eca70f42e678c67df6c524b973733917c32bff1b
[kernel.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *              Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/fdtable.h>
43 #include <linux/namei.h>
44 #include <linux/mount.h>
45 #include <linux/ext2_fs.h>
46 #include <linux/proc_fs.h>
47 #include <linux/kd.h>
48 #include <linux/netfilter_ipv4.h>
49 #include <linux/netfilter_ipv6.h>
50 #include <linux/tty.h>
51 #include <net/icmp.h>
52 #include <net/ip.h>             /* for local_port_range[] */
53 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
54 #include <net/net_namespace.h>
55 #include <net/netlabel.h>
56 #include <linux/uaccess.h>
57 #include <asm/ioctls.h>
58 #include <asm/atomic.h>
59 #include <linux/bitops.h>
60 #include <linux/interrupt.h>
61 #include <linux/netdevice.h>    /* for network interface checks */
62 #include <linux/netlink.h>
63 #include <linux/tcp.h>
64 #include <linux/udp.h>
65 #include <linux/dccp.h>
66 #include <linux/quota.h>
67 #include <linux/un.h>           /* for Unix socket types */
68 #include <net/af_unix.h>        /* for Unix socket types */
69 #include <linux/parser.h>
70 #include <linux/nfs_mount.h>
71 #include <net/ipv6.h>
72 #include <linux/hugetlb.h>
73 #include <linux/personality.h>
74 #include <linux/sysctl.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 4
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107         unsigned long enforcing;
108         if (!strict_strtoul(str, 0, &enforcing))
109                 selinux_enforcing = enforcing ? 1 : 0;
110         return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120         unsigned long enabled;
121         if (!strict_strtoul(str, 0, &enabled))
122                 selinux_enabled = enabled ? 1 : 0;
123         return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130 /* Original (dummy) security module. */
131 static struct security_operations *original_ops;
132
133 /* Minimal support for a secondary security module,
134    just to allow the use of the dummy or capability modules.
135    The owlsm module can alternatively be used as a secondary
136    module as long as CONFIG_OWLSM_FD is not enabled. */
137 static struct security_operations *secondary_ops;
138
139 /* Lists of inode and superblock security structures initialized
140    before the policy was loaded. */
141 static LIST_HEAD(superblock_security_head);
142 static DEFINE_SPINLOCK(sb_security_lock);
143
144 static struct kmem_cache *sel_inode_cache;
145
146 /**
147  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
148  *
149  * Description:
150  * This function checks the SECMARK reference counter to see if any SECMARK
151  * targets are currently configured, if the reference counter is greater than
152  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
153  * enabled, false (0) if SECMARK is disabled.
154  *
155  */
156 static int selinux_secmark_enabled(void)
157 {
158         return (atomic_read(&selinux_secmark_refcount) > 0);
159 }
160
161 /* Allocate and free functions for each kind of security blob. */
162
163 static int task_alloc_security(struct task_struct *task)
164 {
165         struct task_security_struct *tsec;
166
167         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
168         if (!tsec)
169                 return -ENOMEM;
170
171         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
172         task->security = tsec;
173
174         return 0;
175 }
176
177 static void task_free_security(struct task_struct *task)
178 {
179         struct task_security_struct *tsec = task->security;
180         task->security = NULL;
181         kfree(tsec);
182 }
183
184 static int inode_alloc_security(struct inode *inode)
185 {
186         struct task_security_struct *tsec = current->security;
187         struct inode_security_struct *isec;
188
189         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
190         if (!isec)
191                 return -ENOMEM;
192
193         mutex_init(&isec->lock);
194         INIT_LIST_HEAD(&isec->list);
195         isec->inode = inode;
196         isec->sid = SECINITSID_UNLABELED;
197         isec->sclass = SECCLASS_FILE;
198         isec->task_sid = tsec->sid;
199         inode->i_security = isec;
200
201         return 0;
202 }
203
204 static void inode_free_security(struct inode *inode)
205 {
206         struct inode_security_struct *isec = inode->i_security;
207         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
208
209         spin_lock(&sbsec->isec_lock);
210         if (!list_empty(&isec->list))
211                 list_del_init(&isec->list);
212         spin_unlock(&sbsec->isec_lock);
213
214         inode->i_security = NULL;
215         kmem_cache_free(sel_inode_cache, isec);
216 }
217
218 static int file_alloc_security(struct file *file)
219 {
220         struct task_security_struct *tsec = current->security;
221         struct file_security_struct *fsec;
222
223         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
224         if (!fsec)
225                 return -ENOMEM;
226
227         fsec->sid = tsec->sid;
228         fsec->fown_sid = tsec->sid;
229         file->f_security = fsec;
230
231         return 0;
232 }
233
234 static void file_free_security(struct file *file)
235 {
236         struct file_security_struct *fsec = file->f_security;
237         file->f_security = NULL;
238         kfree(fsec);
239 }
240
241 static int superblock_alloc_security(struct super_block *sb)
242 {
243         struct superblock_security_struct *sbsec;
244
245         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
246         if (!sbsec)
247                 return -ENOMEM;
248
249         mutex_init(&sbsec->lock);
250         INIT_LIST_HEAD(&sbsec->list);
251         INIT_LIST_HEAD(&sbsec->isec_head);
252         spin_lock_init(&sbsec->isec_lock);
253         sbsec->sb = sb;
254         sbsec->sid = SECINITSID_UNLABELED;
255         sbsec->def_sid = SECINITSID_FILE;
256         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
257         sb->s_security = sbsec;
258
259         return 0;
260 }
261
262 static void superblock_free_security(struct super_block *sb)
263 {
264         struct superblock_security_struct *sbsec = sb->s_security;
265
266         spin_lock(&sb_security_lock);
267         if (!list_empty(&sbsec->list))
268                 list_del_init(&sbsec->list);
269         spin_unlock(&sb_security_lock);
270
271         sb->s_security = NULL;
272         kfree(sbsec);
273 }
274
275 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
276 {
277         struct sk_security_struct *ssec;
278
279         ssec = kzalloc(sizeof(*ssec), priority);
280         if (!ssec)
281                 return -ENOMEM;
282
283         ssec->peer_sid = SECINITSID_UNLABELED;
284         ssec->sid = SECINITSID_UNLABELED;
285         sk->sk_security = ssec;
286
287         selinux_netlbl_sk_security_reset(ssec, family);
288
289         return 0;
290 }
291
292 static void sk_free_security(struct sock *sk)
293 {
294         struct sk_security_struct *ssec = sk->sk_security;
295
296         sk->sk_security = NULL;
297         kfree(ssec);
298 }
299
300 /* The security server must be initialized before
301    any labeling or access decisions can be provided. */
302 extern int ss_initialized;
303
304 /* The file system's label must be initialized prior to use. */
305
306 static char *labeling_behaviors[6] = {
307         "uses xattr",
308         "uses transition SIDs",
309         "uses task SIDs",
310         "uses genfs_contexts",
311         "not configured for labeling",
312         "uses mountpoint labeling",
313 };
314
315 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
316
317 static inline int inode_doinit(struct inode *inode)
318 {
319         return inode_doinit_with_dentry(inode, NULL);
320 }
321
322 enum {
323         Opt_error = -1,
324         Opt_context = 1,
325         Opt_fscontext = 2,
326         Opt_defcontext = 3,
327         Opt_rootcontext = 4,
328 };
329
330 static match_table_t tokens = {
331         {Opt_context, CONTEXT_STR "%s"},
332         {Opt_fscontext, FSCONTEXT_STR "%s"},
333         {Opt_defcontext, DEFCONTEXT_STR "%s"},
334         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
335         {Opt_error, NULL},
336 };
337
338 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
339
340 static int may_context_mount_sb_relabel(u32 sid,
341                         struct superblock_security_struct *sbsec,
342                         struct task_security_struct *tsec)
343 {
344         int rc;
345
346         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347                           FILESYSTEM__RELABELFROM, NULL);
348         if (rc)
349                 return rc;
350
351         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
352                           FILESYSTEM__RELABELTO, NULL);
353         return rc;
354 }
355
356 static int may_context_mount_inode_relabel(u32 sid,
357                         struct superblock_security_struct *sbsec,
358                         struct task_security_struct *tsec)
359 {
360         int rc;
361         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
362                           FILESYSTEM__RELABELFROM, NULL);
363         if (rc)
364                 return rc;
365
366         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
367                           FILESYSTEM__ASSOCIATE, NULL);
368         return rc;
369 }
370
371 static int sb_finish_set_opts(struct super_block *sb)
372 {
373         struct superblock_security_struct *sbsec = sb->s_security;
374         struct dentry *root = sb->s_root;
375         struct inode *root_inode = root->d_inode;
376         int rc = 0;
377
378         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
379                 /* Make sure that the xattr handler exists and that no
380                    error other than -ENODATA is returned by getxattr on
381                    the root directory.  -ENODATA is ok, as this may be
382                    the first boot of the SELinux kernel before we have
383                    assigned xattr values to the filesystem. */
384                 if (!root_inode->i_op->getxattr) {
385                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
386                                "xattr support\n", sb->s_id, sb->s_type->name);
387                         rc = -EOPNOTSUPP;
388                         goto out;
389                 }
390                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
391                 if (rc < 0 && rc != -ENODATA) {
392                         if (rc == -EOPNOTSUPP)
393                                 printk(KERN_WARNING "SELinux: (dev %s, type "
394                                        "%s) has no security xattr handler\n",
395                                        sb->s_id, sb->s_type->name);
396                         else
397                                 printk(KERN_WARNING "SELinux: (dev %s, type "
398                                        "%s) getxattr errno %d\n", sb->s_id,
399                                        sb->s_type->name, -rc);
400                         goto out;
401                 }
402         }
403
404         sbsec->initialized = 1;
405
406         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
407                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
408                        sb->s_id, sb->s_type->name);
409         else
410                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
411                        sb->s_id, sb->s_type->name,
412                        labeling_behaviors[sbsec->behavior-1]);
413
414         /* Initialize the root inode. */
415         rc = inode_doinit_with_dentry(root_inode, root);
416
417         /* Initialize any other inodes associated with the superblock, e.g.
418            inodes created prior to initial policy load or inodes created
419            during get_sb by a pseudo filesystem that directly
420            populates itself. */
421         spin_lock(&sbsec->isec_lock);
422 next_inode:
423         if (!list_empty(&sbsec->isec_head)) {
424                 struct inode_security_struct *isec =
425                                 list_entry(sbsec->isec_head.next,
426                                            struct inode_security_struct, list);
427                 struct inode *inode = isec->inode;
428                 spin_unlock(&sbsec->isec_lock);
429                 inode = igrab(inode);
430                 if (inode) {
431                         if (!IS_PRIVATE(inode))
432                                 inode_doinit(inode);
433                         iput(inode);
434                 }
435                 spin_lock(&sbsec->isec_lock);
436                 list_del_init(&isec->list);
437                 goto next_inode;
438         }
439         spin_unlock(&sbsec->isec_lock);
440 out:
441         return rc;
442 }
443
444 /*
445  * This function should allow an FS to ask what it's mount security
446  * options were so it can use those later for submounts, displaying
447  * mount options, or whatever.
448  */
449 static int selinux_get_mnt_opts(const struct super_block *sb,
450                                 struct security_mnt_opts *opts)
451 {
452         int rc = 0, i;
453         struct superblock_security_struct *sbsec = sb->s_security;
454         char *context = NULL;
455         u32 len;
456         char tmp;
457
458         security_init_mnt_opts(opts);
459
460         if (!sbsec->initialized)
461                 return -EINVAL;
462
463         if (!ss_initialized)
464                 return -EINVAL;
465
466         /*
467          * if we ever use sbsec flags for anything other than tracking mount
468          * settings this is going to need a mask
469          */
470         tmp = sbsec->flags;
471         /* count the number of mount options for this sb */
472         for (i = 0; i < 8; i++) {
473                 if (tmp & 0x01)
474                         opts->num_mnt_opts++;
475                 tmp >>= 1;
476         }
477
478         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
479         if (!opts->mnt_opts) {
480                 rc = -ENOMEM;
481                 goto out_free;
482         }
483
484         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
485         if (!opts->mnt_opts_flags) {
486                 rc = -ENOMEM;
487                 goto out_free;
488         }
489
490         i = 0;
491         if (sbsec->flags & FSCONTEXT_MNT) {
492                 rc = security_sid_to_context(sbsec->sid, &context, &len);
493                 if (rc)
494                         goto out_free;
495                 opts->mnt_opts[i] = context;
496                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
497         }
498         if (sbsec->flags & CONTEXT_MNT) {
499                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
500                 if (rc)
501                         goto out_free;
502                 opts->mnt_opts[i] = context;
503                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
504         }
505         if (sbsec->flags & DEFCONTEXT_MNT) {
506                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
507                 if (rc)
508                         goto out_free;
509                 opts->mnt_opts[i] = context;
510                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
511         }
512         if (sbsec->flags & ROOTCONTEXT_MNT) {
513                 struct inode *root = sbsec->sb->s_root->d_inode;
514                 struct inode_security_struct *isec = root->i_security;
515
516                 rc = security_sid_to_context(isec->sid, &context, &len);
517                 if (rc)
518                         goto out_free;
519                 opts->mnt_opts[i] = context;
520                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
521         }
522
523         BUG_ON(i != opts->num_mnt_opts);
524
525         return 0;
526
527 out_free:
528         security_free_mnt_opts(opts);
529         return rc;
530 }
531
532 static int bad_option(struct superblock_security_struct *sbsec, char flag,
533                       u32 old_sid, u32 new_sid)
534 {
535         /* check if the old mount command had the same options */
536         if (sbsec->initialized)
537                 if (!(sbsec->flags & flag) ||
538                     (old_sid != new_sid))
539                         return 1;
540
541         /* check if we were passed the same options twice,
542          * aka someone passed context=a,context=b
543          */
544         if (!sbsec->initialized)
545                 if (sbsec->flags & flag)
546                         return 1;
547         return 0;
548 }
549
550 /*
551  * Allow filesystems with binary mount data to explicitly set mount point
552  * labeling information.
