xref: /openbmc/linux/security/selinux/hooks.c (revision 8c749ce9)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *	This program is free software; you can redistribute it and/or modify
22  *	it under the terms of the GNU General Public License version 2,
23  *	as published by the Free Software Foundation.
24  */
25 
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>		/* for local_port_range[] */
54 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>	/* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>		/* for Unix socket types */
70 #include <net/af_unix.h>	/* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86 
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96 
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102 
103 static int __init enforcing_setup(char *str)
104 {
105 	unsigned long enforcing;
106 	if (!kstrtoul(str, 0, &enforcing))
107 		selinux_enforcing = enforcing ? 1 : 0;
108 	return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112 
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115 
116 static int __init selinux_enabled_setup(char *str)
117 {
118 	unsigned long enabled;
119 	if (!kstrtoul(str, 0, &enabled))
120 		selinux_enabled = enabled ? 1 : 0;
121 	return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127 
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130 
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
139  * policy capability is enabled, SECMARK is always considered enabled.
140  *
141  */
142 static int selinux_secmark_enabled(void)
143 {
144 	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146 
147 /**
148  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149  *
150  * Description:
151  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
152  * (1) if any are enabled or false (0) if neither are enabled.  If the
153  * always_check_network policy capability is enabled, peer labeling
154  * is always considered enabled.
155  *
156  */
157 static int selinux_peerlbl_enabled(void)
158 {
159 	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161 
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 	if (event == AVC_CALLBACK_RESET) {
165 		sel_netif_flush();
166 		sel_netnode_flush();
167 		sel_netport_flush();
168 		synchronize_net();
169 	}
170 	return 0;
171 }
172 
173 /*
174  * initialise the security for the init task
175  */
176 static void cred_init_security(void)
177 {
178 	struct cred *cred = (struct cred *) current->real_cred;
179 	struct task_security_struct *tsec;
180 
181 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 	if (!tsec)
183 		panic("SELinux:  Failed to initialize initial task.\n");
184 
185 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 	cred->security = tsec;
187 }
188 
189 /*
190  * get the security ID of a set of credentials
191  */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 	const struct task_security_struct *tsec;
195 
196 	tsec = cred->security;
197 	return tsec->sid;
198 }
199 
200 /*
201  * get the objective security ID of a task
202  */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 	u32 sid;
206 
207 	rcu_read_lock();
208 	sid = cred_sid(__task_cred(task));
209 	rcu_read_unlock();
210 	return sid;
211 }
212 
213 /*
214  * get the subjective security ID of the current task
215  */
216 static inline u32 current_sid(void)
217 {
218 	const struct task_security_struct *tsec = current_security();
219 
220 	return tsec->sid;
221 }
222 
223 /* Allocate and free functions for each kind of security blob. */
224 
225 static int inode_alloc_security(struct inode *inode)
226 {
227 	struct inode_security_struct *isec;
228 	u32 sid = current_sid();
229 
230 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 	if (!isec)
232 		return -ENOMEM;
233 
234 	mutex_init(&isec->lock);
235 	INIT_LIST_HEAD(&isec->list);
236 	isec->inode = inode;
237 	isec->sid = SECINITSID_UNLABELED;
238 	isec->sclass = SECCLASS_FILE;
239 	isec->task_sid = sid;
240 	inode->i_security = isec;
241 
242 	return 0;
243 }
244 
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246 
247 /*
248  * Try reloading inode security labels that have been marked as invalid.  The
249  * @may_sleep parameter indicates when sleeping and thus reloading labels is
250  * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
252  * when no dentry is available, set it to NULL instead.
253  */
254 static int __inode_security_revalidate(struct inode *inode,
255 				       struct dentry *opt_dentry,
256 				       bool may_sleep)
257 {
258 	struct inode_security_struct *isec = inode->i_security;
259 
260 	might_sleep_if(may_sleep);
261 
262 	if (isec->initialized == LABEL_INVALID) {
263 		if (!may_sleep)
264 			return -ECHILD;
265 
266 		/*
267 		 * Try reloading the inode security label.  This will fail if
268 		 * @opt_dentry is NULL and no dentry for this inode can be
269 		 * found; in that case, continue using the old label.
270 		 */
271 		inode_doinit_with_dentry(inode, opt_dentry);
272 	}
273 	return 0;
274 }
275 
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278 	return inode->i_security;
279 }
280 
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283 	int error;
284 
285 	error = __inode_security_revalidate(inode, NULL, !rcu);
286 	if (error)
287 		return ERR_PTR(error);
288 	return inode->i_security;
289 }
290 
291 /*
292  * Get the security label of an inode.
293  */
294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296 	__inode_security_revalidate(inode, NULL, true);
297 	return inode->i_security;
298 }
299 
300 /*
301  * Get the security label of a dentry's backing inode.
302  */
303 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
304 {
305 	struct inode *inode = d_backing_inode(dentry);
306 
307 	__inode_security_revalidate(inode, dentry, true);
308 	return inode->i_security;
309 }
310 
311 static void inode_free_rcu(struct rcu_head *head)
312 {
313 	struct inode_security_struct *isec;
314 
315 	isec = container_of(head, struct inode_security_struct, rcu);
316 	kmem_cache_free(sel_inode_cache, isec);
317 }
318 
319 static void inode_free_security(struct inode *inode)
320 {
321 	struct inode_security_struct *isec = inode->i_security;
322 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
323 
324 	/*
325 	 * As not all inode security structures are in a list, we check for
326 	 * empty list outside of the lock to make sure that we won't waste
327 	 * time taking a lock doing nothing.
328 	 *
329 	 * The list_del_init() function can be safely called more than once.
330 	 * It should not be possible for this function to be called with
331 	 * concurrent list_add(), but for better safety against future changes
332 	 * in the code, we use list_empty_careful() here.
333 	 */
334 	if (!list_empty_careful(&isec->list)) {
335 		spin_lock(&sbsec->isec_lock);
336 		list_del_init(&isec->list);
337 		spin_unlock(&sbsec->isec_lock);
338 	}
339 
340 	/*
341 	 * The inode may still be referenced in a path walk and
342 	 * a call to selinux_inode_permission() can be made
343 	 * after inode_free_security() is called. Ideally, the VFS
344 	 * wouldn't do this, but fixing that is a much harder
345 	 * job. For now, simply free the i_security via RCU, and
346 	 * leave the current inode->i_security pointer intact.
347 	 * The inode will be freed after the RCU grace period too.
348 	 */
349 	call_rcu(&isec->rcu, inode_free_rcu);
350 }
351 
352 static int file_alloc_security(struct file *file)
353 {
354 	struct file_security_struct *fsec;
355 	u32 sid = current_sid();
356 
357 	fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
358 	if (!fsec)
359 		return -ENOMEM;
360 
361 	fsec->sid = sid;
362 	fsec->fown_sid = sid;
363 	file->f_security = fsec;
364 
365 	return 0;
366 }
367 
368 static void file_free_security(struct file *file)
369 {
370 	struct file_security_struct *fsec = file->f_security;
371 	file->f_security = NULL;
372 	kmem_cache_free(file_security_cache, fsec);
373 }
374 
375 static int superblock_alloc_security(struct super_block *sb)
376 {
377 	struct superblock_security_struct *sbsec;
378 
379 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
380 	if (!sbsec)
381 		return -ENOMEM;
382 
383 	mutex_init(&sbsec->lock);
384 	INIT_LIST_HEAD(&sbsec->isec_head);
385 	spin_lock_init(&sbsec->isec_lock);
386 	sbsec->sb = sb;
387 	sbsec->sid = SECINITSID_UNLABELED;
388 	sbsec->def_sid = SECINITSID_FILE;
389 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
390 	sb->s_security = sbsec;
391 
392 	return 0;
393 }
394 
395 static void superblock_free_security(struct super_block *sb)
396 {
397 	struct superblock_security_struct *sbsec = sb->s_security;
398 	sb->s_security = NULL;
399 	kfree(sbsec);
400 }
401 
402 /* The file system's label must be initialized prior to use. */
403 
404 static const char *labeling_behaviors[7] = {
405 	"uses xattr",
406 	"uses transition SIDs",
407 	"uses task SIDs",
408 	"uses genfs_contexts",
409 	"not configured for labeling",
410 	"uses mountpoint labeling",
411 	"uses native labeling",
412 };
413 
414 static inline int inode_doinit(struct inode *inode)
415 {
416 	return inode_doinit_with_dentry(inode, NULL);
417 }
418 
419 enum {
420 	Opt_error = -1,
421 	Opt_context = 1,
422 	Opt_fscontext = 2,
423 	Opt_defcontext = 3,
424 	Opt_rootcontext = 4,
425 	Opt_labelsupport = 5,
426 	Opt_nextmntopt = 6,
427 };
428 
429 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
430 
431 static const match_table_t tokens = {
432 	{Opt_context, CONTEXT_STR "%s"},
433 	{Opt_fscontext, FSCONTEXT_STR "%s"},
434 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
435 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
436 	{Opt_labelsupport, LABELSUPP_STR},
437 	{Opt_error, NULL},
438 };
439 
440 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
441 
442 static int may_context_mount_sb_relabel(u32 sid,
443 			struct superblock_security_struct *sbsec,
444 			const struct cred *cred)
445 {
446 	const struct task_security_struct *tsec = cred->security;
447 	int rc;
448 
449 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 			  FILESYSTEM__RELABELFROM, NULL);
451 	if (rc)
452 		return rc;
453 
454 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455 			  FILESYSTEM__RELABELTO, NULL);
456 	return rc;
457 }
458 
459 static int may_context_mount_inode_relabel(u32 sid,
460 			struct superblock_security_struct *sbsec,
461 			const struct cred *cred)
462 {
463 	const struct task_security_struct *tsec = cred->security;
464 	int rc;
465 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 			  FILESYSTEM__RELABELFROM, NULL);
467 	if (rc)
468 		return rc;
469 
470 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 			  FILESYSTEM__ASSOCIATE, NULL);
472 	return rc;
473 }
474 
475 static int selinux_is_sblabel_mnt(struct super_block *sb)
476 {
477 	struct superblock_security_struct *sbsec = sb->s_security;
478 
479 	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
480 		sbsec->behavior == SECURITY_FS_USE_TRANS ||
481 		sbsec->behavior == SECURITY_FS_USE_TASK ||
482 		sbsec->behavior == SECURITY_FS_USE_NATIVE ||
483 		/* Special handling. Genfs but also in-core setxattr handler */
484 		!strcmp(sb->s_type->name, "sysfs") ||
485 		!strcmp(sb->s_type->name, "pstore") ||
486 		!strcmp(sb->s_type->name, "debugfs") ||
487 		!strcmp(sb->s_type->name, "rootfs");
488 }
489 
490 static int sb_finish_set_opts(struct super_block *sb)
491 {
492 	struct superblock_security_struct *sbsec = sb->s_security;
493 	struct dentry *root = sb->s_root;
494 	struct inode *root_inode = d_backing_inode(root);
495 	int rc = 0;
496 
497 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
498 		/* Make sure that the xattr handler exists and that no
499 		   error other than -ENODATA is returned by getxattr on
500 		   the root directory.  -ENODATA is ok, as this may be
501 		   the first boot of the SELinux kernel before we have
502 		   assigned xattr values to the filesystem. */
503 		if (!root_inode->i_op->getxattr) {
504 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
505 			       "xattr support\n", sb->s_id, sb->s_type->name);
506 			rc = -EOPNOTSUPP;
507 			goto out;
508 		}
509 		rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
510 		if (rc < 0 && rc != -ENODATA) {
511 			if (rc == -EOPNOTSUPP)
512 				printk(KERN_WARNING "SELinux: (dev %s, type "
513 				       "%s) has no security xattr handler\n",
514 				       sb->s_id, sb->s_type->name);
515 			else
516 				printk(KERN_WARNING "SELinux: (dev %s, type "
517 				       "%s) getxattr errno %d\n", sb->s_id,
518 				       sb->s_type->name, -rc);
519 			goto out;
520 		}
521 	}
522 
523 	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
524 		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
525 		       sb->s_id, sb->s_type->name);
526 
527 	sbsec->flags |= SE_SBINITIALIZED;
528 	if (selinux_is_sblabel_mnt(sb))
529 		sbsec->flags |= SBLABEL_MNT;
530 
531 	/* Initialize the root inode. */
532 	rc = inode_doinit_with_dentry(root_inode, root);
533 
534 	/* Initialize any other inodes associated with the superblock, e.g.
535 	   inodes created prior to initial policy load or inodes created
536 	   during get_sb by a pseudo filesystem that directly
537 	   populates itself. */
538 	spin_lock(&sbsec->isec_lock);
539 next_inode:
540 	if (!list_empty(&sbsec->isec_head)) {
541 		struct inode_security_struct *isec =
542 				list_entry(sbsec->isec_head.next,
543 					   struct inode_security_struct, list);
544 		struct inode *inode = isec->inode;
545 		list_del_init(&isec->list);
546 		spin_unlock(&sbsec->isec_lock);
547 		inode = igrab(inode);
548 		if (inode) {
549 			if (!IS_PRIVATE(inode))
550 				inode_doinit(inode);
551 			iput(inode);
552 		}
553 		spin_lock(&sbsec->isec_lock);
554 		goto next_inode;
555 	}
556 	spin_unlock(&sbsec->isec_lock);
557 out:
558 	return rc;
559 }
560 
561 /*
562  * This function should allow an FS to ask what it's mount security
563  * options were so it can use those later for submounts, displaying
564  * mount options, or whatever.
565  */
566 static int selinux_get_mnt_opts(const struct super_block *sb,
567 				struct security_mnt_opts *opts)
568 {
569 	int rc = 0, i;
570 	struct superblock_security_struct *sbsec = sb->s_security;
571 	char *context = NULL;
572 	u32 len;
573 	char tmp;
574 
575 	security_init_mnt_opts(opts);
576 
577 	if (!(sbsec->flags & SE_SBINITIALIZED))
578 		return -EINVAL;
579 
580 	if (!ss_initialized)
581 		return -EINVAL;
582 
583 	/* make sure we always check enough bits to cover the mask */
584 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
585 
586 	tmp = sbsec->flags & SE_MNTMASK;
587 	/* count the number of mount options for this sb */
588 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
589 		if (tmp & 0x01)
590 			opts->num_mnt_opts++;
591 		tmp >>= 1;
592 	}
593 	/* Check if the Label support flag is set */
594 	if (sbsec->flags & SBLABEL_MNT)
595 		opts->num_mnt_opts++;
596 
597 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
598 	if (!opts->mnt_opts) {
599 		rc = -ENOMEM;
600 		goto out_free;
601 	}
602 
603 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
604 	if (!opts->mnt_opts_flags) {
605 		rc = -ENOMEM;
606 		goto out_free;
607 	}
608 
609 	i = 0;
610 	if (sbsec->flags & FSCONTEXT_MNT) {
611 		rc = security_sid_to_context(sbsec->sid, &context, &len);
612 		if (rc)
613 			goto out_free;
614 		opts->mnt_opts[i] = context;
615 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
616 	}
617 	if (sbsec->flags & CONTEXT_MNT) {
618 		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
619 		if (rc)
620 			goto out_free;
621 		opts->mnt_opts[i] = context;
622 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
623 	}
624 	if (sbsec->flags & DEFCONTEXT_MNT) {
625 		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
626 		if (rc)
627 			goto out_free;
628 		opts->mnt_opts[i] = context;
629 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
630 	}
631 	if (sbsec->flags & ROOTCONTEXT_MNT) {
632 		struct dentry *root = sbsec->sb->s_root;
633 		struct inode_security_struct *isec = backing_inode_security(root);
634 
635 		rc = security_sid_to_context(isec->sid, &context, &len);
636 		if (rc)
637 			goto out_free;
638 		opts->mnt_opts[i] = context;
639 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
640 	}
641 	if (sbsec->flags & SBLABEL_MNT) {
642 		opts->mnt_opts[i] = NULL;
643 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
644 	}
645 
646 	BUG_ON(i != opts->num_mnt_opts);
647 
648 	return 0;
649 
650 out_free:
651 	security_free_mnt_opts(opts);
652 	return rc;
653 }
654 
655 static int bad_option(struct superblock_security_struct *sbsec, char flag,
656 		      u32 old_sid, u32 new_sid)
657 {
658 	char mnt_flags = sbsec->flags & SE_MNTMASK;
659 
660 	/* check if the old mount command had the same options */
661 	if (sbsec->flags & SE_SBINITIALIZED)
662 		if (!(sbsec->flags & flag) ||
663 		    (old_sid != new_sid))
664 			return 1;
665 
666 	/* check if we were passed the same options twice,
667 	 * aka someone passed context=a,context=b
668 	 */
669 	if (!(sbsec->flags & SE_SBINITIALIZED))
670 		if (mnt_flags & flag)
671 			return 1;
672 	return 0;
673 }
674 
675 /*
676  * Allow filesystems with binary mount data to explicitly set mount point
677  * labeling information.
678  */
679 static int selinux_set_mnt_opts(struct super_block *sb,
680 				struct security_mnt_opts *opts,
681 				unsigned long kern_flags,
682 				unsigned long *set_kern_flags)
683 {
684 	const struct cred *cred = current_cred();
685 	int rc = 0, i;
686 	struct superblock_security_struct *sbsec = sb->s_security;
687 	const char *name = sb->s_type->name;
688 	struct dentry *root = sbsec->sb->s_root;
689 	struct inode_security_struct *root_isec = backing_inode_security(root);
690 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
691 	u32 defcontext_sid = 0;
692 	char **mount_options = opts->mnt_opts;
693 	int *flags = opts->mnt_opts_flags;
694 	int num_opts = opts->num_mnt_opts;
695 
696 	mutex_lock(&sbsec->lock);
697 
698 	if (!ss_initialized) {
699 		if (!num_opts) {
700 			/* Defer initialization until selinux_complete_init,
701 			   after the initial policy is loaded and the security
702 			   server is ready to handle calls. */
703 			goto out;
704 		}
705 		rc = -EINVAL;
706 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
707 			"before the security server is initialized\n");
708 		goto out;
709 	}
710 	if (kern_flags && !set_kern_flags) {
711 		/* Specifying internal flags without providing a place to
712 		 * place the results is not allowed */
713 		rc = -EINVAL;
714 		goto out;
715 	}
716 
717 	/*
718 	 * Binary mount data FS will come through this function twice.  Once
719 	 * from an explicit call and once from the generic calls from the vfs.
720 	 * Since the generic VFS calls will not contain any security mount data
721 	 * we need to skip the double mount verification.
722 	 *
723 	 * This does open a hole in which we will not notice if the first
724 	 * mount using this sb set explict options and a second mount using
725 	 * this sb does not set any security options.  (The first options
726 	 * will be used for both mounts)
727 	 */
728 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
729 	    && (num_opts == 0))
730 		goto out;
731 
732 	/*
733 	 * parse the mount options, check if they are valid sids.
734 	 * also check if someone is trying to mount the same sb more
735 	 * than once with different security options.
736 	 */
737 	for (i = 0; i < num_opts; i++) {
738 		u32 sid;
739 
740 		if (flags[i] == SBLABEL_MNT)
741 			continue;
742 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
743 		if (rc) {
744 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
745 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
746 			       mount_options[i], sb->s_id, name, rc);
747 			goto out;
748 		}
749 		switch (flags[i]) {
750 		case FSCONTEXT_MNT:
751 			fscontext_sid = sid;
752 
753 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
754 					fscontext_sid))
755 				goto out_double_mount;
756 
757 			sbsec->flags |= FSCONTEXT_MNT;
758 			break;
759 		case CONTEXT_MNT:
760 			context_sid = sid;
761 
762 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
763 					context_sid))
764 				goto out_double_mount;
765 
766 			sbsec->flags |= CONTEXT_MNT;
767 			break;
768 		case ROOTCONTEXT_MNT:
769 			rootcontext_sid = sid;
770 
771 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
772 					rootcontext_sid))
773 				goto out_double_mount;
774 
775 			sbsec->flags |= ROOTCONTEXT_MNT;
776 
777 			break;
778 		case DEFCONTEXT_MNT:
779 			defcontext_sid = sid;
780 
781 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
782 					defcontext_sid))
783 				goto out_double_mount;
784 
785 			sbsec->flags |= DEFCONTEXT_MNT;
786 
787 			break;
788 		default:
789 			rc = -EINVAL;
790 			goto out;
791 		}
792 	}
793 
794 	if (sbsec->flags & SE_SBINITIALIZED) {
795 		/* previously mounted with options, but not on this attempt? */
796 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
797 			goto out_double_mount;
798 		rc = 0;
799 		goto out;
800 	}
801 
802 	if (strcmp(sb->s_type->name, "proc") == 0)
803 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
804 
805 	if (!strcmp(sb->s_type->name, "debugfs") ||
806 	    !strcmp(sb->s_type->name, "sysfs") ||
807 	    !strcmp(sb->s_type->name, "pstore"))
808 		sbsec->flags |= SE_SBGENFS;
809 
810 	if (!sbsec->behavior) {
811 		/*
812 		 * Determine the labeling behavior to use for this
813 		 * filesystem type.
814 		 */
815 		rc = security_fs_use(sb);
816 		if (rc) {
817 			printk(KERN_WARNING
818 				"%s: security_fs_use(%s) returned %d\n",
819 					__func__, sb->s_type->name, rc);
820 			goto out;
821 		}
822 	}
823 	/* sets the context of the superblock for the fs being mounted. */
824 	if (fscontext_sid) {
825 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
826 		if (rc)
827 			goto out;
828 
829 		sbsec->sid = fscontext_sid;
830 	}
831 
832 	/*
833 	 * Switch to using mount point labeling behavior.
834 	 * sets the label used on all file below the mountpoint, and will set
835 	 * the superblock context if not already set.
