1/*
2 *  NSA Security-Enhanced Linux (SELinux) security module
3 *
4 *  This file contains the SELinux hook function implementations.
5 *
6 *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7 *	      Chris Vance, <cvance@nai.com>
8 *	      Wayne Salamon, <wsalamon@nai.com>
9 *	      James Morris <jmorris@redhat.com>
10 *
11 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 *					   Eric Paris <eparis@redhat.com>
14 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 *			    <dgoeddel@trustedcs.com>
16 *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 *	Paul Moore <paul@paul-moore.com>
18 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 *	This program is free software; you can redistribute it and/or modify
22 *	it under the terms of the GNU General Public License version 2,
23 *	as published by the Free Software Foundation.
24 */
25
26#include <linux/init.h>
27#include <linux/kd.h>
28#include <linux/kernel.h>
29#include <linux/tracehook.h>
30#include <linux/errno.h>
31#include <linux/sched.h>
32#include <linux/security.h>
33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
40#include <linux/proc_fs.h>
41#include <linux/swap.h>
42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
44#include <linux/dcache.h>
45#include <linux/file.h>
46#include <linux/fdtable.h>
47#include <linux/namei.h>
48#include <linux/mount.h>
49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
53#include <net/ip.h>		/* for local_port_range[] */
54#include <net/sock.h>
55#include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56#include <net/inet_connection_sock.h>
57#include <net/net_namespace.h>
58#include <net/netlabel.h>
59#include <linux/uaccess.h>
60#include <asm/ioctls.h>
61#include <linux/atomic.h>
62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h>	/* for network interface checks */
65#include <net/netlink.h>
66#include <linux/tcp.h>
67#include <linux/udp.h>
68#include <linux/dccp.h>
69#include <linux/quota.h>
70#include <linux/un.h>		/* for Unix socket types */
71#include <net/af_unix.h>	/* for Unix socket types */
72#include <linux/parser.h>
73#include <linux/nfs_mount.h>
74#include <net/ipv6.h>
75#include <linux/hugetlb.h>
76#include <linux/personality.h>
77#include <linux/audit.h>
78#include <linux/string.h>
79#include <linux/selinux.h>
80#include <linux/mutex.h>
81#include <linux/posix-timers.h>
82#include <linux/syslog.h>
83#include <linux/user_namespace.h>
84#include <linux/export.h>
85#include <linux/msg.h>
86#include <linux/shm.h>
87
88#include "avc.h"
89#include "objsec.h"
90#include "netif.h"
91#include "netnode.h"
92#include "netport.h"
93#include "xfrm.h"
94#include "netlabel.h"
95#include "audit.h"
96#include "avc_ss.h"
97
98extern struct security_operations *security_ops;
99
100/* SECMARK reference count */
101static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104int selinux_enforcing;
105
106static int __init enforcing_setup(char *str)
107{
108	unsigned long enforcing;
109	if (!kstrtoul(str, 0, &enforcing))
110		selinux_enforcing = enforcing ? 1 : 0;
111	return 1;
112}
113__setup("enforcing=", enforcing_setup);
114#endif
115
116#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119static int __init selinux_enabled_setup(char *str)
120{
121	unsigned long enabled;
122	if (!kstrtoul(str, 0, &enabled))
123		selinux_enabled = enabled ? 1 : 0;
124	return 1;
125}
126__setup("selinux=", selinux_enabled_setup);
127#else
128int selinux_enabled = 1;
129#endif
130
131static struct kmem_cache *sel_inode_cache;
132
133/**
134 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 *
136 * Description:
137 * This function checks the SECMARK reference counter to see if any SECMARK
138 * targets are currently configured, if the reference counter is greater than
139 * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
140 * enabled, false (0) if SECMARK is disabled.  If the always_check_network
141 * policy capability is enabled, SECMARK is always considered enabled.
142 *
143 */
144static int selinux_secmark_enabled(void)
145{
146	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
147}
148
149/**
150 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 *
152 * Description:
153 * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
154 * (1) if any are enabled or false (0) if neither are enabled.  If the
155 * always_check_network policy capability is enabled, peer labeling
156 * is always considered enabled.
157 *
158 */
159static int selinux_peerlbl_enabled(void)
160{
161	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162}
163
164static int selinux_netcache_avc_callback(u32 event)
165{
166	if (event == AVC_CALLBACK_RESET) {
167		sel_netif_flush();
168		sel_netnode_flush();
169		sel_netport_flush();
170		synchronize_net();
171	}
172	return 0;
173}
174
175/*
176 * initialise the security for the init task
177 */
178static void cred_init_security(void)
179{
180	struct cred *cred = (struct cred *) current->real_cred;
181	struct task_security_struct *tsec;
182
183	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
184	if (!tsec)
185		panic("SELinux:  Failed to initialize initial task.\n");
186
187	tsec->osid = tsec->sid = SECINITSID_KERNEL;
188	cred->security = tsec;
189}
190
191/*
192 * get the security ID of a set of credentials
193 */
194static inline u32 cred_sid(const struct cred *cred)
195{
196	const struct task_security_struct *tsec;
197
198	tsec = cred->security;
199	return tsec->sid;
200}
201
202/*
203 * get the objective security ID of a task
204 */
205static inline u32 task_sid(const struct task_struct *task)
206{
207	u32 sid;
208
209	rcu_read_lock();
210	sid = cred_sid(__task_cred(task));
211	rcu_read_unlock();
212	return sid;
213}
214
215/*
216 * get the subjective security ID of the current task
217 */
218static inline u32 current_sid(void)
219{
220	const struct task_security_struct *tsec = current_security();
221
222	return tsec->sid;
223}
224
225/* Allocate and free functions for each kind of security blob. */
226
227static int inode_alloc_security(struct inode *inode)
228{
229	struct inode_security_struct *isec;
230	u32 sid = current_sid();
231
232	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
233	if (!isec)
234		return -ENOMEM;
235
236	mutex_init(&isec->lock);
237	INIT_LIST_HEAD(&isec->list);
238	isec->inode = inode;
239	isec->sid = SECINITSID_UNLABELED;
240	isec->sclass = SECCLASS_FILE;
241	isec->task_sid = sid;
242	inode->i_security = isec;
243
244	return 0;
245}
246
247static void inode_free_rcu(struct rcu_head *head)
248{
249	struct inode_security_struct *isec;
250
251	isec = container_of(head, struct inode_security_struct, rcu);
252	kmem_cache_free(sel_inode_cache, isec);
253}
254
255static void inode_free_security(struct inode *inode)
256{
257	struct inode_security_struct *isec = inode->i_security;
258	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
259
260	spin_lock(&sbsec->isec_lock);
261	if (!list_empty(&isec->list))
262		list_del_init(&isec->list);
263	spin_unlock(&sbsec->isec_lock);
264
265	/*
266	 * The inode may still be referenced in a path walk and
267	 * a call to selinux_inode_permission() can be made
268	 * after inode_free_security() is called. Ideally, the VFS
269	 * wouldn't do this, but fixing that is a much harder
270	 * job. For now, simply free the i_security via RCU, and
271	 * leave the current inode->i_security pointer intact.
272	 * The inode will be freed after the RCU grace period too.
273	 */
274	call_rcu(&isec->rcu, inode_free_rcu);
275}
276
277static int file_alloc_security(struct file *file)
278{
279	struct file_security_struct *fsec;
280	u32 sid = current_sid();
281
282	fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
283	if (!fsec)
284		return -ENOMEM;
285
286	fsec->sid = sid;
287	fsec->fown_sid = sid;
288	file->f_security = fsec;
289
290	return 0;
291}
292
293static void file_free_security(struct file *file)
294{
295	struct file_security_struct *fsec = file->f_security;
296	file->f_security = NULL;
297	kfree(fsec);
298}
299
300static int superblock_alloc_security(struct super_block *sb)
301{
302	struct superblock_security_struct *sbsec;
303
304	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
305	if (!sbsec)
306		return -ENOMEM;
307
308	mutex_init(&sbsec->lock);
309	INIT_LIST_HEAD(&sbsec->isec_head);
310	spin_lock_init(&sbsec->isec_lock);
311	sbsec->sb = sb;
312	sbsec->sid = SECINITSID_UNLABELED;
313	sbsec->def_sid = SECINITSID_FILE;
314	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
315	sb->s_security = sbsec;
316
317	return 0;
318}
319
320static void superblock_free_security(struct super_block *sb)
321{
322	struct superblock_security_struct *sbsec = sb->s_security;
323	sb->s_security = NULL;
324	kfree(sbsec);
325}
326
327/* The file system's label must be initialized prior to use. */
328
329static const char *labeling_behaviors[7] = {
330	"uses xattr",
331	"uses transition SIDs",
332	"uses task SIDs",
333	"uses genfs_contexts",
334	"not configured for labeling",
335	"uses mountpoint labeling",
336	"uses native labeling",
337};
338
339static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
340
341static inline int inode_doinit(struct inode *inode)
342{
343	return inode_doinit_with_dentry(inode, NULL);
344}
345
346enum {
347	Opt_error = -1,
348	Opt_context = 1,
349	Opt_fscontext = 2,
350	Opt_defcontext = 3,
351	Opt_rootcontext = 4,
352	Opt_labelsupport = 5,
353	Opt_nextmntopt = 6,
354};
355
356#define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
357
358static const match_table_t tokens = {
359	{Opt_context, CONTEXT_STR "%s"},
360	{Opt_fscontext, FSCONTEXT_STR "%s"},
361	{Opt_defcontext, DEFCONTEXT_STR "%s"},
362	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363	{Opt_labelsupport, LABELSUPP_STR},
364	{Opt_error, NULL},
365};
366
367#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
368
369static int may_context_mount_sb_relabel(u32 sid,
370			struct superblock_security_struct *sbsec,
371			const struct cred *cred)
372{
373	const struct task_security_struct *tsec = cred->security;
374	int rc;
375
376	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
377			  FILESYSTEM__RELABELFROM, NULL);
378	if (rc)
379		return rc;
380
381	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
382			  FILESYSTEM__RELABELTO, NULL);
383	return rc;
384}
385
386static int may_context_mount_inode_relabel(u32 sid,
387			struct superblock_security_struct *sbsec,
388			const struct cred *cred)
389{
390	const struct task_security_struct *tsec = cred->security;
391	int rc;
392	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
393			  FILESYSTEM__RELABELFROM, NULL);
394	if (rc)
395		return rc;
396
397	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
398			  FILESYSTEM__ASSOCIATE, NULL);
399	return rc;
400}
401
402static int selinux_is_sblabel_mnt(struct super_block *sb)
403{
404	struct superblock_security_struct *sbsec = sb->s_security;
405
406	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
407		sbsec->behavior == SECURITY_FS_USE_TRANS ||
408		sbsec->behavior == SECURITY_FS_USE_TASK ||
409		/* Special handling. Genfs but also in-core setxattr handler */
410		!strcmp(sb->s_type->name, "sysfs") ||
411		!strcmp(sb->s_type->name, "pstore") ||
412		!strcmp(sb->s_type->name, "debugfs") ||
413		!strcmp(sb->s_type->name, "rootfs");
414}
415
416static int sb_finish_set_opts(struct super_block *sb)
417{
418	struct superblock_security_struct *sbsec = sb->s_security;
419	struct dentry *root = sb->s_root;
420	struct inode *root_inode = root->d_inode;
421	int rc = 0;
422
423	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
424		/* Make sure that the xattr handler exists and that no
425		   error other than -ENODATA is returned by getxattr on
426		   the root directory.  -ENODATA is ok, as this may be
427		   the first boot of the SELinux kernel before we have
428		   assigned xattr values to the filesystem. */
429		if (!root_inode->i_op->getxattr) {
430			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
431			       "xattr support\n", sb->s_id, sb->s_type->name);
432			rc = -EOPNOTSUPP;
433			goto out;
434		}
435		rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
436		if (rc < 0 && rc != -ENODATA) {
437			if (rc == -EOPNOTSUPP)
438				printk(KERN_WARNING "SELinux: (dev %s, type "
439				       "%s) has no security xattr handler\n",
440				       sb->s_id, sb->s_type->name);
441			else
442				printk(KERN_WARNING "SELinux: (dev %s, type "
443				       "%s) getxattr errno %d\n", sb->s_id,
444				       sb->s_type->name, -rc);
445			goto out;
446		}
447	}
448
449	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
450		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
451		       sb->s_id, sb->s_type->name);
452	else
453		printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
454		       sb->s_id, sb->s_type->name,
455		       labeling_behaviors[sbsec->behavior-1]);
456
457	sbsec->flags |= SE_SBINITIALIZED;
458	if (selinux_is_sblabel_mnt(sb))
459		sbsec->flags |= SBLABEL_MNT;
460
461	/* Initialize the root inode. */
462	rc = inode_doinit_with_dentry(root_inode, root);
463
464	/* Initialize any other inodes associated with the superblock, e.g.
465	   inodes created prior to initial policy load or inodes created
466	   during get_sb by a pseudo filesystem that directly
467	   populates itself. */
468	spin_lock(&sbsec->isec_lock);
469next_inode:
470	if (!list_empty(&sbsec->isec_head)) {
471		struct inode_security_struct *isec =
472				list_entry(sbsec->isec_head.next,
473					   struct inode_security_struct, list);
474		struct inode *inode = isec->inode;
475		list_del_init(&isec->list);
476		spin_unlock(&sbsec->isec_lock);
477		inode = igrab(inode);
478		if (inode) {
479			if (!IS_PRIVATE(inode))
480				inode_doinit(inode);
481			iput(inode);
482		}
483		spin_lock(&sbsec->isec_lock);
484		goto next_inode;
485	}
486	spin_unlock(&sbsec->isec_lock);
487out:
488	return rc;
489}
490
491/*
492 * This function should allow an FS to ask what it's mount security
493 * options were so it can use those later for submounts, displaying
494 * mount options, or whatever.
