xref: /openbmc/linux/security/selinux/hooks.c (revision c819e2cf)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *	This program is free software; you can redistribute it and/or modify
22  *	it under the terms of the GNU General Public License version 2,
23  *	as published by the Free Software Foundation.
24  */
25 
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>		/* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h>		/* for Unix socket types */
71 #include <net/af_unix.h>	/* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87 
88 #include "avc.h"
89 #include "objsec.h"
90 #include "netif.h"
91 #include "netnode.h"
92 #include "netport.h"
93 #include "xfrm.h"
94 #include "netlabel.h"
95 #include "audit.h"
96 #include "avc_ss.h"
97 
98 /* SECMARK reference count */
99 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103 
104 static int __init enforcing_setup(char *str)
105 {
106 	unsigned long enforcing;
107 	if (!kstrtoul(str, 0, &enforcing))
108 		selinux_enforcing = enforcing ? 1 : 0;
109 	return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113 
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116 
117 static int __init selinux_enabled_setup(char *str)
118 {
119 	unsigned long enabled;
120 	if (!kstrtoul(str, 0, &enabled))
121 		selinux_enabled = enabled ? 1 : 0;
122 	return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128 
129 static struct kmem_cache *sel_inode_cache;
130 
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
139  * policy capability is enabled, SECMARK is always considered enabled.
140  *
141  */
142 static int selinux_secmark_enabled(void)
143 {
144 	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146 
147 /**
148  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149  *
150  * Description:
151  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
152  * (1) if any are enabled or false (0) if neither are enabled.  If the
153  * always_check_network policy capability is enabled, peer labeling
154  * is always considered enabled.
155  *
156  */
157 static int selinux_peerlbl_enabled(void)
158 {
159 	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161 
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 	if (event == AVC_CALLBACK_RESET) {
165 		sel_netif_flush();
166 		sel_netnode_flush();
167 		sel_netport_flush();
168 		synchronize_net();
169 	}
170 	return 0;
171 }
172 
173 /*
174  * initialise the security for the init task
175  */
176 static void cred_init_security(void)
177 {
178 	struct cred *cred = (struct cred *) current->real_cred;
179 	struct task_security_struct *tsec;
180 
181 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 	if (!tsec)
183 		panic("SELinux:  Failed to initialize initial task.\n");
184 
185 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 	cred->security = tsec;
187 }
188 
189 /*
190  * get the security ID of a set of credentials
191  */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 	const struct task_security_struct *tsec;
195 
196 	tsec = cred->security;
197 	return tsec->sid;
198 }
199 
200 /*
201  * get the objective security ID of a task
202  */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 	u32 sid;
206 
207 	rcu_read_lock();
208 	sid = cred_sid(__task_cred(task));
209 	rcu_read_unlock();
210 	return sid;
211 }
212 
213 /*
214  * get the subjective security ID of the current task
215  */
216 static inline u32 current_sid(void)
217 {
218 	const struct task_security_struct *tsec = current_security();
219 
220 	return tsec->sid;
221 }
222 
223 /* Allocate and free functions for each kind of security blob. */
224 
225 static int inode_alloc_security(struct inode *inode)
226 {
227 	struct inode_security_struct *isec;
228 	u32 sid = current_sid();
229 
230 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 	if (!isec)
232 		return -ENOMEM;
233 
234 	mutex_init(&isec->lock);
235 	INIT_LIST_HEAD(&isec->list);
236 	isec->inode = inode;
237 	isec->sid = SECINITSID_UNLABELED;
238 	isec->sclass = SECCLASS_FILE;
239 	isec->task_sid = sid;
240 	inode->i_security = isec;
241 
242 	return 0;
243 }
244 
245 static void inode_free_rcu(struct rcu_head *head)
246 {
247 	struct inode_security_struct *isec;
248 
249 	isec = container_of(head, struct inode_security_struct, rcu);
250 	kmem_cache_free(sel_inode_cache, isec);
251 }
252 
253 static void inode_free_security(struct inode *inode)
254 {
255 	struct inode_security_struct *isec = inode->i_security;
256 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
257 
258 	spin_lock(&sbsec->isec_lock);
259 	if (!list_empty(&isec->list))
260 		list_del_init(&isec->list);
261 	spin_unlock(&sbsec->isec_lock);
262 
263 	/*
264 	 * The inode may still be referenced in a path walk and
265 	 * a call to selinux_inode_permission() can be made
266 	 * after inode_free_security() is called. Ideally, the VFS
267 	 * wouldn't do this, but fixing that is a much harder
268 	 * job. For now, simply free the i_security via RCU, and
269 	 * leave the current inode->i_security pointer intact.
270 	 * The inode will be freed after the RCU grace period too.
271 	 */
272 	call_rcu(&isec->rcu, inode_free_rcu);
273 }
274 
275 static int file_alloc_security(struct file *file)
276 {
277 	struct file_security_struct *fsec;
278 	u32 sid = current_sid();
279 
280 	fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
281 	if (!fsec)
282 		return -ENOMEM;
283 
284 	fsec->sid = sid;
285 	fsec->fown_sid = sid;
286 	file->f_security = fsec;
287 
288 	return 0;
289 }
290 
291 static void file_free_security(struct file *file)
292 {
293 	struct file_security_struct *fsec = file->f_security;
294 	file->f_security = NULL;
295 	kfree(fsec);
296 }
297 
298 static int superblock_alloc_security(struct super_block *sb)
299 {
300 	struct superblock_security_struct *sbsec;
301 
302 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
303 	if (!sbsec)
304 		return -ENOMEM;
305 
306 	mutex_init(&sbsec->lock);
307 	INIT_LIST_HEAD(&sbsec->isec_head);
308 	spin_lock_init(&sbsec->isec_lock);
309 	sbsec->sb = sb;
310 	sbsec->sid = SECINITSID_UNLABELED;
311 	sbsec->def_sid = SECINITSID_FILE;
312 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
313 	sb->s_security = sbsec;
314 
315 	return 0;
316 }
317 
318 static void superblock_free_security(struct super_block *sb)
319 {
320 	struct superblock_security_struct *sbsec = sb->s_security;
321 	sb->s_security = NULL;
322 	kfree(sbsec);
323 }
324 
325 /* The file system's label must be initialized prior to use. */
326 
327 static const char *labeling_behaviors[7] = {
328 	"uses xattr",
329 	"uses transition SIDs",
330 	"uses task SIDs",
331 	"uses genfs_contexts",
332 	"not configured for labeling",
333 	"uses mountpoint labeling",
334 	"uses native labeling",
335 };
336 
337 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
338 
339 static inline int inode_doinit(struct inode *inode)
340 {
341 	return inode_doinit_with_dentry(inode, NULL);
342 }
343 
344 enum {
345 	Opt_error = -1,
346 	Opt_context = 1,
347 	Opt_fscontext = 2,
348 	Opt_defcontext = 3,
349 	Opt_rootcontext = 4,
350 	Opt_labelsupport = 5,
351 	Opt_nextmntopt = 6,
352 };
353 
354 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
355 
356 static const match_table_t tokens = {
357 	{Opt_context, CONTEXT_STR "%s"},
358 	{Opt_fscontext, FSCONTEXT_STR "%s"},
359 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
360 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
361 	{Opt_labelsupport, LABELSUPP_STR},
362 	{Opt_error, NULL},
363 };
364 
365 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
366 
367 static int may_context_mount_sb_relabel(u32 sid,
368 			struct superblock_security_struct *sbsec,
369 			const struct cred *cred)
370 {
371 	const struct task_security_struct *tsec = cred->security;
372 	int rc;
373 
374 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
375 			  FILESYSTEM__RELABELFROM, NULL);
376 	if (rc)
377 		return rc;
378 
379 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
380 			  FILESYSTEM__RELABELTO, NULL);
381 	return rc;
382 }
383 
384 static int may_context_mount_inode_relabel(u32 sid,
385 			struct superblock_security_struct *sbsec,
386 			const struct cred *cred)
387 {
388 	const struct task_security_struct *tsec = cred->security;
389 	int rc;
390 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
391 			  FILESYSTEM__RELABELFROM, NULL);
392 	if (rc)
393 		return rc;
394 
395 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
396 			  FILESYSTEM__ASSOCIATE, NULL);
397 	return rc;
398 }
399 
400 static int selinux_is_sblabel_mnt(struct super_block *sb)
401 {
402 	struct superblock_security_struct *sbsec = sb->s_security;
403 
404 	if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
405 	    sbsec->behavior == SECURITY_FS_USE_TRANS ||
406 	    sbsec->behavior == SECURITY_FS_USE_TASK)
407 		return 1;
408 
409 	/* Special handling for sysfs. Is genfs but also has setxattr handler*/
410 	if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
411 		return 1;
412 
413 	/*
414 	 * Special handling for rootfs. Is genfs but supports
415 	 * setting SELinux context on in-core inodes.
416 	 */
417 	if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
418 		return 1;
419 
420 	return 0;
421 }
422 
423 static int sb_finish_set_opts(struct super_block *sb)
424 {
425 	struct superblock_security_struct *sbsec = sb->s_security;
426 	struct dentry *root = sb->s_root;
427 	struct inode *root_inode = root->d_inode;
428 	int rc = 0;
429 
430 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
431 		/* Make sure that the xattr handler exists and that no
432 		   error other than -ENODATA is returned by getxattr on
433 		   the root directory.  -ENODATA is ok, as this may be
434 		   the first boot of the SELinux kernel before we have
435 		   assigned xattr values to the filesystem. */
436 		if (!root_inode->i_op->getxattr) {
437 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
438 			       "xattr support\n", sb->s_id, sb->s_type->name);
439 			rc = -EOPNOTSUPP;
440 			goto out;
441 		}
442 		rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
443 		if (rc < 0 && rc != -ENODATA) {
444 			if (rc == -EOPNOTSUPP)
445 				printk(KERN_WARNING "SELinux: (dev %s, type "
446 				       "%s) has no security xattr handler\n",
447 				       sb->s_id, sb->s_type->name);
448 			else
449 				printk(KERN_WARNING "SELinux: (dev %s, type "
450 				       "%s) getxattr errno %d\n", sb->s_id,
451 				       sb->s_type->name, -rc);
452 			goto out;
453 		}
454 	}
455 
456 	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
457 		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
458 		       sb->s_id, sb->s_type->name);
459 	else
460 		printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
461 		       sb->s_id, sb->s_type->name,
462 		       labeling_behaviors[sbsec->behavior-1]);
463 
464 	sbsec->flags |= SE_SBINITIALIZED;
465 	if (selinux_is_sblabel_mnt(sb))
466 		sbsec->flags |= SBLABEL_MNT;
467 
468 	/* Initialize the root inode. */
469 	rc = inode_doinit_with_dentry(root_inode, root);
470 
471 	/* Initialize any other inodes associated with the superblock, e.g.
472 	   inodes created prior to initial policy load or inodes created
473 	   during get_sb by a pseudo filesystem that directly
474 	   populates itself. */
475 	spin_lock(&sbsec->isec_lock);
476 next_inode:
477 	if (!list_empty(&sbsec->isec_head)) {
478 		struct inode_security_struct *isec =
479 				list_entry(sbsec->isec_head.next,
480 					   struct inode_security_struct, list);
481 		struct inode *inode = isec->inode;
482 		list_del_init(&isec->list);
483 		spin_unlock(&sbsec->isec_lock);
484 		inode = igrab(inode);
485 		if (inode) {
486 			if (!IS_PRIVATE(inode))
487 				inode_doinit(inode);
488 			iput(inode);
489 		}
490 		spin_lock(&sbsec->isec_lock);
491 		goto next_inode;
492 	}
493 	spin_unlock(&sbsec->isec_lock);
494 out:
495 	return rc;
496 }
497 
498 /*
499  * This function should allow an FS to ask what it's mount security
500  * options were so it can use those later for submounts, displaying
501  * mount options, or whatever.
502  */
503 static int selinux_get_mnt_opts(const struct super_block *sb,
504 				struct security_mnt_opts *opts)
505 {
506 	int rc = 0, i;
507 	struct superblock_security_struct *sbsec = sb->s_security;
508 	char *context = NULL;
509 	u32 len;
510 	char tmp;
511 
512 	security_init_mnt_opts(opts);
513 
514 	if (!(sbsec->flags & SE_SBINITIALIZED))
515 		return -EINVAL;
516 
517 	if (!ss_initialized)
518 		return -EINVAL;
519 
520 	/* make sure we always check enough bits to cover the mask */
521 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
522 
523 	tmp = sbsec->flags & SE_MNTMASK;
524 	/* count the number of mount options for this sb */
525 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
526 		if (tmp & 0x01)
527 			opts->num_mnt_opts++;
528 		tmp >>= 1;
529 	}
530 	/* Check if the Label support flag is set */
531 	if (sbsec->flags & SBLABEL_MNT)
532 		opts->num_mnt_opts++;
533 
534 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
535 	if (!opts->mnt_opts) {
536 		rc = -ENOMEM;
537 		goto out_free;
538 	}
539 
540 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
541 	if (!opts->mnt_opts_flags) {
542 		rc = -ENOMEM;
543 		goto out_free;
544 	}
545 
546 	i = 0;
547 	if (sbsec->flags & FSCONTEXT_MNT) {
548 		rc = security_sid_to_context(sbsec->sid, &context, &len);
549 		if (rc)
550 			goto out_free;
551 		opts->mnt_opts[i] = context;
552 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
553 	}
554 	if (sbsec->flags & CONTEXT_MNT) {
555 		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
556 		if (rc)
557 			goto out_free;
558 		opts->mnt_opts[i] = context;
559 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
560 	}
561 	if (sbsec->flags & DEFCONTEXT_MNT) {
562 		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
563 		if (rc)
564 			goto out_free;
565 		opts->mnt_opts[i] = context;
566 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
567 	}
568 	if (sbsec->flags & ROOTCONTEXT_MNT) {
569 		struct inode *root = sbsec->sb->s_root->d_inode;
570 		struct inode_security_struct *isec = root->i_security;
571 
572 		rc = security_sid_to_context(isec->sid, &context, &len);
573 		if (rc)
574 			goto out_free;
575 		opts->mnt_opts[i] = context;
576 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
577 	}
578 	if (sbsec->flags & SBLABEL_MNT) {
579 		opts->mnt_opts[i] = NULL;
580 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
581 	}
582 
583 	BUG_ON(i != opts->num_mnt_opts);
584 
585 	return 0;
586 
587 out_free:
588 	security_free_mnt_opts(opts);
589 	return rc;
590 }
591 
592 static int bad_option(struct superblock_security_struct *sbsec, char flag,
593 		      u32 old_sid, u32 new_sid)
594 {
595 	char mnt_flags = sbsec->flags & SE_MNTMASK;
596 
597 	/* check if the old mount command had the same options */
598 	if (sbsec->flags & SE_SBINITIALIZED)
599 		if (!(sbsec->flags & flag) ||
600 		    (old_sid != new_sid))
601 			return 1;
602 
603 	/* check if we were passed the same options twice,
604 	 * aka someone passed context=a,context=b
605 	 */
606 	if (!(sbsec->flags & SE_SBINITIALIZED))
607 		if (mnt_flags & flag)
608 			return 1;
609 	return 0;
610 }
611 
612 /*
613  * Allow filesystems with binary mount data to explicitly set mount point
614  * labeling information.
615  */
616 static int selinux_set_mnt_opts(struct super_block *sb,
617 				struct security_mnt_opts *opts,
618 				unsigned long kern_flags,
619 				unsigned long *set_kern_flags)
620 {
621 	const struct cred *cred = current_cred();
622 	int rc = 0, i;
623 	struct superblock_security_struct *sbsec = sb->s_security;
624 	const char *name = sb->s_type->name;
625 	struct inode *inode = sbsec->sb->s_root->d_inode;
626 	struct inode_security_struct *root_isec = inode->i_security;
627 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
628 	u32 defcontext_sid = 0;
629 	char **mount_options = opts->mnt_opts;
630 	int *flags = opts->mnt_opts_flags;
631 	int num_opts = opts->num_mnt_opts;
632 
633 	mutex_lock(&sbsec->lock);
634 
635 	if (!ss_initialized) {
636 		if (!num_opts) {
637 			/* Defer initialization until selinux_complete_init,
638 			   after the initial policy is loaded and the security
639 			   server is ready to handle calls. */
640 			goto out;
641 		}
642 		rc = -EINVAL;
643 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
644 			"before the security server is initialized\n");
645 		goto out;
646 	}
647 	if (kern_flags && !set_kern_flags) {
648 		/* Specifying internal flags without providing a place to
649 		 * place the results is not allowed */
650 		rc = -EINVAL;
651 		goto out;
652 	}
653 
654 	/*
655 	 * Binary mount data FS will come through this function twice.  Once
656 	 * from an explicit call and once from the generic calls from the vfs.
657 	 * Since the generic VFS calls will not contain any security mount data
658 	 * we need to skip the double mount verification.
659 	 *
660 	 * This does open a hole in which we will not notice if the first
661 	 * mount using this sb set explict options and a second mount using
662 	 * this sb does not set any security options.  (The first options
663 	 * will be used for both mounts)
664 	 */
665 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
666 	    && (num_opts == 0))
667 		goto out;
668 
669 	/*
670 	 * parse the mount options, check if they are valid sids.
671 	 * also check if someone is trying to mount the same sb more
672 	 * than once with different security options.
673 	 */
674 	for (i = 0; i < num_opts; i++) {
675 		u32 sid;
676 
677 		if (flags[i] == SBLABEL_MNT)
678 			continue;
679 		rc = security_context_to_sid(mount_options[i],
680 					     strlen(mount_options[i]), &sid, GFP_KERNEL);
681 		if (rc) {
682 			printk(KERN_WARNING "SELinux: security_context_to_sid"
683 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
684 			       mount_options[i], sb->s_id, name, rc);
685 			goto out;
686 		}
687 		switch (flags[i]) {
688 		case FSCONTEXT_MNT:
689 			fscontext_sid = sid;
690 
691 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
692 					fscontext_sid))
693 				goto out_double_mount;
694 
695 			sbsec->flags |= FSCONTEXT_MNT;
696 			break;
697 		case CONTEXT_MNT:
698 			context_sid = sid;
699 
700 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
701 					context_sid))
702 				goto out_double_mount;
703 
704 			sbsec->flags |= CONTEXT_MNT;
705 			break;
706 		case ROOTCONTEXT_MNT:
707 			rootcontext_sid = sid;
708 
709 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
710 					rootcontext_sid))
711 				goto out_double_mount;
712 
713 			sbsec->flags |= ROOTCONTEXT_MNT;
714 
715 			break;
716 		case DEFCONTEXT_MNT:
717 			defcontext_sid = sid;
718 
719 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
720 					defcontext_sid))
721 				goto out_double_mount;
722 
723 			sbsec->flags |= DEFCONTEXT_MNT;
724 
725 			break;
726 		default:
727 			rc = -EINVAL;
728 			goto out;
729 		}
730 	}
731 
732 	if (sbsec->flags & SE_SBINITIALIZED) {
733 		/* previously mounted with options, but not on this attempt? */
734 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
735 			goto out_double_mount;
736 		rc = 0;
737 		goto out;
738 	}
739 
740 	if (strcmp(sb->s_type->name, "proc") == 0)
741 		sbsec->flags |= SE_SBPROC;
742 
743 	if (!sbsec->behavior) {
744 		/*
745 		 * Determine the labeling behavior to use for this
746 		 * filesystem type.
747 		 */
748 		rc = security_fs_use(sb);
749 		if (rc) {
750 			printk(KERN_WARNING
751 				"%s: security_fs_use(%s) returned %d\n",
752 					__func__, sb->s_type->name, rc);
753 			goto out;
754 		}
755 	}
756 	/* sets the context of the superblock for the fs being mounted. */
757 	if (fscontext_sid) {
758 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
759 		if (rc)
760 			goto out;
761 
762 		sbsec->sid = fscontext_sid;
763 	}
764 
765 	/*
766 	 * Switch to using mount point labeling behavior.
767 	 * sets the label used on all file below the mountpoint, and will set
768 	 * the superblock context if not already set.