553  */
554 static int selinux_set_mnt_opts(struct super_block *sb,
555                                 struct security_mnt_opts *opts)
556 {
557         int rc = 0, i;
558         struct task_security_struct *tsec = current->security;
559         struct superblock_security_struct *sbsec = sb->s_security;
560         const char *name = sb->s_type->name;
561         struct inode *inode = sbsec->sb->s_root->d_inode;
562         struct inode_security_struct *root_isec = inode->i_security;
563         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564         u32 defcontext_sid = 0;
565         char **mount_options = opts->mnt_opts;
566         int *flags = opts->mnt_opts_flags;
567         int num_opts = opts->num_mnt_opts;
568
569         mutex_lock(&sbsec->lock);
570
571         if (!ss_initialized) {
572                 if (!num_opts) {
573                         /* Defer initialization until selinux_complete_init,
574                            after the initial policy is loaded and the security
575                            server is ready to handle calls. */
576                         spin_lock(&sb_security_lock);
577                         if (list_empty(&sbsec->list))
578                                 list_add(&sbsec->list, &superblock_security_head);
579                         spin_unlock(&sb_security_lock);
580                         goto out;
581                 }
582                 rc = -EINVAL;
583                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
584                         "before the security server is initialized\n");
585                 goto out;
586         }
587
588         /*
589          * Binary mount data FS will come through this function twice.  Once
590          * from an explicit call and once from the generic calls from the vfs.
591          * Since the generic VFS calls will not contain any security mount data
592          * we need to skip the double mount verification.
593          *
594          * This does open a hole in which we will not notice if the first
595          * mount using this sb set explict options and a second mount using
596          * this sb does not set any security options.  (The first options
597          * will be used for both mounts)
598          */
599         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
600             && (num_opts == 0))
601                 goto out;
602
603         /*
604          * parse the mount options, check if they are valid sids.
605          * also check if someone is trying to mount the same sb more
606          * than once with different security options.
607          */
608         for (i = 0; i < num_opts; i++) {
609                 u32 sid;
610                 rc = security_context_to_sid(mount_options[i],
611                                              strlen(mount_options[i]), &sid);
612                 if (rc) {
613                         printk(KERN_WARNING "SELinux: security_context_to_sid"
614                                "(%s) failed for (dev %s, type %s) errno=%d\n",
615                                mount_options[i], sb->s_id, name, rc);
616                         goto out;
617                 }
618                 switch (flags[i]) {
619                 case FSCONTEXT_MNT:
620                         fscontext_sid = sid;
621
622                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
623                                         fscontext_sid))
624                                 goto out_double_mount;
625
626                         sbsec->flags |= FSCONTEXT_MNT;
627                         break;
628                 case CONTEXT_MNT:
629                         context_sid = sid;
630
631                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
632                                         context_sid))
633                                 goto out_double_mount;
634
635                         sbsec->flags |= CONTEXT_MNT;
636                         break;
637                 case ROOTCONTEXT_MNT:
638                         rootcontext_sid = sid;
639
640                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
641                                         rootcontext_sid))
642                                 goto out_double_mount;
643
644                         sbsec->flags |= ROOTCONTEXT_MNT;
645
646                         break;
647                 case DEFCONTEXT_MNT:
648                         defcontext_sid = sid;
649
650                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
651                                         defcontext_sid))
652                                 goto out_double_mount;
653
654                         sbsec->flags |= DEFCONTEXT_MNT;
655
656                         break;
657                 default:
658                         rc = -EINVAL;
659                         goto out;
660                 }
661         }
662
663         if (sbsec->initialized) {
664                 /* previously mounted with options, but not on this attempt? */
665                 if (sbsec->flags && !num_opts)
666                         goto out_double_mount;
667                 rc = 0;
668                 goto out;
669         }
670
671         if (strcmp(sb->s_type->name, "proc") == 0)
672                 sbsec->proc = 1;
673
674         /* Determine the labeling behavior to use for this filesystem type. */
675         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
676         if (rc) {
677                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
678                        __func__, sb->s_type->name, rc);
679                 goto out;
680         }
681
682         /* sets the context of the superblock for the fs being mounted. */
683         if (fscontext_sid) {
684
685                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
686                 if (rc)
687                         goto out;
688
689                 sbsec->sid = fscontext_sid;
690         }
691
692         /*
693          * Switch to using mount point labeling behavior.
694          * sets the label used on all file below the mountpoint, and will set
695          * the superblock context if not already set.
696          */
697         if (context_sid) {
698                 if (!fscontext_sid) {
699                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
700                         if (rc)
701                                 goto out;
702                         sbsec->sid = context_sid;
703                 } else {
704                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
705                         if (rc)
706                                 goto out;
707                 }
708                 if (!rootcontext_sid)
709                         rootcontext_sid = context_sid;
710
711                 sbsec->mntpoint_sid = context_sid;
712                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
713         }
714
715         if (rootcontext_sid) {
716                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
717                 if (rc)
718                         goto out;
719
720                 root_isec->sid = rootcontext_sid;
721                 root_isec->initialized = 1;
722         }
723
724         if (defcontext_sid) {
725                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
726                         rc = -EINVAL;
727                         printk(KERN_WARNING "SELinux: defcontext option is "
728                                "invalid for this filesystem type\n");
729                         goto out;
730                 }
731
732                 if (defcontext_sid != sbsec->def_sid) {
733                         rc = may_context_mount_inode_relabel(defcontext_sid,
734                                                              sbsec, tsec);
735                         if (rc)
736                                 goto out;
737                 }
738
739                 sbsec->def_sid = defcontext_sid;
740         }
741
742         rc = sb_finish_set_opts(sb);
743 out:
744         mutex_unlock(&sbsec->lock);
745         return rc;
746 out_double_mount:
747         rc = -EINVAL;
748         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
749                "security settings for (dev %s, type %s)\n", sb->s_id, name);
750         goto out;
751 }
752
753 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754                                         struct super_block *newsb)
755 {
756         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757         struct superblock_security_struct *newsbsec = newsb->s_security;
758
759         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
760         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
761         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
762
763         /*
764          * if the parent was able to be mounted it clearly had no special lsm
765          * mount options.  thus we can safely put this sb on the list and deal
766          * with it later
767          */
768         if (!ss_initialized) {
769                 spin_lock(&sb_security_lock);
770                 if (list_empty(&newsbsec->list))
771                         list_add(&newsbsec->list, &superblock_security_head);
772                 spin_unlock(&sb_security_lock);
773                 return;
774         }
775
776         /* how can we clone if the old one wasn't set up?? */
777         BUG_ON(!oldsbsec->initialized);
778
779         /* if fs is reusing a sb, just let its options stand... */
780         if (newsbsec->initialized)
781                 return;
782
783         mutex_lock(&newsbsec->lock);
784
785         newsbsec->flags = oldsbsec->flags;
786
787         newsbsec->sid = oldsbsec->sid;
788         newsbsec->def_sid = oldsbsec->def_sid;
789         newsbsec->behavior = oldsbsec->behavior;
790
791         if (set_context) {
792                 u32 sid = oldsbsec->mntpoint_sid;
793
794                 if (!set_fscontext)
795                         newsbsec->sid = sid;
796                 if (!set_rootcontext) {
797                         struct inode *newinode = newsb->s_root->d_inode;
798                         struct inode_security_struct *newisec = newinode->i_security;
799                         newisec->sid = sid;
800                 }
801                 newsbsec->mntpoint_sid = sid;
802         }
803         if (set_rootcontext) {
804                 const struct inode *oldinode = oldsb->s_root->d_inode;
805                 const struct inode_security_struct *oldisec = oldinode->i_security;
806                 struct inode *newinode = newsb->s_root->d_inode;
807                 struct inode_security_struct *newisec = newinode->i_security;
808
809                 newisec->sid = oldisec->sid;
810         }
811
812         sb_finish_set_opts(newsb);
813         mutex_unlock(&newsbsec->lock);
814 }
815
816 static int selinux_parse_opts_str(char *options,
817                                   struct security_mnt_opts *opts)
818 {
819         char *p;
820         char *context = NULL, *defcontext = NULL;
821         char *fscontext = NULL, *rootcontext = NULL;
822         int rc, num_mnt_opts = 0;
823
824         opts->num_mnt_opts = 0;
825
826         /* Standard string-based options. */
827         while ((p = strsep(&options, "|")) != NULL) {
828                 int token;
829                 substring_t args[MAX_OPT_ARGS];
830
831                 if (!*p)
832                         continue;
833
834                 token = match_token(p, tokens, args);
835
836                 switch (token) {
837                 case Opt_context:
838                         if (context || defcontext) {
839                                 rc = -EINVAL;
840                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841                                 goto out_err;
842                         }
843                         context = match_strdup(&args[0]);
844                         if (!context) {
845                                 rc = -ENOMEM;
846                                 goto out_err;
847                         }
848                         break;
849
850                 case Opt_fscontext:
851                         if (fscontext) {
852                                 rc = -EINVAL;
853                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854                                 goto out_err;
855                         }
856                         fscontext = match_strdup(&args[0]);
857                         if (!fscontext) {
858                                 rc = -ENOMEM;
859                                 goto out_err;
860                         }
861                         break;
862
863                 case Opt_rootcontext:
864                         if (rootcontext) {
865                                 rc = -EINVAL;
866                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867                                 goto out_err;
868                         }
869                         rootcontext = match_strdup(&args[0]);
870                         if (!rootcontext) {
871                                 rc = -ENOMEM;
872                                 goto out_err;
873                         }
874                         break;
875
876                 case Opt_defcontext:
877                         if (context || defcontext) {
878                                 rc = -EINVAL;
879                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
880                                 goto out_err;
881                         }
882                         defcontext = match_strdup(&args[0]);
883                         if (!defcontext) {
884                                 rc = -ENOMEM;
885                                 goto out_err;
886                         }
887                         break;
888
889                 default:
890                         rc = -EINVAL;
891                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
892                         goto out_err;
893
894                 }
895         }
896
897         rc = -ENOMEM;
898         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
899         if (!opts->mnt_opts)
900                 goto out_err;
901
902         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
903         if (!opts->mnt_opts_flags) {
904                 kfree(opts->mnt_opts);
905                 goto out_err;
906         }
907
908         if (fscontext) {
909                 opts->mnt_opts[num_mnt_opts] = fscontext;
910                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
911         }
912         if (context) {
913                 opts->mnt_opts[num_mnt_opts] = context;
914                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
915         }
916         if (rootcontext) {
917                 opts->mnt_opts[num_mnt_opts] = rootcontext;
918                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
919         }
920         if (defcontext) {
921                 opts->mnt_opts[num_mnt_opts] = defcontext;
922                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
923         }
924
925         opts->num_mnt_opts = num_mnt_opts;
926         return 0;
927
928 out_err:
929         kfree(context);
930         kfree(defcontext);
931         kfree(fscontext);
932         kfree(rootcontext);
933         return rc;
934 }
935 /*
936  * string mount options parsing and call set the sbsec
937  */
938 static int superblock_doinit(struct super_block *sb, void *data)
939 {
940         int rc = 0;
941         char *options = data;
942         struct security_mnt_opts opts;
943
944         security_init_mnt_opts(&opts);
945
946         if (!data)
947                 goto out;
948
949         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
950
951         rc = selinux_parse_opts_str(options, &opts);
952         if (rc)
953                 goto out_err;
954
955 out:
956         rc = selinux_set_mnt_opts(sb, &opts);
957
958 out_err:
959         security_free_mnt_opts(&opts);
960         return rc;
961 }
962
963 static inline u16 inode_mode_to_security_class(umode_t mode)
964 {
965         switch (mode & S_IFMT) {
966         case S_IFSOCK:
967                 return SECCLASS_SOCK_FILE;
968         case S_IFLNK:
969                 return SECCLASS_LNK_FILE;
970         case S_IFREG:
971                 return SECCLASS_FILE;
972         case S_IFBLK:
973                 return SECCLASS_BLK_FILE;
974         case S_IFDIR:
975                 return SECCLASS_DIR;
976         case S_IFCHR:
977                 return SECCLASS_CHR_FILE;
978         case S_IFIFO:
979                 return SECCLASS_FIFO_FILE;
980
981         }
982
983         return SECCLASS_FILE;
984 }
985
986 static inline int default_protocol_stream(int protocol)
987 {
988         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
989 }
990
991 static inline int default_protocol_dgram(int protocol)
992 {
993         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
994 }
995
996 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
997 {
998         switch (family) {
999         case PF_UNIX:
1000                 switch (type) {
1001                 case SOCK_STREAM:
1002                 case SOCK_SEQPACKET:
1003                         return SECCLASS_UNIX_STREAM_SOCKET;
1004                 case SOCK_DGRAM:
1005                         return SECCLASS_UNIX_DGRAM_SOCKET;
1006                 }
1007                 break;
1008         case PF_INET:
1009         case PF_INET6:
1010                 switch (type) {
1011                 case SOCK_STREAM:
1012                         if (default_protocol_stream(protocol))
1013                                 return SECCLASS_TCP_SOCKET;
1014                         else
1015                                 return SECCLASS_RAWIP_SOCKET;
1016                 case SOCK_DGRAM:
1017                         if (default_protocol_dgram(protocol))
1018                                 return SECCLASS_UDP_SOCKET;
1019                         else
1020                                 return SECCLASS_RAWIP_SOCKET;
1021                 case SOCK_DCCP:
1022                         return SECCLASS_DCCP_SOCKET;
1023                 default:
1024                         return SECCLASS_RAWIP_SOCKET;
1025                 }
1026                 break;
1027         case PF_NETLINK:
1028                 switch (protocol) {
1029                 case NETLINK_ROUTE:
1030                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1031                 case NETLINK_FIREWALL:
1032                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1033                 case NETLINK_INET_DIAG:
1034                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1035                 case NETLINK_NFLOG:
1036                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1037                 case NETLINK_XFRM:
1038                         return SECCLASS_NETLINK_XFRM_SOCKET;
1039                 case NETLINK_SELINUX:
1040                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1041                 case NETLINK_AUDIT:
1042                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1043                 case NETLINK_IP6_FW:
1044                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1045                 case NETLINK_DNRTMSG:
1046                         return SECCLASS_NETLINK_DNRT_SOCKET;
1047                 case NETLINK_KOBJECT_UEVENT:
1048                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1049                 default:
1050                         return SECCLASS_NETLINK_SOCKET;
1051                 }
1052         case PF_PACKET:
1053                 return SECCLASS_PACKET_SOCKET;
1054         case PF_KEY:
1055                 return SECCLASS_KEY_SOCKET;
1056         case PF_APPLETALK:
1057                 return SECCLASS_APPLETALK_SOCKET;
1058         }
1059
1060         return SECCLASS_SOCKET;
1061 }
1062
1063 #ifdef CONFIG_PROC_FS
1064 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1065                                 u16 tclass,
1066                                 u32 *sid)
1067 {
1068         int buflen, rc;
1069         char *buffer, *path, *end;
1070
1071         buffer = (char *)__get_free_page(GFP_KERNEL);
1072         if (!buffer)
1073                 return -ENOMEM;
1074
1075         buflen = PAGE_SIZE;
1076         end = buffer+buflen;
1077         *--end = '\0';
1078         buflen--;
1079         path = end-1;
1080         *path = '/';
1081         while (de && de != de->parent) {
1082                 buflen -= de->namelen + 1;
1083                 if (buflen < 0)
1084                         break;
1085                 end -= de->namelen;
1086                 memcpy(end, de->name, de->namelen);
1087                 *--end = '/';
1088                 path = end;
1089                 de = de->parent;
1090         }
1091         rc = security_genfs_sid("proc", path, tclass, sid);
1092         free_page((unsigned long)buffer);
1093         return rc;
1094 }
1095 #else
1096 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1097                                 u16 tclass,
1098                                 u32 *sid)
1099 {
1100         return -EINVAL;
1101 }
1102 #endif
1103
1104 /* The inode's security attributes must be initialized before first use. */
1105 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1106 {
1107         struct superblock_security_struct *sbsec = NULL;
1108         struct inode_security_struct *isec = inode->i_security;
1109         u32 sid;
1110         struct dentry *dentry;
1111 #define INITCONTEXTLEN 255
1112         char *context = NULL;
1113         unsigned len = 0;
1114         int rc = 0;
1115
1116         if (isec->initialized)
1117                 goto out;
1118
1119         mutex_lock(&isec->lock);
1120         if (isec->initialized)
1121                 goto out_unlock;
1122
1123         sbsec = inode->i_sb->s_security;
1124         if (!sbsec->initialized) {
1125                 /* Defer initialization until selinux_complete_init,
1126                    after the initial policy is loaded and the security
1127                    server is ready to handle calls. */
1128                 spin_lock(&sbsec->isec_lock);
1129                 if (list_empty(&isec->list))
1130                         list_add(&isec->list, &sbsec->isec_head);
1131                 spin_unlock(&sbsec->isec_lock);
1132                 goto out_unlock;
1133         }
1134
1135         switch (sbsec->behavior) {
1136         case SECURITY_FS_USE_XATTR:
1137                 if (!inode->i_op->getxattr) {
1138                         isec->sid = sbsec->def_sid;
1139                         break;
1140                 }
1141
1142                 /* Need a dentry, since the xattr API requires one.
