xref: /openbmc/linux/security/selinux/selinuxfs.c (revision 981ab3f1)
1 /* Updated: Karl MacMillan <kmacmillan@tresys.com>
2  *
3  *	Added conditional policy language extensions
4  *
5  *  Updated: Hewlett-Packard <paul@paul-moore.com>
6  *
7  *	Added support for the policy capability bitmap
8  *
9  * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
10  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
11  * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
12  *	This program is free software; you can redistribute it and/or modify
13  *	it under the terms of the GNU General Public License as published by
14  *	the Free Software Foundation, version 2.
15  */
16 
17 #include <linux/kernel.h>
18 #include <linux/pagemap.h>
19 #include <linux/slab.h>
20 #include <linux/vmalloc.h>
21 #include <linux/fs.h>
22 #include <linux/mutex.h>
23 #include <linux/init.h>
24 #include <linux/string.h>
25 #include <linux/security.h>
26 #include <linux/major.h>
27 #include <linux/seq_file.h>
28 #include <linux/percpu.h>
29 #include <linux/audit.h>
30 #include <linux/uaccess.h>
31 #include <linux/kobject.h>
32 #include <linux/ctype.h>
33 
34 /* selinuxfs pseudo filesystem for exporting the security policy API.
35    Based on the proc code and the fs/nfsd/nfsctl.c code. */
36 
37 #include "flask.h"
38 #include "avc.h"
39 #include "avc_ss.h"
40 #include "security.h"
41 #include "objsec.h"
42 #include "conditional.h"
43 
44 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
45 
46 static int __init checkreqprot_setup(char *str)
47 {
48 	unsigned long checkreqprot;
49 	if (!kstrtoul(str, 0, &checkreqprot))
50 		selinux_checkreqprot = checkreqprot ? 1 : 0;
51 	return 1;
52 }
53 __setup("checkreqprot=", checkreqprot_setup);
54 
55 static DEFINE_MUTEX(sel_mutex);
56 
57 /* global data for booleans */
58 static struct dentry *bool_dir;
59 static int bool_num;
60 static char **bool_pending_names;
61 static int *bool_pending_values;
62 
63 /* global data for classes */
64 static struct dentry *class_dir;
65 static unsigned long last_class_ino;
66 
67 static char policy_opened;
68 
69 /* global data for policy capabilities */
70 static struct dentry *policycap_dir;
71 
72 enum sel_inos {
73 	SEL_ROOT_INO = 2,
74 	SEL_LOAD,	/* load policy */
75 	SEL_ENFORCE,	/* get or set enforcing status */
76 	SEL_CONTEXT,	/* validate context */
77 	SEL_ACCESS,	/* compute access decision */
78 	SEL_CREATE,	/* compute create labeling decision */
79 	SEL_RELABEL,	/* compute relabeling decision */
80 	SEL_USER,	/* compute reachable user contexts */
81 	SEL_POLICYVERS,	/* return policy version for this kernel */
82 	SEL_COMMIT_BOOLS, /* commit new boolean values */
83 	SEL_MLS,	/* return if MLS policy is enabled */
84 	SEL_DISABLE,	/* disable SELinux until next reboot */
85 	SEL_MEMBER,	/* compute polyinstantiation membership decision */
86 	SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
87 	SEL_COMPAT_NET,	/* whether to use old compat network packet controls */
88 	SEL_REJECT_UNKNOWN, /* export unknown reject handling to userspace */
89 	SEL_DENY_UNKNOWN, /* export unknown deny handling to userspace */
90 	SEL_STATUS,	/* export current status using mmap() */
91 	SEL_POLICY,	/* allow userspace to read the in kernel policy */
92 	SEL_VALIDATE_TRANS, /* compute validatetrans decision */
93 	SEL_INO_NEXT,	/* The next inode number to use */
94 };
95 
96 static unsigned long sel_last_ino = SEL_INO_NEXT - 1;
97 
98 #define SEL_INITCON_INO_OFFSET		0x01000000
99 #define SEL_BOOL_INO_OFFSET		0x02000000
100 #define SEL_CLASS_INO_OFFSET		0x04000000
101 #define SEL_POLICYCAP_INO_OFFSET	0x08000000
102 #define SEL_INO_MASK			0x00ffffff
103 
104 #define TMPBUFLEN	12
105 static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
106 				size_t count, loff_t *ppos)
107 {
108 	char tmpbuf[TMPBUFLEN];
109 	ssize_t length;
110 
111 	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_enforcing);
112 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
113 }
114 
115 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
116 static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
117 				 size_t count, loff_t *ppos)
118 
119 {
120 	char *page = NULL;
121 	ssize_t length;
122 	int new_value;
123 
124 	if (count >= PAGE_SIZE)
125 		return -ENOMEM;
126 
127 	/* No partial writes. */
128 	if (*ppos != 0)
129 		return -EINVAL;
130 
131 	page = memdup_user_nul(buf, count);
132 	if (IS_ERR(page))
133 		return PTR_ERR(page);
134 
135 	length = -EINVAL;
136 	if (sscanf(page, "%d", &new_value) != 1)
137 		goto out;
138 
139 	new_value = !!new_value;
140 
141 	if (new_value != selinux_enforcing) {
142 		length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
143 				      SECCLASS_SECURITY, SECURITY__SETENFORCE,
144 				      NULL);
145 		if (length)
146 			goto out;
147 		audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
148 			"enforcing=%d old_enforcing=%d auid=%u ses=%u",
149 			new_value, selinux_enforcing,
150 			from_kuid(&init_user_ns, audit_get_loginuid(current)),
151 			audit_get_sessionid(current));
152 		selinux_enforcing = new_value;
153 		if (selinux_enforcing)
154 			avc_ss_reset(0);
155 		selnl_notify_setenforce(selinux_enforcing);
156 		selinux_status_update_setenforce(selinux_enforcing);
157 		if (!selinux_enforcing)
158 			call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
159 	}
160 	length = count;
161 out:
162 	kfree(page);
163 	return length;
164 }
165 #else
166 #define sel_write_enforce NULL
167 #endif
168 
169 static const struct file_operations sel_enforce_ops = {
170 	.read		= sel_read_enforce,
171 	.write		= sel_write_enforce,
172 	.llseek		= generic_file_llseek,
173 };
174 
175 static ssize_t sel_read_handle_unknown(struct file *filp, char __user *buf,
176 					size_t count, loff_t *ppos)
177 {
178 	char tmpbuf[TMPBUFLEN];
179 	ssize_t length;
180 	ino_t ino = file_inode(filp)->i_ino;
181 	int handle_unknown = (ino == SEL_REJECT_UNKNOWN) ?