836 	 */
837 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
838 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
839 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
840 	}
841 
842 	if (context_sid) {
843 		if (!fscontext_sid) {
844 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
845 							  cred);
846 			if (rc)
847 				goto out;
848 			sbsec->sid = context_sid;
849 		} else {
850 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
851 							     cred);
852 			if (rc)
853 				goto out;
854 		}
855 		if (!rootcontext_sid)
856 			rootcontext_sid = context_sid;
857 
858 		sbsec->mntpoint_sid = context_sid;
859 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
860 	}
861 
862 	if (rootcontext_sid) {
863 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
864 						     cred);
865 		if (rc)
866 			goto out;
867 
868 		root_isec->sid = rootcontext_sid;
869 		root_isec->initialized = LABEL_INITIALIZED;
870 	}
871 
872 	if (defcontext_sid) {
873 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
874 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
875 			rc = -EINVAL;
876 			printk(KERN_WARNING "SELinux: defcontext option is "
877 			       "invalid for this filesystem type\n");
878 			goto out;
879 		}
880 
881 		if (defcontext_sid != sbsec->def_sid) {
882 			rc = may_context_mount_inode_relabel(defcontext_sid,
883 							     sbsec, cred);
884 			if (rc)
885 				goto out;
886 		}
887 
888 		sbsec->def_sid = defcontext_sid;
889 	}
890 
891 	rc = sb_finish_set_opts(sb);
892 out:
893 	mutex_unlock(&sbsec->lock);
894 	return rc;
895 out_double_mount:
896 	rc = -EINVAL;
897 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
898 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
899 	goto out;
900 }
901 
902 static int selinux_cmp_sb_context(const struct super_block *oldsb,
903 				    const struct super_block *newsb)
904 {
905 	struct superblock_security_struct *old = oldsb->s_security;
906 	struct superblock_security_struct *new = newsb->s_security;
907 	char oldflags = old->flags & SE_MNTMASK;
908 	char newflags = new->flags & SE_MNTMASK;
909 
910 	if (oldflags != newflags)
911 		goto mismatch;
912 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
913 		goto mismatch;
914 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
915 		goto mismatch;
916 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
917 		goto mismatch;
918 	if (oldflags & ROOTCONTEXT_MNT) {
919 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
920 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
921 		if (oldroot->sid != newroot->sid)
922 			goto mismatch;
923 	}
924 	return 0;
925 mismatch:
926 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
927 			    "different security settings for (dev %s, "
928 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
929 	return -EBUSY;
930 }
931 
932 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
933 					struct super_block *newsb)
934 {
935 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
936 	struct superblock_security_struct *newsbsec = newsb->s_security;
937 
938 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
939 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
940 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
941 
942 	/*
943 	 * if the parent was able to be mounted it clearly had no special lsm
944 	 * mount options.  thus we can safely deal with this superblock later
945 	 */
946 	if (!ss_initialized)
947 		return 0;
948 
949 	/* how can we clone if the old one wasn't set up?? */
950 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
951 
952 	/* if fs is reusing a sb, make sure that the contexts match */
953 	if (newsbsec->flags & SE_SBINITIALIZED)
954 		return selinux_cmp_sb_context(oldsb, newsb);
955 
956 	mutex_lock(&newsbsec->lock);
957 
958 	newsbsec->flags = oldsbsec->flags;
959 
960 	newsbsec->sid = oldsbsec->sid;
961 	newsbsec->def_sid = oldsbsec->def_sid;
962 	newsbsec->behavior = oldsbsec->behavior;
963 
964 	if (set_context) {
965 		u32 sid = oldsbsec->mntpoint_sid;
966 
967 		if (!set_fscontext)
968 			newsbsec->sid = sid;
969 		if (!set_rootcontext) {
970 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
971 			newisec->sid = sid;
972 		}
973 		newsbsec->mntpoint_sid = sid;
974 	}
975 	if (set_rootcontext) {
976 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
977 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
978 
979 		newisec->sid = oldisec->sid;
980 	}
981 
982 	sb_finish_set_opts(newsb);
983 	mutex_unlock(&newsbsec->lock);
984 	return 0;
985 }
986 
987 static int selinux_parse_opts_str(char *options,
988 				  struct security_mnt_opts *opts)
989 {
990 	char *p;
991 	char *context = NULL, *defcontext = NULL;
992 	char *fscontext = NULL, *rootcontext = NULL;
993 	int rc, num_mnt_opts = 0;
994 
995 	opts->num_mnt_opts = 0;
996 
997 	/* Standard string-based options. */
998 	while ((p = strsep(&options, "|")) != NULL) {
999 		int token;
1000 		substring_t args[MAX_OPT_ARGS];
1001 
1002 		if (!*p)
1003 			continue;
1004 
1005 		token = match_token(p, tokens, args);
1006 
1007 		switch (token) {
1008 		case Opt_context:
1009 			if (context || defcontext) {
1010 				rc = -EINVAL;
1011 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1012 				goto out_err;
1013 			}
1014 			context = match_strdup(&args[0]);
1015 			if (!context) {
1016 				rc = -ENOMEM;
1017 				goto out_err;
1018 			}
1019 			break;
1020 
1021 		case Opt_fscontext:
1022 			if (fscontext) {
1023 				rc = -EINVAL;
1024 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1025 				goto out_err;
1026 			}
1027 			fscontext = match_strdup(&args[0]);
1028 			if (!fscontext) {
1029 				rc = -ENOMEM;
1030 				goto out_err;
1031 			}
1032 			break;
1033 
1034 		case Opt_rootcontext:
1035 			if (rootcontext) {
1036 				rc = -EINVAL;
1037 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1038 				goto out_err;
1039 			}
1040 			rootcontext = match_strdup(&args[0]);
1041 			if (!rootcontext) {
1042 				rc = -ENOMEM;
1043 				goto out_err;
1044 			}
1045 			break;
1046 
1047 		case Opt_defcontext:
1048 			if (context || defcontext) {
1049 				rc = -EINVAL;
1050 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1051 				goto out_err;
1052 			}
1053 			defcontext = match_strdup(&args[0]);
1054 			if (!defcontext) {
1055 				rc = -ENOMEM;
1056 				goto out_err;
1057 			}
1058 			break;
1059 		case Opt_labelsupport:
1060 			break;
1061 		default:
1062 			rc = -EINVAL;
1063 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
1064 			goto out_err;
1065 
1066 		}
1067 	}
1068 
1069 	rc = -ENOMEM;
1070 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1071 	if (!opts->mnt_opts)
1072 		goto out_err;
1073 
1074 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1075 	if (!opts->mnt_opts_flags) {
1076 		kfree(opts->mnt_opts);
1077 		goto out_err;
1078 	}
1079 
1080 	if (fscontext) {
1081 		opts->mnt_opts[num_mnt_opts] = fscontext;
1082 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1083 	}
1084 	if (context) {
1085 		opts->mnt_opts[num_mnt_opts] = context;
1086 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1087 	}
1088 	if (rootcontext) {
1089 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1090 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1091 	}
1092 	if (defcontext) {
1093 		opts->mnt_opts[num_mnt_opts] = defcontext;
1094 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1095 	}
1096 
1097 	opts->num_mnt_opts = num_mnt_opts;
1098 	return 0;
1099 
1100 out_err:
1101 	kfree(context);
1102 	kfree(defcontext);
1103 	kfree(fscontext);
1104 	kfree(rootcontext);
1105 	return rc;
1106 }
1107 /*
1108  * string mount options parsing and call set the sbsec
1109  */
1110 static int superblock_doinit(struct super_block *sb, void *data)
1111 {
1112 	int rc = 0;
1113 	char *options = data;
1114 	struct security_mnt_opts opts;
1115 
1116 	security_init_mnt_opts(&opts);
1117 
1118 	if (!data)
1119 		goto out;
1120 
1121 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1122 
1123 	rc = selinux_parse_opts_str(options, &opts);
1124 	if (rc)
1125 		goto out_err;
1126 
1127 out:
1128 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1129 
1130 out_err:
1131 	security_free_mnt_opts(&opts);
1132 	return rc;
1133 }
1134 
1135 static void selinux_write_opts(struct seq_file *m,
1136 			       struct security_mnt_opts *opts)
1137 {
1138 	int i;
1139 	char *prefix;
1140 
1141 	for (i = 0; i < opts->num_mnt_opts; i++) {
1142 		char *has_comma;
1143 
1144 		if (opts->mnt_opts[i])
1145 			has_comma = strchr(opts->mnt_opts[i], ',');
1146 		else
1147 			has_comma = NULL;
1148 
1149 		switch (opts->mnt_opts_flags[i]) {
1150 		case CONTEXT_MNT:
1151 			prefix = CONTEXT_STR;
1152 			break;
1153 		case FSCONTEXT_MNT:
1154 			prefix = FSCONTEXT_STR;
1155 			break;
1156 		case ROOTCONTEXT_MNT:
1157 			prefix = ROOTCONTEXT_STR;
1158 			break;
1159 		case DEFCONTEXT_MNT:
1160 			prefix = DEFCONTEXT_STR;
1161 			break;
1162 		case SBLABEL_MNT:
1163 			seq_putc(m, ',');
1164 			seq_puts(m, LABELSUPP_STR);
1165 			continue;
1166 		default:
1167 			BUG();
1168 			return;
1169 		};
1170 		/* we need a comma before each option */
1171 		seq_putc(m, ',');
1172 		seq_puts(m, prefix);
1173 		if (has_comma)
1174 			seq_putc(m, '\"');
1175 		seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1176 		if (has_comma)
1177 			seq_putc(m, '\"');
1178 	}
1179 }
1180 
1181 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1182 {
1183 	struct security_mnt_opts opts;
1184 	int rc;
1185 
1186 	rc = selinux_get_mnt_opts(sb, &opts);
1187 	if (rc) {
1188 		/* before policy load we may get EINVAL, don't show anything */
1189 		if (rc == -EINVAL)
1190 			rc = 0;
1191 		return rc;
1192 	}
1193 
1194 	selinux_write_opts(m, &opts);
1195 
1196 	security_free_mnt_opts(&opts);
1197 
1198 	return rc;
1199 }
1200 
1201 static inline u16 inode_mode_to_security_class(umode_t mode)
1202 {
1203 	switch (mode & S_IFMT) {
1204 	case S_IFSOCK:
1205 		return SECCLASS_SOCK_FILE;
1206 	case S_IFLNK:
1207 		return SECCLASS_LNK_FILE;
1208 	case S_IFREG:
1209 		return SECCLASS_FILE;
1210 	case S_IFBLK:
1211 		return SECCLASS_BLK_FILE;
1212 	case S_IFDIR:
1213 		return SECCLASS_DIR;
1214 	case S_IFCHR:
1215 		return SECCLASS_CHR_FILE;
1216 	case S_IFIFO:
1217 		return SECCLASS_FIFO_FILE;
1218 
1219 	}
1220 
1221 	return SECCLASS_FILE;
1222 }
1223 
1224 static inline int default_protocol_stream(int protocol)
1225 {
1226 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1227 }
1228 
1229 static inline int default_protocol_dgram(int protocol)
1230 {
1231 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1232 }
1233 
1234 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1235 {
1236 	switch (family) {
1237 	case PF_UNIX:
1238 		switch (type) {
1239 		case SOCK_STREAM:
1240 		case SOCK_SEQPACKET:
1241 			return SECCLASS_UNIX_STREAM_SOCKET;
1242 		case SOCK_DGRAM:
1243 			return SECCLASS_UNIX_DGRAM_SOCKET;
1244 		}
1245 		break;
1246 	case PF_INET:
1247 	case PF_INET6:
1248 		switch (type) {
1249 		case SOCK_STREAM:
1250 			if (default_protocol_stream(protocol))
1251 				return SECCLASS_TCP_SOCKET;
1252 			else
1253 				return SECCLASS_RAWIP_SOCKET;
1254 		case SOCK_DGRAM:
1255 			if (default_protocol_dgram(protocol))
1256 				return SECCLASS_UDP_SOCKET;
1257 			else
1258 				return SECCLASS_RAWIP_SOCKET;
1259 		case SOCK_DCCP:
1260 			return SECCLASS_DCCP_SOCKET;
1261 		default:
1262 			return SECCLASS_RAWIP_SOCKET;
1263 		}
1264 		break;
1265 	case PF_NETLINK:
1266 		switch (protocol) {
1267 		case NETLINK_ROUTE:
1268 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1269 		case NETLINK_SOCK_DIAG:
1270 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1271 		case NETLINK_NFLOG:
1272 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1273 		case NETLINK_XFRM:
1274 			return SECCLASS_NETLINK_XFRM_SOCKET;
1275 		case NETLINK_SELINUX:
1276 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1277 		case NETLINK_ISCSI:
1278 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1279 		case NETLINK_AUDIT:
1280 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1281 		case NETLINK_FIB_LOOKUP:
1282 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1283 		case NETLINK_CONNECTOR:
1284 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1285 		case NETLINK_NETFILTER:
1286 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1287 		case NETLINK_DNRTMSG:
1288 			return SECCLASS_NETLINK_DNRT_SOCKET;
1289 		case NETLINK_KOBJECT_UEVENT:
1290 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1291 		case NETLINK_GENERIC:
1292 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1293 		case NETLINK_SCSITRANSPORT:
1294 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1295 		case NETLINK_RDMA:
1296 			return SECCLASS_NETLINK_RDMA_SOCKET;
1297 		case NETLINK_CRYPTO:
1298 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1299 		default:
1300 			return SECCLASS_NETLINK_SOCKET;
1301 		}
1302 	case PF_PACKET:
1303 		return SECCLASS_PACKET_SOCKET;
1304 	case PF_KEY:
1305 		return SECCLASS_KEY_SOCKET;
1306 	case PF_APPLETALK:
1307 		return SECCLASS_APPLETALK_SOCKET;
1308 	}
1309 
1310 	return SECCLASS_SOCKET;
1311 }
1312 
1313 static int selinux_genfs_get_sid(struct dentry *dentry,
1314 				 u16 tclass,
1315 				 u16 flags,
1316 				 u32 *sid)
1317 {
1318 	int rc;
1319 	struct super_block *sb = dentry->d_inode->i_sb;
1320 	char *buffer, *path;
1321 
1322 	buffer = (char *)__get_free_page(GFP_KERNEL);
1323 	if (!buffer)
1324 		return -ENOMEM;
1325 
1326 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1327 	if (IS_ERR(path))
1328 		rc = PTR_ERR(path);
1329 	else {
1330 		if (flags & SE_SBPROC) {
1331 			/* each process gets a /proc/PID/ entry. Strip off the
1332 			 * PID part to get a valid selinux labeling.
1333 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1334 			while (path[1] >= '0' && path[1] <= '9') {
1335 				path[1] = '/';
1336 				path++;
1337 			}
1338 		}
1339 		rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1340 	}
1341 	free_page((unsigned long)buffer);
1342 	return rc;
1343 }
1344 
1345 /* The inode's security attributes must be initialized before first use. */
1346 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1347 {
1348 	struct superblock_security_struct *sbsec = NULL;
1349 	struct inode_security_struct *isec = inode->i_security;
1350 	u32 sid;
1351 	struct dentry *dentry;
1352 #define INITCONTEXTLEN 255
1353 	char *context = NULL;
1354 	unsigned len = 0;
1355 	int rc = 0;
1356 
1357 	if (isec->initialized == LABEL_INITIALIZED)
1358 		goto out;
1359 
1360 	mutex_lock(&isec->lock);
1361 	if (isec->initialized == LABEL_INITIALIZED)
1362 		goto out_unlock;
1363 
1364 	sbsec = inode->i_sb->s_security;
1365 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1366 		/* Defer initialization until selinux_complete_init,
1367 		   after the initial policy is loaded and the security
1368 		   server is ready to handle calls. */
1369 		spin_lock(&sbsec->isec_lock);
1370 		if (list_empty(&isec->list))
1371 			list_add(&isec->list, &sbsec->isec_head);
1372 		spin_unlock(&sbsec->isec_lock);
1373 		goto out_unlock;
1374 	}
1375 
1376 	switch (sbsec->behavior) {
1377 	case SECURITY_FS_USE_NATIVE:
1378 		break;
1379 	case SECURITY_FS_USE_XATTR:
1380 		if (!inode->i_op->getxattr) {
1381 			isec->sid = sbsec->def_sid;
1382 			break;
1383 		}
1384 
1385 		/* Need a dentry, since the xattr API requires one.
1386 		   Life would be simpler if we could just pass the inode. */
1387 		if (opt_dentry) {
1388 			/* Called from d_instantiate or d_splice_alias. */
1389 			dentry = dget(opt_dentry);
1390 		} else {
1391 			/* Called from selinux_complete_init, try to find a dentry. */
1392 			dentry = d_find_alias(inode);
1393 		}
1394 		if (!dentry) {
1395 			/*
1396 			 * this is can be hit on boot when a file is accessed
1397 			 * before the policy is loaded.  When we load policy we
1398 			 * may find inodes that have no dentry on the
1399 			 * sbsec->isec_head list.  No reason to complain as these
1400 			 * will get fixed up the next time we go through
1401 			 * inode_doinit with a dentry, before these inodes could
1402 			 * be used again by userspace.
1403 			 */
1404 			goto out_unlock;
1405 		}
1406 
1407 		len = INITCONTEXTLEN;
1408 		context = kmalloc(len+1, GFP_NOFS);
1409 		if (!context) {
1410 			rc = -ENOMEM;
1411 			dput(dentry);
1412 			goto out_unlock;
1413 		}
1414 		context[len] = '\0';
1415 		rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1416 					   context, len);
1417 		if (rc == -ERANGE) {
1418 			kfree(context);
1419 
1420 			/* Need a larger buffer.  Query for the right size. */
1421 			rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1422 						   NULL, 0);
1423 			if (rc < 0) {
1424 				dput(dentry);
1425 				goto out_unlock;
1426 			}
1427 			len = rc;
1428 			context = kmalloc(len+1, GFP_NOFS);
1429 			if (!context) {
1430 				rc = -ENOMEM;
1431 				dput(dentry);
1432 				goto out_unlock;
1433 			}
1434 			context[len] = '\0';
1435 			rc = inode->i_op->getxattr(dentry,
1436 						   XATTR_NAME_SELINUX,
1437 						   context, len);
1438 		}
1439 		dput(dentry);
1440 		if (rc < 0) {
1441 			if (rc != -ENODATA) {
1442 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1443 				       "%d for dev=%s ino=%ld\n", __func__,
1444 				       -rc, inode->i_sb->s_id, inode->i_ino);
1445 				kfree(context);
1446 				goto out_unlock;
1447 			}
1448 			/* Map ENODATA to the default file SID */
1449 			sid = sbsec->def_sid;
1450 			rc = 0;
1451 		} else {
1452 			rc = security_context_to_sid_default(context, rc, &sid,
1453 							     sbsec->def_sid,
1454 							     GFP_NOFS);
1455 			if (rc) {
1456 				char *dev = inode->i_sb->s_id;
1457 				unsigned long ino = inode->i_ino;
1458 
1459 				if (rc == -EINVAL) {
1460 					if (printk_ratelimit())
1461 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1462 							"context=%s.  This indicates you may need to relabel the inode or the "
1463 							"filesystem in question.\n", ino, dev, context);
1464 				} else {
1465 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1466 					       "returned %d for dev=%s ino=%ld\n",
1467 					       __func__, context, -rc, dev, ino);
1468 				}
1469 				kfree(context);
1470 				/* Leave with the unlabeled SID */
1471 				rc = 0;
1472 				break;
1473 			}
1474 		}
1475 		kfree(context);
1476 		isec->sid = sid;
1477 		break;
1478 	case SECURITY_FS_USE_TASK:
1479 		isec->sid = isec->task_sid;
1480 		break;
1481 	case SECURITY_FS_USE_TRANS:
1482 		/* Default to the fs SID. */
1483 		isec->sid = sbsec->sid;
1484 
1485 		/* Try to obtain a transition SID. */
1486 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1487 		rc = security_transition_sid(isec->task_sid, sbsec->sid,
1488 					     isec->sclass, NULL, &sid);
1489 		if (rc)
1490 			goto out_unlock;
1491 		isec->sid = sid;
1492 		break;
1493 	case SECURITY_FS_USE_MNTPOINT:
1494 		isec->sid = sbsec->mntpoint_sid;
1495 		break;
1496 	default:
1497 		/* Default to the fs superblock SID. */
1498 		isec->sid = sbsec->sid;
1499 
1500 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1501 			/* We must have a dentry to determine the label on
1502 			 * procfs inodes */
1503 			if (opt_dentry)
1504 				/* Called from d_instantiate or
1505 				 * d_splice_alias. */
1506 				dentry = dget(opt_dentry);
1507 			else
1508 				/* Called from selinux_complete_init, try to
1509 				 * find a dentry. */
1510 				dentry = d_find_alias(inode);
1511 			/*
1512 			 * This can be hit on boot when a file is accessed
1513 			 * before the policy is loaded.  When we load policy we
1514 			 * may find inodes that have no dentry on the
1515 			 * sbsec->isec_head list.  No reason to complain as
1516 			 * these will get fixed up the next time we go through
1517 			 * inode_doinit() with a dentry, before these inodes
1518 			 * could be used again by userspace.
1519 			 */
1520 			if (!dentry)
1521 				goto out_unlock;
1522 			isec->sclass = inode_mode_to_security_class(inode->i_mode);
1523 			rc = selinux_genfs_get_sid(dentry, isec->sclass,
1524 						   sbsec->flags, &sid);
1525 			dput(dentry);
1526 			if (rc)
1527 				goto out_unlock;
1528 			isec->sid = sid;
1529 		}
1530 		break;
1531 	}
1532 
1533 	isec->initialized = LABEL_INITIALIZED;
1534 
1535 out_unlock:
1536 	mutex_unlock(&isec->lock);
1537 out:
1538 	if (isec->sclass == SECCLASS_FILE)
1539 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1540 	return rc;
1541 }
1542 
1543 /* Convert a Linux signal to an access vector. */
1544 static inline u32 signal_to_av(int sig)
1545 {
1546 	u32 perm = 0;
1547 
1548 	switch (sig) {
1549 	case SIGCHLD:
1550 		/* Commonly granted from child to parent. */
1551 		perm = PROCESS__SIGCHLD;
1552 		break;
1553 	case SIGKILL:
1554 		/* Cannot be caught or ignored */
1555 		perm = PROCESS__SIGKILL;
1556 		break;
1557 	case SIGSTOP:
1558 		/* Cannot be caught or ignored */
1559 		perm = PROCESS__SIGSTOP;
1560 		break;
1561 	default:
1562 		/* All other signals. */
1563 		perm = PROCESS__SIGNAL;
1564 		break;
1565 	}
1566 
1567 	return perm;
1568 }
1569 
1570 /*
1571  * Check permission between a pair of credentials
1572  * fork check, ptrace check, etc.
1573  */
1574 static int cred_has_perm(const struct cred *actor,
1575 			 const struct cred *target,
1576 			 u32 perms)
1577 {
1578 	u32 asid = cred_sid(actor), tsid = cred_sid(target);
1579 
1580 	return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1581 }
1582 
1583 /*
1584  * Check permission between a pair of tasks, e.g. signal checks,
1585  * fork check, ptrace check, etc.
1586  * tsk1 is the actor and tsk2 is the target
1587  * - this uses the default subjective creds of tsk1
1588  */
1589 static int task_has_perm(const struct task_struct *tsk1,
1590 			 const struct task_struct *tsk2,
1591 			 u32 perms)
1592 {
1593 	const struct task_security_struct *__tsec1, *__tsec2;
1594 	u32 sid1, sid2;
1595 
1596 	rcu_read_lock();
1597 	__tsec1 = __task_cred(tsk1)->security;	sid1 = __tsec1->sid;
1598 	__tsec2 = __task_cred(tsk2)->security;	sid2 = __tsec2->sid;
1599 	rcu_read_unlock();
1600 	return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1601 }
1602 
1603 /*
1604  * Check permission between current and another task, e.g. signal checks,
1605  * fork check, ptrace check, etc.