1143                    Life would be simpler if we could just pass the inode. */
1144                 if (opt_dentry) {
1145                         /* Called from d_instantiate or d_splice_alias. */
1146                         dentry = dget(opt_dentry);
1147                 } else {
1148                         /* Called from selinux_complete_init, try to find a dentry. */
1149                         dentry = d_find_alias(inode);
1150                 }
1151                 if (!dentry) {
1152                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1153                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1154                                inode->i_ino);
1155                         goto out_unlock;
1156                 }
1157
1158                 len = INITCONTEXTLEN;
1159                 context = kmalloc(len, GFP_NOFS);
1160                 if (!context) {
1161                         rc = -ENOMEM;
1162                         dput(dentry);
1163                         goto out_unlock;
1164                 }
1165                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1166                                            context, len);
1167                 if (rc == -ERANGE) {
1168                         /* Need a larger buffer.  Query for the right size. */
1169                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1170                                                    NULL, 0);
1171                         if (rc < 0) {
1172                                 dput(dentry);
1173                                 goto out_unlock;
1174                         }
1175                         kfree(context);
1176                         len = rc;
1177                         context = kmalloc(len, GFP_NOFS);
1178                         if (!context) {
1179                                 rc = -ENOMEM;
1180                                 dput(dentry);
1181                                 goto out_unlock;
1182                         }
1183                         rc = inode->i_op->getxattr(dentry,
1184                                                    XATTR_NAME_SELINUX,
1185                                                    context, len);
1186                 }
1187                 dput(dentry);
1188                 if (rc < 0) {
1189                         if (rc != -ENODATA) {
1190                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1191                                        "%d for dev=%s ino=%ld\n", __func__,
1192                                        -rc, inode->i_sb->s_id, inode->i_ino);
1193                                 kfree(context);
1194                                 goto out_unlock;
1195                         }
1196                         /* Map ENODATA to the default file SID */
1197                         sid = sbsec->def_sid;
1198                         rc = 0;
1199                 } else {
1200                         rc = security_context_to_sid_default(context, rc, &sid,
1201                                                              sbsec->def_sid,
1202                                                              GFP_NOFS);
1203                         if (rc) {
1204                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1205                                        "returned %d for dev=%s ino=%ld\n",
1206                                        __func__, context, -rc,
1207                                        inode->i_sb->s_id, inode->i_ino);
1208                                 kfree(context);
1209                                 /* Leave with the unlabeled SID */
1210                                 rc = 0;
1211                                 break;
1212                         }
1213                 }
1214                 kfree(context);
1215                 isec->sid = sid;
1216                 break;
1217         case SECURITY_FS_USE_TASK:
1218                 isec->sid = isec->task_sid;
1219                 break;
1220         case SECURITY_FS_USE_TRANS:
1221                 /* Default to the fs SID. */
1222                 isec->sid = sbsec->sid;
1223
1224                 /* Try to obtain a transition SID. */
1225                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1226                 rc = security_transition_sid(isec->task_sid,
1227                                              sbsec->sid,
1228                                              isec->sclass,
1229                                              &sid);
1230                 if (rc)
1231                         goto out_unlock;
1232                 isec->sid = sid;
1233                 break;
1234         case SECURITY_FS_USE_MNTPOINT:
1235                 isec->sid = sbsec->mntpoint_sid;
1236                 break;
1237         default:
1238                 /* Default to the fs superblock SID. */
1239                 isec->sid = sbsec->sid;
1240
1241                 if (sbsec->proc) {
1242                         struct proc_inode *proci = PROC_I(inode);
1243                         if (proci->pde) {
1244                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1245                                 rc = selinux_proc_get_sid(proci->pde,
1246                                                           isec->sclass,
1247                                                           &sid);
1248                                 if (rc)
1249                                         goto out_unlock;
1250                                 isec->sid = sid;
1251                         }
1252                 }
1253                 break;
1254         }
1255
1256         isec->initialized = 1;
1257
1258 out_unlock:
1259         mutex_unlock(&isec->lock);
1260 out:
1261         if (isec->sclass == SECCLASS_FILE)
1262                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1263         return rc;
1264 }
1265
1266 /* Convert a Linux signal to an access vector. */
1267 static inline u32 signal_to_av(int sig)
1268 {
1269         u32 perm = 0;
1270
1271         switch (sig) {
1272         case SIGCHLD:
1273                 /* Commonly granted from child to parent. */
1274                 perm = PROCESS__SIGCHLD;
1275                 break;
1276         case SIGKILL:
1277                 /* Cannot be caught or ignored */
1278                 perm = PROCESS__SIGKILL;
1279                 break;
1280         case SIGSTOP:
1281                 /* Cannot be caught or ignored */
1282                 perm = PROCESS__SIGSTOP;
1283                 break;
1284         default:
1285                 /* All other signals. */
1286                 perm = PROCESS__SIGNAL;
1287                 break;
1288         }
1289
1290         return perm;
1291 }
1292
1293 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1294    fork check, ptrace check, etc. */
1295 static int task_has_perm(struct task_struct *tsk1,
1296                          struct task_struct *tsk2,
1297                          u32 perms)
1298 {
1299         struct task_security_struct *tsec1, *tsec2;
1300
1301         tsec1 = tsk1->security;
1302         tsec2 = tsk2->security;
1303         return avc_has_perm(tsec1->sid, tsec2->sid,
1304                             SECCLASS_PROCESS, perms, NULL);
1305 }
1306
1307 #if CAP_LAST_CAP > 63
1308 #error Fix SELinux to handle capabilities > 63.
1309 #endif
1310
1311 /* Check whether a task is allowed to use a capability. */
1312 static int task_has_capability(struct task_struct *tsk,
1313                                int cap)
1314 {
1315         struct task_security_struct *tsec;
1316         struct avc_audit_data ad;
1317         u16 sclass;
1318         u32 av = CAP_TO_MASK(cap);
1319
1320         tsec = tsk->security;
1321
1322         AVC_AUDIT_DATA_INIT(&ad, CAP);
1323         ad.tsk = tsk;
1324         ad.u.cap = cap;
1325
1326         switch (CAP_TO_INDEX(cap)) {
1327         case 0:
1328                 sclass = SECCLASS_CAPABILITY;
1329                 break;
1330         case 1:
1331                 sclass = SECCLASS_CAPABILITY2;
1332                 break;
1333         default:
1334                 printk(KERN_ERR
1335                        "SELinux:  out of range capability %d\n", cap);
1336                 BUG();
1337         }
1338         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1339 }
1340
1341 /* Check whether a task is allowed to use a system operation. */
1342 static int task_has_system(struct task_struct *tsk,
1343                            u32 perms)
1344 {
1345         struct task_security_struct *tsec;
1346
1347         tsec = tsk->security;
1348
1349         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1350                             SECCLASS_SYSTEM, perms, NULL);
1351 }
1352
1353 /* Check whether a task has a particular permission to an inode.
1354    The 'adp' parameter is optional and allows other audit
1355    data to be passed (e.g. the dentry). */
1356 static int inode_has_perm(struct task_struct *tsk,
1357                           struct inode *inode,
1358                           u32 perms,
1359                           struct avc_audit_data *adp)
1360 {
1361         struct task_security_struct *tsec;
1362         struct inode_security_struct *isec;
1363         struct avc_audit_data ad;
1364
1365         if (unlikely(IS_PRIVATE(inode)))
1366                 return 0;
1367
1368         tsec = tsk->security;
1369         isec = inode->i_security;
1370
1371         if (!adp) {
1372                 adp = &ad;
1373                 AVC_AUDIT_DATA_INIT(&ad, FS);
1374                 ad.u.fs.inode = inode;
1375         }
1376
1377         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1378 }
1379
1380 /* Same as inode_has_perm, but pass explicit audit data containing
1381    the dentry to help the auditing code to more easily generate the
1382    pathname if needed. */
1383 static inline int dentry_has_perm(struct task_struct *tsk,
1384                                   struct vfsmount *mnt,
1385                                   struct dentry *dentry,
1386                                   u32 av)
1387 {
1388         struct inode *inode = dentry->d_inode;
1389         struct avc_audit_data ad;
1390         AVC_AUDIT_DATA_INIT(&ad, FS);
1391         ad.u.fs.path.mnt = mnt;
1392         ad.u.fs.path.dentry = dentry;
1393         return inode_has_perm(tsk, inode, av, &ad);
1394 }
1395
1396 /* Check whether a task can use an open file descriptor to
1397    access an inode in a given way.  Check access to the
1398    descriptor itself, and then use dentry_has_perm to
1399    check a particular permission to the file.
