;
2758 	struct inode_security_struct *isec = inode->i_security;
2759 	int rc;
2760 
2761 	ad.type = LSM_AUDIT_DATA_INODE;
2762 	ad.u.inode = inode;
2763 
2764 	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2765 			    audited, denied, &ad, flags);
2766 	if (rc)
2767 		return rc;
2768 	return 0;
2769 }
2770 
2771 static int selinux_inode_permission(struct inode *inode, int mask)
2772 {
2773 	const struct cred *cred = current_cred();
2774 	u32 perms;
2775 	bool from_access;
2776 	unsigned flags = mask & MAY_NOT_BLOCK;
2777 	struct inode_security_struct *isec;
2778 	u32 sid;
2779 	struct av_decision avd;
2780 	int rc, rc2;
2781 	u32 audited, denied;
2782 
2783 	from_access = mask & MAY_ACCESS;
2784 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2785 
2786 	/* No permission to check.  Existence test. */
2787 	if (!mask)
2788 		return 0;
2789 
2790 	validate_creds(cred);
2791 
2792 	if (unlikely(IS_PRIVATE(inode)))
2793 		return 0;
2794 
2795 	perms = file_mask_to_av(inode->i_mode, mask);
2796 
2797 	sid = cred_sid(cred);
2798 	isec = inode->i_security;
2799 
2800 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2801 	audited = avc_audit_required(perms, &avd, rc,
2802 				     from_access ? FILE__AUDIT_ACCESS : 0,
2803 				     &denied);
2804 	if (likely(!audited))
2805 		return rc;
2806 
2807 	rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2808 	if (rc2)
2809 		return rc2;
2810 	return rc;
2811 }
2812 
2813 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2814 {
2815 	const struct cred *cred = current_cred();
2816 	unsigned int ia_valid = iattr->ia_valid;
2817 	__u32 av = FILE__WRITE;
2818 
2819 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2820 	if (ia_valid & ATTR_FORCE) {
2821 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2822 			      ATTR_FORCE);
2823 		if (!ia_valid)
2824 			return 0;
2825 	}
2826 
2827 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2828 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2829 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
2830 
2831 	if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2832 		av |= FILE__OPEN;
2833 
2834 	return dentry_has_perm(cred, dentry, av);
2835 }
2836 
2837 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2838 {
2839 	const struct cred *cred = current_cred();
2840 	struct path path;
2841 
2842 	path.dentry = dentry;
2843 	path.mnt = mnt;
2844 
2845 	return path_has_perm(cred, &path, FILE__GETATTR);
2846 }
2847 
2848 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2849 {
2850 	const struct cred *cred = current_cred();
2851 
2852 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
2853 		     sizeof XATTR_SECURITY_PREFIX - 1)) {
2854 		if (!strcmp(name, XATTR_NAME_CAPS)) {
2855 			if (!capable(CAP_SETFCAP))
2856 				return -EPERM;
2857 		} else if (!capable(CAP_SYS_ADMIN)) {
2858 			/* A different attribute in the security namespace.
2859 			   Restrict to administrator. */
2860 			return -EPERM;
2861 		}
2862 	}
2863 
2864 	/* Not an attribute we recognize, so just check the
2865 	   ordinary setattr permission. */
2866 	return dentry_has_perm(cred, dentry, FILE__SETATTR);
2867 }
2868 
2869 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2870 				  const void *value, size_t size, int flags)
2871 {
2872 	struct inode *inode = dentry->d_inode;
2873 	struct inode_security_struct *isec = inode->i_security;
2874 	struct superblock_security_struct *sbsec;
2875 	struct common_audit_data ad;
2876 	u32 newsid, sid = current_sid();
2877 	int rc = 0;
2878 
2879 	if (strcmp(name, XATTR_NAME_SELINUX))
2880 		return selinux_inode_setotherxattr(dentry, name);
2881 
2882 	sbsec = inode->i_sb->s_security;
2883 	if (!(sbsec->flags & SBLABEL_MNT))
2884 		return -EOPNOTSUPP;
2885 
2886 	if (!inode_owner_or_capable(inode))
2887 		return -EPERM;
2888 
2889 	ad.type = LSM_AUDIT_DATA_DENTRY;
2890 	ad.u.dentry = dentry;
2891 
2892 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
2893 			  FILE__RELABELFROM, &ad);
2894 	if (rc)
2895 		return rc;
2896 
2897 	rc = security_context_to_sid(value, size, &newsid);
2898 	if (rc == -EINVAL) {
2899 		if (!capable(CAP_MAC_ADMIN)) {
2900 			struct audit_buffer *ab;
2901 			size_t audit_size;
2902 			const char *str;
2903 
2904 			/* We strip a nul only if it is at the end, otherwise the
2905 			 * context contains a nul and we should audit that */
2906 			if (value) {
2907 				str = value;
2908 				if (str[size - 1] == '\0')
2909 					audit_size = size - 1;
2910 				else
2911 					audit_size = size;
2912 			} else {
2913 				str = "";
2914 				audit_size = 0;
2915 			}
2916 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2917 			audit_log_format(ab, "op=setxattr invalid_context=");
2918 			audit_log_n_untrustedstring(ab, value, audit_size);
2919 			audit_log_end(ab);
2920 
2921 			return rc;
2922 		}
2923 		rc = security_context_to_sid_force(value, size, &newsid);
2924 	}
2925 	if (rc)
2926 		return rc;
2927 
2928 	rc = avc_has_perm(sid, newsid, isec->sclass,
2929 			  FILE__RELABELTO, &ad);
2930 	if (rc)
2931 		return rc;
2932 
2933 	rc = security_validate_transition(isec->sid, newsid, sid,
2934 					  isec->sclass);
2935 	if (rc)
2936 		return rc;
2937 
2938 	return avc_has_perm(newsid,
2939 			    sbsec->sid,
2940 			    SECCLASS_FILESYSTEM,
2941 			    FILESYSTEM__ASSOCIATE,
2942 			    &ad);
2943 }
2944 
2945 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2946 					const void *value, size_t size,
2947 					int flags)
2948 {
2949 	struct inode *inode = dentry->d_inode;
2950 	struct inode_security_struct *isec = inode->i_security;
2951 	u32 newsid;
2952 	int rc;
2953 
2954 	if (strcmp(name, XATTR_NAME_SELINUX)) {
2955 		/* Not an attribute we recognize, so nothing to do. */
2956 		return;
2957 	}
2958 
2959 	rc = security_context_to_sid_force(value, size, &newsid);
2960 	if (rc) {
2961 		printk(KERN_ERR "SELinux:  unable to map context to SID"
2962 		       "for (%s, %lu), rc=%d\n",
2963 		       inode->i_sb->s_id, inode->i_ino, -rc);
2964 		return;
2965 	}
2966 
2967 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
2968 	isec->sid = newsid;
2969 	isec->initialized = 1;
2970 
2971 	return;
2972 }
2973 
2974 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2975 {
2976 	const struct cred *cred = current_cred();
2977 
2978 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
2979 }
2980 
2981 static int selinux_inode_listxattr(struct dentry *dentry)
2982 {
2983 	const struct cred *cred = current_cred();
2984 
2985 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
2986 }
2987 
2988 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2989 {
2990 	if (strcmp(name, XATTR_NAME_SELINUX))
2991 		return selinux_inode_setotherxattr(dentry, name);
2992 
2993 	/* No one is allowed to remove a SELinux security label.
2994 	   You can change the label, but all data must be labeled. */
2995 	return -EACCES;
2996 }
2997 
2998 /*
2999  * Copy the inode security context value to the user.
3000  *
3001  * Permission check is handled by selinux_inode_getxattr hook.
3002  */
3003 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3004 {
3005 	u32 size;
3006 	int error;
3007 	char *context = NULL;
3008 	struct inode_security_struct *isec = inode->i_security;
3009 
3010 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3011 		return -EOPNOTSUPP;
3012 
3013 	/*
3014 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3015 	 * value even if it is not defined by current policy; otherwise,
3016 	 * use the in-core value under current policy.
3017 	 * Use the non-auditing forms of the permission checks since
3018 	 * getxattr may be called by unprivileged processes commonly
3019 	 * and lack of permission just means that we fall back to the
3020 	 * in-core context value, not a denial.
3021 	 */
3022 	error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3023 				SECURITY_CAP_NOAUDIT);
3024 	if (!error)
3025 		error = security_sid_to_context_force(isec->sid, &context,
3026 						      &size);
3027 	else
3028 		error = security_sid_to_context(isec->sid, &context, &size);
3029 	if (error)
3030 		return error;
3031 	error = size;
3032 	if (alloc) {
3033 		*buffer = context;
3034 		goto out_nofree;
3035 	}
3036 	kfree(context);
3037 out_nofree:
3038 	return error;
3039 }
3040 
3041 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3042 				     const void *value, size_t size, int flags)
3043 {
3044 	struct inode_security_struct *isec = inode->i_security;
3045 	u32 newsid;
3046 	int rc;
3047 
3048 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3049 		return -EOPNOTSUPP;
3050 
3051 	if (!value || !size)
3052 		return -EACCES;
3053 
3054 	rc = security_context_to_sid((void *)value, size, &newsid);
3055 	if (rc)
3056 		return rc;
3057 
3058 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3059 	isec->sid = newsid;
3060 	isec->initialized = 1;
3061 	return 0;
3062 }
3063 
3064 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3065 {
3066 	const int len = sizeof(XATTR_NAME_SELINUX);
3067 	if (buffer && len <= buffer_size)
3068 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3069 	return len;
3070 }
3071 
3072 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3073 {
3074 	struct inode_security_struct *isec = inode->i_security;
3075 	*secid = isec->sid;
3076 }
3077 
3078 /* file security operations */
3079 
3080 static int selinux_revalidate_file_permission(struct file *file, int mask)
3081 {
3082 	const struct cred *cred = current_cred();
3083 	struct inode *inode = file_inode(file);
3084 
3085 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3086 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3087 		mask |= MAY_APPEND;
3088 
3089 	return file_has_perm(cred, file,
3090 			     file_mask_to_av(inode->i_mode, mask));
3091 }
3092 
3093 static int selinux_file_permission(struct file *file, int mask)
3094 {
3095 	struct inode *inode = file_inode(file);
3096 	struct file_security_struct *fsec = file->f_security;
3097 	struct inode_security_struct *isec = inode->i_security;
3098 	u32 sid = current_sid();
3099 
3100 	if (!mask)
3101 		/* No permission to check.  Existence test. */
3102 		return 0;
3103 
3104 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3105 	    fsec->pseqno == avc_policy_seqno())
3106 		/* No change since file_open check. */
3107 		return 0;
3108 
3109 	return selinux_revalidate_file_permission(file, mask);
3110 }
3111 
3112 static int selinux_file_alloc_security(struct file *file)
3113 {
3114 	return file_alloc_security(file);
3115 }
3116 
3117 static void selinux_file_free_security(struct file *file)
3118 {
3119 	file_free_security(file);
3120 }
3121 
3122 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3123 			      unsigned long arg)
3124 {
3125 	const struct cred *cred = current_cred();
3126 	int error = 0;
3127 
3128 	switch (cmd) {
3129 	case FIONREAD:
3130 	/* fall through */
3131 	case FIBMAP:
3132 	/* fall through */
3133 	case FIGETBSZ:
3134 	/* fall through */
3135 	case FS_IOC_GETFLAGS:
3136 	/* fall through */
3137 	case FS_IOC_GETVERSION:
3138 		error = file_has_perm(cred, file, FILE__GETATTR);
3139 		break;
3140 
3141 	case FS_IOC_SETFLAGS:
3142 	/* fall through */
3143 	case FS_IOC_SETVERSION:
3144 		error = file_has_perm(cred, file, FILE__SETATTR);
3145 		break;
3146 
3147 	/* sys_ioctl() checks */
3148 	case FIONBIO:
3149 	/* fall through */
3150 	case FIOASYNC:
3151 		error = file_has_perm(cred, file, 0);
3152 		break;
3153 
3154 	case KDSKBENT:
3155 	case KDSKBSENT:
3156 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3157 					    SECURITY_CAP_AUDIT);
3158 		break;
3159 
3160 	/* default case assumes that the command will go
3161 	 * to the file's ioctl() function.
3162 	 */
3163 	default:
3164 		error = file_has_perm(cred, file, FILE__IOCTL);
3165 	}
3166 	return error;
3167 }
3168 
3169 static int default_noexec;
3170 
3171 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3172 {
3173 	const struct cred *cred = current_cred();
3174 	int rc = 0;
3175 
3176 	if (default_noexec &&
3177 	    (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3178 		/*
3179 		 * We are making executable an anonymous mapping or a
3180 		 * private file mapping that will also be writable.
3181 		 * This has an additional check.
3182 		 */
3183 		rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3184 		if (rc)
3185 			goto error;
3186 	}
3187 
3188 	if (file) {
3189 		/* read access is always possible with a mapping */
3190 		u32 av = FILE__READ;
3191 
3192 		/* write access only matters if the mapping is shared */
3193 		if (shared && (prot & PROT_WRITE))
3194 			av |= FILE__WRITE;
3195 
3196 		if (prot & PROT_EXEC)
3197 			av |= FILE__EXECUTE;
3198 
3199 		return file_has_perm(cred, file, av);
3200 	}
3201 
3202 error:
3203 	return rc;
3204 }
3205 
3206 static int selinux_mmap_addr(unsigned long addr)
3207 {
3208 	int rc = 0;
3209 	u32 sid = current_sid();
3210 
3211 	/*
3212 	 * notice that we are intentionally putting the SELinux check before
3213 	 * the secondary cap_file_mmap check.  This is such a likely attempt
3214 	 * at bad behaviour/exploit that we always want to get the AVC, even
3215 	 * if DAC would have also denied the operation.