182 		security_get_reject_unknown() : !security_get_allow_unknown();
183 
184 	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", handle_unknown);
185 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
186 }
187 
188 static const struct file_operations sel_handle_unknown_ops = {
189 	.read		= sel_read_handle_unknown,
190 	.llseek		= generic_file_llseek,
191 };
192 
193 static int sel_open_handle_status(struct inode *inode, struct file *filp)
194 {
195 	struct page    *status = selinux_kernel_status_page();
196 
197 	if (!status)
198 		return -ENOMEM;
199 
200 	filp->private_data = status;
201 
202 	return 0;
203 }
204 
205 static ssize_t sel_read_handle_status(struct file *filp, char __user *buf,
206 				      size_t count, loff_t *ppos)
207 {
208 	struct page    *status = filp->private_data;
209 
210 	BUG_ON(!status);
211 
212 	return simple_read_from_buffer(buf, count, ppos,
213 				       page_address(status),
214 				       sizeof(struct selinux_kernel_status));
215 }
216 
217 static int sel_mmap_handle_status(struct file *filp,
218 				  struct vm_area_struct *vma)
219 {
220 	struct page    *status = filp->private_data;
221 	unsigned long	size = vma->vm_end - vma->vm_start;
222 
223 	BUG_ON(!status);
224 
225 	/* only allows one page from the head */
226 	if (vma->vm_pgoff > 0 || size != PAGE_SIZE)
227 		return -EIO;
228 	/* disallow writable mapping */
229 	if (vma->vm_flags & VM_WRITE)
230 		return -EPERM;
231 	/* disallow mprotect() turns it into writable */
232 	vma->vm_flags &= ~VM_MAYWRITE;
233 
234 	return remap_pfn_range(vma, vma->vm_start,
235 			       page_to_pfn(status),
236 			       size, vma->vm_page_prot);
237 }
238 
239 static const struct file_operations sel_handle_status_ops = {
240 	.open		= sel_open_handle_status,
241 	.read		= sel_read_handle_status,
242 	.mmap		= sel_mmap_handle_status,
243 	.llseek		= generic_file_llseek,
244 };
245 
246 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
247 static ssize_t sel_write_disable(struct file *file, const char __user *buf,
248 				 size_t count, loff_t *ppos)
249 
250 {
251 	char *page;
252 	ssize_t length;
253 	int new_value;
254 
255 	if (count >= PAGE_SIZE)
256 		return -ENOMEM;
257 
258 	/* No partial writes. */
259 	if (*ppos != 0)
260 		return -EINVAL;
261 
262 	page = memdup_user_nul(buf, count);
263 	if (IS_ERR(page))
264 		return PTR_ERR(page);
265 
266 	length = -EINVAL;
267 	if (sscanf(page, "%d", &new_value) != 1)
268 		goto out;
269 
270 	if (new_value) {
271 		length = selinux_disable();
272 		if (length)
273 			goto out;
274 		audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
275 			"selinux=0 auid=%u ses=%u",
276 			from_kuid(&init_user_ns, audit_get_loginuid(current)),
277 			audit_get_sessionid(current));
278 	}
279 
280 	length = count;
281 out:
282 	kfree(page);
283 	return length;
284 }
285 #else
286 #define sel_write_disable NULL
287 #endif
288 
289 static const struct file_operations sel_disable_ops = {
290 	.write		= sel_write_disable,
291 	.llseek		= generic_file_llseek,
292 };
293 
294 static ssize_t sel_read_policyvers(struct file *filp, char __user *buf,
295 				   size_t count, loff_t *ppos)
296 {
297 	char tmpbuf[TMPBUFLEN];
298 	ssize_t length;
299 
300 	length = scnprintf(tmpbuf, TMPBUFLEN, "%u", POLICYDB_VERSION_MAX);
301 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
302 }
303 
304 static const struct file_operations sel_policyvers_ops = {
305 	.read		= sel_read_policyvers,
306 	.llseek		= generic_file_llseek,
307 };
308 
309 /* declaration for sel_write_load */
310 static int sel_make_bools(void);
311 static int sel_make_classes(void);
312 static int sel_make_policycap(void);
313 
314 /* declaration for sel_make_class_dirs */
315 static struct dentry *sel_make_dir(struct dentry *dir, const char *name,
316 			unsigned long *ino);
317 
318 static ssize_t sel_read_mls(struct file *filp, char __user *buf,
319 				size_t count, loff_t *ppos)
320 {
321 	char tmpbuf[TMPBUFLEN];
322 	ssize_t length;
323 
324 	length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
325 			   security_mls_enabled());
326 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
327 }
328 
329 static const struct file_operations sel_mls_ops = {
330 	.read		= sel_read_mls,
331 	.llseek		= generic_file_llseek,
332 };
333 
334 struct policy_load_memory {
335 	size_t len;
336 	void *data;
337 };
338 
339 static int sel_open_policy(struct inode *inode, struct file *filp)
340 {
341 	struct policy_load_memory *plm = NULL;
342 	int rc;
343 
344 	BUG_ON(filp->private_data);
345 
346 	mutex_lock(&sel_mutex);
347 
348 	rc = avc_has_perm(current_sid(), SECINITSID_SECURITY,
349 			  SECCLASS_SECURITY, SECURITY__READ_POLICY, NULL);
350 	if (rc)
351 		goto err;
352 
353 	rc = -EBUSY;
354 	if (policy_opened)
355 		goto err;
356 
357 	rc = -ENOMEM;
358 	plm = kzalloc(sizeof(*plm), GFP_KERNEL);
359 	if (!plm)
360 		goto err;
361 
362 	if (i_size_read(inode) != security_policydb_len()) {
363 		inode_lock(inode);
364 		i_size_write(inode, security_policydb_len());
365 		inode_unlock(inode);
366 	}
367 
368 	rc = security_read_policy(&plm->data, &plm->len);
369 	if (rc)
370 		goto err;
371 
372 	policy_opened = 1;
373 
374 	filp->private_data = plm;
375 
376 	mutex_unlock(&sel_mutex);
377 
378 	return 0;
379 err:
380 	mutex_unlock(&sel_mutex);
381 
382 	if (plm)
383 		vfree(plm->data);
384 	kfree(plm);
385 	return rc;
386 }
387 
388 static int sel_release_policy(struct inode *inode, struct file *filp)
389 {
390 	struct policy_load_memory *plm = filp->private_data;
391 
392 	BUG_ON(!plm);
393 
394 	policy_opened = 0;
395 
396 	vfree(plm->data);
397 	kfree(plm);
398 
399 	return 0;
400 }
401 
402 static ssize_t sel_read_policy(struct file *filp, char __user *buf,
403 			       size_t count, loff_t *ppos)
404 {
405 	struct policy_load_memory *plm = filp->private_data;
406 	int ret;
407 
408 	mutex_lock(&sel_mutex);
409 
410 	ret = avc_has_perm(current_sid(), SECINITSID_SECURITY,
411 			  SECCLASS_SECURITY, SECURITY__READ_POLICY, NULL);
412 	if (ret)
413 		goto out;
414 
415 	ret = simple_read_from_buffer(buf, count, ppos, plm->data, plm->len);
416 out:
417 	mutex_unlock(&sel_mutex);
418 	return ret;
419 }
420 
421 static int sel_mmap_policy_fault(struct vm_fault *vmf)
422 {
423 	struct policy_load_memory *plm = vmf->vma->vm_file->private_data;
424 	unsigned long offset;
425 	struct page *page;
426 
427 	if (vmf->flags & (FAULT_FLAG_MKWRITE | FAULT_FLAG_WRITE))
428 		return VM_FAULT_SIGBUS;
429 
430 	offset = vmf->pgoff << PAGE_SHIFT;
431 	if (offset >= roundup(plm->len, PAGE_SIZE))
432 		return VM_FAULT_SIGBUS;
433 
434 	page = vmalloc_to_page(plm->data + offset);
435 	get_page(page);
436 
437 	vmf->page = page;
438 
439 	return 0;
440 }
441 
442 static const struct vm_operations_struct sel_mmap_policy_ops = {
443 	.fault = sel_mmap_policy_fault,
444 	.page_mkwrite = sel_mmap_policy_fault,
445 };
446 
447 static int sel_mmap_policy(struct file *filp, struct vm_area_struct *vma)
448 {
449 	if (vma->vm_flags & VM_SHARED) {
450 		/* do not allow mprotect to make mapping writable */
451 		vma->vm_flags &= ~VM_MAYWRITE;
452 
453 		if (vma->vm_flags & VM_WRITE)
454 			return -EACCES;
455 	}
456 
457 	vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
458 	vma->vm_ops = &sel_mmap_policy_ops;
459 
460 	return 0;
461 }
462 
463 static const struct file_operations sel_policy_ops = {
464 	.open		= sel_open_policy,
465 	.read		= sel_read_policy,
466 	.mmap		= sel_mmap_policy,