495 */
496static int selinux_get_mnt_opts(const struct super_block *sb,
497				struct security_mnt_opts *opts)
498{
499	int rc = 0, i;
500	struct superblock_security_struct *sbsec = sb->s_security;
501	char *context = NULL;
502	u32 len;
503	char tmp;
504
505	security_init_mnt_opts(opts);
506
507	if (!(sbsec->flags & SE_SBINITIALIZED))
508		return -EINVAL;
509
510	if (!ss_initialized)
511		return -EINVAL;
512
513	/* make sure we always check enough bits to cover the mask */
514	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
515
516	tmp = sbsec->flags & SE_MNTMASK;
517	/* count the number of mount options for this sb */
518	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
519		if (tmp & 0x01)
520			opts->num_mnt_opts++;
521		tmp >>= 1;
522	}
523	/* Check if the Label support flag is set */
524	if (sbsec->flags & SBLABEL_MNT)
525		opts->num_mnt_opts++;
526
527	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
528	if (!opts->mnt_opts) {
529		rc = -ENOMEM;
530		goto out_free;
531	}
532
533	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
534	if (!opts->mnt_opts_flags) {
535		rc = -ENOMEM;
536		goto out_free;
537	}
538
539	i = 0;
540	if (sbsec->flags & FSCONTEXT_MNT) {
541		rc = security_sid_to_context(sbsec->sid, &context, &len);
542		if (rc)
543			goto out_free;
544		opts->mnt_opts[i] = context;
545		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
546	}
547	if (sbsec->flags & CONTEXT_MNT) {
548		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
549		if (rc)
550			goto out_free;
551		opts->mnt_opts[i] = context;
552		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
553	}
554	if (sbsec->flags & DEFCONTEXT_MNT) {
555		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
556		if (rc)
557			goto out_free;
558		opts->mnt_opts[i] = context;
559		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
560	}
561	if (sbsec->flags & ROOTCONTEXT_MNT) {
562		struct inode *root = sbsec->sb->s_root->d_inode;
563		struct inode_security_struct *isec = root->i_security;
564
565		rc = security_sid_to_context(isec->sid, &context, &len);
566		if (rc)
567			goto out_free;
568		opts->mnt_opts[i] = context;
569		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
570	}
571	if (sbsec->flags & SBLABEL_MNT) {
572		opts->mnt_opts[i] = NULL;
573		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
574	}
575
576	BUG_ON(i != opts->num_mnt_opts);
577
578	return 0;
579
580out_free:
581	security_free_mnt_opts(opts);
582	return rc;
583}
584
585static int bad_option(struct superblock_security_struct *sbsec, char flag,
586		      u32 old_sid, u32 new_sid)
587{
588	char mnt_flags = sbsec->flags & SE_MNTMASK;
589
590	/* check if the old mount command had the same options */
591	if (sbsec->flags & SE_SBINITIALIZED)
592		if (!(sbsec->flags & flag) ||
593		    (old_sid != new_sid))
594			return 1;
595
596	/* check if we were passed the same options twice,
597	 * aka someone passed context=a,context=b
598	 */
599	if (!(sbsec->flags & SE_SBINITIALIZED))
600		if (mnt_flags & flag)
601			return 1;
602	return 0;
603}
604
605/*
606 * Allow filesystems with binary mount data to explicitly set mount point
607 * labeling information.
608 */
609static int selinux_set_mnt_opts(struct super_block *sb,
610				struct security_mnt_opts *opts,
611				unsigned long kern_flags,
612				unsigned long *set_kern_flags)
613{
614	const struct cred *cred = current_cred();
615	int rc = 0, i;
616	struct superblock_security_struct *sbsec = sb->s_security;
617	const char *name = sb->s_type->name;
618	struct inode *inode = sbsec->sb->s_root->d_inode;
619	struct inode_security_struct *root_isec = inode->i_security;
620	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
621	u32 defcontext_sid = 0;
622	char **mount_options = opts->mnt_opts;
623	int *flags = opts->mnt_opts_flags;
624	int num_opts = opts->num_mnt_opts;
625
626	mutex_lock(&sbsec->lock);
627
628	if (!ss_initialized) {
629		if (!num_opts) {
630			/* Defer initialization until selinux_complete_init,
631			   after the initial policy is loaded and the security
632			   server is ready to handle calls. */
633			goto out;
634		}
635		rc = -EINVAL;
636		printk(KERN_WARNING "SELinux: Unable to set superblock options "
637			"before the security server is initialized\n");
638		goto out;
639	}
640	if (kern_flags && !set_kern_flags) {
641		/* Specifying internal flags without providing a place to
642		 * place the results is not allowed */
643		rc = -EINVAL;
644		goto out;
645	}
646
647	/*
648	 * Binary mount data FS will come through this function twice.  Once
649	 * from an explicit call and once from the generic calls from the vfs.
650	 * Since the generic VFS calls will not contain any security mount data
651	 * we need to skip the double mount verification.
652	 *
653	 * This does open a hole in which we will not notice if the first
654	 * mount using this sb set explict options and a second mount using
655	 * this sb does not set any security options.  (The first options
656	 * will be used for both mounts)
657	 */
658	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
659	    && (num_opts == 0))
660		goto out;
661
662	/*
663	 * parse the mount options, check if they are valid sids.
664	 * also check if someone is trying to mount the same sb more
665	 * than once with different security options.
666	 */
667	for (i = 0; i < num_opts; i++) {
668		u32 sid;
669
670		if (flags[i] == SBLABEL_MNT)
671			continue;
672		rc = security_context_to_sid(mount_options[i],
673					     strlen(mount_options[i]), &sid, GFP_KERNEL);
674		if (rc) {
675			printk(KERN_WARNING "SELinux: security_context_to_sid"
676			       "(%s) failed for (dev %s, type %s) errno=%d\n",
677			       mount_options[i], sb->s_id, name, rc);
678			goto out;
679		}
680		switch (flags[i]) {
681		case FSCONTEXT_MNT:
682			fscontext_sid = sid;
683
684			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
685					fscontext_sid))
686				goto out_double_mount;
687
688			sbsec->flags |= FSCONTEXT_MNT;
689			break;
690		case CONTEXT_MNT:
691			context_sid = sid;
692
693			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
694					context_sid))
695				goto out_double_mount;
696
697			sbsec->flags |= CONTEXT_MNT;
698			break;
699		case ROOTCONTEXT_MNT:
700			rootcontext_sid = sid;
701
702			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
703					rootcontext_sid))
704				goto out_double_mount;
705
706			sbsec->flags |= ROOTCONTEXT_MNT;
707
708			break;
709		case DEFCONTEXT_MNT:
710			defcontext_sid = sid;
711
712			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
713					defcontext_sid))
714				goto out_double_mount;
715
716			sbsec->flags |= DEFCONTEXT_MNT;
717
718			break;
719		default:
720			rc = -EINVAL;
721			goto out;
722		}
723	}
724
725	if (sbsec->flags & SE_SBINITIALIZED) {
726		/* previously mounted with options, but not on this attempt? */
727		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
728			goto out_double_mount;
729		rc = 0;
730		goto out;
731	}
732
733	if (strcmp(sb->s_type->name, "proc") == 0)
734		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
735
736	if (!strcmp(sb->s_type->name, "debugfs") ||
737	    !strcmp(sb->s_type->name, "sysfs") ||
738	    !strcmp(sb->s_type->name, "pstore"))
739		sbsec->flags |= SE_SBGENFS;
740
741	if (!sbsec->behavior) {
742		/*
743		 * Determine the labeling behavior to use for this
744		 * filesystem type.
745		 */
746		rc = security_fs_use(sb);
747		if (rc) {
748			printk(KERN_WARNING
749				"%s: security_fs_use(%s) returned %d\n",
750					__func__, sb->s_type->name, rc);
751			goto out;
752		}
753	}
754	/* sets the context of the superblock for the fs being mounted. */
755	if (fscontext_sid) {
756		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
757		if (rc)
758			goto out;
759
760		sbsec->sid = fscontext_sid;
761	}
762
763	/*
764	 * Switch to using mount point labeling behavior.
765	 * sets the label used on all file below the mountpoint, and will set
766	 * the superblock context if not already set.
767	 */
768	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
769		sbsec->behavior = SECURITY_FS_USE_NATIVE;
770		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
771	}
772
773	if (context_sid) {
774		if (!fscontext_sid) {
775			rc = may_context_mount_sb_relabel(context_sid, sbsec,
776							  cred);
777			if (rc)
778				goto out;
779			sbsec->sid = context_sid;
780		} else {
781			rc = may_context_mount_inode_relabel(context_sid, sbsec,
782							     cred);
783			if (rc)
784				goto out;
785		}
786		if (!rootcontext_sid)
787			rootcontext_sid = context_sid;
788
789		sbsec->mntpoint_sid = context_sid;
790		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
791	}
792
793	if (rootcontext_sid) {
794		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
795						     cred);
796		if (rc)
797			goto out;
798
799		root_isec->sid = rootcontext_sid;
800		root_isec->initialized = 1;
801	}
802
803	if (defcontext_sid) {
804		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
805			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
806			rc = -EINVAL;
807			printk(KERN_WARNING "SELinux: defcontext option is "
808			       "invalid for this filesystem type\n");
809			goto out;
810		}
811
812		if (defcontext_sid != sbsec->def_sid) {
813			rc = may_context_mount_inode_relabel(defcontext_sid,
814							     sbsec, cred);
815			if (rc)
816				goto out;
817		}
818
819		sbsec->def_sid = defcontext_sid;
820	}
821
822	rc = sb_finish_set_opts(sb);
823out:
824	mutex_unlock(&sbsec->lock);
825	return rc;
826out_double_mount:
827	rc = -EINVAL;
828	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
829	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
830	goto out;
831}
832
833static int selinux_cmp_sb_context(const struct super_block *oldsb,
834				    const struct super_block *newsb)
835{
836	struct superblock_security_struct *old = oldsb->s_security;
837	struct superblock_security_struct *new = newsb->s_security;
838	char oldflags = old->flags & SE_MNTMASK;
839	char newflags = new->flags & SE_MNTMASK;
840
841	if (oldflags != newflags)
842		goto mismatch;
843	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
844		goto mismatch;
845	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
846		goto mismatch;
847	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
848		goto mismatch;
849	if (oldflags & ROOTCONTEXT_MNT) {
850		struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
851		struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
852		if (oldroot->sid != newroot->sid)
853			goto mismatch;
854	}
855	return 0;
856mismatch:
857	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
858			    "different security settings for (dev %s, "
859			    "type %s)\n", newsb->s_id, newsb->s_type->name);
860	return -EBUSY;
861}
862
863static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
864					struct super_block *newsb)
865{
866	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
867	struct superblock_security_struct *newsbsec = newsb->s_security;
868
869	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
870	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
871	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
872
873	/*
874	 * if the parent was able to be mounted it clearly had no special lsm
875	 * mount options.  thus we can safely deal with this superblock later
876	 */
877	if (!ss_initialized)
878		return 0;
879
880	/* how can we clone if the old one wasn't set up?? */
881	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
882
883	/* if fs is reusing a sb, make sure that the contexts match */
884	if (newsbsec->flags & SE_SBINITIALIZED)
885		return selinux_cmp_sb_context(oldsb, newsb);
886
887	mutex_lock(&newsbsec->lock);
888
889	newsbsec->flags = oldsbsec->flags;
890
891	newsbsec->sid = oldsbsec->sid;
892	newsbsec->def_sid = oldsbsec->def_sid;
893	newsbsec->behavior = oldsbsec->behavior;
894
895	if (set_context) {
896		u32 sid = oldsbsec->mntpoint_sid;
897
898		if (!set_fscontext)
899			newsbsec->sid = sid;
900		if (!set_rootcontext) {
901			struct inode *newinode = newsb->s_root->d_inode;
902			struct inode_security_struct *newisec = newinode->i_security;
903			newisec->sid = sid;
904		}
905		newsbsec->mntpoint_sid = sid;
906	}
907	if (set_rootcontext) {
908		const struct inode *oldinode = oldsb->s_root->d_inode;
909		const struct inode_security_struct *oldisec = oldinode->i_security;
910		struct inode *newinode = newsb->s_root->d_inode;
911		struct inode_security_struct *newisec = newinode->i_security;
912
913		newisec->sid = oldisec->sid;
914	}
915
916	sb_finish_set_opts(newsb);
917	mutex_unlock(&newsbsec->lock);
918	return 0;
919}
920
921static int selinux_parse_opts_str(char *options,
922				  struct security_mnt_opts *opts)
923{
924	char *p;
925	char *context = NULL, *defcontext = NULL;
926	char *fscontext = NULL, *rootcontext = NULL;
927	int rc, num_mnt_opts = 0;
928
929	opts->num_mnt_opts = 0;
930
931	/* Standard string-based options. */
932	while ((p = strsep(&options, "|")) != NULL) {
933		int token;
934		substring_t args[MAX_OPT_ARGS];
935
936		if (!*p)
937			continue;
938
939		token = match_token(p, tokens, args);
940
941		switch (token) {
942		case Opt_context:
943			if (context || defcontext) {
944				rc = -EINVAL;
945				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
946				goto out_err;
947			}
948			context = match_strdup(&args[0]);
949			if (!context) {
950				rc = -ENOMEM;