3216 	 */
3217 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3218 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3219 				  MEMPROTECT__MMAP_ZERO, NULL);
3220 		if (rc)
3221 			return rc;
3222 	}
3223 
3224 	/* do DAC check on address space usage */
3225 	return cap_mmap_addr(addr);
3226 }
3227 
3228 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3229 			     unsigned long prot, unsigned long flags)
3230 {
3231 	if (selinux_checkreqprot)
3232 		prot = reqprot;
3233 
3234 	return file_map_prot_check(file, prot,
3235 				   (flags & MAP_TYPE) == MAP_SHARED);
3236 }
3237 
3238 static int selinux_file_mprotect(struct vm_area_struct *vma,
3239 				 unsigned long reqprot,
3240 				 unsigned long prot)
3241 {
3242 	const struct cred *cred = current_cred();
3243 
3244 	if (selinux_checkreqprot)
3245 		prot = reqprot;
3246 
3247 	if (default_noexec &&
3248 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3249 		int rc = 0;
3250 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3251 		    vma->vm_end <= vma->vm_mm->brk) {
3252 			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3253 		} else if (!vma->vm_file &&
3254 			   vma->vm_start <= vma->vm_mm->start_stack &&
3255 			   vma->vm_end >= vma->vm_mm->start_stack) {
3256 			rc = current_has_perm(current, PROCESS__EXECSTACK);
3257 		} else if (vma->vm_file && vma->anon_vma) {
3258 			/*
3259 			 * We are making executable a file mapping that has
3260 			 * had some COW done. Since pages might have been
3261 			 * written, check ability to execute the possibly
3262 			 * modified content.  This typically should only
3263 			 * occur for text relocations.
3264 			 */
3265 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3266 		}
3267 		if (rc)
3268 			return rc;
3269 	}
3270 
3271 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3272 }
3273 
3274 static int selinux_file_lock(struct file *file, unsigned int cmd)
3275 {
3276 	const struct cred *cred = current_cred();
3277 
3278 	return file_has_perm(cred, file, FILE__LOCK);
3279 }
3280 
3281 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3282 			      unsigned long arg)
3283 {
3284 	const struct cred *cred = current_cred();
3285 	int err = 0;
3286 
3287 	switch (cmd) {
3288 	case F_SETFL:
3289 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3290 			err = file_has_perm(cred, file, FILE__WRITE);
3291 			break;
3292 		}
3293 		/* fall through */
3294 	case F_SETOWN:
3295 	case F_SETSIG:
3296 	case F_GETFL:
3297 	case F_GETOWN:
3298 	case F_GETSIG:
3299 	case F_GETOWNER_UIDS:
3300 		/* Just check FD__USE permission */
3301 		err = file_has_perm(cred, file, 0);
3302 		break;
3303 	case F_GETLK:
3304 	case F_SETLK:
3305 	case F_SETLKW:
3306 #if BITS_PER_LONG == 32
3307 	case F_GETLK64:
3308 	case F_SETLK64:
3309 	case F_SETLKW64:
3310 #endif
3311 		err = file_has_perm(cred, file, FILE__LOCK);
3312 		break;
3313 	}
3314 
3315 	return err;
3316 }
3317 
3318 static int selinux_file_set_fowner(struct file *file)
3319 {
3320 	struct file_security_struct *fsec;
3321 
3322 	fsec = file->f_security;
3323 	fsec->fown_sid = current_sid();
3324 
3325 	return 0;
3326 }
3327 
3328 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3329 				       struct fown_struct *fown, int signum)
3330 {
3331 	struct file *file;
3332 	u32 sid = task_sid(tsk);
3333 	u32 perm;
3334 	struct file_security_struct *fsec;
3335 
3336 	/* struct fown_struct is never outside the context of a struct file */
3337 	file = container_of(fown, struct file, f_owner);
3338 
3339 	fsec = file->f_security;
3340 
3341 	if (!signum)
3342 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3343 	else
3344 		perm = signal_to_av(signum);
3345 
3346 	return avc_has_perm(fsec->fown_sid, sid,
3347 			    SECCLASS_PROCESS, perm, NULL);
3348 }
3349 
3350 static int selinux_file_receive(struct file *file)
3351 {
3352 	const struct cred *cred = current_cred();
3353 
3354 	return file_has_perm(cred, file, file_to_av(file));
3355 }
3356 
3357 static int selinux_file_open(struct file *file, const struct cred *cred)
3358 {
3359 	struct file_security_struct *fsec;
3360 	struct inode_security_struct *isec;
3361 
3362 	fsec = file->f_security;
3363 	isec = file_inode(file)->i_security;
3364 	/*
3365 	 * Save inode label and policy sequence number
3366 	 * at open-time so that selinux_file_permission
3367 	 * can determine whether revalidation is necessary.
3368 	 * Task label is already saved in the file security
3369 	 * struct as its SID.
3370 	 */
3371 	fsec->isid = isec->sid;
3372 	fsec->pseqno = avc_policy_seqno();
3373 	/*
3374 	 * Since the inode label or policy seqno may have changed
3375 	 * between the selinux_inode_permission check and the saving
3376 	 * of state above, recheck that access is still permitted.
3377 	 * Otherwise, access might never be revalidated against the
3378 	 * new inode label or new policy.
3379 	 * This check is not redundant - do not remove.
3380 	 */
3381 	return file_path_has_perm(cred, file, open_file_to_av(file));
3382 }
3383 
3384 /* task security operations */
3385 
3386 static int selinux_task_create(unsigned long clone_flags)
3387 {
3388 	return current_has_perm(current, PROCESS__FORK);
3389 }
3390 
3391 /*
3392  * allocate the SELinux part of blank credentials
3393  */
3394 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3395 {
3396 	struct task_security_struct *tsec;
3397 
3398 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3399 	if (!tsec)
3400 		return -ENOMEM;
3401 
3402 	cred->security = tsec;
3403 	return 0;
3404 }
3405 
3406 /*
3407  * detach and free the LSM part of a set of credentials
3408  */
3409 static void selinux_cred_free(struct cred *cred)
3410 {
3411 	struct task_security_struct *tsec = cred->security;
3412 
3413 	/*
3414 	 * cred->security == NULL if security_cred_alloc_blank() or
3415 	 * security_prepare_creds() returned an error.
3416 	 */
3417 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3418 	cred->security = (void *) 0x7UL;
3419 	kfree(tsec);
3420 }
3421 
3422 /*
3423  * prepare a new set of credentials for modification
3424  */
3425 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3426 				gfp_t gfp)
3427 {
3428 	const struct task_security_struct *old_tsec;
3429 	struct task_security_struct *tsec;
3430 
3431 	old_tsec = old->security;
3432 
3433 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3434 	if (!tsec)
3435 		return -ENOMEM;
3436 
3437 	new->security = tsec;
3438 	return 0;
3439 }
3440 
3441 /*
3442  * transfer the SELinux data to a blank set of creds
3443  */
3444 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3445 {
3446 	const struct task_security_struct *old_tsec = old->security;
3447 	struct task_security_struct *tsec = new->security;
3448 
3449 	*tsec = *old_tsec;
3450 }
3451 
3452 /*
3453  * set the security data for a kernel service
3454  * - all the creation contexts are set to unlabelled
3455  */
3456 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3457 {
3458 	struct task_security_struct *tsec = new->security;
3459 	u32 sid = current_sid();
3460 	int ret;
3461 
3462 	ret = avc_has_perm(sid, secid,
3463 			   SECCLASS_KERNEL_SERVICE,
3464 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3465 			   NULL);
3466 	if (ret == 0) {
3467 		tsec->sid = secid;
3468 		tsec->create_sid = 0;
3469 		tsec->keycreate_sid = 0;
3470 		tsec->sockcreate_sid = 0;
3471 	}
3472 	return ret;
3473 }
3474 
3475 /*
3476  * set the file creation context in a security record to the same as the
3477  * objective context of the specified inode
3478  */
3479 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3480 {
3481 	struct inode_security_struct *isec = inode->i_security;
3482 	struct task_security_struct *tsec = new->security;
3483 	u32 sid = current_sid();
3484 	int ret;
3485 
3486 	ret = avc_has_perm(sid, isec->sid,
3487 			   SECCLASS_KERNEL_SERVICE,
3488 			   KERNEL_SERVICE__CREATE_FILES_AS,
3489 			   NULL);
3490 
3491 	if (ret == 0)
3492 		tsec->create_sid = isec->sid;
3493 	return ret;
3494 }
3495 
3496 static int selinux_kernel_module_request(char *kmod_name)
3497 {
3498 	u32 sid;
3499 	struct common_audit_data ad;
3500 
3501 	sid = task_sid(current);
3502 
3503 	ad.type = LSM_AUDIT_DATA_KMOD;
3504 	ad.u.kmod_name = kmod_name;
3505 
3506 	return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3507 			    SYSTEM__MODULE_REQUEST, &ad);
3508 }
3509 
3510 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3511 {
3512 	return current_has_perm(p, PROCESS__SETPGID);
3513 }
3514 
3515 static int selinux_task_getpgid(struct task_struct *p)
3516 {
3517 	return current_has_perm(p, PROCESS__GETPGID);
3518 }
3519 
3520 static int selinux_task_getsid(struct task_struct *p)
3521 {
3522 	return current_has_perm(p, PROCESS__GETSESSION);
3523 }
3524 
3525 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3526 {
3527 	*secid = task_sid(p);
3528 }
3529 
3530 static int selinux_task_setnice(struct task_struct *p, int nice)
3531 {
3532 	int rc;
3533 
3534 	rc = cap_task_setnice(p, nice);
3535 	if (rc)
3536 		return rc;
3537 
3538 	return current_has_perm(p, PROCESS__SETSCHED);
3539 }
3540 
3541 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3542 {
3543 	int rc;
3544 
3545 	rc = cap_task_setioprio(p, ioprio);
3546 	if (rc)
3547 		return rc;
3548 
3549 	return current_has_perm(p, PROCESS__SETSCHED);
3550 }
3551 
3552 static int selinux_task_getioprio(struct task_struct *p)
3553 {
3554 	return current_has_perm(p, PROCESS__GETSCHED);
3555 }
3556 
3557 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3558 		struct rlimit *new_rlim)
3559 {
3560 	struct rlimit *old_rlim = p->signal->rlim + resource;
3561 
3562 	/* Control the ability to change the hard limit (whether
3563 	   lowering or raising it), so that the hard limit can
3564 	   later be used as a safe reset point for the soft limit
3565 	   upon context transitions.  See selinux_bprm_committing_creds. */
3566 	if (old_rlim->rlim_max != new_rlim->rlim_max)
3567 		return current_has_perm(p, PROCESS__SETRLIMIT);
3568 
3569 	return 0;
3570 }
3571 
3572 static int selinux_task_setscheduler(struct task_struct *p)
3573 {
3574 	int rc;
3575 
3576 	rc = cap_task_setscheduler(p);
3577 	if (rc)
3578 		return rc;
3579 
3580 	return current_has_perm(p, PROCESS__SETSCHED);
3581 }
3582 
3583 static int selinux_task_getscheduler(struct task_struct *p)
3584 {
3585 	return current_has_perm(p, PROCESS__GETSCHED);
3586 }
3587 
3588 static int selinux_task_movememory(struct task_struct *p)
3589 {
3590 	return current_has_perm(p, PROCESS__SETSCHED);
3591 }
3592 
3593 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3594 				int sig, u32 secid)
3595 {
3596 	u32 perm;
3597 	int rc;
3598 
3599 	if (!sig)
3600 		perm = PROCESS__SIGNULL; /* null signal; existence test */
3601 	else
3602 		perm = signal_to_av(sig);
3603 	if (secid)
3604 		rc = avc_has_perm(secid, task_sid(p),
3605 				  SECCLASS_PROCESS, perm, NULL);
3606 	else
3607 		rc = current_has_perm(p, perm);
3608 	return rc;
3609 }
3610 
3611 static int selinux_task_wait(struct task_struct *p)
3612 {
3613 	return task_has_perm(p, current, PROCESS__SIGCHLD);
3614 }
3615 
3616 static void selinux_task_to_inode(struct task_struct *p,
3617 				  struct inode *inode)
3618 {
3619 	struct inode_security_struct *isec = inode->i_security;
3620 	u32 sid = task_sid(p);
3621 
3622 	isec->sid = sid;
3623 	isec->initialized = 1;
3624 }
3625 
3626 /* Returns error only if unable to parse addresses */
3627 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3628 			struct common_audit_data *ad, u8 *proto)
3629 {
3630 	int offset, ihlen, ret = -EINVAL;
3631 	struct iphdr _iph, *ih;
3632 
3633 	offset = skb_network_offset(skb);
3634 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3635 	if (ih == NULL)
3636 		goto out;
3637 
3638 	ihlen = ih->ihl * 4;