769 	 */
770 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
771 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
772 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
773 	}
774 
775 	if (context_sid) {
776 		if (!fscontext_sid) {
777 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
778 							  cred);
779 			if (rc)
780 				goto out;
781 			sbsec->sid = context_sid;
782 		} else {
783 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
784 							     cred);
785 			if (rc)
786 				goto out;
787 		}
788 		if (!rootcontext_sid)
789 			rootcontext_sid = context_sid;
790 
791 		sbsec->mntpoint_sid = context_sid;
792 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
793 	}
794 
795 	if (rootcontext_sid) {
796 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
797 						     cred);
798 		if (rc)
799 			goto out;
800 
801 		root_isec->sid = rootcontext_sid;
802 		root_isec->initialized = 1;
803 	}
804 
805 	if (defcontext_sid) {
806 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
807 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
808 			rc = -EINVAL;
809 			printk(KERN_WARNING "SELinux: defcontext option is "
810 			       "invalid for this filesystem type\n");
811 			goto out;
812 		}
813 
814 		if (defcontext_sid != sbsec->def_sid) {
815 			rc = may_context_mount_inode_relabel(defcontext_sid,
816 							     sbsec, cred);
817 			if (rc)
818 				goto out;
819 		}
820 
821 		sbsec->def_sid = defcontext_sid;
822 	}
823 
824 	rc = sb_finish_set_opts(sb);
825 out:
826 	mutex_unlock(&sbsec->lock);
827 	return rc;
828 out_double_mount:
829 	rc = -EINVAL;
830 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
831 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
832 	goto out;
833 }
834 
835 static int selinux_cmp_sb_context(const struct super_block *oldsb,
836 				    const struct super_block *newsb)
837 {
838 	struct superblock_security_struct *old = oldsb->s_security;
839 	struct superblock_security_struct *new = newsb->s_security;
840 	char oldflags = old->flags & SE_MNTMASK;
841 	char newflags = new->flags & SE_MNTMASK;
842 
843 	if (oldflags != newflags)
844 		goto mismatch;
845 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
846 		goto mismatch;
847 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
848 		goto mismatch;
849 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
850 		goto mismatch;
851 	if (oldflags & ROOTCONTEXT_MNT) {
852 		struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
853 		struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
854 		if (oldroot->sid != newroot->sid)
855 			goto mismatch;
856 	}
857 	return 0;
858 mismatch:
859 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
860 			    "different security settings for (dev %s, "
861 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
862 	return -EBUSY;
863 }
864 
865 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
866 					struct super_block *newsb)
867 {
868 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
869 	struct superblock_security_struct *newsbsec = newsb->s_security;
870 
871 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
872 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
873 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
874 
875 	/*
876 	 * if the parent was able to be mounted it clearly had no special lsm
877 	 * mount options.  thus we can safely deal with this superblock later
878 	 */
879 	if (!ss_initialized)
880 		return 0;
881 
882 	/* how can we clone if the old one wasn't set up?? */
883 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
884 
885 	/* if fs is reusing a sb, make sure that the contexts match */
886 	if (newsbsec->flags & SE_SBINITIALIZED)
887 		return selinux_cmp_sb_context(oldsb, newsb);
888 
889 	mutex_lock(&newsbsec->lock);
890 
891 	newsbsec->flags = oldsbsec->flags;
892 
893 	newsbsec->sid = oldsbsec->sid;
894 	newsbsec->def_sid = oldsbsec->def_sid;
895 	newsbsec->behavior = oldsbsec->behavior;
896 
897 	if (set_context) {
898 		u32 sid = oldsbsec->mntpoint_sid;
899 
900 		if (!set_fscontext)
901 			newsbsec->sid = sid;
902 		if (!set_rootcontext) {
903 			struct inode *newinode = newsb->s_root->d_inode;
904 			struct inode_security_struct *newisec = newinode->i_security;
905 			newisec->sid = sid;
906 		}
907 		newsbsec->mntpoint_sid = sid;
908 	}
909 	if (set_rootcontext) {
910 		const struct inode *oldinode = oldsb->s_root->d_inode;
911 		const struct inode_security_struct *oldisec = oldinode->i_security;
912 		struct inode *newinode = newsb->s_root->d_inode;
913 		struct inode_security_struct *newisec = newinode->i_security;
914 
915 		newisec->sid = oldisec->sid;
916 	}
917 
918 	sb_finish_set_opts(newsb);
919 	mutex_unlock(&newsbsec->lock);
920 	return 0;
921 }
922 
923 static int selinux_parse_opts_str(char *options,
924 				  struct security_mnt_opts *opts)
925 {
926 	char *p;
927 	char *context = NULL, *defcontext = NULL;
928 	char *fscontext = NULL, *rootcontext = NULL;
929 	int rc, num_mnt_opts = 0;
930 
931 	opts->num_mnt_opts = 0;
932 
933 	/* Standard string-based options. */
934 	while ((p = strsep(&options, "|")) != NULL) {
935 		int token;
936 		substring_t args[MAX_OPT_ARGS];
937 
938 		if (!*p)
939 			continue;
940 
941 		token = match_token(p, tokens, args);
942 
943 		switch (token) {
944 		case Opt_context:
945 			if (context || defcontext) {
946 				rc = -EINVAL;
947 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
948 				goto out_err;
949 			}
950 			context = match_strdup(&args[0]);
951 			if (!context) {
952 				rc = -ENOMEM;
953 				goto out_err;
954 			}
955 			break;
956 
957 		case Opt_fscontext:
958 			if (fscontext) {
959 				rc = -EINVAL;
960 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
961 				goto out_err;
962 			}
963 			fscontext = match_strdup(&args[0]);
964 			if (!fscontext) {
965 				rc = -ENOMEM;
966 				goto out_err;
967 			}
968 			break;
969 
970 		case Opt_rootcontext:
971 			if (rootcontext) {
972 				rc = -EINVAL;
973 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
974 				goto out_err;
975 			}
976 			rootcontext = match_strdup(&args[0]);
977 			if (!rootcontext) {
978 				rc = -ENOMEM;
979 				goto out_err;
980 			}
981 			break;
982 
983 		case Opt_defcontext:
984 			if (context || defcontext) {
985 				rc = -EINVAL;
986 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
987 				goto out_err;
988 			}
989 			defcontext = match_strdup(&args[0]);
990 			if (!defcontext) {
991 				rc = -ENOMEM;
992 				goto out_err;
993 			}
994 			break;
995 		case Opt_labelsupport:
996 			break;
997 		default:
998 			rc = -EINVAL;
999 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
1000 			goto out_err;
1001 
1002 		}
1003 	}
1004 
1005 	rc = -ENOMEM;
1006 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1007 	if (!opts->mnt_opts)
1008 		goto out_err;
1009 
1010 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1011 	if (!opts->mnt_opts_flags) {
1012 		kfree(opts->mnt_opts);
1013 		goto out_err;
1014 	}
1015 
1016 	if (fscontext) {
1017 		opts->mnt_opts[num_mnt_opts] = fscontext;
1018 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1019 	}
1020 	if (context) {
1021 		opts->mnt_opts[num_mnt_opts] = context;
1022 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1023 	}
1024 	if (rootcontext) {
1025 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1026 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1027 	}
1028 	if (defcontext) {
1029 		opts->mnt_opts[num_mnt_opts] = defcontext;
1030 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1031 	}
1032 
1033 	opts->num_mnt_opts = num_mnt_opts;
1034 	return 0;
1035 
1036 out_err:
1037 	kfree(context);
1038 	kfree(defcontext);
1039 	kfree(fscontext);
1040 	kfree(rootcontext);
1041 	return rc;
1042 }
1043 /*
1044  * string mount options parsing and call set the sbsec
1045  */
1046 static int superblock_doinit(struct super_block *sb, void *data)
1047 {
1048 	int rc = 0;
1049 	char *options = data;
1050 	struct security_mnt_opts opts;
1051 
1052 	security_init_mnt_opts(&opts);
1053 
1054 	if (!data)
1055 		goto out;
1056 
1057 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1058 
1059 	rc = selinux_parse_opts_str(options, &opts);
1060 	if (rc)
1061 		goto out_err;
1062 
1063 out:
1064 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1065 
1066 out_err:
1067 	security_free_mnt_opts(&opts);
1068 	return rc;
1069 }
1070 
1071 static void selinux_write_opts(struct seq_file *m,
1072 			       struct security_mnt_opts *opts)
1073 {
1074 	int i;
1075 	char *prefix;
1076 
1077 	for (i = 0; i < opts->num_mnt_opts; i++) {
1078 		char *has_comma;
1079 
1080 		if (opts->mnt_opts[i])
1081 			has_comma = strchr(opts->mnt_opts[i], ',');
1082 		else
1083 			has_comma = NULL;
1084 
1085 		switch (opts->mnt_opts_flags[i]) {
1086 		case CONTEXT_MNT:
1087 			prefix = CONTEXT_STR;
1088 			break;
1089 		case FSCONTEXT_MNT:
1090 			prefix = FSCONTEXT_STR;
1091 			break;
1092 		case ROOTCONTEXT_MNT:
1093 			prefix = ROOTCONTEXT_STR;
1094 			break;
1095 		case DEFCONTEXT_MNT:
1096 			prefix = DEFCONTEXT_STR;
1097 			break;
1098 		case SBLABEL_MNT:
1099 			seq_putc(m, ',');
1100 			seq_puts(m, LABELSUPP_STR);
1101 			continue;
1102 		default:
1103 			BUG();
1104 			return;
1105 		};
1106 		/* we need a comma before each option */
1107 		seq_putc(m, ',');
1108 		seq_puts(m, prefix);
1109 		if (has_comma)
1110 			seq_putc(m, '\"');
1111 		seq_puts(m, opts->mnt_opts[i]);
1112 		if (has_comma)
1113 			seq_putc(m, '\"');
1114 	}
1115 }
1116 
1117 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1118 {
1119 	struct security_mnt_opts opts;
1120 	int rc;
1121 
1122 	rc = selinux_get_mnt_opts(sb, &opts);
1123 	if (rc) {
1124 		/* before policy load we may get EINVAL, don't show anything */
1125 		if (rc == -EINVAL)
1126 			rc = 0;
1127 		return rc;
1128 	}
1129 
1130 	selinux_write_opts(m, &opts);
1131 
1132 	security_free_mnt_opts(&opts);
1133 
1134 	return rc;
1135 }
1136 
1137 static inline u16 inode_mode_to_security_class(umode_t mode)
1138 {
1139 	switch (mode & S_IFMT) {
1140 	case S_IFSOCK:
1141 		return SECCLASS_SOCK_FILE;
1142 	case S_IFLNK:
1143 		return SECCLASS_LNK_FILE;
1144 	case S_IFREG:
1145 		return SECCLASS_FILE;
1146 	case S_IFBLK:
1147 		return SECCLASS_BLK_FILE;
1148 	case S_IFDIR:
1149 		return SECCLASS_DIR;
1150 	case S_IFCHR:
1151 		return SECCLASS_CHR_FILE;
1152 	case S_IFIFO:
1153 		return SECCLASS_FIFO_FILE;
1154 
1155 	}
1156 
1157 	return SECCLASS_FILE;
1158 }
1159 
1160 static inline int default_protocol_stream(int protocol)
1161 {
1162 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1163 }
1164 
1165 static inline int default_protocol_dgram(int protocol)
1166 {
1167 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1168 }
1169 
1170 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1171 {
1172 	switch (family) {
1173 	case PF_UNIX:
1174 		switch (type) {
1175 		case SOCK_STREAM:
1176 		case SOCK_SEQPACKET:
1177 			return SECCLASS_UNIX_STREAM_SOCKET;
1178 		case SOCK_DGRAM:
1179 			return SECCLASS_UNIX_DGRAM_SOCKET;
1180 		}
1181 		break;
1182 	case PF_INET:
1183 	case PF_INET6:
1184 		switch (type) {
1185 		case SOCK_STREAM:
1186 			if (default_protocol_stream(protocol))
1187 				return SECCLASS_TCP_SOCKET;
1188 			else
1189 				return SECCLASS_RAWIP_SOCKET;
1190 		case SOCK_DGRAM:
1191 			if (default_protocol_dgram(protocol))
1192 				return SECCLASS_UDP_SOCKET;
1193 			else
1194 				return SECCLASS_RAWIP_SOCKET;
1195 		case SOCK_DCCP:
1196 			return SECCLASS_DCCP_SOCKET;
1197 		default:
1198 			return SECCLASS_RAWIP_SOCKET;
1199 		}
1200 		break;
1201 	case PF_NETLINK:
1202 		switch (protocol) {
1203 		case NETLINK_ROUTE:
1204 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1205 		case NETLINK_FIREWALL:
1206 			return SECCLASS_NETLINK_FIREWALL_SOCKET;
1207 		case NETLINK_SOCK_DIAG:
1208 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1209 		case NETLINK_NFLOG:
1210 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1211 		case NETLINK_XFRM:
1212 			return SECCLASS_NETLINK_XFRM_SOCKET;
1213 		case NETLINK_SELINUX:
1214 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1215 		case NETLINK_AUDIT:
1216 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1217 		case NETLINK_IP6_FW:
1218 			return SECCLASS_NETLINK_IP6FW_SOCKET;
1219 		case NETLINK_DNRTMSG:
1220 			return SECCLASS_NETLINK_DNRT_SOCKET;
1221 		case NETLINK_KOBJECT_UEVENT:
1222 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1223 		default:
1224 			return SECCLASS_NETLINK_SOCKET;
1225 		}
1226 	case PF_PACKET:
1227 		return SECCLASS_PACKET_SOCKET;
1228 	case PF_KEY:
1229 		return SECCLASS_KEY_SOCKET;
1230 	case PF_APPLETALK:
1231 		return SECCLASS_APPLETALK_SOCKET;
1232 	}
1233 
1234 	return SECCLASS_SOCKET;
1235 }
1236 
1237 #ifdef CONFIG_PROC_FS
1238 static int selinux_proc_get_sid(struct dentry *dentry,
1239 				u16 tclass,
1240 				u32 *sid)
1241 {
1242 	int rc;
1243 	char *buffer, *path;
1244 
1245 	buffer = (char *)__get_free_page(GFP_KERNEL);
1246 	if (!buffer)
1247 		return -ENOMEM;
1248 
1249 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1250 	if (IS_ERR(path))
1251 		rc = PTR_ERR(path);
1252 	else {
1253 		/* each process gets a /proc/PID/ entry. Strip off the
1254 		 * PID part to get a valid selinux labeling.
1255 		 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1256 		while (path[1] >= '0' && path[1] <= '9') {
1257 			path[1] = '/';
1258 			path++;
1259 		}
1260 		rc = security_genfs_sid("proc", path, tclass, sid);
1261 	}
1262 	free_page((unsigned long)buffer);
1263 	return rc;
1264 }
1265 #else
1266 static int selinux_proc_get_sid(struct dentry *dentry,
1267 				u16 tclass,
1268 				u32 *sid)
1269 {
1270 	return -EINVAL;
1271 }
1272 #endif
1273 
1274 /* The inode's security attributes must be initialized before first use. */
1275 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1276 {
1277 	struct superblock_security_struct *sbsec = NULL;
1278 	struct inode_security_struct *isec = inode->i_security;
1279 	u32 sid;
1280 	struct dentry *dentry;
1281 #define INITCONTEXTLEN 255
1282 	char *context = NULL;
1283 	unsigned len = 0;
1284 	int rc = 0;
1285 
1286 	if (isec->initialized)
1287 		goto out;
1288 
1289 	mutex_lock(&isec->lock);
1290 	if (isec->initialized)
1291 		goto out_unlock;
1292 
1293 	sbsec = inode->i_sb->s_security;
1294 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1295 		/* Defer initialization until selinux_complete_init,
1296 		   after the initial policy is loaded and the security
1297 		   server is ready to handle calls. */
1298 		spin_lock(&sbsec->isec_lock);
1299 		if (list_empty(&isec->list))
1300 			list_add(&isec->list, &sbsec->isec_head);
1301 		spin_unlock(&sbsec->isec_lock);
1302 		goto out_unlock;
1303 	}
1304 
1305 	switch (sbsec->behavior) {
1306 	case SECURITY_FS_USE_NATIVE:
1307 		break;
1308 	case SECURITY_FS_USE_XATTR:
1309 		if (!inode->i_op->getxattr) {
1310 			isec->sid = sbsec->def_sid;
1311 			break;
1312 		}
1313 
1314 		/* Need a dentry, since the xattr API requires one.
1315 		   Life would be simpler if we could just pass the inode. */
1316 		if (opt_dentry) {
1317 			/* Called from d_instantiate or d_splice_alias. */
1318 			dentry = dget(opt_dentry);
1319 		} else {
1320 			/* Called from selinux_complete_init, try to find a dentry. */
1321 			dentry = d_find_alias(inode);
1322 		}
1323 		if (!dentry) {
1324 			/*
1325 			 * this is can be hit on boot when a file is accessed
1326 			 * before the policy is loaded.  When we load policy we
1327 			 * may find inodes that have no dentry on the
1328 			 * sbsec->isec_head list.  No reason to complain as these
1329 			 * will get fixed up the next time we go through
1330 			 * inode_doinit with a dentry, before these inodes could
1331 			 * be used again by userspace.
1332 			 */
1333 			goto out_unlock;
1334 		}
1335 
1336 		len = INITCONTEXTLEN;
1337 		context = kmalloc(len+1, GFP_NOFS);
1338 		if (!context) {
1339 			rc = -ENOMEM;
1340 			dput(dentry);
1341 			goto out_unlock;
1342 		}
1343 		context[len] = '\0';
1344 		rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1345 					   context, len);
1346 		if (rc == -ERANGE) {
1347 			kfree(context);
1348 
1349 			/* Need a larger buffer.  Query for the right size. */
1350 			rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1351 						   NULL, 0);
1352 			if (rc < 0) {
1353 				dput(dentry);
1354 				goto out_unlock;
1355 			}
1356 			len = rc;
1357 			context = kmalloc(len+1, GFP_NOFS);
1358 			if (!context) {
1359 				rc = -ENOMEM;
1360 				dput(dentry);
1361 				goto out_unlock;
1362 			}
1363 			context[len] = '\0';
1364 			rc = inode->i_op->getxattr(dentry,
1365 						   XATTR_NAME_SELINUX,
1366 						   context, len);
1367 		}
1368 		dput(dentry);
1369 		if (rc < 0) {
1370 			if (rc != -ENODATA) {
1371 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1372 				       "%d for dev=%s ino=%ld\n", __func__,
1373 				       -rc, inode->i_sb->s_id, inode->i_ino);
1374 				kfree(context);
1375 				goto out_unlock;
1376 			}
1377 			/* Map ENODATA to the default file SID */
1378 			sid = sbsec->def_sid;
1379 			rc = 0;
1380 		} else {
1381 			rc = security_context_to_sid_default(context, rc, &sid,
1382 							     sbsec->def_sid,
1383 							     GFP_NOFS);
1384 			if (rc) {
1385 				char *dev = inode->i_sb->s_id;
1386 				unsigned long ino = inode->i_ino;
1387 
1388 				if (rc == -EINVAL) {
1389 					if (printk_ratelimit())
1390 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1391 							"context=%s.  This indicates you may need to relabel the inode or the "
1392 							"filesystem in question.\n", ino, dev, context);
1393 				} else {
1394 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1395 					       "returned %d for dev=%s ino=%ld\n",
1396 					       __func__, context, -rc, dev, ino);
1397 				}
1398 				kfree(context);
1399 				/* Leave with the unlabeled SID */
1400 				rc = 0;
1401 				break;
1402 			}
1403 		}
1404 		kfree(context);
1405 		isec->sid = sid;
1406 		break;
1407 	case SECURITY_FS_USE_TASK:
1408 		isec->sid = isec->task_sid;
1409 		break;
1410 	case SECURITY_FS_USE_TRANS:
1411 		/* Default to the fs SID. */
1412 		isec->sid = sbsec->sid;
1413 
1414 		/* Try to obtain a transition SID. */
1415 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1416 		rc = security_transition_sid(isec->task_sid, sbsec->sid,
1417 					     isec->sclass, NULL, &sid);
1418 		if (rc)
1419 			goto out_unlock;
1420 		isec->sid = sid;
1421 		break;
1422 	case SECURITY_FS_USE_MNTPOINT:
1423 		isec->sid = sbsec->mntpoint_sid;
1424 		break;
1425 	default:
1426 		/* Default to the fs superblock SID. */
1427 		isec->sid = sbsec->sid;
1428 
1429 		if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1430 			/* We must have a dentry to determine the label on
1431 			 * procfs inodes */
1432 			if (opt_dentry)
1433 				/* Called from d_instantiate or
1434 				 * d_splice_alias. */
1435 				dentry = dget(opt_dentry);
1436 			else
1437 				/* Called from selinux_complete_init, try to
1438 				 * find a dentry. */
1439 				dentry = d_find_alias(inode);
1440 			/*
1441 			 * This can be hit on boot when a file is accessed
1442 			 * before the policy is loaded.  When we load policy we
1443 			 * may find inodes that have no dentry on the
1444 			 * sbsec->isec_head list.  No reason to complain as
1445 			 * these will get fixed up the next time we go through
1446 			 * inode_doinit() with a dentry, before these inodes
1447 			 * could be used again by userspace.
1448 			 */
1449 			if (!dentry)
1450 				goto out_unlock;
1451 			isec->sclass = inode_mode_to_security_class(inode->i_mode);
1452 			rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1453 			dput(dentry);
1454 			if (rc)
1455 				goto out_unlock;
1456 			isec->sid = sid;
1457 		}
1458 		break;
1459 	}
1460 
1461 	isec->initialized = 1;
1462 
1463 out_unlock:
1464 	mutex_unlock(&isec->lock);
1465 out:
1466 	if (isec->sclass == SECCLASS_FILE)
1467 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1468 	return rc;
1469 }
1470 
1471 /* Convert a Linux signal to an access vector. */
1472 static inline u32 signal_to_av(int sig)
1473 {
1474 	u32 perm = 0;
1475 
1476 	switch (sig) {
1477 	case SIGCHLD:
1478 		/* Commonly granted from child to parent. */
1479 		perm = PROCESS__SIGCHLD;
1480 		break;
1481 	case SIGKILL:
1482 		/* Cannot be caught or ignored */
1483 		perm = PROCESS__SIGKILL;
1484 		break;
1485 	case SIGSTOP:
1486 		/* Cannot be caught or ignored */
1487 		perm = PROCESS__SIGSTOP;
1488 		break;
1489 	default:
1490 		/* All other signals. */
1491 		perm = PROCESS__SIGNAL;
1492 		break;
1493 	}
1494 
1495 	return perm;
1496 }
1497 
1498 /*
1499  * Check permission between a pair of credentials
1500  * fork check, ptrace check, etc.
1501  */
1502 static int cred_has_perm(const struct cred *actor,
1503 			 const struct cred *target,
1504 			 u32 perms)
1505 {
1506 	u32 asid = cred_sid(actor), tsid = cred_sid(target);
1507 
1508 	return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1509 }
1510 
1511 /*
1512  * Check permission between a pair of tasks, e.g. signal checks,
1513  * fork check, ptrace check, etc.
1514  * tsk1 is the actor and tsk2 is the target
1515  * - this uses the default subjective creds of tsk1
1516  */
1517 static int task_has_perm(const struct task_struct *tsk1,
1518 			 const struct task_struct *tsk2,
1519 			 u32 perms)
1520 {
1521 	const struct task_security_struct *__tsec1, *__tsec2;
1522 	u32 sid1, sid2;
1523 
1524 	rcu_read_lock();
1525 	__tsec1 = __task_cred(tsk1)->security;	sid1 = __tsec1->sid;
1526 	__tsec2 = __task_cred(tsk2)->security;	sid2 = __tsec2->sid;
1527 	rcu_read_unlock();
1528 	return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1529 }
1530 
1531 /*
1532  * Check permission between current and another task, e.g. signal checks,
1533  * fork check, ptrace check, etc.
1534  * current is the actor and tsk2 is the target
1535  * - this uses current's subjective creds
1536  */
1537 static int current_has_perm(const struct task_struct *tsk,
1538 			    u32 perms)
1539 {
1540 	u32 sid, tsid;
1541 
1542 	sid = current_sid();
1543 	tsid = task_sid(tsk);
1544 	return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1545 }
1546 
1547 #if CAP_LAST_CAP > 63
1548 #error Fix SELinux to handle capabilities > 63.
1549 #endif
1550 
1551 /* Check whether a task is allowed to use a capability. */
1552 static int cred_has_capability(const struct cred *cred,
1553 			       int cap, int audit)
1554 {
1555 	struct common_audit_data ad;
1556 	struct av_decision avd;
1557 	u16 sclass;
1558 	u32 sid = cred_sid(cred);
1559 	u32 av = CAP_TO_MASK(cap);
1560 	int rc;
1561 
1562 	ad.type = LSM_AUDIT_DATA_CAP;
1563 	ad.u.cap = cap;
1564 
1565 	switch (CAP_TO_INDEX(cap)) {
1566 	case 0:
1567 		sclass = SECCLASS_CAPABILITY;
1568 		break;
1569 	case 1:
1570 		sclass = SECCLASS_CAPABILITY2;
1571 		break;
1572 	default:
1573 		printk(KERN_ERR
1574 		       "SELinux:  out of range capability %d\n", cap);
1575 		BUG();
1576 		return -EINVAL;
1577 	}
1578 
1579 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1580 	if (audit == SECURITY_CAP_AUDIT) {
1581 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1582 		if (rc2)
1583 			return rc2;
1584 	}
1585 	return rc;
1586 }
1587 
1588 /* Check whether a task is allowed to use a system operation. */
1589 static int task_has_system(struct task_struct *tsk,
1590 			   u32 perms)
1591 {
1592 	u32 sid = task_sid(tsk);
1593 
1594 	return avc_has_perm(sid, SECINITSID_KERNEL,
1595 			    SECCLASS_SYSTEM, perms, NULL);
1596 }
1597 
1598 /* Check whether a task has a particular permission to an inode.