951				goto out_err;
952			}
953			break;
954
955		case Opt_fscontext:
956			if (fscontext) {
957				rc = -EINVAL;
958				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
959				goto out_err;
960			}
961			fscontext = match_strdup(&args[0]);
962			if (!fscontext) {
963				rc = -ENOMEM;
964				goto out_err;
965			}
966			break;
967
968		case Opt_rootcontext:
969			if (rootcontext) {
970				rc = -EINVAL;
971				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
972				goto out_err;
973			}
974			rootcontext = match_strdup(&args[0]);
975			if (!rootcontext) {
976				rc = -ENOMEM;
977				goto out_err;
978			}
979			break;
980
981		case Opt_defcontext:
982			if (context || defcontext) {
983				rc = -EINVAL;
984				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
985				goto out_err;
986			}
987			defcontext = match_strdup(&args[0]);
988			if (!defcontext) {
989				rc = -ENOMEM;
990				goto out_err;
991			}
992			break;
993		case Opt_labelsupport:
994			break;
995		default:
996			rc = -EINVAL;
997			printk(KERN_WARNING "SELinux:  unknown mount option\n");
998			goto out_err;
999
1000		}
1001	}
1002
1003	rc = -ENOMEM;
1004	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1005	if (!opts->mnt_opts)
1006		goto out_err;
1007
1008	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1009	if (!opts->mnt_opts_flags) {
1010		kfree(opts->mnt_opts);
1011		goto out_err;
1012	}
1013
1014	if (fscontext) {
1015		opts->mnt_opts[num_mnt_opts] = fscontext;
1016		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1017	}
1018	if (context) {
1019		opts->mnt_opts[num_mnt_opts] = context;
1020		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1021	}
1022	if (rootcontext) {
1023		opts->mnt_opts[num_mnt_opts] = rootcontext;
1024		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1025	}
1026	if (defcontext) {
1027		opts->mnt_opts[num_mnt_opts] = defcontext;
1028		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1029	}
1030
1031	opts->num_mnt_opts = num_mnt_opts;
1032	return 0;
1033
1034out_err:
1035	kfree(context);
1036	kfree(defcontext);
1037	kfree(fscontext);
1038	kfree(rootcontext);
1039	return rc;
1040}
1041/*
1042 * string mount options parsing and call set the sbsec
1043 */
1044static int superblock_doinit(struct super_block *sb, void *data)
1045{
1046	int rc = 0;
1047	char *options = data;
1048	struct security_mnt_opts opts;
1049
1050	security_init_mnt_opts(&opts);
1051
1052	if (!data)
1053		goto out;
1054
1055	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1056
1057	rc = selinux_parse_opts_str(options, &opts);
1058	if (rc)
1059		goto out_err;
1060
1061out:
1062	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1063
1064out_err:
1065	security_free_mnt_opts(&opts);
1066	return rc;
1067}
1068
1069static void selinux_write_opts(struct seq_file *m,
1070			       struct security_mnt_opts *opts)
1071{
1072	int i;
1073	char *prefix;
1074
1075	for (i = 0; i < opts->num_mnt_opts; i++) {
1076		char *has_comma;
1077
1078		if (opts->mnt_opts[i])
1079			has_comma = strchr(opts->mnt_opts[i], ',');
1080		else
1081			has_comma = NULL;
1082
1083		switch (opts->mnt_opts_flags[i]) {
1084		case CONTEXT_MNT:
1085			prefix = CONTEXT_STR;
1086			break;
1087		case FSCONTEXT_MNT:
1088			prefix = FSCONTEXT_STR;
1089			break;
1090		case ROOTCONTEXT_MNT:
1091			prefix = ROOTCONTEXT_STR;
1092			break;
1093		case DEFCONTEXT_MNT:
1094			prefix = DEFCONTEXT_STR;
1095			break;
1096		case SBLABEL_MNT:
1097			seq_putc(m, ',');
1098			seq_puts(m, LABELSUPP_STR);
1099			continue;
1100		default:
1101			BUG();
1102			return;
1103		};
1104		/* we need a comma before each option */
1105		seq_putc(m, ',');
1106		seq_puts(m, prefix);
1107		if (has_comma)
1108			seq_putc(m, '\"');
1109		seq_puts(m, opts->mnt_opts[i]);
1110		if (has_comma)
1111			seq_putc(m, '\"');
1112	}
1113}
1114
1115static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1116{
1117	struct security_mnt_opts opts;
1118	int rc;
1119
1120	rc = selinux_get_mnt_opts(sb, &opts);
1121	if (rc) {
1122		/* before policy load we may get EINVAL, don't show anything */
1123		if (rc == -EINVAL)
1124			rc = 0;
1125		return rc;
1126	}
1127
1128	selinux_write_opts(m, &opts);
1129
1130	security_free_mnt_opts(&opts);
1131
1132	return rc;
1133}
1134
1135static inline u16 inode_mode_to_security_class(umode_t mode)
1136{
1137	switch (mode & S_IFMT) {
1138	case S_IFSOCK:
1139		return SECCLASS_SOCK_FILE;
1140	case S_IFLNK:
1141		return SECCLASS_LNK_FILE;
1142	case S_IFREG:
1143		return SECCLASS_FILE;
1144	case S_IFBLK:
1145		return SECCLASS_BLK_FILE;
1146	case S_IFDIR:
1147		return SECCLASS_DIR;
1148	case S_IFCHR:
1149		return SECCLASS_CHR_FILE;
1150	case S_IFIFO:
1151		return SECCLASS_FIFO_FILE;
1152
1153	}
1154
1155	return SECCLASS_FILE;
1156}
1157
1158static inline int default_protocol_stream(int protocol)
1159{
1160	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1161}
1162
1163static inline int default_protocol_dgram(int protocol)
1164{
1165	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1166}
1167
1168static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1169{
1170	switch (family) {
1171	case PF_UNIX:
1172		switch (type) {
1173		case SOCK_STREAM:
1174		case SOCK_SEQPACKET:
1175			return SECCLASS_UNIX_STREAM_SOCKET;
1176		case SOCK_DGRAM:
1177			return SECCLASS_UNIX_DGRAM_SOCKET;
1178		}
1179		break;
1180	case PF_INET:
1181	case PF_INET6:
1182		switch (type) {
1183		case SOCK_STREAM:
1184			if (default_protocol_stream(protocol))
1185				return SECCLASS_TCP_SOCKET;
1186			else
1187				return SECCLASS_RAWIP_SOCKET;
1188		case SOCK_DGRAM:
1189			if (default_protocol_dgram(protocol))
1190				return SECCLASS_UDP_SOCKET;
1191			else
1192				return SECCLASS_RAWIP_SOCKET;
1193		case SOCK_DCCP:
1194			return SECCLASS_DCCP_SOCKET;
1195		default:
1196			return SECCLASS_RAWIP_SOCKET;
1197		}
1198		break;
1199	case PF_NETLINK:
1200		switch (protocol) {
1201		case NETLINK_ROUTE:
1202			return SECCLASS_NETLINK_ROUTE_SOCKET;
1203		case NETLINK_FIREWALL:
1204			return SECCLASS_NETLINK_FIREWALL_SOCKET;
1205		case NETLINK_SOCK_DIAG:
1206			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1207		case NETLINK_NFLOG:
1208			return SECCLASS_NETLINK_NFLOG_SOCKET;
1209		case NETLINK_XFRM:
1210			return SECCLASS_NETLINK_XFRM_SOCKET;
1211		case NETLINK_SELINUX:
1212			return SECCLASS_NETLINK_SELINUX_SOCKET;
1213		case NETLINK_AUDIT:
1214			return SECCLASS_NETLINK_AUDIT_SOCKET;
1215		case NETLINK_IP6_FW:
1216			return SECCLASS_NETLINK_IP6FW_SOCKET;
1217		case NETLINK_DNRTMSG:
1218			return SECCLASS_NETLINK_DNRT_SOCKET;
1219		case NETLINK_KOBJECT_UEVENT:
1220			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1221		default:
1222			return SECCLASS_NETLINK_SOCKET;
1223		}
1224	case PF_PACKET:
1225		return SECCLASS_PACKET_SOCKET;
1226	case PF_KEY:
1227		return SECCLASS_KEY_SOCKET;
1228	case PF_APPLETALK:
1229		return SECCLASS_APPLETALK_SOCKET;
1230	}
1231
1232	return SECCLASS_SOCKET;
1233}
1234
1235static int selinux_genfs_get_sid(struct dentry *dentry,
1236				 u16 tclass,
1237				 u16 flags,
1238				 u32 *sid)
1239{
1240	int rc;
1241	struct super_block *sb = dentry->d_inode->i_sb;
1242	char *buffer, *path;
1243
1244	buffer = (char *)__get_free_page(GFP_KERNEL);
1245	if (!buffer)
1246		return -ENOMEM;
1247
1248	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1249	if (IS_ERR(path))
1250		rc = PTR_ERR(path);
1251	else {
1252		if (flags & SE_SBPROC) {
1253			/* each process gets a /proc/PID/ entry. Strip off the
1254			 * PID part to get a valid selinux labeling.
1255			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1256			while (path[1] >= '0' && path[1] <= '9') {
1257				path[1] = '/';
1258				path++;
1259			}
1260		}
1261		rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1262	}
1263	free_page((unsigned long)buffer);
1264	return rc;
1265}
1266
1267/* The inode's security attributes must be initialized before first use. */
1268static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1269{
1270	struct superblock_security_struct *sbsec = NULL;
1271	struct inode_security_struct *isec = inode->i_security;
1272	u32 sid;
1273	struct dentry *dentry;
1274#define INITCONTEXTLEN 255
1275	char *context = NULL;
1276	unsigned len = 0;
1277	int rc = 0;
1278
1279	if (isec->initialized)
1280		goto out;
1281
1282	mutex_lock(&isec->lock);
1283	if (isec->initialized)
1284		goto out_unlock;
1285
1286	sbsec = inode->i_sb->s_security;
1287	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1288		/* Defer initialization until selinux_complete_init,
1289		   after the initial policy is loaded and the security
1290		   server is ready to handle calls. */
1291		spin_lock(&sbsec->isec_lock);
1292		if (list_empty(&isec->list))
1293			list_add(&isec->list, &sbsec->isec_head);
1294		spin_unlock(&sbsec->isec_lock);
1295		goto out_unlock;
1296	}
1297
1298	switch (sbsec->behavior) {
1299	case SECURITY_FS_USE_NATIVE:
1300		break;
1301	case SECURITY_FS_USE_XATTR:
1302		if (!inode->i_op->getxattr) {
1303			isec->sid = sbsec->def_sid;
1304			break;
1305		}
1306
1307		/* Need a dentry, since the xattr API requires one.
1308		   Life would be simpler if we could just pass the inode. */
1309		if (opt_dentry) {
1310			/* Called from d_instantiate or d_splice_alias. */
1311			dentry = dget(opt_dentry);
1312		} else {
1313			/* Called from selinux_complete_init, try to find a dentry. */
1314			dentry = d_find_alias(inode);
1315		}
1316		if (!dentry) {
1317			/*
1318			 * this is can be hit on boot when a file is accessed
1319			 * before the policy is loaded.  When we load policy we
1320			 * may find inodes that have no dentry on the
1321			 * sbsec->isec_head list.  No reason to complain as these
1322			 * will get fixed up the next time we go through
1323			 * inode_doinit with a dentry, before these inodes could
1324			 * be used again by userspace.
1325			 */
1326			goto out_unlock;
1327		}
1328
1329		len = INITCONTEXTLEN;
1330		context = kmalloc(len+1, GFP_NOFS);
1331		if (!context) {
1332			rc = -ENOMEM;
1333			dput(dentry);
1334			goto out_unlock;
1335		}
1336		context[len] = '\0';
1337		rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1338					   context, len);
1339		if (rc == -ERANGE) {
1340			kfree(context);
1341
1342			/* Need a larger buffer.  Query for the right size. */
1343			rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1344						   NULL, 0);
1345			if (rc < 0) {
1346				dput(dentry);
1347				goto out_unlock;
1348			}
1349			len = rc;
1350			context = kmalloc(len+1, GFP_NOFS);
1351			if (!context) {
1352				rc = -ENOMEM;
1353				dput(dentry);
1354				goto out_unlock;
1355			}
1356			context[len] = '\0';
1357			rc = inode->i_op->getxattr(dentry,
1358						   XATTR_NAME_SELINUX,
1359						   context, len);
1360		}
1361		dput(dentry);
1362		if (rc < 0) {
1363			if (rc != -ENODATA) {
1364				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1365				       "%d for dev=%s ino=%ld\n", __func__,
1366				       -rc, inode->i_sb->s_id, inode->i_ino);
1367				kfree(context);
1368				goto out_unlock;
1369			}
1370			/* Map ENODATA to the default file SID */
1371			sid = sbsec->def_sid;
1372			rc = 0;
1373		} else {
1374			rc = security_context_to_sid_default(context, rc, &sid,
1375							     sbsec->def_sid,
1376							     GFP_NOFS);
1377			if (rc) {
1378				char *dev = inode->i_sb->s_id;
1379				unsigned long ino = inode->i_ino;
1380
1381				if (rc == -EINVAL) {
1382					if (printk_ratelimit())
1383						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1384							"context=%s.  This indicates you may need to relabel the inode or the "
1385							"filesystem in question.\n", ino, dev, context);
1386				} else {
1387					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1388					       "returned %d for dev=%s ino=%ld\n",
1389					       __func__, context, -rc, dev, ino);
1390				}
1391				kfree(context);
1392				/* Leave with the unlabeled SID */
1393				rc = 0;
1394				break;
1395			}
1396		}
1397		kfree(context);
1398		isec->sid = sid;
1399		break;
1400	case SECURITY_FS_USE_TASK:
1401		isec->sid = isec->task_sid;
1402		break;
1403	case SECURITY_FS_USE_TRANS:
1404		/* Default to the fs SID. */
1405		isec->sid = sbsec->sid;
1406
1407		/* Try to obtain a transition SID. */
1408		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1409		rc = security_transition_sid(isec->task_sid, sbsec->sid,
1410					     isec->sclass, NULL, &sid);
1411		if (rc)
1412			goto out_unlock;
1413		isec->sid = sid;
1414		break;
1415	case SECURITY_FS_USE_MNTPOINT:
1416		isec->sid = sbsec->mntpoint_sid;
1417		break;
1418	default:
1419		/* Default to the fs superblock SID. */
1420		isec->sid = sbsec->sid;
1421
1422		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1423			/* We must have a dentry to determine the label on
1424			 * procfs inodes */
1425			if (opt_dentry)
1426				/* Called from d_instantiate or
1427				 * d_splice_alias. */
1428				dentry = dget(opt_dentry);
1429			else
1430				/* Called from selinux_complete_init, try to
1431				 * find a dentry. */
1432				dentry = d_find_alias(inode);
1433			/*
1434			 * This can be hit on boot when a file is accessed
1435			 * before the policy is loaded.  When we load policy we
1436			 * may find inodes that have no dentry on the
1437			 * sbsec->isec_head list.  No reason to complain as
1438			 * these will get fixed up the next time we go through
1439			 * inode_doinit() with a dentry, before these inodes
1440			 * could be used again by userspace.