3639 	if (ihlen < sizeof(_iph))
3640 		goto out;
3641 
3642 	ad->u.net->v4info.saddr = ih->saddr;
3643 	ad->u.net->v4info.daddr = ih->daddr;
3644 	ret = 0;
3645 
3646 	if (proto)
3647 		*proto = ih->protocol;
3648 
3649 	switch (ih->protocol) {
3650 	case IPPROTO_TCP: {
3651 		struct tcphdr _tcph, *th;
3652 
3653 		if (ntohs(ih->frag_off) & IP_OFFSET)
3654 			break;
3655 
3656 		offset += ihlen;
3657 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3658 		if (th == NULL)
3659 			break;
3660 
3661 		ad->u.net->sport = th->source;
3662 		ad->u.net->dport = th->dest;
3663 		break;
3664 	}
3665 
3666 	case IPPROTO_UDP: {
3667 		struct udphdr _udph, *uh;
3668 
3669 		if (ntohs(ih->frag_off) & IP_OFFSET)
3670 			break;
3671 
3672 		offset += ihlen;
3673 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3674 		if (uh == NULL)
3675 			break;
3676 
3677 		ad->u.net->sport = uh->source;
3678 		ad->u.net->dport = uh->dest;
3679 		break;
3680 	}
3681 
3682 	case IPPROTO_DCCP: {
3683 		struct dccp_hdr _dccph, *dh;
3684 
3685 		if (ntohs(ih->frag_off) & IP_OFFSET)
3686 			break;
3687 
3688 		offset += ihlen;
3689 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3690 		if (dh == NULL)
3691 			break;
3692 
3693 		ad->u.net->sport = dh->dccph_sport;
3694 		ad->u.net->dport = dh->dccph_dport;
3695 		break;
3696 	}
3697 
3698 	default:
3699 		break;
3700 	}
3701 out:
3702 	return ret;
3703 }
3704 
3705 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3706 
3707 /* Returns error only if unable to parse addresses */
3708 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3709 			struct common_audit_data *ad, u8 *proto)
3710 {
3711 	u8 nexthdr;
3712 	int ret = -EINVAL, offset;
3713 	struct ipv6hdr _ipv6h, *ip6;
3714 	__be16 frag_off;
3715 
3716 	offset = skb_network_offset(skb);
3717 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3718 	if (ip6 == NULL)
3719 		goto out;
3720 
3721 	ad->u.net->v6info.saddr = ip6->saddr;
3722 	ad->u.net->v6info.daddr = ip6->daddr;
3723 	ret = 0;
3724 
3725 	nexthdr = ip6->nexthdr;
3726 	offset += sizeof(_ipv6h);
3727 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3728 	if (offset < 0)
3729 		goto out;
3730 
3731 	if (proto)
3732 		*proto = nexthdr;
3733 
3734 	switch (nexthdr) {
3735 	case IPPROTO_TCP: {
3736 		struct tcphdr _tcph, *th;
3737 
3738 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3739 		if (th == NULL)
3740 			break;
3741 
3742 		ad->u.net->sport = th->source;
3743 		ad->u.net->dport = th->dest;
3744 		break;
3745 	}
3746 
3747 	case IPPROTO_UDP: {
3748 		struct udphdr _udph, *uh;
3749 
3750 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3751 		if (uh == NULL)
3752 			break;
3753 
3754 		ad->u.net->sport = uh->source;
3755 		ad->u.net->dport = uh->dest;
3756 		break;
3757 	}
3758 
3759 	case IPPROTO_DCCP: {
3760 		struct dccp_hdr _dccph, *dh;
3761 
3762 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3763 		if (dh == NULL)
3764 			break;
3765 
3766 		ad->u.net->sport = dh->dccph_sport;
3767 		ad->u.net->dport = dh->dccph_dport;
3768 		break;
3769 	}
3770 
3771 	/* includes fragments */
3772 	default:
3773 		break;
3774 	}
3775 out:
3776 	return ret;
3777 }
3778 
3779 #endif /* IPV6 */
3780 
3781 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3782 			     char **_addrp, int src, u8 *proto)
3783 {
3784 	char *addrp;
3785 	int ret;
3786 
3787 	switch (ad->u.net->family) {
3788 	case PF_INET:
3789 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
3790 		if (ret)
3791 			goto parse_error;
3792 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3793 				       &ad->u.net->v4info.daddr);
3794 		goto okay;
3795 
3796 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3797 	case PF_INET6:
3798 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
3799 		if (ret)
3800 			goto parse_error;
3801 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3802 				       &ad->u.net->v6info.daddr);
3803 		goto okay;
3804 #endif	/* IPV6 */
3805 	default:
3806 		addrp = NULL;
3807 		goto okay;
3808 	}
3809 
3810 parse_error:
3811 	printk(KERN_WARNING
3812 	       "SELinux: failure in selinux_parse_skb(),"
3813 	       " unable to parse packet\n");
3814 	return ret;
3815 
3816 okay:
3817 	if (_addrp)
3818 		*_addrp = addrp;
3819 	return 0;
3820 }
3821 
3822 /**
3823  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3824  * @skb: the packet
3825  * @family: protocol family
3826  * @sid: the packet's peer label SID
3827  *
3828  * Description:
3829  * Check the various different forms of network peer labeling and determine
3830  * the peer label/SID for the packet; most of the magic actually occurs in
3831  * the security server function security_net_peersid_cmp().  The function
3832  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3833  * or -EACCES if @sid is invalid due to inconsistencies with the different
3834  * peer labels.
3835  *
3836  */
3837 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3838 {
3839 	int err;
3840 	u32 xfrm_sid;
3841 	u32 nlbl_sid;
3842 	u32 nlbl_type;
3843 
3844 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3845 	if (unlikely(err))
3846 		return -EACCES;
3847 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3848 	if (unlikely(err))
3849 		return -EACCES;
3850 
3851 	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3852 	if (unlikely(err)) {
3853 		printk(KERN_WARNING
3854 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
3855 		       " unable to determine packet's peer label\n");
3856 		return -EACCES;
3857 	}
3858 
3859 	return 0;
3860 }
3861 
3862 /**
3863  * selinux_conn_sid - Determine the child socket label for a connection
3864  * @sk_sid: the parent socket's SID
3865  * @skb_sid: the packet's SID
3866  * @conn_sid: the resulting connection SID
3867  *
3868  * If @skb_sid is valid then the user:role:type information from @sk_sid is
3869  * combined with the MLS information from @skb_sid in order to create
3870  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
3871  * of @sk_sid.  Returns zero on success, negative values on failure.
3872  *
3873  */
3874 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3875 {
3876 	int err = 0;
3877 
3878 	if (skb_sid != SECSID_NULL)
3879 		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3880 	else
3881 		*conn_sid = sk_sid;
3882 
3883 	return err;
3884 }
3885 
3886 /* socket security operations */
3887 
3888 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3889 				 u16 secclass, u32 *socksid)
3890 {
3891 	if (tsec->sockcreate_sid > SECSID_NULL) {
3892 		*socksid = tsec->sockcreate_sid;
3893 		return 0;
3894 	}
3895 
3896 	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3897 				       socksid);
3898 }
3899 
3900 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3901 {
3902 	struct sk_security_struct *sksec = sk->sk_security;
3903 	struct common_audit_data ad;
3904 	struct lsm_network_audit net = {0,};
3905 	u32 tsid = task_sid(task);
3906 
3907 	if (sksec->sid == SECINITSID_KERNEL)
3908 		return 0;
3909 
3910 	ad.type = LSM_AUDIT_DATA_NET;
3911 	ad.u.net = &net;
3912 	ad.u.net->sk = sk;
3913 
3914 	return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3915 }
3916 
3917 static int selinux_socket_create(int family, int type,
3918 				 int protocol, int kern)
3919 {
3920 	const struct task_security_struct *tsec = current_security();
3921 	u32 newsid;
3922 	u16 secclass;
3923 	int rc;
3924 
3925 	if (kern)
3926 		return 0;
3927 
3928 	secclass = socket_type_to_security_class(family, type, protocol);
3929 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3930 	if (rc)
3931 		return rc;
3932 
3933 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3934 }
3935 
3936 static int selinux_socket_post_create(struct socket *sock, int family,
3937 				      int type, int protocol, int kern)
3938 {
3939 	const struct task_security_struct *tsec = current_security();
3940 	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3941 	struct sk_security_struct *sksec;
3942 	int err = 0;
3943 
3944 	isec->sclass = socket_type_to_security_class(family, type, protocol);
3945 
3946 	if (kern)
3947 		isec->sid = SECINITSID_KERNEL;
3948 	else {
3949 		err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3950 		if (err)
3951 			return err;
3952 	}
3953 
3954 	isec->initialized = 1;
3955 
3956 	if (sock->sk) {
3957 		sksec = sock->sk->sk_security;
3958 		sksec->sid = isec->sid;
3959 		sksec->sclass = isec->sclass;
3960 		err = selinux_netlbl_socket_post_create(sock->sk, family);
3961 	}
3962 
3963 	return err;
3964 }
3965 
3966 /* Range of port numbers used to automatically bind.
3967    Need to determine whether we should perform a name_bind
3968    permission check between the socket and the port number. */
3969 
3970 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3971 {
3972 	struct sock *sk = sock->sk;
3973 	u16 family;
3974 	int err;
3975 
3976 	err = sock_has_perm(current, sk, SOCKET__BIND);
3977 	if (err)
3978 		goto out;
3979 
3980 	/*
3981 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
3982 	 * Multiple address binding for SCTP is not supported yet: we just
3983 	 * check the first address now.
3984 	 */
3985 	family = sk->sk_family;
3986 	if (family == PF_INET || family == PF_INET6) {
3987 		char *addrp;
3988 		struct sk_security_struct *sksec = sk->sk_security;
3989 		struct common_audit_data ad;
3990 		struct lsm_network_audit net = {0,};
3991 		struct sockaddr_in *addr4 = NULL;
3992 		struct sockaddr_in6 *addr6 = NULL;
3993 		unsigned short snum;
3994 		u32 sid, node_perm;
3995 
3996 		if (family == PF_INET) {
3997 			addr4 = (struct sockaddr_in *)address;
3998 			snum = ntohs(addr4->sin_port);
3999 			addrp = (char *)&addr4->sin_addr.s_addr;
4000 		} else {
4001 			addr6 = (struct sockaddr_in6 *)address;
4002 			snum = ntohs(addr6->sin6_port);
4003 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4004 		}
4005 
4006 		if (snum) {
4007 			int low, high;
4008 
4009 			inet_get_local_port_range(sock_net(sk), &low, &high);
4010 
4011 			if (snum < max(PROT_SOCK, low) || snum > high) {
4012 				err = sel_netport_sid(sk->sk_protocol,
4013 						      snum, &sid);
4014 				if (err)
4015 					goto out;
4016 				ad.type = LSM_AUDIT_DATA_NET;
4017 				ad.u.net = &net;
4018 				ad.u.net->sport = htons(snum);
4019 				ad.u.net->family = family;
4020 				err = avc_has_perm(sksec->sid, sid,
4021 						   sksec->sclass,
4022 						   SOCKET__NAME_BIND, &ad);
4023 				if (err)
4024 					goto out;
4025 			}
4026 		}
4027 
4028 		switch (sksec->sclass) {
4029 		case SECCLASS_TCP_SOCKET:
4030 			node_perm = TCP_SOCKET__NODE_BIND;
4031 			break;
4032 
4033 		case SECCLASS_UDP_SOCKET:
4034 			node_perm = UDP_SOCKET__NODE_BIND;
4035 			break;
4036 
4037 		case SECCLASS_DCCP_SOCKET:
4038 			node_perm = DCCP_SOCKET__NODE_BIND;
4039 			break;
4040 
4041 		default:
4042 			node_perm = RAWIP_SOCKET__NODE_BIND;
4043 			break;
4044 		}
4045 
4046 		err = sel_netnode_sid(addrp, family, &sid);
4047 		if (err)
4048 			goto out;
4049 
4050 		ad.type = LSM_AUDIT_DATA_NET;
4051 		ad.u.net = &net;
4052 		ad.u.net->sport = htons(snum);
4053 		ad.u.net->family = family;
4054 
4055 		if (family == PF_INET)
4056 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4057 		else
4058 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4059 
4060 		err = avc_has_perm(sksec->sid, sid,
4061 				   sksec->sclass, node_perm, &ad);
4062 		if (err)
4063 			goto out;
4064 	}
4065 out:
4066 	return err;
4067 }
4068 
4069 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4070 {
4071 	struct sock *sk = sock->sk;
4072 	struct sk_security_struct *sksec = sk->sk_security;
4073 	int err;
4074 
4075 	err = sock_has_perm(current, sk, SOCKET__CONNECT);
4076 	if (err)
4077 		return err;
4078 
4079 	/*
4080 	 * If a TCP or DCCP socket, check name_connect permission for the port.