1606  * current is the actor and tsk2 is the target
1607  * - this uses current's subjective creds
1608  */
1609 static int current_has_perm(const struct task_struct *tsk,
1610 			    u32 perms)
1611 {
1612 	u32 sid, tsid;
1613 
1614 	sid = current_sid();
1615 	tsid = task_sid(tsk);
1616 	return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1617 }
1618 
1619 #if CAP_LAST_CAP > 63
1620 #error Fix SELinux to handle capabilities > 63.
1621 #endif
1622 
1623 /* Check whether a task is allowed to use a capability. */
1624 static int cred_has_capability(const struct cred *cred,
1625 			       int cap, int audit)
1626 {
1627 	struct common_audit_data ad;
1628 	struct av_decision avd;
1629 	u16 sclass;
1630 	u32 sid = cred_sid(cred);
1631 	u32 av = CAP_TO_MASK(cap);
1632 	int rc;
1633 
1634 	ad.type = LSM_AUDIT_DATA_CAP;
1635 	ad.u.cap = cap;
1636 
1637 	switch (CAP_TO_INDEX(cap)) {
1638 	case 0:
1639 		sclass = SECCLASS_CAPABILITY;
1640 		break;
1641 	case 1:
1642 		sclass = SECCLASS_CAPABILITY2;
1643 		break;
1644 	default:
1645 		printk(KERN_ERR
1646 		       "SELinux:  out of range capability %d\n", cap);
1647 		BUG();
1648 		return -EINVAL;
1649 	}
1650 
1651 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1652 	if (audit == SECURITY_CAP_AUDIT) {
1653 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1654 		if (rc2)
1655 			return rc2;
1656 	}
1657 	return rc;
1658 }
1659 
1660 /* Check whether a task is allowed to use a system operation. */
1661 static int task_has_system(struct task_struct *tsk,
1662 			   u32 perms)
1663 {
1664 	u32 sid = task_sid(tsk);
1665 
1666 	return avc_has_perm(sid, SECINITSID_KERNEL,
1667 			    SECCLASS_SYSTEM, perms, NULL);
1668 }
1669 
1670 /* Check whether a task has a particular permission to an inode.
1671    The 'adp' parameter is optional and allows other audit
1672    data to be passed (e.g. the dentry). */
1673 static int inode_has_perm(const struct cred *cred,
1674 			  struct inode *inode,
1675 			  u32 perms,
1676 			  struct common_audit_data *adp)
1677 {
1678 	struct inode_security_struct *isec;
1679 	u32 sid;
1680 
1681 	validate_creds(cred);
1682 
1683 	if (unlikely(IS_PRIVATE(inode)))
1684 		return 0;
1685 
1686 	sid = cred_sid(cred);
1687 	isec = inode->i_security;
1688 
1689 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1690 }
1691 
1692 /* Same as inode_has_perm, but pass explicit audit data containing
1693    the dentry to help the auditing code to more easily generate the
1694    pathname if needed. */
1695 static inline int dentry_has_perm(const struct cred *cred,
1696 				  struct dentry *dentry,
1697 				  u32 av)
1698 {
1699 	struct inode *inode = d_backing_inode(dentry);
1700 	struct common_audit_data ad;
1701 
1702 	ad.type = LSM_AUDIT_DATA_DENTRY;
1703 	ad.u.dentry = dentry;
1704 	__inode_security_revalidate(inode, dentry, true);
1705 	return inode_has_perm(cred, inode, av, &ad);
1706 }
1707 
1708 /* Same as inode_has_perm, but pass explicit audit data containing
1709    the path to help the auditing code to more easily generate the
1710    pathname if needed. */
1711 static inline int path_has_perm(const struct cred *cred,
1712 				const struct path *path,
1713 				u32 av)
1714 {
1715 	struct inode *inode = d_backing_inode(path->dentry);
1716 	struct common_audit_data ad;
1717 
1718 	ad.type = LSM_AUDIT_DATA_PATH;
1719 	ad.u.path = *path;
1720 	__inode_security_revalidate(inode, path->dentry, true);
1721 	return inode_has_perm(cred, inode, av, &ad);
1722 }
1723 
1724 /* Same as path_has_perm, but uses the inode from the file struct. */
1725 static inline int file_path_has_perm(const struct cred *cred,
1726 				     struct file *file,
1727 				     u32 av)
1728 {
1729 	struct common_audit_data ad;
1730 
1731 	ad.type = LSM_AUDIT_DATA_PATH;
1732 	ad.u.path = file->f_path;
1733 	return inode_has_perm(cred, file_inode(file), av, &ad);
1734 }
1735 
1736 /* Check whether a task can use an open file descriptor to
1737    access an inode in a given way.  Check access to the
1738    descriptor itself, and then use dentry_has_perm to
1739    check a particular permission to the file.
1740    Access to the descriptor is implicitly granted if it
1741    has the same SID as the process.  If av is zero, then
1742    access to the file is not checked, e.g. for cases
1743    where only the descriptor is affected like seek. */
1744 static int file_has_perm(const struct cred *cred,
1745 			 struct file *file,
1746 			 u32 av)
1747 {
1748 	struct file_security_struct *fsec = file->f_security;
1749 	struct inode *inode = file_inode(file);
1750 	struct common_audit_data ad;
1751 	u32 sid = cred_sid(cred);
1752 	int rc;
1753 
1754 	ad.type = LSM_AUDIT_DATA_PATH;
1755 	ad.u.path = file->f_path;
1756 
1757 	if (sid != fsec->sid) {
1758 		rc = avc_has_perm(sid, fsec->sid,
1759 				  SECCLASS_FD,
1760 				  FD__USE,
1761 				  &ad);
1762 		if (rc)
1763 			goto out;
1764 	}
1765 
1766 	/* av is zero if only checking access to the descriptor. */
1767 	rc = 0;
1768 	if (av)
1769 		rc = inode_has_perm(cred, inode, av, &ad);
1770 
1771 out:
1772 	return rc;
1773 }
1774 
1775 /*
1776  * Determine the label for an inode that might be unioned.
1777  */
1778 static int selinux_determine_inode_label(struct inode *dir,
1779 					 const struct qstr *name,
1780 					 u16 tclass,
1781 					 u32 *_new_isid)
1782 {
1783 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1784 	const struct inode_security_struct *dsec = inode_security(dir);
1785 	const struct task_security_struct *tsec = current_security();
1786 
1787 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1788 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1789 		*_new_isid = sbsec->mntpoint_sid;
1790 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1791 		   tsec->create_sid) {
1792 		*_new_isid = tsec->create_sid;
1793 	} else {
1794 		return security_transition_sid(tsec->sid, dsec->sid, tclass,
1795 					       name, _new_isid);
1796 	}
1797 
1798 	return 0;
1799 }
1800 
1801 /* Check whether a task can create a file. */
1802 static int may_create(struct inode *dir,
1803 		      struct dentry *dentry,
1804 		      u16 tclass)
1805 {
1806 	const struct task_security_struct *tsec = current_security();
1807 	struct inode_security_struct *dsec;
1808 	struct superblock_security_struct *sbsec;
1809 	u32 sid, newsid;
1810 	struct common_audit_data ad;
1811 	int rc;
1812 
1813 	dsec = inode_security(dir);
1814 	sbsec = dir->i_sb->s_security;
1815 
1816 	sid = tsec->sid;
1817 
1818 	ad.type = LSM_AUDIT_DATA_DENTRY;
1819 	ad.u.dentry = dentry;
1820 
1821 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1822 			  DIR__ADD_NAME | DIR__SEARCH,
1823 			  &ad);
1824 	if (rc)
1825 		return rc;
1826 
1827 	rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1828 					   &newsid);
1829 	if (rc)
1830 		return rc;
1831 
1832 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1833 	if (rc)
1834 		return rc;
1835 
1836 	return avc_has_perm(newsid, sbsec->sid,
1837 			    SECCLASS_FILESYSTEM,
1838 			    FILESYSTEM__ASSOCIATE, &ad);
1839 }
1840 
1841 /* Check whether a task can create a key. */
1842 static int may_create_key(u32 ksid,
1843 			  struct task_struct *ctx)
1844 {
1845 	u32 sid = task_sid(ctx);
1846 
1847 	return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1848 }
1849 
1850 #define MAY_LINK	0
1851 #define MAY_UNLINK	1
1852 #define MAY_RMDIR	2
1853 
1854 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1855 static int may_link(struct inode *dir,
1856 		    struct dentry *dentry,
1857 		    int kind)
1858 
1859 {
1860 	struct inode_security_struct *dsec, *isec;
1861 	struct common_audit_data ad;
1862 	u32 sid = current_sid();
1863 	u32 av;
1864 	int rc;
1865 
1866 	dsec = inode_security(dir);
1867 	isec = backing_inode_security(dentry);
1868 
1869 	ad.type = LSM_AUDIT_DATA_DENTRY;
1870 	ad.u.dentry = dentry;
1871 
1872 	av = DIR__SEARCH;
1873 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1874 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1875 	if (rc)
1876 		return rc;
1877 
1878 	switch (kind) {
1879 	case MAY_LINK:
1880 		av = FILE__LINK;
1881 		break;
1882 	case MAY_UNLINK:
1883 		av = FILE__UNLINK;
1884 		break;
1885 	case MAY_RMDIR:
1886 		av = DIR__RMDIR;
1887 		break;
1888 	default:
1889 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1890 			__func__, kind);
1891 		return 0;
1892 	}
1893 
1894 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1895 	return rc;
1896 }
1897 
1898 static inline int may_rename(struct inode *old_dir,
1899 			     struct dentry *old_dentry,
1900 			     struct inode *new_dir,
1901 			     struct dentry *new_dentry)
1902 {
1903 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1904 	struct common_audit_data ad;
1905 	u32 sid = current_sid();
1906 	u32 av;
1907 	int old_is_dir, new_is_dir;
1908 	int rc;
1909 
1910 	old_dsec = inode_security(old_dir);
1911 	old_isec = backing_inode_security(old_dentry);
1912 	old_is_dir = d_is_dir(old_dentry);
1913 	new_dsec = inode_security(new_dir);
1914 
1915 	ad.type = LSM_AUDIT_DATA_DENTRY;
1916 
1917 	ad.u.dentry = old_dentry;
1918 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1919 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1920 	if (rc)
1921 		return rc;
1922 	rc = avc_has_perm(sid, old_isec->sid,
1923 			  old_isec->sclass, FILE__RENAME, &ad);
1924 	if (rc)
1925 		return rc;
1926 	if (old_is_dir && new_dir != old_dir) {
1927 		rc = avc_has_perm(sid, old_isec->sid,
1928 				  old_isec->sclass, DIR__REPARENT, &ad);
1929 		if (rc)
1930 			return rc;
1931 	}
1932 
1933 	ad.u.dentry = new_dentry;
1934 	av = DIR__ADD_NAME | DIR__SEARCH;
1935 	if (d_is_positive(new_dentry))
1936 		av |= DIR__REMOVE_NAME;
1937 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1938 	if (rc)
1939 		return rc;
1940 	if (d_is_positive(new_dentry)) {
1941 		new_isec = backing_inode_security(new_dentry);
1942 		new_is_dir = d_is_dir(new_dentry);
1943 		rc = avc_has_perm(sid, new_isec->sid,
1944 				  new_isec->sclass,
1945 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1946 		if (rc)
1947 			return rc;
1948 	}
1949 
1950 	return 0;
1951 }
1952 
1953 /* Check whether a task can perform a filesystem operation. */
1954 static int superblock_has_perm(const struct cred *cred,
1955 			       struct super_block *sb,
1956 			       u32 perms,
1957 			       struct common_audit_data *ad)
1958 {
1959 	struct superblock_security_struct *sbsec;
1960 	u32 sid = cred_sid(cred);
1961 
1962 	sbsec = sb->s_security;
1963 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1964 }
1965 
1966 /* Convert a Linux mode and permission mask to an access vector. */
1967 static inline u32 file_mask_to_av(int mode, int mask)
1968 {
1969 	u32 av = 0;
1970 
1971 	if (!S_ISDIR(mode)) {
1972 		if (mask & MAY_EXEC)
1973 			av |= FILE__EXECUTE;
1974 		if (mask & MAY_READ)
1975 			av |= FILE__READ;
1976 
1977 		if (mask & MAY_APPEND)
1978 			av |= FILE__APPEND;
1979 		else if (mask & MAY_WRITE)
1980 			av |= FILE__WRITE;
1981 
1982 	} else {
1983 		if (mask & MAY_EXEC)
1984 			av |= DIR__SEARCH;
1985 		if (mask & MAY_WRITE)
1986 			av |= DIR__WRITE;
1987 		if (mask & MAY_READ)
1988 			av |= DIR__READ;
1989 	}
1990 
1991 	return av;
1992 }
1993 
1994 /* Convert a Linux file to an access vector. */
1995 static inline u32 file_to_av(struct file *file)
1996 {
1997 	u32 av = 0;
1998 
1999 	if (file->f_mode & FMODE_READ)
2000 		av |= FILE__READ;
2001 	if (file->f_mode & FMODE_WRITE) {
2002 		if (file->f_flags & O_APPEND)
2003 			av |= FILE__APPEND;
2004 		else
2005 			av |= FILE__WRITE;
2006 	}
2007 	if (!av) {
2008 		/*
2009 		 * Special file opened with flags 3 for ioctl-only use.
2010 		 */
2011 		av = FILE__IOCTL;
2012 	}
2013 
2014 	return av;
2015 }
2016 
2017 /*
2018  * Convert a file to an access vector and include the correct open
2019  * open permission.
2020  */
2021 static inline u32 open_file_to_av(struct file *file)
2022 {
2023 	u32 av = file_to_av(file);
2024 
2025 	if (selinux_policycap_openperm)
2026 		av |= FILE__OPEN;
2027 
2028 	return av;
2029 }
2030 
2031 /* Hook functions begin here. */
2032 
2033 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2034 {
2035 	u32 mysid = current_sid();
2036 	u32 mgrsid = task_sid(mgr);
2037 
2038 	return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2039 			    BINDER__SET_CONTEXT_MGR, NULL);
2040 }
2041 
2042 static int selinux_binder_transaction(struct task_struct *from,
2043 				      struct task_struct *to)
2044 {
2045 	u32 mysid = current_sid();
2046 	u32 fromsid = task_sid(from);
2047 	u32 tosid = task_sid(to);
2048 	int rc;
2049 
2050 	if (mysid != fromsid) {
2051 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2052 				  BINDER__IMPERSONATE, NULL);
2053 		if (rc)
2054 			return rc;
2055 	}
2056 
2057 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2058 			    NULL);
2059 }
2060 
2061 static int selinux_binder_transfer_binder(struct task_struct *from,
2062 					  struct task_struct *to)
2063 {
2064 	u32 fromsid = task_sid(from);
2065 	u32 tosid = task_sid(to);
2066 
2067 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2068 			    NULL);
2069 }
2070 
2071 static int selinux_binder_transfer_file(struct task_struct *from,
2072 					struct task_struct *to,
2073 					struct file *file)
2074 {
2075 	u32 sid = task_sid(to);
2076 	struct file_security_struct *fsec = file->f_security;
2077 	struct dentry *dentry = file->f_path.dentry;
2078 	struct inode_security_struct *isec = backing_inode_security(dentry);
2079 	struct common_audit_data ad;
2080 	int rc;
2081 
2082 	ad.type = LSM_AUDIT_DATA_PATH;
2083 	ad.u.path = file->f_path;
2084 
2085 	if (sid != fsec->sid) {
2086 		rc = avc_has_perm(sid, fsec->sid,
2087 				  SECCLASS_FD,
2088 				  FD__USE,
2089 				  &ad);
2090 		if (rc)
2091 			return rc;
2092 	}
2093 
2094 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2095 		return 0;
2096 
2097 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2098 			    &ad);
2099 }
2100 
2101 static int selinux_ptrace_access_check(struct task_struct *child,
2102 				     unsigned int mode)
2103 {
2104 	if (mode & PTRACE_MODE_READ) {
2105 		u32 sid = current_sid();
2106 		u32 csid = task_sid(child);
2107 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2108 	}
2109 
2110 	return current_has_perm(child, PROCESS__PTRACE);
2111 }
2112 
2113 static int selinux_ptrace_traceme(struct task_struct *parent)
2114 {
2115 	return task_has_perm(parent, current, PROCESS__PTRACE);
2116 }
2117 
2118 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2119 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2120 {
2121 	return current_has_perm(target, PROCESS__GETCAP);
2122 }
2123 
2124 static int selinux_capset(struct cred *new, const struct cred *old,
2125 			  const kernel_cap_t *effective,
2126 			  const kernel_cap_t *inheritable,
2127 			  const kernel_cap_t *permitted)
2128 {
2129 	return cred_has_perm(old, new, PROCESS__SETCAP);
2130 }
2131 
2132 /*
2133  * (This comment used to live with the selinux_task_setuid hook,
2134  * which was removed).
2135  *
2136  * Since setuid only affects the current process, and since the SELinux
2137  * controls are not based on the Linux identity attributes, SELinux does not
2138  * need to control this operation.  However, SELinux does control the use of
2139  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2140  */
2141 
2142 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2143 			   int cap, int audit)
2144 {
2145 	return cred_has_capability(cred, cap, audit);
2146 }
2147 
2148 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2149 {
2150 	const struct cred *cred = current_cred();
2151 	int rc = 0;
2152 
2153 	if (!sb)
2154 		return 0;
2155 
2156 	switch (cmds) {
2157 	case Q_SYNC:
2158 	case Q_QUOTAON:
2159 	case Q_QUOTAOFF:
2160 	case Q_SETINFO:
2161 	case Q_SETQUOTA:
2162 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2163 		break;
2164 	case Q_GETFMT:
2165 	case Q_GETINFO:
2166 	case Q_GETQUOTA:
2167 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2168 		break;
2169 	default:
2170 		rc = 0;  /* let the kernel handle invalid cmds */
2171 		break;
2172 	}
2173 	return rc;
2174 }
2175 
2176 static int selinux_quota_on(struct dentry *dentry)
2177 {
2178 	const struct cred *cred = current_cred();
2179 
2180 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2181 }
2182 
2183 static int selinux_syslog(int type)
2184 {
2185 	int rc;
2186 
2187 	switch (type) {
2188 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2189 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2190 		rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2191 		break;
2192 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2193 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2194 	/* Set level of messages printed to console */
2195 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2196 		rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2197 		break;
2198 	case SYSLOG_ACTION_CLOSE:	/* Close log */
2199 	case SYSLOG_ACTION_OPEN:	/* Open log */
2200 	case SYSLOG_ACTION_READ:	/* Read from log */
2201 	case SYSLOG_ACTION_READ_CLEAR:	/* Read/clear last kernel messages */
2202 	case SYSLOG_ACTION_CLEAR:	/* Clear ring buffer */
2203 	default:
2204 		rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2205 		break;
2206 	}
2207 	return rc;
2208 }
2209 
2210 /*
2211  * Check that a process has enough memory to allocate a new virtual
2212  * mapping. 0 means there is enough memory for the allocation to
2213  * succeed and -ENOMEM implies there is not.
2214  *
2215  * Do not audit the selinux permission check, as this is applied to all
2216  * processes that allocate mappings.
2217  */
2218 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2219 {
2220 	int rc, cap_sys_admin = 0;
2221 
2222 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2223 					SECURITY_CAP_NOAUDIT);
2224 	if (rc == 0)
2225 		cap_sys_admin = 1;
2226 
2227 	return cap_sys_admin;
2228 }
2229 
2230 /* binprm security operations */
2231 
2232 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2233 			    const struct task_security_struct *old_tsec,
2234 			    const struct task_security_struct *new_tsec)
2235 {
2236 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2237 	int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2238 	int rc;
2239 
2240 	if (!nnp && !nosuid)
2241 		return 0; /* neither NNP nor nosuid */
2242 
2243 	if (new_tsec->sid == old_tsec->sid)
2244 		return 0; /* No change in credentials */
2245 
2246 	/*
2247 	 * The only transitions we permit under NNP or nosuid
2248 	 * are transitions to bounded SIDs, i.e. SIDs that are
2249 	 * guaranteed to only be allowed a subset of the permissions
2250 	 * of the current SID.
2251 	 */
2252 	rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2253 	if (rc) {
2254 		/*
2255 		 * On failure, preserve the errno values for NNP vs nosuid.
2256 		 * NNP:  Operation not permitted for caller.
2257 		 * nosuid:  Permission denied to file.
2258 		 */
2259 		if (nnp)
2260 			return -EPERM;
2261 		else
2262 			return -EACCES;
2263 	}
2264 	return 0;
2265 }
2266 
2267 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2268 {
2269 	const struct task_security_struct *old_tsec;
2270 	struct task_security_struct *new_tsec;
2271 	struct inode_security_struct *isec;
2272 	struct common_audit_data ad;
2273 	struct inode *inode = file_inode(bprm->file);
2274 	int rc;
2275 
2276 	/* SELinux context only depends on initial program or script and not
2277 	 * the script interpreter */
2278 	if (bprm->cred_prepared)
2279 		return 0;
2280 
2281 	old_tsec = current_security();
2282 	new_tsec = bprm->cred->security;
2283 	isec = inode_security(inode);
2284 
2285 	/* Default to the current task SID. */
2286 	new_tsec->sid = old_tsec->sid;
2287 	new_tsec->osid = old_tsec->sid;
2288 
2289 	/* Reset fs, key, and sock SIDs on execve. */
2290 	new_tsec->create_sid = 0;
2291 	new_tsec->keycreate_sid = 0;
2292 	new_tsec->sockcreate_sid = 0;
2293 
2294 	if (old_tsec->exec_sid) {
2295 		new_tsec->sid = old_tsec->exec_sid;
2296 		/* Reset exec SID on execve. */
2297 		new_tsec->exec_sid = 0;
2298 
2299 		/* Fail on NNP or nosuid if not an allowed transition. */
2300 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2301 		if (rc)
2302 			return rc;
2303 	} else {
2304 		/* Check for a default transition on this program. */
2305 		rc = security_transition_sid(old_tsec->sid, isec->sid,
2306 					     SECCLASS_PROCESS, NULL,
2307 					     &new_tsec->sid);
2308 		if (rc)
2309 			return rc;
2310 
2311 		/*
2312 		 * Fallback to old SID on NNP or nosuid if not an allowed
2313 		 * transition.