467 	.release	= sel_release_policy,
468 	.llseek		= generic_file_llseek,
469 };
470 
471 static ssize_t sel_write_load(struct file *file, const char __user *buf,
472 			      size_t count, loff_t *ppos)
473 
474 {
475 	ssize_t length;
476 	void *data = NULL;
477 
478 	mutex_lock(&sel_mutex);
479 
480 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
481 			      SECCLASS_SECURITY, SECURITY__LOAD_POLICY, NULL);
482 	if (length)
483 		goto out;
484 
485 	/* No partial writes. */
486 	length = -EINVAL;
487 	if (*ppos != 0)
488 		goto out;
489 
490 	length = -EFBIG;
491 	if (count > 64 * 1024 * 1024)
492 		goto out;
493 
494 	length = -ENOMEM;
495 	data = vmalloc(count);
496 	if (!data)
497 		goto out;
498 
499 	length = -EFAULT;
500 	if (copy_from_user(data, buf, count) != 0)
501 		goto out;
502 
503 	length = security_load_policy(data, count);
504 	if (length) {
505 		pr_warn_ratelimited("SELinux: failed to load policy\n");
506 		goto out;
507 	}
508 
509 	length = sel_make_bools();
510 	if (length) {
511 		pr_err("SELinux: failed to load policy booleans\n");
512 		goto out1;
513 	}
514 
515 	length = sel_make_classes();
516 	if (length) {
517 		pr_err("SELinux: failed to load policy classes\n");
518 		goto out1;
519 	}
520 
521 	length = sel_make_policycap();
522 	if (length) {
523 		pr_err("SELinux: failed to load policy capabilities\n");
524 		goto out1;
525 	}
526 
527 	length = count;
528 
529 out1:
530 	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
531 		"policy loaded auid=%u ses=%u",
532 		from_kuid(&init_user_ns, audit_get_loginuid(current)),
533 		audit_get_sessionid(current));
534 out:
535 	mutex_unlock(&sel_mutex);
536 	vfree(data);
537 	return length;
538 }
539 
540 static const struct file_operations sel_load_ops = {
541 	.write		= sel_write_load,
542 	.llseek		= generic_file_llseek,
543 };
544 
545 static ssize_t sel_write_context(struct file *file, char *buf, size_t size)
546 {
547 	char *canon = NULL;
548 	u32 sid, len;
549 	ssize_t length;
550 
551 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
552 			      SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, NULL);
553 	if (length)
554 		goto out;
555 
556 	length = security_context_to_sid(buf, size, &sid, GFP_KERNEL);
557 	if (length)
558 		goto out;
559 
560 	length = security_sid_to_context(sid, &canon, &len);
561 	if (length)
562 		goto out;
563 
564 	length = -ERANGE;
565 	if (len > SIMPLE_TRANSACTION_LIMIT) {
566 		printk(KERN_ERR "SELinux: %s:  context size (%u) exceeds "
567 			"payload max\n", __func__, len);
568 		goto out;
569 	}
570 
571 	memcpy(buf, canon, len);
572 	length = len;
573 out:
574 	kfree(canon);
575 	return length;
576 }
577 
578 static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
579 				     size_t count, loff_t *ppos)
580 {
581 	char tmpbuf[TMPBUFLEN];
582 	ssize_t length;
583 
584 	length = scnprintf(tmpbuf, TMPBUFLEN, "%u", selinux_checkreqprot);
585 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
586 }
587 
588 static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
589 				      size_t count, loff_t *ppos)
590 {
591 	char *page;
592 	ssize_t length;
593 	unsigned int new_value;
594 
595 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
596 			      SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT,
597 			      NULL);
598 	if (length)
599 		return length;
600 
601 	if (count >= PAGE_SIZE)
602 		return -ENOMEM;
603 
604 	/* No partial writes. */
605 	if (*ppos != 0)
606 		return -EINVAL;
607 
608 	page = memdup_user_nul(buf, count);
609 	if (IS_ERR(page))
610 		return PTR_ERR(page);
611 
612 	length = -EINVAL;
613 	if (sscanf(page, "%u", &new_value) != 1)
614 		goto out;
615 
616 	selinux_checkreqprot = new_value ? 1 : 0;
617 	length = count;
618 out:
619 	kfree(page);
620 	return length;
621 }
622 static const struct file_operations sel_checkreqprot_ops = {
623 	.read		= sel_read_checkreqprot,
624 	.write		= sel_write_checkreqprot,
625 	.llseek		= generic_file_llseek,
626 };
627 
628 static ssize_t sel_write_validatetrans(struct file *file,
629 					const char __user *buf,
630 					size_t count, loff_t *ppos)
631 {
632 	char *oldcon = NULL, *newcon = NULL, *taskcon = NULL;
633 	char *req = NULL;
634 	u32 osid, nsid, tsid;
635 	u16 tclass;
636 	int rc;
637 
638 	rc = avc_has_perm(current_sid(), SECINITSID_SECURITY,
639 			  SECCLASS_SECURITY, SECURITY__VALIDATE_TRANS, NULL);
640 	if (rc)
641 		goto out;
642 
643 	rc = -ENOMEM;
644 	if (count >= PAGE_SIZE)
645 		goto out;
646 
647 	/* No partial writes. */
648 	rc = -EINVAL;
649 	if (*ppos != 0)
650 		goto out;
651 
652 	req = memdup_user_nul(buf, count);
653 	if (IS_ERR(req)) {
654 		rc = PTR_ERR(req);
655 		req = NULL;
656 		goto out;
657 	}
658 
659 	rc = -ENOMEM;
660 	oldcon = kzalloc(count + 1, GFP_KERNEL);
661 	if (!oldcon)
662 		goto out;
663 
664 	newcon = kzalloc(count + 1, GFP_KERNEL);
665 	if (!newcon)
666 		goto out;
667 
668 	taskcon = kzalloc(count + 1, GFP_KERNEL);
669 	if (!taskcon)
670 		goto out;
671 
672 	rc = -EINVAL;
673 	if (sscanf(req, "%s %s %hu %s", oldcon, newcon, &tclass, taskcon) != 4)
674 		goto out;
675 
676 	rc = security_context_str_to_sid(oldcon, &osid, GFP_KERNEL);
677 	if (rc)
678 		goto out;
679 
680 	rc = security_context_str_to_sid(newcon, &nsid, GFP_KERNEL);
681 	if (rc)
682 		goto out;
683 
684 	rc = security_context_str_to_sid(taskcon, &tsid, GFP_KERNEL);
685 	if (rc)
686 		goto out;
687 
688 	rc = security_validate_transition_user(osid, nsid, tsid, tclass);
689 	if (!rc)
690 		rc = count;
691 out:
692 	kfree(req);
693 	kfree(oldcon);
694 	kfree(newcon);
695 	kfree(taskcon);
696 	return rc;
697 }
698 
699 static const struct file_operations sel_transition_ops = {
700 	.write		= sel_write_validatetrans,
701 	.llseek		= generic_file_llseek,
702 };
703 
704 /*
705  * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
706  */
707 static ssize_t sel_write_access(struct file *file, char *buf, size_t size);
708 static ssize_t sel_write_create(struct file *file, char *buf, size_t size);
709 static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size);
710 static ssize_t sel_write_user(struct file *file, char *buf, size_t size);
711 static ssize_t sel_write_member(struct file *file, char *buf, size_t size);
712 
713 static ssize_t (*write_op[])(struct file *, char *, size_t) = {
714 	[SEL_ACCESS] = sel_write_access,
715 	[SEL_CREATE] = sel_write_create,
716 	[SEL_RELABEL] = sel_write_relabel,
717 	[SEL_USER] = sel_write_user,
718 	[SEL_MEMBER] = sel_write_member,
719 	[SEL_CONTEXT] = sel_write_context,
720 };
721 
722 static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
723 {
724 	ino_t ino = file_inode(file)->i_ino;
725 	char *data;
726 	ssize_t rv;
727 
728 	if (ino >= ARRAY_SIZE(write_op) || !write_op[ino])
729 		return -EINVAL;
730 
731 	data = simple_transaction_get(file, buf, size);
732 	if (IS_ERR(data))
733 		return PTR_ERR(data);
734 
735 	rv = write_op[ino](file, data, size);
736 	if (rv > 0) {
737 		simple_transaction_set(file, rv);
738 		rv = size;
739 	}
740 	return rv;
741 }
742 
743 static const struct file_operations transaction_ops = {
744 	.write		= selinux_transaction_write,
745 	.read		= simple_transaction_read,
746 	.release	= simple_transaction_release,
747 	.llseek		= generic_file_llseek,
748 };
749 
750 /*
751  * payload - write methods
752  * If the method has a response, the response should be put in buf,
753  * and the length returned.  Otherwise return 0 or and -error.