4081 	 */
4082 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4083 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
4084 		struct common_audit_data ad;
4085 		struct lsm_network_audit net = {0,};
4086 		struct sockaddr_in *addr4 = NULL;
4087 		struct sockaddr_in6 *addr6 = NULL;
4088 		unsigned short snum;
4089 		u32 sid, perm;
4090 
4091 		if (sk->sk_family == PF_INET) {
4092 			addr4 = (struct sockaddr_in *)address;
4093 			if (addrlen < sizeof(struct sockaddr_in))
4094 				return -EINVAL;
4095 			snum = ntohs(addr4->sin_port);
4096 		} else {
4097 			addr6 = (struct sockaddr_in6 *)address;
4098 			if (addrlen < SIN6_LEN_RFC2133)
4099 				return -EINVAL;
4100 			snum = ntohs(addr6->sin6_port);
4101 		}
4102 
4103 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4104 		if (err)
4105 			goto out;
4106 
4107 		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4108 		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4109 
4110 		ad.type = LSM_AUDIT_DATA_NET;
4111 		ad.u.net = &net;
4112 		ad.u.net->dport = htons(snum);
4113 		ad.u.net->family = sk->sk_family;
4114 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4115 		if (err)
4116 			goto out;
4117 	}
4118 
4119 	err = selinux_netlbl_socket_connect(sk, address);
4120 
4121 out:
4122 	return err;
4123 }
4124 
4125 static int selinux_socket_listen(struct socket *sock, int backlog)
4126 {
4127 	return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4128 }
4129 
4130 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4131 {
4132 	int err;
4133 	struct inode_security_struct *isec;
4134 	struct inode_security_struct *newisec;
4135 
4136 	err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4137 	if (err)
4138 		return err;
4139 
4140 	newisec = SOCK_INODE(newsock)->i_security;
4141 
4142 	isec = SOCK_INODE(sock)->i_security;
4143 	newisec->sclass = isec->sclass;
4144 	newisec->sid = isec->sid;
4145 	newisec->initialized = 1;
4146 
4147 	return 0;
4148 }
4149 
4150 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4151 				  int size)
4152 {
4153 	return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4154 }
4155 
4156 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4157 				  int size, int flags)
4158 {
4159 	return sock_has_perm(current, sock->sk, SOCKET__READ);
4160 }
4161 
4162 static int selinux_socket_getsockname(struct socket *sock)
4163 {
4164 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4165 }
4166 
4167 static int selinux_socket_getpeername(struct socket *sock)
4168 {
4169 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4170 }
4171 
4172 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4173 {
4174 	int err;
4175 
4176 	err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4177 	if (err)
4178 		return err;
4179 
4180 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4181 }
4182 
4183 static int selinux_socket_getsockopt(struct socket *sock, int level,
4184 				     int optname)
4185 {
4186 	return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4187 }
4188 
4189 static int selinux_socket_shutdown(struct socket *sock, int how)
4190 {
4191 	return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4192 }
4193 
4194 static int selinux_socket_unix_stream_connect(struct sock *sock,
4195 					      struct sock *other,
4196 					      struct sock *newsk)
4197 {
4198 	struct sk_security_struct *sksec_sock = sock->sk_security;
4199 	struct sk_security_struct *sksec_other = other->sk_security;
4200 	struct sk_security_struct *sksec_new = newsk->sk_security;
4201 	struct common_audit_data ad;
4202 	struct lsm_network_audit net = {0,};
4203 	int err;
4204 
4205 	ad.type = LSM_AUDIT_DATA_NET;
4206 	ad.u.net = &net;
4207 	ad.u.net->sk = other;
4208 
4209 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4210 			   sksec_other->sclass,
4211 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4212 	if (err)
4213 		return err;
4214 
4215 	/* server child socket */
4216 	sksec_new->peer_sid = sksec_sock->sid;
4217 	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4218 				    &sksec_new->sid);
4219 	if (err)
4220 		return err;
4221 
4222 	/* connecting socket */
4223 	sksec_sock->peer_sid = sksec_new->sid;
4224 
4225 	return 0;
4226 }
4227 
4228 static int selinux_socket_unix_may_send(struct socket *sock,
4229 					struct socket *other)
4230 {
4231 	struct sk_security_struct *ssec = sock->sk->sk_security;
4232 	struct sk_security_struct *osec = other->sk->sk_security;
4233 	struct common_audit_data ad;
4234 	struct lsm_network_audit net = {0,};
4235 
4236 	ad.type = LSM_AUDIT_DATA_NET;
4237 	ad.u.net = &net;
4238 	ad.u.net->sk = other->sk;
4239 
4240 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4241 			    &ad);
4242 }
4243 
4244 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4245 				    u32 peer_sid,
4246 				    struct common_audit_data *ad)
4247 {
4248 	int err;
4249 	u32 if_sid;
4250 	u32 node_sid;
4251 
4252 	err = sel_netif_sid(ifindex, &if_sid);
4253 	if (err)
4254 		return err;
4255 	err = avc_has_perm(peer_sid, if_sid,
4256 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4257 	if (err)
4258 		return err;
4259 
4260 	err = sel_netnode_sid(addrp, family, &node_sid);
4261 	if (err)
4262 		return err;
4263 	return avc_has_perm(peer_sid, node_sid,
4264 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4265 }
4266 
4267 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4268 				       u16 family)
4269 {
4270 	int err = 0;
4271 	struct sk_security_struct *sksec = sk->sk_security;
4272 	u32 sk_sid = sksec->sid;
4273 	struct common_audit_data ad;
4274 	struct lsm_network_audit net = {0,};
4275 	char *addrp;
4276 
4277 	ad.type = LSM_AUDIT_DATA_NET;
4278 	ad.u.net = &net;
4279 	ad.u.net->netif = skb->skb_iif;
4280 	ad.u.net->family = family;
4281 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4282 	if (err)
4283 		return err;
4284 
4285 	if (selinux_secmark_enabled()) {
4286 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4287 				   PACKET__RECV, &ad);
4288 		if (err)
4289 			return err;
4290 	}
4291 
4292 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4293 	if (err)
4294 		return err;
4295 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4296 
4297 	return err;
4298 }
4299 
4300 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4301 {
4302 	int err;
4303 	struct sk_security_struct *sksec = sk->sk_security;
4304 	u16 family = sk->sk_family;
4305 	u32 sk_sid = sksec->sid;
4306 	struct common_audit_data ad;
4307 	struct lsm_network_audit net = {0,};
4308 	char *addrp;
4309 	u8 secmark_active;
4310 	u8 peerlbl_active;
4311 
4312 	if (family != PF_INET && family != PF_INET6)
4313 		return 0;
4314 
4315 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4316 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4317 		family = PF_INET;
4318 
4319 	/* If any sort of compatibility mode is enabled then handoff processing
4320 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4321 	 * special handling.  We do this in an attempt to keep this function
4322 	 * as fast and as clean as possible. */
4323 	if (!selinux_policycap_netpeer)
4324 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4325 
4326 	secmark_active = selinux_secmark_enabled();
4327 	peerlbl_active = selinux_peerlbl_enabled();
4328 	if (!secmark_active && !peerlbl_active)
4329 		return 0;
4330 
4331 	ad.type = LSM_AUDIT_DATA_NET;
4332 	ad.u.net = &net;
4333 	ad.u.net->netif = skb->skb_iif;
4334 	ad.u.net->family = family;
4335 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4336 	if (err)
4337 		return err;
4338 
4339 	if (peerlbl_active) {
4340 		u32 peer_sid;
4341 
4342 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4343 		if (err)
4344 			return err;
4345 		err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4346 					       peer_sid, &ad);
4347 		if (err) {
4348 			selinux_netlbl_err(skb, err, 0);
4349 			return err;
4350 		}
4351 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4352 				   PEER__RECV, &ad);
4353 		if (err) {
4354 			selinux_netlbl_err(skb, err, 0);
4355 			return err;
4356 		}
4357 	}
4358 
4359 	if (secmark_active) {
4360 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4361 				   PACKET__RECV, &ad);
4362 		if (err)
4363 			return err;
4364 	}
4365 
4366 	return err;
4367 }
4368 
4369 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4370 					    int __user *optlen, unsigned len)
4371 {
4372 	int err = 0;
4373 	char *scontext;
4374 	u32 scontext_len;
4375 	struct sk_security_struct *sksec = sock->sk->sk_security;
4376 	u32 peer_sid = SECSID_NULL;
4377 
4378 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4379 	    sksec->sclass == SECCLASS_TCP_SOCKET)
4380 		peer_sid = sksec->peer_sid;
4381 	if (peer_sid == SECSID_NULL)
4382 		return -ENOPROTOOPT;
4383 
4384 	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4385 	if (err)
4386 		return err;
4387 
4388 	if (scontext_len > len) {
4389 		err = -ERANGE;
4390 		goto out_len;
4391 	}
4392 
4393 	if (copy_to_user(optval, scontext, scontext_len))
4394 		err = -EFAULT;
4395 
4396 out_len:
4397 	if (put_user(scontext_len, optlen))
4398 		err = -EFAULT;
4399 	kfree(scontext);
4400 	return err;
4401 }
4402 
4403 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4404 {
4405 	u32 peer_secid = SECSID_NULL;
4406 	u16 family;
4407 
4408 	if (skb && skb->protocol == htons(ETH_P_IP))
4409 		family = PF_INET;
4410 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4411 		family = PF_INET6;
4412 	else if (sock)
4413 		family = sock->sk->sk_family;
4414 	else
4415 		goto out;
4416 
4417 	if (sock && family == PF_UNIX)
4418 		selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4419 	else if (skb)
4420 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4421 
4422 out:
4423 	*secid = peer_secid;
4424 	if (peer_secid == SECSID_NULL)
4425 		return -EINVAL;
4426 	return 0;
4427 }
4428 
4429 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4430 {
4431 	struct sk_security_struct *sksec;
4432 
4433 	sksec = kzalloc(sizeof(*sksec), priority);
4434 	if (!sksec)
4435 		return -ENOMEM;
4436 
4437 	sksec->peer_sid = SECINITSID_UNLABELED;
4438 	sksec->sid = SECINITSID_UNLABELED;
4439 	selinux_netlbl_sk_security_reset(sksec);
4440 	sk->sk_security = sksec;
4441 
4442 	return 0;
4443 }
4444 
4445 static void selinux_sk_free_security(struct sock *sk)
4446 {
4447 	struct sk_security_struct *sksec = sk->sk_security;
4448 
4449 	sk->sk_security = NULL;
4450 	selinux_netlbl_sk_security_free(sksec);
4451 	kfree(sksec);
4452 }
4453 
4454 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4455 {
4456 	struct sk_security_struct *sksec = sk->sk_security;
4457 	struct sk_security_struct *newsksec = newsk->sk_security;
4458 
4459 	newsksec->sid = sksec->sid;
4460 	newsksec->peer_sid = sksec->peer_sid;
4461 	newsksec->sclass = sksec->sclass;
4462 
4463 	selinux_netlbl_sk_security_reset(newsksec);
4464 }
4465 
4466 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4467 {
4468 	if (!sk)
4469 		*secid = SECINITSID_ANY_SOCKET;
4470 	else {
4471 		struct sk_security_struct *sksec = sk->sk_security;
4472 
4473 		*secid = sksec->sid;
4474 	}
4475 }
4476 
4477 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4478 {
4479 	struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4480 	struct sk_security_struct *sksec = sk->sk_security;
4481 
4482 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4483 	    sk->sk_family == PF_UNIX)
4484 		isec->sid = sksec->sid;
4485 	sksec->sclass = isec->sclass;
4486 }
4487 
4488 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4489 				     struct request_sock *req)
4490 {
4491 	struct sk_security_struct *sksec = sk->sk_security;
4492 	int err;
4493 	u16 family = sk->sk_family;
4494 	u32 connsid;
4495 	u32 peersid;
4496 
4497 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4498 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4499 		family = PF_INET;
4500 
4501 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4502 	if (err)
4503 		return err;
4504 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4505 	if (err)
4506 		return err;
4507 	req->secid = connsid;
4508 	req->peer_secid = peersid;
4509 
4510 	return selinux_netlbl_inet_conn_request(req, family);
4511 }
4512 
4513 static void selinux_inet_csk_clone(struct sock *newsk,
4514 				   const struct request_sock *req)
4515 {
4516 	struct sk_security_struct *newsksec = newsk->sk_security;
4517 
4518 	newsksec->sid = req->secid;
4519 	newsksec->peer_sid = req->peer_secid;
4520 	/* NOTE: Ideally, we should also get the isec->sid for the
4521 	   new socket in sync, but we don't have the isec available yet.