2314 		 */
2315 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2316 		if (rc)
2317 			new_tsec->sid = old_tsec->sid;
2318 	}
2319 
2320 	ad.type = LSM_AUDIT_DATA_PATH;
2321 	ad.u.path = bprm->file->f_path;
2322 
2323 	if (new_tsec->sid == old_tsec->sid) {
2324 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2325 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2326 		if (rc)
2327 			return rc;
2328 	} else {
2329 		/* Check permissions for the transition. */
2330 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2331 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2332 		if (rc)
2333 			return rc;
2334 
2335 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2336 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2337 		if (rc)
2338 			return rc;
2339 
2340 		/* Check for shared state */
2341 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2342 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2343 					  SECCLASS_PROCESS, PROCESS__SHARE,
2344 					  NULL);
2345 			if (rc)
2346 				return -EPERM;
2347 		}
2348 
2349 		/* Make sure that anyone attempting to ptrace over a task that
2350 		 * changes its SID has the appropriate permit */
2351 		if (bprm->unsafe &
2352 		    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2353 			struct task_struct *tracer;
2354 			struct task_security_struct *sec;
2355 			u32 ptsid = 0;
2356 
2357 			rcu_read_lock();
2358 			tracer = ptrace_parent(current);
2359 			if (likely(tracer != NULL)) {
2360 				sec = __task_cred(tracer)->security;
2361 				ptsid = sec->sid;
2362 			}
2363 			rcu_read_unlock();
2364 
2365 			if (ptsid != 0) {
2366 				rc = avc_has_perm(ptsid, new_tsec->sid,
2367 						  SECCLASS_PROCESS,
2368 						  PROCESS__PTRACE, NULL);
2369 				if (rc)
2370 					return -EPERM;
2371 			}
2372 		}
2373 
2374 		/* Clear any possibly unsafe personality bits on exec: */
2375 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2376 	}
2377 
2378 	return 0;
2379 }
2380 
2381 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2382 {
2383 	const struct task_security_struct *tsec = current_security();
2384 	u32 sid, osid;
2385 	int atsecure = 0;
2386 
2387 	sid = tsec->sid;
2388 	osid = tsec->osid;
2389 
2390 	if (osid != sid) {
2391 		/* Enable secure mode for SIDs transitions unless
2392 		   the noatsecure permission is granted between
2393 		   the two SIDs, i.e. ahp returns 0. */
2394 		atsecure = avc_has_perm(osid, sid,
2395 					SECCLASS_PROCESS,
2396 					PROCESS__NOATSECURE, NULL);
2397 	}
2398 
2399 	return !!atsecure;
2400 }
2401 
2402 static int match_file(const void *p, struct file *file, unsigned fd)
2403 {
2404 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2405 }
2406 
2407 /* Derived from fs/exec.c:flush_old_files. */
2408 static inline void flush_unauthorized_files(const struct cred *cred,
2409 					    struct files_struct *files)
2410 {
2411 	struct file *file, *devnull = NULL;
2412 	struct tty_struct *tty;
2413 	int drop_tty = 0;
2414 	unsigned n;
2415 
2416 	tty = get_current_tty();
2417 	if (tty) {
2418 		spin_lock(&tty_files_lock);
2419 		if (!list_empty(&tty->tty_files)) {
2420 			struct tty_file_private *file_priv;
2421 
2422 			/* Revalidate access to controlling tty.
2423 			   Use file_path_has_perm on the tty path directly
2424 			   rather than using file_has_perm, as this particular
2425 			   open file may belong to another process and we are
2426 			   only interested in the inode-based check here. */
2427 			file_priv = list_first_entry(&tty->tty_files,
2428 						struct tty_file_private, list);
2429 			file = file_priv->file;
2430 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2431 				drop_tty = 1;
2432 		}
2433 		spin_unlock(&tty_files_lock);
2434 		tty_kref_put(tty);
2435 	}
2436 	/* Reset controlling tty. */
2437 	if (drop_tty)
2438 		no_tty();
2439 
2440 	/* Revalidate access to inherited open files. */
2441 	n = iterate_fd(files, 0, match_file, cred);
2442 	if (!n) /* none found? */
2443 		return;
2444 
2445 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2446 	if (IS_ERR(devnull))
2447 		devnull = NULL;
2448 	/* replace all the matching ones with this */
2449 	do {
2450 		replace_fd(n - 1, devnull, 0);
2451 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2452 	if (devnull)
2453 		fput(devnull);
2454 }
2455 
2456 /*
2457  * Prepare a process for imminent new credential changes due to exec
2458  */
2459 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2460 {
2461 	struct task_security_struct *new_tsec;
2462 	struct rlimit *rlim, *initrlim;
2463 	int rc, i;
2464 
2465 	new_tsec = bprm->cred->security;
2466 	if (new_tsec->sid == new_tsec->osid)
2467 		return;
2468 
2469 	/* Close files for which the new task SID is not authorized. */
2470 	flush_unauthorized_files(bprm->cred, current->files);
2471 
2472 	/* Always clear parent death signal on SID transitions. */
2473 	current->pdeath_signal = 0;
2474 
2475 	/* Check whether the new SID can inherit resource limits from the old
2476 	 * SID.  If not, reset all soft limits to the lower of the current
2477 	 * task's hard limit and the init task's soft limit.
2478 	 *
2479 	 * Note that the setting of hard limits (even to lower them) can be
2480 	 * controlled by the setrlimit check.  The inclusion of the init task's
2481 	 * soft limit into the computation is to avoid resetting soft limits
2482 	 * higher than the default soft limit for cases where the default is
2483 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2484 	 */
2485 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2486 			  PROCESS__RLIMITINH, NULL);
2487 	if (rc) {
2488 		/* protect against do_prlimit() */
2489 		task_lock(current);
2490 		for (i = 0; i < RLIM_NLIMITS; i++) {
2491 			rlim = current->signal->rlim + i;
2492 			initrlim = init_task.signal->rlim + i;
2493 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2494 		}
2495 		task_unlock(current);
2496 		update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2497 	}
2498 }
2499 
2500 /*
2501  * Clean up the process immediately after the installation of new credentials
2502  * due to exec
2503  */
2504 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2505 {
2506 	const struct task_security_struct *tsec = current_security();
2507 	struct itimerval itimer;
2508 	u32 osid, sid;
2509 	int rc, i;
2510 
2511 	osid = tsec->osid;
2512 	sid = tsec->sid;
2513 
2514 	if (sid == osid)
2515 		return;
2516 
2517 	/* Check whether the new SID can inherit signal state from the old SID.
2518 	 * If not, clear itimers to avoid subsequent signal generation and
2519 	 * flush and unblock signals.
2520 	 *
2521 	 * This must occur _after_ the task SID has been updated so that any
2522 	 * kill done after the flush will be checked against the new SID.
2523 	 */
2524 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2525 	if (rc) {
2526 		memset(&itimer, 0, sizeof itimer);
2527 		for (i = 0; i < 3; i++)
2528 			do_setitimer(i, &itimer, NULL);
2529 		spin_lock_irq(&current->sighand->siglock);
2530 		if (!fatal_signal_pending(current)) {
2531 			flush_sigqueue(&current->pending);
2532 			flush_sigqueue(&current->signal->shared_pending);
2533 			flush_signal_handlers(current, 1);
2534 			sigemptyset(&current->blocked);
2535 			recalc_sigpending();
2536 		}
2537 		spin_unlock_irq(&current->sighand->siglock);
2538 	}
2539 
2540 	/* Wake up the parent if it is waiting so that it can recheck
2541 	 * wait permission to the new task SID. */
2542 	read_lock(&tasklist_lock);
2543 	__wake_up_parent(current, current->real_parent);
2544 	read_unlock(&tasklist_lock);
2545 }
2546 
2547 /* superblock security operations */
2548 
2549 static int selinux_sb_alloc_security(struct super_block *sb)
2550 {
2551 	return superblock_alloc_security(sb);
2552 }
2553 
2554 static void selinux_sb_free_security(struct super_block *sb)
2555 {
2556 	superblock_free_security(sb);
2557 }
2558 
2559 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2560 {
2561 	if (plen > olen)
2562 		return 0;
2563 
2564 	return !memcmp(prefix, option, plen);
2565 }
2566 
2567 static inline int selinux_option(char *option, int len)
2568 {
2569 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2570 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2571 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2572 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2573 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2574 }
2575 
2576 static inline void take_option(char **to, char *from, int *first, int len)
2577 {
2578 	if (!*first) {
2579 		**to = ',';
2580 		*to += 1;
2581 	} else
2582 		*first = 0;
2583 	memcpy(*to, from, len);
2584 	*to += len;
2585 }
2586 
2587 static inline void take_selinux_option(char **to, char *from, int *first,
2588 				       int len)
2589 {
2590 	int current_size = 0;
2591 
2592 	if (!*first) {
2593 		**to = '|';
2594 		*to += 1;
2595 	} else
2596 		*first = 0;
2597 
2598 	while (current_size < len) {
2599 		if (*from != '"') {
2600 			**to = *from;
2601 			*to += 1;
2602 		}
2603 		from += 1;
2604 		current_size += 1;
2605 	}
2606 }
2607 
2608 static int selinux_sb_copy_data(char *orig, char *copy)
2609 {
2610 	int fnosec, fsec, rc = 0;
2611 	char *in_save, *in_curr, *in_end;
2612 	char *sec_curr, *nosec_save, *nosec;
2613 	int open_quote = 0;
2614 
2615 	in_curr = orig;
2616 	sec_curr = copy;
2617 
2618 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2619 	if (!nosec) {
2620 		rc = -ENOMEM;
2621 		goto out;
2622 	}
2623 
2624 	nosec_save = nosec;
2625 	fnosec = fsec = 1;
2626 	in_save = in_end = orig;
2627 
2628 	do {
2629 		if (*in_end == '"')
2630 			open_quote = !open_quote;
2631 		if ((*in_end == ',' && open_quote == 0) ||
2632 				*in_end == '\0') {
2633 			int len = in_end - in_curr;
2634 
2635 			if (selinux_option(in_curr, len))
2636 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2637 			else
2638 				take_option(&nosec, in_curr, &fnosec, len);
2639 
2640 			in_curr = in_end + 1;
2641 		}
2642 	} while (*in_end++);
2643 
2644 	strcpy(in_save, nosec_save);
2645 	free_page((unsigned long)nosec_save);
2646 out:
2647 	return rc;
2648 }
2649 
2650 static int selinux_sb_remount(struct super_block *sb, void *data)
2651 {
2652 	int rc, i, *flags;
2653 	struct security_mnt_opts opts;
2654 	char *secdata, **mount_options;
2655 	struct superblock_security_struct *sbsec = sb->s_security;
2656 
2657 	if (!(sbsec->flags & SE_SBINITIALIZED))
2658 		return 0;
2659 
2660 	if (!data)
2661 		return 0;
2662 
2663 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2664 		return 0;
2665 
2666 	security_init_mnt_opts(&opts);
2667 	secdata = alloc_secdata();
2668 	if (!secdata)
2669 		return -ENOMEM;
2670 	rc = selinux_sb_copy_data(data, secdata);
2671 	if (rc)
2672 		goto out_free_secdata;
2673 
2674 	rc = selinux_parse_opts_str(secdata, &opts);
2675 	if (rc)
2676 		goto out_free_secdata;
2677 
2678 	mount_options = opts.mnt_opts;
2679 	flags = opts.mnt_opts_flags;
2680 
2681 	for (i = 0; i < opts.num_mnt_opts; i++) {
2682 		u32 sid;
2683 
2684 		if (flags[i] == SBLABEL_MNT)
2685 			continue;
2686 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2687 		if (rc) {
2688 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2689 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2690 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2691 			goto out_free_opts;
2692 		}
2693 		rc = -EINVAL;
2694 		switch (flags[i]) {
2695 		case FSCONTEXT_MNT:
2696 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2697 				goto out_bad_option;
2698 			break;
2699 		case CONTEXT_MNT:
2700 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2701 				goto out_bad_option;
2702 			break;
2703 		case ROOTCONTEXT_MNT: {
2704 			struct inode_security_struct *root_isec;
2705 			root_isec = backing_inode_security(sb->s_root);
2706 
2707 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2708 				goto out_bad_option;
2709 			break;
2710 		}
2711 		case DEFCONTEXT_MNT:
2712 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2713 				goto out_bad_option;
2714 			break;
2715 		default:
2716 			goto out_free_opts;
2717 		}
2718 	}
2719 
2720 	rc = 0;
2721 out_free_opts:
2722 	security_free_mnt_opts(&opts);
2723 out_free_secdata:
2724 	free_secdata(secdata);
2725 	return rc;
2726 out_bad_option:
2727 	printk(KERN_WARNING "SELinux: unable to change security options "
2728 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2729 	       sb->s_type->name);
2730 	goto out_free_opts;
2731 }
2732 
2733 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2734 {
2735 	const struct cred *cred = current_cred();
2736 	struct common_audit_data ad;
2737 	int rc;
2738 
2739 	rc = superblock_doinit(sb, data);
2740 	if (rc)
2741 		return rc;
2742 
2743 	/* Allow all mounts performed by the kernel */
2744 	if (flags & MS_KERNMOUNT)
2745 		return 0;
2746 
2747 	ad.type = LSM_AUDIT_DATA_DENTRY;
2748 	ad.u.dentry = sb->s_root;
2749 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2750 }
2751 
2752 static int selinux_sb_statfs(struct dentry *dentry)
2753 {
2754 	const struct cred *cred = current_cred();
2755 	struct common_audit_data ad;
2756 
2757 	ad.type = LSM_AUDIT_DATA_DENTRY;
2758 	ad.u.dentry = dentry->d_sb->s_root;
2759 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2760 }
2761 
2762 static int selinux_mount(const char *dev_name,
2763 			 struct path *path,
2764 			 const char *type,
2765 			 unsigned long flags,
2766 			 void *data)
2767 {
2768 	const struct cred *cred = current_cred();
2769 
2770 	if (flags & MS_REMOUNT)
2771 		return superblock_has_perm(cred, path->dentry->d_sb,
2772 					   FILESYSTEM__REMOUNT, NULL);
2773 	else
2774 		return path_has_perm(cred, path, FILE__MOUNTON);
2775 }
2776 
2777 static int selinux_umount(struct vfsmount *mnt, int flags)
2778 {
2779 	const struct cred *cred = current_cred();
2780 
2781 	return superblock_has_perm(cred, mnt->mnt_sb,
2782 				   FILESYSTEM__UNMOUNT, NULL);
2783 }
2784 
2785 /* inode security operations */
2786 
2787 static int selinux_inode_alloc_security(struct inode *inode)
2788 {
2789 	return inode_alloc_security(inode);
2790 }
2791 
2792 static void selinux_inode_free_security(struct inode *inode)
2793 {
2794 	inode_free_security(inode);
2795 }
2796 
2797 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2798 					struct qstr *name, void **ctx,
2799 					u32 *ctxlen)
2800 {
2801 	u32 newsid;
2802 	int rc;
2803 
2804 	rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2805 					   inode_mode_to_security_class(mode),
2806 					   &newsid);
2807 	if (rc)
2808 		return rc;
2809 
2810 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2811 }
2812 
2813 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2814 				       const struct qstr *qstr,
2815 				       const char **name,
2816 				       void **value, size_t *len)
2817 {
2818 	const struct task_security_struct *tsec = current_security();
2819 	struct superblock_security_struct *sbsec;
2820 	u32 sid, newsid, clen;
2821 	int rc;
2822 	char *context;
2823 
2824 	sbsec = dir->i_sb->s_security;
2825 
2826 	sid = tsec->sid;
2827 	newsid = tsec->create_sid;
2828 
2829 	rc = selinux_determine_inode_label(
2830 		dir, qstr,
2831 		inode_mode_to_security_class(inode->i_mode),
2832 		&newsid);
2833 	if (rc)
2834 		return rc;
2835 
2836 	/* Possibly defer initialization to selinux_complete_init. */
2837 	if (sbsec->flags & SE_SBINITIALIZED) {
2838 		struct inode_security_struct *isec = inode->i_security;
2839 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2840 		isec->sid = newsid;
2841 		isec->initialized = LABEL_INITIALIZED;
2842 	}
2843 
2844 	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2845 		return -EOPNOTSUPP;
2846 
2847 	if (name)
2848 		*name = XATTR_SELINUX_SUFFIX;
2849 
2850 	if (value && len) {
2851 		rc = security_sid_to_context_force(newsid, &context, &clen);
2852 		if (rc)
2853 			return rc;
2854 		*value = context;
2855 		*len = clen;
2856 	}
2857 
2858 	return 0;
2859 }
2860 
2861 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2862 {
2863 	return may_create(dir, dentry, SECCLASS_FILE);
2864 }
2865 
2866 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2867 {
2868 	return may_link(dir, old_dentry, MAY_LINK);
2869 }
2870 
2871 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2872 {
2873 	return may_link(dir, dentry, MAY_UNLINK);
2874 }
2875 
2876 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2877 {
2878 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2879 }
2880 
2881 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2882 {
2883 	return may_create(dir, dentry, SECCLASS_DIR);
2884 }
2885 
2886 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2887 {
2888 	return may_link(dir, dentry, MAY_RMDIR);
2889 }
2890 
2891 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2892 {
2893 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2894 }
2895 
2896 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2897 				struct inode *new_inode, struct dentry *new_dentry)
2898 {
2899 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2900 }
2901 
2902 static int selinux_inode_readlink(struct dentry *dentry)
2903 {
2904 	const struct cred *cred = current_cred();
2905 
2906 	return dentry_has_perm(cred, dentry, FILE__READ);
2907 }
2908 
2909 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2910 				     bool rcu)
2911 {
2912 	const struct cred *cred = current_cred();
2913 	struct common_audit_data ad;
2914 	struct inode_security_struct *isec;
2915 	u32 sid;
2916 
2917 	validate_creds(cred);
2918 
2919 	ad.type = LSM_AUDIT_DATA_DENTRY;
2920 	ad.u.dentry = dentry;
2921 	sid = cred_sid(cred);
2922 	isec = inode_security_rcu(inode, rcu);
2923 	if (IS_ERR(isec))
2924 		return PTR_ERR(isec);
2925 
2926 	return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2927 				  rcu ? MAY_NOT_BLOCK : 0);
2928 }
2929 
2930 static noinline int audit_inode_permission(struct inode *inode,
2931 					   u32 perms, u32 audited, u32 denied,
2932 					   int result,
2933 					   unsigned flags)
2934 {
2935 	struct common_audit_data ad;
2936 	struct inode_security_struct *isec = inode->i_security;
2937 	int rc;
2938 
2939 	ad.type = LSM_AUDIT_DATA_INODE;
2940 	ad.u.inode = inode;
2941 
2942 	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2943 			    audited, denied, result, &ad, flags);
2944 	if (rc)
2945 		return rc;
2946 	return 0;
2947 }
2948 
2949 static int selinux_inode_permission(struct inode *inode, int mask)
2950 {
2951 	const struct cred *cred = current_cred();
2952 	u32 perms;
2953 	bool from_access;
2954 	unsigned flags = mask & MAY_NOT_BLOCK;
2955 	struct inode_security_struct *isec;
2956 	u32 sid;
2957 	struct av_decision avd;
2958 	int rc, rc2;
2959 	u32 audited, denied;
2960 
2961 	from_access = mask & MAY_ACCESS;
2962 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2963 
2964 	/* No permission to check.  Existence test. */
2965 	if (!mask)
2966 		return 0;
2967 
2968 	validate_creds(cred);
2969 
2970 	if (unlikely(IS_PRIVATE(inode)))
2971 		return 0;
2972 
2973 	perms = file_mask_to_av(inode->i_mode, mask);
2974 
2975 	sid = cred_sid(cred);
2976 	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2977 	if (IS_ERR(isec))
2978 		return PTR_ERR(isec);
2979 
2980 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2981 	audited = avc_audit_required(perms, &avd, rc,
2982 				     from_access ? FILE__AUDIT_ACCESS : 0,
2983 				     &denied);
2984 	if (likely(!audited))
2985 		return rc;
2986 
2987 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2988 	if (rc2)
2989 		return rc2;
2990 	return rc;
2991 }
2992 
2993 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2994 {
2995 	const struct cred *cred = current_cred();
2996 	unsigned int ia_valid = iattr->ia_valid;
2997 	__u32 av = FILE__WRITE;
2998 
2999 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3000 	if (ia_valid & ATTR_FORCE) {
3001 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3002 			      ATTR_FORCE);
3003 		if (!ia_valid)
3004 			return 0;
3005 	}
3006 
3007 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3008 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3009 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3010 
3011 	if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3012 			&& !(ia_valid & ATTR_FILE))
3013 		av |= FILE__OPEN;
3014 
3015 	return dentry_has_perm(cred, dentry, av);
3016 }
3017 
3018 static int selinux_inode_getattr(const struct path *path)
3019 {
3020 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3021 }
3022 
3023 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3024 {
3025 	const struct cred *cred = current_cred();
3026 
3027 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
3028 		     sizeof XATTR_SECURITY_PREFIX - 1)) {
3029 		if (!strcmp(name, XATTR_NAME_CAPS)) {
3030 			if (!capable(CAP_SETFCAP))
3031 				return -EPERM;
3032 		} else if (!capable(CAP_SYS_ADMIN)) {
3033 			/* A different attribute in the security namespace.
3034 			   Restrict to administrator. */
3035 			return -EPERM;
3036 		}
3037 	}
3038 
3039 	/* Not an attribute we recognize, so just check the
3040 	   ordinary setattr permission. */
3041 	return dentry_has_perm(cred, dentry, FILE__SETATTR);
3042 }
3043 
3044 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3045 				  const void *value, size_t size, int flags)
3046 {
3047 	struct inode *inode = d_backing_inode(dentry);
3048 	struct inode_security_struct *isec = backing_inode_security(dentry);
3049 	struct superblock_security_struct *sbsec;
3050 	struct common_audit_data ad;
3051 	u32 newsid, sid = current_sid();
3052 	int rc = 0;
3053 
3054 	if (strcmp(name, XATTR_NAME_SELINUX))
3055 		return selinux_inode_setotherxattr(dentry, name);
3056 
3057 	sbsec = inode->i_sb->s_security;
3058 	if (!(sbsec->flags & SBLABEL_MNT))
3059 		return -EOPNOTSUPP;
3060 
3061 	if (!inode_owner_or_capable(inode))
3062 		return -EPERM;
3063 
3064 	ad.type = LSM_AUDIT_DATA_DENTRY;
3065 	ad.u.dentry = dentry;
3066 
3067 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3068 			  FILE__RELABELFROM, &ad);
3069 	if (rc)
3070 		return rc;
3071 
3072 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3073 	if (rc == -EINVAL) {
3074 		if (!capable(CAP_MAC_ADMIN)) {
3075 			struct audit_buffer *ab;
3076 			size_t audit_size;
3077 			const char *str;
3078 
3079 			/* We strip a nul only if it is at the end, otherwise the
3080 			 * context contains a nul and we should audit that */
3081 			if (value) {
3082 				str = value;
3083 				if (str[size - 1] == '\0')
3084 					audit_size = size - 1;
3085 				else
3086 					audit_size = size;
3087 			} else {
3088 				str = "";
3089 				audit_size = 0;
3090 			}
3091 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3092 			audit_log_format(ab, "op=setxattr invalid_context=");
3093 			audit_log_n_untrustedstring(ab, value, audit_size);
3094 			audit_log_end(ab);
3095 
3096 			return rc;
3097 		}
3098 		rc = security_context_to_sid_force(value, size, &newsid);
3099 	}
3100 	if (rc)
3101 		return rc;
3102 
3103 	rc = avc_has_perm(sid, newsid, isec->sclass,
3104 			  FILE__RELABELTO, &ad);
3105 	if (rc)
3106 		return rc;
3107 
3108 	rc = security_validate_transition(isec->sid, newsid, sid,
3109 					  isec->sclass);
3110 	if (rc)
3111 		return rc;
3112 
3113 	return avc_has_perm(newsid,
3114 			    sbsec->sid,
3115 			    SECCLASS_FILESYSTEM,
3116 			    FILESYSTEM__ASSOCIATE,
3117 			    &ad);
3118 }
3119 
3120 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3121 					const void *value, size_t size,
3122 					int flags)
3123 {
3124 	struct inode *inode = d_backing_inode(dentry);
3125 	struct inode_security_struct *isec = backing_inode_security(dentry);
3126 	u32 newsid;
3127 	int rc;
3128 
3129 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3130 		/* Not an attribute we recognize, so nothing to do. */
3131 		return;
3132 	}
3133 
3134 	rc = security_context_to_sid_force(value, size, &newsid);
3135 	if (rc) {
3136 		printk(KERN_ERR "SELinux:  unable to map context to SID"
3137 		       "for (%s, %lu), rc=%d\n",
3138 		       inode->i_sb->s_id, inode->i_ino, -rc);
3139 		return;
3140 	}
3141 
3142 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3143 	isec->sid = newsid;
3144 	isec->initialized = LABEL_INITIALIZED;
3145 
3146 	return;
3147 }
3148 
3149 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3150 {
3151 	const struct cred *cred = current_cred();
3152 
3153 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3154 }
3155 
3156 static int selinux_inode_listxattr(struct dentry *dentry)
3157 {
3158 	const struct cred *cred = current_cred();
3159 
3160 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3161 }
3162 
3163 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3164 {
3165 	if (strcmp(name, XATTR_NAME_SELINUX))
3166 		return selinux_inode_setotherxattr(dentry, name);
3167 
3168 	/* No one is allowed to remove a SELinux security label.