754  */
755 
756 static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
757 {
758 	char *scon = NULL, *tcon = NULL;
759 	u32 ssid, tsid;
760 	u16 tclass;
761 	struct av_decision avd;
762 	ssize_t length;
763 
764 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
765 			      SECCLASS_SECURITY, SECURITY__COMPUTE_AV, NULL);
766 	if (length)
767 		goto out;
768 
769 	length = -ENOMEM;
770 	scon = kzalloc(size + 1, GFP_KERNEL);
771 	if (!scon)
772 		goto out;
773 
774 	length = -ENOMEM;
775 	tcon = kzalloc(size + 1, GFP_KERNEL);
776 	if (!tcon)
777 		goto out;
778 
779 	length = -EINVAL;
780 	if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
781 		goto out;
782 
783 	length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL);
784 	if (length)
785 		goto out;
786 
787 	length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL);
788 	if (length)
789 		goto out;
790 
791 	security_compute_av_user(ssid, tsid, tclass, &avd);
792 
793 	length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
794 			  "%x %x %x %x %u %x",
795 			  avd.allowed, 0xffffffff,
796 			  avd.auditallow, avd.auditdeny,
797 			  avd.seqno, avd.flags);
798 out:
799 	kfree(tcon);
800 	kfree(scon);
801 	return length;
802 }
803 
804 static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
805 {
806 	char *scon = NULL, *tcon = NULL;
807 	char *namebuf = NULL, *objname = NULL;
808 	u32 ssid, tsid, newsid;
809 	u16 tclass;
810 	ssize_t length;
811 	char *newcon = NULL;
812 	u32 len;
813 	int nargs;
814 
815 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
816 			      SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE,
817 			      NULL);
818 	if (length)
819 		goto out;
820 
821 	length = -ENOMEM;
822 	scon = kzalloc(size + 1, GFP_KERNEL);
823 	if (!scon)
824 		goto out;
825 
826 	length = -ENOMEM;
827 	tcon = kzalloc(size + 1, GFP_KERNEL);
828 	if (!tcon)
829 		goto out;
830 
831 	length = -ENOMEM;
832 	namebuf = kzalloc(size + 1, GFP_KERNEL);
833 	if (!namebuf)
834 		goto out;
835 
836 	length = -EINVAL;
837 	nargs = sscanf(buf, "%s %s %hu %s", scon, tcon, &tclass, namebuf);
838 	if (nargs < 3 || nargs > 4)
839 		goto out;
840 	if (nargs == 4) {
841 		/*
842 		 * If and when the name of new object to be queried contains
843 		 * either whitespace or multibyte characters, they shall be
844 		 * encoded based on the percentage-encoding rule.
845 		 * If not encoded, the sscanf logic picks up only left-half
846 		 * of the supplied name; splitted by a whitespace unexpectedly.
847 		 */
848 		char   *r, *w;
849 		int     c1, c2;
850 
851 		r = w = namebuf;
852 		do {
853 			c1 = *r++;
854 			if (c1 == '+')
855 				c1 = ' ';
856 			else if (c1 == '%') {
857 				c1 = hex_to_bin(*r++);
858 				if (c1 < 0)
859 					goto out;
860 				c2 = hex_to_bin(*r++);
861 				if (c2 < 0)
862 					goto out;
863 				c1 = (c1 << 4) | c2;
864 			}
865 			*w++ = c1;
866 		} while (c1 != '\0');
867 
868 		objname = namebuf;
869 	}
870 
871 	length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL);
872 	if (length)
873 		goto out;
874 
875 	length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL);
876 	if (length)
877 		goto out;
878 
879 	length = security_transition_sid_user(ssid, tsid, tclass,
880 					      objname, &newsid);
881 	if (length)
882 		goto out;
883 
884 	length = security_sid_to_context(newsid, &newcon, &len);
885 	if (length)
886 		goto out;
887 
888 	length = -ERANGE;
889 	if (len > SIMPLE_TRANSACTION_LIMIT) {
890 		printk(KERN_ERR "SELinux: %s:  context size (%u) exceeds "
891 			"payload max\n", __func__, len);
892 		goto out;
893 	}
894 
895 	memcpy(buf, newcon, len);
896 	length = len;
897 out:
898 	kfree(newcon);
899 	kfree(namebuf);
900 	kfree(tcon);
901 	kfree(scon);
902 	return length;
903 }
904 
905 static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size)
906 {
907 	char *scon = NULL, *tcon = NULL;
908 	u32 ssid, tsid, newsid;
909 	u16 tclass;
910 	ssize_t length;
911 	char *newcon = NULL;
912 	u32 len;
913 
914 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
915 			      SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL,
916 			      NULL);
917 	if (length)
918 		goto out;
919 
920 	length = -ENOMEM;
921 	scon = kzalloc(size + 1, GFP_KERNEL);
922 	if (!scon)
923 		goto out;
924 
925 	length = -ENOMEM;
926 	tcon = kzalloc(size + 1, GFP_KERNEL);
927 	if (!tcon)
928 		goto out;
929 
930 	length = -EINVAL;
931 	if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
932 		goto out;
933 
934 	length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL);
935 	if (length)
936 		goto out;
937 
938 	length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL);
939 	if (length)
940 		goto out;
941 
942 	length = security_change_sid(ssid, tsid, tclass, &newsid);
943 	if (length)
944 		goto out;
945 
946 	length = security_sid_to_context(newsid, &newcon, &len);
947 	if (length)
948 		goto out;
949 
950 	length = -ERANGE;
951 	if (len > SIMPLE_TRANSACTION_LIMIT)
952 		goto out;
953 
954 	memcpy(buf, newcon, len);
955 	length = len;
956 out:
957 	kfree(newcon);
958 	kfree(tcon);
959 	kfree(scon);
960 	return length;
961 }
962 
963 static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
964 {
965 	char *con = NULL, *user = NULL, *ptr;
966 	u32 sid, *sids = NULL;
967 	ssize_t length;
968 	char *newcon;
969 	int i, rc;
970 	u32 len, nsids;
971 
972 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
973 			      SECCLASS_SECURITY, SECURITY__COMPUTE_USER,
974 			      NULL);
975 	if (length)
976 		goto out;
977 
978 	length = -ENOMEM;
979 	con = kzalloc(size + 1, GFP_KERNEL);
980 	if (!con)
981 		goto out;
982 
983 	length = -ENOMEM;
984 	user = kzalloc(size + 1, GFP_KERNEL);
985 	if (!user)
986 		goto out;
987 
988 	length = -EINVAL;
989 	if (sscanf(buf, "%s %s", con, user) != 2)
990 		goto out;
991 
992 	length = security_context_str_to_sid(con, &sid, GFP_KERNEL);
993 	if (length)
994 		goto out;
995 
996 	length = security_get_user_sids(sid, user, &sids, &nsids);
997 	if (length)
998 		goto out;
999 
1000 	length = sprintf(buf, "%u", nsids) + 1;
1001 	ptr = buf + length;
1002 	for (i = 0; i < nsids; i++) {
1003 		rc = security_sid_to_context(sids[i], &newcon, &len);
1004 		if (rc) {
1005 			length = rc;
1006 			goto out;
1007 		}
1008 		if ((length + len) >= SIMPLE_TRANSACTION_LIMIT) {
1009 			kfree(newcon);
1010 			length = -ERANGE;
1011 			goto out;