4522 	   So we will wait until sock_graft to do it, by which
4523 	   time it will have been created and available. */
4524 
4525 	/* We don't need to take any sort of lock here as we are the only
4526 	 * thread with access to newsksec */
4527 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4528 }
4529 
4530 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4531 {
4532 	u16 family = sk->sk_family;
4533 	struct sk_security_struct *sksec = sk->sk_security;
4534 
4535 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4536 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4537 		family = PF_INET;
4538 
4539 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4540 }
4541 
4542 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4543 {
4544 	skb_set_owner_w(skb, sk);
4545 }
4546 
4547 static int selinux_secmark_relabel_packet(u32 sid)
4548 {
4549 	const struct task_security_struct *__tsec;
4550 	u32 tsid;
4551 
4552 	__tsec = current_security();
4553 	tsid = __tsec->sid;
4554 
4555 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4556 }
4557 
4558 static void selinux_secmark_refcount_inc(void)
4559 {
4560 	atomic_inc(&selinux_secmark_refcount);
4561 }
4562 
4563 static void selinux_secmark_refcount_dec(void)
4564 {
4565 	atomic_dec(&selinux_secmark_refcount);
4566 }
4567 
4568 static void selinux_req_classify_flow(const struct request_sock *req,
4569 				      struct flowi *fl)
4570 {
4571 	fl->flowi_secid = req->secid;
4572 }
4573 
4574 static int selinux_tun_dev_alloc_security(void **security)
4575 {
4576 	struct tun_security_struct *tunsec;
4577 
4578 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4579 	if (!tunsec)
4580 		return -ENOMEM;
4581 	tunsec->sid = current_sid();
4582 
4583 	*security = tunsec;
4584 	return 0;
4585 }
4586 
4587 static void selinux_tun_dev_free_security(void *security)
4588 {
4589 	kfree(security);
4590 }
4591 
4592 static int selinux_tun_dev_create(void)
4593 {
4594 	u32 sid = current_sid();
4595 
4596 	/* we aren't taking into account the "sockcreate" SID since the socket
4597 	 * that is being created here is not a socket in the traditional sense,
4598 	 * instead it is a private sock, accessible only to the kernel, and
4599 	 * representing a wide range of network traffic spanning multiple
4600 	 * connections unlike traditional sockets - check the TUN driver to
4601 	 * get a better understanding of why this socket is special */
4602 
4603 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4604 			    NULL);
4605 }
4606 
4607 static int selinux_tun_dev_attach_queue(void *security)
4608 {
4609 	struct tun_security_struct *tunsec = security;
4610 
4611 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4612 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
4613 }
4614 
4615 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4616 {
4617 	struct tun_security_struct *tunsec = security;
4618 	struct sk_security_struct *sksec = sk->sk_security;
4619 
4620 	/* we don't currently perform any NetLabel based labeling here and it
4621 	 * isn't clear that we would want to do so anyway; while we could apply
4622 	 * labeling without the support of the TUN user the resulting labeled
4623 	 * traffic from the other end of the connection would almost certainly
4624 	 * cause confusion to the TUN user that had no idea network labeling
4625 	 * protocols were being used */
4626 
4627 	sksec->sid = tunsec->sid;
4628 	sksec->sclass = SECCLASS_TUN_SOCKET;
4629 
4630 	return 0;
4631 }
4632 
4633 static int selinux_tun_dev_open(void *security)
4634 {
4635 	struct tun_security_struct *tunsec = security;
4636 	u32 sid = current_sid();
4637 	int err;
4638 
4639 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4640 			   TUN_SOCKET__RELABELFROM, NULL);
4641 	if (err)
4642 		return err;
4643 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4644 			   TUN_SOCKET__RELABELTO, NULL);
4645 	if (err)
4646 		return err;
4647 	tunsec->sid = sid;
4648 
4649 	return 0;
4650 }
4651 
4652 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4653 {
4654 	int err = 0;
4655 	u32 perm;
4656 	struct nlmsghdr *nlh;
4657 	struct sk_security_struct *sksec = sk->sk_security;
4658 
4659 	if (skb->len < NLMSG_HDRLEN) {
4660 		err = -EINVAL;
4661 		goto out;
4662 	}
4663 	nlh = nlmsg_hdr(skb);
4664 
4665 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4666 	if (err) {
4667 		if (err == -EINVAL) {
4668 			audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4669 				  "SELinux:  unrecognized netlink message"
4670 				  " type=%hu for sclass=%hu\n",
4671 				  nlh->nlmsg_type, sksec->sclass);
4672 			if (!selinux_enforcing || security_get_allow_unknown())
4673 				err = 0;
4674 		}
4675 
4676 		/* Ignore */
4677 		if (err == -ENOENT)
4678 			err = 0;
4679 		goto out;
4680 	}
4681 
4682 	err = sock_has_perm(current, sk, perm);
4683 out:
4684 	return err;
4685 }
4686 
4687 #ifdef CONFIG_NETFILTER
4688 
4689 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4690 				       u16 family)
4691 {
4692 	int err;
4693 	char *addrp;
4694 	u32 peer_sid;
4695 	struct common_audit_data ad;
4696 	struct lsm_network_audit net = {0,};
4697 	u8 secmark_active;
4698 	u8 netlbl_active;
4699 	u8 peerlbl_active;
4700 
4701 	if (!selinux_policycap_netpeer)
4702 		return NF_ACCEPT;
4703 
4704 	secmark_active = selinux_secmark_enabled();
4705 	netlbl_active = netlbl_enabled();
4706 	peerlbl_active = selinux_peerlbl_enabled();
4707 	if (!secmark_active && !peerlbl_active)
4708 		return NF_ACCEPT;
4709 
4710 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4711 		return NF_DROP;
4712 
4713 	ad.type = LSM_AUDIT_DATA_NET;
4714 	ad.u.net = &net;
4715 	ad.u.net->netif = ifindex;
4716 	ad.u.net->family = family;
4717 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4718 		return NF_DROP;
4719 
4720 	if (peerlbl_active) {
4721 		err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4722 					       peer_sid, &ad);
4723 		if (err) {
4724 			selinux_netlbl_err(skb, err, 1);
4725 			return NF_DROP;
4726 		}
4727 	}
4728 
4729 	if (secmark_active)
4730 		if (avc_has_perm(peer_sid, skb->secmark,
4731 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4732 			return NF_DROP;
4733 
4734 	if (netlbl_active)
4735 		/* we do this in the FORWARD path and not the POST_ROUTING
4736 		 * path because we want to make sure we apply the necessary
4737 		 * labeling before IPsec is applied so we can leverage AH
4738 		 * protection */
4739 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4740 			return NF_DROP;
4741 
4742 	return NF_ACCEPT;
4743 }
4744 
4745 static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4746 					 struct sk_buff *skb,
4747 					 const struct net_device *in,
4748 					 const struct net_device *out,
4749 					 int (*okfn)(struct sk_buff *))
4750 {
4751 	return selinux_ip_forward(skb, in->ifindex, PF_INET);
4752 }
4753 
4754 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4755 static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4756 					 struct sk_buff *skb,
4757 					 const struct net_device *in,
4758 					 const struct net_device *out,
4759 					 int (*okfn)(struct sk_buff *))
4760 {
4761 	return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4762 }
4763 #endif	/* IPV6 */
4764 
4765 static unsigned int selinux_ip_output(struct sk_buff *skb,
4766 				      u16 family)
4767 {
4768 	struct sock *sk;
4769 	u32 sid;
4770 
4771 	if (!netlbl_enabled())
4772 		return NF_ACCEPT;
4773 
4774 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4775 	 * because we want to make sure we apply the necessary labeling
4776 	 * before IPsec is applied so we can leverage AH protection */
4777 	sk = skb->sk;
4778 	if (sk) {
4779 		struct sk_security_struct *sksec;
4780 
4781 		if (sk->sk_state == TCP_LISTEN)
4782 			/* if the socket is the listening state then this
4783 			 * packet is a SYN-ACK packet which means it needs to
4784 			 * be labeled based on the connection/request_sock and
4785 			 * not the parent socket.  unfortunately, we can't
4786 			 * lookup the request_sock yet as it isn't queued on
4787 			 * the parent socket until after the SYN-ACK is sent.
4788 			 * the "solution" is to simply pass the packet as-is
4789 			 * as any IP option based labeling should be copied
4790 			 * from the initial connection request (in the IP
4791 			 * layer).  it is far from ideal, but until we get a
4792 			 * security label in the packet itself this is the
4793 			 * best we can do. */
4794 			return NF_ACCEPT;
4795 
4796 		/* standard practice, label using the parent socket */
4797 		sksec = sk->sk_security;
4798 		sid = sksec->sid;
4799 	} else
4800 		sid = SECINITSID_KERNEL;
4801 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4802 		return NF_DROP;
4803 
4804 	return NF_ACCEPT;
4805 }
4806 
4807 static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4808 					struct sk_buff *skb,
4809 					const struct net_device *in,
4810 					const struct net_device *out,
4811 					int (*okfn)(struct sk_buff *))
4812 {
4813 	return selinux_ip_output(skb, PF_INET);
4814 }
4815 
4816 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4817 						int ifindex,
4818 						u16 family)
4819 {
4820 	struct sock *sk = skb->sk;
4821 	struct sk_security_struct *sksec;
4822 	struct common_audit_data ad;
4823 	struct lsm_network_audit net = {0,};
4824 	char *addrp;
4825 	u8 proto;
4826 
4827 	if (sk == NULL)
4828 		return NF_ACCEPT;
4829 	sksec = sk->sk_security;
4830 
4831 	ad.type = LSM_AUDIT_DATA_NET;
4832 	ad.u.net = &net;
4833 	ad.u.net->netif = ifindex;
4834 	ad.u.net->family = family;
4835 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4836 		return NF_DROP;
4837 
4838 	if (selinux_secmark_enabled())
4839 		if (avc_has_perm(sksec->sid, skb->secmark,
4840 				 SECCLASS_PACKET, PACKET__SEND, &ad))
4841 			return NF_DROP_ERR(-ECONNREFUSED);
4842 
4843 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4844 		return NF_DROP_ERR(-ECONNREFUSED);
4845 
4846 	return NF_ACCEPT;
4847 }
4848 
4849 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4850 					 u16 family)
4851 {
4852 	u32 secmark_perm;
4853 	u32 peer_sid;
4854 	struct sock *sk;
4855 	struct common_audit_data ad;
4856 	struct lsm_network_audit net = {0,};
4857 	char *addrp;
4858 	u8 secmark_active;
4859 	u8 peerlbl_active;
4860 
4861 	/* If any sort of compatibility mode is enabled then handoff processing
4862 	 * to the selinux_ip_postroute_compat() function to deal with the
4863 	 * special handling.  We do this in an attempt to keep this function
4864 	 * as fast and as clean as possible. */
4865 	if (!selinux_policycap_netpeer)
4866 		return selinux_ip_postroute_compat(skb, ifindex, family);
4867 
4868 	secmark_active = selinux_secmark_enabled();
4869 	peerlbl_active = selinux_peerlbl_enabled();
4870 	if (!secmark_active && !peerlbl_active)
4871 		return NF_ACCEPT;
4872 
4873 	sk = skb->sk;
4874 
4875 #ifdef CONFIG_XFRM
4876 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4877 	 * packet transformation so allow the packet to pass without any checks
4878 	 * since we'll have another chance to perform access control checks
4879 	 * when the packet is on it's final way out.
4880 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4881 	 *       is NULL, in this case go ahead and apply access control.