1441			 */
1442			if (!dentry)
1443				goto out_unlock;
1444			isec->sclass = inode_mode_to_security_class(inode->i_mode);
1445			rc = selinux_genfs_get_sid(dentry, isec->sclass,
1446						   sbsec->flags, &sid);
1447			dput(dentry);
1448			if (rc)
1449				goto out_unlock;
1450			isec->sid = sid;
1451		}
1452		break;
1453	}
1454
1455	isec->initialized = 1;
1456
1457out_unlock:
1458	mutex_unlock(&isec->lock);
1459out:
1460	if (isec->sclass == SECCLASS_FILE)
1461		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1462	return rc;
1463}
1464
1465/* Convert a Linux signal to an access vector. */
1466static inline u32 signal_to_av(int sig)
1467{
1468	u32 perm = 0;
1469
1470	switch (sig) {
1471	case SIGCHLD:
1472		/* Commonly granted from child to parent. */
1473		perm = PROCESS__SIGCHLD;
1474		break;
1475	case SIGKILL:
1476		/* Cannot be caught or ignored */
1477		perm = PROCESS__SIGKILL;
1478		break;
1479	case SIGSTOP:
1480		/* Cannot be caught or ignored */
1481		perm = PROCESS__SIGSTOP;
1482		break;
1483	default:
1484		/* All other signals. */
1485		perm = PROCESS__SIGNAL;
1486		break;
1487	}
1488
1489	return perm;
1490}
1491
1492/*
1493 * Check permission between a pair of credentials
1494 * fork check, ptrace check, etc.
1495 */
1496static int cred_has_perm(const struct cred *actor,
1497			 const struct cred *target,
1498			 u32 perms)
1499{
1500	u32 asid = cred_sid(actor), tsid = cred_sid(target);
1501
1502	return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1503}
1504
1505/*
1506 * Check permission between a pair of tasks, e.g. signal checks,
1507 * fork check, ptrace check, etc.
1508 * tsk1 is the actor and tsk2 is the target
1509 * - this uses the default subjective creds of tsk1
1510 */
1511static int task_has_perm(const struct task_struct *tsk1,
1512			 const struct task_struct *tsk2,
1513			 u32 perms)
1514{
1515	const struct task_security_struct *__tsec1, *__tsec2;
1516	u32 sid1, sid2;
1517
1518	rcu_read_lock();
1519	__tsec1 = __task_cred(tsk1)->security;	sid1 = __tsec1->sid;
1520	__tsec2 = __task_cred(tsk2)->security;	sid2 = __tsec2->sid;
1521	rcu_read_unlock();
1522	return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1523}
1524
1525/*
1526 * Check permission between current and another task, e.g. signal checks,
1527 * fork check, ptrace check, etc.
1528 * current is the actor and tsk2 is the target
1529 * - this uses current's subjective creds
1530 */
1531static int current_has_perm(const struct task_struct *tsk,
1532			    u32 perms)
1533{
1534	u32 sid, tsid;
1535
1536	sid = current_sid();
1537	tsid = task_sid(tsk);
1538	return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1539}
1540
1541#if CAP_LAST_CAP > 63
1542#error Fix SELinux to handle capabilities > 63.
1543#endif
1544
1545/* Check whether a task is allowed to use a capability. */
1546static int cred_has_capability(const struct cred *cred,
1547			       int cap, int audit)
1548{
1549	struct common_audit_data ad;
1550	struct av_decision avd;
1551	u16 sclass;
1552	u32 sid = cred_sid(cred);
1553	u32 av = CAP_TO_MASK(cap);
1554	int rc;
1555
1556	ad.type = LSM_AUDIT_DATA_CAP;
1557	ad.u.cap = cap;
1558
1559	switch (CAP_TO_INDEX(cap)) {
1560	case 0:
1561		sclass = SECCLASS_CAPABILITY;
1562		break;
1563	case 1:
1564		sclass = SECCLASS_CAPABILITY2;
1565		break;
1566	default:
1567		printk(KERN_ERR
1568		       "SELinux:  out of range capability %d\n", cap);
1569		BUG();
1570		return -EINVAL;
1571	}
1572
1573	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1574	if (audit == SECURITY_CAP_AUDIT) {
1575		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1576		if (rc2)
1577			return rc2;
1578	}
1579	return rc;
1580}
1581
1582/* Check whether a task is allowed to use a system operation. */
1583static int task_has_system(struct task_struct *tsk,
1584			   u32 perms)
1585{
1586	u32 sid = task_sid(tsk);
1587
1588	return avc_has_perm(sid, SECINITSID_KERNEL,
1589			    SECCLASS_SYSTEM, perms, NULL);
1590}
1591
1592/* Check whether a task has a particular permission to an inode.
1593   The 'adp' parameter is optional and allows other audit
1594   data to be passed (e.g. the dentry). */
1595static int inode_has_perm(const struct cred *cred,
1596			  struct inode *inode,
1597			  u32 perms,
1598			  struct common_audit_data *adp)
1599{
1600	struct inode_security_struct *isec;
1601	u32 sid;
1602
1603	validate_creds(cred);
1604
1605	if (unlikely(IS_PRIVATE(inode)))
1606		return 0;
1607
1608	sid = cred_sid(cred);
1609	isec = inode->i_security;
1610
1611	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1612}
1613
1614/* Same as inode_has_perm, but pass explicit audit data containing
1615   the dentry to help the auditing code to more easily generate the
1616   pathname if needed. */
1617static inline int dentry_has_perm(const struct cred *cred,
1618				  struct dentry *dentry,
1619				  u32 av)
1620{
1621	struct inode *inode = dentry->d_inode;
1622	struct common_audit_data ad;
1623
1624	ad.type = LSM_AUDIT_DATA_DENTRY;
1625	ad.u.dentry = dentry;
1626	return inode_has_perm(cred, inode, av, &ad);
1627}
1628
1629/* Same as inode_has_perm, but pass explicit audit data containing
1630   the path to help the auditing code to more easily generate the
1631   pathname if needed. */
1632static inline int path_has_perm(const struct cred *cred,
1633				struct path *path,
1634				u32 av)
1635{
1636	struct inode *inode = path->dentry->d_inode;
1637	struct common_audit_data ad;
1638
1639	ad.type = LSM_AUDIT_DATA_PATH;
1640	ad.u.path = *path;
1641	return inode_has_perm(cred, inode, av, &ad);
1642}
1643
1644/* Same as path_has_perm, but uses the inode from the file struct. */
1645static inline int file_path_has_perm(const struct cred *cred,
1646				     struct file *file,
1647				     u32 av)
1648{
1649	struct common_audit_data ad;
1650
1651	ad.type = LSM_AUDIT_DATA_PATH;
1652	ad.u.path = file->f_path;
1653	return inode_has_perm(cred, file_inode(file), av, &ad);
1654}
1655
1656/* Check whether a task can use an open file descriptor to
1657   access an inode in a given way.  Check access to the
1658   descriptor itself, and then use dentry_has_perm to
1659   check a particular permission to the file.
1660   Access to the descriptor is implicitly granted if it
1661   has the same SID as the process.  If av is zero, then
1662   access to the file is not checked, e.g. for cases
1663   where only the descriptor is affected like seek. */
1664static int file_has_perm(const struct cred *cred,
1665			 struct file *file,
1666			 u32 av)
1667{
1668	struct file_security_struct *fsec = file->f_security;
1669	struct inode *inode = file_inode(file);
1670	struct common_audit_data ad;
1671	u32 sid = cred_sid(cred);
1672	int rc;
1673
1674	ad.type = LSM_AUDIT_DATA_PATH;
1675	ad.u.path = file->f_path;
1676
1677	if (sid != fsec->sid) {
1678		rc = avc_has_perm(sid, fsec->sid,
1679				  SECCLASS_FD,
1680				  FD__USE,
1681				  &ad);
1682		if (rc)
1683			goto out;
1684	}
1685
1686	/* av is zero if only checking access to the descriptor. */
1687	rc = 0;
1688	if (av)
1689		rc = inode_has_perm(cred, inode, av, &ad);
1690
1691out:
1692	return rc;
1693}
1694
1695/* Check whether a task can create a file. */
1696static int may_create(struct inode *dir,
1697		      struct dentry *dentry,
1698		      u16 tclass)
1699{
1700	const struct task_security_struct *tsec = current_security();
1701	struct inode_security_struct *dsec;
1702	struct superblock_security_struct *sbsec;
1703	u32 sid, newsid;
1704	struct common_audit_data ad;
1705	int rc;
1706
1707	dsec = dir->i_security;
1708	sbsec = dir->i_sb->s_security;
1709
1710	sid = tsec->sid;
1711	newsid = tsec->create_sid;
1712
1713	ad.type = LSM_AUDIT_DATA_DENTRY;
1714	ad.u.dentry = dentry;
1715
1716	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1717			  DIR__ADD_NAME | DIR__SEARCH,
1718			  &ad);
1719	if (rc)
1720		return rc;
1721
1722	if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1723		rc = security_transition_sid(sid, dsec->sid, tclass,
1724					     &dentry->d_name, &newsid);
1725		if (rc)
1726			return rc;
1727	}
1728
1729	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1730	if (rc)
1731		return rc;
1732
1733	return avc_has_perm(newsid, sbsec->sid,
1734			    SECCLASS_FILESYSTEM,
1735			    FILESYSTEM__ASSOCIATE, &ad);
1736}
1737
1738/* Check whether a task can create a key. */
1739static int may_create_key(u32 ksid,
1740			  struct task_struct *ctx)
1741{
1742	u32 sid = task_sid(ctx);
1743
1744	return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1745}
1746
1747#define MAY_LINK	0
1748#define MAY_UNLINK	1
1749#define MAY_RMDIR	2
1750
1751/* Check whether a task can link, unlink, or rmdir a file/directory. */
1752static int may_link(struct inode *dir,
1753		    struct dentry *dentry,
1754		    int kind)
1755
1756{
1757	struct inode_security_struct *dsec, *isec;
1758	struct common_audit_data ad;
1759	u32 sid = current_sid();
1760	u32 av;
1761	int rc;
1762
1763	dsec = dir->i_security;
1764	isec = dentry->d_inode->i_security;
1765
1766	ad.type = LSM_AUDIT_DATA_DENTRY;
1767	ad.u.dentry = dentry;
1768
1769	av = DIR__SEARCH;
1770	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1771	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1772	if (rc)
1773		return rc;
1774
1775	switch (kind) {
1776	case MAY_LINK:
1777		av = FILE__LINK;
1778		break;
1779	case MAY_UNLINK:
1780		av = FILE__UNLINK;
1781		break;
1782	case MAY_RMDIR:
1783		av = DIR__RMDIR;
1784		break;
1785	default:
1786		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1787			__func__, kind);
1788		return 0;
1789	}
1790
1791	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1792	return rc;
1793}
1794
1795static inline int may_rename(struct inode *old_dir,
1796			     struct dentry *old_dentry,
1797			     struct inode *new_dir,
1798			     struct dentry *new_dentry)
1799{
1800	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1801	struct common_audit_data ad;
1802	u32 sid = current_sid();
1803	u32 av;
1804	int old_is_dir, new_is_dir;
1805	int rc;
1806
1807	old_dsec = old_dir->i_security;
1808	old_isec = old_dentry->d_inode->i_security;
1809	old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1810	new_dsec = new_dir->i_security;
1811
1812	ad.type = LSM_AUDIT_DATA_DENTRY;
1813
1814	ad.u.dentry = old_dentry;
1815	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1816			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1817	if (rc)
1818		return rc;
1819	rc = avc_has_perm(sid, old_isec->sid,
1820			  old_isec->sclass, FILE__RENAME, &ad);
1821	if (rc)
1822		return rc;
1823	if (old_is_dir && new_dir != old_dir) {
1824		rc = avc_has_perm(sid, old_isec->sid,
1825				  old_isec->sclass, DIR__REPARENT, &ad);
1826		if (rc)
1827			return rc;
1828	}
1829
1830	ad.u.dentry = new_dentry;
1831	av = DIR__ADD_NAME | DIR__SEARCH;
1832	if (new_dentry->d_inode)
1833		av |= DIR__REMOVE_NAME;
1834	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1835	if (rc)
1836		return rc;
1837	if (new_dentry->d_inode) {
1838		new_isec = new_dentry->d_inode->i_security;
1839		new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1840		rc = avc_has_perm(sid, new_isec->sid,
1841				  new_isec->sclass,
1842				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1843		if (rc)
1844			return rc;
1845	}
1846
1847	return 0;
1848}
1849
1850/* Check whether a task can perform a filesystem operation. */
1851static int superblock_has_perm(const struct cred *cred,
1852			       struct super_block *sb,
1853			       u32 perms,
1854			       struct common_audit_data *ad)
1855{
1856	struct superblock_security_struct *sbsec;
1857	u32 sid = cred_sid(cred);
1858
1859	sbsec = sb->s_security;
1860	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1861}
1862
1863/* Convert a Linux mode and permission mask to an access vector. */
1864static inline u32 file_mask_to_av(int mode, int mask)
1865{
1866	u32 av = 0;
1867
1868	if (!S_ISDIR(mode)) {
1869		if (mask & MAY_EXEC)
1870			av |= FILE__EXECUTE;
1871		if (mask & MAY_READ)
1872			av |= FILE__READ;
1873
1874		if (mask & MAY_APPEND)
1875			av |= FILE__APPEND;
1876		else if (mask & MAY_WRITE)
1877			av |= FILE__WRITE;
1878
1879	} else {
1880		if (mask & MAY_EXEC)
1881			av |= DIR__SEARCH;
1882		if (mask & MAY_WRITE)
1883			av |= DIR__WRITE;
1884		if (mask & MAY_READ)
1885			av |= DIR__READ;
1886	}
1887
1888	return av;
1889}
1890
1891/* Convert a Linux file to an access vector. */
1892static inline u32 file_to_av(struct file *file)
1893{
1894	u32 av = 0;
1895
1896	if (file->f_mode & FMODE_READ)
1897		av |= FILE__READ;
1898	if (file->f_mode & FMODE_WRITE) {
1899		if (file->f_flags & O_APPEND)
1900			av |= FILE__APPEND;
1901		else
1902			av |= FILE__WRITE;
1903	}
1904	if (!av) {
1905		/*
1906		 * Special file opened with flags 3 for ioctl-only use.