1012 		}
1013 		memcpy(ptr, newcon, len);
1014 		kfree(newcon);
1015 		ptr += len;
1016 		length += len;
1017 	}
1018 out:
1019 	kfree(sids);
1020 	kfree(user);
1021 	kfree(con);
1022 	return length;
1023 }
1024 
1025 static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
1026 {
1027 	char *scon = NULL, *tcon = NULL;
1028 	u32 ssid, tsid, newsid;
1029 	u16 tclass;
1030 	ssize_t length;
1031 	char *newcon = NULL;
1032 	u32 len;
1033 
1034 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
1035 			      SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER,
1036 			      NULL);
1037 	if (length)
1038 		goto out;
1039 
1040 	length = -ENOMEM;
1041 	scon = kzalloc(size + 1, GFP_KERNEL);
1042 	if (!scon)
1043 		goto out;
1044 
1045 	length = -ENOMEM;
1046 	tcon = kzalloc(size + 1, GFP_KERNEL);
1047 	if (!tcon)
1048 		goto out;
1049 
1050 	length = -EINVAL;
1051 	if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
1052 		goto out;
1053 
1054 	length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL);
1055 	if (length)
1056 		goto out;
1057 
1058 	length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL);
1059 	if (length)
1060 		goto out;
1061 
1062 	length = security_member_sid(ssid, tsid, tclass, &newsid);
1063 	if (length)
1064 		goto out;
1065 
1066 	length = security_sid_to_context(newsid, &newcon, &len);
1067 	if (length)
1068 		goto out;
1069 
1070 	length = -ERANGE;
1071 	if (len > SIMPLE_TRANSACTION_LIMIT) {
1072 		printk(KERN_ERR "SELinux: %s:  context size (%u) exceeds "
1073 			"payload max\n", __func__, len);
1074 		goto out;
1075 	}
1076 
1077 	memcpy(buf, newcon, len);
1078 	length = len;
1079 out:
1080 	kfree(newcon);
1081 	kfree(tcon);
1082 	kfree(scon);
1083 	return length;
1084 }
1085 
1086 static struct inode *sel_make_inode(struct super_block *sb, int mode)
1087 {
1088 	struct inode *ret = new_inode(sb);
1089 
1090 	if (ret) {
1091 		ret->i_mode = mode;
1092 		ret->i_atime = ret->i_mtime = ret->i_ctime = current_time(ret);
1093 	}
1094 	return ret;
1095 }
1096 
1097 static ssize_t sel_read_bool(struct file *filep, char __user *buf,
1098 			     size_t count, loff_t *ppos)
1099 {
1100 	char *page = NULL;
1101 	ssize_t length;
1102 	ssize_t ret;
1103 	int cur_enforcing;
1104 	unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK;
1105 	const char *name = filep->f_path.dentry->d_name.name;
1106 
1107 	mutex_lock(&sel_mutex);
1108 
1109 	ret = -EINVAL;
1110 	if (index >= bool_num || strcmp(name, bool_pending_names[index]))
1111 		goto out;
1112 
1113 	ret = -ENOMEM;
1114 	page = (char *)get_zeroed_page(GFP_KERNEL);
1115 	if (!page)
1116 		goto out;
1117 
1118 	cur_enforcing = security_get_bool_value(index);
1119 	if (cur_enforcing < 0) {
1120 		ret = cur_enforcing;
1121 		goto out;
1122 	}
1123 	length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing,
1124 			  bool_pending_values[index]);
1125 	ret = simple_read_from_buffer(buf, count, ppos, page, length);
1126 out:
1127 	mutex_unlock(&sel_mutex);
1128 	free_page((unsigned long)page);
1129 	return ret;
1130 }
1131 
1132 static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
1133 			      size_t count, loff_t *ppos)
1134 {
1135 	char *page = NULL;
1136 	ssize_t length;
1137 	int new_value;
1138 	unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK;
1139 	const char *name = filep->f_path.dentry->d_name.name;
1140 
1141 	mutex_lock(&sel_mutex);
1142 
1143 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
1144 			      SECCLASS_SECURITY, SECURITY__SETBOOL,
1145 			      NULL);
1146 	if (length)
1147 		goto out;
1148 
1149 	length = -EINVAL;
1150 	if (index >= bool_num || strcmp(name, bool_pending_names[index]))
1151 		goto out;
1152 
1153 	length = -ENOMEM;
1154 	if (count >= PAGE_SIZE)
1155 		goto out;
1156 
1157 	/* No partial writes. */
1158 	length = -EINVAL;
1159 	if (*ppos != 0)
1160 		goto out;
1161 
1162 	page = memdup_user_nul(buf, count);
1163 	if (IS_ERR(page)) {
1164 		length = PTR_ERR(page);
1165 		page = NULL;
1166 		goto out;
1167 	}
1168 
1169 	length = -EINVAL;
1170 	if (sscanf(page, "%d", &new_value) != 1)
1171 		goto out;
1172 
1173 	if (new_value)
1174 		new_value = 1;
1175 
1176 	bool_pending_values[index] = new_value;
1177 	length = count;
1178 
1179 out:
1180 	mutex_unlock(&sel_mutex);
1181 	kfree(page);
1182 	return length;
1183 }
1184 
1185 static const struct file_operations sel_bool_ops = {
1186 	.read		= sel_read_bool,
1187 	.write		= sel_write_bool,
1188 	.llseek		= generic_file_llseek,
1189 };
1190 
1191 static ssize_t sel_commit_bools_write(struct file *filep,
1192 				      const char __user *buf,
1193 				      size_t count, loff_t *ppos)
1194 {
1195 	char *page = NULL;
1196 	ssize_t length;
1197 	int new_value;
1198 
1199 	mutex_lock(&sel_mutex);
1200 
1201 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
1202 			      SECCLASS_SECURITY, SECURITY__SETBOOL,
1203 			      NULL);
1204 	if (length)
1205 		goto out;
1206 
1207 	length = -ENOMEM;
1208 	if (count >= PAGE_SIZE)
1209 		goto out;
1210 
1211 	/* No partial writes. */
1212 	length = -EINVAL;
1213 	if (*ppos != 0)
1214 		goto out;
1215 
1216 	page = memdup_user_nul(buf, count);
1217 	if (IS_ERR(page)) {
1218 		length = PTR_ERR(page);
1219 		page = NULL;
1220 		goto out;
1221 	}
1222 
1223 	length = -EINVAL;
1224 	if (sscanf(page, "%d", &new_value) != 1)
1225 		goto out;
1226 
1227 	length = 0;
1228 	if (new_value && bool_pending_values)
1229 		length = security_set_bools(bool_num, bool_pending_values);
1230 
1231 	if (!length)
1232 		length = count;
1233 
1234 out:
1235 	mutex_unlock(&sel_mutex);
1236 	kfree(page);
1237 	return length;
1238 }
1239 
1240 static const struct file_operations sel_commit_bools_ops = {
1241 	.write		= sel_commit_bools_write,
1242 	.llseek		= generic_file_llseek,
1243 };
1244 
1245 static void sel_remove_entries(struct dentry *de)
1246 {
1247 	d_genocide(de);
1248 	shrink_dcache_parent(de);
1249 }
1250 
1251 #define BOOL_DIR_NAME "booleans"
1252 
1253 static int sel_make_bools(void)
1254 {
1255 	int i, ret;
1256 	ssize_t len;
1257 	struct dentry *dentry = NULL;
1258 	struct dentry *dir = bool_dir;
1259 	struct inode *inode = NULL;
1260 	struct inode_security_struct *isec;
1261 	char **names = NULL, *page;
1262 	int num;
1263 	int *values = NULL;
1264 	u32 sid;
1265 
1266 	/* remove any existing files */
1267 	for (i = 0; i < bool_num; i++)