4882 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4883 	 *       TCP listening state we cannot wait until the XFRM processing
4884 	 *       is done as we will miss out on the SA label if we do;
4885 	 *       unfortunately, this means more work, but it is only once per
4886 	 *       connection. */
4887 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4888 	    !(sk != NULL && sk->sk_state == TCP_LISTEN))
4889 		return NF_ACCEPT;
4890 #endif
4891 
4892 	if (sk == NULL) {
4893 		/* Without an associated socket the packet is either coming
4894 		 * from the kernel or it is being forwarded; check the packet
4895 		 * to determine which and if the packet is being forwarded
4896 		 * query the packet directly to determine the security label. */
4897 		if (skb->skb_iif) {
4898 			secmark_perm = PACKET__FORWARD_OUT;
4899 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4900 				return NF_DROP;
4901 		} else {
4902 			secmark_perm = PACKET__SEND;
4903 			peer_sid = SECINITSID_KERNEL;
4904 		}
4905 	} else if (sk->sk_state == TCP_LISTEN) {
4906 		/* Locally generated packet but the associated socket is in the
4907 		 * listening state which means this is a SYN-ACK packet.  In
4908 		 * this particular case the correct security label is assigned
4909 		 * to the connection/request_sock but unfortunately we can't
4910 		 * query the request_sock as it isn't queued on the parent
4911 		 * socket until after the SYN-ACK packet is sent; the only
4912 		 * viable choice is to regenerate the label like we do in
4913 		 * selinux_inet_conn_request().  See also selinux_ip_output()
4914 		 * for similar problems. */
4915 		u32 skb_sid;
4916 		struct sk_security_struct *sksec = sk->sk_security;
4917 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4918 			return NF_DROP;
4919 		/* At this point, if the returned skb peerlbl is SECSID_NULL
4920 		 * and the packet has been through at least one XFRM
4921 		 * transformation then we must be dealing with the "final"
4922 		 * form of labeled IPsec packet; since we've already applied
4923 		 * all of our access controls on this packet we can safely
4924 		 * pass the packet. */
4925 		if (skb_sid == SECSID_NULL) {
4926 			switch (family) {
4927 			case PF_INET:
4928 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4929 					return NF_ACCEPT;
4930 				break;
4931 			case PF_INET6:
4932 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4933 					return NF_ACCEPT;
4934 			default:
4935 				return NF_DROP_ERR(-ECONNREFUSED);
4936 			}
4937 		}
4938 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
4939 			return NF_DROP;
4940 		secmark_perm = PACKET__SEND;
4941 	} else {
4942 		/* Locally generated packet, fetch the security label from the
4943 		 * associated socket. */
4944 		struct sk_security_struct *sksec = sk->sk_security;
4945 		peer_sid = sksec->sid;
4946 		secmark_perm = PACKET__SEND;
4947 	}
4948 
4949 	ad.type = LSM_AUDIT_DATA_NET;
4950 	ad.u.net = &net;
4951 	ad.u.net->netif = ifindex;
4952 	ad.u.net->family = family;
4953 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4954 		return NF_DROP;
4955 
4956 	if (secmark_active)
4957 		if (avc_has_perm(peer_sid, skb->secmark,
4958 				 SECCLASS_PACKET, secmark_perm, &ad))
4959 			return NF_DROP_ERR(-ECONNREFUSED);
4960 
4961 	if (peerlbl_active) {
4962 		u32 if_sid;
4963 		u32 node_sid;
4964 
4965 		if (sel_netif_sid(ifindex, &if_sid))
4966 			return NF_DROP;
4967 		if (avc_has_perm(peer_sid, if_sid,
4968 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4969 			return NF_DROP_ERR(-ECONNREFUSED);
4970 
4971 		if (sel_netnode_sid(addrp, family, &node_sid))
4972 			return NF_DROP;
4973 		if (avc_has_perm(peer_sid, node_sid,
4974 				 SECCLASS_NODE, NODE__SENDTO, &ad))
4975 			return NF_DROP_ERR(-ECONNREFUSED);
4976 	}
4977 
4978 	return NF_ACCEPT;
4979 }
4980 
4981 static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
4982 					   struct sk_buff *skb,
4983 					   const struct net_device *in,
4984 					   const struct net_device *out,
4985 					   int (*okfn)(struct sk_buff *))
4986 {
4987 	return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4988 }
4989 
4990 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4991 static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
4992 					   struct sk_buff *skb,
4993 					   const struct net_device *in,
4994 					   const struct net_device *out,
4995 					   int (*okfn)(struct sk_buff *))
4996 {
4997 	return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4998 }
4999 #endif	/* IPV6 */
5000 
5001 #endif	/* CONFIG_NETFILTER */
5002 
5003 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5004 {
5005 	int err;
5006 
5007 	err = cap_netlink_send(sk, skb);
5008 	if (err)
5009 		return err;
5010 
5011 	return selinux_nlmsg_perm(sk, skb);
5012 }
5013 
5014 static int ipc_alloc_security(struct task_struct *task,
5015 			      struct kern_ipc_perm *perm,
5016 			      u16 sclass)
5017 {
5018 	struct ipc_security_struct *isec;
5019 	u32 sid;
5020 
5021 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5022 	if (!isec)
5023 		return -ENOMEM;
5024 
5025 	sid = task_sid(task);
5026 	isec->sclass = sclass;
5027 	isec->sid = sid;
5028 	perm->security = isec;
5029 
5030 	return 0;
5031 }
5032 
5033 static void ipc_free_security(struct kern_ipc_perm *perm)
5034 {
5035 	struct ipc_security_struct *isec = perm->security;
5036 	perm->security = NULL;
5037 	kfree(isec);
5038 }
5039 
5040 static int msg_msg_alloc_security(struct msg_msg *msg)
5041 {
5042 	struct msg_security_struct *msec;
5043 
5044 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5045 	if (!msec)
5046 		return -ENOMEM;
5047 
5048 	msec->sid = SECINITSID_UNLABELED;
5049 	msg->security = msec;
5050 
5051 	return 0;
5052 }
5053 
5054 static void msg_msg_free_security(struct msg_msg *msg)
5055 {
5056 	struct msg_security_struct *msec = msg->security;
5057 
5058 	msg->security = NULL;
5059 	kfree(msec);
5060 }
5061 
5062 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5063 			u32 perms)
5064 {
5065 	struct ipc_security_struct *isec;
5066 	struct common_audit_data ad;
5067 	u32 sid = current_sid();
5068 
5069 	isec = ipc_perms->security;
5070 
5071 	ad.type = LSM_AUDIT_DATA_IPC;
5072 	ad.u.ipc_id = ipc_perms->key;
5073 
5074 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5075 }
5076 
5077 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5078 {
5079 	return msg_msg_alloc_security(msg);
5080 }
5081 
5082 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5083 {
5084 	msg_msg_free_security(msg);
5085 }
5086 
5087 /* message queue security operations */
5088 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5089 {
5090 	struct ipc_security_struct *isec;
5091 	struct common_audit_data ad;
5092 	u32 sid = current_sid();
5093 	int rc;
5094 
5095 	rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5096 	if (rc)
5097 		return rc;
5098 
5099 	isec = msq->q_perm.security;
5100 
5101 	ad.type = LSM_AUDIT_DATA_IPC;
5102 	ad.u.ipc_id = msq->q_perm.key;
5103 
5104 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5105 			  MSGQ__CREATE, &ad);
5106 	if (rc) {
5107 		ipc_free_security(&msq->q_perm);
5108 		return rc;
5109 	}
5110 	return 0;
5111 }
5112 
5113 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5114 {
5115 	ipc_free_security(&msq->q_perm);
5116 }
5117 
5118 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5119 {
5120 	struct ipc_security_struct *isec;
5121 	struct common_audit_data ad;
5122 	u32 sid = current_sid();
5123 
5124 	isec = msq->q_perm.security;
5125 
5126 	ad.type = LSM_AUDIT_DATA_IPC;
5127 	ad.u.ipc_id = msq->q_perm.key;
5128 
5129 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5130 			    MSGQ__ASSOCIATE, &ad);
5131 }
5132 
5133 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5134 {
5135 	int err;
5136 	int perms;
5137 
5138 	switch (cmd) {
5139 	case IPC_INFO:
5140 	case MSG_INFO:
5141 		/* No specific object, just general system-wide information. */
5142 		return task_has_system(current, SYSTEM__IPC_INFO);
5143 	case IPC_STAT:
5144 	case MSG_STAT:
5145 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5146 		break;
5147 	case IPC_SET:
5148 		perms = MSGQ__SETATTR;
5149 		break;
5150 	case IPC_RMID:
5151 		perms = MSGQ__DESTROY;
5152 		break;
5153 	default:
5154 		return 0;
5155 	}
5156 
5157 	err = ipc_has_perm(&msq->q_perm, perms);
5158 	return err;
5159 }
5160 
5161 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5162 {
5163 	struct ipc_security_struct *isec;
5164 	struct msg_security_struct *msec;
5165 	struct common_audit_data ad;
5166 	u32 sid = current_sid();
5167 	int rc;
5168 
5169 	isec = msq->q_perm.security;
5170 	msec = msg->security;
5171 
5172 	/*
5173 	 * First time through, need to assign label to the message
5174 	 */
5175 	if (msec->sid == SECINITSID_UNLABELED) {
5176 		/*
5177 		 * Compute new sid based on current process and
5178 		 * message queue this message will be stored in
5179 		 */
5180 		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5181 					     NULL, &msec->sid);
5182 		if (rc)
5183 			return rc;
5184 	}
5185 
5186 	ad.type = LSM_AUDIT_DATA_IPC;
5187 	ad.u.ipc_id = msq->q_perm.key;
5188 
5189 	/* Can this process write to the queue? */
5190 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5191 			  MSGQ__WRITE, &ad);
5192 	if (!rc)
5193 		/* Can this process send the message */
5194 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5195 				  MSG__SEND, &ad);
5196 	if (!rc)
5197 		/* Can the message be put in the queue? */
5198 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5199 				  MSGQ__ENQUEUE, &ad);
5200 
5201 	return rc;
5202 }
5203 
5204 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5205 				    struct task_struct *target,
5206 				    long type, int mode)
5207 {
5208 	struct ipc_security_struct *isec;
5209 	struct msg_security_struct *msec;
5210 	struct common_audit_data ad;
5211 	u32 sid = task_sid(target);
5212 	int rc;
5213 
5214 	isec = msq->q_perm.security;
5215 	msec = msg->security;
5216 
5217 	ad.type = LSM_AUDIT_DATA_IPC;
5218 	ad.u.ipc_id = msq->q_perm.key;
5219 
5220 	rc = avc_has_perm(sid, isec->sid,
5221 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
5222 	if (!rc)
5223 		rc = avc_has_perm(sid, msec->sid,
5224 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
5225 	return rc;
5226 }
5227 
5228 /* Shared Memory security operations */
5229 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5230 {
5231 	struct ipc_security_struct *isec;
5232 	struct common_audit_data ad;
5233 	u32 sid = current_sid();
5234 	int rc;
5235 
5236 	rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5237 	if (rc)
5238 		return rc;
5239 
5240 	isec = shp->shm_perm.security;
5241 
5242 	ad.type = LSM_AUDIT_DATA_IPC;
5243 	ad.u.ipc_id = shp->shm_perm.key;
5244 
5245 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5246 			  SHM__CREATE, &ad);
5247 	if (rc) {
5248 		ipc_free_security(&shp->shm_perm);
5249 		return rc;
5250 	}
5251 	return 0;
5252 }
5253 
5254 static void selinux_shm_free_security(struct shmid_kernel *shp)
5255 {
5256 	ipc_free_security(&shp->shm_perm);
5257 }
5258 
5259 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5260 {
5261 	struct ipc_security_struct *isec;
5262 	struct common_audit_data ad;
5263 	u32 sid = current_sid();
5264 
5265 	isec = shp->shm_perm.security;
5266 
5267 	ad.type = LSM_AUDIT_DATA_IPC;
5268 	ad.u.ipc_id = shp->shm_perm.key;
5269 
5270 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5271 			    SHM__ASSOCIATE, &ad);
5272 }
5273 
5274 /* Note, at this point, shp is locked down */
5275 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5276 {
5277 	int perms;
5278 	int err;
5279 
5280 	switch (cmd) {
5281 	case IPC_INFO:
5282 	case SHM_INFO:
5283 		/* No specific object, just general system-wide information. */
5284 		return task_has_system(current, SYSTEM__IPC_INFO);
5285 	case IPC_STAT:
5286 	case SHM_STAT:
5287 		perms = SHM__GETATTR | SHM__ASSOCIATE;
5288 		break;
5289 	case IPC_SET:
5290 		perms = SHM__SETATTR;
5291 		break;
5292 	case SHM_LOCK:
5293 	case SHM_UNLOCK:
5294 		perms = SHM__LOCK;
5295 		break;
5296 	case IPC_RMID:
5297 		perms = SHM__DESTROY;
5298 		break;
5299 	default:
5300 		return 0;
5301 	}
5302 
5303 	err = ipc_has_perm(&shp->shm_perm, perms);
5304 	return err;
5305 }
5306 
5307 static int selinux_shm_shmat(struct shmid_kernel *shp,
5308 			     char __user *shmaddr, int shmflg)
5309 {
5310 	u32 perms;
5311 
5312 	if (shmflg & SHM_RDONLY)
5313 		perms = SHM__READ;
5314 	else
5315 		perms = SHM__READ | SHM__WRITE;
5316 
5317 	return ipc_has_perm(&shp->shm_perm, perms);
5318 }
5319 
5320 /* Semaphore security operations */
5321 static int selinux_sem_alloc_security(struct sem_array *sma)
5322 {
5323 	struct ipc_security_struct *isec;
5324 	struct common_audit_data ad;
5325 	u32 sid = current_sid();
5326 	int rc;
5327 
5328 	rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5329 	if (rc)
5330 		return rc;
5331 
5332 	isec = sma->sem_perm.security;
5333 
5334 	ad.type = LSM_AUDIT_DATA_IPC;
5335 	ad.u.ipc_id = sma->sem_perm.key;
5336 
5337 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5338 			  SEM__CREATE, &ad);
5339 	if (rc) {
5340 		ipc_free_security(&sma->sem_perm);
5341 		return rc;
5342 	}
5343 	return 0;
5344 }
5345 
5346 static void selinux_sem_free_security(struct sem_array *sma)
5347 {
5348 	ipc_free_security(&sma->sem_perm);
5349 }
5350 
5351 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5352 {
5353 	struct ipc_security_struct *isec;
5354 	struct common_audit_data ad;
5355 	u32 sid = current_sid();
5356 
5357 	isec = sma->sem_perm.security;
5358 
5359 	ad.type = LSM_AUDIT_DATA_IPC;
5360 	ad.u.ipc_id = sma->sem_perm.key;
5361 
5362 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5363 			    SEM__ASSOCIATE, &ad);
5364 }
5365 
5366 /* Note, at this point, sma is locked down */
5367 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5368 {
5369 	int err;
5370 	u32 perms;
5371 
5372 	switch (cmd) {
5373 	case IPC_INFO:
5374 	case SEM_INFO:
5375 		/* No specific object, just general system-wide information. */
5376 		return task_has_system(current, SYSTEM__IPC_INFO);
5377 	case GETPID:
5378 	case GETNCNT:
5379 	case GETZCNT:
5380 		perms = SEM__GETATTR;
5381 		break;
5382 	case GETVAL:
5383 	case GETALL:
5384 		perms = SEM__READ;
5385 		break;
5386 	case SETVAL:
5387 	case SETALL:
5388 		perms = SEM__WRITE;
5389 		break;
5390 	case IPC_RMID:
5391 		perms = SEM__DESTROY;
5392 		break;
5393 	case IPC_SET:
5394 		perms = SEM__SETATTR;
5395 		break;
5396 	case IPC_STAT:
5397 	case SEM_STAT:
5398 		perms = SEM__GETATTR | SEM__ASSOCIATE;
5399 		break;
5400 	default:
5401 		return 0;
5402 	}
5403 
5404 	err = ipc_has_perm(&sma->sem_perm, perms);
5405 	return err;
5406 }
5407 
5408 static int selinux_sem_semop(struct sem_array *sma,
5409 			     struct sembuf *sops, unsigned nsops, int alter)
5410 {
5411 	u32 perms;
5412 
5413 	if (alter)
5414 		perms = SEM__READ | SEM__WRITE;
5415 	else
5416 		perms = SEM__READ;
5417 
5418 	return ipc_has_perm(&sma->sem_perm, perms);
5419 }
5420 
5421 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5422 {
5423 	u32 av = 0;
5424 
5425 	av = 0;
5426 	if (flag & S_IRUGO)
5427 		av |= IPC__UNIX_READ;
5428 	if (flag & S_IWUGO)
5429 		av |= IPC__UNIX_WRITE;
5430 
5431 	if (av == 0)
5432 		return 0;
5433 
5434 	return ipc_has_perm(ipcp, av);
5435 }
5436 
5437 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5438 {
5439 	struct ipc_security_struct *isec = ipcp->security;
5440 	*secid = isec->sid;
5441 }
5442 
5443 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5444 {
5445 	if (inode)
5446 		inode_doinit_with_dentry(inode, dentry);
5447 }
5448 
5449 static int selinux_getprocattr(struct task_struct *p,
5450 			       char *name, char **value)
5451 {
5452 	const struct task_security_struct *__tsec;
5453 	u32 sid;
5454 	int error;
5455 	unsigned len;
5456 
5457 	if (current != p) {
5458 		error = current_has_perm(p, PROCESS__GETATTR);
5459 		if (error)
5460 			return error;
5461 	}
5462 
5463 	rcu_read_lock();
5464 	__tsec = __task_cred(p)->security;
5465 
5466 	if (!strcmp(name, "current"))
5467 		sid = __tsec->sid;
5468 	else if (!strcmp(name, "prev"))
5469 		sid = __tsec->osid;
5470 	else if (!strcmp(name, "exec"))
5471 		sid = __tsec->exec_sid;
5472 	else if (!strcmp(name, "fscreate"))
5473 		sid = __tsec->create_sid;
5474 	else if (!strcmp(name, "keycreate"))
5475 		sid = __tsec->keycreate_sid;
5476 	else if (!strcmp(name, "sockcreate"))
5477 		sid = __tsec->sockcreate_sid;
5478 	else
5479 		goto invalid;
5480 	rcu_read_unlock();
5481 
5482 	if (!sid)
5483 		return 0;
5484 
5485 	error = security_sid_to_context(sid, value, &len);
5486 	if (error)
5487 		return error;
5488 	return len;
5489 
5490 invalid:
5491 	rcu_read_unlock();
5492 	return -EINVAL;
5493 }
5494 
5495 static int selinux_setprocattr(struct task_struct *p,
5496 			       char *name, void *value, size_t size)
5497 {
5498 	struct task_security_struct *tsec;
5499 	struct task_struct *tracer;
5500 	struct cred *new;
5501 	u32 sid = 0, ptsid;
5502 	int error;
5503 	char *str = value;
5504 
5505 	if (current != p) {
5506 		/* SELinux only allows a process to change its own
5507 		   security attributes. */
5508 		return -EACCES;
5509 	}
5510 
5511 	/*
5512 	 * Basic control over ability to set these attributes at all.