1599    The 'adp' parameter is optional and allows other audit
1600    data to be passed (e.g. the dentry). */
1601 static int inode_has_perm(const struct cred *cred,
1602 			  struct inode *inode,
1603 			  u32 perms,
1604 			  struct common_audit_data *adp)
1605 {
1606 	struct inode_security_struct *isec;
1607 	u32 sid;
1608 
1609 	validate_creds(cred);
1610 
1611 	if (unlikely(IS_PRIVATE(inode)))
1612 		return 0;
1613 
1614 	sid = cred_sid(cred);
1615 	isec = inode->i_security;
1616 
1617 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1618 }
1619 
1620 /* Same as inode_has_perm, but pass explicit audit data containing
1621    the dentry to help the auditing code to more easily generate the
1622    pathname if needed. */
1623 static inline int dentry_has_perm(const struct cred *cred,
1624 				  struct dentry *dentry,
1625 				  u32 av)
1626 {
1627 	struct inode *inode = dentry->d_inode;
1628 	struct common_audit_data ad;
1629 
1630 	ad.type = LSM_AUDIT_DATA_DENTRY;
1631 	ad.u.dentry = dentry;
1632 	return inode_has_perm(cred, inode, av, &ad);
1633 }
1634 
1635 /* Same as inode_has_perm, but pass explicit audit data containing
1636    the path to help the auditing code to more easily generate the
1637    pathname if needed. */
1638 static inline int path_has_perm(const struct cred *cred,
1639 				struct path *path,
1640 				u32 av)
1641 {
1642 	struct inode *inode = path->dentry->d_inode;
1643 	struct common_audit_data ad;
1644 
1645 	ad.type = LSM_AUDIT_DATA_PATH;
1646 	ad.u.path = *path;
1647 	return inode_has_perm(cred, inode, av, &ad);
1648 }
1649 
1650 /* Same as path_has_perm, but uses the inode from the file struct. */
1651 static inline int file_path_has_perm(const struct cred *cred,
1652 				     struct file *file,
1653 				     u32 av)
1654 {
1655 	struct common_audit_data ad;
1656 
1657 	ad.type = LSM_AUDIT_DATA_PATH;
1658 	ad.u.path = file->f_path;
1659 	return inode_has_perm(cred, file_inode(file), av, &ad);
1660 }
1661 
1662 /* Check whether a task can use an open file descriptor to
1663    access an inode in a given way.  Check access to the
1664    descriptor itself, and then use dentry_has_perm to
1665    check a particular permission to the file.
1666    Access to the descriptor is implicitly granted if it
1667    has the same SID as the process.  If av is zero, then
1668    access to the file is not checked, e.g. for cases
1669    where only the descriptor is affected like seek. */
1670 static int file_has_perm(const struct cred *cred,
1671 			 struct file *file,
1672 			 u32 av)
1673 {
1674 	struct file_security_struct *fsec = file->f_security;
1675 	struct inode *inode = file_inode(file);
1676 	struct common_audit_data ad;
1677 	u32 sid = cred_sid(cred);
1678 	int rc;
1679 
1680 	ad.type = LSM_AUDIT_DATA_PATH;
1681 	ad.u.path = file->f_path;
1682 
1683 	if (sid != fsec->sid) {
1684 		rc = avc_has_perm(sid, fsec->sid,
1685 				  SECCLASS_FD,
1686 				  FD__USE,
1687 				  &ad);
1688 		if (rc)
1689 			goto out;
1690 	}
1691 
1692 	/* av is zero if only checking access to the descriptor. */
1693 	rc = 0;
1694 	if (av)
1695 		rc = inode_has_perm(cred, inode, av, &ad);
1696 
1697 out:
1698 	return rc;
1699 }
1700 
1701 /* Check whether a task can create a file. */
1702 static int may_create(struct inode *dir,
1703 		      struct dentry *dentry,
1704 		      u16 tclass)
1705 {
1706 	const struct task_security_struct *tsec = current_security();
1707 	struct inode_security_struct *dsec;
1708 	struct superblock_security_struct *sbsec;
1709 	u32 sid, newsid;
1710 	struct common_audit_data ad;
1711 	int rc;
1712 
1713 	dsec = dir->i_security;
1714 	sbsec = dir->i_sb->s_security;
1715 
1716 	sid = tsec->sid;
1717 	newsid = tsec->create_sid;
1718 
1719 	ad.type = LSM_AUDIT_DATA_DENTRY;
1720 	ad.u.dentry = dentry;
1721 
1722 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1723 			  DIR__ADD_NAME | DIR__SEARCH,
1724 			  &ad);
1725 	if (rc)
1726 		return rc;
1727 
1728 	if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1729 		rc = security_transition_sid(sid, dsec->sid, tclass,
1730 					     &dentry->d_name, &newsid);
1731 		if (rc)
1732 			return rc;
1733 	}
1734 
1735 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1736 	if (rc)
1737 		return rc;
1738 
1739 	return avc_has_perm(newsid, sbsec->sid,
1740 			    SECCLASS_FILESYSTEM,
1741 			    FILESYSTEM__ASSOCIATE, &ad);
1742 }
1743 
1744 /* Check whether a task can create a key. */
1745 static int may_create_key(u32 ksid,
1746 			  struct task_struct *ctx)
1747 {
1748 	u32 sid = task_sid(ctx);
1749 
1750 	return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1751 }
1752 
1753 #define MAY_LINK	0
1754 #define MAY_UNLINK	1
1755 #define MAY_RMDIR	2
1756 
1757 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1758 static int may_link(struct inode *dir,
1759 		    struct dentry *dentry,
1760 		    int kind)
1761 
1762 {
1763 	struct inode_security_struct *dsec, *isec;
1764 	struct common_audit_data ad;
1765 	u32 sid = current_sid();
1766 	u32 av;
1767 	int rc;
1768 
1769 	dsec = dir->i_security;
1770 	isec = dentry->d_inode->i_security;
1771 
1772 	ad.type = LSM_AUDIT_DATA_DENTRY;
1773 	ad.u.dentry = dentry;
1774 
1775 	av = DIR__SEARCH;
1776 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1777 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1778 	if (rc)
1779 		return rc;
1780 
1781 	switch (kind) {
1782 	case MAY_LINK:
1783 		av = FILE__LINK;
1784 		break;
1785 	case MAY_UNLINK:
1786 		av = FILE__UNLINK;
1787 		break;
1788 	case MAY_RMDIR:
1789 		av = DIR__RMDIR;
1790 		break;
1791 	default:
1792 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1793 			__func__, kind);
1794 		return 0;
1795 	}
1796 
1797 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1798 	return rc;
1799 }
1800 
1801 static inline int may_rename(struct inode *old_dir,
1802 			     struct dentry *old_dentry,
1803 			     struct inode *new_dir,
1804 			     struct dentry *new_dentry)
1805 {
1806 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1807 	struct common_audit_data ad;
1808 	u32 sid = current_sid();
1809 	u32 av;
1810 	int old_is_dir, new_is_dir;
1811 	int rc;
1812 
1813 	old_dsec = old_dir->i_security;
1814 	old_isec = old_dentry->d_inode->i_security;
1815 	old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1816 	new_dsec = new_dir->i_security;
1817 
1818 	ad.type = LSM_AUDIT_DATA_DENTRY;
1819 
1820 	ad.u.dentry = old_dentry;
1821 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1822 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1823 	if (rc)
1824 		return rc;
1825 	rc = avc_has_perm(sid, old_isec->sid,
1826 			  old_isec->sclass, FILE__RENAME, &ad);
1827 	if (rc)
1828 		return rc;
1829 	if (old_is_dir && new_dir != old_dir) {
1830 		rc = avc_has_perm(sid, old_isec->sid,
1831 				  old_isec->sclass, DIR__REPARENT, &ad);
1832 		if (rc)
1833 			return rc;
1834 	}
1835 
1836 	ad.u.dentry = new_dentry;
1837 	av = DIR__ADD_NAME | DIR__SEARCH;
1838 	if (new_dentry->d_inode)
1839 		av |= DIR__REMOVE_NAME;
1840 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1841 	if (rc)
1842 		return rc;
1843 	if (new_dentry->d_inode) {
1844 		new_isec = new_dentry->d_inode->i_security;
1845 		new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1846 		rc = avc_has_perm(sid, new_isec->sid,
1847 				  new_isec->sclass,
1848 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1849 		if (rc)
1850 			return rc;
1851 	}
1852 
1853 	return 0;
1854 }
1855 
1856 /* Check whether a task can perform a filesystem operation. */
1857 static int superblock_has_perm(const struct cred *cred,
1858 			       struct super_block *sb,
1859 			       u32 perms,
1860 			       struct common_audit_data *ad)
1861 {
1862 	struct superblock_security_struct *sbsec;
1863 	u32 sid = cred_sid(cred);
1864 
1865 	sbsec = sb->s_security;
1866 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1867 }
1868 
1869 /* Convert a Linux mode and permission mask to an access vector. */
1870 static inline u32 file_mask_to_av(int mode, int mask)
1871 {
1872 	u32 av = 0;
1873 
1874 	if (!S_ISDIR(mode)) {
1875 		if (mask & MAY_EXEC)
1876 			av |= FILE__EXECUTE;
1877 		if (mask & MAY_READ)
1878 			av |= FILE__READ;
1879 
1880 		if (mask & MAY_APPEND)
1881 			av |= FILE__APPEND;
1882 		else if (mask & MAY_WRITE)
1883 			av |= FILE__WRITE;
1884 
1885 	} else {
1886 		if (mask & MAY_EXEC)
1887 			av |= DIR__SEARCH;
1888 		if (mask & MAY_WRITE)
1889 			av |= DIR__WRITE;
1890 		if (mask & MAY_READ)
1891 			av |= DIR__READ;
1892 	}
1893 
1894 	return av;
1895 }
1896 
1897 /* Convert a Linux file to an access vector. */
1898 static inline u32 file_to_av(struct file *file)
1899 {
1900 	u32 av = 0;
1901 
1902 	if (file->f_mode & FMODE_READ)
1903 		av |= FILE__READ;
1904 	if (file->f_mode & FMODE_WRITE) {
1905 		if (file->f_flags & O_APPEND)
1906 			av |= FILE__APPEND;
1907 		else
1908 			av |= FILE__WRITE;
1909 	}
1910 	if (!av) {
1911 		/*
1912 		 * Special file opened with flags 3 for ioctl-only use.
1913 		 */
1914 		av = FILE__IOCTL;
1915 	}
1916 
1917 	return av;
1918 }
1919 
1920 /*
1921  * Convert a file to an access vector and include the correct open
1922  * open permission.
1923  */
1924 static inline u32 open_file_to_av(struct file *file)
1925 {
1926 	u32 av = file_to_av(file);
1927 
1928 	if (selinux_policycap_openperm)
1929 		av |= FILE__OPEN;
1930 
1931 	return av;
1932 }
1933 
1934 /* Hook functions begin here. */
1935 
1936 static int selinux_ptrace_access_check(struct task_struct *child,
1937 				     unsigned int mode)
1938 {
1939 	int rc;
1940 
1941 	rc = cap_ptrace_access_check(child, mode);
1942 	if (rc)
1943 		return rc;
1944 
1945 	if (mode & PTRACE_MODE_READ) {
1946 		u32 sid = current_sid();
1947 		u32 csid = task_sid(child);
1948 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1949 	}
1950 
1951 	return current_has_perm(child, PROCESS__PTRACE);
1952 }
1953 
1954 static int selinux_ptrace_traceme(struct task_struct *parent)
1955 {
1956 	int rc;
1957 
1958 	rc = cap_ptrace_traceme(parent);
1959 	if (rc)
1960 		return rc;
1961 
1962 	return task_has_perm(parent, current, PROCESS__PTRACE);
1963 }
1964 
1965 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1966 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
1967 {
1968 	int error;
1969 
1970 	error = current_has_perm(target, PROCESS__GETCAP);
1971 	if (error)
1972 		return error;
1973 
1974 	return cap_capget(target, effective, inheritable, permitted);
1975 }
1976 
1977 static int selinux_capset(struct cred *new, const struct cred *old,
1978 			  const kernel_cap_t *effective,
1979 			  const kernel_cap_t *inheritable,
1980 			  const kernel_cap_t *permitted)
1981 {
1982 	int error;
1983 
1984 	error = cap_capset(new, old,
1985 				      effective, inheritable, permitted);
1986 	if (error)
1987 		return error;
1988 
1989 	return cred_has_perm(old, new, PROCESS__SETCAP);
1990 }
1991 
1992 /*
1993  * (This comment used to live with the selinux_task_setuid hook,
1994  * which was removed).
1995  *
1996  * Since setuid only affects the current process, and since the SELinux
1997  * controls are not based on the Linux identity attributes, SELinux does not
1998  * need to control this operation.  However, SELinux does control the use of
1999  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2000  */
2001 
2002 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2003 			   int cap, int audit)
2004 {
2005 	int rc;
2006 
2007 	rc = cap_capable(cred, ns, cap, audit);
2008 	if (rc)
2009 		return rc;
2010 
2011 	return cred_has_capability(cred, cap, audit);
2012 }
2013 
2014 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2015 {
2016 	const struct cred *cred = current_cred();
2017 	int rc = 0;
2018 
2019 	if (!sb)
2020 		return 0;
2021 
2022 	switch (cmds) {
2023 	case Q_SYNC:
2024 	case Q_QUOTAON:
2025 	case Q_QUOTAOFF:
2026 	case Q_SETINFO:
2027 	case Q_SETQUOTA:
2028 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2029 		break;
2030 	case Q_GETFMT:
2031 	case Q_GETINFO:
2032 	case Q_GETQUOTA:
2033 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2034 		break;
2035 	default:
2036 		rc = 0;  /* let the kernel handle invalid cmds */
2037 		break;
2038 	}
2039 	return rc;
2040 }
2041 
2042 static int selinux_quota_on(struct dentry *dentry)
2043 {
2044 	const struct cred *cred = current_cred();
2045 
2046 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2047 }
2048 
2049 static int selinux_syslog(int type)
2050 {
2051 	int rc;
2052 
2053 	switch (type) {
2054 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2055 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2056 		rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2057 		break;
2058 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2059 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2060 	/* Set level of messages printed to console */
2061 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2062 		rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2063 		break;
2064 	case SYSLOG_ACTION_CLOSE:	/* Close log */
2065 	case SYSLOG_ACTION_OPEN:	/* Open log */
2066 	case SYSLOG_ACTION_READ:	/* Read from log */
2067 	case SYSLOG_ACTION_READ_CLEAR:	/* Read/clear last kernel messages */
2068 	case SYSLOG_ACTION_CLEAR:	/* Clear ring buffer */
2069 	default:
2070 		rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2071 		break;
2072 	}
2073 	return rc;
2074 }
2075 
2076 /*
2077  * Check that a process has enough memory to allocate a new virtual
2078  * mapping. 0 means there is enough memory for the allocation to
2079  * succeed and -ENOMEM implies there is not.
2080  *
2081  * Do not audit the selinux permission check, as this is applied to all
2082  * processes that allocate mappings.
2083  */
2084 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2085 {
2086 	int rc, cap_sys_admin = 0;
2087 
2088 	rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2089 			     SECURITY_CAP_NOAUDIT);
2090 	if (rc == 0)
2091 		cap_sys_admin = 1;
2092 
2093 	return __vm_enough_memory(mm, pages, cap_sys_admin);
2094 }
2095 
2096 /* binprm security operations */
2097 
2098 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2099 			    const struct task_security_struct *old_tsec,
2100 			    const struct task_security_struct *new_tsec)
2101 {
2102 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2103 	int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2104 	int rc;
2105 
2106 	if (!nnp && !nosuid)
2107 		return 0; /* neither NNP nor nosuid */
2108 
2109 	if (new_tsec->sid == old_tsec->sid)
2110 		return 0; /* No change in credentials */
2111 
2112 	/*
2113 	 * The only transitions we permit under NNP or nosuid
2114 	 * are transitions to bounded SIDs, i.e. SIDs that are
2115 	 * guaranteed to only be allowed a subset of the permissions
2116 	 * of the current SID.
2117 	 */
2118 	rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2119 	if (rc) {
2120 		/*
2121 		 * On failure, preserve the errno values for NNP vs nosuid.
2122 		 * NNP:  Operation not permitted for caller.
2123 		 * nosuid:  Permission denied to file.
2124 		 */
2125 		if (nnp)
2126 			return -EPERM;
2127 		else
2128 			return -EACCES;
2129 	}
2130 	return 0;
2131 }
2132 
2133 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2134 {
2135 	const struct task_security_struct *old_tsec;
2136 	struct task_security_struct *new_tsec;
2137 	struct inode_security_struct *isec;
2138 	struct common_audit_data ad;
2139 	struct inode *inode = file_inode(bprm->file);
2140 	int rc;
2141 
2142 	rc = cap_bprm_set_creds(bprm);
2143 	if (rc)
2144 		return rc;
2145 
2146 	/* SELinux context only depends on initial program or script and not
2147 	 * the script interpreter */
2148 	if (bprm->cred_prepared)
2149 		return 0;
2150 
2151 	old_tsec = current_security();
2152 	new_tsec = bprm->cred->security;
2153 	isec = inode->i_security;
2154 
2155 	/* Default to the current task SID. */
2156 	new_tsec->sid = old_tsec->sid;
2157 	new_tsec->osid = old_tsec->sid;
2158 
2159 	/* Reset fs, key, and sock SIDs on execve. */
2160 	new_tsec->create_sid = 0;
2161 	new_tsec->keycreate_sid = 0;
2162 	new_tsec->sockcreate_sid = 0;
2163 
2164 	if (old_tsec->exec_sid) {
2165 		new_tsec->sid = old_tsec->exec_sid;
2166 		/* Reset exec SID on execve. */
2167 		new_tsec->exec_sid = 0;
2168 
2169 		/* Fail on NNP or nosuid if not an allowed transition. */
2170 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2171 		if (rc)
2172 			return rc;
2173 	} else {
2174 		/* Check for a default transition on this program. */
2175 		rc = security_transition_sid(old_tsec->sid, isec->sid,
2176 					     SECCLASS_PROCESS, NULL,
2177 					     &new_tsec->sid);
2178 		if (rc)
2179 			return rc;
2180 
2181 		/*
2182 		 * Fallback to old SID on NNP or nosuid if not an allowed
2183 		 * transition.
2184 		 */
2185 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2186 		if (rc)
2187 			new_tsec->sid = old_tsec->sid;
2188 	}
2189 
2190 	ad.type = LSM_AUDIT_DATA_PATH;
2191 	ad.u.path = bprm->file->f_path;
2192 
2193 	if (new_tsec->sid == old_tsec->sid) {
2194 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2195 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2196 		if (rc)
2197 			return rc;
2198 	} else {
2199 		/* Check permissions for the transition. */
2200 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2201 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2202 		if (rc)
2203 			return rc;
2204 
2205 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2206 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2207 		if (rc)
2208 			return rc;
2209 
2210 		/* Check for shared state */
2211 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2212 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2213 					  SECCLASS_PROCESS, PROCESS__SHARE,
2214 					  NULL);
2215 			if (rc)
2216 				return -EPERM;
2217 		}
2218 
2219 		/* Make sure that anyone attempting to ptrace over a task that
2220 		 * changes its SID has the appropriate permit */
2221 		if (bprm->unsafe &
2222 		    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2223 			struct task_struct *tracer;
2224 			struct task_security_struct *sec;
2225 			u32 ptsid = 0;
2226 
2227 			rcu_read_lock();
2228 			tracer = ptrace_parent(current);
2229 			if (likely(tracer != NULL)) {
2230 				sec = __task_cred(tracer)->security;
2231 				ptsid = sec->sid;
2232 			}
2233 			rcu_read_unlock();
2234 
2235 			if (ptsid != 0) {
2236 				rc = avc_has_perm(ptsid, new_tsec->sid,
2237 						  SECCLASS_PROCESS,
2238 						  PROCESS__PTRACE, NULL);
2239 				if (rc)
2240 					return -EPERM;
2241 			}
2242 		}
2243 
2244 		/* Clear any possibly unsafe personality bits on exec: */
2245 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2246 	}
2247 
2248 	return 0;
2249 }
2250 
2251 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2252 {
2253 	const struct task_security_struct *tsec = current_security();
2254 	u32 sid, osid;
2255 	int atsecure = 0;
2256 
2257 	sid = tsec->sid;
2258 	osid = tsec->osid;
2259 
2260 	if (osid != sid) {
2261 		/* Enable secure mode for SIDs transitions unless
2262 		   the noatsecure permission is granted between
2263 		   the two SIDs, i.e. ahp returns 0. */
2264 		atsecure = avc_has_perm(osid, sid,
2265 					SECCLASS_PROCESS,
2266 					PROCESS__NOATSECURE, NULL);
2267 	}
2268 
2269 	return (atsecure || cap_bprm_secureexec(bprm));
2270 }
2271 
2272 static int match_file(const void *p, struct file *file, unsigned fd)
2273 {
2274 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2275 }
2276 
2277 /* Derived from fs/exec.c:flush_old_files. */
2278 static inline void flush_unauthorized_files(const struct cred *cred,
2279 					    struct files_struct *files)
2280 {
2281 	struct file *file, *devnull = NULL;
2282 	struct tty_struct *tty;
2283 	int drop_tty = 0;
2284 	unsigned n;
2285 
2286 	tty = get_current_tty();
2287 	if (tty) {
2288 		spin_lock(&tty_files_lock);
2289 		if (!list_empty(&tty->tty_files)) {
2290 			struct tty_file_private *file_priv;
2291 
2292 			/* Revalidate access to controlling tty.
2293 			   Use file_path_has_perm on the tty path directly
2294 			   rather than using file_has_perm, as this particular
2295 			   open file may belong to another process and we are
2296 			   only interested in the inode-based check here. */
2297 			file_priv = list_first_entry(&tty->tty_files,
2298 						struct tty_file_private, list);
2299 			file = file_priv->file;
2300 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2301 				drop_tty = 1;
2302 		}
2303 		spin_unlock(&tty_files_lock);
2304 		tty_kref_put(tty);
2305 	}
2306 	/* Reset controlling tty. */
2307 	if (drop_tty)
2308 		no_tty();
2309 
2310 	/* Revalidate access to inherited open files. */
2311 	n = iterate_fd(files, 0, match_file, cred);
2312 	if (!n) /* none found? */
2313 		return;
2314 
2315 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2316 	if (IS_ERR(devnull))
2317 		devnull = NULL;
2318 	/* replace all the matching ones with this */
2319 	do {
2320 		replace_fd(n - 1, devnull, 0);
2321 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2322 	if (devnull)
2323 		fput(devnull);
2324 }
2325 
2326 /*
2327  * Prepare a process for imminent new credential changes due to exec
2328  */
2329 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2330 {
2331 	struct task_security_struct *new_tsec;
2332 	struct rlimit *rlim, *initrlim;
2333 	int rc, i;
2334 
2335 	new_tsec = bprm->cred->security;
2336 	if (new_tsec->sid == new_tsec->osid)
2337 		return;
2338 
2339 	/* Close files for which the new task SID is not authorized. */
2340 	flush_unauthorized_files(bprm->cred, current->files);
2341 
2342 	/* Always clear parent death signal on SID transitions. */
2343 	current->pdeath_signal = 0;
2344 
2345 	/* Check whether the new SID can inherit resource limits from the old
2346 	 * SID.  If not, reset all soft limits to the lower of the current
2347 	 * task's hard limit and the init task's soft limit.
2348 	 *
2349 	 * Note that the setting of hard limits (even to lower them) can be
2350 	 * controlled by the setrlimit check.  The inclusion of the init task's
2351 	 * soft limit into the computation is to avoid resetting soft limits
2352 	 * higher than the default soft limit for cases where the default is
2353 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2354 	 */
2355 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2356 			  PROCESS__RLIMITINH, NULL);
2357 	if (rc) {
2358 		/* protect against do_prlimit() */
2359 		task_lock(current);
2360 		for (i = 0; i < RLIM_NLIMITS; i++) {
2361 			rlim = current->signal->rlim + i;
2362 			initrlim = init_task.signal->rlim + i;
2363 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2364 		}
2365 		task_unlock(current);
2366 		update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2367 	}
2368 }
2369 
2370 /*
2371  * Clean up the process immediately after the installation of new credentials
2372  * due to exec
2373  */
2374 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2375 {
2376 	const struct task_security_struct *tsec = current_security();
2377 	struct itimerval itimer;
2378 	u32 osid, sid;
2379 	int rc, i;
2380 
2381 	osid = tsec->osid;
2382 	sid = tsec->sid;
2383 
2384 	if (sid == osid)
2385 		return;
2386 
2387 	/* Check whether the new SID can inherit signal state from the old SID.