1268 		kfree(bool_pending_names[i]);
1269 	kfree(bool_pending_names);
1270 	kfree(bool_pending_values);
1271 	bool_num = 0;
1272 	bool_pending_names = NULL;
1273 	bool_pending_values = NULL;
1274 
1275 	sel_remove_entries(dir);
1276 
1277 	ret = -ENOMEM;
1278 	page = (char *)get_zeroed_page(GFP_KERNEL);
1279 	if (!page)
1280 		goto out;
1281 
1282 	ret = security_get_bools(&num, &names, &values);
1283 	if (ret)
1284 		goto out;
1285 
1286 	for (i = 0; i < num; i++) {
1287 		ret = -ENOMEM;
1288 		dentry = d_alloc_name(dir, names[i]);
1289 		if (!dentry)
1290 			goto out;
1291 
1292 		ret = -ENOMEM;
1293 		inode = sel_make_inode(dir->d_sb, S_IFREG | S_IRUGO | S_IWUSR);
1294 		if (!inode)
1295 			goto out;
1296 
1297 		ret = -ENAMETOOLONG;
1298 		len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]);
1299 		if (len >= PAGE_SIZE)
1300 			goto out;
1301 
1302 		isec = (struct inode_security_struct *)inode->i_security;
1303 		ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
1304 		if (ret) {
1305 			pr_warn_ratelimited("SELinux: no sid found, defaulting to security isid for %s\n",
1306 					   page);
1307 			sid = SECINITSID_SECURITY;
1308 		}
1309 
1310 		isec->sid = sid;
1311 		isec->initialized = LABEL_INITIALIZED;
1312 		inode->i_fop = &sel_bool_ops;
1313 		inode->i_ino = i|SEL_BOOL_INO_OFFSET;
1314 		d_add(dentry, inode);
1315 	}
1316 	bool_num = num;
1317 	bool_pending_names = names;
1318 	bool_pending_values = values;
1319 
1320 	free_page((unsigned long)page);
1321 	return 0;
1322 out:
1323 	free_page((unsigned long)page);
1324 
1325 	if (names) {
1326 		for (i = 0; i < num; i++)
1327 			kfree(names[i]);
1328 		kfree(names);
1329 	}
1330 	kfree(values);
1331 	sel_remove_entries(dir);
1332 
1333 	return ret;
1334 }
1335 
1336 #define NULL_FILE_NAME "null"
1337 
1338 struct path selinux_null;
1339 
1340 static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
1341 					    size_t count, loff_t *ppos)
1342 {
1343 	char tmpbuf[TMPBUFLEN];
1344 	ssize_t length;
1345 
1346 	length = scnprintf(tmpbuf, TMPBUFLEN, "%u", avc_cache_threshold);
1347 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
1348 }
1349 
1350 static ssize_t sel_write_avc_cache_threshold(struct file *file,
1351 					     const char __user *buf,
1352 					     size_t count, loff_t *ppos)
1353 
1354 {
1355 	char *page;
1356 	ssize_t ret;
1357 	unsigned int new_value;
1358 
1359 	ret = avc_has_perm(current_sid(), SECINITSID_SECURITY,
1360 			   SECCLASS_SECURITY, SECURITY__SETSECPARAM,
1361 			   NULL);
1362 	if (ret)
1363 		return ret;
1364 
1365 	if (count >= PAGE_SIZE)
1366 		return -ENOMEM;
1367 
1368 	/* No partial writes. */
1369 	if (*ppos != 0)
1370 		return -EINVAL;
1371 
1372 	page = memdup_user_nul(buf, count);
1373 	if (IS_ERR(page))
1374 		return PTR_ERR(page);
1375 
1376 	ret = -EINVAL;
1377 	if (sscanf(page, "%u", &new_value) != 1)
1378 		goto out;
1379 
1380 	avc_cache_threshold = new_value;
1381 
1382 	ret = count;
1383 out:
1384 	kfree(page);
1385 	return ret;
1386 }
1387 
1388 static ssize_t sel_read_avc_hash_stats(struct file *filp, char __user *buf,
1389 				       size_t count, loff_t *ppos)
1390 {
1391 	char *page;
1392 	ssize_t length;
1393 
1394 	page = (char *)__get_free_page(GFP_KERNEL);
1395 	if (!page)
1396 		return -ENOMEM;
1397 
1398 	length = avc_get_hash_stats(page);
1399 	if (length >= 0)
1400 		length = simple_read_from_buffer(buf, count, ppos, page, length);
1401 	free_page((unsigned long)page);
1402 
1403 	return length;
1404 }
1405 
1406 static const struct file_operations sel_avc_cache_threshold_ops = {
1407 	.read		= sel_read_avc_cache_threshold,
1408 	.write		= sel_write_avc_cache_threshold,
1409 	.llseek		= generic_file_llseek,
1410 };
1411 
1412 static const struct file_operations sel_avc_hash_stats_ops = {
1413 	.read		= sel_read_avc_hash_stats,
1414 	.llseek		= generic_file_llseek,
1415 };
1416 
1417 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
1418 static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx)
1419 {
1420 	int cpu;
1421 
1422 	for (cpu = *idx; cpu < nr_cpu_ids; ++cpu) {
1423 		if (!cpu_possible(cpu))
1424 			continue;
1425 		*idx = cpu + 1;
1426 		return &per_cpu(avc_cache_stats, cpu);
1427 	}
1428 	return NULL;
1429 }
1430 
1431 static void *sel_avc_stats_seq_start(struct seq_file *seq, loff_t *pos)
1432 {
1433 	loff_t n = *pos - 1;
1434 
1435 	if (*pos == 0)
1436 		return SEQ_START_TOKEN;
1437 
1438 	return sel_avc_get_stat_idx(&n);
1439 }
1440 
1441 static void *sel_avc_stats_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1442 {
1443 	return sel_avc_get_stat_idx(pos);
1444 }
1445 
1446 static int sel_avc_stats_seq_show(struct seq_file *seq, void *v)
1447 {
1448 	struct avc_cache_stats *st = v;
1449 
1450 	if (v == SEQ_START_TOKEN) {
1451 		seq_puts(seq,
1452 			 "lookups hits misses allocations reclaims frees\n");
1453 	} else {
1454 		unsigned int lookups = st->lookups;
1455 		unsigned int misses = st->misses;
1456 		unsigned int hits = lookups - misses;
1457 		seq_printf(seq, "%u %u %u %u %u %u\n", lookups,
1458 			   hits, misses, st->allocations,
1459 			   st->reclaims, st->frees);
1460 	}
1461 	return 0;
1462 }
1463 
1464 static void sel_avc_stats_seq_stop(struct seq_file *seq, void *v)
1465 { }
1466 
1467 static const struct seq_operations sel_avc_cache_stats_seq_ops = {
1468 	.start		= sel_avc_stats_seq_start,
1469 	.next		= sel_avc_stats_seq_next,
1470 	.show		= sel_avc_stats_seq_show,
1471 	.stop		= sel_avc_stats_seq_stop,
1472 };
1473 
1474 static int sel_open_avc_cache_stats(struct inode *inode, struct file *file)
1475 {
1476 	return seq_open(file, &sel_avc_cache_stats_seq_ops);
1477 }
1478 
1479 static const struct file_operations sel_avc_cache_stats_ops = {
1480 	.open		= sel_open_avc_cache_stats,
1481 	.read		= seq_read,
1482 	.llseek		= seq_lseek,
1483 	.release	= seq_release,
1484 };
1485 #endif
1486 
1487 static int sel_make_avc_files(struct dentry *dir)
1488 {
1489 	int i;
1490 	static const struct tree_descr files[] = {
1491 		{ "cache_threshold",
1492 		  &sel_avc_cache_threshold_ops, S_IRUGO|S_IWUSR },
1493 		{ "hash_stats", &sel_avc_hash_stats_ops, S_IRUGO },
1494 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
1495 		{ "cache_stats", &sel_avc_cache_stats_ops, S_IRUGO },
1496 #endif
1497 	};
1498 
1499 	for (i = 0; i < ARRAY_SIZE(files); i++) {
1500 		struct inode *inode;
1501 		struct dentry *dentry;