3169 	   You can change the label, but all data must be labeled. */
3170 	return -EACCES;
3171 }
3172 
3173 /*
3174  * Copy the inode security context value to the user.
3175  *
3176  * Permission check is handled by selinux_inode_getxattr hook.
3177  */
3178 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3179 {
3180 	u32 size;
3181 	int error;
3182 	char *context = NULL;
3183 	struct inode_security_struct *isec = inode_security(inode);
3184 
3185 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3186 		return -EOPNOTSUPP;
3187 
3188 	/*
3189 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3190 	 * value even if it is not defined by current policy; otherwise,
3191 	 * use the in-core value under current policy.
3192 	 * Use the non-auditing forms of the permission checks since
3193 	 * getxattr may be called by unprivileged processes commonly
3194 	 * and lack of permission just means that we fall back to the
3195 	 * in-core context value, not a denial.
3196 	 */
3197 	error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3198 			    SECURITY_CAP_NOAUDIT);
3199 	if (!error)
3200 		error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3201 					    SECURITY_CAP_NOAUDIT);
3202 	if (!error)
3203 		error = security_sid_to_context_force(isec->sid, &context,
3204 						      &size);
3205 	else
3206 		error = security_sid_to_context(isec->sid, &context, &size);
3207 	if (error)
3208 		return error;
3209 	error = size;
3210 	if (alloc) {
3211 		*buffer = context;
3212 		goto out_nofree;
3213 	}
3214 	kfree(context);
3215 out_nofree:
3216 	return error;
3217 }
3218 
3219 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3220 				     const void *value, size_t size, int flags)
3221 {
3222 	struct inode_security_struct *isec = inode_security(inode);
3223 	u32 newsid;
3224 	int rc;
3225 
3226 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3227 		return -EOPNOTSUPP;
3228 
3229 	if (!value || !size)
3230 		return -EACCES;
3231 
3232 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3233 	if (rc)
3234 		return rc;
3235 
3236 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3237 	isec->sid = newsid;
3238 	isec->initialized = LABEL_INITIALIZED;
3239 	return 0;
3240 }
3241 
3242 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3243 {
3244 	const int len = sizeof(XATTR_NAME_SELINUX);
3245 	if (buffer && len <= buffer_size)
3246 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3247 	return len;
3248 }
3249 
3250 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3251 {
3252 	struct inode_security_struct *isec = inode_security(inode);
3253 	*secid = isec->sid;
3254 }
3255 
3256 /* file security operations */
3257 
3258 static int selinux_revalidate_file_permission(struct file *file, int mask)
3259 {
3260 	const struct cred *cred = current_cred();
3261 	struct inode *inode = file_inode(file);
3262 
3263 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3264 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3265 		mask |= MAY_APPEND;
3266 
3267 	return file_has_perm(cred, file,
3268 			     file_mask_to_av(inode->i_mode, mask));
3269 }
3270 
3271 static int selinux_file_permission(struct file *file, int mask)
3272 {
3273 	struct inode *inode = file_inode(file);
3274 	struct file_security_struct *fsec = file->f_security;
3275 	struct inode_security_struct *isec;
3276 	u32 sid = current_sid();
3277 
3278 	if (!mask)
3279 		/* No permission to check.  Existence test. */
3280 		return 0;
3281 
3282 	isec = inode_security(inode);
3283 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3284 	    fsec->pseqno == avc_policy_seqno())
3285 		/* No change since file_open check. */
3286 		return 0;
3287 
3288 	return selinux_revalidate_file_permission(file, mask);
3289 }
3290 
3291 static int selinux_file_alloc_security(struct file *file)
3292 {
3293 	return file_alloc_security(file);
3294 }
3295 
3296 static void selinux_file_free_security(struct file *file)
3297 {
3298 	file_free_security(file);
3299 }
3300 
3301 /*
3302  * Check whether a task has the ioctl permission and cmd
3303  * operation to an inode.
3304  */
3305 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3306 		u32 requested, u16 cmd)
3307 {
3308 	struct common_audit_data ad;
3309 	struct file_security_struct *fsec = file->f_security;
3310 	struct inode *inode = file_inode(file);
3311 	struct inode_security_struct *isec = inode_security(inode);
3312 	struct lsm_ioctlop_audit ioctl;
3313 	u32 ssid = cred_sid(cred);
3314 	int rc;
3315 	u8 driver = cmd >> 8;
3316 	u8 xperm = cmd & 0xff;
3317 
3318 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3319 	ad.u.op = &ioctl;
3320 	ad.u.op->cmd = cmd;
3321 	ad.u.op->path = file->f_path;
3322 
3323 	if (ssid != fsec->sid) {
3324 		rc = avc_has_perm(ssid, fsec->sid,
3325 				SECCLASS_FD,
3326 				FD__USE,
3327 				&ad);
3328 		if (rc)
3329 			goto out;
3330 	}
3331 
3332 	if (unlikely(IS_PRIVATE(inode)))
3333 		return 0;
3334 
3335 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3336 			requested, driver, xperm, &ad);
3337 out:
3338 	return rc;
3339 }
3340 
3341 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3342 			      unsigned long arg)
3343 {
3344 	const struct cred *cred = current_cred();
3345 	int error = 0;
3346 
3347 	switch (cmd) {
3348 	case FIONREAD:
3349 	/* fall through */
3350 	case FIBMAP:
3351 	/* fall through */
3352 	case FIGETBSZ:
3353 	/* fall through */
3354 	case FS_IOC_GETFLAGS:
3355 	/* fall through */
3356 	case FS_IOC_GETVERSION:
3357 		error = file_has_perm(cred, file, FILE__GETATTR);
3358 		break;
3359 
3360 	case FS_IOC_SETFLAGS:
3361 	/* fall through */
3362 	case FS_IOC_SETVERSION:
3363 		error = file_has_perm(cred, file, FILE__SETATTR);
3364 		break;
3365 
3366 	/* sys_ioctl() checks */
3367 	case FIONBIO:
3368 	/* fall through */
3369 	case FIOASYNC:
3370 		error = file_has_perm(cred, file, 0);
3371 		break;
3372 
3373 	case KDSKBENT:
3374 	case KDSKBSENT:
3375 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3376 					    SECURITY_CAP_AUDIT);
3377 		break;
3378 
3379 	/* default case assumes that the command will go
3380 	 * to the file's ioctl() function.
3381 	 */
3382 	default:
3383 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3384 	}
3385 	return error;
3386 }
3387 
3388 static int default_noexec;
3389 
3390 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3391 {
3392 	const struct cred *cred = current_cred();
3393 	int rc = 0;
3394 
3395 	if (default_noexec &&
3396 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3397 				   (!shared && (prot & PROT_WRITE)))) {
3398 		/*
3399 		 * We are making executable an anonymous mapping or a
3400 		 * private file mapping that will also be writable.
3401 		 * This has an additional check.
3402 		 */
3403 		rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3404 		if (rc)
3405 			goto error;
3406 	}
3407 
3408 	if (file) {
3409 		/* read access is always possible with a mapping */
3410 		u32 av = FILE__READ;
3411 
3412 		/* write access only matters if the mapping is shared */
3413 		if (shared && (prot & PROT_WRITE))
3414 			av |= FILE__WRITE;
3415 
3416 		if (prot & PROT_EXEC)
3417 			av |= FILE__EXECUTE;
3418 
3419 		return file_has_perm(cred, file, av);
3420 	}
3421 
3422 error:
3423 	return rc;
3424 }
3425 
3426 static int selinux_mmap_addr(unsigned long addr)
3427 {
3428 	int rc = 0;
3429 
3430 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3431 		u32 sid = current_sid();
3432 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3433 				  MEMPROTECT__MMAP_ZERO, NULL);
3434 	}
3435 
3436 	return rc;
3437 }
3438 
3439 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3440 			     unsigned long prot, unsigned long flags)
3441 {
3442 	if (selinux_checkreqprot)
3443 		prot = reqprot;
3444 
3445 	return file_map_prot_check(file, prot,
3446 				   (flags & MAP_TYPE) == MAP_SHARED);
3447 }
3448 
3449 static int selinux_file_mprotect(struct vm_area_struct *vma,
3450 				 unsigned long reqprot,
3451 				 unsigned long prot)
3452 {
3453 	const struct cred *cred = current_cred();
3454 
3455 	if (selinux_checkreqprot)
3456 		prot = reqprot;
3457 
3458 	if (default_noexec &&
3459 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3460 		int rc = 0;
3461 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3462 		    vma->vm_end <= vma->vm_mm->brk) {
3463 			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3464 		} else if (!vma->vm_file &&
3465 			   vma->vm_start <= vma->vm_mm->start_stack &&
3466 			   vma->vm_end >= vma->vm_mm->start_stack) {
3467 			rc = current_has_perm(current, PROCESS__EXECSTACK);
3468 		} else if (vma->vm_file && vma->anon_vma) {
3469 			/*
3470 			 * We are making executable a file mapping that has
3471 			 * had some COW done. Since pages might have been
3472 			 * written, check ability to execute the possibly
3473 			 * modified content.  This typically should only
3474 			 * occur for text relocations.
3475 			 */
3476 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3477 		}
3478 		if (rc)
3479 			return rc;
3480 	}
3481 
3482 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3483 }
3484 
3485 static int selinux_file_lock(struct file *file, unsigned int cmd)
3486 {
3487 	const struct cred *cred = current_cred();
3488 
3489 	return file_has_perm(cred, file, FILE__LOCK);
3490 }
3491 
3492 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3493 			      unsigned long arg)
3494 {
3495 	const struct cred *cred = current_cred();
3496 	int err = 0;
3497 
3498 	switch (cmd) {
3499 	case F_SETFL:
3500 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3501 			err = file_has_perm(cred, file, FILE__WRITE);
3502 			break;
3503 		}
3504 		/* fall through */
3505 	case F_SETOWN:
3506 	case F_SETSIG:
3507 	case F_GETFL:
3508 	case F_GETOWN:
3509 	case F_GETSIG:
3510 	case F_GETOWNER_UIDS:
3511 		/* Just check FD__USE permission */
3512 		err = file_has_perm(cred, file, 0);
3513 		break;
3514 	case F_GETLK:
3515 	case F_SETLK:
3516 	case F_SETLKW:
3517 	case F_OFD_GETLK:
3518 	case F_OFD_SETLK:
3519 	case F_OFD_SETLKW:
3520 #if BITS_PER_LONG == 32
3521 	case F_GETLK64:
3522 	case F_SETLK64:
3523 	case F_SETLKW64:
3524 #endif
3525 		err = file_has_perm(cred, file, FILE__LOCK);
3526 		break;
3527 	}
3528 
3529 	return err;
3530 }
3531 
3532 static void selinux_file_set_fowner(struct file *file)
3533 {
3534 	struct file_security_struct *fsec;
3535 
3536 	fsec = file->f_security;
3537 	fsec->fown_sid = current_sid();
3538 }
3539 
3540 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3541 				       struct fown_struct *fown, int signum)
3542 {
3543 	struct file *file;
3544 	u32 sid = task_sid(tsk);
3545 	u32 perm;
3546 	struct file_security_struct *fsec;
3547 
3548 	/* struct fown_struct is never outside the context of a struct file */
3549 	file = container_of(fown, struct file, f_owner);
3550 
3551 	fsec = file->f_security;
3552 
3553 	if (!signum)
3554 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3555 	else
3556 		perm = signal_to_av(signum);
3557 
3558 	return avc_has_perm(fsec->fown_sid, sid,
3559 			    SECCLASS_PROCESS, perm, NULL);
3560 }
3561 
3562 static int selinux_file_receive(struct file *file)
3563 {
3564 	const struct cred *cred = current_cred();
3565 
3566 	return file_has_perm(cred, file, file_to_av(file));
3567 }
3568 
3569 static int selinux_file_open(struct file *file, const struct cred *cred)
3570 {
3571 	struct file_security_struct *fsec;
3572 	struct inode_security_struct *isec;
3573 
3574 	fsec = file->f_security;
3575 	isec = inode_security(file_inode(file));
3576 	/*
3577 	 * Save inode label and policy sequence number
3578 	 * at open-time so that selinux_file_permission
3579 	 * can determine whether revalidation is necessary.
3580 	 * Task label is already saved in the file security
3581 	 * struct as its SID.
3582 	 */
3583 	fsec->isid = isec->sid;
3584 	fsec->pseqno = avc_policy_seqno();
3585 	/*
3586 	 * Since the inode label or policy seqno may have changed
3587 	 * between the selinux_inode_permission check and the saving
3588 	 * of state above, recheck that access is still permitted.
3589 	 * Otherwise, access might never be revalidated against the
3590 	 * new inode label or new policy.
3591 	 * This check is not redundant - do not remove.
3592 	 */
3593 	return file_path_has_perm(cred, file, open_file_to_av(file));
3594 }
3595 
3596 /* task security operations */
3597 
3598 static int selinux_task_create(unsigned long clone_flags)
3599 {
3600 	return current_has_perm(current, PROCESS__FORK);
3601 }
3602 
3603 /*
3604  * allocate the SELinux part of blank credentials
3605  */
3606 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3607 {
3608 	struct task_security_struct *tsec;
3609 
3610 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3611 	if (!tsec)
3612 		return -ENOMEM;
3613 
3614 	cred->security = tsec;
3615 	return 0;
3616 }
3617 
3618 /*
3619  * detach and free the LSM part of a set of credentials
3620  */
3621 static void selinux_cred_free(struct cred *cred)
3622 {
3623 	struct task_security_struct *tsec = cred->security;
3624 
3625 	/*
3626 	 * cred->security == NULL if security_cred_alloc_blank() or
3627 	 * security_prepare_creds() returned an error.
3628 	 */
3629 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3630 	cred->security = (void *) 0x7UL;
3631 	kfree(tsec);
3632 }
3633 
3634 /*
3635  * prepare a new set of credentials for modification
3636  */
3637 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3638 				gfp_t gfp)
3639 {
3640 	const struct task_security_struct *old_tsec;
3641 	struct task_security_struct *tsec;
3642 
3643 	old_tsec = old->security;
3644 
3645 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3646 	if (!tsec)
3647 		return -ENOMEM;
3648 
3649 	new->security = tsec;
3650 	return 0;
3651 }
3652 
3653 /*
3654  * transfer the SELinux data to a blank set of creds
3655  */
3656 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3657 {
3658 	const struct task_security_struct *old_tsec = old->security;
3659 	struct task_security_struct *tsec = new->security;
3660 
3661 	*tsec = *old_tsec;
3662 }
3663 
3664 /*
3665  * set the security data for a kernel service
3666  * - all the creation contexts are set to unlabelled
3667  */
3668 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3669 {
3670 	struct task_security_struct *tsec = new->security;
3671 	u32 sid = current_sid();
3672 	int ret;
3673 
3674 	ret = avc_has_perm(sid, secid,
3675 			   SECCLASS_KERNEL_SERVICE,
3676 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3677 			   NULL);
3678 	if (ret == 0) {
3679 		tsec->sid = secid;
3680 		tsec->create_sid = 0;
3681 		tsec->keycreate_sid = 0;
3682 		tsec->sockcreate_sid = 0;
3683 	}
3684 	return ret;
3685 }
3686 
3687 /*
3688  * set the file creation context in a security record to the same as the
3689  * objective context of the specified inode
3690  */
3691 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3692 {
3693 	struct inode_security_struct *isec = inode_security(inode);
3694 	struct task_security_struct *tsec = new->security;
3695 	u32 sid = current_sid();
3696 	int ret;
3697 
3698 	ret = avc_has_perm(sid, isec->sid,
3699 			   SECCLASS_KERNEL_SERVICE,
3700 			   KERNEL_SERVICE__CREATE_FILES_AS,
3701 			   NULL);
3702 
3703 	if (ret == 0)
3704 		tsec->create_sid = isec->sid;
3705 	return ret;
3706 }
3707 
3708 static int selinux_kernel_module_request(char *kmod_name)
3709 {
3710 	u32 sid;
3711 	struct common_audit_data ad;
3712 
3713 	sid = task_sid(current);
3714 
3715 	ad.type = LSM_AUDIT_DATA_KMOD;
3716 	ad.u.kmod_name = kmod_name;
3717 
3718 	return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3719 			    SYSTEM__MODULE_REQUEST, &ad);
3720 }
3721 
3722 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3723 {
3724 	return current_has_perm(p, PROCESS__SETPGID);
3725 }
3726 
3727 static int selinux_task_getpgid(struct task_struct *p)
3728 {
3729 	return current_has_perm(p, PROCESS__GETPGID);
3730 }
3731 
3732 static int selinux_task_getsid(struct task_struct *p)
3733 {
3734 	return current_has_perm(p, PROCESS__GETSESSION);
3735 }
3736 
3737 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3738 {
3739 	*secid = task_sid(p);
3740 }
3741 
3742 static int selinux_task_setnice(struct task_struct *p, int nice)
3743 {
3744 	return current_has_perm(p, PROCESS__SETSCHED);
3745 }
3746 
3747 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3748 {
3749 	return current_has_perm(p, PROCESS__SETSCHED);
3750 }
3751 
3752 static int selinux_task_getioprio(struct task_struct *p)
3753 {
3754 	return current_has_perm(p, PROCESS__GETSCHED);
3755 }
3756 
3757 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3758 		struct rlimit *new_rlim)
3759 {
3760 	struct rlimit *old_rlim = p->signal->rlim + resource;
3761 
3762 	/* Control the ability to change the hard limit (whether
3763 	   lowering or raising it), so that the hard limit can
3764 	   later be used as a safe reset point for the soft limit
3765 	   upon context transitions.  See selinux_bprm_committing_creds. */
3766 	if (old_rlim->rlim_max != new_rlim->rlim_max)
3767 		return current_has_perm(p, PROCESS__SETRLIMIT);
3768 
3769 	return 0;
3770 }
3771 
3772 static int selinux_task_setscheduler(struct task_struct *p)
3773 {
3774 	return current_has_perm(p, PROCESS__SETSCHED);
3775 }
3776 
3777 static int selinux_task_getscheduler(struct task_struct *p)
3778 {
3779 	return current_has_perm(p, PROCESS__GETSCHED);
3780 }
3781 
3782 static int selinux_task_movememory(struct task_struct *p)
3783 {
3784 	return current_has_perm(p, PROCESS__SETSCHED);
3785 }
3786 
3787 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3788 				int sig, u32 secid)
3789 {
3790 	u32 perm;
3791 	int rc;
3792 
3793 	if (!sig)
3794 		perm = PROCESS__SIGNULL; /* null signal; existence test */
3795 	else
3796 		perm = signal_to_av(sig);
3797 	if (secid)
3798 		rc = avc_has_perm(secid, task_sid(p),
3799 				  SECCLASS_PROCESS, perm, NULL);
3800 	else
3801 		rc = current_has_perm(p, perm);
3802 	return rc;
3803 }
3804 
3805 static int selinux_task_wait(struct task_struct *p)
3806 {
3807 	return task_has_perm(p, current, PROCESS__SIGCHLD);
3808 }
3809 
3810 static void selinux_task_to_inode(struct task_struct *p,
3811 				  struct inode *inode)
3812 {
3813 	struct inode_security_struct *isec = inode->i_security;
3814 	u32 sid = task_sid(p);
3815 
3816 	isec->sid = sid;
3817 	isec->initialized = LABEL_INITIALIZED;
3818 }
3819 
3820 /* Returns error only if unable to parse addresses */
3821 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3822 			struct common_audit_data *ad, u8 *proto)
3823 {
3824 	int offset, ihlen, ret = -EINVAL;
3825 	struct iphdr _iph, *ih;
3826 
3827 	offset = skb_network_offset(skb);
3828 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3829 	if (ih == NULL)
3830 		goto out;
3831 
3832 	ihlen = ih->ihl * 4;
3833 	if (ihlen < sizeof(_iph))
3834 		goto out;
3835 
3836 	ad->u.net->v4info.saddr = ih->saddr;
3837 	ad->u.net->v4info.daddr = ih->daddr;
3838 	ret = 0;
3839 
3840 	if (proto)
3841 		*proto = ih->protocol;
3842 
3843 	switch (ih->protocol) {
3844 	case IPPROTO_TCP: {
3845 		struct tcphdr _tcph, *th;
3846 
3847 		if (ntohs(ih->frag_off) & IP_OFFSET)
3848 			break;
3849 
3850 		offset += ihlen;
3851 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3852 		if (th == NULL)
3853 			break;
3854 
3855 		ad->u.net->sport = th->source;
3856 		ad->u.net->dport = th->dest;
3857 		break;
3858 	}
3859 
3860 	case IPPROTO_UDP: {
3861 		struct udphdr _udph, *uh;
3862 
3863 		if (ntohs(ih->frag_off) & IP_OFFSET)
3864 			break;
3865 
3866 		offset += ihlen;
3867 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3868 		if (uh == NULL)
3869 			break;
3870 
3871 		ad->u.net->sport = uh->source;
3872 		ad->u.net->dport = uh->dest;
3873 		break;
3874 	}
3875 
3876 	case IPPROTO_DCCP: {
3877 		struct dccp_hdr _dccph, *dh;
3878 
3879 		if (ntohs(ih->frag_off) & IP_OFFSET)
3880 			break;
3881 
3882 		offset += ihlen;
3883 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3884 		if (dh == NULL)
3885 			break;
3886 
3887 		ad->u.net->sport = dh->dccph_sport;
3888 		ad->u.net->dport = dh->dccph_dport;
3889 		break;
3890 	}
3891 
3892 	default:
3893 		break;
3894 	}
3895 out:
3896 	return ret;
3897 }
3898 
3899 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3900 
3901 /* Returns error only if unable to parse addresses */
3902 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3903 			struct common_audit_data *ad, u8 *proto)
3904 {
3905 	u8 nexthdr;
3906 	int ret = -EINVAL, offset;
3907 	struct ipv6hdr _ipv6h, *ip6;
3908 	__be16 frag_off;
3909 
3910 	offset = skb_network_offset(skb);
3911 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3912 	if (ip6 == NULL)
3913 		goto out;
3914 
3915 	ad->u.net->v6info.saddr = ip6->saddr;
3916 	ad->u.net->v6info.daddr = ip6->daddr;
3917 	ret = 0;
3918 
3919 	nexthdr = ip6->nexthdr;
3920 	offset += sizeof(_ipv6h);
3921 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3922 	if (offset < 0)
3923 		goto out;
3924 
3925 	if (proto)
3926 		*proto = nexthdr;
3927 
3928 	switch (nexthdr) {
3929 	case IPPROTO_TCP: {
3930 		struct tcphdr _tcph, *th;
3931 
3932 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3933 		if (th == NULL)
3934 			break;
3935 
3936 		ad->u.net->sport = th->source;
3937 		ad->u.net->dport = th->dest;
3938 		break;
3939 	}
3940 
3941 	case IPPROTO_UDP: {
3942 		struct udphdr _udph, *uh;
3943 
3944 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3945 		if (uh == NULL)
3946 			break;
3947 
3948 		ad->u.net->sport = uh->source;
3949 		ad->u.net->dport = uh->dest;
3950 		break;
3951 	}
3952 
3953 	case IPPROTO_DCCP: {
3954 		struct dccp_hdr _dccph, *dh;
3955 
3956 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3957 		if (dh == NULL)
3958 			break;
3959 
3960 		ad->u.net->sport = dh->dccph_sport;
3961 		ad->u.net->dport = dh->dccph_dport;
3962 		break;
3963 	}
3964 
3965 	/* includes fragments */
3966 	default:
3967 		break;
3968 	}
3969 out:
3970 	return ret;
3971 }
3972 
3973 #endif /* IPV6 */
3974 
3975 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3976 			     char **_addrp, int src, u8 *proto)
3977 {
3978 	char *addrp;
3979 	int ret;
3980 
3981 	switch (ad->u.net->family) {
3982 	case PF_INET:
3983 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
3984 		if (ret)
3985 			goto parse_error;
3986 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3987 				       &ad->u.net->v4info.daddr);
3988 		goto okay;
3989 
3990 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3991 	case PF_INET6:
3992 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
3993 		if (ret)
3994 			goto parse_error;
3995 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3996 				       &ad->u.net->v6info.daddr);
3997 		goto okay;
3998 #endif	/* IPV6 */
3999 	default:
4000 		addrp = NULL;
4001 		goto okay;
4002 	}
4003 
4004 parse_error:
4005 	printk(KERN_WARNING
4006 	       "SELinux: failure in selinux_parse_skb(),"
4007 	       " unable to parse packet\n");
4008 	return ret;
4009 
4010 okay:
4011 	if (_addrp)
4012 		*_addrp = addrp;
4013 	return 0;
4014 }
4015 
4016 /**
4017  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4018  * @skb: the packet
4019  * @family: protocol family
4020  * @sid: the packet's peer label SID
4021  *
4022  * Description:
4023  * Check the various different forms of network peer labeling and determine
4024  * the peer label/SID for the packet; most of the magic actually occurs in
4025  * the security server function security_net_peersid_cmp().  The function
4026  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4027  * or -EACCES if @sid is invalid due to inconsistencies with the different
4028  * peer labels.