2388 	 * If not, clear itimers to avoid subsequent signal generation and
2389 	 * flush and unblock signals.
2390 	 *
2391 	 * This must occur _after_ the task SID has been updated so that any
2392 	 * kill done after the flush will be checked against the new SID.
2393 	 */
2394 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2395 	if (rc) {
2396 		memset(&itimer, 0, sizeof itimer);
2397 		for (i = 0; i < 3; i++)
2398 			do_setitimer(i, &itimer, NULL);
2399 		spin_lock_irq(&current->sighand->siglock);
2400 		if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2401 			__flush_signals(current);
2402 			flush_signal_handlers(current, 1);
2403 			sigemptyset(&current->blocked);
2404 		}
2405 		spin_unlock_irq(&current->sighand->siglock);
2406 	}
2407 
2408 	/* Wake up the parent if it is waiting so that it can recheck
2409 	 * wait permission to the new task SID. */
2410 	read_lock(&tasklist_lock);
2411 	__wake_up_parent(current, current->real_parent);
2412 	read_unlock(&tasklist_lock);
2413 }
2414 
2415 /* superblock security operations */
2416 
2417 static int selinux_sb_alloc_security(struct super_block *sb)
2418 {
2419 	return superblock_alloc_security(sb);
2420 }
2421 
2422 static void selinux_sb_free_security(struct super_block *sb)
2423 {
2424 	superblock_free_security(sb);
2425 }
2426 
2427 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2428 {
2429 	if (plen > olen)
2430 		return 0;
2431 
2432 	return !memcmp(prefix, option, plen);
2433 }
2434 
2435 static inline int selinux_option(char *option, int len)
2436 {
2437 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2438 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2439 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2440 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2441 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2442 }
2443 
2444 static inline void take_option(char **to, char *from, int *first, int len)
2445 {
2446 	if (!*first) {
2447 		**to = ',';
2448 		*to += 1;
2449 	} else
2450 		*first = 0;
2451 	memcpy(*to, from, len);
2452 	*to += len;
2453 }
2454 
2455 static inline void take_selinux_option(char **to, char *from, int *first,
2456 				       int len)
2457 {
2458 	int current_size = 0;
2459 
2460 	if (!*first) {
2461 		**to = '|';
2462 		*to += 1;
2463 	} else
2464 		*first = 0;
2465 
2466 	while (current_size < len) {
2467 		if (*from != '"') {
2468 			**to = *from;
2469 			*to += 1;
2470 		}
2471 		from += 1;
2472 		current_size += 1;
2473 	}
2474 }
2475 
2476 static int selinux_sb_copy_data(char *orig, char *copy)
2477 {
2478 	int fnosec, fsec, rc = 0;
2479 	char *in_save, *in_curr, *in_end;
2480 	char *sec_curr, *nosec_save, *nosec;
2481 	int open_quote = 0;
2482 
2483 	in_curr = orig;
2484 	sec_curr = copy;
2485 
2486 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2487 	if (!nosec) {
2488 		rc = -ENOMEM;
2489 		goto out;
2490 	}
2491 
2492 	nosec_save = nosec;
2493 	fnosec = fsec = 1;
2494 	in_save = in_end = orig;
2495 
2496 	do {
2497 		if (*in_end == '"')
2498 			open_quote = !open_quote;
2499 		if ((*in_end == ',' && open_quote == 0) ||
2500 				*in_end == '\0') {
2501 			int len = in_end - in_curr;
2502 
2503 			if (selinux_option(in_curr, len))
2504 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2505 			else
2506 				take_option(&nosec, in_curr, &fnosec, len);
2507 
2508 			in_curr = in_end + 1;
2509 		}
2510 	} while (*in_end++);
2511 
2512 	strcpy(in_save, nosec_save);
2513 	free_page((unsigned long)nosec_save);
2514 out:
2515 	return rc;
2516 }
2517 
2518 static int selinux_sb_remount(struct super_block *sb, void *data)
2519 {
2520 	int rc, i, *flags;
2521 	struct security_mnt_opts opts;
2522 	char *secdata, **mount_options;
2523 	struct superblock_security_struct *sbsec = sb->s_security;
2524 
2525 	if (!(sbsec->flags & SE_SBINITIALIZED))
2526 		return 0;
2527 
2528 	if (!data)
2529 		return 0;
2530 
2531 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2532 		return 0;
2533 
2534 	security_init_mnt_opts(&opts);
2535 	secdata = alloc_secdata();
2536 	if (!secdata)
2537 		return -ENOMEM;
2538 	rc = selinux_sb_copy_data(data, secdata);
2539 	if (rc)
2540 		goto out_free_secdata;
2541 
2542 	rc = selinux_parse_opts_str(secdata, &opts);
2543 	if (rc)
2544 		goto out_free_secdata;
2545 
2546 	mount_options = opts.mnt_opts;
2547 	flags = opts.mnt_opts_flags;
2548 
2549 	for (i = 0; i < opts.num_mnt_opts; i++) {
2550 		u32 sid;
2551 		size_t len;
2552 
2553 		if (flags[i] == SBLABEL_MNT)
2554 			continue;
2555 		len = strlen(mount_options[i]);
2556 		rc = security_context_to_sid(mount_options[i], len, &sid,
2557 					     GFP_KERNEL);
2558 		if (rc) {
2559 			printk(KERN_WARNING "SELinux: security_context_to_sid"
2560 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2561 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2562 			goto out_free_opts;
2563 		}
2564 		rc = -EINVAL;
2565 		switch (flags[i]) {
2566 		case FSCONTEXT_MNT:
2567 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2568 				goto out_bad_option;
2569 			break;
2570 		case CONTEXT_MNT:
2571 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2572 				goto out_bad_option;
2573 			break;
2574 		case ROOTCONTEXT_MNT: {
2575 			struct inode_security_struct *root_isec;
2576 			root_isec = sb->s_root->d_inode->i_security;
2577 
2578 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2579 				goto out_bad_option;
2580 			break;
2581 		}
2582 		case DEFCONTEXT_MNT:
2583 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2584 				goto out_bad_option;
2585 			break;
2586 		default:
2587 			goto out_free_opts;
2588 		}
2589 	}
2590 
2591 	rc = 0;
2592 out_free_opts:
2593 	security_free_mnt_opts(&opts);
2594 out_free_secdata:
2595 	free_secdata(secdata);
2596 	return rc;
2597 out_bad_option:
2598 	printk(KERN_WARNING "SELinux: unable to change security options "
2599 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2600 	       sb->s_type->name);
2601 	goto out_free_opts;
2602 }
2603 
2604 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2605 {
2606 	const struct cred *cred = current_cred();
2607 	struct common_audit_data ad;
2608 	int rc;
2609 
2610 	rc = superblock_doinit(sb, data);
2611 	if (rc)
2612 		return rc;
2613 
2614 	/* Allow all mounts performed by the kernel */
2615 	if (flags & MS_KERNMOUNT)
2616 		return 0;
2617 
2618 	ad.type = LSM_AUDIT_DATA_DENTRY;
2619 	ad.u.dentry = sb->s_root;
2620 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2621 }
2622 
2623 static int selinux_sb_statfs(struct dentry *dentry)
2624 {
2625 	const struct cred *cred = current_cred();
2626 	struct common_audit_data ad;
2627 
2628 	ad.type = LSM_AUDIT_DATA_DENTRY;
2629 	ad.u.dentry = dentry->d_sb->s_root;
2630 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2631 }
2632 
2633 static int selinux_mount(const char *dev_name,
2634 			 struct path *path,
2635 			 const char *type,
2636 			 unsigned long flags,
2637 			 void *data)
2638 {
2639 	const struct cred *cred = current_cred();
2640 
2641 	if (flags & MS_REMOUNT)
2642 		return superblock_has_perm(cred, path->dentry->d_sb,
2643 					   FILESYSTEM__REMOUNT, NULL);
2644 	else
2645 		return path_has_perm(cred, path, FILE__MOUNTON);
2646 }
2647 
2648 static int selinux_umount(struct vfsmount *mnt, int flags)
2649 {
2650 	const struct cred *cred = current_cred();
2651 
2652 	return superblock_has_perm(cred, mnt->mnt_sb,
2653 				   FILESYSTEM__UNMOUNT, NULL);
2654 }
2655 
2656 /* inode security operations */
2657 
2658 static int selinux_inode_alloc_security(struct inode *inode)
2659 {
2660 	return inode_alloc_security(inode);
2661 }
2662 
2663 static void selinux_inode_free_security(struct inode *inode)
2664 {
2665 	inode_free_security(inode);
2666 }
2667 
2668 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2669 					struct qstr *name, void **ctx,
2670 					u32 *ctxlen)
2671 {
2672 	const struct cred *cred = current_cred();
2673 	struct task_security_struct *tsec;
2674 	struct inode_security_struct *dsec;
2675 	struct superblock_security_struct *sbsec;
2676 	struct inode *dir = dentry->d_parent->d_inode;
2677 	u32 newsid;
2678 	int rc;
2679 
2680 	tsec = cred->security;
2681 	dsec = dir->i_security;
2682 	sbsec = dir->i_sb->s_security;
2683 
2684 	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2685 		newsid = tsec->create_sid;
2686 	} else {
2687 		rc = security_transition_sid(tsec->sid, dsec->sid,
2688 					     inode_mode_to_security_class(mode),
2689 					     name,
2690 					     &newsid);
2691 		if (rc) {
2692 			printk(KERN_WARNING
2693 				"%s: security_transition_sid failed, rc=%d\n",
2694 			       __func__, -rc);
2695 			return rc;
2696 		}
2697 	}
2698 
2699 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2700 }
2701 
2702 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2703 				       const struct qstr *qstr,
2704 				       const char **name,
2705 				       void **value, size_t *len)
2706 {
2707 	const struct task_security_struct *tsec = current_security();
2708 	struct inode_security_struct *dsec;
2709 	struct superblock_security_struct *sbsec;
2710 	u32 sid, newsid, clen;
2711 	int rc;
2712 	char *context;
2713 
2714 	dsec = dir->i_security;
2715 	sbsec = dir->i_sb->s_security;
2716 
2717 	sid = tsec->sid;
2718 	newsid = tsec->create_sid;
2719 
2720 	if ((sbsec->flags & SE_SBINITIALIZED) &&
2721 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2722 		newsid = sbsec->mntpoint_sid;
2723 	else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2724 		rc = security_transition_sid(sid, dsec->sid,
2725 					     inode_mode_to_security_class(inode->i_mode),
2726 					     qstr, &newsid);
2727 		if (rc) {
2728 			printk(KERN_WARNING "%s:  "
2729 			       "security_transition_sid failed, rc=%d (dev=%s "
2730 			       "ino=%ld)\n",
2731 			       __func__,
2732 			       -rc, inode->i_sb->s_id, inode->i_ino);
2733 			return rc;
2734 		}
2735 	}
2736 
2737 	/* Possibly defer initialization to selinux_complete_init. */
2738 	if (sbsec->flags & SE_SBINITIALIZED) {
2739 		struct inode_security_struct *isec = inode->i_security;
2740 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2741 		isec->sid = newsid;
2742 		isec->initialized = 1;
2743 	}
2744 
2745 	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2746 		return -EOPNOTSUPP;
2747 
2748 	if (name)
2749 		*name = XATTR_SELINUX_SUFFIX;
2750 
2751 	if (value && len) {
2752 		rc = security_sid_to_context_force(newsid, &context, &clen);
2753 		if (rc)
2754 			return rc;
2755 		*value = context;
2756 		*len = clen;
2757 	}
2758 
2759 	return 0;
2760 }
2761 
2762 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2763 {
2764 	return may_create(dir, dentry, SECCLASS_FILE);
2765 }
2766 
2767 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2768 {
2769 	return may_link(dir, old_dentry, MAY_LINK);
2770 }
2771 
2772 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2773 {
2774 	return may_link(dir, dentry, MAY_UNLINK);
2775 }
2776 
2777 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2778 {
2779 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2780 }
2781 
2782 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2783 {
2784 	return may_create(dir, dentry, SECCLASS_DIR);
2785 }
2786 
2787 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2788 {
2789 	return may_link(dir, dentry, MAY_RMDIR);
2790 }
2791 
2792 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2793 {
2794 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2795 }
2796 
2797 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2798 				struct inode *new_inode, struct dentry *new_dentry)
2799 {
2800 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2801 }
2802 
2803 static int selinux_inode_readlink(struct dentry *dentry)
2804 {
2805 	const struct cred *cred = current_cred();
2806 
2807 	return dentry_has_perm(cred, dentry, FILE__READ);
2808 }
2809 
2810 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2811 {
2812 	const struct cred *cred = current_cred();
2813 
2814 	return dentry_has_perm(cred, dentry, FILE__READ);
2815 }
2816 
2817 static noinline int audit_inode_permission(struct inode *inode,
2818 					   u32 perms, u32 audited, u32 denied,
2819 					   int result,
2820 					   unsigned flags)
2821 {
2822 	struct common_audit_data ad;
2823 	struct inode_security_struct *isec = inode->i_security;
2824 	int rc;
2825 
2826 	ad.type = LSM_AUDIT_DATA_INODE;
2827 	ad.u.inode = inode;
2828 
2829 	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2830 			    audited, denied, result, &ad, flags);
2831 	if (rc)
2832 		return rc;
2833 	return 0;
2834 }
2835 
2836 static int selinux_inode_permission(struct inode *inode, int mask)
2837 {
2838 	const struct cred *cred = current_cred();
2839 	u32 perms;
2840 	bool from_access;
2841 	unsigned flags = mask & MAY_NOT_BLOCK;
2842 	struct inode_security_struct *isec;
2843 	u32 sid;
2844 	struct av_decision avd;
2845 	int rc, rc2;
2846 	u32 audited, denied;
2847 
2848 	from_access = mask & MAY_ACCESS;
2849 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2850 
2851 	/* No permission to check.  Existence test. */
2852 	if (!mask)
2853 		return 0;
2854 
2855 	validate_creds(cred);
2856 
2857 	if (unlikely(IS_PRIVATE(inode)))
2858 		return 0;
2859 
2860 	perms = file_mask_to_av(inode->i_mode, mask);
2861 
2862 	sid = cred_sid(cred);
2863 	isec = inode->i_security;
2864 
2865 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2866 	audited = avc_audit_required(perms, &avd, rc,
2867 				     from_access ? FILE__AUDIT_ACCESS : 0,
2868 				     &denied);
2869 	if (likely(!audited))
2870 		return rc;
2871 
2872 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2873 	if (rc2)
2874 		return rc2;
2875 	return rc;
2876 }
2877 
2878 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2879 {
2880 	const struct cred *cred = current_cred();
2881 	unsigned int ia_valid = iattr->ia_valid;
2882 	__u32 av = FILE__WRITE;
2883 
2884 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2885 	if (ia_valid & ATTR_FORCE) {
2886 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2887 			      ATTR_FORCE);
2888 		if (!ia_valid)
2889 			return 0;
2890 	}
2891 
2892 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2893 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2894 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
2895 
2896 	if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2897 		av |= FILE__OPEN;
2898 
2899 	return dentry_has_perm(cred, dentry, av);
2900 }
2901 
2902 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2903 {
2904 	const struct cred *cred = current_cred();
2905 	struct path path;
2906 
2907 	path.dentry = dentry;
2908 	path.mnt = mnt;
2909 
2910 	return path_has_perm(cred, &path, FILE__GETATTR);
2911 }
2912 
2913 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2914 {
2915 	const struct cred *cred = current_cred();
2916 
2917 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
2918 		     sizeof XATTR_SECURITY_PREFIX - 1)) {
2919 		if (!strcmp(name, XATTR_NAME_CAPS)) {
2920 			if (!capable(CAP_SETFCAP))
2921 				return -EPERM;
2922 		} else if (!capable(CAP_SYS_ADMIN)) {
2923 			/* A different attribute in the security namespace.
2924 			   Restrict to administrator. */
2925 			return -EPERM;
2926 		}
2927 	}
2928 
2929 	/* Not an attribute we recognize, so just check the
2930 	   ordinary setattr permission. */
2931 	return dentry_has_perm(cred, dentry, FILE__SETATTR);
2932 }
2933 
2934 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2935 				  const void *value, size_t size, int flags)
2936 {
2937 	struct inode *inode = dentry->d_inode;
2938 	struct inode_security_struct *isec = inode->i_security;
2939 	struct superblock_security_struct *sbsec;
2940 	struct common_audit_data ad;
2941 	u32 newsid, sid = current_sid();
2942 	int rc = 0;
2943 
2944 	if (strcmp(name, XATTR_NAME_SELINUX))
2945 		return selinux_inode_setotherxattr(dentry, name);
2946 
2947 	sbsec = inode->i_sb->s_security;
2948 	if (!(sbsec->flags & SBLABEL_MNT))
2949 		return -EOPNOTSUPP;
2950 
2951 	if (!inode_owner_or_capable(inode))
2952 		return -EPERM;
2953 
2954 	ad.type = LSM_AUDIT_DATA_DENTRY;
2955 	ad.u.dentry = dentry;
2956 
2957 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
2958 			  FILE__RELABELFROM, &ad);
2959 	if (rc)
2960 		return rc;
2961 
2962 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
2963 	if (rc == -EINVAL) {
2964 		if (!capable(CAP_MAC_ADMIN)) {
2965 			struct audit_buffer *ab;
2966 			size_t audit_size;
2967 			const char *str;
2968 
2969 			/* We strip a nul only if it is at the end, otherwise the
2970 			 * context contains a nul and we should audit that */
2971 			if (value) {
2972 				str = value;
2973 				if (str[size - 1] == '\0')
2974 					audit_size = size - 1;
2975 				else
2976 					audit_size = size;
2977 			} else {
2978 				str = "";
2979 				audit_size = 0;
2980 			}
2981 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2982 			audit_log_format(ab, "op=setxattr invalid_context=");
2983 			audit_log_n_untrustedstring(ab, value, audit_size);
2984 			audit_log_end(ab);
2985 
2986 			return rc;
2987 		}
2988 		rc = security_context_to_sid_force(value, size, &newsid);
2989 	}
2990 	if (rc)
2991 		return rc;
2992 
2993 	rc = avc_has_perm(sid, newsid, isec->sclass,
2994 			  FILE__RELABELTO, &ad);
2995 	if (rc)
2996 		return rc;
2997 
2998 	rc = security_validate_transition(isec->sid, newsid, sid,
2999 					  isec->sclass);
3000 	if (rc)
3001 		return rc;
3002 
3003 	return avc_has_perm(newsid,
3004 			    sbsec->sid,
3005 			    SECCLASS_FILESYSTEM,
3006 			    FILESYSTEM__ASSOCIATE,
3007 			    &ad);
3008 }
3009 
3010 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3011 					const void *value, size_t size,
3012 					int flags)
3013 {
3014 	struct inode *inode = dentry->d_inode;
3015 	struct inode_security_struct *isec = inode->i_security;
3016 	u32 newsid;
3017 	int rc;
3018 
3019 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3020 		/* Not an attribute we recognize, so nothing to do. */
3021 		return;
3022 	}
3023 
3024 	rc = security_context_to_sid_force(value, size, &newsid);
3025 	if (rc) {
3026 		printk(KERN_ERR "SELinux:  unable to map context to SID"
3027 		       "for (%s, %lu), rc=%d\n",
3028 		       inode->i_sb->s_id, inode->i_ino, -rc);
3029 		return;
3030 	}
3031 
3032 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3033 	isec->sid = newsid;
3034 	isec->initialized = 1;
3035 
3036 	return;
3037 }
3038 
3039 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3040 {
3041 	const struct cred *cred = current_cred();
3042 
3043 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3044 }
3045 
3046 static int selinux_inode_listxattr(struct dentry *dentry)
3047 {
3048 	const struct cred *cred = current_cred();
3049 
3050 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3051 }
3052 
3053 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3054 {
3055 	if (strcmp(name, XATTR_NAME_SELINUX))
3056 		return selinux_inode_setotherxattr(dentry, name);
3057 
3058 	/* No one is allowed to remove a SELinux security label.
3059 	   You can change the label, but all data must be labeled. */
3060 	return -EACCES;
3061 }
3062 
3063 /*
3064  * Copy the inode security context value to the user.
3065  *
3066  * Permission check is handled by selinux_inode_getxattr hook.
3067  */
3068 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3069 {
3070 	u32 size;
3071 	int error;
3072 	char *context = NULL;
3073 	struct inode_security_struct *isec = inode->i_security;
3074 
3075 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3076 		return -EOPNOTSUPP;
3077 
3078 	/*
3079 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3080 	 * value even if it is not defined by current policy; otherwise,
3081 	 * use the in-core value under current policy.
3082 	 * Use the non-auditing forms of the permission checks since
3083 	 * getxattr may be called by unprivileged processes commonly
3084 	 * and lack of permission just means that we fall back to the
3085 	 * in-core context value, not a denial.
3086 	 */
3087 	error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3088 				SECURITY_CAP_NOAUDIT);
3089 	if (!error)
3090 		error = security_sid_to_context_force(isec->sid, &context,
3091 						      &size);
3092 	else
3093 		error = security_sid_to_context(isec->sid, &context, &size);
3094 	if (error)
3095 		return error;
3096 	error = size;
3097 	if (alloc) {
3098 		*buffer = context;
3099 		goto out_nofree;
3100 	}
3101 	kfree(context);
3102 out_nofree:
3103 	return error;
3104 }
3105 
3106 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3107 				     const void *value, size_t size, int flags)
3108 {
3109 	struct inode_security_struct *isec = inode->i_security;
3110 	u32 newsid;
3111 	int rc;
3112 
3113 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3114 		return -EOPNOTSUPP;
3115 
3116 	if (!value || !size)
3117 		return -EACCES;
3118 
3119 	rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3120 	if (rc)
3121 		return rc;
3122 
3123 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3124 	isec->sid = newsid;
3125 	isec->initialized = 1;
3126 	return 0;
3127 }
3128 
3129 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3130 {
3131 	const int len = sizeof(XATTR_NAME_SELINUX);
3132 	if (buffer && len <= buffer_size)
3133 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3134 	return len;
3135 }
3136 
3137 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3138 {
3139 	struct inode_security_struct *isec = inode->i_security;
3140 	*secid = isec->sid;
3141 }
3142 
3143 /* file security operations */
3144 
3145 static int selinux_revalidate_file_permission(struct file *file, int mask)
3146 {
3147 	const struct cred *cred = current_cred();
3148 	struct inode *inode = file_inode(file);
3149 
3150 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3151 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3152 		mask |= MAY_APPEND;
3153 
3154 	return file_has_perm(cred, file,
3155 			     file_mask_to_av(inode->i_mode, mask));
3156 }
3157 
3158 static int selinux_file_permission(struct file *file, int mask)
3159 {
3160 	struct inode *inode = file_inode(file);
3161 	struct file_security_struct *fsec = file->f_security;
3162 	struct inode_security_struct *isec = inode->i_security;
3163 	u32 sid = current_sid();
3164 
3165 	if (!mask)
3166 		/* No permission to check.  Existence test. */
3167 		return 0;
3168 
3169 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3170 	    fsec->pseqno == avc_policy_seqno())
3171 		/* No change since file_open check. */
3172 		return 0;
3173 
3174 	return selinux_revalidate_file_permission(file, mask);
3175 }
3176 
3177 static int selinux_file_alloc_security(struct file *file)
3178 {
3179 	return file_alloc_security(file);
3180 }
3181 
3182 static void selinux_file_free_security(struct file *file)
3183 {
3184 	file_free_security(file);
3185 }
3186 
3187 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3188 			      unsigned long arg)
3189 {
3190 	const struct cred *cred = current_cred();
3191 	int error = 0;
3192 
3193 	switch (cmd) {
3194 	case FIONREAD:
3195 	/* fall through */
3196 	case FIBMAP:
3197 	/* fall through */
3198 	case FIGETBSZ:
3199 	/* fall through */
3200 	case FS_IOC_GETFLAGS:
3201 	/* fall through */
3202 	case FS_IOC_GETVERSION:
3203 		error = file_has_perm(cred, file, FILE__GETATTR);
3204 		break;
3205 
3206 	case FS_IOC_SETFLAGS:
3207 	/* fall through */
3208 	case FS_IOC_SETVERSION:
3209 		error = file_has_perm(cred, file, FILE__SETATTR);
3210 		break;
3211 
3212 	/* sys_ioctl() checks */
3213 	case FIONBIO:
3214 	/* fall through */
3215 	case FIOASYNC:
3216 		error = file_has_perm(cred, file, 0);
3217 		break;
3218 
3219 	case KDSKBENT:
3220 	case KDSKBSENT:
3221 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3222 					    SECURITY_CAP_AUDIT);
3223 		break;
3224 
3225 	/* default case assumes that the command will go
3226 	 * to the file's ioctl() function.