1400    Access to the descriptor is implicitly granted if it
1401    has the same SID as the process.  If av is zero, then
1402    access to the file is not checked, e.g. for cases
1403    where only the descriptor is affected like seek. */
1404 static int file_has_perm(struct task_struct *tsk,
1405                                 struct file *file,
1406                                 u32 av)
1407 {
1408         struct task_security_struct *tsec = tsk->security;
1409         struct file_security_struct *fsec = file->f_security;
1410         struct inode *inode = file->f_path.dentry->d_inode;
1411         struct avc_audit_data ad;
1412         int rc;
1413
1414         AVC_AUDIT_DATA_INIT(&ad, FS);
1415         ad.u.fs.path = file->f_path;
1416
1417         if (tsec->sid != fsec->sid) {
1418                 rc = avc_has_perm(tsec->sid, fsec->sid,
1419                                   SECCLASS_FD,
1420                                   FD__USE,
1421                                   &ad);
1422                 if (rc)
1423                         return rc;
1424         }
1425
1426         /* av is zero if only checking access to the descriptor. */
1427         if (av)
1428                 return inode_has_perm(tsk, inode, av, &ad);
1429
1430         return 0;
1431 }
1432
1433 /* Check whether a task can create a file. */
1434 static int may_create(struct inode *dir,
1435                       struct dentry *dentry,
1436                       u16 tclass)
1437 {
1438         struct task_security_struct *tsec;
1439         struct inode_security_struct *dsec;
1440         struct superblock_security_struct *sbsec;
1441         u32 newsid;
1442         struct avc_audit_data ad;
1443         int rc;
1444
1445         tsec = current->security;
1446         dsec = dir->i_security;
1447         sbsec = dir->i_sb->s_security;
1448
1449         AVC_AUDIT_DATA_INIT(&ad, FS);
1450         ad.u.fs.path.dentry = dentry;
1451
1452         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1453                           DIR__ADD_NAME | DIR__SEARCH,
1454                           &ad);
1455         if (rc)
1456                 return rc;
1457
1458         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1459                 newsid = tsec->create_sid;
1460         } else {
1461                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1462                                              &newsid);
1463                 if (rc)
1464                         return rc;
1465         }
1466
1467         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1468         if (rc)
1469                 return rc;
1470
1471         return avc_has_perm(newsid, sbsec->sid,
1472                             SECCLASS_FILESYSTEM,
1473                             FILESYSTEM__ASSOCIATE, &ad);
1474 }
1475
1476 /* Check whether a task can create a key. */
1477 static int may_create_key(u32 ksid,
1478                           struct task_struct *ctx)
1479 {
1480         struct task_security_struct *tsec;
1481
1482         tsec = ctx->security;
1483
1484         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1485 }
1486
1487 #define MAY_LINK        0
1488 #define MAY_UNLINK      1
1489 #define MAY_RMDIR       2
1490
1491 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1492 static int may_link(struct inode *dir,
1493                     struct dentry *dentry,
1494                     int kind)
1495
1496 {
1497         struct task_security_struct *tsec;
1498         struct inode_security_struct *dsec, *isec;
1499         struct avc_audit_data ad;
1500         u32 av;
1501         int rc;
1502
1503         tsec = current->security;
1504         dsec = dir->i_security;
1505         isec = dentry->d_inode->i_security;
1506
1507         AVC_AUDIT_DATA_INIT(&ad, FS);
1508         ad.u.fs.path.dentry = dentry;
1509
1510         av = DIR__SEARCH;
1511         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1512         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1513         if (rc)
1514                 return rc;
1515
1516         switch (kind) {
1517         case MAY_LINK:
1518                 av = FILE__LINK;
1519                 break;
1520         case MAY_UNLINK:
1521                 av = FILE__UNLINK;
1522                 break;
1523         case MAY_RMDIR:
1524                 av = DIR__RMDIR;
1525                 break;
1526         default:
1527                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1528                         __func__, kind);
1529                 return 0;
1530         }
1531
1532         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1533         return rc;
1534 }
1535
1536 static inline int may_rename(struct inode *old_dir,
1537                              struct dentry *old_dentry,
1538                              struct inode *new_dir,
1539                              struct dentry *new_dentry)
1540 {
1541         struct task_security_struct *tsec;
1542         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1543         struct avc_audit_data ad;
1544         u32 av;
1545         int old_is_dir, new_is_dir;
1546         int rc;
1547
1548         tsec = current->security;
1549         old_dsec = old_dir->i_security;
1550         old_isec = old_dentry->d_inode->i_security;
1551         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1552         new_dsec = new_dir->i_security;
1553
1554         AVC_AUDIT_DATA_INIT(&ad, FS);
1555
1556         ad.u.fs.path.dentry = old_dentry;
1557         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1558                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1559         if (rc)
1560                 return rc;
1561         rc = avc_has_perm(tsec->sid, old_isec->sid,
1562                           old_isec->sclass, FILE__RENAME, &ad);
1563         if (rc)
1564                 return rc;
1565         if (old_is_dir && new_dir != old_dir) {
1566                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1567                                   old_isec->sclass, DIR__REPARENT, &ad);
1568                 if (rc)
1569                         return rc;
1570         }
1571
1572         ad.u.fs.path.dentry = new_dentry;
1573         av = DIR__ADD_NAME | DIR__SEARCH;
1574         if (new_dentry->d_inode)
1575                 av |= DIR__REMOVE_NAME;
1576         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1577         if (rc)
1578                 return rc;
1579         if (new_dentry->d_inode) {
1580                 new_isec = new_dentry->d_inode->i_security;
1581                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1582                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1583                                   new_isec->sclass,
1584                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1585                 if (rc)
1586                         return rc;
1587         }
1588
1589         return 0;
1590 }
1591
1592 /* Check whether a task can perform a filesystem operation. */
1593 static int superblock_has_perm(struct task_struct *tsk,
1594                                struct super_block *sb,
1595                                u32 perms,
1596                                struct avc_audit_data *ad)
1597 {
1598         struct task_security_struct *tsec;
1599         struct superblock_security_struct *sbsec;
1600
1601         tsec = tsk->security;
1602         sbsec = sb->s_security;
1603         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1604                             perms, ad);
1605 }
1606
1607 /* Convert a Linux mode and permission mask to an access vector. */
1608 static inline u32 file_mask_to_av(int mode, int mask)
1609 {
1610         u32 av = 0;
1611
1612         if ((mode & S_IFMT) != S_IFDIR) {
1613                 if (mask & MAY_EXEC)
1614                         av |= FILE__EXECUTE;
1615                 if (mask & MAY_READ)
1616                         av |= FILE__READ;
1617
1618                 if (mask & MAY_APPEND)
1619                         av |= FILE__APPEND;
1620                 else if (mask & MAY_WRITE)
1621                         av |= FILE__WRITE;
1622
1623         } else {
1624                 if (mask & MAY_EXEC)
1625                         av |= DIR__SEARCH;
1626                 if (mask & MAY_WRITE)
1627                         av |= DIR__WRITE;
1628                 if (mask & MAY_READ)
1629                         av |= DIR__READ;
1630         }
1631
1632         return av;
1633 }
1634
1635 /*
1636  * Convert a file mask to an access vector and include the correct open
1637  * open permission.
1638  */
1639 static inline u32 open_file_mask_to_av(int mode, int mask)
1640 {
1641         u32 av = file_mask_to_av(mode, mask);
1642
1643         if (selinux_policycap_openperm) {
1644                 /*
1645                  * lnk files and socks do not really have an 'open'
1646                  */
1647                 if (S_ISREG(mode))
1648                         av |= FILE__OPEN;
1649                 else if (S_ISCHR(mode))
1650                         av |= CHR_FILE__OPEN;
1651                 else if (S_ISBLK(mode))
1652                         av |= BLK_FILE__OPEN;
1653                 else if (S_ISFIFO(mode))
1654                         av |= FIFO_FILE__OPEN;
1655                 else if (S_ISDIR(mode))
1656                         av |= DIR__OPEN;
1657                 else
1658                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1659                                 "unknown mode:%x\n", __func__, mode);
1660         }
1661         return av;
1662 }
1663
1664 /* Convert a Linux file to an access vector. */
1665 static inline u32 file_to_av(struct file *file)
1666 {
1667         u32 av = 0;
1668
1669         if (file->f_mode & FMODE_READ)
1670                 av |= FILE__READ;
1671         if (file->f_mode & FMODE_WRITE) {
1672                 if (file->f_flags & O_APPEND)
1673                         av |= FILE__APPEND;
1674                 else
1675                         av |= FILE__WRITE;
1676         }
1677         if (!av) {
1678                 /*
1679                  * Special file opened with flags 3 for ioctl-only use.
1680                  */
1681                 av = FILE__IOCTL;
1682         }
1683
1684         return av;
1685 }
1686
1687 /* Hook functions begin here. */
1688
1689 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1690 {
1691         int rc;
1692
1693         rc = secondary_ops->ptrace(parent, child);
1694         if (rc)
1695                 return rc;
1696
1697         return task_has_perm(parent, child, PROCESS__PTRACE);
1698 }
1699
1700 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1701                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1702 {
1703         int error;
1704
1705         error = task_has_perm(current, target, PROCESS__GETCAP);
1706         if (error)
1707                 return error;
1708
1709         return secondary_ops->capget(target, effective, inheritable, permitted);
1710 }
1711
1712 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1713                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1714 {
1715         int error;
1716
1717         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1718         if (error)
1719                 return error;
1720
1721         return task_has_perm(current, target, PROCESS__SETCAP);
1722 }
1723
1724 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1725                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1726 {
1727         secondary_ops->capset_set(target, effective, inheritable, permitted);
1728 }
1729
1730 static int selinux_capable(struct task_struct *tsk, int cap)
1731 {
1732         int rc;
1733
1734         rc = secondary_ops->capable(tsk, cap);
1735         if (rc)
1736                 return rc;
1737
1738         return task_has_capability(tsk, cap);
1739 }
1740
1741 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1742 {
1743         int buflen, rc;
1744         char *buffer, *path, *end;
1745
1746         rc = -ENOMEM;
1747         buffer = (char *)__get_free_page(GFP_KERNEL);
1748         if (!buffer)
1749                 goto out;
1750
1751         buflen = PAGE_SIZE;
1752         end = buffer+buflen;
1753         *--end = '\0';
1754         buflen--;
1755         path = end-1;
1756         *path = '/';
1757         while (table) {
1758                 const char *name = table->procname;
1759                 size_t namelen = strlen(name);
1760                 buflen -= namelen + 1;
1761                 if (buflen < 0)
1762                         goto out_free;
1763                 end -= namelen;
1764                 memcpy(end, name, namelen);
1765                 *--end = '/';
1766                 path = end;
1767                 table = table->parent;
1768         }
1769         buflen -= 4;
1770         if (buflen < 0)
1771                 goto out_free;
1772         end -= 4;
1773         memcpy(end, "/sys", 4);
1774         path = end;
1775         rc = security_genfs_sid("proc", path, tclass, sid);
1776 out_free:
1777         free_page((unsigned long)buffer);
1778 out:
1779         return rc;
1780 }
1781
1782 static int selinux_sysctl(ctl_table *table, int op)
1783 {
1784         int error = 0;
1785         u32 av;
1786         struct task_security_struct *tsec;
1787         u32 tsid;
1788         int rc;
1789
1790         rc = secondary_ops->sysctl(table, op);
1791         if (rc)
1792                 return rc;
1793
1794         tsec = current->security;
1795
1796         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1797                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1798         if (rc) {
1799                 /* Default to the well-defined sysctl SID. */
1800                 tsid = SECINITSID_SYSCTL;
1801         }
1802
1803         /* The op values are "defined" in sysctl.c, thereby creating
1804          * a bad coupling between this module and sysctl.c */
1805         if (op == 001) {
1806                 error = avc_has_perm(tsec->sid, tsid,
1807                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1808         } else {
1809                 av = 0;
1810                 if (op & 004)
1811                         av |= FILE__READ;
1812                 if (op & 002)
1813                         av |= FILE__WRITE;
1814                 if (av)
1815                         error = avc_has_perm(tsec->sid, tsid,
1816                                              SECCLASS_FILE, av, NULL);
1817         }
1818
1819         return error;
1820 }
1821
1822 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1823 {
1824         int rc = 0;
1825
1826         if (!sb)
1827                 return 0;
1828
1829         switch (cmds) {
1830         case Q_SYNC:
1831         case Q_QUOTAON:
1832         case Q_QUOTAOFF:
1833         case Q_SETINFO:
1834         case Q_SETQUOTA:
1835                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1836                                          NULL);
1837                 break;
1838         case Q_GETFMT:
1839         case Q_GETINFO:
1840         case Q_GETQUOTA:
1841                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1842                                          NULL);
1843                 break;
1844         default:
1845                 rc = 0;  /* let the kernel handle invalid cmds */
1846                 break;
1847         }
1848         return rc;
1849 }
1850
1851 static int selinux_quota_on(struct dentry *dentry)
1852 {
1853         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1854 }
1855
1856 static int selinux_syslog(int type)
1857 {
1858         int rc;
1859
1860         rc = secondary_ops->syslog(type);
1861         if (rc)
1862                 return rc;
1863
1864         switch (type) {
1865         case 3:         /* Read last kernel messages */
1866         case 10:        /* Return size of the log buffer */
1867                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1868                 break;
1869         case 6:         /* Disable logging to console */
1870         case 7:         /* Enable logging to console */
1871         case 8:         /* Set level of messages printed to console */
1872                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1873                 break;
1874         case 0:         /* Close log */
1875         case 1:         /* Open log */
1876         case 2:         /* Read from log */
1877         case 4:         /* Read/clear last kernel messages */
1878         case 5:         /* Clear ring buffer */
1879         default:
1880                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1881                 break;
1882         }
1883         return rc;
1884 }
1885
1886 /*
1887  * Check that a process has enough memory to allocate a new virtual
1888  * mapping. 0 means there is enough memory for the allocation to
1889  * succeed and -ENOMEM implies there is not.
1890  *
1891  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1892  * if the capability is granted, but __vm_enough_memory requires 1 if
1893  * the capability is granted.
1894  *
1895  * Do not audit the selinux permission check, as this is applied to all
1896  * processes that allocate mappings.
1897  */
1898 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1899 {
1900         int rc, cap_sys_admin = 0;
1901         struct task_security_struct *tsec = current->security;
1902
1903         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1904         if (rc == 0)
1905                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1906                                           SECCLASS_CAPABILITY,
1907                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1908                                           0,
1909                                           NULL);
1910
1911         if (rc == 0)
1912                 cap_sys_admin = 1;
1913
1914         return __vm_enough_memory(mm, pages, cap_sys_admin);
1915 }
1916
1917 /**
1918  * task_tracer_task - return the task that is tracing the given task
1919  * @task:               task to consider
1920  *
1921  * Returns NULL if noone is tracing @task, or the &struct task_struct
1922  * pointer to its tracer.
1923  *
1924  * Must be called under rcu_read_lock().
1925  */
1926 static struct task_struct *task_tracer_task(struct task_struct *task)
1927 {
1928         if (task->ptrace & PT_PTRACED)
1929                 return rcu_dereference(task->parent);
1930         return NULL;
1931 }
1932
1933 /* binprm security operations */
1934
1935 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1936 {
1937         struct bprm_security_struct *bsec;
1938
1939         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1940         if (!bsec)
1941                 return -ENOMEM;
1942
1943         bsec->sid = SECINITSID_UNLABELED;
1944         bsec->set = 0;
1945
1946         bprm->security = bsec;
1947         return 0;
1948 }
1949
1950 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1951 {
1952         struct task_security_struct *tsec;
1953         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1954         struct inode_security_struct *isec;
1955         struct bprm_security_struct *bsec;
1956         u32 newsid;
1957         struct avc_audit_data ad;
1958         int rc;
1959
1960         rc = secondary_ops->bprm_set_security(bprm);
1961         if (rc)
1962                 return rc;
1963
1964         bsec = bprm->security;
1965
1966         if (bsec->set)
1967                 return 0;
1968
1969         tsec = current->security;
1970         isec = inode->i_security;
1971
1972         /* Default to the current task SID. */
1973         bsec->sid = tsec->sid;
1974
1975         /* Reset fs, key, and sock SIDs on execve. */
1976         tsec->create_sid = 0;
1977         tsec->keycreate_sid = 0;
1978         tsec->sockcreate_sid = 0;
1979
1980         if (tsec->exec_sid) {
1981                 newsid = tsec->exec_sid;
1982                 /* Reset exec SID on execve. */
1983                 tsec->exec_sid = 0;
1984         } else {
1985                 /* Check for a default transition on this program. */
1986                 rc = security_transition_sid(tsec->sid, isec->sid,
1987                                              SECCLASS_PROCESS, &newsid);
1988                 if (rc)
1989                         return rc;
1990         }
1991
1992         AVC_AUDIT_DATA_INIT(&ad, FS);
1993         ad.u.fs.path = bprm->file->f_path;
1994
1995         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1996                 newsid = tsec->sid;
1997
1998         if (tsec->sid == newsid) {
1999                 rc = avc_has_perm(tsec->sid, isec->sid,
2000                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2001                 if (rc)
2002                         return rc;
2003         } else {
2004                 /* Check permissions for the transition. */
2005                 rc = avc_has_perm(tsec->sid, newsid,
2006                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2007                 if (rc)
2008                         return rc;
2009
2010                 rc = avc_has_perm(newsid, isec->sid,
2011                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2012                 if (rc)
2013                         return rc;
2014
2015                 /* Clear any possibly unsafe personality bits on exec: */
2016                 current->personality &= ~PER_CLEAR_ON_SETID;
2017
2018                 /* Set the security field to the new SID. */
2019                 bsec->sid = newsid;
2020         }
2021
2022         bsec->set = 1;
2023         return 0;
2024 }
2025
2026 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2027 {
2028         return secondary_ops->bprm_check_security(bprm);
2029 }
2030
2031
2032 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2033 {
2034         struct task_security_struct *tsec = current->security;
2035         int atsecure = 0;
2036
2037         if (tsec->osid != tsec->sid) {
2038                 /* Enable secure mode for SIDs transitions unless
2039                    the noatsecure permission is granted between
2040                    the two SIDs, i.e. ahp returns 0. */
2041                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2042                                          SECCLASS_PROCESS,
2043                                          PROCESS__NOATSECURE, NULL);
2044         }
2045
2046         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2047 }
2048
2049 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2050 {
2051         kfree(bprm->security);
2052         bprm->security = NULL;
2053 }
2054
2055 extern struct vfsmount *selinuxfs_mount;
2056 extern struct dentry *selinux_null;
2057
2058 /* Derived from fs/exec.c:flush_old_files. */
2059 static inline void flush_unauthorized_files(struct files_struct *files)
2060 {
2061         struct avc_audit_data ad;
2062         struct file *file, *devnull = NULL;
2063         struct tty_struct *tty;
2064         struct fdtable *fdt;
2065         long j = -1;
2066         int drop_tty = 0;
2067
2068         mutex_lock(&tty_mutex);
2069         tty = get_current_tty();
2070         if (tty) {
2071                 file_list_lock();
2072                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2073                 if (file) {
2074                         /* Revalidate access to controlling tty.