1907		 */
1908		av = FILE__IOCTL;
1909	}
1910
1911	return av;
1912}
1913
1914/*
1915 * Convert a file to an access vector and include the correct open
1916 * open permission.
1917 */
1918static inline u32 open_file_to_av(struct file *file)
1919{
1920	u32 av = file_to_av(file);
1921
1922	if (selinux_policycap_openperm)
1923		av |= FILE__OPEN;
1924
1925	return av;
1926}
1927
1928/* Hook functions begin here. */
1929
1930static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1931{
1932	u32 mysid = current_sid();
1933	u32 mgrsid = task_sid(mgr);
1934
1935	return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, BINDER__SET_CONTEXT_MGR, NULL);
1936}
1937
1938static int selinux_binder_transaction(struct task_struct *from, struct task_struct *to)
1939{
1940	u32 mysid = current_sid();
1941	u32 fromsid = task_sid(from);
1942	u32 tosid = task_sid(to);
1943	int rc;
1944
1945	if (mysid != fromsid) {
1946		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, BINDER__IMPERSONATE, NULL);
1947		if (rc)
1948			return rc;
1949	}
1950
1951	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, NULL);
1952}
1953
1954static int selinux_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
1955{
1956	u32 fromsid = task_sid(from);
1957	u32 tosid = task_sid(to);
1958	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, NULL);
1959}
1960
1961static int selinux_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file)
1962{
1963	u32 sid = task_sid(to);
1964	struct file_security_struct *fsec = file->f_security;
1965	struct inode *inode = file->f_path.dentry->d_inode;
1966	struct inode_security_struct *isec = inode->i_security;
1967	struct common_audit_data ad;
1968	int rc;
1969
1970	ad.type = LSM_AUDIT_DATA_PATH;
1971	ad.u.path = file->f_path;
1972
1973	if (sid != fsec->sid) {
1974		rc = avc_has_perm(sid, fsec->sid,
1975				  SECCLASS_FD,
1976				  FD__USE,
1977				  &ad);
1978		if (rc)
1979			return rc;
1980	}
1981
1982	if (unlikely(IS_PRIVATE(inode)))
1983		return 0;
1984
1985	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
1986			    &ad);
1987}
1988
1989static int selinux_ptrace_access_check(struct task_struct *child,
1990				     unsigned int mode)
1991{
1992	int rc;
1993
1994	rc = cap_ptrace_access_check(child, mode);
1995	if (rc)
1996		return rc;
1997
1998	if (mode & PTRACE_MODE_READ) {
1999		u32 sid = current_sid();
2000		u32 csid = task_sid(child);
2001		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2002	}
2003
2004	return current_has_perm(child, PROCESS__PTRACE);
2005}
2006
2007static int selinux_ptrace_traceme(struct task_struct *parent)
2008{
2009	int rc;
2010
2011	rc = cap_ptrace_traceme(parent);
2012	if (rc)
2013		return rc;
2014
2015	return task_has_perm(parent, current, PROCESS__PTRACE);
2016}
2017
2018static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2019			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2020{
2021	int error;
2022
2023	error = current_has_perm(target, PROCESS__GETCAP);
2024	if (error)
2025		return error;
2026
2027	return cap_capget(target, effective, inheritable, permitted);
2028}
2029
2030static int selinux_capset(struct cred *new, const struct cred *old,
2031			  const kernel_cap_t *effective,
2032			  const kernel_cap_t *inheritable,
2033			  const kernel_cap_t *permitted)
2034{
2035	int error;
2036
2037	error = cap_capset(new, old,
2038				      effective, inheritable, permitted);
2039	if (error)
2040		return error;
2041
2042	return cred_has_perm(old, new, PROCESS__SETCAP);
2043}
2044
2045/*
2046 * (This comment used to live with the selinux_task_setuid hook,
2047 * which was removed).
2048 *
2049 * Since setuid only affects the current process, and since the SELinux
2050 * controls are not based on the Linux identity attributes, SELinux does not
2051 * need to control this operation.  However, SELinux does control the use of
2052 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2053 */
2054
2055static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2056			   int cap, int audit)
2057{
2058	int rc;
2059
2060	rc = cap_capable(cred, ns, cap, audit);
2061	if (rc)
2062		return rc;
2063
2064	return cred_has_capability(cred, cap, audit);
2065}
2066
2067static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2068{
2069	const struct cred *cred = current_cred();
2070	int rc = 0;
2071
2072	if (!sb)
2073		return 0;
2074
2075	switch (cmds) {
2076	case Q_SYNC:
2077	case Q_QUOTAON:
2078	case Q_QUOTAOFF:
2079	case Q_SETINFO:
2080	case Q_SETQUOTA:
2081		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2082		break;
2083	case Q_GETFMT:
2084	case Q_GETINFO:
2085	case Q_GETQUOTA:
2086		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2087		break;
2088	default:
2089		rc = 0;  /* let the kernel handle invalid cmds */
2090		break;
2091	}
2092	return rc;
2093}
2094
2095static int selinux_quota_on(struct dentry *dentry)
2096{
2097	const struct cred *cred = current_cred();
2098
2099	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2100}
2101
2102static int selinux_syslog(int type)
2103{
2104	int rc;
2105
2106	switch (type) {
2107	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2108	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2109		rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2110		break;
2111	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2112	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2113	/* Set level of messages printed to console */
2114	case SYSLOG_ACTION_CONSOLE_LEVEL:
2115		rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2116		break;
2117	case SYSLOG_ACTION_CLOSE:	/* Close log */
2118	case SYSLOG_ACTION_OPEN:	/* Open log */
2119	case SYSLOG_ACTION_READ:	/* Read from log */
2120	case SYSLOG_ACTION_READ_CLEAR:	/* Read/clear last kernel messages */
2121	case SYSLOG_ACTION_CLEAR:	/* Clear ring buffer */
2122	default:
2123		rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2124		break;
2125	}
2126	return rc;
2127}
2128
2129/*
2130 * Check that a process has enough memory to allocate a new virtual
2131 * mapping. 0 means there is enough memory for the allocation to
2132 * succeed and -ENOMEM implies there is not.
2133 *
2134 * Do not audit the selinux permission check, as this is applied to all
2135 * processes that allocate mappings.
2136 */
2137static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2138{
2139	int rc, cap_sys_admin = 0;
2140
2141	rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2142			     SECURITY_CAP_NOAUDIT);
2143	if (rc == 0)
2144		cap_sys_admin = 1;
2145
2146	return __vm_enough_memory(mm, pages, cap_sys_admin);
2147}
2148
2149/* binprm security operations */
2150
2151static int check_nnp_nosuid(const struct linux_binprm *bprm,
2152			    const struct task_security_struct *old_tsec,
2153			    const struct task_security_struct *new_tsec)
2154{
2155	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2156	int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2157	int rc;
2158
2159	if (!nnp && !nosuid)
2160		return 0; /* neither NNP nor nosuid */
2161
2162	if (new_tsec->sid == old_tsec->sid)
2163		return 0; /* No change in credentials */
2164
2165	/*
2166	 * The only transitions we permit under NNP or nosuid
2167	 * are transitions to bounded SIDs, i.e. SIDs that are
2168	 * guaranteed to only be allowed a subset of the permissions
2169	 * of the current SID.
2170	 */
2171	rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2172	if (rc) {
2173		/*
2174		 * On failure, preserve the errno values for NNP vs nosuid.
2175		 * NNP:  Operation not permitted for caller.
2176		 * nosuid:  Permission denied to file.
2177		 */
2178		if (nnp)
2179			return -EPERM;
2180		else
2181			return -EACCES;
2182	}
2183	return 0;
2184}
2185
2186static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2187{
2188	const struct task_security_struct *old_tsec;
2189	struct task_security_struct *new_tsec;
2190	struct inode_security_struct *isec;
2191	struct common_audit_data ad;
2192	struct inode *inode = file_inode(bprm->file);
2193	int rc;
2194
2195	rc = cap_bprm_set_creds(bprm);
2196	if (rc)
2197		return rc;
2198
2199	/* SELinux context only depends on initial program or script and not
2200	 * the script interpreter */
2201	if (bprm->cred_prepared)
2202		return 0;
2203
2204	old_tsec = current_security();
2205	new_tsec = bprm->cred->security;
2206	isec = inode->i_security;
2207
2208	/* Default to the current task SID. */
2209	new_tsec->sid = old_tsec->sid;
2210	new_tsec->osid = old_tsec->sid;
2211
2212	/* Reset fs, key, and sock SIDs on execve. */
2213	new_tsec->create_sid = 0;
2214	new_tsec->keycreate_sid = 0;
2215	new_tsec->sockcreate_sid = 0;
2216
2217	if (old_tsec->exec_sid) {
2218		new_tsec->sid = old_tsec->exec_sid;
2219		/* Reset exec SID on execve. */
2220		new_tsec->exec_sid = 0;
2221
2222		/* Fail on NNP or nosuid if not an allowed transition. */
2223		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2224		if (rc)
2225			return rc;
2226	} else {
2227		/* Check for a default transition on this program. */
2228		rc = security_transition_sid(old_tsec->sid, isec->sid,
2229					     SECCLASS_PROCESS, NULL,
2230					     &new_tsec->sid);
2231		if (rc)
2232			return rc;
2233
2234		/*
2235		 * Fallback to old SID on NNP or nosuid if not an allowed
2236		 * transition.
2237		 */
2238		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2239		if (rc)
2240			new_tsec->sid = old_tsec->sid;
2241	}
2242
2243	ad.type = LSM_AUDIT_DATA_PATH;
2244	ad.u.path = bprm->file->f_path;
2245
2246	if (new_tsec->sid == old_tsec->sid) {
2247		rc = avc_has_perm(old_tsec->sid, isec->sid,
2248				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2249		if (rc)
2250			return rc;
2251	} else {
2252		/* Check permissions for the transition. */
2253		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2254				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2255		if (rc)
2256			return rc;
2257
2258		rc = avc_has_perm(new_tsec->sid, isec->sid,
2259				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2260		if (rc)
2261			return rc;
2262
2263		/* Check for shared state */
2264		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2265			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2266					  SECCLASS_PROCESS, PROCESS__SHARE,
2267					  NULL);
2268			if (rc)
2269				return -EPERM;
2270		}
2271
2272		/* Make sure that anyone attempting to ptrace over a task that
2273		 * changes its SID has the appropriate permit */
2274		if (bprm->unsafe &
2275		    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2276			struct task_struct *tracer;
2277			struct task_security_struct *sec;
2278			u32 ptsid = 0;
2279
2280			rcu_read_lock();
2281			tracer = ptrace_parent(current);
2282			if (likely(tracer != NULL)) {
2283				sec = __task_cred(tracer)->security;
2284				ptsid = sec->sid;
2285			}
2286			rcu_read_unlock();
2287
2288			if (ptsid != 0) {
2289				rc = avc_has_perm(ptsid, new_tsec->sid,
2290						  SECCLASS_PROCESS,
2291						  PROCESS__PTRACE, NULL);
2292				if (rc)
2293					return -EPERM;
2294			}
2295		}
2296
2297		/* Clear any possibly unsafe personality bits on exec: */
2298		bprm->per_clear |= PER_CLEAR_ON_SETID;
2299	}
2300
2301	return 0;
2302}
2303
2304static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2305{
2306	const struct task_security_struct *tsec = current_security();
2307	u32 sid, osid;
2308	int atsecure = 0;
2309
2310	sid = tsec->sid;
2311	osid = tsec->osid;
2312
2313	if (osid != sid) {
2314		/* Enable secure mode for SIDs transitions unless
2315		   the noatsecure permission is granted between
2316		   the two SIDs, i.e. ahp returns 0. */
2317		atsecure = avc_has_perm(osid, sid,
2318					SECCLASS_PROCESS,
2319					PROCESS__NOATSECURE, NULL);
2320	}
2321
2322	return (atsecure || cap_bprm_secureexec(bprm));
2323}
2324
2325static int match_file(const void *p, struct file *file, unsigned fd)
2326{
2327	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2328}
2329
2330/* Derived from fs/exec.c:flush_old_files. */
2331static inline void flush_unauthorized_files(const struct cred *cred,
2332					    struct files_struct *files)
2333{
2334	struct file *file, *devnull = NULL;
2335	struct tty_struct *tty;
2336	int drop_tty = 0;
2337	unsigned n;
2338
2339	tty = get_current_tty();
2340	if (tty) {
2341		spin_lock(&tty_files_lock);
2342		if (!list_empty(&tty->tty_files)) {
2343			struct tty_file_private *file_priv;
2344
2345			/* Revalidate access to controlling tty.
2346			   Use file_path_has_perm on the tty path directly
2347			   rather than using file_has_perm, as this particular
2348			   open file may belong to another process and we are
2349			   only interested in the inode-based check here. */
2350			file_priv = list_first_entry(&tty->tty_files,
2351						struct tty_file_private, list);
2352			file = file_priv->file;
2353			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2354				drop_tty = 1;
2355		}
2356		spin_unlock(&tty_files_lock);
2357		tty_kref_put(tty);
2358	}
2359	/* Reset controlling tty. */
2360	if (drop_tty)
2361		no_tty();
2362
2363	/* Revalidate access to inherited open files. */
2364	n = iterate_fd(files, 0, match_file, cred);
2365	if (!n) /* none found? */
2366		return;
2367
2368	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2369	if (IS_ERR(devnull))
2370		devnull = NULL;
2371	/* replace all the matching ones with this */
2372	do {
2373		replace_fd(n - 1, devnull, 0);
2374	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2375	if (devnull)
2376		fput(devnull);
2377}
2378
2379/*
2380 * Prepare a process for imminent new credential changes due to exec
2381 */
2382static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2383{
2384	struct task_security_struct *new_tsec;
2385	struct rlimit *rlim, *initrlim;
2386	int rc, i;
2387
2388	new_tsec = bprm->cred->security;
2389	if (new_tsec->sid == new_tsec->osid)
2390		return;
2391
2392	/* Close files for which the new task SID is not authorized. */
2393	flush_unauthorized_files(bprm->cred, current->files);
2394
2395	/* Always clear parent death signal on SID transitions. */
2396	current->pdeath_signal = 0;
2397
2398	/* Check whether the new SID can inherit resource limits from the old
2399	 * SID.  If not, reset all soft limits to the lower of the current
2400	 * task's hard limit and the init task's soft limit.