3227 	 */
3228 	default:
3229 		error = file_has_perm(cred, file, FILE__IOCTL);
3230 	}
3231 	return error;
3232 }
3233 
3234 static int default_noexec;
3235 
3236 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3237 {
3238 	const struct cred *cred = current_cred();
3239 	int rc = 0;
3240 
3241 	if (default_noexec &&
3242 	    (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3243 		/*
3244 		 * We are making executable an anonymous mapping or a
3245 		 * private file mapping that will also be writable.
3246 		 * This has an additional check.
3247 		 */
3248 		rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3249 		if (rc)
3250 			goto error;
3251 	}
3252 
3253 	if (file) {
3254 		/* read access is always possible with a mapping */
3255 		u32 av = FILE__READ;
3256 
3257 		/* write access only matters if the mapping is shared */
3258 		if (shared && (prot & PROT_WRITE))
3259 			av |= FILE__WRITE;
3260 
3261 		if (prot & PROT_EXEC)
3262 			av |= FILE__EXECUTE;
3263 
3264 		return file_has_perm(cred, file, av);
3265 	}
3266 
3267 error:
3268 	return rc;
3269 }
3270 
3271 static int selinux_mmap_addr(unsigned long addr)
3272 {
3273 	int rc;
3274 
3275 	/* do DAC check on address space usage */
3276 	rc = cap_mmap_addr(addr);
3277 	if (rc)
3278 		return rc;
3279 
3280 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3281 		u32 sid = current_sid();
3282 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3283 				  MEMPROTECT__MMAP_ZERO, NULL);
3284 	}
3285 
3286 	return rc;
3287 }
3288 
3289 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3290 			     unsigned long prot, unsigned long flags)
3291 {
3292 	if (selinux_checkreqprot)
3293 		prot = reqprot;
3294 
3295 	return file_map_prot_check(file, prot,
3296 				   (flags & MAP_TYPE) == MAP_SHARED);
3297 }
3298 
3299 static int selinux_file_mprotect(struct vm_area_struct *vma,
3300 				 unsigned long reqprot,
3301 				 unsigned long prot)
3302 {
3303 	const struct cred *cred = current_cred();
3304 
3305 	if (selinux_checkreqprot)
3306 		prot = reqprot;
3307 
3308 	if (default_noexec &&
3309 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3310 		int rc = 0;
3311 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3312 		    vma->vm_end <= vma->vm_mm->brk) {
3313 			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3314 		} else if (!vma->vm_file &&
3315 			   vma->vm_start <= vma->vm_mm->start_stack &&
3316 			   vma->vm_end >= vma->vm_mm->start_stack) {
3317 			rc = current_has_perm(current, PROCESS__EXECSTACK);
3318 		} else if (vma->vm_file && vma->anon_vma) {
3319 			/*
3320 			 * We are making executable a file mapping that has
3321 			 * had some COW done. Since pages might have been
3322 			 * written, check ability to execute the possibly
3323 			 * modified content.  This typically should only
3324 			 * occur for text relocations.
3325 			 */
3326 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3327 		}
3328 		if (rc)
3329 			return rc;
3330 	}
3331 
3332 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3333 }
3334 
3335 static int selinux_file_lock(struct file *file, unsigned int cmd)
3336 {
3337 	const struct cred *cred = current_cred();
3338 
3339 	return file_has_perm(cred, file, FILE__LOCK);
3340 }
3341 
3342 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3343 			      unsigned long arg)
3344 {
3345 	const struct cred *cred = current_cred();
3346 	int err = 0;
3347 
3348 	switch (cmd) {
3349 	case F_SETFL:
3350 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3351 			err = file_has_perm(cred, file, FILE__WRITE);
3352 			break;
3353 		}
3354 		/* fall through */
3355 	case F_SETOWN:
3356 	case F_SETSIG:
3357 	case F_GETFL:
3358 	case F_GETOWN:
3359 	case F_GETSIG:
3360 	case F_GETOWNER_UIDS:
3361 		/* Just check FD__USE permission */
3362 		err = file_has_perm(cred, file, 0);
3363 		break;
3364 	case F_GETLK:
3365 	case F_SETLK:
3366 	case F_SETLKW:
3367 	case F_OFD_GETLK:
3368 	case F_OFD_SETLK:
3369 	case F_OFD_SETLKW:
3370 #if BITS_PER_LONG == 32
3371 	case F_GETLK64:
3372 	case F_SETLK64:
3373 	case F_SETLKW64:
3374 #endif
3375 		err = file_has_perm(cred, file, FILE__LOCK);
3376 		break;
3377 	}
3378 
3379 	return err;
3380 }
3381 
3382 static void selinux_file_set_fowner(struct file *file)
3383 {
3384 	struct file_security_struct *fsec;
3385 
3386 	fsec = file->f_security;
3387 	fsec->fown_sid = current_sid();
3388 }
3389 
3390 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3391 				       struct fown_struct *fown, int signum)
3392 {
3393 	struct file *file;
3394 	u32 sid = task_sid(tsk);
3395 	u32 perm;
3396 	struct file_security_struct *fsec;
3397 
3398 	/* struct fown_struct is never outside the context of a struct file */
3399 	file = container_of(fown, struct file, f_owner);
3400 
3401 	fsec = file->f_security;
3402 
3403 	if (!signum)
3404 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3405 	else
3406 		perm = signal_to_av(signum);
3407 
3408 	return avc_has_perm(fsec->fown_sid, sid,
3409 			    SECCLASS_PROCESS, perm, NULL);
3410 }
3411 
3412 static int selinux_file_receive(struct file *file)
3413 {
3414 	const struct cred *cred = current_cred();
3415 
3416 	return file_has_perm(cred, file, file_to_av(file));
3417 }
3418 
3419 static int selinux_file_open(struct file *file, const struct cred *cred)
3420 {
3421 	struct file_security_struct *fsec;
3422 	struct inode_security_struct *isec;
3423 
3424 	fsec = file->f_security;
3425 	isec = file_inode(file)->i_security;
3426 	/*
3427 	 * Save inode label and policy sequence number
3428 	 * at open-time so that selinux_file_permission
3429 	 * can determine whether revalidation is necessary.
3430 	 * Task label is already saved in the file security
3431 	 * struct as its SID.
3432 	 */
3433 	fsec->isid = isec->sid;
3434 	fsec->pseqno = avc_policy_seqno();
3435 	/*
3436 	 * Since the inode label or policy seqno may have changed
3437 	 * between the selinux_inode_permission check and the saving
3438 	 * of state above, recheck that access is still permitted.
3439 	 * Otherwise, access might never be revalidated against the
3440 	 * new inode label or new policy.
3441 	 * This check is not redundant - do not remove.
3442 	 */
3443 	return file_path_has_perm(cred, file, open_file_to_av(file));
3444 }
3445 
3446 /* task security operations */
3447 
3448 static int selinux_task_create(unsigned long clone_flags)
3449 {
3450 	return current_has_perm(current, PROCESS__FORK);
3451 }
3452 
3453 /*
3454  * allocate the SELinux part of blank credentials
3455  */
3456 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3457 {
3458 	struct task_security_struct *tsec;
3459 
3460 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3461 	if (!tsec)
3462 		return -ENOMEM;
3463 
3464 	cred->security = tsec;
3465 	return 0;
3466 }
3467 
3468 /*
3469  * detach and free the LSM part of a set of credentials
3470  */
3471 static void selinux_cred_free(struct cred *cred)
3472 {
3473 	struct task_security_struct *tsec = cred->security;
3474 
3475 	/*
3476 	 * cred->security == NULL if security_cred_alloc_blank() or
3477 	 * security_prepare_creds() returned an error.
3478 	 */
3479 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3480 	cred->security = (void *) 0x7UL;
3481 	kfree(tsec);
3482 }
3483 
3484 /*
3485  * prepare a new set of credentials for modification
3486  */
3487 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3488 				gfp_t gfp)
3489 {
3490 	const struct task_security_struct *old_tsec;
3491 	struct task_security_struct *tsec;
3492 
3493 	old_tsec = old->security;
3494 
3495 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3496 	if (!tsec)
3497 		return -ENOMEM;
3498 
3499 	new->security = tsec;
3500 	return 0;
3501 }
3502 
3503 /*
3504  * transfer the SELinux data to a blank set of creds
3505  */
3506 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3507 {
3508 	const struct task_security_struct *old_tsec = old->security;
3509 	struct task_security_struct *tsec = new->security;
3510 
3511 	*tsec = *old_tsec;
3512 }
3513 
3514 /*
3515  * set the security data for a kernel service
3516  * - all the creation contexts are set to unlabelled
3517  */
3518 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3519 {
3520 	struct task_security_struct *tsec = new->security;
3521 	u32 sid = current_sid();
3522 	int ret;
3523 
3524 	ret = avc_has_perm(sid, secid,
3525 			   SECCLASS_KERNEL_SERVICE,
3526 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3527 			   NULL);
3528 	if (ret == 0) {
3529 		tsec->sid = secid;
3530 		tsec->create_sid = 0;
3531 		tsec->keycreate_sid = 0;
3532 		tsec->sockcreate_sid = 0;
3533 	}
3534 	return ret;
3535 }
3536 
3537 /*
3538  * set the file creation context in a security record to the same as the
3539  * objective context of the specified inode
3540  */
3541 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3542 {
3543 	struct inode_security_struct *isec = inode->i_security;
3544 	struct task_security_struct *tsec = new->security;
3545 	u32 sid = current_sid();
3546 	int ret;
3547 
3548 	ret = avc_has_perm(sid, isec->sid,
3549 			   SECCLASS_KERNEL_SERVICE,
3550 			   KERNEL_SERVICE__CREATE_FILES_AS,
3551 			   NULL);
3552 
3553 	if (ret == 0)
3554 		tsec->create_sid = isec->sid;
3555 	return ret;
3556 }
3557 
3558 static int selinux_kernel_module_request(char *kmod_name)
3559 {
3560 	u32 sid;
3561 	struct common_audit_data ad;
3562 
3563 	sid = task_sid(current);
3564 
3565 	ad.type = LSM_AUDIT_DATA_KMOD;
3566 	ad.u.kmod_name = kmod_name;
3567 
3568 	return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3569 			    SYSTEM__MODULE_REQUEST, &ad);
3570 }
3571 
3572 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3573 {
3574 	return current_has_perm(p, PROCESS__SETPGID);
3575 }
3576 
3577 static int selinux_task_getpgid(struct task_struct *p)
3578 {
3579 	return current_has_perm(p, PROCESS__GETPGID);
3580 }
3581 
3582 static int selinux_task_getsid(struct task_struct *p)
3583 {
3584 	return current_has_perm(p, PROCESS__GETSESSION);
3585 }
3586 
3587 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3588 {
3589 	*secid = task_sid(p);
3590 }
3591 
3592 static int selinux_task_setnice(struct task_struct *p, int nice)
3593 {
3594 	int rc;
3595 
3596 	rc = cap_task_setnice(p, nice);
3597 	if (rc)
3598 		return rc;
3599 
3600 	return current_has_perm(p, PROCESS__SETSCHED);
3601 }
3602 
3603 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3604 {
3605 	int rc;
3606 
3607 	rc = cap_task_setioprio(p, ioprio);
3608 	if (rc)
3609 		return rc;
3610 
3611 	return current_has_perm(p, PROCESS__SETSCHED);
3612 }
3613 
3614 static int selinux_task_getioprio(struct task_struct *p)
3615 {
3616 	return current_has_perm(p, PROCESS__GETSCHED);
3617 }
3618 
3619 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3620 		struct rlimit *new_rlim)
3621 {
3622 	struct rlimit *old_rlim = p->signal->rlim + resource;
3623 
3624 	/* Control the ability to change the hard limit (whether
3625 	   lowering or raising it), so that the hard limit can
3626 	   later be used as a safe reset point for the soft limit
3627 	   upon context transitions.  See selinux_bprm_committing_creds. */
3628 	if (old_rlim->rlim_max != new_rlim->rlim_max)
3629 		return current_has_perm(p, PROCESS__SETRLIMIT);
3630 
3631 	return 0;
3632 }
3633 
3634 static int selinux_task_setscheduler(struct task_struct *p)
3635 {
3636 	int rc;
3637 
3638 	rc = cap_task_setscheduler(p);
3639 	if (rc)
3640 		return rc;
3641 
3642 	return current_has_perm(p, PROCESS__SETSCHED);
3643 }
3644 
3645 static int selinux_task_getscheduler(struct task_struct *p)
3646 {
3647 	return current_has_perm(p, PROCESS__GETSCHED);
3648 }
3649 
3650 static int selinux_task_movememory(struct task_struct *p)
3651 {
3652 	return current_has_perm(p, PROCESS__SETSCHED);
3653 }
3654 
3655 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3656 				int sig, u32 secid)
3657 {
3658 	u32 perm;
3659 	int rc;
3660 
3661 	if (!sig)
3662 		perm = PROCESS__SIGNULL; /* null signal; existence test */
3663 	else
3664 		perm = signal_to_av(sig);
3665 	if (secid)
3666 		rc = avc_has_perm(secid, task_sid(p),
3667 				  SECCLASS_PROCESS, perm, NULL);
3668 	else
3669 		rc = current_has_perm(p, perm);
3670 	return rc;
3671 }
3672 
3673 static int selinux_task_wait(struct task_struct *p)
3674 {
3675 	return task_has_perm(p, current, PROCESS__SIGCHLD);
3676 }
3677 
3678 static void selinux_task_to_inode(struct task_struct *p,
3679 				  struct inode *inode)
3680 {
3681 	struct inode_security_struct *isec = inode->i_security;
3682 	u32 sid = task_sid(p);
3683 
3684 	isec->sid = sid;
3685 	isec->initialized = 1;
3686 }
3687 
3688 /* Returns error only if unable to parse addresses */
3689 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3690 			struct common_audit_data *ad, u8 *proto)
3691 {
3692 	int offset, ihlen, ret = -EINVAL;
3693 	struct iphdr _iph, *ih;
3694 
3695 	offset = skb_network_offset(skb);
3696 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3697 	if (ih == NULL)
3698 		goto out;
3699 
3700 	ihlen = ih->ihl * 4;
3701 	if (ihlen < sizeof(_iph))
3702 		goto out;
3703 
3704 	ad->u.net->v4info.saddr = ih->saddr;
3705 	ad->u.net->v4info.daddr = ih->daddr;
3706 	ret = 0;
3707 
3708 	if (proto)
3709 		*proto = ih->protocol;
3710 
3711 	switch (ih->protocol) {
3712 	case IPPROTO_TCP: {
3713 		struct tcphdr _tcph, *th;
3714 
3715 		if (ntohs(ih->frag_off) & IP_OFFSET)
3716 			break;
3717 
3718 		offset += ihlen;
3719 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3720 		if (th == NULL)
3721 			break;
3722 
3723 		ad->u.net->sport = th->source;
3724 		ad->u.net->dport = th->dest;
3725 		break;
3726 	}
3727 
3728 	case IPPROTO_UDP: {
3729 		struct udphdr _udph, *uh;
3730 
3731 		if (ntohs(ih->frag_off) & IP_OFFSET)
3732 			break;
3733 
3734 		offset += ihlen;
3735 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3736 		if (uh == NULL)
3737 			break;
3738 
3739 		ad->u.net->sport = uh->source;
3740 		ad->u.net->dport = uh->dest;
3741 		break;
3742 	}
3743 
3744 	case IPPROTO_DCCP: {
3745 		struct dccp_hdr _dccph, *dh;
3746 
3747 		if (ntohs(ih->frag_off) & IP_OFFSET)
3748 			break;
3749 
3750 		offset += ihlen;
3751 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3752 		if (dh == NULL)
3753 			break;
3754 
3755 		ad->u.net->sport = dh->dccph_sport;
3756 		ad->u.net->dport = dh->dccph_dport;
3757 		break;
3758 	}
3759 
3760 	default:
3761 		break;
3762 	}
3763 out:
3764 	return ret;
3765 }
3766 
3767 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3768 
3769 /* Returns error only if unable to parse addresses */
3770 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3771 			struct common_audit_data *ad, u8 *proto)
3772 {
3773 	u8 nexthdr;
3774 	int ret = -EINVAL, offset;
3775 	struct ipv6hdr _ipv6h, *ip6;
3776 	__be16 frag_off;
3777 
3778 	offset = skb_network_offset(skb);
3779 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3780 	if (ip6 == NULL)
3781 		goto out;
3782 
3783 	ad->u.net->v6info.saddr = ip6->saddr;
3784 	ad->u.net->v6info.daddr = ip6->daddr;
3785 	ret = 0;
3786 
3787 	nexthdr = ip6->nexthdr;
3788 	offset += sizeof(_ipv6h);
3789 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3790 	if (offset < 0)
3791 		goto out;
3792 
3793 	if (proto)
3794 		*proto = nexthdr;
3795 
3796 	switch (nexthdr) {
3797 	case IPPROTO_TCP: {
3798 		struct tcphdr _tcph, *th;
3799 
3800 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3801 		if (th == NULL)
3802 			break;
3803 
3804 		ad->u.net->sport = th->source;
3805 		ad->u.net->dport = th->dest;
3806 		break;
3807 	}
3808 
3809 	case IPPROTO_UDP: {
3810 		struct udphdr _udph, *uh;
3811 
3812 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3813 		if (uh == NULL)
3814 			break;
3815 
3816 		ad->u.net->sport = uh->source;
3817 		ad->u.net->dport = uh->dest;
3818 		break;
3819 	}
3820 
3821 	case IPPROTO_DCCP: {
3822 		struct dccp_hdr _dccph, *dh;
3823 
3824 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3825 		if (dh == NULL)
3826 			break;
3827 
3828 		ad->u.net->sport = dh->dccph_sport;
3829 		ad->u.net->dport = dh->dccph_dport;
3830 		break;
3831 	}
3832 
3833 	/* includes fragments */
3834 	default:
3835 		break;
3836 	}
3837 out:
3838 	return ret;
3839 }
3840 
3841 #endif /* IPV6 */
3842 
3843 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3844 			     char **_addrp, int src, u8 *proto)
3845 {
3846 	char *addrp;
3847 	int ret;
3848 
3849 	switch (ad->u.net->family) {
3850 	case PF_INET:
3851 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
3852 		if (ret)
3853 			goto parse_error;
3854 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3855 				       &ad->u.net->v4info.daddr);
3856 		goto okay;
3857 
3858 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3859 	case PF_INET6:
3860 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
3861 		if (ret)
3862 			goto parse_error;
3863 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3864 				       &ad->u.net->v6info.daddr);
3865 		goto okay;
3866 #endif	/* IPV6 */
3867 	default:
3868 		addrp = NULL;
3869 		goto okay;
3870 	}
3871 
3872 parse_error:
3873 	printk(KERN_WARNING
3874 	       "SELinux: failure in selinux_parse_skb(),"
3875 	       " unable to parse packet\n");
3876 	return ret;
3877 
3878 okay:
3879 	if (_addrp)
3880 		*_addrp = addrp;
3881 	return 0;
3882 }
3883 
3884 /**
3885  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3886  * @skb: the packet
3887  * @family: protocol family
3888  * @sid: the packet's peer label SID
3889  *
3890  * Description:
3891  * Check the various different forms of network peer labeling and determine
3892  * the peer label/SID for the packet; most of the magic actually occurs in
3893  * the security server function security_net_peersid_cmp().  The function
3894  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3895  * or -EACCES if @sid is invalid due to inconsistencies with the different
3896  * peer labels.
3897  *
3898  */
3899 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3900 {
3901 	int err;
3902 	u32 xfrm_sid;
3903 	u32 nlbl_sid;
3904 	u32 nlbl_type;
3905 
3906 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3907 	if (unlikely(err))
3908 		return -EACCES;
3909 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3910 	if (unlikely(err))
3911 		return -EACCES;
3912 
3913 	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3914 	if (unlikely(err)) {
3915 		printk(KERN_WARNING
3916 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
3917 		       " unable to determine packet's peer label\n");
3918 		return -EACCES;
3919 	}
3920 
3921 	return 0;
3922 }
3923 
3924 /**
3925  * selinux_conn_sid - Determine the child socket label for a connection
3926  * @sk_sid: the parent socket's SID
3927  * @skb_sid: the packet's SID
3928  * @conn_sid: the resulting connection SID
3929  *
3930  * If @skb_sid is valid then the user:role:type information from @sk_sid is
3931  * combined with the MLS information from @skb_sid in order to create
3932  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
3933  * of @sk_sid.  Returns zero on success, negative values on failure.
3934  *
3935  */
3936 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3937 {
3938 	int err = 0;
3939 
3940 	if (skb_sid != SECSID_NULL)
3941 		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3942 	else
3943 		*conn_sid = sk_sid;
3944 
3945 	return err;
3946 }
3947 
3948 /* socket security operations */
3949 
3950 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3951 				 u16 secclass, u32 *socksid)
3952 {
3953 	if (tsec->sockcreate_sid > SECSID_NULL) {
3954 		*socksid = tsec->sockcreate_sid;
3955 		return 0;
3956 	}
3957 
3958 	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3959 				       socksid);
3960 }
3961 
3962 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3963 {
3964 	struct sk_security_struct *sksec = sk->sk_security;
3965 	struct common_audit_data ad;
3966 	struct lsm_network_audit net = {0,};
3967 	u32 tsid = task_sid(task);
3968 
3969 	if (sksec->sid == SECINITSID_KERNEL)
3970 		return 0;
3971 
3972 	ad.type = LSM_AUDIT_DATA_NET;
3973 	ad.u.net = &net;
3974 	ad.u.net->sk = sk;
3975 
3976 	return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3977 }
3978 
3979 static int selinux_socket_create(int family, int type,
3980 				 int protocol, int kern)
3981 {
3982 	const struct task_security_struct *tsec = current_security();
3983 	u32 newsid;
3984 	u16 secclass;
3985 	int rc;
3986 
3987 	if (kern)
3988 		return 0;
3989 
3990 	secclass = socket_type_to_security_class(family, type, protocol);
3991 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3992 	if (rc)
3993 		return rc;
3994 
3995 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3996 }
3997 
3998 static int selinux_socket_post_create(struct socket *sock, int family,
3999 				      int type, int protocol, int kern)
4000 {
4001 	const struct task_security_struct *tsec = current_security();
4002 	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4003 	struct sk_security_struct *sksec;
4004 	int err = 0;
4005 
4006 	isec->sclass = socket_type_to_security_class(family, type, protocol);
4007 
4008 	if (kern)
4009 		isec->sid = SECINITSID_KERNEL;
4010 	else {
4011 		err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4012 		if (err)
4013 			return err;
4014 	}
4015 
4016 	isec->initialized = 1;
4017 
4018 	if (sock->sk) {
4019 		sksec = sock->sk->sk_security;
4020 		sksec->sid = isec->sid;
4021 		sksec->sclass = isec->sclass;
4022 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4023 	}
4024 
4025 	return err;
4026 }
4027 
4028 /* Range of port numbers used to automatically bind.