2075                            Use inode_has_perm on the tty inode directly rather
2076                            than using file_has_perm, as this particular open
2077                            file may belong to another process and we are only
2078                            interested in the inode-based check here. */
2079                         struct inode *inode = file->f_path.dentry->d_inode;
2080                         if (inode_has_perm(current, inode,
2081                                            FILE__READ | FILE__WRITE, NULL)) {
2082                                 drop_tty = 1;
2083                         }
2084                 }
2085                 file_list_unlock();
2086         }
2087         mutex_unlock(&tty_mutex);
2088         /* Reset controlling tty. */
2089         if (drop_tty)
2090                 no_tty();
2091
2092         /* Revalidate access to inherited open files. */
2093
2094         AVC_AUDIT_DATA_INIT(&ad, FS);
2095
2096         spin_lock(&files->file_lock);
2097         for (;;) {
2098                 unsigned long set, i;
2099                 int fd;
2100
2101                 j++;
2102                 i = j * __NFDBITS;
2103                 fdt = files_fdtable(files);
2104                 if (i >= fdt->max_fds)
2105                         break;
2106                 set = fdt->open_fds->fds_bits[j];
2107                 if (!set)
2108                         continue;
2109                 spin_unlock(&files->file_lock);
2110                 for ( ; set ; i++, set >>= 1) {
2111                         if (set & 1) {
2112                                 file = fget(i);
2113                                 if (!file)
2114                                         continue;
2115                                 if (file_has_perm(current,
2116                                                   file,
2117                                                   file_to_av(file))) {
2118                                         sys_close(i);
2119                                         fd = get_unused_fd();
2120                                         if (fd != i) {
2121                                                 if (fd >= 0)
2122                                                         put_unused_fd(fd);
2123                                                 fput(file);
2124                                                 continue;
2125                                         }
2126                                         if (devnull) {
2127                                                 get_file(devnull);
2128                                         } else {
2129                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2130                                                 if (IS_ERR(devnull)) {
2131                                                         devnull = NULL;
2132                                                         put_unused_fd(fd);
2133                                                         fput(file);
2134                                                         continue;
2135                                                 }
2136                                         }
2137                                         fd_install(fd, devnull);
2138                                 }
2139                                 fput(file);
2140                         }
2141                 }
2142                 spin_lock(&files->file_lock);
2143
2144         }
2145         spin_unlock(&files->file_lock);
2146 }
2147
2148 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2149 {
2150         struct task_security_struct *tsec;
2151         struct bprm_security_struct *bsec;
2152         u32 sid;
2153         int rc;
2154
2155         secondary_ops->bprm_apply_creds(bprm, unsafe);
2156
2157         tsec = current->security;
2158
2159         bsec = bprm->security;
2160         sid = bsec->sid;
2161
2162         tsec->osid = tsec->sid;
2163         bsec->unsafe = 0;
2164         if (tsec->sid != sid) {
2165                 /* Check for shared state.  If not ok, leave SID
2166                    unchanged and kill. */
2167                 if (unsafe & LSM_UNSAFE_SHARE) {
2168                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2169                                         PROCESS__SHARE, NULL);
2170                         if (rc) {
2171                                 bsec->unsafe = 1;
2172                                 return;
2173                         }
2174                 }
2175
2176                 /* Check for ptracing, and update the task SID if ok.
2177                    Otherwise, leave SID unchanged and kill. */
2178                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2179                         struct task_struct *tracer;
2180                         struct task_security_struct *sec;
2181                         u32 ptsid = 0;
2182
2183                         rcu_read_lock();
2184                         tracer = task_tracer_task(current);
2185                         if (likely(tracer != NULL)) {
2186                                 sec = tracer->security;
2187                                 ptsid = sec->sid;
2188                         }
2189                         rcu_read_unlock();
2190
2191                         if (ptsid != 0) {
2192                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2193                                                   PROCESS__PTRACE, NULL);
2194                                 if (rc) {
2195                                         bsec->unsafe = 1;
2196                                         return;
2197                                 }
2198                         }
2199                 }
2200                 tsec->sid = sid;
2201         }
2202 }
2203
2204 /*
2205  * called after apply_creds without the task lock held
2206  */
2207 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2208 {
2209         struct task_security_struct *tsec;
2210         struct rlimit *rlim, *initrlim;
2211         struct itimerval itimer;
2212         struct bprm_security_struct *bsec;
2213         int rc, i;
2214
2215         tsec = current->security;
2216         bsec = bprm->security;
2217
2218         if (bsec->unsafe) {
2219                 force_sig_specific(SIGKILL, current);
2220                 return;
2221         }
2222         if (tsec->osid == tsec->sid)
2223                 return;
2224
2225         /* Close files for which the new task SID is not authorized. */
2226         flush_unauthorized_files(current->files);
2227
2228         /* Check whether the new SID can inherit signal state
2229            from the old SID.  If not, clear itimers to avoid
2230            subsequent signal generation and flush and unblock
2231            signals. This must occur _after_ the task SID has
2232           been updated so that any kill done after the flush
2233           will be checked against the new SID. */
2234         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2235                           PROCESS__SIGINH, NULL);
2236         if (rc) {
2237                 memset(&itimer, 0, sizeof itimer);
2238                 for (i = 0; i < 3; i++)
2239                         do_setitimer(i, &itimer, NULL);
2240                 flush_signals(current);
2241                 spin_lock_irq(&current->sighand->siglock);
2242                 flush_signal_handlers(current, 1);
2243                 sigemptyset(&current->blocked);
2244                 recalc_sigpending();
2245                 spin_unlock_irq(&current->sighand->siglock);
2246         }
2247
2248         /* Always clear parent death signal on SID transitions. */
2249         current->pdeath_signal = 0;
2250
2251         /* Check whether the new SID can inherit resource limits
2252            from the old SID.  If not, reset all soft limits to
2253            the lower of the current task's hard limit and the init
2254            task's soft limit.  Note that the setting of hard limits
2255            (even to lower them) can be controlled by the setrlimit
2256            check. The inclusion of the init task's soft limit into
2257            the computation is to avoid resetting soft limits higher
2258            than the default soft limit for cases where the default
2259            is lower than the hard limit, e.g. RLIMIT_CORE or
2260            RLIMIT_STACK.*/
2261         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2262                           PROCESS__RLIMITINH, NULL);
2263         if (rc) {
2264                 for (i = 0; i < RLIM_NLIMITS; i++) {
2265                         rlim = current->signal->rlim + i;
2266                         initrlim = init_task.signal->rlim+i;
2267                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2268                 }
2269                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2270                         /*
2271                          * This will cause RLIMIT_CPU calculations
2272                          * to be refigured.
2273                          */
2274                         current->it_prof_expires = jiffies_to_cputime(1);
2275                 }
2276         }
2277
2278         /* Wake up the parent if it is waiting so that it can
2279            recheck wait permission to the new task SID. */
2280         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2281 }
2282
2283 /* superblock security operations */
2284
2285 static int selinux_sb_alloc_security(struct super_block *sb)
2286 {
2287         return superblock_alloc_security(sb);
2288 }
2289
2290 static void selinux_sb_free_security(struct super_block *sb)
2291 {
2292         superblock_free_security(sb);
2293 }
2294
2295 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2296 {
2297         if (plen > olen)
2298                 return 0;
2299
2300         return !memcmp(prefix, option, plen);
2301 }
2302
2303 static inline int selinux_option(char *option, int len)
2304 {
2305         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2306                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2307                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2308                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2309 }
2310
2311 static inline void take_option(char **to, char *from, int *first, int len)
2312 {
2313         if (!*first) {
2314                 **to = ',';
2315                 *to += 1;
2316         } else
2317                 *first = 0;
2318         memcpy(*to, from, len);
2319         *to += len;
2320 }
2321
2322 static inline void take_selinux_option(char **to, char *from, int *first,
2323                                        int len)
2324 {
2325         int current_size = 0;
2326
2327         if (!*first) {
2328                 **to = '|';
2329                 *to += 1;
2330         } else
2331                 *first = 0;
2332
2333         while (current_size < len) {
2334                 if (*from != '"') {
2335                         **to = *from;
2336                         *to += 1;
2337                 }
2338                 from += 1;
2339                 current_size += 1;
2340         }
2341 }
2342
2343 static int selinux_sb_copy_data(char *orig, char *copy)
2344 {
2345         int fnosec, fsec, rc = 0;
2346         char *in_save, *in_curr, *in_end;
2347         char *sec_curr, *nosec_save, *nosec;
2348         int open_quote = 0;
2349
2350         in_curr = orig;
2351         sec_curr = copy;
2352
2353         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2354         if (!nosec) {
2355                 rc = -ENOMEM;
2356                 goto out;
2357         }
2358
2359         nosec_save = nosec;
2360         fnosec = fsec = 1;
2361         in_save = in_end = orig;
2362
2363         do {
2364                 if (*in_end == '"')
2365                         open_quote = !open_quote;
2366                 if ((*in_end == ',' && open_quote == 0) ||
2367                                 *in_end == '\0') {
2368                         int len = in_end - in_curr;
2369
2370                         if (selinux_option(in_curr, len))
2371                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2372                         else
2373                                 take_option(&nosec, in_curr, &fnosec, len);
2374
2375                         in_curr = in_end + 1;
2376                 }
2377         } while (*in_end++);
2378
2379         strcpy(in_save, nosec_save);
2380         free_page((unsigned long)nosec_save);
2381 out:
2382         return rc;
2383 }
2384
2385 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2386 {
2387         struct avc_audit_data ad;
2388         int rc;
2389
2390         rc = superblock_doinit(sb, data);
2391         if (rc)
2392                 return rc;
2393
2394         AVC_AUDIT_DATA_INIT(&ad, FS);
2395         ad.u.fs.path.dentry = sb->s_root;
2396         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2397 }
2398
2399 static int selinux_sb_statfs(struct dentry *dentry)
2400 {
2401         struct avc_audit_data ad;
2402
2403         AVC_AUDIT_DATA_INIT(&ad, FS);
2404         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2405         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2406 }
2407
2408 static int selinux_mount(char *dev_name,
2409                          struct path *path,
2410                          char *type,
2411                          unsigned long flags,
2412                          void *data)
2413 {
2414         int rc;
2415
2416         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2417         if (rc)
2418                 return rc;
2419
2420         if (flags & MS_REMOUNT)
2421                 return superblock_has_perm(current, path->mnt->mnt_sb,
2422                                            FILESYSTEM__REMOUNT, NULL);
2423         else
2424                 return dentry_has_perm(current, path->mnt, path->dentry,
2425                                        FILE__MOUNTON);
2426 }
2427
2428 static int selinux_umount(struct vfsmount *mnt, int flags)
2429 {
2430         int rc;
2431
2432         rc = secondary_ops->sb_umount(mnt, flags);
2433         if (rc)
2434                 return rc;
2435
2436         return superblock_has_perm(current, mnt->mnt_sb,
2437                                    FILESYSTEM__UNMOUNT, NULL);
2438 }
2439
2440 /* inode security operations */
2441
2442 static int selinux_inode_alloc_security(struct inode *inode)
2443 {
2444         return inode_alloc_security(inode);
2445 }
2446
2447 static void selinux_inode_free_security(struct inode *inode)
2448 {
2449         inode_free_security(inode);
2450 }
2451
2452 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2453                                        char **name, void **value,
2454                                        size_t *len)
2455 {
2456         struct task_security_struct *tsec;
2457         struct inode_security_struct *dsec;
2458         struct superblock_security_struct *sbsec;
2459         u32 newsid, clen;
2460         int rc;
2461         char *namep = NULL, *context;
2462
2463         tsec = current->security;
2464         dsec = dir->i_security;
2465         sbsec = dir->i_sb->s_security;
2466
2467         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2468                 newsid = tsec->create_sid;
2469         } else {
2470                 rc = security_transition_sid(tsec->sid, dsec->sid,
2471                                              inode_mode_to_security_class(inode->i_mode),
2472                                              &newsid);
2473                 if (rc) {
2474                         printk(KERN_WARNING "%s:  "
2475                                "security_transition_sid failed, rc=%d (dev=%s "
2476                                "ino=%ld)\n",
2477                                __func__,
2478                                -rc, inode->i_sb->s_id, inode->i_ino);
2479                         return rc;
2480                 }
2481         }
2482
2483         /* Possibly defer initialization to selinux_complete_init. */
2484         if (sbsec->initialized) {
2485                 struct inode_security_struct *isec = inode->i_security;
2486                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2487                 isec->sid = newsid;
2488                 isec->initialized = 1;
2489         }
2490
2491         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2492                 return -EOPNOTSUPP;
2493
2494         if (name) {
2495                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2496                 if (!namep)
2497                         return -ENOMEM;
2498                 *name = namep;
2499         }
2500
2501         if (value && len) {
2502                 rc = security_sid_to_context_force(newsid, &context, &clen);
2503                 if (rc) {
2504                         kfree(namep);
2505                         return rc;
2506                 }
2507                 *value = context;
2508                 *len = clen;
2509         }
2510
2511         return 0;
2512 }
2513
2514 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2515 {
2516         return may_create(dir, dentry, SECCLASS_FILE);
2517 }
2518
2519 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2520 {
2521         int rc;
2522
2523         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2524         if (rc)
2525                 return rc;
2526         return may_link(dir, old_dentry, MAY_LINK);
2527 }
2528
2529 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2530 {
2531         int rc;
2532
2533         rc = secondary_ops->inode_unlink(dir, dentry);
2534         if (rc)
2535                 return rc;
2536         return may_link(dir, dentry, MAY_UNLINK);
2537 }
2538
2539 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2540 {
2541         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2542 }
2543
2544 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2545 {
2546         return may_create(dir, dentry, SECCLASS_DIR);
2547 }
2548
2549 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2550 {
2551         return may_link(dir, dentry, MAY_RMDIR);
2552 }
2553
2554 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2555 {
2556         int rc;
2557
2558         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2559         if (rc)
2560                 return rc;
2561
2562         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2563 }
2564
2565 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2566                                 struct inode *new_inode, struct dentry *new_dentry)
2567 {
2568         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2569 }
2570
2571 static int selinux_inode_readlink(struct dentry *dentry)
2572 {
2573         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2574 }
2575
2576 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2577 {
2578         int rc;
2579
2580         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2581         if (rc)
2582                 return rc;
2583         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2584 }
2585
2586 static int selinux_inode_permission(struct inode *inode, int mask,
2587                                     struct nameidata *nd)
2588 {
2589         int rc;
2590
2591         rc = secondary_ops->inode_permission(inode, mask, nd);
2592         if (rc)
2593                 return rc;
2594
2595         if (!mask) {
2596                 /* No permission to check.  Existence test. */
2597                 return 0;
2598         }
2599
2600         return inode_has_perm(current, inode,
2601                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2602 }
2603
2604 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2605 {
2606         int rc;
2607
2608         rc = secondary_ops->inode_setattr(dentry, iattr);
2609         if (rc)
2610                 return rc;
2611
2612         if (iattr->ia_valid & ATTR_FORCE)
2613                 return 0;
2614
2615         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2616                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2617                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2618
2619         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2620 }
2621
2622 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2623 {
2624         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2625 }
2626
2627 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2628 {
2629         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2630                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2631                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2632                         if (!capable(CAP_SETFCAP))
2633                                 return -EPERM;
2634                 } else if (!capable(CAP_SYS_ADMIN)) {
2635                         /* A different attribute in the security namespace.