5513 	 * current == p, but we'll pass them separately in case the
5514 	 * above restriction is ever removed.
5515 	 */
5516 	if (!strcmp(name, "exec"))
5517 		error = current_has_perm(p, PROCESS__SETEXEC);
5518 	else if (!strcmp(name, "fscreate"))
5519 		error = current_has_perm(p, PROCESS__SETFSCREATE);
5520 	else if (!strcmp(name, "keycreate"))
5521 		error = current_has_perm(p, PROCESS__SETKEYCREATE);
5522 	else if (!strcmp(name, "sockcreate"))
5523 		error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5524 	else if (!strcmp(name, "current"))
5525 		error = current_has_perm(p, PROCESS__SETCURRENT);
5526 	else
5527 		error = -EINVAL;
5528 	if (error)
5529 		return error;
5530 
5531 	/* Obtain a SID for the context, if one was specified. */
5532 	if (size && str[1] && str[1] != '\n') {
5533 		if (str[size-1] == '\n') {
5534 			str[size-1] = 0;
5535 			size--;
5536 		}
5537 		error = security_context_to_sid(value, size, &sid);
5538 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5539 			if (!capable(CAP_MAC_ADMIN)) {
5540 				struct audit_buffer *ab;
5541 				size_t audit_size;
5542 
5543 				/* We strip a nul only if it is at the end, otherwise the
5544 				 * context contains a nul and we should audit that */
5545 				if (str[size - 1] == '\0')
5546 					audit_size = size - 1;
5547 				else
5548 					audit_size = size;
5549 				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5550 				audit_log_format(ab, "op=fscreate invalid_context=");
5551 				audit_log_n_untrustedstring(ab, value, audit_size);
5552 				audit_log_end(ab);
5553 
5554 				return error;
5555 			}
5556 			error = security_context_to_sid_force(value, size,
5557 							      &sid);
5558 		}
5559 		if (error)
5560 			return error;
5561 	}
5562 
5563 	new = prepare_creds();
5564 	if (!new)
5565 		return -ENOMEM;
5566 
5567 	/* Permission checking based on the specified context is
5568 	   performed during the actual operation (execve,
5569 	   open/mkdir/...), when we know the full context of the
5570 	   operation.  See selinux_bprm_set_creds for the execve
5571 	   checks and may_create for the file creation checks. The
5572 	   operation will then fail if the context is not permitted. */
5573 	tsec = new->security;
5574 	if (!strcmp(name, "exec")) {
5575 		tsec->exec_sid = sid;
5576 	} else if (!strcmp(name, "fscreate")) {
5577 		tsec->create_sid = sid;
5578 	} else if (!strcmp(name, "keycreate")) {
5579 		error = may_create_key(sid, p);
5580 		if (error)
5581 			goto abort_change;
5582 		tsec->keycreate_sid = sid;
5583 	} else if (!strcmp(name, "sockcreate")) {
5584 		tsec->sockcreate_sid = sid;
5585 	} else if (!strcmp(name, "current")) {
5586 		error = -EINVAL;
5587 		if (sid == 0)
5588 			goto abort_change;
5589 
5590 		/* Only allow single threaded processes to change context */
5591 		error = -EPERM;
5592 		if (!current_is_single_threaded()) {
5593 			error = security_bounded_transition(tsec->sid, sid);
5594 			if (error)
5595 				goto abort_change;
5596 		}
5597 
5598 		/* Check permissions for the transition. */
5599 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5600 				     PROCESS__DYNTRANSITION, NULL);
5601 		if (error)
5602 			goto abort_change;
5603 
5604 		/* Check for ptracing, and update the task SID if ok.
5605 		   Otherwise, leave SID unchanged and fail. */
5606 		ptsid = 0;
5607 		rcu_read_lock();
5608 		tracer = ptrace_parent(p);
5609 		if (tracer)
5610 			ptsid = task_sid(tracer);
5611 		rcu_read_unlock();
5612 
5613 		if (tracer) {
5614 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5615 					     PROCESS__PTRACE, NULL);
5616 			if (error)
5617 				goto abort_change;
5618 		}
5619 
5620 		tsec->sid = sid;
5621 	} else {
5622 		error = -EINVAL;
5623 		goto abort_change;
5624 	}
5625 
5626 	commit_creds(new);
5627 	return size;
5628 
5629 abort_change:
5630 	abort_creds(new);
5631 	return error;
5632 }
5633 
5634 static int selinux_ismaclabel(const char *name)
5635 {
5636 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5637 }
5638 
5639 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5640 {
5641 	return security_sid_to_context(secid, secdata, seclen);
5642 }
5643 
5644 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5645 {
5646 	return security_context_to_sid(secdata, seclen, secid);
5647 }
5648 
5649 static void selinux_release_secctx(char *secdata, u32 seclen)
5650 {
5651 	kfree(secdata);
5652 }
5653 
5654 /*
5655  *	called with inode->i_mutex locked
5656  */
5657 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5658 {
5659 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5660 }
5661 
5662 /*
5663  *	called with inode->i_mutex locked
5664  */
5665 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5666 {
5667 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5668 }
5669 
5670 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5671 {
5672 	int len = 0;
5673 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5674 						ctx, true);
5675 	if (len < 0)
5676 		return len;
5677 	*ctxlen = len;
5678 	return 0;
5679 }
5680 #ifdef CONFIG_KEYS
5681 
5682 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5683 			     unsigned long flags)
5684 {
5685 	const struct task_security_struct *tsec;
5686 	struct key_security_struct *ksec;
5687 
5688 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5689 	if (!ksec)
5690 		return -ENOMEM;
5691 
5692 	tsec = cred->security;
5693 	if (tsec->keycreate_sid)
5694 		ksec->sid = tsec->keycreate_sid;
5695 	else
5696 		ksec->sid = tsec->sid;
5697 
5698 	k->security = ksec;
5699 	return 0;
5700 }
5701 
5702 static void selinux_key_free(struct key *k)
5703 {
5704 	struct key_security_struct *ksec = k->security;
5705 
5706 	k->security = NULL;
5707 	kfree(ksec);
5708 }
5709 
5710 static int selinux_key_permission(key_ref_t key_ref,
5711 				  const struct cred *cred,
5712 				  key_perm_t perm)
5713 {
5714 	struct key *key;
5715 	struct key_security_struct *ksec;
5716 	u32 sid;
5717 
5718 	/* if no specific permissions are requested, we skip the
5719 	   permission check. No serious, additional covert channels
5720 	   appear to be created. */
5721 	if (perm == 0)
5722 		return 0;
5723 
5724 	sid = cred_sid(cred);
5725 
5726 	key = key_ref_to_ptr(key_ref);
5727 	ksec = key->security;
5728 
5729 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5730 }
5731 
5732 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5733 {
5734 	struct key_security_struct *ksec = key->security;
5735 	char *context = NULL;
5736 	unsigned len;
5737 	int rc;
5738 
5739 	rc = security_sid_to_context(ksec->sid, &context, &len);
5740 	if (!rc)
5741 		rc = len;
5742 	*_buffer = context;
5743 	return rc;
5744 }
5745 
5746 #endif
5747 
5748 static struct security_operations selinux_ops = {
5749 	.name =				"selinux",
5750 
5751 	.ptrace_access_check =		selinux_ptrace_access_check,
5752 	.ptrace_traceme =		selinux_ptrace_traceme,
5753 	.capget =			selinux_capget,
5754 	.capset =			selinux_capset,
5755 	.capable =			selinux_capable,
5756 	.quotactl =			selinux_quotactl,
5757 	.quota_on =			selinux_quota_on,
5758 	.syslog =			selinux_syslog,
5759 	.vm_enough_memory =		selinux_vm_enough_memory,
5760 
5761 	.netlink_send =			selinux_netlink_send,
5762 
5763 	.bprm_set_creds =		selinux_bprm_set_creds,
5764 	.bprm_committing_creds =	selinux_bprm_committing_creds,
5765 	.bprm_committed_creds =		selinux_bprm_committed_creds,
5766 	.bprm_secureexec =		selinux_bprm_secureexec,
5767 
5768 	.sb_alloc_security =		selinux_sb_alloc_security,
5769 	.sb_free_security =		selinux_sb_free_security,
5770 	.sb_copy_data =			selinux_sb_copy_data,
5771 	.sb_remount =			selinux_sb_remount,
5772 	.sb_kern_mount =		selinux_sb_kern_mount,
5773 	.sb_show_options =		selinux_sb_show_options,
5774 	.sb_statfs =			selinux_sb_statfs,
5775 	.sb_mount =			selinux_mount,
5776 	.sb_umount =			selinux_umount,
5777 	.sb_set_mnt_opts =		selinux_set_mnt_opts,
5778 	.sb_clone_mnt_opts =		selinux_sb_clone_mnt_opts,
5779 	.sb_parse_opts_str = 		selinux_parse_opts_str,
5780 
5781 	.dentry_init_security =		selinux_dentry_init_security,
5782 
5783 	.inode_alloc_security =		selinux_inode_alloc_security,
5784 	.inode_free_security =		selinux_inode_free_security,
5785 	.inode_init_security =		selinux_inode_init_security,
5786 	.inode_create =			selinux_inode_create,
5787 	.inode_link =			selinux_inode_link,
5788 	.inode_unlink =			selinux_inode_unlink,
5789 	.inode_symlink =		selinux_inode_symlink,
5790 	.inode_mkdir =			selinux_inode_mkdir,
5791 	.inode_rmdir =			selinux_inode_rmdir,
5792 	.inode_mknod =			selinux_inode_mknod,
5793 	.inode_rename =			selinux_inode_rename,
5794 	.inode_readlink =		selinux_inode_readlink,
5795 	.inode_follow_link =		selinux_inode_follow_link,
5796 	.inode_permission =		selinux_inode_permission,
5797 	.inode_setattr =		selinux_inode_setattr,
5798 	.inode_getattr =		selinux_inode_getattr,
5799 	.inode_setxattr =		selinux_inode_setxattr,
5800 	.inode_post_setxattr =		selinux_inode_post_setxattr,
5801 	.inode_getxattr =		selinux_inode_getxattr,
5802 	.inode_listxattr =		selinux_inode_listxattr,
5803 	.inode_removexattr =		selinux_inode_removexattr,
5804 	.inode_getsecurity =		selinux_inode_getsecurity,
5805 	.inode_setsecurity =		selinux_inode_setsecurity,
5806 	.inode_listsecurity =		selinux_inode_listsecurity,
5807 	.inode_getsecid =		selinux_inode_getsecid,
5808 
5809 	.file_permission =		selinux_file_permission,
5810 	.file_alloc_security =		selinux_file_alloc_security,
5811 	.file_free_security =		selinux_file_free_security,
5812 	.file_ioctl =			selinux_file_ioctl,
5813 	.mmap_file =			selinux_mmap_file,
5814 	.mmap_addr =			selinux_mmap_addr,
5815 	.file_mprotect =		selinux_file_mprotect,
5816 	.file_lock =			selinux_file_lock,
5817 	.file_fcntl =			selinux_file_fcntl,
5818 	.file_set_fowner =		selinux_file_set_fowner,
5819 	.file_send_sigiotask =		selinux_file_send_sigiotask,
5820 	.file_receive =			selinux_file_receive,
5821 
5822 	.file_open =			selinux_file_open,
5823 
5824 	.task_create =			selinux_task_create,
5825 	.cred_alloc_blank =		selinux_cred_alloc_blank,
5826 	.cred_free =			selinux_cred_free,
5827 	.cred_prepare =			selinux_cred_prepare,
5828 	.cred_transfer =		selinux_cred_transfer,
5829 	.kernel_act_as =		selinux_kernel_act_as,
5830 	.kernel_create_files_as =	selinux_kernel_create_files_as,
5831 	.kernel_module_request =	selinux_kernel_module_request,