4029    Need to determine whether we should perform a name_bind
4030    permission check between the socket and the port number. */
4031 
4032 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4033 {
4034 	struct sock *sk = sock->sk;
4035 	u16 family;
4036 	int err;
4037 
4038 	err = sock_has_perm(current, sk, SOCKET__BIND);
4039 	if (err)
4040 		goto out;
4041 
4042 	/*
4043 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
4044 	 * Multiple address binding for SCTP is not supported yet: we just
4045 	 * check the first address now.
4046 	 */
4047 	family = sk->sk_family;
4048 	if (family == PF_INET || family == PF_INET6) {
4049 		char *addrp;
4050 		struct sk_security_struct *sksec = sk->sk_security;
4051 		struct common_audit_data ad;
4052 		struct lsm_network_audit net = {0,};
4053 		struct sockaddr_in *addr4 = NULL;
4054 		struct sockaddr_in6 *addr6 = NULL;
4055 		unsigned short snum;
4056 		u32 sid, node_perm;
4057 
4058 		if (family == PF_INET) {
4059 			addr4 = (struct sockaddr_in *)address;
4060 			snum = ntohs(addr4->sin_port);
4061 			addrp = (char *)&addr4->sin_addr.s_addr;
4062 		} else {
4063 			addr6 = (struct sockaddr_in6 *)address;
4064 			snum = ntohs(addr6->sin6_port);
4065 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4066 		}
4067 
4068 		if (snum) {
4069 			int low, high;
4070 
4071 			inet_get_local_port_range(sock_net(sk), &low, &high);
4072 
4073 			if (snum < max(PROT_SOCK, low) || snum > high) {
4074 				err = sel_netport_sid(sk->sk_protocol,
4075 						      snum, &sid);
4076 				if (err)
4077 					goto out;
4078 				ad.type = LSM_AUDIT_DATA_NET;
4079 				ad.u.net = &net;
4080 				ad.u.net->sport = htons(snum);
4081 				ad.u.net->family = family;
4082 				err = avc_has_perm(sksec->sid, sid,
4083 						   sksec->sclass,
4084 						   SOCKET__NAME_BIND, &ad);
4085 				if (err)
4086 					goto out;
4087 			}
4088 		}
4089 
4090 		switch (sksec->sclass) {
4091 		case SECCLASS_TCP_SOCKET:
4092 			node_perm = TCP_SOCKET__NODE_BIND;
4093 			break;
4094 
4095 		case SECCLASS_UDP_SOCKET:
4096 			node_perm = UDP_SOCKET__NODE_BIND;
4097 			break;
4098 
4099 		case SECCLASS_DCCP_SOCKET:
4100 			node_perm = DCCP_SOCKET__NODE_BIND;
4101 			break;
4102 
4103 		default:
4104 			node_perm = RAWIP_SOCKET__NODE_BIND;
4105 			break;
4106 		}
4107 
4108 		err = sel_netnode_sid(addrp, family, &sid);
4109 		if (err)
4110 			goto out;
4111 
4112 		ad.type = LSM_AUDIT_DATA_NET;
4113 		ad.u.net = &net;
4114 		ad.u.net->sport = htons(snum);
4115 		ad.u.net->family = family;
4116 
4117 		if (family == PF_INET)
4118 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4119 		else
4120 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4121 
4122 		err = avc_has_perm(sksec->sid, sid,
4123 				   sksec->sclass, node_perm, &ad);
4124 		if (err)
4125 			goto out;
4126 	}
4127 out:
4128 	return err;
4129 }
4130 
4131 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4132 {
4133 	struct sock *sk = sock->sk;
4134 	struct sk_security_struct *sksec = sk->sk_security;
4135 	int err;
4136 
4137 	err = sock_has_perm(current, sk, SOCKET__CONNECT);
4138 	if (err)
4139 		return err;
4140 
4141 	/*
4142 	 * If a TCP or DCCP socket, check name_connect permission for the port.
4143 	 */
4144 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4145 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
4146 		struct common_audit_data ad;
4147 		struct lsm_network_audit net = {0,};
4148 		struct sockaddr_in *addr4 = NULL;
4149 		struct sockaddr_in6 *addr6 = NULL;
4150 		unsigned short snum;
4151 		u32 sid, perm;
4152 
4153 		if (sk->sk_family == PF_INET) {
4154 			addr4 = (struct sockaddr_in *)address;
4155 			if (addrlen < sizeof(struct sockaddr_in))
4156 				return -EINVAL;
4157 			snum = ntohs(addr4->sin_port);
4158 		} else {
4159 			addr6 = (struct sockaddr_in6 *)address;
4160 			if (addrlen < SIN6_LEN_RFC2133)
4161 				return -EINVAL;
4162 			snum = ntohs(addr6->sin6_port);
4163 		}
4164 
4165 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4166 		if (err)
4167 			goto out;
4168 
4169 		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4170 		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4171 
4172 		ad.type = LSM_AUDIT_DATA_NET;
4173 		ad.u.net = &net;
4174 		ad.u.net->dport = htons(snum);
4175 		ad.u.net->family = sk->sk_family;
4176 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4177 		if (err)
4178 			goto out;
4179 	}
4180 
4181 	err = selinux_netlbl_socket_connect(sk, address);
4182 
4183 out:
4184 	return err;
4185 }
4186 
4187 static int selinux_socket_listen(struct socket *sock, int backlog)
4188 {
4189 	return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4190 }
4191 
4192 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4193 {
4194 	int err;
4195 	struct inode_security_struct *isec;
4196 	struct inode_security_struct *newisec;
4197 
4198 	err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4199 	if (err)
4200 		return err;
4201 
4202 	newisec = SOCK_INODE(newsock)->i_security;
4203 
4204 	isec = SOCK_INODE(sock)->i_security;
4205 	newisec->sclass = isec->sclass;
4206 	newisec->sid = isec->sid;
4207 	newisec->initialized = 1;
4208 
4209 	return 0;
4210 }
4211 
4212 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4213 				  int size)
4214 {
4215 	return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4216 }
4217 
4218 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4219 				  int size, int flags)
4220 {
4221 	return sock_has_perm(current, sock->sk, SOCKET__READ);
4222 }
4223 
4224 static int selinux_socket_getsockname(struct socket *sock)
4225 {
4226 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4227 }
4228 
4229 static int selinux_socket_getpeername(struct socket *sock)
4230 {
4231 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4232 }
4233 
4234 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4235 {
4236 	int err;
4237 
4238 	err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4239 	if (err)
4240 		return err;
4241 
4242 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4243 }
4244 
4245 static int selinux_socket_getsockopt(struct socket *sock, int level,
4246 				     int optname)
4247 {
4248 	return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4249 }
4250 
4251 static int selinux_socket_shutdown(struct socket *sock, int how)
4252 {
4253 	return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4254 }
4255 
4256 static int selinux_socket_unix_stream_connect(struct sock *sock,
4257 					      struct sock *other,
4258 					      struct sock *newsk)
4259 {
4260 	struct sk_security_struct *sksec_sock = sock->sk_security;
4261 	struct sk_security_struct *sksec_other = other->sk_security;
4262 	struct sk_security_struct *sksec_new = newsk->sk_security;
4263 	struct common_audit_data ad;
4264 	struct lsm_network_audit net = {0,};
4265 	int err;
4266 
4267 	ad.type = LSM_AUDIT_DATA_NET;
4268 	ad.u.net = &net;
4269 	ad.u.net->sk = other;
4270 
4271 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4272 			   sksec_other->sclass,
4273 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4274 	if (err)
4275 		return err;
4276 
4277 	/* server child socket */
4278 	sksec_new->peer_sid = sksec_sock->sid;
4279 	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4280 				    &sksec_new->sid);
4281 	if (err)
4282 		return err;
4283 
4284 	/* connecting socket */
4285 	sksec_sock->peer_sid = sksec_new->sid;
4286 
4287 	return 0;
4288 }
4289 
4290 static int selinux_socket_unix_may_send(struct socket *sock,
4291 					struct socket *other)
4292 {
4293 	struct sk_security_struct *ssec = sock->sk->sk_security;
4294 	struct sk_security_struct *osec = other->sk->sk_security;
4295 	struct common_audit_data ad;
4296 	struct lsm_network_audit net = {0,};
4297 
4298 	ad.type = LSM_AUDIT_DATA_NET;
4299 	ad.u.net = &net;
4300 	ad.u.net->sk = other->sk;
4301 
4302 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4303 			    &ad);
4304 }
4305 
4306 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4307 				    char *addrp, u16 family, u32 peer_sid,
4308 				    struct common_audit_data *ad)
4309 {
4310 	int err;
4311 	u32 if_sid;
4312 	u32 node_sid;
4313 
4314 	err = sel_netif_sid(ns, ifindex, &if_sid);
4315 	if (err)
4316 		return err;
4317 	err = avc_has_perm(peer_sid, if_sid,
4318 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4319 	if (err)
4320 		return err;
4321 
4322 	err = sel_netnode_sid(addrp, family, &node_sid);
4323 	if (err)
4324 		return err;
4325 	return avc_has_perm(peer_sid, node_sid,
4326 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4327 }
4328 
4329 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4330 				       u16 family)
4331 {
4332 	int err = 0;
4333 	struct sk_security_struct *sksec = sk->sk_security;
4334 	u32 sk_sid = sksec->sid;
4335 	struct common_audit_data ad;
4336 	struct lsm_network_audit net = {0,};
4337 	char *addrp;
4338 
4339 	ad.type = LSM_AUDIT_DATA_NET;
4340 	ad.u.net = &net;
4341 	ad.u.net->netif = skb->skb_iif;
4342 	ad.u.net->family = family;
4343 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4344 	if (err)
4345 		return err;
4346 
4347 	if (selinux_secmark_enabled()) {
4348 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4349 				   PACKET__RECV, &ad);
4350 		if (err)
4351 			return err;
4352 	}
4353 
4354 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4355 	if (err)
4356 		return err;
4357 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4358 
4359 	return err;
4360 }
4361 
4362 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4363 {
4364 	int err;
4365 	struct sk_security_struct *sksec = sk->sk_security;
4366 	u16 family = sk->sk_family;
4367 	u32 sk_sid = sksec->sid;
4368 	struct common_audit_data ad;
4369 	struct lsm_network_audit net = {0,};
4370 	char *addrp;
4371 	u8 secmark_active;
4372 	u8 peerlbl_active;
4373 
4374 	if (family != PF_INET && family != PF_INET6)
4375 		return 0;
4376 
4377 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4378 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4379 		family = PF_INET;
4380 
4381 	/* If any sort of compatibility mode is enabled then handoff processing
4382 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4383 	 * special handling.  We do this in an attempt to keep this function
4384 	 * as fast and as clean as possible. */
4385 	if (!selinux_policycap_netpeer)
4386 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4387 
4388 	secmark_active = selinux_secmark_enabled();
4389 	peerlbl_active = selinux_peerlbl_enabled();
4390 	if (!secmark_active && !peerlbl_active)
4391 		return 0;
4392 
4393 	ad.type = LSM_AUDIT_DATA_NET;
4394 	ad.u.net = &net;
4395 	ad.u.net->netif = skb->skb_iif;
4396 	ad.u.net->family = family;
4397 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4398 	if (err)
4399 		return err;
4400 
4401 	if (peerlbl_active) {
4402 		u32 peer_sid;
4403 
4404 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4405 		if (err)
4406 			return err;
4407 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4408 					       addrp, family, peer_sid, &ad);
4409 		if (err) {
4410 			selinux_netlbl_err(skb, err, 0);
4411 			return err;
4412 		}
4413 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4414 				   PEER__RECV, &ad);
4415 		if (err) {
4416 			selinux_netlbl_err(skb, err, 0);
4417 			return err;
4418 		}
4419 	}
4420 
4421 	if (secmark_active) {
4422 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4423 				   PACKET__RECV, &ad);
4424 		if (err)
4425 			return err;
4426 	}
4427 
4428 	return err;
4429 }
4430 
4431 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4432 					    int __user *optlen, unsigned len)
4433 {
4434 	int err = 0;
4435 	char *scontext;
4436 	u32 scontext_len;
4437 	struct sk_security_struct *sksec = sock->sk->sk_security;
4438 	u32 peer_sid = SECSID_NULL;
4439 
4440 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4441 	    sksec->sclass == SECCLASS_TCP_SOCKET)
4442 		peer_sid = sksec->peer_sid;
4443 	if (peer_sid == SECSID_NULL)
4444 		return -ENOPROTOOPT;
4445 
4446 	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4447 	if (err)
4448 		return err;
4449 
4450 	if (scontext_len > len) {
4451 		err = -ERANGE;
4452 		goto out_len;
4453 	}
4454 
4455 	if (copy_to_user(optval, scontext, scontext_len))
4456 		err = -EFAULT;
4457 
4458 out_len:
4459 	if (put_user(scontext_len, optlen))
4460 		err = -EFAULT;
4461 	kfree(scontext);
4462 	return err;
4463 }
4464 
4465 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4466 {
4467 	u32 peer_secid = SECSID_NULL;
4468 	u16 family;
4469 
4470 	if (skb && skb->protocol == htons(ETH_P_IP))
4471 		family = PF_INET;
4472 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4473 		family = PF_INET6;
4474 	else if (sock)
4475 		family = sock->sk->sk_family;
4476 	else
4477 		goto out;
4478 
4479 	if (sock && family == PF_UNIX)
4480 		selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4481 	else if (skb)
4482 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4483 
4484 out:
4485 	*secid = peer_secid;
4486 	if (peer_secid == SECSID_NULL)
4487 		return -EINVAL;
4488 	return 0;
4489 }
4490 
4491 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4492 {
4493 	struct sk_security_struct *sksec;
4494 
4495 	sksec = kzalloc(sizeof(*sksec), priority);
4496 	if (!sksec)
4497 		return -ENOMEM;
4498 
4499 	sksec->peer_sid = SECINITSID_UNLABELED;
4500 	sksec->sid = SECINITSID_UNLABELED;
4501 	selinux_netlbl_sk_security_reset(sksec);
4502 	sk->sk_security = sksec;
4503 
4504 	return 0;
4505 }
4506 
4507 static void selinux_sk_free_security(struct sock *sk)
4508 {
4509 	struct sk_security_struct *sksec = sk->sk_security;
4510 
4511 	sk->sk_security = NULL;
4512 	selinux_netlbl_sk_security_free(sksec);
4513 	kfree(sksec);
4514 }
4515 
4516 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4517 {
4518 	struct sk_security_struct *sksec = sk->sk_security;
4519 	struct sk_security_struct *newsksec = newsk->sk_security;
4520 
4521 	newsksec->sid = sksec->sid;
4522 	newsksec->peer_sid = sksec->peer_sid;
4523 	newsksec->sclass = sksec->sclass;
4524 
4525 	selinux_netlbl_sk_security_reset(newsksec);
4526 }
4527 
4528 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4529 {
4530 	if (!sk)
4531 		*secid = SECINITSID_ANY_SOCKET;
4532 	else {
4533 		struct sk_security_struct *sksec = sk->sk_security;
4534 
4535 		*secid = sksec->sid;
4536 	}
4537 }
4538 
4539 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4540 {
4541 	struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4542 	struct sk_security_struct *sksec = sk->sk_security;
4543 
4544 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4545 	    sk->sk_family == PF_UNIX)
4546 		isec->sid = sksec->sid;
4547 	sksec->sclass = isec->sclass;
4548 }
4549 
4550 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4551 				     struct request_sock *req)
4552 {
4553 	struct sk_security_struct *sksec = sk->sk_security;
4554 	int err;
4555 	u16 family = req->rsk_ops->family;
4556 	u32 connsid;
4557 	u32 peersid;
4558 
4559 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4560 	if (err)
4561 		return err;
4562 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4563 	if (err)
4564 		return err;
4565 	req->secid = connsid;
4566 	req->peer_secid = peersid;
4567 
4568 	return selinux_netlbl_inet_conn_request(req, family);
4569 }
4570 
4571 static void selinux_inet_csk_clone(struct sock *newsk,
4572 				   const struct request_sock *req)
4573 {
4574 	struct sk_security_struct *newsksec = newsk->sk_security;
4575 
4576 	newsksec->sid = req->secid;
4577 	newsksec->peer_sid = req->peer_secid;
4578 	/* NOTE: Ideally, we should also get the isec->sid for the
4579 	   new socket in sync, but we don't have the isec available yet.
4580 	   So we will wait until sock_graft to do it, by which
4581 	   time it will have been created and available. */
4582 
4583 	/* We don't need to take any sort of lock here as we are the only
4584 	 * thread with access to newsksec */
4585 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4586 }
4587 
4588 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4589 {
4590 	u16 family = sk->sk_family;
4591 	struct sk_security_struct *sksec = sk->sk_security;
4592 
4593 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4594 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4595 		family = PF_INET;
4596 
4597 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4598 }
4599 
4600 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4601 {
4602 	skb_set_owner_w(skb, sk);
4603 }
4604 
4605 static int selinux_secmark_relabel_packet(u32 sid)
4606 {
4607 	const struct task_security_struct *__tsec;
4608 	u32 tsid;
4609 
4610 	__tsec = current_security();
4611 	tsid = __tsec->sid;
4612 
4613 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4614 }
4615 
4616 static void selinux_secmark_refcount_inc(void)
4617 {
4618 	atomic_inc(&selinux_secmark_refcount);
4619 }
4620 
4621 static void selinux_secmark_refcount_dec(void)
4622 {
4623 	atomic_dec(&selinux_secmark_refcount);
4624 }
4625 
4626 static void selinux_req_classify_flow(const struct request_sock *req,
4627 				      struct flowi *fl)
4628 {
4629 	fl->flowi_secid = req->secid;
4630 }
4631 
4632 static int selinux_tun_dev_alloc_security(void **security)
4633 {
4634 	struct tun_security_struct *tunsec;
4635 
4636 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4637 	if (!tunsec)
4638 		return -ENOMEM;
4639 	tunsec->sid = current_sid();
4640 
4641 	*security = tunsec;
4642 	return 0;
4643 }
4644 
4645 static void selinux_tun_dev_free_security(void *security)
4646 {
4647 	kfree(security);
4648 }
4649 
4650 static int selinux_tun_dev_create(void)
4651 {
4652 	u32 sid = current_sid();
4653 
4654 	/* we aren't taking into account the "sockcreate" SID since the socket
4655 	 * that is being created here is not a socket in the traditional sense,
4656 	 * instead it is a private sock, accessible only to the kernel, and
4657 	 * representing a wide range of network traffic spanning multiple
4658 	 * connections unlike traditional sockets - check the TUN driver to
4659 	 * get a better understanding of why this socket is special */
4660 
4661 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4662 			    NULL);
4663 }
4664 
4665 static int selinux_tun_dev_attach_queue(void *security)
4666 {
4667 	struct tun_security_struct *tunsec = security;
4668 
4669 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4670 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
4671 }
4672 
4673 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4674 {
4675 	struct tun_security_struct *tunsec = security;
4676 	struct sk_security_struct *sksec = sk->sk_security;
4677 
4678 	/* we don't currently perform any NetLabel based labeling here and it
4679 	 * isn't clear that we would want to do so anyway; while we could apply
4680 	 * labeling without the support of the TUN user the resulting labeled
4681 	 * traffic from the other end of the connection would almost certainly
4682 	 * cause confusion to the TUN user that had no idea network labeling
4683 	 * protocols were being used */
4684 
4685 	sksec->sid = tunsec->sid;
4686 	sksec->sclass = SECCLASS_TUN_SOCKET;
4687 
4688 	return 0;
4689 }
4690 
4691 static int selinux_tun_dev_open(void *security)
4692 {
4693 	struct tun_security_struct *tunsec = security;
4694 	u32 sid = current_sid();
4695 	int err;
4696 
4697 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4698 			   TUN_SOCKET__RELABELFROM, NULL);
4699 	if (err)
4700 		return err;
4701 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4702 			   TUN_SOCKET__RELABELTO, NULL);
4703 	if (err)
4704 		return err;
4705 	tunsec->sid = sid;
4706 
4707 	return 0;
4708 }
4709 
4710 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4711 {
4712 	int err = 0;
4713 	u32 perm;
4714 	struct nlmsghdr *nlh;
4715 	struct sk_security_struct *sksec = sk->sk_security;
4716 
4717 	if (skb->len < NLMSG_HDRLEN) {
4718 		err = -EINVAL;
4719 		goto out;
4720 	}
4721 	nlh = nlmsg_hdr(skb);
4722 
4723 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4724 	if (err) {
4725 		if (err == -EINVAL) {
4726 			printk(KERN_WARNING
4727 			       "SELinux: unrecognized netlink message:"
4728 			       " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
4729 			       sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
4730 			if (!selinux_enforcing || security_get_allow_unknown())
4731 				err = 0;
4732 		}
4733 
4734 		/* Ignore */
4735 		if (err == -ENOENT)
4736 			err = 0;
4737 		goto out;
4738 	}
4739 
4740 	err = sock_has_perm(current, sk, perm);
4741 out:
4742 	return err;
4743 }
4744 
4745 #ifdef CONFIG_NETFILTER
4746 
4747 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4748 				       const struct net_device *indev,
4749 				       u16 family)
4750 {
4751 	int err;
4752 	char *addrp;
4753 	u32 peer_sid;
4754 	struct common_audit_data ad;
4755 	struct lsm_network_audit net = {0,};
4756 	u8 secmark_active;
4757 	u8 netlbl_active;
4758 	u8 peerlbl_active;
4759 
4760 	if (!selinux_policycap_netpeer)
4761 		return NF_ACCEPT;
4762 
4763 	secmark_active = selinux_secmark_enabled();
4764 	netlbl_active = netlbl_enabled();
4765 	peerlbl_active = selinux_peerlbl_enabled();
4766 	if (!secmark_active && !peerlbl_active)
4767 		return NF_ACCEPT;
4768 
4769 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4770 		return NF_DROP;
4771 
4772 	ad.type = LSM_AUDIT_DATA_NET;
4773 	ad.u.net = &net;
4774 	ad.u.net->netif = indev->ifindex;
4775 	ad.u.net->family = family;
4776 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4777 		return NF_DROP;
4778 
4779 	if (peerlbl_active) {
4780 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4781 					       addrp, family, peer_sid, &ad);
4782 		if (err) {
4783 			selinux_netlbl_err(skb, err, 1);
4784 			return NF_DROP;
4785 		}
4786 	}
4787 
4788 	if (secmark_active)
4789 		if (avc_has_perm(peer_sid, skb->secmark,
4790 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4791 			return NF_DROP;
4792 
4793 	if (netlbl_active)
4794 		/* we do this in the FORWARD path and not the POST_ROUTING
4795 		 * path because we want to make sure we apply the necessary
4796 		 * labeling before IPsec is applied so we can leverage AH
4797 		 * protection */
4798 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4799 			return NF_DROP;
4800 
4801 	return NF_ACCEPT;
4802 }
4803 
4804 static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4805 					 struct sk_buff *skb,
4806 					 const struct net_device *in,
4807 					 const struct net_device *out,
4808 					 int (*okfn)(struct sk_buff *))
4809 {
4810 	return selinux_ip_forward(skb, in, PF_INET);
4811 }
4812 
4813 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4814 static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4815 					 struct sk_buff *skb,
4816 					 const struct net_device *in,
4817 					 const struct net_device *out,
4818 					 int (*okfn)(struct sk_buff *))
4819 {
4820 	return selinux_ip_forward(skb, in, PF_INET6);
4821 }
4822 #endif	/* IPV6 */
4823 
4824 static unsigned int selinux_ip_output(struct sk_buff *skb,
4825 				      u16 family)
4826 {
4827 	struct sock *sk;
4828 	u32 sid;
4829 
4830 	if (!netlbl_enabled())
4831 		return NF_ACCEPT;
4832 
4833 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4834 	 * because we want to make sure we apply the necessary labeling
4835 	 * before IPsec is applied so we can leverage AH protection */
4836 	sk = skb->sk;
4837 	if (sk) {
4838 		struct sk_security_struct *sksec;
4839 
4840 		if (sk->sk_state == TCP_LISTEN)
4841 			/* if the socket is the listening state then this
4842 			 * packet is a SYN-ACK packet which means it needs to
4843 			 * be labeled based on the connection/request_sock and
4844 			 * not the parent socket.  unfortunately, we can't
4845 			 * lookup the request_sock yet as it isn't queued on
4846 			 * the parent socket until after the SYN-ACK is sent.