2636                            Restrict to administrator. */
2637                         return -EPERM;
2638                 }
2639         }
2640
2641         /* Not an attribute we recognize, so just check the
2642            ordinary setattr permission. */
2643         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2644 }
2645
2646 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2647                                   const void *value, size_t size, int flags)
2648 {
2649         struct task_security_struct *tsec = current->security;
2650         struct inode *inode = dentry->d_inode;
2651         struct inode_security_struct *isec = inode->i_security;
2652         struct superblock_security_struct *sbsec;
2653         struct avc_audit_data ad;
2654         u32 newsid;
2655         int rc = 0;
2656
2657         if (strcmp(name, XATTR_NAME_SELINUX))
2658                 return selinux_inode_setotherxattr(dentry, name);
2659
2660         sbsec = inode->i_sb->s_security;
2661         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2662                 return -EOPNOTSUPP;
2663
2664         if (!is_owner_or_cap(inode))
2665                 return -EPERM;
2666
2667         AVC_AUDIT_DATA_INIT(&ad, FS);
2668         ad.u.fs.path.dentry = dentry;
2669
2670         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2671                           FILE__RELABELFROM, &ad);
2672         if (rc)
2673                 return rc;
2674
2675         rc = security_context_to_sid(value, size, &newsid);
2676         if (rc == -EINVAL) {
2677                 if (!capable(CAP_MAC_ADMIN))
2678                         return rc;
2679                 rc = security_context_to_sid_force(value, size, &newsid);
2680         }
2681         if (rc)
2682                 return rc;
2683
2684         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2685                           FILE__RELABELTO, &ad);
2686         if (rc)
2687                 return rc;
2688
2689         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2690                                           isec->sclass);
2691         if (rc)
2692                 return rc;
2693
2694         return avc_has_perm(newsid,
2695                             sbsec->sid,
2696                             SECCLASS_FILESYSTEM,
2697                             FILESYSTEM__ASSOCIATE,
2698                             &ad);
2699 }
2700
2701 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2702                                         const void *value, size_t size,
2703                                         int flags)
2704 {
2705         struct inode *inode = dentry->d_inode;
2706         struct inode_security_struct *isec = inode->i_security;
2707         u32 newsid;
2708         int rc;
2709
2710         if (strcmp(name, XATTR_NAME_SELINUX)) {
2711                 /* Not an attribute we recognize, so nothing to do. */
2712                 return;
2713         }
2714
2715         rc = security_context_to_sid_force(value, size, &newsid);
2716         if (rc) {
2717                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2718                        "for (%s, %lu), rc=%d\n",
2719                        inode->i_sb->s_id, inode->i_ino, -rc);
2720                 return;
2721         }
2722
2723         isec->sid = newsid;
2724         return;
2725 }
2726
2727 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2728 {
2729         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2730 }
2731
2732 static int selinux_inode_listxattr(struct dentry *dentry)
2733 {
2734         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2735 }
2736
2737 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2738 {
2739         if (strcmp(name, XATTR_NAME_SELINUX))
2740                 return selinux_inode_setotherxattr(dentry, name);
2741
2742         /* No one is allowed to remove a SELinux security label.
2743            You can change the label, but all data must be labeled. */
2744         return -EACCES;
2745 }
2746
2747 /*
2748  * Copy the in-core inode security context value to the user.  If the
2749  * getxattr() prior to this succeeded, check to see if we need to
2750  * canonicalize the value to be finally returned to the user.
2751  *
2752  * Permission check is handled by selinux_inode_getxattr hook.
2753  */
2754 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2755 {
2756         u32 size;
2757         int error;
2758         char *context = NULL;
2759         struct inode_security_struct *isec = inode->i_security;
2760
2761         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2762                 return -EOPNOTSUPP;
2763
2764         error = security_sid_to_context(isec->sid, &context, &size);
2765         if (error)
2766                 return error;
2767         error = size;
2768         if (alloc) {
2769                 *buffer = context;
2770                 goto out_nofree;
2771         }
2772         kfree(context);
2773 out_nofree:
2774         return error;
2775 }
2776
2777 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2778                                      const void *value, size_t size, int flags)
2779 {
2780         struct inode_security_struct *isec = inode->i_security;
2781         u32 newsid;
2782         int rc;
2783
2784         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2785                 return -EOPNOTSUPP;
2786
2787         if (!value || !size)
2788                 return -EACCES;
2789
2790         rc = security_context_to_sid((void *)value, size, &newsid);
2791         if (rc)
2792                 return rc;
2793
2794         isec->sid = newsid;
2795         return 0;
2796 }
2797
2798 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2799 {
2800         const int len = sizeof(XATTR_NAME_SELINUX);
2801         if (buffer && len <= buffer_size)
2802                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2803         return len;
2804 }
2805
2806 static int selinux_inode_need_killpriv(struct dentry *dentry)
2807 {
2808         return secondary_ops->inode_need_killpriv(dentry);
2809 }
2810
2811 static int selinux_inode_killpriv(struct dentry *dentry)
2812 {
2813         return secondary_ops->inode_killpriv(dentry);
2814 }
2815
2816 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2817 {
2818         struct inode_security_struct *isec = inode->i_security;
2819         *secid = isec->sid;
2820 }
2821
2822 /* file security operations */
2823
2824 static int selinux_revalidate_file_permission(struct file *file, int mask)
2825 {
2826         int rc;
2827         struct inode *inode = file->f_path.dentry->d_inode;
2828
2829         if (!mask) {
2830                 /* No permission to check.  Existence test. */
2831                 return 0;
2832         }
2833
2834         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2835         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2836                 mask |= MAY_APPEND;
2837
2838         rc = file_has_perm(current, file,
2839                            file_mask_to_av(inode->i_mode, mask));
2840         if (rc)
2841                 return rc;
2842
2843         return selinux_netlbl_inode_permission(inode, mask);
2844 }
2845
2846 static int selinux_file_permission(struct file *file, int mask)
2847 {
2848         struct inode *inode = file->f_path.dentry->d_inode;
2849         struct task_security_struct *tsec = current->security;
2850         struct file_security_struct *fsec = file->f_security;
2851         struct inode_security_struct *isec = inode->i_security;
2852
2853         if (!mask) {
2854                 /* No permission to check.  Existence test. */
2855                 return 0;
2856         }
2857
2858         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2859             && fsec->pseqno == avc_policy_seqno())
2860                 return selinux_netlbl_inode_permission(inode, mask);
2861
2862         return selinux_revalidate_file_permission(file, mask);
2863 }
2864
2865 static int selinux_file_alloc_security(struct file *file)
2866 {
2867         return file_alloc_security(file);
2868 }
2869
2870 static void selinux_file_free_security(struct file *file)
2871 {
2872         file_free_security(file);
2873 }
2874
2875 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2876                               unsigned long arg)
2877 {
2878         int error = 0;
2879
2880         switch (cmd) {
2881         case FIONREAD:
2882         /* fall through */
2883         case FIBMAP:
2884         /* fall through */
2885         case FIGETBSZ:
2886         /* fall through */
2887         case EXT2_IOC_GETFLAGS:
2888         /* fall through */
2889         case EXT2_IOC_GETVERSION:
2890                 error = file_has_perm(current, file, FILE__GETATTR);
2891                 break;
2892
2893         case EXT2_IOC_SETFLAGS:
2894         /* fall through */
2895         case EXT2_IOC_SETVERSION:
2896                 error = file_has_perm(current, file, FILE__SETATTR);
2897                 break;
2898
2899         /* sys_ioctl() checks */
2900         case FIONBIO:
2901         /* fall through */
2902         case FIOASYNC:
2903                 error = file_has_perm(current, file, 0);
2904                 break;
2905
2906         case KDSKBENT:
2907         case KDSKBSENT:
2908                 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2909                 break;
2910
2911         /* default case assumes that the command will go
2912          * to the file's ioctl() function.
2913          */
2914         default:
2915                 error = file_has_perm(current, file, FILE__IOCTL);
2916         }
2917         return error;
2918 }
2919
2920 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2921 {
2922 #ifndef CONFIG_PPC32
2923         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2924                 /*
2925                  * We are making executable an anonymous mapping or a
2926                  * private file mapping that will also be writable.
2927                  * This has an additional check.
2928                  */
2929                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2930                 if (rc)
2931                         return rc;
2932         }
2933 #endif
2934
2935         if (file) {
2936                 /* read access is always possible with a mapping */
2937                 u32 av = FILE__READ;
2938
2939                 /* write access only matters if the mapping is shared */
2940                 if (shared && (prot & PROT_WRITE))
2941                         av |= FILE__WRITE;
2942
2943                 if (prot & PROT_EXEC)
2944                         av |= FILE__EXECUTE;
2945
2946                 return file_has_perm(current, file, av);
2947         }
2948         return 0;
2949 }
2950
2951 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2952                              unsigned long prot, unsigned long flags,
2953                              unsigned long addr, unsigned long addr_only)
2954 {
2955         int rc = 0;
2956         u32 sid = ((struct task_security_struct *)(current->security))->sid;
2957
2958         if (addr < mmap_min_addr)
2959                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2960                                   MEMPROTECT__MMAP_ZERO, NULL);
2961         if (rc || addr_only)
2962                 return rc;
2963
2964         if (selinux_checkreqprot)
2965                 prot = reqprot;
2966
2967         return file_map_prot_check(file, prot,
2968                                    (flags & MAP_TYPE) == MAP_SHARED);
2969 }
2970
2971 static int selinux_file_mprotect(struct vm_area_struct *vma,
2972                                  unsigned long reqprot,
2973                                  unsigned long prot)
2974 {
2975         int rc;
2976
2977         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2978         if (rc)
2979                 return rc;
2980
2981         if (selinux_checkreqprot)
2982                 prot = reqprot;
2983
2984 #ifndef CONFIG_PPC32
2985         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2986                 rc = 0;
2987                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2988                     vma->vm_end <= vma->vm_mm->brk) {
2989                         rc = task_has_perm(current, current,
2990                                            PROCESS__EXECHEAP);
2991                 } else if (!vma->vm_file &&
2992                            vma->vm_start <= vma->vm_mm->start_stack &&
2993                            vma->vm_end >= vma->vm_mm->start_stack) {
2994                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2995                 } else if (vma->vm_file && vma->anon_vma) {
2996                         /*
2997                          * We are making executable a file mapping that has
2998                          * had some COW done. Since pages might have been
2999                          * written, check ability to execute the possibly
3000                          * modified content.  This typically should only
3001                          * occur for text relocations.