1502 
1503 		dentry = d_alloc_name(dir, files[i].name);
1504 		if (!dentry)
1505 			return -ENOMEM;
1506 
1507 		inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode);
1508 		if (!inode)
1509 			return -ENOMEM;
1510 
1511 		inode->i_fop = files[i].ops;
1512 		inode->i_ino = ++sel_last_ino;
1513 		d_add(dentry, inode);
1514 	}
1515 
1516 	return 0;
1517 }
1518 
1519 static ssize_t sel_read_initcon(struct file *file, char __user *buf,
1520 				size_t count, loff_t *ppos)
1521 {
1522 	char *con;
1523 	u32 sid, len;
1524 	ssize_t ret;
1525 
1526 	sid = file_inode(file)->i_ino&SEL_INO_MASK;
1527 	ret = security_sid_to_context(sid, &con, &len);
1528 	if (ret)
1529 		return ret;
1530 
1531 	ret = simple_read_from_buffer(buf, count, ppos, con, len);
1532 	kfree(con);
1533 	return ret;
1534 }
1535 
1536 static const struct file_operations sel_initcon_ops = {
1537 	.read		= sel_read_initcon,
1538 	.llseek		= generic_file_llseek,
1539 };
1540 
1541 static int sel_make_initcon_files(struct dentry *dir)
1542 {
1543 	int i;
1544 
1545 	for (i = 1; i <= SECINITSID_NUM; i++) {
1546 		struct inode *inode;
1547 		struct dentry *dentry;
1548 		dentry = d_alloc_name(dir, security_get_initial_sid_context(i));
1549 		if (!dentry)
1550 			return -ENOMEM;
1551 
1552 		inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
1553 		if (!inode)
1554 			return -ENOMEM;
1555 
1556 		inode->i_fop = &sel_initcon_ops;
1557 		inode->i_ino = i|SEL_INITCON_INO_OFFSET;
1558 		d_add(dentry, inode);
1559 	}
1560 
1561 	return 0;
1562 }
1563 
1564 static inline unsigned long sel_class_to_ino(u16 class)
1565 {
1566 	return (class * (SEL_VEC_MAX + 1)) | SEL_CLASS_INO_OFFSET;
1567 }
1568 
1569 static inline u16 sel_ino_to_class(unsigned long ino)
1570 {
1571 	return (ino & SEL_INO_MASK) / (SEL_VEC_MAX + 1);
1572 }
1573 
1574 static inline unsigned long sel_perm_to_ino(u16 class, u32 perm)
1575 {
1576 	return (class * (SEL_VEC_MAX + 1) + perm) | SEL_CLASS_INO_OFFSET;
1577 }
1578 
1579 static inline u32 sel_ino_to_perm(unsigned long ino)
1580 {
1581 	return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1);
1582 }
1583 
1584 static ssize_t sel_read_class(struct file *file, char __user *buf,
1585 				size_t count, loff_t *ppos)
1586 {
1587 	unsigned long ino = file_inode(file)->i_ino;
1588 	char res[TMPBUFLEN];
1589 	ssize_t len = snprintf(res, sizeof(res), "%d", sel_ino_to_class(ino));
1590 	return simple_read_from_buffer(buf, count, ppos, res, len);
1591 }
1592 
1593 static const struct file_operations sel_class_ops = {
1594 	.read		= sel_read_class,
1595 	.llseek		= generic_file_llseek,
1596 };
1597 
1598 static ssize_t sel_read_perm(struct file *file, char __user *buf,
1599 				size_t count, loff_t *ppos)
1600 {
1601 	unsigned long ino = file_inode(file)->i_ino;
1602 	char res[TMPBUFLEN];
1603 	ssize_t len = snprintf(res, sizeof(res), "%d", sel_ino_to_perm(ino));
1604 	return simple_read_from_buffer(buf, count, ppos, res, len);
1605 }
1606 
1607 static const struct file_operations sel_perm_ops = {
1608 	.read		= sel_read_perm,
1609 	.llseek		= generic_file_llseek,
1610 };
1611 
1612 static ssize_t sel_read_policycap(struct file *file, char __user *buf,
1613 				  size_t count, loff_t *ppos)
1614 {
1615 	int value;
1616 	char tmpbuf[TMPBUFLEN];
1617 	ssize_t length;
1618 	unsigned long i_ino = file_inode(file)->i_ino;
1619 
1620 	value = security_policycap_supported(i_ino & SEL_INO_MASK);
1621 	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", value);
1622 
1623 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
1624 }
1625 
1626 static const struct file_operations sel_policycap_ops = {
1627 	.read		= sel_read_policycap,
1628 	.llseek		= generic_file_llseek,
1629 };
1630 
1631 static int sel_make_perm_files(char *objclass, int classvalue,
1632 				struct dentry *dir)
1633 {
1634 	int i, rc, nperms;
1635 	char **perms;
1636 
1637 	rc = security_get_permissions(objclass, &perms, &nperms);
1638 	if (rc)
1639 		return rc;
1640 
1641 	for (i = 0; i < nperms; i++) {
1642 		struct inode *inode;
1643 		struct dentry *dentry;
1644 
1645 		rc = -ENOMEM;
1646 		dentry = d_alloc_name(dir, perms[i]);
1647 		if (!dentry)
1648 			goto out;
1649 
1650 		rc = -ENOMEM;
1651 		inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
1652 		if (!inode)
1653 			goto out;
1654 
1655 		inode->i_fop = &sel_perm_ops;
1656 		/* i+1 since perm values are 1-indexed */
1657 		inode->i_ino = sel_perm_to_ino(classvalue, i + 1);
1658 		d_add(dentry, inode);
1659 	}
1660 	rc = 0;
1661 out:
1662 	for (i = 0; i < nperms; i++)
1663 		kfree(perms[i]);
1664 	kfree(perms);
1665 	return rc;
1666 }
1667 
1668 static int sel_make_class_dir_entries(char *classname, int index,
1669 					struct dentry *dir)
1670 {
1671 	struct dentry *dentry = NULL;
1672 	struct inode *inode = NULL;
1673 	int rc;
1674 
1675 	dentry = d_alloc_name(dir, "index");
1676 	if (!dentry)
1677 		return -ENOMEM;
1678 
1679 	inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
1680 	if (!inode)
1681 		return -ENOMEM;
1682 
1683 	inode->i_fop = &sel_class_ops;
1684 	inode->i_ino = sel_class_to_ino(index);
1685 	d_add(dentry, inode);
1686 
1687 	dentry = sel_make_dir(dir, "perms", &last_class_ino);
1688 	if (IS_ERR(dentry))
1689 		return PTR_ERR(dentry);
1690 
1691 	rc = sel_make_perm_files(classname, index, dentry);
1692 
1693 	return rc;
1694 }
1695 
1696 static int sel_make_classes(void)
1697 {
1698 	int rc, nclasses, i;
1699 	char **classes;
1700 
1701 	/* delete any existing entries */
1702 	sel_remove_entries(class_dir);
1703 
1704 	rc = security_get_classes(&classes, &nclasses);
1705 	if (rc)
1706 		return rc;
1707 
1708 	/* +2 since classes are 1-indexed */
1709 	last_class_ino = sel_class_to_ino(nclasses + 2);
1710 
1711 	for (i = 0; i < nclasses; i++) {
1712 		struct dentry *class_name_dir;
1713 
1714 		class_name_dir = sel_make_dir(class_dir, classes[i],
1715 				&last_class_ino);
1716 		if (IS_ERR(class_name_dir)) {
1717 			rc = PTR_ERR(class_name_dir);
1718 			goto out;
1719 		}
1720 
1721 		/* i+1 since class values are 1-indexed */
1722 		rc = sel_make_class_dir_entries(classes[i], i + 1,
1723 				class_name_dir);
1724 		if (rc)
1725 			goto out;
1726 	}
1727 	rc = 0;
1728 out:
1729 	for (i = 0; i < nclasses; i++)
1730 		kfree(classes[i]);
1731 	kfree(classes);
1732 	return rc;
1733 }
1734 
1735 static int sel_make_policycap(void)
1736 {