4847 			 * the "solution" is to simply pass the packet as-is
4848 			 * as any IP option based labeling should be copied
4849 			 * from the initial connection request (in the IP
4850 			 * layer).  it is far from ideal, but until we get a
4851 			 * security label in the packet itself this is the
4852 			 * best we can do. */
4853 			return NF_ACCEPT;
4854 
4855 		/* standard practice, label using the parent socket */
4856 		sksec = sk->sk_security;
4857 		sid = sksec->sid;
4858 	} else
4859 		sid = SECINITSID_KERNEL;
4860 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4861 		return NF_DROP;
4862 
4863 	return NF_ACCEPT;
4864 }
4865 
4866 static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4867 					struct sk_buff *skb,
4868 					const struct net_device *in,
4869 					const struct net_device *out,
4870 					int (*okfn)(struct sk_buff *))
4871 {
4872 	return selinux_ip_output(skb, PF_INET);
4873 }
4874 
4875 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4876 						int ifindex,
4877 						u16 family)
4878 {
4879 	struct sock *sk = skb->sk;
4880 	struct sk_security_struct *sksec;
4881 	struct common_audit_data ad;
4882 	struct lsm_network_audit net = {0,};
4883 	char *addrp;
4884 	u8 proto;
4885 
4886 	if (sk == NULL)
4887 		return NF_ACCEPT;
4888 	sksec = sk->sk_security;
4889 
4890 	ad.type = LSM_AUDIT_DATA_NET;
4891 	ad.u.net = &net;
4892 	ad.u.net->netif = ifindex;
4893 	ad.u.net->family = family;
4894 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4895 		return NF_DROP;
4896 
4897 	if (selinux_secmark_enabled())
4898 		if (avc_has_perm(sksec->sid, skb->secmark,
4899 				 SECCLASS_PACKET, PACKET__SEND, &ad))
4900 			return NF_DROP_ERR(-ECONNREFUSED);
4901 
4902 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4903 		return NF_DROP_ERR(-ECONNREFUSED);
4904 
4905 	return NF_ACCEPT;
4906 }
4907 
4908 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
4909 					 const struct net_device *outdev,
4910 					 u16 family)
4911 {
4912 	u32 secmark_perm;
4913 	u32 peer_sid;
4914 	int ifindex = outdev->ifindex;
4915 	struct sock *sk;
4916 	struct common_audit_data ad;
4917 	struct lsm_network_audit net = {0,};
4918 	char *addrp;
4919 	u8 secmark_active;
4920 	u8 peerlbl_active;
4921 
4922 	/* If any sort of compatibility mode is enabled then handoff processing
4923 	 * to the selinux_ip_postroute_compat() function to deal with the
4924 	 * special handling.  We do this in an attempt to keep this function
4925 	 * as fast and as clean as possible. */
4926 	if (!selinux_policycap_netpeer)
4927 		return selinux_ip_postroute_compat(skb, ifindex, family);
4928 
4929 	secmark_active = selinux_secmark_enabled();
4930 	peerlbl_active = selinux_peerlbl_enabled();
4931 	if (!secmark_active && !peerlbl_active)
4932 		return NF_ACCEPT;
4933 
4934 	sk = skb->sk;
4935 
4936 #ifdef CONFIG_XFRM
4937 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4938 	 * packet transformation so allow the packet to pass without any checks
4939 	 * since we'll have another chance to perform access control checks
4940 	 * when the packet is on it's final way out.
4941 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4942 	 *       is NULL, in this case go ahead and apply access control.
4943 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4944 	 *       TCP listening state we cannot wait until the XFRM processing
4945 	 *       is done as we will miss out on the SA label if we do;
4946 	 *       unfortunately, this means more work, but it is only once per
4947 	 *       connection. */
4948 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4949 	    !(sk != NULL && sk->sk_state == TCP_LISTEN))
4950 		return NF_ACCEPT;
4951 #endif
4952 
4953 	if (sk == NULL) {
4954 		/* Without an associated socket the packet is either coming
4955 		 * from the kernel or it is being forwarded; check the packet
4956 		 * to determine which and if the packet is being forwarded
4957 		 * query the packet directly to determine the security label. */
4958 		if (skb->skb_iif) {
4959 			secmark_perm = PACKET__FORWARD_OUT;
4960 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4961 				return NF_DROP;
4962 		} else {
4963 			secmark_perm = PACKET__SEND;
4964 			peer_sid = SECINITSID_KERNEL;
4965 		}
4966 	} else if (sk->sk_state == TCP_LISTEN) {
4967 		/* Locally generated packet but the associated socket is in the
4968 		 * listening state which means this is a SYN-ACK packet.  In
4969 		 * this particular case the correct security label is assigned
4970 		 * to the connection/request_sock but unfortunately we can't
4971 		 * query the request_sock as it isn't queued on the parent
4972 		 * socket until after the SYN-ACK packet is sent; the only
4973 		 * viable choice is to regenerate the label like we do in
4974 		 * selinux_inet_conn_request().  See also selinux_ip_output()
4975 		 * for similar problems. */
4976 		u32 skb_sid;
4977 		struct sk_security_struct *sksec = sk->sk_security;
4978 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4979 			return NF_DROP;
4980 		/* At this point, if the returned skb peerlbl is SECSID_NULL
4981 		 * and the packet has been through at least one XFRM
4982 		 * transformation then we must be dealing with the "final"
4983 		 * form of labeled IPsec packet; since we've already applied
4984 		 * all of our access controls on this packet we can safely
4985 		 * pass the packet. */
4986 		if (skb_sid == SECSID_NULL) {
4987 			switch (family) {
4988 			case PF_INET:
4989 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4990 					return NF_ACCEPT;
4991 				break;
4992 			case PF_INET6:
4993 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4994 					return NF_ACCEPT;
4995 				break;
4996 			default:
4997 				return NF_DROP_ERR(-ECONNREFUSED);
4998 			}
4999 		}
5000 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5001 			return NF_DROP;
5002 		secmark_perm = PACKET__SEND;
5003 	} else {
5004 		/* Locally generated packet, fetch the security label from the
5005 		 * associated socket. */
5006 		struct sk_security_struct *sksec = sk->sk_security;
5007 		peer_sid = sksec->sid;
5008 		secmark_perm = PACKET__SEND;
5009 	}
5010 
5011 	ad.type = LSM_AUDIT_DATA_NET;
5012 	ad.u.net = &net;
5013 	ad.u.net->netif = ifindex;
5014 	ad.u.net->family = family;
5015 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5016 		return NF_DROP;
5017 
5018 	if (secmark_active)
5019 		if (avc_has_perm(peer_sid, skb->secmark,
5020 				 SECCLASS_PACKET, secmark_perm, &ad))
5021 			return NF_DROP_ERR(-ECONNREFUSED);
5022 
5023 	if (peerlbl_active) {
5024 		u32 if_sid;
5025 		u32 node_sid;
5026 
5027 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5028 			return NF_DROP;
5029 		if (avc_has_perm(peer_sid, if_sid,
5030 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5031 			return NF_DROP_ERR(-ECONNREFUSED);
5032 
5033 		if (sel_netnode_sid(addrp, family, &node_sid))
5034 			return NF_DROP;
5035 		if (avc_has_perm(peer_sid, node_sid,
5036 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5037 			return NF_DROP_ERR(-ECONNREFUSED);
5038 	}
5039 
5040 	return NF_ACCEPT;
5041 }
5042 
5043 static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5044 					   struct sk_buff *skb,
5045 					   const struct net_device *in,
5046 					   const struct net_device *out,
5047 					   int (*okfn)(struct sk_buff *))
5048 {
5049 	return selinux_ip_postroute(skb, out, PF_INET);
5050 }
5051 
5052 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5053 static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5054 					   struct sk_buff *skb,
5055 					   const struct net_device *in,
5056 					   const struct net_device *out,
5057 					   int (*okfn)(struct sk_buff *))
5058 {
5059 	return selinux_ip_postroute(skb, out, PF_INET6);
5060 }
5061 #endif	/* IPV6 */
5062 
5063 #endif	/* CONFIG_NETFILTER */
5064 
5065 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5066 {
5067 	int err;
5068 
5069 	err = cap_netlink_send(sk, skb);
5070 	if (err)
5071 		return err;
5072 
5073 	return selinux_nlmsg_perm(sk, skb);
5074 }
5075 
5076 static int ipc_alloc_security(struct task_struct *task,
5077 			      struct kern_ipc_perm *perm,
5078 			      u16 sclass)
5079 {
5080 	struct ipc_security_struct *isec;
5081 	u32 sid;
5082 
5083 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5084 	if (!isec)
5085 		return -ENOMEM;
5086 
5087 	sid = task_sid(task);
5088 	isec->sclass = sclass;
5089 	isec->sid = sid;
5090 	perm->security = isec;
5091 
5092 	return 0;
5093 }
5094 
5095 static void ipc_free_security(struct kern_ipc_perm *perm)
5096 {
5097 	struct ipc_security_struct *isec = perm->security;
5098 	perm->security = NULL;
5099 	kfree(isec);
5100 }
5101 
5102 static int msg_msg_alloc_security(struct msg_msg *msg)
5103 {
5104 	struct msg_security_struct *msec;
5105 
5106 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5107 	if (!msec)
5108 		return -ENOMEM;
5109 
5110 	msec->sid = SECINITSID_UNLABELED;
5111 	msg->security = msec;
5112 
5113 	return 0;
5114 }
5115 
5116 static void msg_msg_free_security(struct msg_msg *msg)
5117 {
5118 	struct msg_security_struct *msec = msg->security;
5119 
5120 	msg->security = NULL;
5121 	kfree(msec);
5122 }
5123 
5124 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5125 			u32 perms)
5126 {
5127 	struct ipc_security_struct *isec;
5128 	struct common_audit_data ad;
5129 	u32 sid = current_sid();
5130 
5131 	isec = ipc_perms->security;
5132 
5133 	ad.type = LSM_AUDIT_DATA_IPC;
5134 	ad.u.ipc_id = ipc_perms->key;
5135 
5136 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5137 }
5138 
5139 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5140 {
5141 	return msg_msg_alloc_security(msg);
5142 }
5143 
5144 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5145 {
5146 	msg_msg_free_security(msg);
5147 }
5148 
5149 /* message queue security operations */
5150 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5151 {
5152 	struct ipc_security_struct *isec;
5153 	struct common_audit_data ad;
5154 	u32 sid = current_sid();
5155 	int rc;
5156 
5157 	rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5158 	if (rc)
5159 		return rc;
5160 
5161 	isec = msq->q_perm.security;
5162 
5163 	ad.type = LSM_AUDIT_DATA_IPC;
5164 	ad.u.ipc_id = msq->q_perm.key;
5165 
5166 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5167 			  MSGQ__CREATE, &ad);
5168 	if (rc) {
5169 		ipc_free_security(&msq->q_perm);
5170 		return rc;
5171 	}
5172 	return 0;
5173 }
5174 
5175 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5176 {
5177 	ipc_free_security(&msq->q_perm);
5178 }
5179 
5180 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5181 {
5182 	struct ipc_security_struct *isec;
5183 	struct common_audit_data ad;
5184 	u32 sid = current_sid();
5185 
5186 	isec = msq->q_perm.security;
5187 
5188 	ad.type = LSM_AUDIT_DATA_IPC;
5189 	ad.u.ipc_id = msq->q_perm.key;
5190 
5191 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5192 			    MSGQ__ASSOCIATE, &ad);
5193 }
5194 
5195 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5196 {
5197 	int err;
5198 	int perms;
5199 
5200 	switch (cmd) {
5201 	case IPC_INFO:
5202 	case MSG_INFO:
5203 		/* No specific object, just general system-wide information. */
5204 		return task_has_system(current, SYSTEM__IPC_INFO);
5205 	case IPC_STAT:
5206 	case MSG_STAT:
5207 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5208 		break;
5209 	case IPC_SET:
5210 		perms = MSGQ__SETATTR;
5211 		break;
5212 	case IPC_RMID:
5213 		perms = MSGQ__DESTROY;
5214 		break;
5215 	default:
5216 		return 0;
5217 	}
5218 
5219 	err = ipc_has_perm(&msq->q_perm, perms);
5220 	return err;
5221 }
5222 
5223 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5224 {
5225 	struct ipc_security_struct *isec;
5226 	struct msg_security_struct *msec;
5227 	struct common_audit_data ad;
5228 	u32 sid = current_sid();
5229 	int rc;
5230 
5231 	isec = msq->q_perm.security;
5232 	msec = msg->security;
5233 
5234 	/*
5235 	 * First time through, need to assign label to the message
5236 	 */
5237 	if (msec->sid == SECINITSID_UNLABELED) {
5238 		/*
5239 		 * Compute new sid based on current process and
5240 		 * message queue this message will be stored in
5241 		 */
5242 		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5243 					     NULL, &msec->sid);
5244 		if (rc)
5245 			return rc;
5246 	}
5247 
5248 	ad.type = LSM_AUDIT_DATA_IPC;
5249 	ad.u.ipc_id = msq->q_perm.key;
5250 
5251 	/* Can this process write to the queue? */
5252 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5253 			  MSGQ__WRITE, &ad);
5254 	if (!rc)
5255 		/* Can this process send the message */
5256 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5257 				  MSG__SEND, &ad);
5258 	if (!rc)
5259 		/* Can the message be put in the queue? */
5260 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5261 				  MSGQ__ENQUEUE, &ad);
5262 
5263 	return rc;
5264 }
5265 
5266 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5267 				    struct task_struct *target,
5268 				    long type, int mode)
5269 {
5270 	struct ipc_security_struct *isec;
5271 	struct msg_security_struct *msec;
5272 	struct common_audit_data ad;
5273 	u32 sid = task_sid(target);
5274 	int rc;
5275 
5276 	isec = msq->q_perm.security;
5277 	msec = msg->security;
5278 
5279 	ad.type = LSM_AUDIT_DATA_IPC;
5280 	ad.u.ipc_id = msq->q_perm.key;
5281 
5282 	rc = avc_has_perm(sid, isec->sid,
5283 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
5284 	if (!rc)
5285 		rc = avc_has_perm(sid, msec->sid,
5286 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
5287 	return rc;
5288 }
5289 
5290 /* Shared Memory security operations */
5291 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5292 {
5293 	struct ipc_security_struct *isec;
5294 	struct common_audit_data ad;
5295 	u32 sid = current_sid();
5296 	int rc;
5297 
5298 	rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5299 	if (rc)
5300 		return rc;
5301 
5302 	isec = shp->shm_perm.security;
5303 
5304 	ad.type = LSM_AUDIT_DATA_IPC;
5305 	ad.u.ipc_id = shp->shm_perm.key;
5306 
5307 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5308 			  SHM__CREATE, &ad);
5309 	if (rc) {
5310 		ipc_free_security(&shp->shm_perm);
5311 		return rc;
5312 	}
5313 	return 0;
5314 }
5315 
5316 static void selinux_shm_free_security(struct shmid_kernel *shp)
5317 {
5318 	ipc_free_security(&shp->shm_perm);
5319 }
5320 
5321 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5322 {
5323 	struct ipc_security_struct *isec;
5324 	struct common_audit_data ad;
5325 	u32 sid = current_sid();
5326 
5327 	isec = shp->shm_perm.security;
5328 
5329 	ad.type = LSM_AUDIT_DATA_IPC;
5330 	ad.u.ipc_id = shp->shm_perm.key;
5331 
5332 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5333 			    SHM__ASSOCIATE, &ad);
5334 }
5335 
5336 /* Note, at this point, shp is locked down */
5337 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5338 {
5339 	int perms;
5340 	int err;
5341 
5342 	switch (cmd) {
5343 	case IPC_INFO:
5344 	case SHM_INFO:
5345 		/* No specific object, just general system-wide information. */
5346 		return task_has_system(current, SYSTEM__IPC_INFO);
5347 	case IPC_STAT:
5348 	case SHM_STAT:
5349 		perms = SHM__GETATTR | SHM__ASSOCIATE;
5350 		break;
5351 	case IPC_SET:
5352 		perms = SHM__SETATTR;
5353 		break;
5354 	case SHM_LOCK:
5355 	case SHM_UNLOCK:
5356 		perms = SHM__LOCK;
5357 		break;
5358 	case IPC_RMID:
5359 		perms = SHM__DESTROY;
5360 		break;
5361 	default:
5362 		return 0;
5363 	}
5364 
5365 	err = ipc_has_perm(&shp->shm_perm, perms);
5366 	return err;
5367 }
5368 
5369 static int selinux_shm_shmat(struct shmid_kernel *shp,
5370 			     char __user *shmaddr, int shmflg)
5371 {
5372 	u32 perms;
5373 
5374 	if (shmflg & SHM_RDONLY)
5375 		perms = SHM__READ;
5376 	else
5377 		perms = SHM__READ | SHM__WRITE;
5378 
5379 	return ipc_has_perm(&shp->shm_perm, perms);
5380 }
5381 
5382 /* Semaphore security operations */
5383 static int selinux_sem_alloc_security(struct sem_array *sma)
5384 {
5385 	struct ipc_security_struct *isec;
5386 	struct common_audit_data ad;
5387 	u32 sid = current_sid();
5388 	int rc;
5389 
5390 	rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5391 	if (rc)
5392 		return rc;
5393 
5394 	isec = sma->sem_perm.security;
5395 
5396 	ad.type = LSM_AUDIT_DATA_IPC;
5397 	ad.u.ipc_id = sma->sem_perm.key;
5398 
5399 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5400 			  SEM__CREATE, &ad);
5401 	if (rc) {
5402 		ipc_free_security(&sma->sem_perm);
5403 		return rc;
5404 	}
5405 	return 0;
5406 }
5407 
5408 static void selinux_sem_free_security(struct sem_array *sma)
5409 {
5410 	ipc_free_security(&sma->sem_perm);
5411 }
5412 
5413 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5414 {
5415 	struct ipc_security_struct *isec;
5416 	struct common_audit_data ad;
5417 	u32 sid = current_sid();
5418 
5419 	isec = sma->sem_perm.security;
5420 
5421 	ad.type = LSM_AUDIT_DATA_IPC;
5422 	ad.u.ipc_id = sma->sem_perm.key;
5423 
5424 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5425 			    SEM__ASSOCIATE, &ad);
5426 }
5427 
5428 /* Note, at this point, sma is locked down */
5429 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5430 {
5431 	int err;
5432 	u32 perms;
5433 
5434 	switch (cmd) {
5435 	case IPC_INFO:
5436 	case SEM_INFO:
5437 		/* No specific object, just general system-wide information. */
5438 		return task_has_system(current, SYSTEM__IPC_INFO);
5439 	case GETPID:
5440 	case GETNCNT:
5441 	case GETZCNT:
5442 		perms = SEM__GETATTR;
5443 		break;
5444 	case GETVAL:
5445 	case GETALL:
5446 		perms = SEM__READ;
5447 		break;
5448 	case SETVAL:
5449 	case SETALL:
5450 		perms = SEM__WRITE;
5451 		break;
5452 	case IPC_RMID:
5453 		perms = SEM__DESTROY;
5454 		break;
5455 	case IPC_SET:
5456 		perms = SEM__SETATTR;
5457 		break;
5458 	case IPC_STAT:
5459 	case SEM_STAT:
5460 		perms = SEM__GETATTR | SEM__ASSOCIATE;
5461 		break;
5462 	default:
5463 		return 0;
5464 	}
5465 
5466 	err = ipc_has_perm(&sma->sem_perm, perms);
5467 	return err;
5468 }
5469 
5470 static int selinux_sem_semop(struct sem_array *sma,
5471 			     struct sembuf *sops, unsigned nsops, int alter)
5472 {
5473 	u32 perms;
5474 
5475 	if (alter)
5476 		perms = SEM__READ | SEM__WRITE;
5477 	else
5478 		perms = SEM__READ;
5479 
5480 	return ipc_has_perm(&sma->sem_perm, perms);
5481 }
5482 
5483 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5484 {
5485 	u32 av = 0;
5486 
5487 	av = 0;
5488 	if (flag & S_IRUGO)
5489 		av |= IPC__UNIX_READ;
5490 	if (flag & S_IWUGO)
5491 		av |= IPC__UNIX_WRITE;
5492 
5493 	if (av == 0)
5494 		return 0;
5495 
5496 	return ipc_has_perm(ipcp, av);
5497 }
5498 
5499 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5500 {
5501 	struct ipc_security_struct *isec = ipcp->security;
5502 	*secid = isec->sid;
5503 }
5504 
5505 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5506 {
5507 	if (inode)
5508 		inode_doinit_with_dentry(inode, dentry);
5509 }
5510 
5511 static int selinux_getprocattr(struct task_struct *p,
5512 			       char *name, char **value)
5513 {
5514 	const struct task_security_struct *__tsec;
5515 	u32 sid;
5516 	int error;
5517 	unsigned len;
5518 
5519 	if (current != p) {
5520 		error = current_has_perm(p, PROCESS__GETATTR);
5521 		if (error)
5522 			return error;
5523 	}
5524 
5525 	rcu_read_lock();
5526 	__tsec = __task_cred(p)->security;
5527 
5528 	if (!strcmp(name, "current"))
5529 		sid = __tsec->sid;
5530 	else if (!strcmp(name, "prev"))
5531 		sid = __tsec->osid;
5532 	else if (!strcmp(name, "exec"))
5533 		sid = __tsec->exec_sid;
5534 	else if (!strcmp(name, "fscreate"))
5535 		sid = __tsec->create_sid;
5536 	else if (!strcmp(name, "keycreate"))
5537 		sid = __tsec->keycreate_sid;
5538 	else if (!strcmp(name, "sockcreate"))
5539 		sid = __tsec->sockcreate_sid;
5540 	else
5541 		goto invalid;
5542 	rcu_read_unlock();
5543 
5544 	if (!sid)
5545 		return 0;
5546 
5547 	error = security_sid_to_context(sid, value, &len);
5548 	if (error)
5549 		return error;
5550 	return len;
5551 
5552 invalid:
5553 	rcu_read_unlock();
5554 	return -EINVAL;
5555 }
5556 
5557 static int selinux_setprocattr(struct task_struct *p,
5558 			       char *name, void *value, size_t size)
5559 {
5560 	struct task_security_struct *tsec;
5561 	struct task_struct *tracer;
5562 	struct cred *new;
5563 	u32 sid = 0, ptsid;
5564 	int error;
5565 	char *str = value;
5566 
5567 	if (current != p) {
5568 		/* SELinux only allows a process to change its own
5569 		   security attributes. */
5570 		return -EACCES;
5571 	}
5572 
5573 	/*
5574 	 * Basic control over ability to set these attributes at all.