4029  *
4030  */
4031 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4032 {
4033 	int err;
4034 	u32 xfrm_sid;
4035 	u32 nlbl_sid;
4036 	u32 nlbl_type;
4037 
4038 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4039 	if (unlikely(err))
4040 		return -EACCES;
4041 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4042 	if (unlikely(err))
4043 		return -EACCES;
4044 
4045 	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4046 	if (unlikely(err)) {
4047 		printk(KERN_WARNING
4048 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4049 		       " unable to determine packet's peer label\n");
4050 		return -EACCES;
4051 	}
4052 
4053 	return 0;
4054 }
4055 
4056 /**
4057  * selinux_conn_sid - Determine the child socket label for a connection
4058  * @sk_sid: the parent socket's SID
4059  * @skb_sid: the packet's SID
4060  * @conn_sid: the resulting connection SID
4061  *
4062  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4063  * combined with the MLS information from @skb_sid in order to create
4064  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4065  * of @sk_sid.  Returns zero on success, negative values on failure.
4066  *
4067  */
4068 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4069 {
4070 	int err = 0;
4071 
4072 	if (skb_sid != SECSID_NULL)
4073 		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4074 	else
4075 		*conn_sid = sk_sid;
4076 
4077 	return err;
4078 }
4079 
4080 /* socket security operations */
4081 
4082 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4083 				 u16 secclass, u32 *socksid)
4084 {
4085 	if (tsec->sockcreate_sid > SECSID_NULL) {
4086 		*socksid = tsec->sockcreate_sid;
4087 		return 0;
4088 	}
4089 
4090 	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4091 				       socksid);
4092 }
4093 
4094 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4095 {
4096 	struct sk_security_struct *sksec = sk->sk_security;
4097 	struct common_audit_data ad;
4098 	struct lsm_network_audit net = {0,};
4099 	u32 tsid = task_sid(task);
4100 
4101 	if (sksec->sid == SECINITSID_KERNEL)
4102 		return 0;
4103 
4104 	ad.type = LSM_AUDIT_DATA_NET;
4105 	ad.u.net = &net;
4106 	ad.u.net->sk = sk;
4107 
4108 	return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4109 }
4110 
4111 static int selinux_socket_create(int family, int type,
4112 				 int protocol, int kern)
4113 {
4114 	const struct task_security_struct *tsec = current_security();
4115 	u32 newsid;
4116 	u16 secclass;
4117 	int rc;
4118 
4119 	if (kern)
4120 		return 0;
4121 
4122 	secclass = socket_type_to_security_class(family, type, protocol);
4123 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4124 	if (rc)
4125 		return rc;
4126 
4127 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4128 }
4129 
4130 static int selinux_socket_post_create(struct socket *sock, int family,
4131 				      int type, int protocol, int kern)
4132 {
4133 	const struct task_security_struct *tsec = current_security();
4134 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4135 	struct sk_security_struct *sksec;
4136 	int err = 0;
4137 
4138 	isec->sclass = socket_type_to_security_class(family, type, protocol);
4139 
4140 	if (kern)
4141 		isec->sid = SECINITSID_KERNEL;
4142 	else {
4143 		err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4144 		if (err)
4145 			return err;
4146 	}
4147 
4148 	isec->initialized = LABEL_INITIALIZED;
4149 
4150 	if (sock->sk) {
4151 		sksec = sock->sk->sk_security;
4152 		sksec->sid = isec->sid;
4153 		sksec->sclass = isec->sclass;
4154 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4155 	}
4156 
4157 	return err;
4158 }
4159 
4160 /* Range of port numbers used to automatically bind.
4161    Need to determine whether we should perform a name_bind
4162    permission check between the socket and the port number. */
4163 
4164 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4165 {
4166 	struct sock *sk = sock->sk;
4167 	u16 family;
4168 	int err;
4169 
4170 	err = sock_has_perm(current, sk, SOCKET__BIND);
4171 	if (err)
4172 		goto out;
4173 
4174 	/*
4175 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
4176 	 * Multiple address binding for SCTP is not supported yet: we just
4177 	 * check the first address now.
4178 	 */
4179 	family = sk->sk_family;
4180 	if (family == PF_INET || family == PF_INET6) {
4181 		char *addrp;
4182 		struct sk_security_struct *sksec = sk->sk_security;
4183 		struct common_audit_data ad;
4184 		struct lsm_network_audit net = {0,};
4185 		struct sockaddr_in *addr4 = NULL;
4186 		struct sockaddr_in6 *addr6 = NULL;
4187 		unsigned short snum;
4188 		u32 sid, node_perm;
4189 
4190 		if (family == PF_INET) {
4191 			addr4 = (struct sockaddr_in *)address;
4192 			snum = ntohs(addr4->sin_port);
4193 			addrp = (char *)&addr4->sin_addr.s_addr;
4194 		} else {
4195 			addr6 = (struct sockaddr_in6 *)address;
4196 			snum = ntohs(addr6->sin6_port);
4197 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4198 		}
4199 
4200 		if (snum) {
4201 			int low, high;
4202 
4203 			inet_get_local_port_range(sock_net(sk), &low, &high);
4204 
4205 			if (snum < max(PROT_SOCK, low) || snum > high) {
4206 				err = sel_netport_sid(sk->sk_protocol,
4207 						      snum, &sid);
4208 				if (err)
4209 					goto out;
4210 				ad.type = LSM_AUDIT_DATA_NET;
4211 				ad.u.net = &net;
4212 				ad.u.net->sport = htons(snum);
4213 				ad.u.net->family = family;
4214 				err = avc_has_perm(sksec->sid, sid,
4215 						   sksec->sclass,
4216 						   SOCKET__NAME_BIND, &ad);
4217 				if (err)
4218 					goto out;
4219 			}
4220 		}
4221 
4222 		switch (sksec->sclass) {
4223 		case SECCLASS_TCP_SOCKET:
4224 			node_perm = TCP_SOCKET__NODE_BIND;
4225 			break;
4226 
4227 		case SECCLASS_UDP_SOCKET:
4228 			node_perm = UDP_SOCKET__NODE_BIND;
4229 			break;
4230 
4231 		case SECCLASS_DCCP_SOCKET:
4232 			node_perm = DCCP_SOCKET__NODE_BIND;
4233 			break;
4234 
4235 		default:
4236 			node_perm = RAWIP_SOCKET__NODE_BIND;
4237 			break;
4238 		}
4239 
4240 		err = sel_netnode_sid(addrp, family, &sid);
4241 		if (err)
4242 			goto out;
4243 
4244 		ad.type = LSM_AUDIT_DATA_NET;
4245 		ad.u.net = &net;
4246 		ad.u.net->sport = htons(snum);
4247 		ad.u.net->family = family;
4248 
4249 		if (family == PF_INET)
4250 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4251 		else
4252 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4253 
4254 		err = avc_has_perm(sksec->sid, sid,
4255 				   sksec->sclass, node_perm, &ad);
4256 		if (err)
4257 			goto out;
4258 	}
4259 out:
4260 	return err;
4261 }
4262 
4263 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4264 {
4265 	struct sock *sk = sock->sk;
4266 	struct sk_security_struct *sksec = sk->sk_security;
4267 	int err;
4268 
4269 	err = sock_has_perm(current, sk, SOCKET__CONNECT);
4270 	if (err)
4271 		return err;
4272 
4273 	/*
4274 	 * If a TCP or DCCP socket, check name_connect permission for the port.
4275 	 */
4276 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4277 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
4278 		struct common_audit_data ad;
4279 		struct lsm_network_audit net = {0,};
4280 		struct sockaddr_in *addr4 = NULL;
4281 		struct sockaddr_in6 *addr6 = NULL;
4282 		unsigned short snum;
4283 		u32 sid, perm;
4284 
4285 		if (sk->sk_family == PF_INET) {
4286 			addr4 = (struct sockaddr_in *)address;
4287 			if (addrlen < sizeof(struct sockaddr_in))
4288 				return -EINVAL;
4289 			snum = ntohs(addr4->sin_port);
4290 		} else {
4291 			addr6 = (struct sockaddr_in6 *)address;
4292 			if (addrlen < SIN6_LEN_RFC2133)
4293 				return -EINVAL;
4294 			snum = ntohs(addr6->sin6_port);
4295 		}
4296 
4297 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4298 		if (err)
4299 			goto out;
4300 
4301 		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4302 		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4303 
4304 		ad.type = LSM_AUDIT_DATA_NET;
4305 		ad.u.net = &net;
4306 		ad.u.net->dport = htons(snum);
4307 		ad.u.net->family = sk->sk_family;
4308 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4309 		if (err)
4310 			goto out;
4311 	}
4312 
4313 	err = selinux_netlbl_socket_connect(sk, address);
4314 
4315 out:
4316 	return err;
4317 }
4318 
4319 static int selinux_socket_listen(struct socket *sock, int backlog)
4320 {
4321 	return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4322 }
4323 
4324 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4325 {
4326 	int err;
4327 	struct inode_security_struct *isec;
4328 	struct inode_security_struct *newisec;
4329 
4330 	err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4331 	if (err)
4332 		return err;
4333 
4334 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4335 
4336 	isec = inode_security_novalidate(SOCK_INODE(sock));
4337 	newisec->sclass = isec->sclass;
4338 	newisec->sid = isec->sid;
4339 	newisec->initialized = LABEL_INITIALIZED;
4340 
4341 	return 0;
4342 }
4343 
4344 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4345 				  int size)
4346 {
4347 	return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4348 }
4349 
4350 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4351 				  int size, int flags)
4352 {
4353 	return sock_has_perm(current, sock->sk, SOCKET__READ);
4354 }
4355 
4356 static int selinux_socket_getsockname(struct socket *sock)
4357 {
4358 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4359 }
4360 
4361 static int selinux_socket_getpeername(struct socket *sock)
4362 {
4363 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4364 }
4365 
4366 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4367 {
4368 	int err;
4369 
4370 	err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4371 	if (err)
4372 		return err;
4373 
4374 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4375 }
4376 
4377 static int selinux_socket_getsockopt(struct socket *sock, int level,
4378 				     int optname)
4379 {
4380 	return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4381 }
4382 
4383 static int selinux_socket_shutdown(struct socket *sock, int how)
4384 {
4385 	return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4386 }
4387 
4388 static int selinux_socket_unix_stream_connect(struct sock *sock,
4389 					      struct sock *other,
4390 					      struct sock *newsk)
4391 {
4392 	struct sk_security_struct *sksec_sock = sock->sk_security;
4393 	struct sk_security_struct *sksec_other = other->sk_security;
4394 	struct sk_security_struct *sksec_new = newsk->sk_security;
4395 	struct common_audit_data ad;
4396 	struct lsm_network_audit net = {0,};
4397 	int err;
4398 
4399 	ad.type = LSM_AUDIT_DATA_NET;
4400 	ad.u.net = &net;
4401 	ad.u.net->sk = other;
4402 
4403 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4404 			   sksec_other->sclass,
4405 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4406 	if (err)
4407 		return err;
4408 
4409 	/* server child socket */
4410 	sksec_new->peer_sid = sksec_sock->sid;
4411 	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4412 				    &sksec_new->sid);
4413 	if (err)
4414 		return err;
4415 
4416 	/* connecting socket */
4417 	sksec_sock->peer_sid = sksec_new->sid;
4418 
4419 	return 0;
4420 }
4421 
4422 static int selinux_socket_unix_may_send(struct socket *sock,
4423 					struct socket *other)
4424 {
4425 	struct sk_security_struct *ssec = sock->sk->sk_security;
4426 	struct sk_security_struct *osec = other->sk->sk_security;
4427 	struct common_audit_data ad;
4428 	struct lsm_network_audit net = {0,};
4429 
4430 	ad.type = LSM_AUDIT_DATA_NET;
4431 	ad.u.net = &net;
4432 	ad.u.net->sk = other->sk;
4433 
4434 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4435 			    &ad);
4436 }
4437 
4438 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4439 				    char *addrp, u16 family, u32 peer_sid,
4440 				    struct common_audit_data *ad)
4441 {
4442 	int err;
4443 	u32 if_sid;
4444 	u32 node_sid;
4445 
4446 	err = sel_netif_sid(ns, ifindex, &if_sid);
4447 	if (err)
4448 		return err;
4449 	err = avc_has_perm(peer_sid, if_sid,
4450 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4451 	if (err)
4452 		return err;
4453 
4454 	err = sel_netnode_sid(addrp, family, &node_sid);
4455 	if (err)
4456 		return err;
4457 	return avc_has_perm(peer_sid, node_sid,
4458 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4459 }
4460 
4461 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4462 				       u16 family)
4463 {
4464 	int err = 0;
4465 	struct sk_security_struct *sksec = sk->sk_security;
4466 	u32 sk_sid = sksec->sid;
4467 	struct common_audit_data ad;
4468 	struct lsm_network_audit net = {0,};
4469 	char *addrp;
4470 
4471 	ad.type = LSM_AUDIT_DATA_NET;
4472 	ad.u.net = &net;
4473 	ad.u.net->netif = skb->skb_iif;
4474 	ad.u.net->family = family;
4475 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4476 	if (err)
4477 		return err;
4478 
4479 	if (selinux_secmark_enabled()) {
4480 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4481 				   PACKET__RECV, &ad);
4482 		if (err)
4483 			return err;
4484 	}
4485 
4486 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4487 	if (err)
4488 		return err;
4489 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4490 
4491 	return err;
4492 }
4493 
4494 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4495 {
4496 	int err;
4497 	struct sk_security_struct *sksec = sk->sk_security;
4498 	u16 family = sk->sk_family;
4499 	u32 sk_sid = sksec->sid;
4500 	struct common_audit_data ad;
4501 	struct lsm_network_audit net = {0,};
4502 	char *addrp;
4503 	u8 secmark_active;
4504 	u8 peerlbl_active;
4505 
4506 	if (family != PF_INET && family != PF_INET6)
4507 		return 0;
4508 
4509 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4510 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4511 		family = PF_INET;
4512 
4513 	/* If any sort of compatibility mode is enabled then handoff processing
4514 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4515 	 * special handling.  We do this in an attempt to keep this function
4516 	 * as fast and as clean as possible. */
4517 	if (!selinux_policycap_netpeer)
4518 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4519 
4520 	secmark_active = selinux_secmark_enabled();
4521 	peerlbl_active = selinux_peerlbl_enabled();
4522 	if (!secmark_active && !peerlbl_active)
4523 		return 0;
4524 
4525 	ad.type = LSM_AUDIT_DATA_NET;
4526 	ad.u.net = &net;
4527 	ad.u.net->netif = skb->skb_iif;
4528 	ad.u.net->family = family;
4529 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4530 	if (err)
4531 		return err;
4532 
4533 	if (peerlbl_active) {
4534 		u32 peer_sid;
4535 
4536 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4537 		if (err)
4538 			return err;
4539 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4540 					       addrp, family, peer_sid, &ad);
4541 		if (err) {
4542 			selinux_netlbl_err(skb, err, 0);
4543 			return err;
4544 		}
4545 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4546 				   PEER__RECV, &ad);
4547 		if (err) {
4548 			selinux_netlbl_err(skb, err, 0);
4549 			return err;
4550 		}
4551 	}
4552 
4553 	if (secmark_active) {
4554 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4555 				   PACKET__RECV, &ad);
4556 		if (err)
4557 			return err;
4558 	}
4559 
4560 	return err;
4561 }
4562 
4563 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4564 					    int __user *optlen, unsigned len)
4565 {
4566 	int err = 0;
4567 	char *scontext;
4568 	u32 scontext_len;
4569 	struct sk_security_struct *sksec = sock->sk->sk_security;
4570 	u32 peer_sid = SECSID_NULL;
4571 
4572 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4573 	    sksec->sclass == SECCLASS_TCP_SOCKET)
4574 		peer_sid = sksec->peer_sid;
4575 	if (peer_sid == SECSID_NULL)
4576 		return -ENOPROTOOPT;
4577 
4578 	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4579 	if (err)
4580 		return err;
4581 
4582 	if (scontext_len > len) {
4583 		err = -ERANGE;
4584 		goto out_len;
4585 	}
4586 
4587 	if (copy_to_user(optval, scontext, scontext_len))
4588 		err = -EFAULT;
4589 
4590 out_len:
4591 	if (put_user(scontext_len, optlen))
4592 		err = -EFAULT;
4593 	kfree(scontext);
4594 	return err;
4595 }
4596 
4597 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4598 {
4599 	u32 peer_secid = SECSID_NULL;
4600 	u16 family;
4601 
4602 	if (skb && skb->protocol == htons(ETH_P_IP))
4603 		family = PF_INET;
4604 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4605 		family = PF_INET6;
4606 	else if (sock)
4607 		family = sock->sk->sk_family;
4608 	else
4609 		goto out;
4610 
4611 	if (sock && family == PF_UNIX)
4612 		selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4613 	else if (skb)
4614 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4615 
4616 out:
4617 	*secid = peer_secid;
4618 	if (peer_secid == SECSID_NULL)
4619 		return -EINVAL;
4620 	return 0;
4621 }
4622 
4623 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4624 {
4625 	struct sk_security_struct *sksec;
4626 
4627 	sksec = kzalloc(sizeof(*sksec), priority);
4628 	if (!sksec)
4629 		return -ENOMEM;
4630 
4631 	sksec->peer_sid = SECINITSID_UNLABELED;
4632 	sksec->sid = SECINITSID_UNLABELED;
4633 	sksec->sclass = SECCLASS_SOCKET;
4634 	selinux_netlbl_sk_security_reset(sksec);
4635 	sk->sk_security = sksec;
4636 
4637 	return 0;
4638 }
4639 
4640 static void selinux_sk_free_security(struct sock *sk)
4641 {
4642 	struct sk_security_struct *sksec = sk->sk_security;
4643 
4644 	sk->sk_security = NULL;
4645 	selinux_netlbl_sk_security_free(sksec);
4646 	kfree(sksec);
4647 }
4648 
4649 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4650 {
4651 	struct sk_security_struct *sksec = sk->sk_security;
4652 	struct sk_security_struct *newsksec = newsk->sk_security;
4653 
4654 	newsksec->sid = sksec->sid;
4655 	newsksec->peer_sid = sksec->peer_sid;
4656 	newsksec->sclass = sksec->sclass;
4657 
4658 	selinux_netlbl_sk_security_reset(newsksec);
4659 }
4660 
4661 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4662 {
4663 	if (!sk)
4664 		*secid = SECINITSID_ANY_SOCKET;
4665 	else {
4666 		struct sk_security_struct *sksec = sk->sk_security;
4667 
4668 		*secid = sksec->sid;
4669 	}
4670 }
4671 
4672 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4673 {
4674 	struct inode_security_struct *isec =
4675 		inode_security_novalidate(SOCK_INODE(parent));
4676 	struct sk_security_struct *sksec = sk->sk_security;
4677 
4678 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4679 	    sk->sk_family == PF_UNIX)
4680 		isec->sid = sksec->sid;
4681 	sksec->sclass = isec->sclass;
4682 }
4683 
4684 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4685 				     struct request_sock *req)
4686 {
4687 	struct sk_security_struct *sksec = sk->sk_security;
4688 	int err;
4689 	u16 family = req->rsk_ops->family;
4690 	u32 connsid;
4691 	u32 peersid;
4692 
4693 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4694 	if (err)
4695 		return err;
4696 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4697 	if (err)
4698 		return err;
4699 	req->secid = connsid;
4700 	req->peer_secid = peersid;
4701 
4702 	return selinux_netlbl_inet_conn_request(req, family);
4703 }
4704 
4705 static void selinux_inet_csk_clone(struct sock *newsk,
4706 				   const struct request_sock *req)
4707 {
4708 	struct sk_security_struct *newsksec = newsk->sk_security;
4709 
4710 	newsksec->sid = req->secid;
4711 	newsksec->peer_sid = req->peer_secid;
4712 	/* NOTE: Ideally, we should also get the isec->sid for the
4713 	   new socket in sync, but we don't have the isec available yet.