2401	 *
2402	 * Note that the setting of hard limits (even to lower them) can be
2403	 * controlled by the setrlimit check.  The inclusion of the init task's
2404	 * soft limit into the computation is to avoid resetting soft limits
2405	 * higher than the default soft limit for cases where the default is
2406	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2407	 */
2408	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2409			  PROCESS__RLIMITINH, NULL);
2410	if (rc) {
2411		/* protect against do_prlimit() */
2412		task_lock(current);
2413		for (i = 0; i < RLIM_NLIMITS; i++) {
2414			rlim = current->signal->rlim + i;
2415			initrlim = init_task.signal->rlim + i;
2416			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2417		}
2418		task_unlock(current);
2419		update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2420	}
2421}
2422
2423/*
2424 * Clean up the process immediately after the installation of new credentials
2425 * due to exec
2426 */
2427static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2428{
2429	const struct task_security_struct *tsec = current_security();
2430	struct itimerval itimer;
2431	u32 osid, sid;
2432	int rc, i;
2433
2434	osid = tsec->osid;
2435	sid = tsec->sid;
2436
2437	if (sid == osid)
2438		return;
2439
2440	/* Check whether the new SID can inherit signal state from the old SID.
2441	 * If not, clear itimers to avoid subsequent signal generation and
2442	 * flush and unblock signals.
2443	 *
2444	 * This must occur _after_ the task SID has been updated so that any
2445	 * kill done after the flush will be checked against the new SID.
2446	 */
2447	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2448	if (rc) {
2449		memset(&itimer, 0, sizeof itimer);
2450		for (i = 0; i < 3; i++)
2451			do_setitimer(i, &itimer, NULL);
2452		spin_lock_irq(&current->sighand->siglock);
2453		if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2454			__flush_signals(current);
2455			flush_signal_handlers(current, 1);
2456			sigemptyset(&current->blocked);
2457		}
2458		spin_unlock_irq(&current->sighand->siglock);
2459	}
2460
2461	/* Wake up the parent if it is waiting so that it can recheck
2462	 * wait permission to the new task SID. */
2463	read_lock(&tasklist_lock);
2464	__wake_up_parent(current, current->real_parent);
2465	read_unlock(&tasklist_lock);
2466}
2467
2468/* superblock security operations */
2469
2470static int selinux_sb_alloc_security(struct super_block *sb)
2471{
2472	return superblock_alloc_security(sb);
2473}
2474
2475static void selinux_sb_free_security(struct super_block *sb)
2476{
2477	superblock_free_security(sb);
2478}
2479
2480static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2481{
2482	if (plen > olen)
2483		return 0;
2484
2485	return !memcmp(prefix, option, plen);
2486}
2487
2488static inline int selinux_option(char *option, int len)
2489{
2490	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2491		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2492		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2493		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2494		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2495}
2496
2497static inline void take_option(char **to, char *from, int *first, int len)
2498{
2499	if (!*first) {
2500		**to = ',';
2501		*to += 1;
2502	} else
2503		*first = 0;
2504	memcpy(*to, from, len);
2505	*to += len;
2506}
2507
2508static inline void take_selinux_option(char **to, char *from, int *first,
2509				       int len)
2510{
2511	int current_size = 0;
2512
2513	if (!*first) {
2514		**to = '|';
2515		*to += 1;
2516	} else
2517		*first = 0;
2518
2519	while (current_size < len) {
2520		if (*from != '"') {
2521			**to = *from;
2522			*to += 1;
2523		}
2524		from += 1;
2525		current_size += 1;
2526	}
2527}
2528
2529static int selinux_sb_copy_data(char *orig, char *copy)
2530{
2531	int fnosec, fsec, rc = 0;
2532	char *in_save, *in_curr, *in_end;
2533	char *sec_curr, *nosec_save, *nosec;
2534	int open_quote = 0;
2535
2536	in_curr = orig;
2537	sec_curr = copy;
2538
2539	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2540	if (!nosec) {
2541		rc = -ENOMEM;
2542		goto out;
2543	}
2544
2545	nosec_save = nosec;
2546	fnosec = fsec = 1;
2547	in_save = in_end = orig;
2548
2549	do {
2550		if (*in_end == '"')
2551			open_quote = !open_quote;
2552		if ((*in_end == ',' && open_quote == 0) ||
2553				*in_end == '\0') {
2554			int len = in_end - in_curr;
2555
2556			if (selinux_option(in_curr, len))
2557				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2558			else
2559				take_option(&nosec, in_curr, &fnosec, len);
2560
2561			in_curr = in_end + 1;
2562		}
2563	} while (*in_end++);
2564
2565	strcpy(in_save, nosec_save);
2566	free_page((unsigned long)nosec_save);
2567out:
2568	return rc;
2569}
2570
2571static int selinux_sb_remount(struct super_block *sb, void *data)
2572{
2573	int rc, i, *flags;
2574	struct security_mnt_opts opts;
2575	char *secdata, **mount_options;
2576	struct superblock_security_struct *sbsec = sb->s_security;
2577
2578	if (!(sbsec->flags & SE_SBINITIALIZED))
2579		return 0;
2580
2581	if (!data)
2582		return 0;
2583
2584	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2585		return 0;
2586
2587	security_init_mnt_opts(&opts);
2588	secdata = alloc_secdata();
2589	if (!secdata)
2590		return -ENOMEM;
2591	rc = selinux_sb_copy_data(data, secdata);
2592	if (rc)
2593		goto out_free_secdata;
2594
2595	rc = selinux_parse_opts_str(secdata, &opts);
2596	if (rc)
2597		goto out_free_secdata;
2598
2599	mount_options = opts.mnt_opts;
2600	flags = opts.mnt_opts_flags;
2601
2602	for (i = 0; i < opts.num_mnt_opts; i++) {
2603		u32 sid;
2604		size_t len;
2605
2606		if (flags[i] == SBLABEL_MNT)
2607			continue;
2608		len = strlen(mount_options[i]);
2609		rc = security_context_to_sid(mount_options[i], len, &sid,
2610					     GFP_KERNEL);
2611		if (rc) {
2612			printk(KERN_WARNING "SELinux: security_context_to_sid"
2613			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2614			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2615			goto out_free_opts;
2616		}
2617		rc = -EINVAL;
2618		switch (flags[i]) {
2619		case FSCONTEXT_MNT:
2620			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2621				goto out_bad_option;
2622			break;
2623		case CONTEXT_MNT:
2624			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2625				goto out_bad_option;
2626			break;
2627		case ROOTCONTEXT_MNT: {
2628			struct inode_security_struct *root_isec;
2629			root_isec = sb->s_root->d_inode->i_security;
2630
2631			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2632				goto out_bad_option;
2633			break;
2634		}
2635		case DEFCONTEXT_MNT:
2636			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2637				goto out_bad_option;
2638			break;
2639		default:
2640			goto out_free_opts;
2641		}
2642	}
2643
2644	rc = 0;
2645out_free_opts:
2646	security_free_mnt_opts(&opts);
2647out_free_secdata:
2648	free_secdata(secdata);
2649	return rc;
2650out_bad_option:
2651	printk(KERN_WARNING "SELinux: unable to change security options "
2652	       "during remount (dev %s, type=%s)\n", sb->s_id,
2653	       sb->s_type->name);
2654	goto out_free_opts;
2655}
2656
2657static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2658{
2659	const struct cred *cred = current_cred();
2660	struct common_audit_data ad;
2661	int rc;
2662
2663	rc = superblock_doinit(sb, data);
2664	if (rc)
2665		return rc;
2666
2667	/* Allow all mounts performed by the kernel */
2668	if (flags & MS_KERNMOUNT)
2669		return 0;
2670
2671	ad.type = LSM_AUDIT_DATA_DENTRY;
2672	ad.u.dentry = sb->s_root;
2673	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2674}
2675
2676static int selinux_sb_statfs(struct dentry *dentry)
2677{
2678	const struct cred *cred = current_cred();
2679	struct common_audit_data ad;
2680
2681	ad.type = LSM_AUDIT_DATA_DENTRY;
2682	ad.u.dentry = dentry->d_sb->s_root;
2683	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2684}
2685
2686static int selinux_mount(const char *dev_name,
2687			 struct path *path,
2688			 const char *type,
2689			 unsigned long flags,
2690			 void *data)
2691{
2692	const struct cred *cred = current_cred();
2693
2694	if (flags & MS_REMOUNT)
2695		return superblock_has_perm(cred, path->dentry->d_sb,
2696					   FILESYSTEM__REMOUNT, NULL);
2697	else
2698		return path_has_perm(cred, path, FILE__MOUNTON);
2699}
2700
2701static int selinux_umount(struct vfsmount *mnt, int flags)
2702{
2703	const struct cred *cred = current_cred();
2704
2705	return superblock_has_perm(cred, mnt->mnt_sb,
2706				   FILESYSTEM__UNMOUNT, NULL);
2707}
2708
2709/* inode security operations */
2710
2711static int selinux_inode_alloc_security(struct inode *inode)
2712{
2713	return inode_alloc_security(inode);
2714}
2715
2716static void selinux_inode_free_security(struct inode *inode)
2717{
2718	inode_free_security(inode);
2719}
2720
2721static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2722					struct qstr *name, void **ctx,
2723					u32 *ctxlen)
2724{
2725	const struct cred *cred = current_cred();
2726	struct task_security_struct *tsec;
2727	struct inode_security_struct *dsec;
2728	struct superblock_security_struct *sbsec;
2729	struct inode *dir = dentry->d_parent->d_inode;
2730	u32 newsid;
2731	int rc;
2732
2733	tsec = cred->security;
2734	dsec = dir->i_security;
2735	sbsec = dir->i_sb->s_security;
2736
2737	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2738		newsid = tsec->create_sid;
2739	} else {
2740		rc = security_transition_sid(tsec->sid, dsec->sid,
2741					     inode_mode_to_security_class(mode),
2742					     name,
2743					     &newsid);
2744		if (rc) {
2745			printk(KERN_WARNING
2746				"%s: security_transition_sid failed, rc=%d\n",
2747			       __func__, -rc);
2748			return rc;
2749		}
2750	}
2751
2752	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2753}
2754
2755static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2756				       const struct qstr *qstr,
2757				       const char **name,
2758				       void **value, size_t *len)
2759{
2760	const struct task_security_struct *tsec = current_security();
2761	struct inode_security_struct *dsec;
2762	struct superblock_security_struct *sbsec;
2763	u32 sid, newsid, clen;
2764	int rc;
2765	char *context;
2766
2767	dsec = dir->i_security;
2768	sbsec = dir->i_sb->s_security;
2769
2770	sid = tsec->sid;
2771	newsid = tsec->create_sid;
2772
2773	if ((sbsec->flags & SE_SBINITIALIZED) &&
2774	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2775		newsid = sbsec->mntpoint_sid;
2776	else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2777		rc = security_transition_sid(sid, dsec->sid,
2778					     inode_mode_to_security_class(inode->i_mode),
2779					     qstr, &newsid);
2780		if (rc) {
2781			printk(KERN_WARNING "%s:  "
2782			       "security_transition_sid failed, rc=%d (dev=%s "
2783			       "ino=%ld)\n",
2784			       __func__,
2785			       -rc, inode->i_sb->s_id, inode->i_ino);
2786			return rc;
2787		}
2788	}
2789
2790	/* Possibly defer initialization to selinux_complete_init. */
2791	if (sbsec->flags & SE_SBINITIALIZED) {
2792		struct inode_security_struct *isec = inode->i_security;
2793		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2794		isec->sid = newsid;
2795		isec->initialized = 1;
2796	}
2797
2798	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2799		return -EOPNOTSUPP;
2800
2801	if (name)
2802		*name = XATTR_SELINUX_SUFFIX;
2803
2804	if (value && len) {
2805		rc = security_sid_to_context_force(newsid, &context, &clen);
2806		if (rc)
2807			return rc;
2808		*value = context;
2809		*len = clen;
2810	}
2811
2812	return 0;
2813}
2814
2815static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2816{
2817	return may_create(dir, dentry, SECCLASS_FILE);
2818}
2819
2820static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2821{
2822	return may_link(dir, old_dentry, MAY_LINK);
2823}
2824
2825static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2826{
2827	return may_link(dir, dentry, MAY_UNLINK);
2828}
2829
2830static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2831{
2832	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2833}
2834
2835static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2836{
2837	return may_create(dir, dentry, SECCLASS_DIR);
2838}
2839
2840static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2841{
2842	return may_link(dir, dentry, MAY_RMDIR);
2843}
2844
2845static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2846{
2847	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2848}
2849
2850static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2851				struct inode *new_inode, struct dentry *new_dentry)
2852{
2853	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2854}
2855
2856static int selinux_inode_readlink(struct dentry *dentry)
2857{
2858	const struct cred *cred = current_cred();
2859
2860	return dentry_has_perm(cred, dentry, FILE__READ);
2861}
2862
2863static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2864{
2865	const struct cred *cred = current_cred();
2866
2867	return dentry_has_perm(cred, dentry, FILE__READ);
2868}
2869
2870static noinline int audit_inode_permission(struct inode *inode,
2871					   u32 perms, u32 audited, u32 denied,
2872					   int result,
2873					   unsigned flags)
2874{
2875	struct common_audit_data ad;
2876	struct inode_security_struct *isec = inode->i_security;
2877	int rc;
2878
2879	ad.type = LSM_AUDIT_DATA_INODE;
2880	ad.u.inode = inode;
2881
2882	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2883			    audited, denied, result, &ad, flags);
2884	if (rc)
2885		return rc;
2886	return 0;
2887}
2888
2889static int selinux_inode_permission(struct inode *inode, int mask)
2890{
2891	const struct cred *cred = current_cred();
2892	u32 perms;
2893	bool from_access;
2894	unsigned flags = mask & MAY_NOT_BLOCK;
2895	struct inode_security_struct *isec;
2896	u32 sid;
2897	struct av_decision avd;
2898	int rc, rc2;
2899	u32 audited, denied;
2900
2901	from_access = mask & MAY_ACCESS;
2902	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2903
2904	/* No permission to check.  Existence test. */
2905	if (!mask)
2906		return 0;
2907
2908	validate_creds(cred);
2909
2910	if (unlikely(IS_PRIVATE(inode)))
2911		return 0;
2912
2913	perms = file_mask_to_av(inode->i_mode, mask);
2914
2915	sid = cred_sid(cred);
2916	isec = inode->i_security;
2917
2918	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2919	audited = avc_audit_required(perms, &avd, rc,
2920				     from_access ? FILE__AUDIT_ACCESS : 0,
2921				     &denied);
2922	if (likely(!audited))
2923		return rc;
2924
2925	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2926	if (rc2)
2927		return rc2;
2928	return rc;
2929}
2930
2931static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2932{
2933	const struct cred *cred = current_cred();
2934	unsigned int ia_valid = iattr->ia_valid;
2935	__u32 av = FILE__WRITE;
2936
2937	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2938	if (ia_valid & ATTR_FORCE) {
2939		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2940			      ATTR_FORCE);
2941		if (!ia_valid)
2942			return 0;
2943	}
2944
2945	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2946			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2947		return dentry_has_perm(cred, dentry, FILE__SETATTR);
2948
2949	if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
2950			&& !(ia_valid & ATTR_FILE))
2951		av |= FILE__OPEN;
2952
2953	return dentry_has_perm(cred, dentry, av);
2954}
2955
2956static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2957{
2958	const struct cred *cred = current_cred();
2959	struct path path;
2960
2961	path.dentry = dentry;
2962	path.mnt = mnt;
2963
2964	return path_has_perm(cred, &path, FILE__GETATTR);
2965}
2966
2967static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2968{
2969	const struct cred *cred = current_cred();
2970
2971	if (!strncmp(name, XATTR_SECURITY_PREFIX,
2972		     sizeof XATTR_SECURITY_PREFIX - 1)) {
2973		if (!strcmp(name, XATTR_NAME_CAPS)) {
2974			if (!capable(CAP_SETFCAP))
2975				return -EPERM;
2976		} else if (!capable(CAP_SYS_ADMIN)) {
2977			/* A different attribute in the security namespace.