5575 	 * current == p, but we'll pass them separately in case the
5576 	 * above restriction is ever removed.
5577 	 */
5578 	if (!strcmp(name, "exec"))
5579 		error = current_has_perm(p, PROCESS__SETEXEC);
5580 	else if (!strcmp(name, "fscreate"))
5581 		error = current_has_perm(p, PROCESS__SETFSCREATE);
5582 	else if (!strcmp(name, "keycreate"))
5583 		error = current_has_perm(p, PROCESS__SETKEYCREATE);
5584 	else if (!strcmp(name, "sockcreate"))
5585 		error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5586 	else if (!strcmp(name, "current"))
5587 		error = current_has_perm(p, PROCESS__SETCURRENT);
5588 	else
5589 		error = -EINVAL;
5590 	if (error)
5591 		return error;
5592 
5593 	/* Obtain a SID for the context, if one was specified. */
5594 	if (size && str[1] && str[1] != '\n') {
5595 		if (str[size-1] == '\n') {
5596 			str[size-1] = 0;
5597 			size--;
5598 		}
5599 		error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5600 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5601 			if (!capable(CAP_MAC_ADMIN)) {
5602 				struct audit_buffer *ab;
5603 				size_t audit_size;
5604 
5605 				/* We strip a nul only if it is at the end, otherwise the
5606 				 * context contains a nul and we should audit that */
5607 				if (str[size - 1] == '\0')
5608 					audit_size = size - 1;
5609 				else
5610 					audit_size = size;
5611 				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5612 				audit_log_format(ab, "op=fscreate invalid_context=");
5613 				audit_log_n_untrustedstring(ab, value, audit_size);
5614 				audit_log_end(ab);
5615 
5616 				return error;
5617 			}
5618 			error = security_context_to_sid_force(value, size,
5619 							      &sid);
5620 		}
5621 		if (error)
5622 			return error;
5623 	}
5624 
5625 	new = prepare_creds();
5626 	if (!new)
5627 		return -ENOMEM;
5628 
5629 	/* Permission checking based on the specified context is
5630 	   performed during the actual operation (execve,
5631 	   open/mkdir/...), when we know the full context of the
5632 	   operation.  See selinux_bprm_set_creds for the execve
5633 	   checks and may_create for the file creation checks. The
5634 	   operation will then fail if the context is not permitted. */
5635 	tsec = new->security;
5636 	if (!strcmp(name, "exec")) {
5637 		tsec->exec_sid = sid;
5638 	} else if (!strcmp(name, "fscreate")) {
5639 		tsec->create_sid = sid;
5640 	} else if (!strcmp(name, "keycreate")) {
5641 		error = may_create_key(sid, p);
5642 		if (error)
5643 			goto abort_change;
5644 		tsec->keycreate_sid = sid;
5645 	} else if (!strcmp(name, "sockcreate")) {
5646 		tsec->sockcreate_sid = sid;
5647 	} else if (!strcmp(name, "current")) {
5648 		error = -EINVAL;
5649 		if (sid == 0)
5650 			goto abort_change;
5651 
5652 		/* Only allow single threaded processes to change context */
5653 		error = -EPERM;
5654 		if (!current_is_single_threaded()) {
5655 			error = security_bounded_transition(tsec->sid, sid);
5656 			if (error)
5657 				goto abort_change;
5658 		}
5659 
5660 		/* Check permissions for the transition. */
5661 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5662 				     PROCESS__DYNTRANSITION, NULL);
5663 		if (error)
5664 			goto abort_change;
5665 
5666 		/* Check for ptracing, and update the task SID if ok.
5667 		   Otherwise, leave SID unchanged and fail. */
5668 		ptsid = 0;
5669 		rcu_read_lock();
5670 		tracer = ptrace_parent(p);
5671 		if (tracer)
5672 			ptsid = task_sid(tracer);
5673 		rcu_read_unlock();
5674 
5675 		if (tracer) {
5676 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5677 					     PROCESS__PTRACE, NULL);
5678 			if (error)
5679 				goto abort_change;
5680 		}
5681 
5682 		tsec->sid = sid;
5683 	} else {
5684 		error = -EINVAL;
5685 		goto abort_change;
5686 	}
5687 
5688 	commit_creds(new);
5689 	return size;
5690 
5691 abort_change:
5692 	abort_creds(new);
5693 	return error;
5694 }
5695 
5696 static int selinux_ismaclabel(const char *name)
5697 {
5698 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5699 }
5700 
5701 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5702 {
5703 	return security_sid_to_context(secid, secdata, seclen);
5704 }
5705 
5706 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5707 {
5708 	return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5709 }
5710 
5711 static void selinux_release_secctx(char *secdata, u32 seclen)
5712 {
5713 	kfree(secdata);
5714 }
5715 
5716 /*
5717  *	called with inode->i_mutex locked
5718  */
5719 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5720 {
5721 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5722 }
5723 
5724 /*
5725  *	called with inode->i_mutex locked
5726  */
5727 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5728 {
5729 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5730 }
5731 
5732 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5733 {
5734 	int len = 0;
5735 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5736 						ctx, true);
5737 	if (len < 0)
5738 		return len;
5739 	*ctxlen = len;
5740 	return 0;
5741 }
5742 #ifdef CONFIG_KEYS
5743 
5744 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5745 			     unsigned long flags)
5746 {
5747 	const struct task_security_struct *tsec;
5748 	struct key_security_struct *ksec;
5749 
5750 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5751 	if (!ksec)
5752 		return -ENOMEM;
5753 
5754 	tsec = cred->security;
5755 	if (tsec->keycreate_sid)
5756 		ksec->sid = tsec->keycreate_sid;
5757 	else
5758 		ksec->sid = tsec->sid;
5759 
5760 	k->security = ksec;
5761 	return 0;
5762 }
5763 
5764 static void selinux_key_free(struct key *k)
5765 {
5766 	struct key_security_struct *ksec = k->security;
5767 
5768 	k->security = NULL;
5769 	kfree(ksec);
5770 }
5771 
5772 static int selinux_key_permission(key_ref_t key_ref,
5773 				  const struct cred *cred,
5774 				  unsigned perm)
5775 {
5776 	struct key *key;
5777 	struct key_security_struct *ksec;
5778 	u32 sid;
5779 
5780 	/* if no specific permissions are requested, we skip the
5781 	   permission check. No serious, additional covert channels
5782 	   appear to be created. */
5783 	if (perm == 0)
5784 		return 0;
5785 
5786 	sid = cred_sid(cred);
5787 
5788 	key = key_ref_to_ptr(key_ref);
5789 	ksec = key->security;
5790 
5791 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5792 }
5793 
5794 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5795 {
5796 	struct key_security_struct *ksec = key->security;
5797 	char *context = NULL;
5798 	unsigned len;
5799 	int rc;
5800 
5801 	rc = security_sid_to_context(ksec->sid, &context, &len);
5802 	if (!rc)
5803 		rc = len;
5804 	*_buffer = context;
5805 	return rc;
5806 }
5807 
5808 #endif
5809 
5810 static struct security_operations selinux_ops = {
5811 	.name =				"selinux",
5812 
5813 	.ptrace_access_check =		selinux_ptrace_access_check,
5814 	.ptrace_traceme =		selinux_ptrace_traceme,
5815 	.capget =			selinux_capget,
5816 	.capset =			selinux_capset,
5817 	.capable =			selinux_capable,
5818 	.quotactl =			selinux_quotactl,
5819 	.quota_on =			selinux_quota_on,
5820 	.syslog =			selinux_syslog,
5821 	.vm_enough_memory =		selinux_vm_enough_memory,
5822 
5823 	.netlink_send =			selinux_netlink_send,
5824 
5825 	.bprm_set_creds =		selinux_bprm_set_creds,
5826 	.bprm_committing_creds =	selinux_bprm_committing_creds,
5827 	.bprm_committed_creds =		selinux_bprm_committed_creds,
5828 	.bprm_secureexec =		selinux_bprm_secureexec,
5829 
5830 	.sb_alloc_security =		selinux_sb_alloc_security,
5831 	.sb_free_security =		selinux_sb_free_security,
5832 	.sb_copy_data =			selinux_sb_copy_data,
5833 	.sb_remount =			selinux_sb_remount,
5834 	.sb_kern_mount =		selinux_sb_kern_mount,
5835 	.sb_show_options =		selinux_sb_show_options,
5836 	.sb_statfs =			selinux_sb_statfs,
5837 	.sb_mount =			selinux_mount,
5838 	.sb_umount =			selinux_umount,
5839 	.sb_set_mnt_opts =		selinux_set_mnt_opts,
5840 	.sb_clone_mnt_opts =		selinux_sb_clone_mnt_opts,
5841 	.sb_parse_opts_str = 		selinux_parse_opts_str,
5842 
5843 	.dentry_init_security =		selinux_dentry_init_security,
5844 
5845 	.inode_alloc_security =		selinux_inode_alloc_security,
5846 	.inode_free_security =		selinux_inode_free_security,
5847 	.inode_init_security =		selinux_inode_init_security,
5848 	.inode_create =			selinux_inode_create,
5849 	.inode_link =			selinux_inode_link,
5850 	.inode_unlink =			selinux_inode_unlink,
5851 	.inode_symlink =		selinux_inode_symlink,
5852 	.inode_mkdir =			selinux_inode_mkdir,
5853 	.inode_rmdir =			selinux_inode_rmdir,
5854 	.inode_mknod =			selinux_inode_mknod,
5855 	.inode_rename =			selinux_inode_rename,
5856 	.inode_readlink =		selinux_inode_readlink,
5857 	.inode_follow_link =		selinux_inode_follow_link,
5858 	.inode_permission =		selinux_inode_permission,
5859 	.inode_setattr =		selinux_inode_setattr,
5860 	.inode_getattr =		selinux_inode_getattr,
5861 	.inode_setxattr =		selinux_inode_setxattr,
5862 	.inode_post_setxattr =		selinux_inode_post_setxattr,
5863 	.inode_getxattr =		selinux_inode_getxattr,
5864 	.inode_listxattr =		selinux_inode_listxattr,
5865 	.inode_removexattr =		selinux_inode_removexattr,
5866 	.inode_getsecurity =		selinux_inode_getsecurity,
5867 	.inode_setsecurity =		selinux_inode_setsecurity,
5868 	.inode_listsecurity =		selinux_inode_listsecurity,
5869 	.inode_getsecid =		selinux_inode_getsecid,
5870 
5871 	.file_permission =		selinux_file_permission,
5872 	.file_alloc_security =		selinux_file_alloc_security,
5873 	.file_free_security =		selinux_file_free_security,
5874 	.file_ioctl =			selinux_file_ioctl,
5875 	.mmap_file =			selinux_mmap_file,
5876 	.mmap_addr =			selinux_mmap_addr,
5877 	.file_mprotect =		selinux_file_mprotect,
5878 	.file_lock =			selinux_file_lock,
5879 	.file_fcntl =			selinux_file_fcntl,
5880 	.file_set_fowner =		selinux_file_set_fowner,
5881 	.file_send_sigiotask =		selinux_file_send_sigiotask,
5882 	.file_receive =			selinux_file_receive,
5883 
5884 	.file_open =			selinux_file_open,
5885 
5886 	.task_create =			selinux_task_create,
5887 	.cred_alloc_blank =		selinux_cred_alloc_blank,
5888 	.cred_free =			selinux_cred_free,
5889 	.cred_prepare =			selinux_cred_prepare,
5890 	.cred_transfer =		selinux_cred_transfer,
5891 	.kernel_act_as =		selinux_kernel_act_as,
5892 	.kernel_create_files_as =	selinux_kernel_create_files_as,
5893 	.kernel_module_request =	selinux_kernel_module_request,
5894 	.task_setpgid =			selinux_task_setpgid,
5895 	.task_getpgid =			selinux_task_getpgid,
5896 	.task_getsid =			selinux_task_getsid,
5897 	.task_getsecid =		selinux_task_getsecid,
5898 	.task_setnice =			selinux_task_setnice,
5899 	.task_setioprio =		selinux_task_setioprio,
5900 	.task_getioprio =		selinux_task_getioprio,
5901 	.task_setrlimit =		selinux_task_setrlimit,
5902 	.task_setscheduler =		selinux_task_setscheduler,
5903 	.task_getscheduler =		selinux_task_getscheduler,
5904 	.task_movememory =		selinux_task_movememory,
5905 	.task_kill =			selinux_task_kill,
5906 	.task_wait =			selinux_task_wait,
5907 	.task_to_inode =		selinux_task_to_inode,
5908 
5909 	.ipc_permission =		selinux_ipc_permission,
5910 	.ipc_getsecid =			selinux_ipc_getsecid,
5911 
5912 	.msg_msg_alloc_security =	selinux_msg_msg_alloc_security,
5913 	.msg_msg_free_security =	selinux_msg_msg_free_security,
5914 
5915 	.msg_queue_alloc_security =	selinux_msg_queue_alloc_security,
5916 	.msg_queue_free_security =	selinux_msg_queue_free_security,
5917 	.msg_queue_associate =		selinux_msg_queue_associate,
5918 	.msg_queue_msgctl =		selinux_msg_queue_msgctl,
5919 	.msg_queue_msgsnd =		selinux_msg_queue_msgsnd,
5920 	.msg_queue_msgrcv =		selinux_msg_queue_msgrcv,
5921 
5922 	.shm_alloc_security =		selinux_shm_alloc_security,
5923 	.shm_free_security =		selinux_shm_free_security,
5924 	.shm_associate =		selinux_shm_associate,
5925 	.shm_shmctl =			selinux_shm_shmctl,
5926 	.shm_shmat =			selinux_shm_shmat,
5927 
5928 	.sem_alloc_security =		selinux_sem_alloc_security,
5929 	.sem_free_security =		selinux_sem_free_security,
5930 	.sem_associate =		selinux_sem_associate,
5931 	.sem_semctl =			selinux_sem_semctl,
5932 	.sem_semop =			selinux_sem_semop,
5933 
5934 	.d_instantiate =		selinux_d_instantiate,
5935 
5936 	.getprocattr =			selinux_getprocattr,
5937 	.setprocattr =			selinux_setprocattr,
5938 
5939 	.ismaclabel =			selinux_ismaclabel,
5940 	.secid_to_secctx =		selinux_secid_to_secctx,
5941 	.secctx_to_secid =		selinux_secctx_to_secid,
5942 	.release_secctx =		selinux_release_secctx,
5943 	.inode_notifysecctx =		selinux_inode_notifysecctx,
5944 	.inode_setsecctx =		selinux_inode_setsecctx,
5945 	.inode_getsecctx =		selinux_inode_getsecctx,
5946 
5947 	.unix_stream_connect =		selinux_socket_unix_stream_connect,
5948 	.unix_may_send =		selinux_socket_unix_may_send,
5949 
5950 	.socket_create =		selinux_socket_create,
5951 	.socket_post_create =		selinux_socket_post_create,
5952 	.socket_bind =			selinux_socket_bind,
5953 	.socket_connect =		selinux_socket_connect,
5954 	.socket_listen =		selinux_socket_listen,
5955 	.socket_accept =		selinux_socket_accept,
5956 	.socket_sendmsg =		selinux_socket_sendmsg,
5957 	.socket_recvmsg =		selinux_socket_recvmsg,
5958 	.socket_getsockname =		selinux_socket_getsockname,
5959 	.socket_getpeername =		selinux_socket_getpeername,
5960 	.socket_getsockopt =		selinux_socket_getsockopt,
5961 	.socket_setsockopt =		selinux_socket_setsockopt,
5962 	.socket_shutdown =		selinux_socket_shutdown,
5963 	.socket_sock_rcv_skb =		selinux_socket_sock_rcv_skb,
5964 	.socket_getpeersec_stream =	selinux_socket_getpeersec_stream,
5965 	.socket_getpeersec_dgram =	selinux_socket_getpeersec_dgram,
5966 	.sk_alloc_security =		selinux_sk_alloc_security,
5967 	.sk_free_security =		selinux_sk_free_security,
5968 	.sk_clone_security =		selinux_sk_clone_security,
5969 	.sk_getsecid =			selinux_sk_getsecid,
5970 	.sock_graft =			selinux_sock_graft,
5971 	.inet_conn_request =		selinux_inet_conn_request,
5972 	.inet_csk_clone =		selinux_inet_csk_clone,
5973 	.inet_conn_established =	selinux_inet_conn_established,
5974 	.secmark_relabel_packet =	selinux_secmark_relabel_packet,
5975 	.secmark_refcount_inc =		selinux_secmark_refcount_inc,
5976 	.secmark_refcount_dec =		selinux_secmark_refcount_dec,
5977 	.req_classify_flow =		selinux_req_classify_flow,
5978 	.tun_dev_alloc_security =	selinux_tun_dev_alloc_security,
5979 	.tun_dev_free_security =	selinux_tun_dev_free_security,
5980 	.tun_dev_create =		selinux_tun_dev_create,
5981 	.tun_dev_attach_queue =		selinux_tun_dev_attach_queue,
5982 	.tun_dev_attach =		selinux_tun_dev_attach,
5983 	.tun_dev_open =			selinux_tun_dev_open,
5984 	.skb_owned_by =			selinux_skb_owned_by,
5985 
5986 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5987 	.xfrm_policy_alloc_security =	selinux_xfrm_policy_alloc,
5988 	.xfrm_policy_clone_security =	selinux_xfrm_policy_clone,
5989 	.xfrm_policy_free_security =	selinux_xfrm_policy_free,
5990 	.xfrm_policy_delete_security =	selinux_xfrm_policy_delete,
5991 	.xfrm_state_alloc =		selinux_xfrm_state_alloc,
5992 	.xfrm_state_alloc_acquire =	selinux_xfrm_state_alloc_acquire,
5993 	.xfrm_state_free_security =	selinux_xfrm_state_free,
5994 	.xfrm_state_delete_security =	selinux_xfrm_state_delete,
5995 	.xfrm_policy_lookup =		selinux_xfrm_policy_lookup,
5996 	.xfrm_state_pol_flow_match =	selinux_xfrm_state_pol_flow_match,
5997 	.xfrm_decode_session =		selinux_xfrm_decode_session,
5998 #endif
5999 
6000 #ifdef CONFIG_KEYS
6001 	.key_alloc =			selinux_key_alloc,
6002 	.key_free =			selinux_key_free,
6003 	.key_permission =		selinux_key_permission,
6004 	.key_getsecurity =		selinux_key_getsecurity,
6005 #endif
6006 
6007 #ifdef CONFIG_AUDIT
6008 	.audit_rule_init =		selinux_audit_rule_init,
6009 	.audit_rule_known =		selinux_audit_rule_known,
6010 	.audit_rule_match =		selinux_audit_rule_match,
6011 	.audit_rule_free =		selinux_audit_rule_free,
6012 #endif
6013 };
6014 
6015 static __init int selinux_init(void)
6016 {
6017 	if (!security_module_enable(&selinux_ops)) {
6018 		selinux_enabled = 0;
6019 		return 0;
6020 	}
6021 
6022 	if (!selinux_enabled) {
6023 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
6024 		return 0;
6025 	}
6026 
6027 	printk(KERN_INFO "SELinux:  Initializing.\n");
6028 
6029 	/* Set the security state for the initial task. */
6030 	cred_init_security();
6031 
6032 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6033 
6034 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
6035 					    sizeof(struct inode_security_struct),
6036 					    0, SLAB_PANIC, NULL);
6037 	avc_init();
6038 
6039 	if (register_security(&selinux_ops))
6040 		panic("SELinux: Unable to register with kernel.\n");
6041 
6042 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6043 		panic("SELinux: Unable to register AVC netcache callback\n");
6044 
6045 	if (selinux_enforcing)
6046 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6047 	else
6048 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6049 
6050 	return 0;
6051 }
6052 
6053 static void delayed_superblock_init(struct super_block *sb, void *unused)
6054 {
6055 	superblock_doinit(sb, NULL);
6056 }
6057 
6058 void selinux_complete_init(void)
6059 {
6060 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6061 
6062 	/* Set up any superblocks initialized prior to the policy load. */
6063 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6064 	iterate_supers(delayed_superblock_init, NULL);
6065 }
6066 
6067 /* SELinux requires early initialization in order to label
6068    all processes and objects when they are created. */
6069 security_initcall(selinux_init);
6070 
6071 #if defined(CONFIG_NETFILTER)
6072 
6073 static struct nf_hook_ops selinux_nf_ops[] = {
6074 	{
6075 		.hook =		selinux_ipv4_postroute,
6076 		.owner =	THIS_MODULE,
6077 		.pf =		NFPROTO_IPV4,
6078 		.hooknum =	NF_INET_POST_ROUTING,
6079 		.priority =	NF_IP_PRI_SELINUX_LAST,
6080 	},
6081 	{
6082 		.hook =		selinux_ipv4_forward,
6083 		.owner =	THIS_MODULE,
6084 		.pf =		NFPROTO_IPV4,
6085 		.hooknum =	NF_INET_FORWARD,
6086 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6087 	},
6088 	{
6089 		.hook =		selinux_ipv4_output,
6090 		.owner =	THIS_MODULE,
6091 		.pf =		NFPROTO_IPV4,
6092 		.hooknum =	NF_INET_LOCAL_OUT,
6093 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6094 	},
6095 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6096 	{
6097 		.hook =		selinux_ipv6_postroute,
6098 		.owner =	THIS_MODULE,
6099 		.pf =		NFPROTO_IPV6,
6100 		.hooknum =	NF_INET_POST_ROUTING,
6101 		.priority =	NF_IP6_PRI_SELINUX_LAST,
6102 	},
6103 	{
6104 		.hook =		selinux_ipv6_forward,
6105 		.owner =	THIS_MODULE,
6106 		.pf =		NFPROTO_IPV6,
6107 		.hooknum =	NF_INET_FORWARD,
6108 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6109 	},
6110 #endif	/* IPV6 */
6111 };
6112 
6113 static int __init selinux_nf_ip_init(void)
6114 {
6115 	int err;
6116 
6117 	if (!selinux_enabled)
6118 		return 0;
6119 
6120 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6121 
6122 	err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6123 	if (err)
6124 		panic("SELinux: nf_register_hooks: error %d\n", err);
6125 
6126 	return 0;
6127 }
6128 
6129 __initcall(selinux_nf_ip_init);
6130 
6131 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6132 static void selinux_nf_ip_exit(void)
6133 {
6134 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6135 
6136 	nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6137 }
6138 #endif
6139 
6140 #else /* CONFIG_NETFILTER */
6141 
6142 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6143 #define selinux_nf_ip_exit()
6144 #endif
6145 
6146 #endif /* CONFIG_NETFILTER */
6147 
6148 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6149 static int selinux_disabled;
6150 
6151 int selinux_disable(void)
6152 {
6153 	if (ss_initialized) {
6154 		/* Not permitted after initial policy load. */
6155 		return -EINVAL;
6156 	}
6157 
6158 	if (selinux_disabled) {
6159 		/* Only do this once. */
6160 		return -EINVAL;
6161 	}
6162 
6163 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6164 
6165 	selinux_disabled = 1;
6166 	selinux_enabled = 0;
6167 
6168 	reset_security_ops();
6169 
6170 	/* Try to destroy the avc node cache */
6171 	avc_disable();
6172 
6173 	/* Unregister netfilter hooks. */
6174 	selinux_nf_ip_exit();
6175 
6176 	/* Unregister selinuxfs. */
6177 	exit_sel_fs();
6178 
6179 	return 0;
6180 }
6181 #endif
6182