3002                          */
3003                         rc = file_has_perm(current, vma->vm_file,
3004                                            FILE__EXECMOD);
3005                 }
3006                 if (rc)
3007                         return rc;
3008         }
3009 #endif
3010
3011         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3012 }
3013
3014 static int selinux_file_lock(struct file *file, unsigned int cmd)
3015 {
3016         return file_has_perm(current, file, FILE__LOCK);
3017 }
3018
3019 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3020                               unsigned long arg)
3021 {
3022         int err = 0;
3023
3024         switch (cmd) {
3025         case F_SETFL:
3026                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3027                         err = -EINVAL;
3028                         break;
3029                 }
3030
3031                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3032                         err = file_has_perm(current, file, FILE__WRITE);
3033                         break;
3034                 }
3035                 /* fall through */
3036         case F_SETOWN:
3037         case F_SETSIG:
3038         case F_GETFL:
3039         case F_GETOWN:
3040         case F_GETSIG:
3041                 /* Just check FD__USE permission */
3042                 err = file_has_perm(current, file, 0);
3043                 break;
3044         case F_GETLK:
3045         case F_SETLK:
3046         case F_SETLKW:
3047 #if BITS_PER_LONG == 32
3048         case F_GETLK64:
3049         case F_SETLK64:
3050         case F_SETLKW64:
3051 #endif
3052                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3053                         err = -EINVAL;
3054                         break;
3055                 }
3056                 err = file_has_perm(current, file, FILE__LOCK);
3057                 break;
3058         }
3059
3060         return err;
3061 }
3062
3063 static int selinux_file_set_fowner(struct file *file)
3064 {
3065         struct task_security_struct *tsec;
3066         struct file_security_struct *fsec;
3067
3068         tsec = current->security;
3069         fsec = file->f_security;
3070         fsec->fown_sid = tsec->sid;
3071
3072         return 0;
3073 }
3074
3075 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3076                                        struct fown_struct *fown, int signum)
3077 {
3078         struct file *file;
3079         u32 perm;
3080         struct task_security_struct *tsec;
3081         struct file_security_struct *fsec;
3082
3083         /* struct fown_struct is never outside the context of a struct file */
3084         file = container_of(fown, struct file, f_owner);
3085
3086         tsec = tsk->security;
3087         fsec = file->f_security;
3088
3089         if (!signum)
3090                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3091         else
3092                 perm = signal_to_av(signum);
3093
3094         return avc_has_perm(fsec->fown_sid, tsec->sid,
3095                             SECCLASS_PROCESS, perm, NULL);
3096 }
3097
3098 static int selinux_file_receive(struct file *file)
3099 {
3100         return file_has_perm(current, file, file_to_av(file));
3101 }
3102
3103 static int selinux_dentry_open(struct file *file)
3104 {
3105         struct file_security_struct *fsec;
3106         struct inode *inode;
3107         struct inode_security_struct *isec;
3108         inode = file->f_path.dentry->d_inode;
3109         fsec = file->f_security;
3110         isec = inode->i_security;
3111         /*
3112          * Save inode label and policy sequence number
3113          * at open-time so that selinux_file_permission
3114          * can determine whether revalidation is necessary.
3115          * Task label is already saved in the file security
3116          * struct as its SID.
3117          */
3118         fsec->isid = isec->sid;
3119         fsec->pseqno = avc_policy_seqno();
3120         /*
3121          * Since the inode label or policy seqno may have changed
3122          * between the selinux_inode_permission check and the saving
3123          * of state above, recheck that access is still permitted.
3124          * Otherwise, access might never be revalidated against the
3125          * new inode label or new policy.
3126          * This check is not redundant - do not remove.
3127          */
3128         return inode_has_perm(current, inode, file_to_av(file), NULL);
3129 }
3130
3131 /* task security operations */
3132
3133 static int selinux_task_create(unsigned long clone_flags)
3134 {
3135         int rc;
3136
3137         rc = secondary_ops->task_create(clone_flags);
3138         if (rc)
3139                 return rc;
3140
3141         return task_has_perm(current, current, PROCESS__FORK);
3142 }
3143
3144 static int selinux_task_alloc_security(struct task_struct *tsk)
3145 {
3146         struct task_security_struct *tsec1, *tsec2;
3147         int rc;
3148
3149         tsec1 = current->security;
3150
3151         rc = task_alloc_security(tsk);
3152         if (rc)
3153                 return rc;
3154         tsec2 = tsk->security;
3155
3156         tsec2->osid = tsec1->osid;
3157         tsec2->sid = tsec1->sid;
3158
3159         /* Retain the exec, fs, key, and sock SIDs across fork */
3160         tsec2->exec_sid = tsec1->exec_sid;
3161         tsec2->create_sid = tsec1->create_sid;
3162         tsec2->keycreate_sid = tsec1->keycreate_sid;
3163         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3164
3165         return 0;
3166 }
3167
3168 static void selinux_task_free_security(struct task_struct *tsk)
3169 {
3170         task_free_security(tsk);
3171 }
3172
3173 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3174 {
3175         /* Since setuid only affects the current process, and
3176            since the SELinux controls are not based on the Linux
3177            identity attributes, SELinux does not need to control
3178            this operation.  However, SELinux does control the use
3179            of the CAP_SETUID and CAP_SETGID capabilities using the
3180            capable hook. */
3181         return 0;
3182 }
3183
3184 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3185 {
3186         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3187 }
3188
3189 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3190 {
3191         /* See the comment for setuid above. */
3192         return 0;
3193 }
3194
3195 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3196 {
3197         return task_has_perm(current, p, PROCESS__SETPGID);
3198 }
3199
3200 static int selinux_task_getpgid(struct task_struct *p)
3201 {
3202         return task_has_perm(current, p, PROCESS__GETPGID);
3203 }
3204
3205 static int selinux_task_getsid(struct task_struct *p)
3206 {
3207         return task_has_perm(current, p, PROCESS__GETSESSION);
3208 }
3209
3210 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3211 {
3212         struct task_security_struct *tsec = p->security;
3213         *secid = tsec->sid;
3214 }
3215
3216 static int selinux_task_setgroups(struct group_info *group_info)
3217 {
3218         /* See the comment for setuid above. */
3219         return 0;
3220 }
3221
3222 static int selinux_task_setnice(struct task_struct *p, int nice)
3223 {
3224         int rc;
3225
3226         rc = secondary_ops->task_setnice(p, nice);
3227         if (rc)
3228                 return rc;
3229
3230         return task_has_perm(current, p, PROCESS__SETSCHED);
3231 }
3232
3233 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3234 {
3235         int rc;
3236
3237         rc = secondary_ops->task_setioprio(p, ioprio);
3238         if (rc)
3239                 return rc;
3240
3241         return task_has_perm(current, p, PROCESS__SETSCHED);
3242 }
3243
3244 static int selinux_task_getioprio(struct task_struct *p)
3245 {
3246         return task_has_perm(current, p, PROCESS__GETSCHED);
3247 }
3248
3249 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3250 {
3251         struct rlimit *old_rlim = current->signal->rlim + resource;
3252         int rc;
3253
3254         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3255         if (rc)
3256                 return rc;
3257
3258         /* Control the ability to change the hard limit (whether
3259            lowering or raising it), so that the hard limit can
3260            later be used as a safe reset point for the soft limit
3261            upon context transitions. See selinux_bprm_apply_creds. */
3262         if (old_rlim->rlim_max != new_rlim->rlim_max)
3263                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3264
3265         return 0;
3266 }
3267
3268 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3269 {
3270         int rc;
3271
3272         rc = secondary_ops->task_setscheduler(p, policy, lp);
3273         if (rc)
3274                 return rc;
3275
3276         return task_has_perm(current, p, PROCESS__SETSCHED);
3277 }
3278
3279 static int selinux_task_getscheduler(struct task_struct *p)
3280 {
3281         return task_has_perm(current, p, PROCESS__GETSCHED);
3282 }
3283
3284 static int selinux_task_movememory(struct task_struct *p)
3285 {
3286         return task_has_perm(current, p, PROCESS__SETSCHED);
3287 }
3288
3289 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3290                                 int sig, u32 secid)
3291 {
3292         u32 perm;
3293         int rc;
3294         struct task_security_struct *tsec;
3295
3296         rc = secondary_ops->task_kill(p, info, sig, secid);
3297         if (rc)
3298                 return rc;
3299
3300         if (!sig)
3301                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3302         else
3303                 perm = signal_to_av(sig);
3304         tsec = p->security;
3305         if (secid)
3306                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3307         else
3308                 rc = task_has_perm(current, p, perm);
3309         return rc;
3310 }
3311
3312 static int selinux_task_prctl(int option,
3313                               unsigned long arg2,
3314                               unsigned long arg3,
3315                               unsigned long arg4,
3316                               unsigned long arg5,
3317                               long *rc_p)
3318 {
3319         /* The current prctl operations do not appear to require
3320            any SELinux controls since they merely observe or modify
3321            the state of the current process. */
3322         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3323 }
3324
3325 static int selinux_task_wait(struct task_struct *p)
3326 {
3327         return task_has_perm(p, current, PROCESS__SIGCHLD);
3328 }
3329
3330 static void selinux_task_reparent_to_init(struct task_struct *p)
3331 {
3332         struct task_security_struct *tsec;
3333
3334         secondary_ops->task_reparent_to_init(p);
3335
3336         tsec = p->security;
3337         tsec->osid = tsec->sid;
3338         tsec->sid = SECINITSID_KERNEL;
3339         return;
3340 }
3341
3342 static void selinux_task_to_inode(struct task_struct *p,
3343                                   struct inode *inode)
3344 {
3345         struct task_security_struct *tsec = p->security;
3346         struct inode_security_struct *isec = inode->i_security;
3347
3348         isec->sid = tsec->sid;
3349         isec->initialized = 1;
3350         return;
3351 }
3352
3353 /* Returns error only if unable to parse addresses */
3354 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3355                         struct avc_audit_data *ad, u8 *proto)
3356 {
3357         int offset, ihlen, ret = -EINVAL;
3358         struct iphdr _iph, *ih;
3359
3360         offset = skb_network_offset(skb);
3361         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3362         if (ih == NULL)
3363                 goto out;
3364
3365         ihlen = ih->ihl * 4;
3366         if (ihlen < sizeof(_iph))
3367                 goto out;
3368
3369         ad->u.net.v4info.saddr = ih->saddr;
3370         ad->u.net.v4info.daddr = ih->daddr;
3371         ret = 0;
3372
3373         if (proto)
3374                 *proto = ih->protocol;
3375
3376         switch (ih->protocol) {
3377         case IPPROTO_TCP: {
3378                 struct tcphdr _tcph, *th;
3379
3380                 if (ntohs(ih->frag_off) & IP_OFFSET)
3381                         break;
3382
3383                 offset += ihlen;
3384                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3385                 if (th == NULL)
3386                         break;
3387
3388                 ad->u.net.sport = th->source;
3389                 ad->u.net.dport = th->dest;
3390                 break;
3391         }
3392
3393         case IPPROTO_UDP: {
3394                 struct udphdr _udph, *uh;
3395
3396                 if (ntohs(ih->frag_off) & IP_OFFSET)
3397                         break;
3398
3399                 offset += ihlen;
3400                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3401                 if (uh == NULL)
3402                         break;
3403
3404                 ad->u.net.sport = uh->source;
3405                 ad->u.net.dport = uh->dest;
3406                 break;
3407         }
3408
3409         case IPPROTO_DCCP: {
3410                 struct dccp_hdr _dccph, *dh;
3411
3412                 if (ntohs(ih->frag_off) & IP_OFFSET)
3413                         break;
3414
3415                 offset += ihlen;
3416                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3417                 if (dh == NULL)
3418                         break;
3419
3420                 ad->u.net.sport = dh->dccph_sport;
3421                 ad->u.net.dport = dh->dccph_dport;
3422                 break;
3423         }
3424
3425         default:
3426                 break;
3427         }
3428 out:
3429         return ret;
3430 }
3431
3432 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3433
3434 /* Returns error only if unable to parse addresses */
3435 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3436                         struct avc_audit_data *ad, u8 *proto)
3437 {
3438         u8 nexthdr;
3439         int ret = -EINVAL, offset;
3440         struct ipv6hdr _ipv6h, *ip6;
3441
3442         offset = skb_network_offset(skb);
3443         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3444         if (ip6 == NULL)
3445                 goto out;
3446
3447         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3448         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3449         ret = 0;
3450
3451         nexthdr = ip6->nexthdr;
3452         offset += sizeof(_ipv6h);
3453         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3454         if (offset < 0)
3455                 goto out;
3456
3457         if (proto)
3458                 *proto = nexthdr;
3459
3460         switch (nexthdr) {
3461         case IPPROTO_TCP: {
3462                 struct tcphdr _tcph, *th;
3463
3464                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3465                 if (th == NULL)
3466                         break;
3467
3468                 ad->u.net.sport = th->source;
3469                 ad->u.net.dport = th->dest;
3470                 break;
3471         }
3472
3473         case IPPROTO_UDP: {
3474                 struct udphdr _udph, *uh;
3475
3476                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3477                 if (uh == NULL)
3478                         break;
3479
3480                 ad->u.net.sport = uh->source;
3481                 ad->u.net.dport = uh->dest;
3482                 break;
3483         }
3484
3485         case IPPROTO_DCCP: {
3486                 struct dccp_hdr _dccph, *dh;
3487
3488                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3489                 if (dh == NULL)
3490                         break;
3491
3492                 ad->u.net.sport = dh->dccph_sport;
3493                 ad->u.net.dport = dh->dccph_dport;
3494                 break;
3495         }
3496
3497         /* includes fragments */
3498         default:
3499                 break;
3500         }
3501 out:
3502         return ret;
3503 }
3504
3505 #endif /* IPV6 */
3506
3507 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3508                              char **addrp, int src, u8 *proto)
3509 {
3510         int ret = 0;
3511
3512         switch (ad->u.net.family) {
3513         case PF_INET:
3514                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3515                 if (ret || !addrp)
3516                         break;
3517                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3518                                         &ad->u.net.v4info.daddr);
3519                 break;
3520
3521 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3522         case PF_INET6:
3523                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3524                 if (ret || !addrp)
3525                         break;
3526                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3527                                         &ad->u.net.v6info.daddr);
3528                 break;
3529 #endif  /* IPV6 */
3530         default:
3531                 break;
3532         }
3533
3534         if (unlikely(ret))
3535                 printk(KERN_WARNING
3536                        "SELinux: failure in selinux_parse_skb(),"
3537                        " unable to parse packet\n");
3538
3539         return ret;
3540 }
3541
3542 /**
3543  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3544  * @skb: the packet
3545  * @family: protocol family
3546  * @sid: the packet's peer label SID
3547  *
3548  * Description:
3549  * Check the various different forms of network peer labeling and determine
3550  * the peer label/SID for the packet; most of the magic actually occurs in
3551  * the security server function security_net_peersid_cmp().  The function
3552  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3553  * or -EACCES if @sid is invalid due to inconsistencies with the different
3554  * peer labels.