2978			   Restrict to administrator. */
2979			return -EPERM;
2980		}
2981	}
2982
2983	/* Not an attribute we recognize, so just check the
2984	   ordinary setattr permission. */
2985	return dentry_has_perm(cred, dentry, FILE__SETATTR);
2986}
2987
2988static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2989				  const void *value, size_t size, int flags)
2990{
2991	struct inode *inode = dentry->d_inode;
2992	struct inode_security_struct *isec = inode->i_security;
2993	struct superblock_security_struct *sbsec;
2994	struct common_audit_data ad;
2995	u32 newsid, sid = current_sid();
2996	int rc = 0;
2997
2998	if (strcmp(name, XATTR_NAME_SELINUX))
2999		return selinux_inode_setotherxattr(dentry, name);
3000
3001	sbsec = inode->i_sb->s_security;
3002	if (!(sbsec->flags & SBLABEL_MNT))
3003		return -EOPNOTSUPP;
3004
3005	if (!inode_owner_or_capable(inode))
3006		return -EPERM;
3007
3008	ad.type = LSM_AUDIT_DATA_DENTRY;
3009	ad.u.dentry = dentry;
3010
3011	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3012			  FILE__RELABELFROM, &ad);
3013	if (rc)
3014		return rc;
3015
3016	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3017	if (rc == -EINVAL) {
3018		if (!capable(CAP_MAC_ADMIN)) {
3019			struct audit_buffer *ab;
3020			size_t audit_size;
3021			const char *str;
3022
3023			/* We strip a nul only if it is at the end, otherwise the
3024			 * context contains a nul and we should audit that */
3025			if (value) {
3026				str = value;
3027				if (str[size - 1] == '\0')
3028					audit_size = size - 1;
3029				else
3030					audit_size = size;
3031			} else {
3032				str = "";
3033				audit_size = 0;
3034			}
3035			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3036			audit_log_format(ab, "op=setxattr invalid_context=");
3037			audit_log_n_untrustedstring(ab, value, audit_size);
3038			audit_log_end(ab);
3039
3040			return rc;
3041		}
3042		rc = security_context_to_sid_force(value, size, &newsid);
3043	}
3044	if (rc)
3045		return rc;
3046
3047	rc = avc_has_perm(sid, newsid, isec->sclass,
3048			  FILE__RELABELTO, &ad);
3049	if (rc)
3050		return rc;
3051
3052	rc = security_validate_transition(isec->sid, newsid, sid,
3053					  isec->sclass);
3054	if (rc)
3055		return rc;
3056
3057	return avc_has_perm(newsid,
3058			    sbsec->sid,
3059			    SECCLASS_FILESYSTEM,
3060			    FILESYSTEM__ASSOCIATE,
3061			    &ad);
3062}
3063
3064static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3065					const void *value, size_t size,
3066					int flags)
3067{
3068	struct inode *inode = dentry->d_inode;
3069	struct inode_security_struct *isec = inode->i_security;
3070	u32 newsid;
3071	int rc;
3072
3073	if (strcmp(name, XATTR_NAME_SELINUX)) {
3074		/* Not an attribute we recognize, so nothing to do. */
3075		return;
3076	}
3077
3078	rc = security_context_to_sid_force(value, size, &newsid);
3079	if (rc) {
3080		printk(KERN_ERR "SELinux:  unable to map context to SID"
3081		       "for (%s, %lu), rc=%d\n",
3082		       inode->i_sb->s_id, inode->i_ino, -rc);
3083		return;
3084	}
3085
3086	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3087	isec->sid = newsid;
3088	isec->initialized = 1;
3089
3090	return;
3091}
3092
3093static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3094{
3095	const struct cred *cred = current_cred();
3096
3097	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3098}
3099
3100static int selinux_inode_listxattr(struct dentry *dentry)
3101{
3102	const struct cred *cred = current_cred();
3103
3104	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3105}
3106
3107static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3108{
3109	if (strcmp(name, XATTR_NAME_SELINUX))
3110		return selinux_inode_setotherxattr(dentry, name);
3111
3112	/* No one is allowed to remove a SELinux security label.
3113	   You can change the label, but all data must be labeled. */
3114	return -EACCES;
3115}
3116
3117/*
3118 * Copy the inode security context value to the user.
3119 *
3120 * Permission check is handled by selinux_inode_getxattr hook.
3121 */
3122static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3123{
3124	u32 size;
3125	int error;
3126	char *context = NULL;
3127	struct inode_security_struct *isec = inode->i_security;
3128
3129	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3130		return -EOPNOTSUPP;
3131
3132	/*
3133	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3134	 * value even if it is not defined by current policy; otherwise,
3135	 * use the in-core value under current policy.
3136	 * Use the non-auditing forms of the permission checks since
3137	 * getxattr may be called by unprivileged processes commonly
3138	 * and lack of permission just means that we fall back to the
3139	 * in-core context value, not a denial.
3140	 */
3141	error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3142				SECURITY_CAP_NOAUDIT);
3143	if (!error)
3144		error = security_sid_to_context_force(isec->sid, &context,
3145						      &size);
3146	else
3147		error = security_sid_to_context(isec->sid, &context, &size);
3148	if (error)
3149		return error;
3150	error = size;
3151	if (alloc) {
3152		*buffer = context;
3153		goto out_nofree;
3154	}
3155	kfree(context);
3156out_nofree:
3157	return error;
3158}
3159
3160static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3161				     const void *value, size_t size, int flags)
3162{
3163	struct inode_security_struct *isec = inode->i_security;
3164	u32 newsid;
3165	int rc;
3166
3167	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3168		return -EOPNOTSUPP;
3169
3170	if (!value || !size)
3171		return -EACCES;
3172
3173	rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3174	if (rc)
3175		return rc;
3176
3177	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3178	isec->sid = newsid;
3179	isec->initialized = 1;
3180	return 0;
3181}
3182
3183static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3184{
3185	const int len = sizeof(XATTR_NAME_SELINUX);
3186	if (buffer && len <= buffer_size)
3187		memcpy(buffer, XATTR_NAME_SELINUX, len);
3188	return len;
3189}
3190
3191static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3192{
3193	struct inode_security_struct *isec = inode->i_security;
3194	*secid = isec->sid;
3195}
3196
3197/* file security operations */
3198
3199static int selinux_revalidate_file_permission(struct file *file, int mask)
3200{
3201	const struct cred *cred = current_cred();
3202	struct inode *inode = file_inode(file);
3203
3204	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3205	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3206		mask |= MAY_APPEND;
3207
3208	return file_has_perm(cred, file,
3209			     file_mask_to_av(inode->i_mode, mask));
3210}
3211
3212static int selinux_file_permission(struct file *file, int mask)
3213{
3214	struct inode *inode = file_inode(file);
3215	struct file_security_struct *fsec = file->f_security;
3216	struct inode_security_struct *isec = inode->i_security;
3217	u32 sid = current_sid();
3218
3219	if (!mask)
3220		/* No permission to check.  Existence test. */
3221		return 0;
3222
3223	if (sid == fsec->sid && fsec->isid == isec->sid &&
3224	    fsec->pseqno == avc_policy_seqno())
3225		/* No change since file_open check. */
3226		return 0;
3227
3228	return selinux_revalidate_file_permission(file, mask);
3229}
3230
3231static int selinux_file_alloc_security(struct file *file)
3232{
3233	return file_alloc_security(file);
3234}
3235
3236static void selinux_file_free_security(struct file *file)
3237{
3238	file_free_security(file);
3239}
3240
3241/*
3242 * Check whether a task has the ioctl permission and cmd
3243 * operation to an inode.
3244 */
3245int ioctl_has_perm(const struct cred *cred, struct file *file,
3246		u32 requested, u16 cmd)
3247{
3248	struct common_audit_data ad;
3249	struct file_security_struct *fsec = file->f_security;
3250	struct inode *inode = file_inode(file);
3251	struct inode_security_struct *isec = inode->i_security;
3252	struct lsm_ioctlop_audit ioctl;
3253	u32 ssid = cred_sid(cred);
3254	int rc;
3255
3256	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3257	ad.u.op = &ioctl;
3258	ad.u.op->cmd = cmd;
3259	ad.u.op->path = file->f_path;
3260
3261	if (ssid != fsec->sid) {
3262		rc = avc_has_perm(ssid, fsec->sid,
3263				SECCLASS_FD,
3264				FD__USE,
3265				&ad);
3266		if (rc)
3267			goto out;
3268	}
3269
3270	if (unlikely(IS_PRIVATE(inode)))
3271		return 0;
3272
3273	rc = avc_has_operation(ssid, isec->sid, isec->sclass,
3274			requested, cmd, &ad);
3275out:
3276	return rc;
3277}
3278
3279static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3280			      unsigned long arg)
3281{
3282	const struct cred *cred = current_cred();
3283	int error = 0;
3284
3285	switch (cmd) {
3286	case FIONREAD:
3287	/* fall through */
3288	case FIBMAP:
3289	/* fall through */
3290	case FIGETBSZ:
3291	/* fall through */
3292	case FS_IOC_GETFLAGS:
3293	/* fall through */
3294	case FS_IOC_GETVERSION:
3295		error = file_has_perm(cred, file, FILE__GETATTR);
3296		break;
3297
3298	case FS_IOC_SETFLAGS:
3299	/* fall through */
3300	case FS_IOC_SETVERSION:
3301		error = file_has_perm(cred, file, FILE__SETATTR);
3302		break;
3303
3304	/* sys_ioctl() checks */
3305	case FIONBIO:
3306	/* fall through */
3307	case FIOASYNC:
3308		error = file_has_perm(cred, file, 0);
3309		break;
3310
3311	case KDSKBENT:
3312	case KDSKBSENT:
3313		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3314					    SECURITY_CAP_AUDIT);
3315		break;
3316
3317	/* default case assumes that the command will go
3318	 * to the file's ioctl() function.
3319	 */
3320	default:
3321		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3322	}
3323	return error;
3324}
3325
3326static int default_noexec;
3327
3328static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3329{
3330	const struct cred *cred = current_cred();
3331	int rc = 0;
3332
3333	if (default_noexec &&
3334	    (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3335		/*
3336		 * We are making executable an anonymous mapping or a
3337		 * private file mapping that will also be writable.
3338		 * This has an additional check.
3339		 */
3340		rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3341		if (rc)
3342			goto error;
3343	}
3344
3345	if (file) {
3346		/* read access is always possible with a mapping */
3347		u32 av = FILE__READ;
3348
3349		/* write access only matters if the mapping is shared */
3350		if (shared && (prot & PROT_WRITE))
3351			av |= FILE__WRITE;
3352
3353		if (prot & PROT_EXEC)
3354			av |= FILE__EXECUTE;
3355
3356		return file_has_perm(cred, file, av);
3357	}
3358
3359error:
3360	return rc;
3361}
3362
3363static int selinux_mmap_addr(unsigned long addr)
3364{
3365	int rc;
3366
3367	/* do DAC check on address space usage */
3368	rc = cap_mmap_addr(addr);
3369	if (rc)
3370		return rc;
3371
3372	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3373		u32 sid = current_sid();
3374		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3375				  MEMPROTECT__MMAP_ZERO, NULL);
3376	}
3377
3378	return rc;
3379}
3380
3381static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3382			     unsigned long prot, unsigned long flags)
3383{
3384	if (selinux_checkreqprot)
3385		prot = reqprot;
3386
3387	return file_map_prot_check(file, prot,
3388				   (flags & MAP_TYPE) == MAP_SHARED);
3389}
3390
3391static int selinux_file_mprotect(struct vm_area_struct *vma,
3392				 unsigned long reqprot,
3393				 unsigned long prot)
3394{
3395	const struct cred *cred = current_cred();
3396
3397	if (selinux_checkreqprot)
3398		prot = reqprot;
3399
3400	if (default_noexec &&
3401	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3402		int rc = 0;
3403		if (vma->vm_start >= vma->vm_mm->start_brk &&
3404		    vma->vm_end <= vma->vm_mm->brk) {
3405			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3406		} else if (!vma->vm_file &&
3407			   vma->vm_start <= vma->vm_mm->start_stack &&
3408			   vma->vm_end >= vma->vm_mm->start_stack) {
3409			rc = current_has_perm(current, PROCESS__EXECSTACK);
3410		} else if (vma->vm_file && vma->anon_vma) {
3411			/*
3412			 * We are making executable a file mapping that has
3413			 * had some COW done. Since pages might have been
3414			 * written, check ability to execute the possibly
3415			 * modified content.  This typically should only
3416			 * occur for text relocations.