4714 	   So we will wait until sock_graft to do it, by which
4715 	   time it will have been created and available. */
4716 
4717 	/* We don't need to take any sort of lock here as we are the only
4718 	 * thread with access to newsksec */
4719 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4720 }
4721 
4722 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4723 {
4724 	u16 family = sk->sk_family;
4725 	struct sk_security_struct *sksec = sk->sk_security;
4726 
4727 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4728 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4729 		family = PF_INET;
4730 
4731 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4732 }
4733 
4734 static int selinux_secmark_relabel_packet(u32 sid)
4735 {
4736 	const struct task_security_struct *__tsec;
4737 	u32 tsid;
4738 
4739 	__tsec = current_security();
4740 	tsid = __tsec->sid;
4741 
4742 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4743 }
4744 
4745 static void selinux_secmark_refcount_inc(void)
4746 {
4747 	atomic_inc(&selinux_secmark_refcount);
4748 }
4749 
4750 static void selinux_secmark_refcount_dec(void)
4751 {
4752 	atomic_dec(&selinux_secmark_refcount);
4753 }
4754 
4755 static void selinux_req_classify_flow(const struct request_sock *req,
4756 				      struct flowi *fl)
4757 {
4758 	fl->flowi_secid = req->secid;
4759 }
4760 
4761 static int selinux_tun_dev_alloc_security(void **security)
4762 {
4763 	struct tun_security_struct *tunsec;
4764 
4765 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4766 	if (!tunsec)
4767 		return -ENOMEM;
4768 	tunsec->sid = current_sid();
4769 
4770 	*security = tunsec;
4771 	return 0;
4772 }
4773 
4774 static void selinux_tun_dev_free_security(void *security)
4775 {
4776 	kfree(security);
4777 }
4778 
4779 static int selinux_tun_dev_create(void)
4780 {
4781 	u32 sid = current_sid();
4782 
4783 	/* we aren't taking into account the "sockcreate" SID since the socket
4784 	 * that is being created here is not a socket in the traditional sense,
4785 	 * instead it is a private sock, accessible only to the kernel, and
4786 	 * representing a wide range of network traffic spanning multiple
4787 	 * connections unlike traditional sockets - check the TUN driver to
4788 	 * get a better understanding of why this socket is special */
4789 
4790 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4791 			    NULL);
4792 }
4793 
4794 static int selinux_tun_dev_attach_queue(void *security)
4795 {
4796 	struct tun_security_struct *tunsec = security;
4797 
4798 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4799 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
4800 }
4801 
4802 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4803 {
4804 	struct tun_security_struct *tunsec = security;
4805 	struct sk_security_struct *sksec = sk->sk_security;
4806 
4807 	/* we don't currently perform any NetLabel based labeling here and it
4808 	 * isn't clear that we would want to do so anyway; while we could apply
4809 	 * labeling without the support of the TUN user the resulting labeled
4810 	 * traffic from the other end of the connection would almost certainly
4811 	 * cause confusion to the TUN user that had no idea network labeling
4812 	 * protocols were being used */
4813 
4814 	sksec->sid = tunsec->sid;
4815 	sksec->sclass = SECCLASS_TUN_SOCKET;
4816 
4817 	return 0;
4818 }
4819 
4820 static int selinux_tun_dev_open(void *security)
4821 {
4822 	struct tun_security_struct *tunsec = security;
4823 	u32 sid = current_sid();
4824 	int err;
4825 
4826 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4827 			   TUN_SOCKET__RELABELFROM, NULL);
4828 	if (err)
4829 		return err;
4830 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4831 			   TUN_SOCKET__RELABELTO, NULL);
4832 	if (err)
4833 		return err;
4834 	tunsec->sid = sid;
4835 
4836 	return 0;
4837 }
4838 
4839 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4840 {
4841 	int err = 0;
4842 	u32 perm;
4843 	struct nlmsghdr *nlh;
4844 	struct sk_security_struct *sksec = sk->sk_security;
4845 
4846 	if (skb->len < NLMSG_HDRLEN) {
4847 		err = -EINVAL;
4848 		goto out;
4849 	}
4850 	nlh = nlmsg_hdr(skb);
4851 
4852 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4853 	if (err) {
4854 		if (err == -EINVAL) {
4855 			pr_warn_ratelimited("SELinux: unrecognized netlink"
4856 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
4857 			       " pig=%d comm=%s\n",
4858 			       sk->sk_protocol, nlh->nlmsg_type,
4859 			       secclass_map[sksec->sclass - 1].name,
4860 			       task_pid_nr(current), current->comm);
4861 			if (!selinux_enforcing || security_get_allow_unknown())
4862 				err = 0;
4863 		}
4864 
4865 		/* Ignore */
4866 		if (err == -ENOENT)
4867 			err = 0;
4868 		goto out;
4869 	}
4870 
4871 	err = sock_has_perm(current, sk, perm);
4872 out:
4873 	return err;
4874 }
4875 
4876 #ifdef CONFIG_NETFILTER
4877 
4878 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4879 				       const struct net_device *indev,
4880 				       u16 family)
4881 {
4882 	int err;
4883 	char *addrp;
4884 	u32 peer_sid;
4885 	struct common_audit_data ad;
4886 	struct lsm_network_audit net = {0,};
4887 	u8 secmark_active;
4888 	u8 netlbl_active;
4889 	u8 peerlbl_active;
4890 
4891 	if (!selinux_policycap_netpeer)
4892 		return NF_ACCEPT;
4893 
4894 	secmark_active = selinux_secmark_enabled();
4895 	netlbl_active = netlbl_enabled();
4896 	peerlbl_active = selinux_peerlbl_enabled();
4897 	if (!secmark_active && !peerlbl_active)
4898 		return NF_ACCEPT;
4899 
4900 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4901 		return NF_DROP;
4902 
4903 	ad.type = LSM_AUDIT_DATA_NET;
4904 	ad.u.net = &net;
4905 	ad.u.net->netif = indev->ifindex;
4906 	ad.u.net->family = family;
4907 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4908 		return NF_DROP;
4909 
4910 	if (peerlbl_active) {
4911 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4912 					       addrp, family, peer_sid, &ad);
4913 		if (err) {
4914 			selinux_netlbl_err(skb, err, 1);
4915 			return NF_DROP;
4916 		}
4917 	}
4918 
4919 	if (secmark_active)
4920 		if (avc_has_perm(peer_sid, skb->secmark,
4921 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4922 			return NF_DROP;
4923 
4924 	if (netlbl_active)
4925 		/* we do this in the FORWARD path and not the POST_ROUTING
4926 		 * path because we want to make sure we apply the necessary
4927 		 * labeling before IPsec is applied so we can leverage AH
4928 		 * protection */
4929 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4930 			return NF_DROP;
4931 
4932 	return NF_ACCEPT;
4933 }
4934 
4935 static unsigned int selinux_ipv4_forward(void *priv,
4936 					 struct sk_buff *skb,
4937 					 const struct nf_hook_state *state)
4938 {
4939 	return selinux_ip_forward(skb, state->in, PF_INET);
4940 }
4941 
4942 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4943 static unsigned int selinux_ipv6_forward(void *priv,
4944 					 struct sk_buff *skb,
4945 					 const struct nf_hook_state *state)
4946 {
4947 	return selinux_ip_forward(skb, state->in, PF_INET6);
4948 }
4949 #endif	/* IPV6 */
4950 
4951 static unsigned int selinux_ip_output(struct sk_buff *skb,
4952 				      u16 family)
4953 {
4954 	struct sock *sk;
4955 	u32 sid;
4956 
4957 	if (!netlbl_enabled())
4958 		return NF_ACCEPT;
4959 
4960 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4961 	 * because we want to make sure we apply the necessary labeling
4962 	 * before IPsec is applied so we can leverage AH protection */
4963 	sk = skb->sk;
4964 	if (sk) {
4965 		struct sk_security_struct *sksec;
4966 
4967 		if (sk_listener(sk))
4968 			/* if the socket is the listening state then this
4969 			 * packet is a SYN-ACK packet which means it needs to
4970 			 * be labeled based on the connection/request_sock and
4971 			 * not the parent socket.  unfortunately, we can't
4972 			 * lookup the request_sock yet as it isn't queued on
4973 			 * the parent socket until after the SYN-ACK is sent.
4974 			 * the "solution" is to simply pass the packet as-is
4975 			 * as any IP option based labeling should be copied
4976 			 * from the initial connection request (in the IP
4977 			 * layer).  it is far from ideal, but until we get a
4978 			 * security label in the packet itself this is the
4979 			 * best we can do. */
4980 			return NF_ACCEPT;
4981 
4982 		/* standard practice, label using the parent socket */
4983 		sksec = sk->sk_security;
4984 		sid = sksec->sid;
4985 	} else
4986 		sid = SECINITSID_KERNEL;
4987 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4988 		return NF_DROP;
4989 
4990 	return NF_ACCEPT;
4991 }
4992 
4993 static unsigned int selinux_ipv4_output(void *priv,
4994 					struct sk_buff *skb,
4995 					const struct nf_hook_state *state)
4996 {
4997 	return selinux_ip_output(skb, PF_INET);
4998 }
4999 
5000 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5001 						int ifindex,
5002 						u16 family)
5003 {
5004 	struct sock *sk = skb_to_full_sk(skb);
5005 	struct sk_security_struct *sksec;
5006 	struct common_audit_data ad;
5007 	struct lsm_network_audit net = {0,};
5008 	char *addrp;
5009 	u8 proto;
5010 
5011 	if (sk == NULL)
5012 		return NF_ACCEPT;
5013 	sksec = sk->sk_security;
5014 
5015 	ad.type = LSM_AUDIT_DATA_NET;
5016 	ad.u.net = &net;
5017 	ad.u.net->netif = ifindex;
5018 	ad.u.net->family = family;
5019 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5020 		return NF_DROP;
5021 
5022 	if (selinux_secmark_enabled())
5023 		if (avc_has_perm(sksec->sid, skb->secmark,
5024 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5025 			return NF_DROP_ERR(-ECONNREFUSED);
5026 
5027 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5028 		return NF_DROP_ERR(-ECONNREFUSED);
5029 
5030 	return NF_ACCEPT;
5031 }
5032 
5033 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5034 					 const struct net_device *outdev,
5035 					 u16 family)
5036 {
5037 	u32 secmark_perm;
5038 	u32 peer_sid;
5039 	int ifindex = outdev->ifindex;
5040 	struct sock *sk;
5041 	struct common_audit_data ad;
5042 	struct lsm_network_audit net = {0,};
5043 	char *addrp;
5044 	u8 secmark_active;
5045 	u8 peerlbl_active;
5046 
5047 	/* If any sort of compatibility mode is enabled then handoff processing
5048 	 * to the selinux_ip_postroute_compat() function to deal with the
5049 	 * special handling.  We do this in an attempt to keep this function
5050 	 * as fast and as clean as possible. */
5051 	if (!selinux_policycap_netpeer)
5052 		return selinux_ip_postroute_compat(skb, ifindex, family);
5053 
5054 	secmark_active = selinux_secmark_enabled();
5055 	peerlbl_active = selinux_peerlbl_enabled();
5056 	if (!secmark_active && !peerlbl_active)
5057 		return NF_ACCEPT;
5058 
5059 	sk = skb_to_full_sk(skb);
5060 
5061 #ifdef CONFIG_XFRM
5062 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5063 	 * packet transformation so allow the packet to pass without any checks
5064 	 * since we'll have another chance to perform access control checks
5065 	 * when the packet is on it's final way out.
5066 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5067 	 *       is NULL, in this case go ahead and apply access control.
5068 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5069 	 *       TCP listening state we cannot wait until the XFRM processing
5070 	 *       is done as we will miss out on the SA label if we do;
5071 	 *       unfortunately, this means more work, but it is only once per
5072 	 *       connection. */
5073 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5074 	    !(sk && sk_listener(sk)))
5075 		return NF_ACCEPT;
5076 #endif
5077 
5078 	if (sk == NULL) {
5079 		/* Without an associated socket the packet is either coming
5080 		 * from the kernel or it is being forwarded; check the packet
5081 		 * to determine which and if the packet is being forwarded
5082 		 * query the packet directly to determine the security label. */
5083 		if (skb->skb_iif) {
5084 			secmark_perm = PACKET__FORWARD_OUT;
5085 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5086 				return NF_DROP;
5087 		} else {
5088 			secmark_perm = PACKET__SEND;
5089 			peer_sid = SECINITSID_KERNEL;
5090 		}
5091 	} else if (sk_listener(sk)) {
5092 		/* Locally generated packet but the associated socket is in the
5093 		 * listening state which means this is a SYN-ACK packet.  In
5094 		 * this particular case the correct security label is assigned
5095 		 * to the connection/request_sock but unfortunately we can't
5096 		 * query the request_sock as it isn't queued on the parent
5097 		 * socket until after the SYN-ACK packet is sent; the only
5098 		 * viable choice is to regenerate the label like we do in
5099 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5100 		 * for similar problems. */
5101 		u32 skb_sid;
5102 		struct sk_security_struct *sksec;
5103 
5104 		sksec = sk->sk_security;
5105 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5106 			return NF_DROP;
5107 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5108 		 * and the packet has been through at least one XFRM
5109 		 * transformation then we must be dealing with the "final"
5110 		 * form of labeled IPsec packet; since we've already applied
5111 		 * all of our access controls on this packet we can safely
5112 		 * pass the packet. */
5113 		if (skb_sid == SECSID_NULL) {
5114 			switch (family) {
5115 			case PF_INET:
5116 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5117 					return NF_ACCEPT;
5118 				break;
5119 			case PF_INET6:
5120 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5121 					return NF_ACCEPT;
5122 				break;
5123 			default:
5124 				return NF_DROP_ERR(-ECONNREFUSED);
5125 			}
5126 		}
5127 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5128 			return NF_DROP;
5129 		secmark_perm = PACKET__SEND;
5130 	} else {
5131 		/* Locally generated packet, fetch the security label from the
5132 		 * associated socket. */
5133 		struct sk_security_struct *sksec = sk->sk_security;
5134 		peer_sid = sksec->sid;
5135 		secmark_perm = PACKET__SEND;
5136 	}
5137 
5138 	ad.type = LSM_AUDIT_DATA_NET;
5139 	ad.u.net = &net;
5140 	ad.u.net->netif = ifindex;
5141 	ad.u.net->family = family;
5142 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5143 		return NF_DROP;
5144 
5145 	if (secmark_active)
5146 		if (avc_has_perm(peer_sid, skb->secmark,
5147 				 SECCLASS_PACKET, secmark_perm, &ad))
5148 			return NF_DROP_ERR(-ECONNREFUSED);
5149 
5150 	if (peerlbl_active) {
5151 		u32 if_sid;
5152 		u32 node_sid;
5153 
5154 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5155 			return NF_DROP;
5156 		if (avc_has_perm(peer_sid, if_sid,
5157 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5158 			return NF_DROP_ERR(-ECONNREFUSED);
5159 
5160 		if (sel_netnode_sid(addrp, family, &node_sid))
5161 			return NF_DROP;
5162 		if (avc_has_perm(peer_sid, node_sid,
5163 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5164 			return NF_DROP_ERR(-ECONNREFUSED);
5165 	}
5166 
5167 	return NF_ACCEPT;
5168 }
5169 
5170 static unsigned int selinux_ipv4_postroute(void *priv,
5171 					   struct sk_buff *skb,
5172 					   const struct nf_hook_state *state)
5173 {
5174 	return selinux_ip_postroute(skb, state->out, PF_INET);
5175 }
5176 
5177 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5178 static unsigned int selinux_ipv6_postroute(void *priv,
5179 					   struct sk_buff *skb,
5180 					   const struct nf_hook_state *state)
5181 {
5182 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5183 }
5184 #endif	/* IPV6 */
5185 
5186 #endif	/* CONFIG_NETFILTER */
5187 
5188 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5189 {
5190 	return selinux_nlmsg_perm(sk, skb);
5191 }
5192 
5193 static int ipc_alloc_security(struct task_struct *task,
5194 			      struct kern_ipc_perm *perm,
5195 			      u16 sclass)
5196 {
5197 	struct ipc_security_struct *isec;
5198 	u32 sid;
5199 
5200 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5201 	if (!isec)
5202 		return -ENOMEM;
5203 
5204 	sid = task_sid(task);
5205 	isec->sclass = sclass;
5206 	isec->sid = sid;
5207 	perm->security = isec;
5208 
5209 	return 0;
5210 }
5211 
5212 static void ipc_free_security(struct kern_ipc_perm *perm)
5213 {
5214 	struct ipc_security_struct *isec = perm->security;
5215 	perm->security = NULL;
5216 	kfree(isec);
5217 }
5218 
5219 static int msg_msg_alloc_security(struct msg_msg *msg)
5220 {
5221 	struct msg_security_struct *msec;
5222 
5223 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5224 	if (!msec)
5225 		return -ENOMEM;
5226 
5227 	msec->sid = SECINITSID_UNLABELED;
5228 	msg->security = msec;
5229 
5230 	return 0;
5231 }
5232 
5233 static void msg_msg_free_security(struct msg_msg *msg)
5234 {
5235 	struct msg_security_struct *msec = msg->security;
5236 
5237 	msg->security = NULL;
5238 	kfree(msec);
5239 }
5240 
5241 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5242 			u32 perms)
5243 {
5244 	struct ipc_security_struct *isec;
5245 	struct common_audit_data ad;
5246 	u32 sid = current_sid();
5247 
5248 	isec = ipc_perms->security;
5249 
5250 	ad.type = LSM_AUDIT_DATA_IPC;
5251 	ad.u.ipc_id = ipc_perms->key;
5252 
5253 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5254 }
5255 
5256 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5257 {
5258 	return msg_msg_alloc_security(msg);
5259 }
5260 
5261 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5262 {
5263 	msg_msg_free_security(msg);
5264 }
5265 
5266 /* message queue security operations */
5267 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5268 {
5269 	struct ipc_security_struct *isec;
5270 	struct common_audit_data ad;
5271 	u32 sid = current_sid();
5272 	int rc;
5273 
5274 	rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5275 	if (rc)
5276 		return rc;
5277 
5278 	isec = msq->q_perm.security;
5279 
5280 	ad.type = LSM_AUDIT_DATA_IPC;
5281 	ad.u.ipc_id = msq->q_perm.key;
5282 
5283 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5284 			  MSGQ__CREATE, &ad);
5285 	if (rc) {
5286 		ipc_free_security(&msq->q_perm);
5287 		return rc;
5288 	}
5289 	return 0;
5290 }
5291 
5292 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5293 {
5294 	ipc_free_security(&msq->q_perm);
5295 }
5296 
5297 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5298 {
5299 	struct ipc_security_struct *isec;
5300 	struct common_audit_data ad;
5301 	u32 sid = current_sid();
5302 
5303 	isec = msq->q_perm.security;
5304 
5305 	ad.type = LSM_AUDIT_DATA_IPC;
5306 	ad.u.ipc_id = msq->q_perm.key;
5307 
5308 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5309 			    MSGQ__ASSOCIATE, &ad);
5310 }
5311 
5312 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5313 {
5314 	int err;
5315 	int perms;
5316 
5317 	switch (cmd) {
5318 	case IPC_INFO:
5319 	case MSG_INFO:
5320 		/* No specific object, just general system-wide information. */
5321 		return task_has_system(current, SYSTEM__IPC_INFO);
5322 	case IPC_STAT:
5323 	case MSG_STAT:
5324 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5325 		break;
5326 	case IPC_SET:
5327 		perms = MSGQ__SETATTR;
5328 		break;
5329 	case IPC_RMID:
5330 		perms = MSGQ__DESTROY;
5331 		break;
5332 	default:
5333 		return 0;
5334 	}
5335 
5336 	err = ipc_has_perm(&msq->q_perm, perms);
5337 	return err;
5338 }
5339 
5340 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5341 {
5342 	struct ipc_security_struct *isec;
5343 	struct msg_security_struct *msec;
5344 	struct common_audit_data ad;
5345 	u32 sid = current_sid();
5346 	int rc;
5347 
5348 	isec = msq->q_perm.security;
5349 	msec = msg->security;
5350 
5351 	/*
5352 	 * First time through, need to assign label to the message
5353 	 */
5354 	if (msec->sid == SECINITSID_UNLABELED) {
5355 		/*
5356 		 * Compute new sid based on current process and
5357 		 * message queue this message will be stored in
5358 		 */
5359 		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5360 					     NULL, &msec->sid);
5361 		if (rc)
5362 			return rc;
5363 	}
5364 
5365 	ad.type = LSM_AUDIT_DATA_IPC;
5366 	ad.u.ipc_id = msq->q_perm.key;
5367 
5368 	/* Can this process write to the queue? */
5369 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5370 			  MSGQ__WRITE, &ad);
5371 	if (!rc)
5372 		/* Can this process send the message */
5373 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5374 				  MSG__SEND, &ad);
5375 	if (!rc)
5376 		/* Can the message be put in the queue? */
5377 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5378 				  MSGQ__ENQUEUE, &ad);
5379 
5380 	return rc;
5381 }
5382 
5383 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5384 				    struct task_struct *target,
5385 				    long type, int mode)
5386 {
5387 	struct ipc_security_struct *isec;
5388 	struct msg_security_struct *msec;
5389 	struct common_audit_data ad;
5390 	u32 sid = task_sid(target);
5391 	int rc;
5392 
5393 	isec = msq->q_perm.security;
5394 	msec = msg->security;
5395 
5396 	ad.type = LSM_AUDIT_DATA_IPC;
5397 	ad.u.ipc_id = msq->q_perm.key;
5398 
5399 	rc = avc_has_perm(sid, isec->sid,
5400 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
5401 	if (!rc)
5402 		rc = avc_has_perm(sid, msec->sid,
5403 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
5404 	return rc;
5405 }
5406 
5407 /* Shared Memory security operations */
5408 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5409 {
5410 	struct ipc_security_struct *isec;
5411 	struct common_audit_data ad;
5412 	u32 sid = current_sid();
5413 	int rc;
5414 
5415 	rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5416 	if (rc)
5417 		return rc;
5418 
5419 	isec = shp->shm_perm.security;
5420 
5421 	ad.type = LSM_AUDIT_DATA_IPC;
5422 	ad.u.ipc_id = shp->shm_perm.key;
5423 
5424 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5425 			  SHM__CREATE, &ad);
5426 	if (rc) {
5427 		ipc_free_security(&shp->shm_perm);
5428 		return rc;
5429 	}
5430 	return 0;
5431 }
5432 
5433 static void selinux_shm_free_security(struct shmid_kernel *shp)
5434 {
5435 	ipc_free_security(&shp->shm_perm);
5436 }
5437 
5438 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5439 {
5440 	struct ipc_security_struct *isec;
5441 	struct common_audit_data ad;
5442 	u32 sid = current_sid();
5443 
5444 	isec = shp->shm_perm.security;
5445 
5446 	ad.type = LSM_AUDIT_DATA_IPC;
5447 	ad.u.ipc_id = shp->shm_perm.key;
5448 
5449 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5450 			    SHM__ASSOCIATE, &ad);
5451 }
5452 
5453 /* Note, at this point, shp is locked down */
5454 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5455 {
5456 	int perms;
5457 	int err;
5458 
5459 	switch (cmd) {
5460 	case IPC_INFO:
5461 	case SHM_INFO:
5462 		/* No specific object, just general system-wide information. */
5463 		return task_has_system(current, SYSTEM__IPC_INFO);
5464 	case IPC_STAT:
5465 	case SHM_STAT:
5466 		perms = SHM__GETATTR | SHM__ASSOCIATE;
5467 		break;
5468 	case IPC_SET:
5469 		perms = SHM__SETATTR;
5470 		break;
5471 	case SHM_LOCK:
5472 	case SHM_UNLOCK:
5473 		perms = SHM__LOCK;
5474 		break;
5475 	case IPC_RMID:
5476 		perms = SHM__DESTROY;
5477 		break;
5478 	default:
5479 		return 0;
5480 	}
5481 
5482 	err = ipc_has_perm(&shp->shm_perm, perms);
5483 	return err;
5484 }
5485 
5486 static int selinux_shm_shmat(struct shmid_kernel *shp,
5487 			     char __user *shmaddr, int shmflg)
5488 {
5489 	u32 perms;
5490 
5491 	if (shmflg & SHM_RDONLY)
5492 		perms = SHM__READ;
5493 	else
5494 		perms = SHM__READ | SHM__WRITE;
5495 
5496 	return ipc_has_perm(&shp->shm_perm, perms);
5497 }
5498 
5499 /* Semaphore security operations */
5500 static int selinux_sem_alloc_security(struct sem_array *sma)
5501 {
5502 	struct ipc_security_struct *isec;
5503 	struct common_audit_data ad;
5504 	u32 sid = current_sid();
5505 	int rc;
5506 
5507 	rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5508 	if (rc)
5509 		return rc;
5510 
5511 	isec = sma->sem_perm.security;
5512 
5513 	ad.type = LSM_AUDIT_DATA_IPC;
5514 	ad.u.ipc_id = sma->sem_perm.key;
5515 
5516 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5517 			  SEM__CREATE, &ad);
5518 	if (rc) {
5519 		ipc_free_security(&sma->sem_perm);
5520 		return rc;
5521 	}
5522 	return 0;
5523 }
5524 
5525 static void selinux_sem_free_security(struct sem_array *sma)
5526 {
5527 	ipc_free_security(&sma->sem_perm);
5528 }
5529 
5530 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5531 {
5532 	struct ipc_security_struct *isec;
5533 	struct common_audit_data ad;
5534 	u32 sid = current_sid();
5535 
5536 	isec = sma->sem_perm.security;
5537 
5538 	ad.type = LSM_AUDIT_DATA_IPC;
5539 	ad.u.ipc_id = sma->sem_perm.key;
5540 
5541 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5542 			    SEM__ASSOCIATE, &ad);
5543 }
5544 
5545 /* Note, at this point, sma is locked down */
5546 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5547 {
5548 	int err;
5549 	u32 perms;
5550 
5551 	switch (cmd) {
5552 	case IPC_INFO:
5553 	case SEM_INFO:
5554 		/* No specific object, just general system-wide information. */
5555 		return task_has_system(current, SYSTEM__IPC_INFO);
5556 	case GETPID:
5557 	case GETNCNT:
5558 	case GETZCNT:
5559 		perms = SEM__GETATTR;
5560 		break;
5561 	case GETVAL:
5562 	case GETALL:
5563 		perms = SEM__READ;
5564 		break;
5565 	case SETVAL:
5566 	case SETALL:
5567 		perms = SEM__WRITE;
5568 		break;
5569 	case IPC_RMID:
5570 		perms = SEM__DESTROY;
5571 		break;
5572 	case IPC_SET:
5573 		perms = SEM__SETATTR;
5574 		break;
5575 	case IPC_STAT:
5576 	case SEM_STAT:
5577 		perms = SEM__GETATTR | SEM__ASSOCIATE;
5578 		break;
5579 	default:
5580 		return 0;
5581 	}
5582 
5583 	err = ipc_has_perm(&sma->sem_perm, perms);
5584 	return err;
5585 }
5586 
5587 static int selinux_sem_semop(struct sem_array *sma,
5588 			     struct sembuf *sops, unsigned nsops, int alter)
5589 {
5590 	u32 perms;
5591 
5592 	if (alter)
5593 		perms = SEM__READ | SEM__WRITE;
5594 	else
5595 		perms = SEM__READ;
5596 
5597 	return ipc_has_perm(&sma->sem_perm, perms);
5598 }
5599 
5600 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5601 {
5602 	u32 av = 0;
5603 
5604 	av = 0;
5605 	if (flag & S_IRUGO)
5606 		av |= IPC__UNIX_READ;
5607 	if (flag & S_IWUGO)
5608 		av |= IPC__UNIX_WRITE;
5609 
5610 	if (av == 0)
5611 		return 0;
5612 
5613 	return ipc_has_perm(ipcp, av);
5614 }
5615 
5616 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5617 {
5618 	struct ipc_security_struct *isec = ipcp->security;
5619 	*secid = isec->sid;
5620 }
5621 
5622 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5623 {
5624 	if (inode)
5625 		inode_doinit_with_dentry(inode, dentry);
5626 }
5627 
5628 static int selinux_getprocattr(struct task_struct *p,
5629 			       char *name, char **value)
5630 {
5631 	const struct task_security_struct *__tsec;
5632 	u32 sid;
5633 	int error;
5634 	unsigned len;
5635 
5636 	if (current != p) {
5637 		error = current_has_perm(p, PROCESS__GETATTR);
5638 		if (error)
5639 			return error;
5640 	}
5641 
5642 	rcu_read_lock();
5643 	__tsec = __task_cred(p)->security;
5644 
5645 	if (!strcmp(name, "current"))
5646 		sid = __tsec->sid;
5647 	else if (!strcmp(name, "prev"))
5648 		sid = __tsec->osid;
5649 	else if (!strcmp(name, "exec"))
5650 		sid = __tsec->exec_sid;
5651 	else if (!strcmp(name, "fscreate"))
5652 		sid = __tsec->create_sid;
5653 	else if (!strcmp(name, "keycreate"))
5654 		sid = __tsec->keycreate_sid;
5655 	else if (!strcmp(name, "sockcreate"))
5656 		sid = __tsec->sockcreate_sid;
5657 	else
5658 		goto invalid;
5659 	rcu_read_unlock();
5660 
5661 	if (!sid)
5662 		return 0;
5663 
5664 	error = security_sid_to_context(sid, value, &len);
5665 	if (error)
5666 		return error;
5667 	return len;
5668 
5669 invalid:
5670 	rcu_read_unlock();
5671 	return -EINVAL;
5672 }
5673 
5674 static int selinux_setprocattr(struct task_struct *p,
5675 			       char *name, void *value, size_t size)
5676 {
5677 	struct task_security_struct *tsec;
5678 	struct task_struct *tracer;
5679 	struct cred *new;
5680 	u32 sid = 0, ptsid;
5681 	int error;
5682 	char *str = value;
5683 
5684 	if (current != p) {
5685 		/* SELinux only allows a process to change its own
5686 		   security attributes. */
5687 		return -EACCES;
5688 	}
5689 
5690 	/*
5691 	 * Basic control over ability to set these attributes at all.
5692 	 * current == p, but we'll pass them separately in case the
5693 	 * above restriction is ever removed.
5694 	 */
5695 	if (!strcmp(name, "exec"))
5696 		error = current_has_perm(p, PROCESS__SETEXEC);
5697 	else if (!strcmp(name, "fscreate"))
5698 		error = current_has_perm(p, PROCESS__SETFSCREATE);
5699 	else if (!strcmp(name, "keycreate"))
5700 		error = current_has_perm(p, PROCESS__SETKEYCREATE);
5701 	else if (!strcmp(name, "sockcreate"))
5702 		error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5703 	else if (!strcmp(name, "current"))
5704 		error = current_has_perm(p, PROCESS__SETCURRENT);
5705 	else
5706 		error = -EINVAL;
5707 	if (error)
5708 		return error;
5709 
5710 	/* Obtain a SID for the context, if one was specified. */
5711 	if (size && str[1] && str[1] != '\n') {
5712 		if (str[size-1] == '\n') {
5713 			str[size-1] = 0;
5714 			size--;
5715 		}
5716 		error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5717 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5718 			if (!capable(CAP_MAC_ADMIN)) {
5719 				struct audit_buffer *ab;
5720 				size_t audit_size;
5721 
5722 				/* We strip a nul only if it is at the end, otherwise the
5723 				 * context contains a nul and we should audit that */
5724 				if (str[size - 1] == '\0')
5725 					audit_size = size - 1;
5726 				else
5727 					audit_size = size;
5728 				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5729 				audit_log_format(ab, "op=fscreate invalid_context=");
5730 				audit_log_n_untrustedstring(ab, value, audit_size);
5731 				audit_log_end(ab);
5732 
5733 				return error;
5734 			}
5735 			error = security_context_to_sid_force(value, size,
5736 							      &sid);
5737 		}
5738 		if (error)
5739 			return error;
5740 	}
5741 
5742 	new = prepare_creds();
5743 	if (!new)
5744 		return -ENOMEM;
5745 
5746 	/* Permission checking based on the specified context is
5747 	   performed during the actual operation (execve,
5748 	   open/mkdir/...), when we know the full context of the
5749 	   operation.  See selinux_bprm_set_creds for the execve
5750 	   checks and may_create for the file creation checks. The
5751 	   operation will then fail if the context is not permitted. */
5752 	tsec = new->security;
5753 	if (!strcmp(name, "exec")) {
5754 		tsec->exec_sid = sid;
5755 	} else if (!strcmp(name, "fscreate")) {
5756 		tsec->create_sid = sid;
5757 	} else if (!strcmp(name, "keycreate")) {
5758 		error = may_create_key(sid, p);
5759 		if (error)
5760 			goto abort_change;
5761 		tsec->keycreate_sid = sid;
5762 	} else if (!strcmp(name, "sockcreate")) {
5763 		tsec->sockcreate_sid = sid;
5764 	} else if (!strcmp(name, "current")) {
5765 		error = -EINVAL;
5766 		if (sid == 0)
5767 			goto abort_change;
5768 
5769 		/* Only allow single threaded processes to change context */
5770 		error = -EPERM;
5771 		if (!current_is_single_threaded()) {
5772 			error = security_bounded_transition(tsec->sid, sid);
5773 			if (error)
5774 				goto abort_change;
5775 		}
5776 
5777 		/* Check permissions for the transition. */
5778 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5779 				     PROCESS__DYNTRANSITION, NULL);
5780 		if (error)
5781 			goto abort_change;
5782 
5783 		/* Check for ptracing, and update the task SID if ok.
5784 		   Otherwise, leave SID unchanged and fail. */
5785 		ptsid = 0;
5786 		rcu_read_lock();
5787 		tracer = ptrace_parent(p);
5788 		if (tracer)
5789 			ptsid = task_sid(tracer);
5790 		rcu_read_unlock();
5791 
5792 		if (tracer) {
5793 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5794 					     PROCESS__PTRACE, NULL);
5795 			if (error)
5796 				goto abort_change;
5797 		}
5798 
5799 		tsec->sid = sid;
5800 	} else {
5801 		error = -EINVAL;
5802 		goto abort_change;
5803 	}
5804 
5805 	commit_creds(new);
5806 	return size;
5807 
5808 abort_change:
5809 	abort_creds(new);
5810 	return error;
5811 }
5812 
5813 static int selinux_ismaclabel(const char *name)
5814 {
5815 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5816 }
5817 
5818 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5819 {
5820 	return security_sid_to_context(secid, secdata, seclen);
5821 }
5822 
5823 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5824 {
5825 	return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5826 }
5827 
5828 static void selinux_release_secctx(char *secdata, u32 seclen)
5829 {
5830 	kfree(secdata);
5831 }
5832 
5833 static void selinux_inode_invalidate_secctx(struct inode *inode)
5834 {
5835 	struct inode_security_struct *isec = inode->i_security;
5836 
5837 	mutex_lock(&isec->lock);
5838 	isec->initialized = LABEL_INVALID;
5839 	mutex_unlock(&isec->lock);
5840 }
5841 
5842 /*
5843  *	called with inode->i_mutex locked
5844  */
5845 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5846 {
5847 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5848 }
5849 
5850 /*
5851  *	called with inode->i_mutex locked
5852  */
5853 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5854 {
5855 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5856 }
5857 
5858 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5859 {
5860 	int len = 0;
5861 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5862 						ctx, true);
5863 	if (len < 0)
5864 		return len;
5865 	*ctxlen = len;
5866 	return 0;
5867 }
5868 #ifdef CONFIG_KEYS
5869 
5870 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5871 			     unsigned long flags)
5872 {
5873 	const struct task_security_struct *tsec;
5874 	struct key_security_struct *ksec;
5875 
5876 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5877 	if (!ksec)
5878 		return -ENOMEM;
5879 
5880 	tsec = cred->security;
5881 	if (tsec->keycreate_sid)
5882 		ksec->sid = tsec->keycreate_sid;
5883 	else
5884 		ksec->sid = tsec->sid;
5885 
5886 	k->security = ksec;
5887 	return 0;
5888 }
5889 
5890 static void selinux_key_free(struct key *k)
5891 {
5892 	struct key_security_struct *ksec = k->security;
5893 
5894 	k->security = NULL;
5895 	kfree(ksec);
5896 }
5897 
5898 static int selinux_key_permission(key_ref_t key_ref,
5899 				  const struct cred *cred,
5900 				  unsigned perm)
5901 {
5902 	struct key *key;
5903 	struct key_security_struct *ksec;
5904 	u32 sid;
5905 
5906 	/* if no specific permissions are requested, we skip the
5907 	   permission check. No serious, additional covert channels
5908 	   appear to be created. */
5909 	if (perm == 0)
5910 		return 0;
5911 
5912 	sid = cred_sid(cred);
5913 
5914 	key = key_ref_to_ptr(key_ref);
5915 	ksec = key->security;
5916 
5917 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5918 }
5919 
5920 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5921 {
5922 	struct key_security_struct *ksec = key->security;
5923 	char *context = NULL;
5924 	unsigned len;
5925 	int rc;
5926 
5927 	rc = security_sid_to_context(ksec->sid, &context, &len);
5928 	if (!rc)
5929 		rc = len;
5930 	*_buffer = context;
5931 	return rc;
5932 }
5933 
5934 #endif
5935 
5936 static struct security_hook_list selinux_hooks[] = {
5937 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
5938 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
5939 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
5940 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
5941 
5942 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
5943 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
5944 	LSM_HOOK_INIT(capget, selinux_capget),
5945 	LSM_HOOK_INIT(capset, selinux_capset),
5946 	LSM_HOOK_INIT(capable, selinux_capable),
5947 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
5948 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
5949 	LSM_HOOK_INIT(syslog, selinux_syslog),
5950 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
5951 
5952 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
5953 
5954 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
5955 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
5956 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
5957 	LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
5958 
5959 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
5960 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
5961 	LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
5962 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
5963 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
5964 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
5965 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
5966 	LSM_HOOK_INIT(sb_mount, selinux_mount),
5967 	LSM_HOOK_INIT(sb_umount, selinux_umount),
5968 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
5969 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
5970 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
5971 
5972 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
5973 
5974 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
5975 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
5976 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
5977 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
5978 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
5979 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
5980 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
5981 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
5982 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
5983 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
5984 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
5985 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
5986 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
5987 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
5988 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
5989 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
5990 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
5991 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
5992 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
5993 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
5994 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
5995 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
5996 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
5997 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
5998 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
5999 
6000 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6001 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6002 	LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6003 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6004 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6005 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6006 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6007 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6008 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6009 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6010 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6011 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6012 
6013 	LSM_HOOK_INIT(file_open, selinux_file_open),
6014 
6015 	LSM_HOOK_INIT(task_create, selinux_task_create),
6016 	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6017 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
6018 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6019 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6020 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6021 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6022 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6023 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6024 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6025 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6026 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6027 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6028 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6029 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6030 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6031 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6032 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6033 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6034 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
6035 	LSM_HOOK_INIT(task_wait, selinux_task_wait),
6036 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6037 
6038 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6039 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6040 
6041 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6042 	LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6043 
6044 	LSM_HOOK_INIT(msg_queue_alloc_security,
6045 			selinux_msg_queue_alloc_security),
6046 	LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6047 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6048 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6049 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6050 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6051 
6052 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6053 	LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6054 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6055 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6056 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6057 
6058 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6059 	LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6060 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6061 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6062 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6063 
6064 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6065 
6066 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6067 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6068 
6069 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6070 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6071 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6072 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6073 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6074 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6075 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6076 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6077 
6078 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6079 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6080 
6081 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
6082 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6083 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6084 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6085 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6086 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6087 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6088 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6089 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6090 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6091 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6092 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6093 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6094 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6095 	LSM_HOOK_INIT(socket_getpeersec_stream,
6096 			selinux_socket_getpeersec_stream),
6097 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6098 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6099 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6100 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6101 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6102 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6103 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6104 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6105 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6106 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6107 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6108 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6109 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6110 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6111 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6112 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6113 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6114 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6115 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6116 
6117 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6118 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6119 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6120 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6121 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6122 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6123 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6124 			selinux_xfrm_state_alloc_acquire),
6125 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6126 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6127 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6128 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6129 			selinux_xfrm_state_pol_flow_match),
6130 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6131 #endif
6132 
6133 #ifdef CONFIG_KEYS
6134 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6135 	LSM_HOOK_INIT(key_free, selinux_key_free),
6136 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
6137 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6138 #endif
6139 
6140 #ifdef CONFIG_AUDIT
6141 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6142 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6143 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6144 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6145 #endif
6146 };
6147 
6148 static __init int selinux_init(void)
6149 {
6150 	if (!security_module_enable("selinux")) {
6151 		selinux_enabled = 0;
6152 		return 0;
6153 	}
6154 
6155 	if (!selinux_enabled) {
6156 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
6157 		return 0;
6158 	}
6159 
6160 	printk(KERN_INFO "SELinux:  Initializing.\n");
6161 
6162 	/* Set the security state for the initial task. */
6163 	cred_init_security();
6164 
6165 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6166 
6167 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
6168 					    sizeof(struct inode_security_struct),
6169 					    0, SLAB_PANIC, NULL);
6170 	file_security_cache = kmem_cache_create("selinux_file_security",
6171 					    sizeof(struct file_security_struct),
6172 					    0, SLAB_PANIC, NULL);
6173 	avc_init();
6174 
6175 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6176 
6177 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6178 		panic("SELinux: Unable to register AVC netcache callback\n");
6179 
6180 	if (selinux_enforcing)
6181 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6182 	else
6183 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6184 
6185 	return 0;
6186 }
6187 
6188 static void delayed_superblock_init(struct super_block *sb, void *unused)
6189 {
6190 	superblock_doinit(sb, NULL);
6191 }
6192 
6193 void selinux_complete_init(void)
6194 {
6195 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6196 
6197 	/* Set up any superblocks initialized prior to the policy load. */
6198 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6199 	iterate_supers(delayed_superblock_init, NULL);
6200 }
6201 
6202 /* SELinux requires early initialization in order to label
6203    all processes and objects when they are created. */
6204 security_initcall(selinux_init);
6205 
6206 #if defined(CONFIG_NETFILTER)
6207 
6208 static struct nf_hook_ops selinux_nf_ops[] = {
6209 	{
6210 		.hook =		selinux_ipv4_postroute,
6211 		.pf =		NFPROTO_IPV4,
6212 		.hooknum =	NF_INET_POST_ROUTING,
6213 		.priority =	NF_IP_PRI_SELINUX_LAST,
6214 	},
6215 	{
6216 		.hook =		selinux_ipv4_forward,
6217 		.pf =		NFPROTO_IPV4,
6218 		.hooknum =	NF_INET_FORWARD,
6219 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6220 	},
6221 	{
6222 		.hook =		selinux_ipv4_output,
6223 		.pf =		NFPROTO_IPV4,
6224 		.hooknum =	NF_INET_LOCAL_OUT,
6225 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6226 	},
6227 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6228 	{
6229 		.hook =		selinux_ipv6_postroute,
6230 		.pf =		NFPROTO_IPV6,
6231 		.hooknum =	NF_INET_POST_ROUTING,
6232 		.priority =	NF_IP6_PRI_SELINUX_LAST,
6233 	},
6234 	{
6235 		.hook =		selinux_ipv6_forward,
6236 		.pf =		NFPROTO_IPV6,
6237 		.hooknum =	NF_INET_FORWARD,
6238 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6239 	},
6240 #endif	/* IPV6 */
6241 };
6242 
6243 static int __init selinux_nf_ip_init(void)
6244 {
6245 	int err;
6246 
6247 	if (!selinux_enabled)
6248 		return 0;
6249 
6250 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6251 
6252 	err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6253 	if (err)
6254 		panic("SELinux: nf_register_hooks: error %d\n", err);
6255 
6256 	return 0;
6257 }
6258 
6259 __initcall(selinux_nf_ip_init);
6260 
6261 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6262 static void selinux_nf_ip_exit(void)
6263 {
6264 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6265 
6266 	nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6267 }
6268 #endif
6269 
6270 #else /* CONFIG_NETFILTER */
6271 
6272 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6273 #define selinux_nf_ip_exit()
6274 #endif
6275 
6276 #endif /* CONFIG_NETFILTER */
6277 
6278 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6279 static int selinux_disabled;
6280 
6281 int selinux_disable(void)
6282 {
6283 	if (ss_initialized) {
6284 		/* Not permitted after initial policy load. */
6285 		return -EINVAL;
6286 	}
6287 
6288 	if (selinux_disabled) {
6289 		/* Only do this once. */
6290 		return -EINVAL;
6291 	}
6292 
6293 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6294 
6295 	selinux_disabled = 1;
6296 	selinux_enabled = 0;
6297 
6298 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6299 
6300 	/* Try to destroy the avc node cache */
6301 	avc_disable();
6302 
6303 	/* Unregister netfilter hooks. */
6304 	selinux_nf_ip_exit();
6305 
6306 	/* Unregister selinuxfs. */
6307 	exit_sel_fs();
6308 
6309 	return 0;
6310 }
6311 #endif
6312