3555  *
3556  */
3557 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3558 {
3559         int err;
3560         u32 xfrm_sid;
3561         u32 nlbl_sid;
3562         u32 nlbl_type;
3563
3564         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3565         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3566
3567         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3568         if (unlikely(err)) {
3569                 printk(KERN_WARNING
3570                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3571                        " unable to determine packet's peer label\n");
3572                 return -EACCES;
3573         }
3574
3575         return 0;
3576 }
3577
3578 /* socket security operations */
3579 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3580                            u32 perms)
3581 {
3582         struct inode_security_struct *isec;
3583         struct task_security_struct *tsec;
3584         struct avc_audit_data ad;
3585         int err = 0;
3586
3587         tsec = task->security;
3588         isec = SOCK_INODE(sock)->i_security;
3589
3590         if (isec->sid == SECINITSID_KERNEL)
3591                 goto out;
3592
3593         AVC_AUDIT_DATA_INIT(&ad, NET);
3594         ad.u.net.sk = sock->sk;
3595         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3596
3597 out:
3598         return err;
3599 }
3600
3601 static int selinux_socket_create(int family, int type,
3602                                  int protocol, int kern)
3603 {
3604         int err = 0;
3605         struct task_security_struct *tsec;
3606         u32 newsid;
3607
3608         if (kern)
3609                 goto out;
3610
3611         tsec = current->security;
3612         newsid = tsec->sockcreate_sid ? : tsec->sid;
3613         err = avc_has_perm(tsec->sid, newsid,
3614                            socket_type_to_security_class(family, type,
3615                            protocol), SOCKET__CREATE, NULL);
3616
3617 out:
3618         return err;
3619 }
3620
3621 static int selinux_socket_post_create(struct socket *sock, int family,
3622                                       int type, int protocol, int kern)
3623 {
3624         int err = 0;
3625         struct inode_security_struct *isec;
3626         struct task_security_struct *tsec;
3627         struct sk_security_struct *sksec;
3628         u32 newsid;
3629
3630         isec = SOCK_INODE(sock)->i_security;
3631
3632         tsec = current->security;
3633         newsid = tsec->sockcreate_sid ? : tsec->sid;
3634         isec->sclass = socket_type_to_security_class(family, type, protocol);
3635         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3636         isec->initialized = 1;
3637
3638         if (sock->sk) {
3639                 sksec = sock->sk->sk_security;
3640                 sksec->sid = isec->sid;
3641                 sksec->sclass = isec->sclass;
3642                 err = selinux_netlbl_socket_post_create(sock);
3643         }
3644
3645         return err;
3646 }
3647
3648 /* Range of port numbers used to automatically bind.
3649    Need to determine whether we should perform a name_bind
3650    permission check between the socket and the port number. */
3651
3652 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3653 {
3654         u16 family;
3655         int err;
3656
3657         err = socket_has_perm(current, sock, SOCKET__BIND);
3658         if (err)
3659                 goto out;
3660
3661         /*
3662          * If PF_INET or PF_INET6, check name_bind permission for the port.
3663          * Multiple address binding for SCTP is not supported yet: we just
3664          * check the first address now.
3665          */
3666         family = sock->sk->sk_family;
3667         if (family == PF_INET || family == PF_INET6) {
3668                 char *addrp;
3669                 struct inode_security_struct *isec;
3670                 struct task_security_struct *tsec;
3671                 struct avc_audit_data ad;
3672                 struct sockaddr_in *addr4 = NULL;
3673                 struct sockaddr_in6 *addr6 = NULL;
3674                 unsigned short snum;
3675                 struct sock *sk = sock->sk;
3676                 u32 sid, node_perm, addrlen;
3677
3678                 tsec = current->security;
3679                 isec = SOCK_INODE(sock)->i_security;
3680
3681                 if (family == PF_INET) {
3682                         addr4 = (struct sockaddr_in *)address;
3683                         snum = ntohs(addr4->sin_port);
3684                         addrlen = sizeof(addr4->sin_addr.s_addr);
3685                         addrp = (char *)&addr4->sin_addr.s_addr;
3686                 } else {
3687                         addr6 = (struct sockaddr_in6 *)address;
3688                         snum = ntohs(addr6->sin6_port);
3689                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3690                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3691                 }
3692
3693                 if (snum) {
3694                         int low, high;
3695
3696                         inet_get_local_port_range(&low, &high);
3697
3698                         if (snum < max(PROT_SOCK, low) || snum > high) {
3699                                 err = sel_netport_sid(sk->sk_protocol,
3700                                                       snum, &sid);
3701                                 if (err)
3702                                         goto out;
3703                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3704                                 ad.u.net.sport = htons(snum);
3705                                 ad.u.net.family = family;
3706                                 err = avc_has_perm(isec->sid, sid,
3707                                                    isec->sclass,
3708                                                    SOCKET__NAME_BIND, &ad);
3709                                 if (err)
3710                                         goto out;
3711                         }
3712                 }
3713
3714                 switch (isec->sclass) {
3715                 case SECCLASS_TCP_SOCKET:
3716                         node_perm = TCP_SOCKET__NODE_BIND;
3717                         break;
3718
3719                 case SECCLASS_UDP_SOCKET:
3720                         node_perm = UDP_SOCKET__NODE_BIND;
3721                         break;
3722
3723                 case SECCLASS_DCCP_SOCKET:
3724                         node_perm = DCCP_SOCKET__NODE_BIND;
3725                         break;
3726
3727                 default:
3728                         node_perm = RAWIP_SOCKET__NODE_BIND;
3729                         break;
3730                 }
3731
3732                 err = sel_netnode_sid(addrp, family, &sid);
3733                 if (err)
3734                         goto out;
3735
3736                 AVC_AUDIT_DATA_INIT(&ad, NET);
3737                 ad.u.net.sport = htons(snum);
3738                 ad.u.net.family = family;
3739
3740                 if (family == PF_INET)
3741                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3742                 else
3743                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3744
3745                 err = avc_has_perm(isec->sid, sid,
3746                                    isec->sclass, node_perm, &ad);
3747                 if (err)
3748                         goto out;
3749         }
3750 out:
3751         return err;
3752 }
3753
3754 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3755 {
3756         struct inode_security_struct *isec;
3757         int err;
3758
3759         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3760         if (err)
3761                 return err;
3762
3763         /*
3764          * If a TCP or DCCP socket, check name_connect permission for the port.
3765          */
3766         isec = SOCK_INODE(sock)->i_security;
3767         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3768             isec->sclass == SECCLASS_DCCP_SOCKET) {
3769                 struct sock *sk = sock->sk;
3770                 struct avc_audit_data ad;
3771                 struct sockaddr_in *addr4 = NULL;
3772                 struct sockaddr_in6 *addr6 = NULL;
3773                 unsigned short snum;
3774                 u32 sid, perm;
3775
3776                 if (sk->sk_family == PF_INET) {
3777                         addr4 = (struct sockaddr_in *)address;
3778                         if (addrlen < sizeof(struct sockaddr_in))
3779                                 return -EINVAL;
3780                         snum = ntohs(addr4->sin_port);
3781                 } else {
3782                         addr6 = (struct sockaddr_in6 *)address;
3783                         if (addrlen < SIN6_LEN_RFC2133)
3784                                 return -EINVAL;
3785                         snum = ntohs(addr6->sin6_port);
3786                 }
3787
3788                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3789                 if (err)
3790                         goto out;
3791
3792                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3793                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3794
3795                 AVC_AUDIT_DATA_INIT(&ad, NET);
3796                 ad.u.net.dport = htons(snum);
3797                 ad.u.net.family = sk->sk_family;
3798                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3799                 if (err)
3800                         goto out;
3801         }
3802
3803 out:
3804         return err;
3805 }
3806
3807 static int selinux_socket_listen(struct socket *sock, int backlog)
3808 {
3809         return socket_has_perm(current, sock, SOCKET__LISTEN);
3810 }
3811
3812 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3813 {
3814         int err;
3815         struct inode_security_struct *isec;
3816         struct inode_security_struct *newisec;
3817
3818         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3819         if (err)
3820                 return err;
3821
3822         newisec = SOCK_INODE(newsock)->i_security;
3823
3824         isec = SOCK_INODE(sock)->i_security;
3825         newisec->sclass = isec->sclass;
3826         newisec->sid = isec->sid;
3827         newisec->initialized = 1;
3828
3829         return 0;
3830 }
3831
3832 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3833                                   int size)
3834 {
3835         int rc;
3836
3837         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3838         if (rc)
3839                 return rc;
3840
3841         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3842 }
3843
3844 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3845                                   int size, int flags)
3846 {
3847         return socket_has_perm(current, sock, SOCKET__READ);
3848 }
3849
3850 static int selinux_socket_getsockname(struct socket *sock)
3851 {
3852         return socket_has_perm(current, sock, SOCKET__GETATTR);
3853 }
3854
3855 static int selinux_socket_getpeername(struct socket *sock)
3856 {
3857         return socket_has_perm(current, sock, SOCKET__GETATTR);
3858 }
3859
3860 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3861 {
3862         int err;
3863
3864         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3865         if (err)
3866                 return err;
3867
3868         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3869 }
3870
3871 static int selinux_socket_getsockopt(struct socket *sock, int level,
3872                                      int optname)
3873 {
3874         return socket_has_perm(current, sock, SOCKET__GETOPT);
3875 }
3876
3877 static int selinux_socket_shutdown(struct socket *sock, int how)
3878 {
3879         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3880 }
3881
3882 static int selinux_socket_unix_stream_connect(struct socket *sock,
3883                                               struct socket *other,
3884                                               struct sock *newsk)
3885 {
3886         struct sk_security_struct *ssec;
3887         struct inode_security_struct *isec;
3888         struct inode_security_struct *other_isec;
3889         struct avc_audit_data ad;
3890         int err;
3891
3892         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3893         if (err)
3894                 return err;
3895
3896         isec = SOCK_INODE(sock)->i_security;
3897         other_isec = SOCK_INODE(other)->i_security;
3898
3899         AVC_AUDIT_DATA_INIT(&ad, NET);
3900         ad.u.net.sk = other->sk;
3901
3902         err = avc_has_perm(isec->sid, other_isec->sid,
3903                            isec->sclass,
3904                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3905         if (err)
3906                 return err;
3907
3908         /* connecting socket */
3909         ssec = sock->sk->sk_security;
3910         ssec->peer_sid = other_isec->sid;
3911
3912         /* server child socket */
3913         ssec = newsk->sk_security;
3914         ssec->peer_sid = isec->sid;
3915         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3916
3917         return err;
3918 }
3919
3920 static int selinux_socket_unix_may_send(struct socket *sock,
3921                                         struct socket *other)
3922 {
3923         struct inode_security_struct *isec;
3924         struct inode_security_struct *other_isec;
3925         struct avc_audit_data ad;
3926         int err;
3927
3928         isec = SOCK_INODE(sock)->i_security;
3929         other_isec = SOCK_INODE(other)->i_security;
3930
3931         AVC_AUDIT_DATA_INIT(&ad, NET);
3932         ad.u.net.sk = other->sk;
3933
3934         err = avc_has_perm(isec->sid, other_isec->sid,
3935                            isec->sclass, SOCKET__SENDTO, &ad);
3936         if (err)
3937                 return err;
3938
3939         return 0;
3940 }
3941
3942 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3943                                     u32 peer_sid,
3944                                     struct avc_audit_data *ad)
3945 {
3946         int err;
3947         u32 if_sid;
3948         u32 node_sid;
3949
3950         err = sel_netif_sid(ifindex, &if_sid);
3951         if (err)
3952                 return err;
3953         err = avc_has_perm(peer_sid, if_sid,
3954                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3955         if (err)
3956                 return err;
3957
3958         err = sel_netnode_sid(addrp, family, &node_sid);
3959         if (err)
3960                 return err;
3961         return avc_has_perm(peer_sid, node_sid,
3962                             SECCLASS_NODE, NODE__RECVFROM, ad);
3963 }
3964
3965 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3966                                                 struct sk_buff *skb,
3967                                                 struct avc_audit_data *ad,
3968                                                 u16 family,
3969                                                 char *addrp)
3970 {
3971         int err;
3972         struct sk_security_struct *sksec = sk->sk_security;
3973         u16 sk_class;
3974         u32 netif_perm, node_perm, recv_perm;
3975         u32 port_sid, node_sid, if_sid, sk_sid;
3976
3977         sk_sid = sksec->sid;
3978         sk_class = sksec->sclass;
3979
3980         switch (sk_class) {
3981         case SECCLASS_UDP_SOCKET:
3982                 netif_perm = NETIF__UDP_RECV;
3983                 node_perm = NODE__UDP_RECV;
3984                 recv_perm = UDP_SOCKET__RECV_MSG;
3985                 break;
3986         case SECCLASS_TCP_SOCKET:
3987                 netif_perm = NETIF__TCP_RECV;
3988                 node_perm = NODE__TCP_RECV;
3989                 recv_perm = TCP_SOCKET__RECV_MSG;
3990                 break;
3991         case SECCLASS_DCCP_SOCKET:
3992                 netif_perm = NETIF__DCCP_RECV;
3993                 node_perm = NODE__DCCP_RECV;
3994                 recv_perm = DCCP_SOCKET__RECV_MSG;
3995                 break;
3996         default:
3997                 netif_perm = NETIF__RAWIP_RECV;
3998                 node_perm = NODE__RAWIP_RECV;
3999                 recv_perm = 0;
4000                 break;
4001         }
4002
4003         err = sel_netif_sid(skb->iif, &if_sid);
4004         if (err)
4005                 return err;
4006         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4007         if (err)
4008                 return err;
4009
4010         err = sel_netnode_sid(addrp, family, &node_sid);
4011         if (err)
4012                 return err;
4013         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4014         if (err)
4015                 return err;
4016
4017         if (!recv_perm)
4018                 return 0;
4019         err = sel_netport_sid(sk->sk_protocol,
4020                               ntohs(ad->u.net.sport), &port_sid);
4021         if (unlikely(err)) {
4022                 printk(KERN_WARNING
4023                        "SELinux: failure in"
4024                        " selinux_sock_rcv_skb_iptables_compat(),"
4025                        " network port label not found\n");
4026                 return err;
4027         }
4028         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4029 }
4030
4031 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,