1737 	unsigned int iter;
1738 	struct dentry *dentry = NULL;
1739 	struct inode *inode = NULL;
1740 
1741 	sel_remove_entries(policycap_dir);
1742 
1743 	for (iter = 0; iter <= POLICYDB_CAPABILITY_MAX; iter++) {
1744 		if (iter < ARRAY_SIZE(selinux_policycap_names))
1745 			dentry = d_alloc_name(policycap_dir,
1746 					      selinux_policycap_names[iter]);
1747 		else
1748 			dentry = d_alloc_name(policycap_dir, "unknown");
1749 
1750 		if (dentry == NULL)
1751 			return -ENOMEM;
1752 
1753 		inode = sel_make_inode(policycap_dir->d_sb, S_IFREG | S_IRUGO);
1754 		if (inode == NULL)
1755 			return -ENOMEM;
1756 
1757 		inode->i_fop = &sel_policycap_ops;
1758 		inode->i_ino = iter | SEL_POLICYCAP_INO_OFFSET;
1759 		d_add(dentry, inode);
1760 	}
1761 
1762 	return 0;
1763 }
1764 
1765 static struct dentry *sel_make_dir(struct dentry *dir, const char *name,
1766 			unsigned long *ino)
1767 {
1768 	struct dentry *dentry = d_alloc_name(dir, name);
1769 	struct inode *inode;
1770 
1771 	if (!dentry)
1772 		return ERR_PTR(-ENOMEM);
1773 
1774 	inode = sel_make_inode(dir->d_sb, S_IFDIR | S_IRUGO | S_IXUGO);
1775 	if (!inode) {
1776 		dput(dentry);
1777 		return ERR_PTR(-ENOMEM);
1778 	}
1779 
1780 	inode->i_op = &simple_dir_inode_operations;
1781 	inode->i_fop = &simple_dir_operations;
1782 	inode->i_ino = ++(*ino);
1783 	/* directory inodes start off with i_nlink == 2 (for "." entry) */
1784 	inc_nlink(inode);
1785 	d_add(dentry, inode);
1786 	/* bump link count on parent directory, too */
1787 	inc_nlink(d_inode(dir));
1788 
1789 	return dentry;
1790 }
1791 
1792 static int sel_fill_super(struct super_block *sb, void *data, int silent)
1793 {
1794 	int ret;
1795 	struct dentry *dentry;
1796 	struct inode *inode;
1797 	struct inode_security_struct *isec;
1798 
1799 	static const struct tree_descr selinux_files[] = {
1800 		[SEL_LOAD] = {"load", &sel_load_ops, S_IRUSR|S_IWUSR},
1801 		[SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR},
1802 		[SEL_CONTEXT] = {"context", &transaction_ops, S_IRUGO|S_IWUGO},
1803 		[SEL_ACCESS] = {"access", &transaction_ops, S_IRUGO|S_IWUGO},
1804 		[SEL_CREATE] = {"create", &transaction_ops, S_IRUGO|S_IWUGO},
1805 		[SEL_RELABEL] = {"relabel", &transaction_ops, S_IRUGO|S_IWUGO},
1806 		[SEL_USER] = {"user", &transaction_ops, S_IRUGO|S_IWUGO},
1807 		[SEL_POLICYVERS] = {"policyvers", &sel_policyvers_ops, S_IRUGO},
1808 		[SEL_COMMIT_BOOLS] = {"commit_pending_bools", &sel_commit_bools_ops, S_IWUSR},
1809 		[SEL_MLS] = {"mls", &sel_mls_ops, S_IRUGO},
1810 		[SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
1811 		[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
1812 		[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
1813 		[SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
1814 		[SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
1815 		[SEL_STATUS] = {"status", &sel_handle_status_ops, S_IRUGO},
1816 		[SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUGO},
1817 		[SEL_VALIDATE_TRANS] = {"validatetrans", &sel_transition_ops,
1818 					S_IWUGO},
1819 		/* last one */ {""}
1820 	};
1821 	ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);
1822 	if (ret)
1823 		goto err;
1824 
1825 	bool_dir = sel_make_dir(sb->s_root, BOOL_DIR_NAME, &sel_last_ino);
1826 	if (IS_ERR(bool_dir)) {
1827 		ret = PTR_ERR(bool_dir);
1828 		bool_dir = NULL;
1829 		goto err;
1830 	}
1831 
1832 	ret = -ENOMEM;
1833 	dentry = d_alloc_name(sb->s_root, NULL_FILE_NAME);
1834 	if (!dentry)
1835 		goto err;
1836 
1837 	ret = -ENOMEM;
1838 	inode = sel_make_inode(sb, S_IFCHR | S_IRUGO | S_IWUGO);
1839 	if (!inode)
1840 		goto err;
1841 
1842 	inode->i_ino = ++sel_last_ino;
1843 	isec = (struct inode_security_struct *)inode->i_security;
1844 	isec->sid = SECINITSID_DEVNULL;
1845 	isec->sclass = SECCLASS_CHR_FILE;
1846 	isec->initialized = LABEL_INITIALIZED;
1847 
1848 	init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, MKDEV(MEM_MAJOR, 3));
1849 	d_add(dentry, inode);
1850 	selinux_null.dentry = dentry;
1851 
1852 	dentry = sel_make_dir(sb->s_root, "avc", &sel_last_ino);
1853 	if (IS_ERR(dentry)) {
1854 		ret = PTR_ERR(dentry);
1855 		goto err;
1856 	}
1857 
1858 	ret = sel_make_avc_files(dentry);
1859 	if (ret)
1860 		goto err;
1861 
1862 	dentry = sel_make_dir(sb->s_root, "initial_contexts", &sel_last_ino);
1863 	if (IS_ERR(dentry)) {
1864 		ret = PTR_ERR(dentry);
1865 		goto err;
1866 	}
1867 
1868 	ret = sel_make_initcon_files(dentry);
1869 	if (ret)
1870 		goto err;
1871 
1872 	class_dir = sel_make_dir(sb->s_root, "class", &sel_last_ino);
1873 	if (IS_ERR(class_dir)) {
1874 		ret = PTR_ERR(class_dir);
1875 		class_dir = NULL;
1876 		goto err;
1877 	}
1878 
1879 	policycap_dir = sel_make_dir(sb->s_root, "policy_capabilities", &sel_last_ino);
1880 	if (IS_ERR(policycap_dir)) {
1881 		ret = PTR_ERR(policycap_dir);
1882 		policycap_dir = NULL;
1883 		goto err;
1884 	}
1885 	return 0;
1886 err:
1887 	printk(KERN_ERR "SELinux: %s:  failed while creating inodes\n",
1888 		__func__);
1889 	return ret;
1890 }
1891 
1892 static struct dentry *sel_mount(struct file_system_type *fs_type,
1893 		      int flags, const char *dev_name, void *data)
1894 {
1895 	return mount_single(fs_type, flags, data, sel_fill_super);
1896 }
1897 
1898 static struct file_system_type sel_fs_type = {
1899 	.name		= "selinuxfs",
1900 	.mount		= sel_mount,
1901 	.kill_sb	= kill_litter_super,
1902 };
1903 
1904 struct vfsmount *selinuxfs_mount;
1905 
1906 static int __init init_sel_fs(void)
1907 {
1908 	int err;
1909 
1910 	if (!selinux_enabled)
1911 		return 0;
1912 
1913 	err = sysfs_create_mount_point(fs_kobj, "selinux");
1914 	if (err)
1915 		return err;
1916 
1917 	err = register_filesystem(&sel_fs_type);
1918 	if (err) {
1919 		sysfs_remove_mount_point(fs_kobj, "selinux");
1920 		return err;
1921 	}
1922 
1923 	selinux_null.mnt = selinuxfs_mount = kern_mount(&sel_fs_type);
1924 	if (IS_ERR(selinuxfs_mount)) {
1925 		printk(KERN_ERR "selinuxfs:  could not mount!\n");
1926 		err = PTR_ERR(selinuxfs_mount);
1927 		selinuxfs_mount = NULL;
1928 	}
1929 
1930 	return err;
1931 }
1932 
1933 __initcall(init_sel_fs);
1934 
1935 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
1936 void exit_sel_fs(void)
1937 {
1938 	sysfs_remove_mount_point(fs_kobj, "selinux");
1939 	kern_unmount(selinuxfs_mount);
1940 	unregister_filesystem(&sel_fs_type);
1941 }
1942 #endif
1943