5832 	.task_setpgid =			selinux_task_setpgid,
5833 	.task_getpgid =			selinux_task_getpgid,
5834 	.task_getsid =			selinux_task_getsid,
5835 	.task_getsecid =		selinux_task_getsecid,
5836 	.task_setnice =			selinux_task_setnice,
5837 	.task_setioprio =		selinux_task_setioprio,
5838 	.task_getioprio =		selinux_task_getioprio,
5839 	.task_setrlimit =		selinux_task_setrlimit,
5840 	.task_setscheduler =		selinux_task_setscheduler,
5841 	.task_getscheduler =		selinux_task_getscheduler,
5842 	.task_movememory =		selinux_task_movememory,
5843 	.task_kill =			selinux_task_kill,
5844 	.task_wait =			selinux_task_wait,
5845 	.task_to_inode =		selinux_task_to_inode,
5846 
5847 	.ipc_permission =		selinux_ipc_permission,
5848 	.ipc_getsecid =			selinux_ipc_getsecid,
5849 
5850 	.msg_msg_alloc_security =	selinux_msg_msg_alloc_security,
5851 	.msg_msg_free_security =	selinux_msg_msg_free_security,
5852 
5853 	.msg_queue_alloc_security =	selinux_msg_queue_alloc_security,
5854 	.msg_queue_free_security =	selinux_msg_queue_free_security,
5855 	.msg_queue_associate =		selinux_msg_queue_associate,
5856 	.msg_queue_msgctl =		selinux_msg_queue_msgctl,
5857 	.msg_queue_msgsnd =		selinux_msg_queue_msgsnd,
5858 	.msg_queue_msgrcv =		selinux_msg_queue_msgrcv,
5859 
5860 	.shm_alloc_security =		selinux_shm_alloc_security,
5861 	.shm_free_security =		selinux_shm_free_security,
5862 	.shm_associate =		selinux_shm_associate,
5863 	.shm_shmctl =			selinux_shm_shmctl,
5864 	.shm_shmat =			selinux_shm_shmat,
5865 
5866 	.sem_alloc_security =		selinux_sem_alloc_security,
5867 	.sem_free_security =		selinux_sem_free_security,
5868 	.sem_associate =		selinux_sem_associate,
5869 	.sem_semctl =			selinux_sem_semctl,
5870 	.sem_semop =			selinux_sem_semop,
5871 
5872 	.d_instantiate =		selinux_d_instantiate,
5873 
5874 	.getprocattr =			selinux_getprocattr,
5875 	.setprocattr =			selinux_setprocattr,
5876 
5877 	.ismaclabel =			selinux_ismaclabel,
5878 	.secid_to_secctx =		selinux_secid_to_secctx,
5879 	.secctx_to_secid =		selinux_secctx_to_secid,
5880 	.release_secctx =		selinux_release_secctx,
5881 	.inode_notifysecctx =		selinux_inode_notifysecctx,
5882 	.inode_setsecctx =		selinux_inode_setsecctx,
5883 	.inode_getsecctx =		selinux_inode_getsecctx,
5884 
5885 	.unix_stream_connect =		selinux_socket_unix_stream_connect,
5886 	.unix_may_send =		selinux_socket_unix_may_send,
5887 
5888 	.socket_create =		selinux_socket_create,
5889 	.socket_post_create =		selinux_socket_post_create,
5890 	.socket_bind =			selinux_socket_bind,
5891 	.socket_connect =		selinux_socket_connect,
5892 	.socket_listen =		selinux_socket_listen,
5893 	.socket_accept =		selinux_socket_accept,
5894 	.socket_sendmsg =		selinux_socket_sendmsg,
5895 	.socket_recvmsg =		selinux_socket_recvmsg,
5896 	.socket_getsockname =		selinux_socket_getsockname,
5897 	.socket_getpeername =		selinux_socket_getpeername,
5898 	.socket_getsockopt =		selinux_socket_getsockopt,
5899 	.socket_setsockopt =		selinux_socket_setsockopt,
5900 	.socket_shutdown =		selinux_socket_shutdown,
5901 	.socket_sock_rcv_skb =		selinux_socket_sock_rcv_skb,
5902 	.socket_getpeersec_stream =	selinux_socket_getpeersec_stream,
5903 	.socket_getpeersec_dgram =	selinux_socket_getpeersec_dgram,
5904 	.sk_alloc_security =		selinux_sk_alloc_security,
5905 	.sk_free_security =		selinux_sk_free_security,
5906 	.sk_clone_security =		selinux_sk_clone_security,
5907 	.sk_getsecid =			selinux_sk_getsecid,
5908 	.sock_graft =			selinux_sock_graft,
5909 	.inet_conn_request =		selinux_inet_conn_request,
5910 	.inet_csk_clone =		selinux_inet_csk_clone,
5911 	.inet_conn_established =	selinux_inet_conn_established,
5912 	.secmark_relabel_packet =	selinux_secmark_relabel_packet,
5913 	.secmark_refcount_inc =		selinux_secmark_refcount_inc,
5914 	.secmark_refcount_dec =		selinux_secmark_refcount_dec,
5915 	.req_classify_flow =		selinux_req_classify_flow,
5916 	.tun_dev_alloc_security =	selinux_tun_dev_alloc_security,
5917 	.tun_dev_free_security =	selinux_tun_dev_free_security,
5918 	.tun_dev_create =		selinux_tun_dev_create,
5919 	.tun_dev_attach_queue =		selinux_tun_dev_attach_queue,
5920 	.tun_dev_attach =		selinux_tun_dev_attach,
5921 	.tun_dev_open =			selinux_tun_dev_open,
5922 	.skb_owned_by =			selinux_skb_owned_by,
5923 
5924 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5925 	.xfrm_policy_alloc_security =	selinux_xfrm_policy_alloc,
5926 	.xfrm_policy_clone_security =	selinux_xfrm_policy_clone,
5927 	.xfrm_policy_free_security =	selinux_xfrm_policy_free,
5928 	.xfrm_policy_delete_security =	selinux_xfrm_policy_delete,
5929 	.xfrm_state_alloc =		selinux_xfrm_state_alloc,
5930 	.xfrm_state_alloc_acquire =	selinux_xfrm_state_alloc_acquire,
5931 	.xfrm_state_free_security =	selinux_xfrm_state_free,
5932 	.xfrm_state_delete_security =	selinux_xfrm_state_delete,
5933 	.xfrm_policy_lookup =		selinux_xfrm_policy_lookup,
5934 	.xfrm_state_pol_flow_match =	selinux_xfrm_state_pol_flow_match,
5935 	.xfrm_decode_session =		selinux_xfrm_decode_session,
5936 #endif
5937 
5938 #ifdef CONFIG_KEYS
5939 	.key_alloc =			selinux_key_alloc,
5940 	.key_free =			selinux_key_free,
5941 	.key_permission =		selinux_key_permission,
5942 	.key_getsecurity =		selinux_key_getsecurity,
5943 #endif
5944 
5945 #ifdef CONFIG_AUDIT
5946 	.audit_rule_init =		selinux_audit_rule_init,
5947 	.audit_rule_known =		selinux_audit_rule_known,
5948 	.audit_rule_match =		selinux_audit_rule_match,
5949 	.audit_rule_free =		selinux_audit_rule_free,
5950 #endif
5951 };
5952 
5953 static __init int selinux_init(void)
5954 {
5955 	if (!security_module_enable(&selinux_ops)) {
5956 		selinux_enabled = 0;
5957 		return 0;
5958 	}
5959 
5960 	if (!selinux_enabled) {
5961 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5962 		return 0;
5963 	}
5964 
5965 	printk(KERN_INFO "SELinux:  Initializing.\n");
5966 
5967 	/* Set the security state for the initial task. */
5968 	cred_init_security();
5969 
5970 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5971 
5972 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
5973 					    sizeof(struct inode_security_struct),
5974 					    0, SLAB_PANIC, NULL);
5975 	avc_init();
5976 
5977 	if (register_security(&selinux_ops))
5978 		panic("SELinux: Unable to register with kernel.\n");
5979 
5980 	if (selinux_enforcing)
5981 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5982 	else
5983 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5984 
5985 	return 0;
5986 }
5987 
5988 static void delayed_superblock_init(struct super_block *sb, void *unused)
5989 {
5990 	superblock_doinit(sb, NULL);
5991 }
5992 
5993 void selinux_complete_init(void)
5994 {
5995 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5996 
5997 	/* Set up any superblocks initialized prior to the policy load. */
5998 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5999 	iterate_supers(delayed_superblock_init, NULL);
6000 }
6001 
6002 /* SELinux requires early initialization in order to label
6003    all processes and objects when they are created. */
6004 security_initcall(selinux_init);
6005 
6006 #if defined(CONFIG_NETFILTER)
6007 
6008 static struct nf_hook_ops selinux_ipv4_ops[] = {
6009 	{
6010 		.hook =		selinux_ipv4_postroute,
6011 		.owner =	THIS_MODULE,
6012 		.pf =		NFPROTO_IPV4,
6013 		.hooknum =	NF_INET_POST_ROUTING,
6014 		.priority =	NF_IP_PRI_SELINUX_LAST,
6015 	},
6016 	{
6017 		.hook =		selinux_ipv4_forward,
6018 		.owner =	THIS_MODULE,
6019 		.pf =		NFPROTO_IPV4,
6020 		.hooknum =	NF_INET_FORWARD,
6021 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6022 	},
6023 	{
6024 		.hook =		selinux_ipv4_output,
6025 		.owner =	THIS_MODULE,
6026 		.pf =		NFPROTO_IPV4,
6027 		.hooknum =	NF_INET_LOCAL_OUT,
6028 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6029 	}
6030 };
6031 
6032 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6033 
6034 static struct nf_hook_ops selinux_ipv6_ops[] = {
6035 	{
6036 		.hook =		selinux_ipv6_postroute,
6037 		.owner =	THIS_MODULE,
6038 		.pf =		NFPROTO_IPV6,
6039 		.hooknum =	NF_INET_POST_ROUTING,
6040 		.priority =	NF_IP6_PRI_SELINUX_LAST,
6041 	},
6042 	{
6043 		.hook =		selinux_ipv6_forward,
6044 		.owner =	THIS_MODULE,
6045 		.pf =		NFPROTO_IPV6,
6046 		.hooknum =	NF_INET_FORWARD,
6047 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6048 	}
6049 };
6050 
6051 #endif	/* IPV6 */
6052 
6053 static int __init selinux_nf_ip_init(void)
6054 {
6055 	int err = 0;
6056 
6057 	if (!selinux_enabled)
6058 		goto out;
6059 
6060 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6061 
6062 	err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
6063 	if (err)
6064 		panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
6065 
6066 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6067 	err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
6068 	if (err)
6069 		panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
6070 #endif	/* IPV6 */
6071 
6072 out:
6073 	return err;
6074 }
6075 
6076 __initcall(selinux_nf_ip_init);
6077 
6078 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6079 static void selinux_nf_ip_exit(void)
6080 {
6081 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6082 
6083 	nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
6084 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6085 	nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
6086 #endif	/* IPV6 */
6087 }
6088 #endif
6089 
6090 #else /* CONFIG_NETFILTER */
6091 
6092 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6093 #define selinux_nf_ip_exit()
6094 #endif
6095 
6096 #endif /* CONFIG_NETFILTER */
6097 
6098 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6099 static int selinux_disabled;
6100 
6101 int selinux_disable(void)
6102 {
6103 	if (ss_initialized) {
6104 		/* Not permitted after initial policy load. */
6105 		return -EINVAL;
6106 	}
6107 
6108 	if (selinux_disabled) {
6109 		/* Only do this once. */
6110 		return -EINVAL;
6111 	}
6112 
6113 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6114 
6115 	selinux_disabled = 1;
6116 	selinux_enabled = 0;
6117 
6118 	reset_security_ops();
6119 
6120 	/* Try to destroy the avc node cache */
6121 	avc_disable();
6122 
6123 	/* Unregister netfilter hooks. */
6124 	selinux_nf_ip_exit();
6125 
6126 	/* Unregister selinuxfs. */
6127 	exit_sel_fs();
6128 
6129 	return 0;
6130 }
6131 #endif
6132