3417			 */
3418			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3419		}
3420		if (rc)
3421			return rc;
3422	}
3423
3424	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3425}
3426
3427static int selinux_file_lock(struct file *file, unsigned int cmd)
3428{
3429	const struct cred *cred = current_cred();
3430
3431	return file_has_perm(cred, file, FILE__LOCK);
3432}
3433
3434static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3435			      unsigned long arg)
3436{
3437	const struct cred *cred = current_cred();
3438	int err = 0;
3439
3440	switch (cmd) {
3441	case F_SETFL:
3442		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3443			err = file_has_perm(cred, file, FILE__WRITE);
3444			break;
3445		}
3446		/* fall through */
3447	case F_SETOWN:
3448	case F_SETSIG:
3449	case F_GETFL:
3450	case F_GETOWN:
3451	case F_GETSIG:
3452	case F_GETOWNER_UIDS:
3453		/* Just check FD__USE permission */
3454		err = file_has_perm(cred, file, 0);
3455		break;
3456	case F_GETLK:
3457	case F_SETLK:
3458	case F_SETLKW:
3459	case F_OFD_GETLK:
3460	case F_OFD_SETLK:
3461	case F_OFD_SETLKW:
3462#if BITS_PER_LONG == 32
3463	case F_GETLK64:
3464	case F_SETLK64:
3465	case F_SETLKW64:
3466#endif
3467		err = file_has_perm(cred, file, FILE__LOCK);
3468		break;
3469	}
3470
3471	return err;
3472}
3473
3474static void selinux_file_set_fowner(struct file *file)
3475{
3476	struct file_security_struct *fsec;
3477
3478	fsec = file->f_security;
3479	fsec->fown_sid = current_sid();
3480}
3481
3482static int selinux_file_send_sigiotask(struct task_struct *tsk,
3483				       struct fown_struct *fown, int signum)
3484{
3485	struct file *file;
3486	u32 sid = task_sid(tsk);
3487	u32 perm;
3488	struct file_security_struct *fsec;
3489
3490	/* struct fown_struct is never outside the context of a struct file */
3491	file = container_of(fown, struct file, f_owner);
3492
3493	fsec = file->f_security;
3494
3495	if (!signum)
3496		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3497	else
3498		perm = signal_to_av(signum);
3499
3500	return avc_has_perm(fsec->fown_sid, sid,
3501			    SECCLASS_PROCESS, perm, NULL);
3502}
3503
3504static int selinux_file_receive(struct file *file)
3505{
3506	const struct cred *cred = current_cred();
3507
3508	return file_has_perm(cred, file, file_to_av(file));
3509}
3510
3511static int selinux_file_open(struct file *file, const struct cred *cred)
3512{
3513	struct file_security_struct *fsec;
3514	struct inode_security_struct *isec;
3515
3516	fsec = file->f_security;
3517	isec = file_inode(file)->i_security;
3518	/*
3519	 * Save inode label and policy sequence number
3520	 * at open-time so that selinux_file_permission
3521	 * can determine whether revalidation is necessary.
3522	 * Task label is already saved in the file security
3523	 * struct as its SID.
3524	 */
3525	fsec->isid = isec->sid;
3526	fsec->pseqno = avc_policy_seqno();
3527	/*
3528	 * Since the inode label or policy seqno may have changed
3529	 * between the selinux_inode_permission check and the saving
3530	 * of state above, recheck that access is still permitted.
3531	 * Otherwise, access might never be revalidated against the
3532	 * new inode label or new policy.
3533	 * This check is not redundant - do not remove.
3534	 */
3535	return file_path_has_perm(cred, file, open_file_to_av(file));
3536}
3537
3538/* task security operations */
3539
3540static int selinux_task_create(unsigned long clone_flags)
3541{
3542	return current_has_perm(current, PROCESS__FORK);
3543}
3544
3545/*
3546 * allocate the SELinux part of blank credentials
3547 */
3548static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3549{
3550	struct task_security_struct *tsec;
3551
3552	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3553	if (!tsec)
3554		return -ENOMEM;
3555
3556	cred->security = tsec;
3557	return 0;
3558}
3559
3560/*
3561 * detach and free the LSM part of a set of credentials
3562 */
3563static void selinux_cred_free(struct cred *cred)
3564{
3565	struct task_security_struct *tsec = cred->security;
3566
3567	/*
3568	 * cred->security == NULL if security_cred_alloc_blank() or
3569	 * security_prepare_creds() returned an error.
3570	 */
3571	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3572	cred->security = (void *) 0x7UL;
3573	kfree(tsec);
3574}
3575
3576/*
3577 * prepare a new set of credentials for modification
3578 */
3579static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3580				gfp_t gfp)
3581{
3582	const struct task_security_struct *old_tsec;
3583	struct task_security_struct *tsec;
3584
3585	old_tsec = old->security;
3586
3587	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3588	if (!tsec)
3589		return -ENOMEM;
3590
3591	new->security = tsec;
3592	return 0;
3593}
3594
3595/*
3596 * transfer the SELinux data to a blank set of creds
3597 */
3598static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3599{
3600	const struct task_security_struct *old_tsec = old->security;
3601	struct task_security_struct *tsec = new->security;
3602
3603	*tsec = *old_tsec;
3604}
3605
3606/*
3607 * set the security data for a kernel service
3608 * - all the creation contexts are set to unlabelled
3609 */
3610static int selinux_kernel_act_as(struct cred *new, u32 secid)
3611{
3612	struct task_security_struct *tsec = new->security;
3613	u32 sid = current_sid();
3614	int ret;
3615
3616	ret = avc_has_perm(sid, secid,
3617			   SECCLASS_KERNEL_SERVICE,
3618			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3619			   NULL);
3620	if (ret == 0) {
3621		tsec->sid = secid;
3622		tsec->create_sid = 0;
3623		tsec->keycreate_sid = 0;
3624		tsec->sockcreate_sid = 0;
3625	}
3626	return ret;
3627}
3628
3629/*
3630 * set the file creation context in a security record to the same as the
3631 * objective context of the specified inode
3632 */
3633static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3634{
3635	struct inode_security_struct *isec = inode->i_security;
3636	struct task_security_struct *tsec = new->security;
3637	u32 sid = current_sid();
3638	int ret;
3639
3640	ret = avc_has_perm(sid, isec->sid,
3641			   SECCLASS_KERNEL_SERVICE,
3642			   KERNEL_SERVICE__CREATE_FILES_AS,
3643			   NULL);
3644
3645	if (ret == 0)
3646		tsec->create_sid = isec->sid;
3647	return ret;
3648}
3649
3650static int selinux_kernel_module_request(char *kmod_name)
3651{
3652	u32 sid;
3653	struct common_audit_data ad;
3654
3655	sid = task_sid(current);
3656
3657	ad.type = LSM_AUDIT_DATA_KMOD;
3658	ad.u.kmod_name = kmod_name;
3659
3660	return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3661			    SYSTEM__MODULE_REQUEST, &ad);
3662}
3663
3664static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3665{
3666	return current_has_perm(p, PROCESS__SETPGID);
3667}
3668
3669static int selinux_task_getpgid(struct task_struct *p)
3670{
3671	return current_has_perm(p, PROCESS__GETPGID);
3672}
3673
3674static int selinux_task_getsid(struct task_struct *p)
3675{
3676	return current_has_perm(p, PROCESS__GETSESSION);
3677}
3678
3679static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3680{
3681	*secid = task_sid(p);
3682}
3683
3684static int selinux_task_setnice(struct task_struct *p, int nice)
3685{
3686	int rc;
3687
3688	rc = cap_task_setnice(p, nice);
3689	if (rc)
3690		return rc;
3691
3692	return current_has_perm(p, PROCESS__SETSCHED);
3693}
3694
3695static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3696{
3697	int rc;
3698
3699	rc = cap_task_setioprio(p, ioprio);
3700	if (rc)
3701		return rc;
3702
3703	return current_has_perm(p, PROCESS__SETSCHED);
3704}
3705
3706static int selinux_task_getioprio(struct task_struct *p)
3707{
3708	return current_has_perm(p, PROCESS__GETSCHED);
3709}
3710
3711static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3712		struct rlimit *new_rlim)
3713{
3714	struct rlimit *old_rlim = p->signal->rlim + resource;
3715
3716	/* Control the ability to change the hard limit (whether
3717	   lowering or raising it), so that the hard limit can
3718	   later be used as a safe reset point for the soft limit
3719	   upon context transitions.  See selinux_bprm_committing_creds. */
3720	if (old_rlim->rlim_max != new_rlim->rlim_max)
3721		return current_has_perm(p, PROCESS__SETRLIMIT);
3722
3723	return 0;
3724}
3725
3726static int selinux_task_setscheduler(struct task_struct *p)
3727{
3728	int rc;
3729
3730	rc = cap_task_setscheduler(p);
3731	if (rc)
3732		return rc;
3733
3734	return current_has_perm(p, PROCESS__SETSCHED);
3735}
3736
3737static int selinux_task_getscheduler(struct task_struct *p)
3738{
3739	return current_has_perm(p, PROCESS__GETSCHED);
3740}
3741
3742static int selinux_task_movememory(struct task_struct *p)
3743{
3744	return current_has_perm(p, PROCESS__SETSCHED);
3745}
3746
3747static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3748				int sig, u32 secid)
3749{
3750	u32 perm;
3751	int rc;
3752
3753	if (!sig)
3754		perm = PROCESS__SIGNULL; /* null signal; existence test */
3755	else
3756		perm = signal_to_av(sig);
3757	if (secid)
3758		rc = avc_has_perm(secid, task_sid(p),
3759				  SECCLASS_PROCESS, perm, NULL);
3760	else
3761		rc = current_has_perm(p, perm);
3762	return rc;
3763}
3764
3765static int selinux_task_wait(struct task_struct *p)
3766{
3767	return task_has_perm(p, current, PROCESS__SIGCHLD);
3768}
3769
3770static void selinux_task_to_inode(struct task_struct *p,
3771				  struct inode *inode)
3772{
3773	struct inode_security_struct *isec = inode->i_security;
3774	u32 sid = task_sid(p);
3775
3776	isec->sid = sid;
3777	isec->initialized = 1;
3778}
3779
3780/* Returns error only if unable to parse addresses */
3781static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3782			struct common_audit_data *ad, u8 *proto)
3783{
3784	int offset, ihlen, ret = -EINVAL;
3785	struct iphdr _iph, *ih;
3786
3787	offset = skb_network_offset(skb);
3788	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3789	if (ih == NULL)
3790		goto out;
3791
3792	ihlen = ih->ihl * 4;
3793	if (ihlen < sizeof(_iph))
3794		goto out;
3795
3796	ad->u.net->v4info.saddr = ih->saddr;
3797	ad->u.net->v4info.daddr = ih->daddr;
3798	ret = 0;
3799
3800	if (proto)
3801		*proto = ih->protocol;
3802
3803	switch (ih->protocol) {
3804	case IPPROTO_TCP: {
3805		struct tcphdr _tcph, *th;
3806
3807		if (ntohs(ih->frag_off) & IP_OFFSET)
3808			break;
3809
3810		offset += ihlen;
3811		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3812		if (th == NULL)
3813			break;
3814
3815		ad->u.net->sport = th->source;
3816		ad->u.net->dport = th->dest;
3817		break;
3818	}
3819
3820	case IPPROTO_UDP: {
3821		struct udphdr _udph, *uh;
3822
3823		if (ntohs(ih->frag_off) & IP_OFFSET)
3824			break;
3825
3826		offset += ihlen;
3827		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3828		if (uh == NULL)
3829			break;
3830
3831		ad->u.net->sport = uh->source;
3832		ad->u.net->dport = uh->dest;
3833		break;
3834	}
3835
3836	case IPPROTO_DCCP: {
3837		struct dccp_hdr _dccph, *dh;
3838
3839		if (ntohs(ih->frag_off) & IP_OFFSET)
3840			break;
3841
3842		offset += ihlen;
3843		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3844		if (dh == NULL)
3845			break;
3846
3847		ad->u.net->sport = dh->dccph_sport;
3848		ad->u.net->dport = dh->dccph_dport;
3849		break;
3850	}
3851
3852	default:
3853		break;
3854	}
3855out:
3856	return ret;
3857}
3858
3859#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3860
3861/* Returns error only if unable to parse addresses */
3862static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3863			struct common_audit_data *ad, u8 *proto)
3864{
3865	u8 nexthdr;
3866	int ret = -EINVAL, offset;
3867	struct ipv6hdr _ipv6h, *ip6;
3868	__be16 frag_off;
3869
3870	offset = skb_network_offset(skb);
3871	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3872	if (ip6 == NULL)
3873		goto out;
3874
3875	ad->u.net->v6info.saddr = ip6->saddr;
3876	ad->u.net->v6info.daddr = ip6->daddr;
3877	ret = 0;
3878
3879	nexthdr = ip6->nexthdr;
3880	offset += sizeof(_ipv6h);
3881	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3882	if (offset < 0)
3883		goto out;
3884
3885	if (proto)
3886		*proto = nexthdr;
3887
3888	switch (nexthdr) {
3889	case IPPROTO_TCP: {
3890		struct tcphdr _tcph, *th;
3891
3892		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3893		if (th == NULL)
3894			break;
3895
3896		ad->u.net->sport = th->source;
3897		ad->u.net->dport = th->dest;
3898		break;
3899	}
3900
3901	case IPPROTO_UDP: {
3902		struct udphdr _udph, *uh;
3903
3904		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3905		if (uh == NULL)
3906			break;
3907
3908		ad->u.net->sport = uh->source;
3909		ad->u.net->dport = uh->dest;
3910		break;
3911	}
3912
3913	case IPPROTO_DCCP: {
3914		struct dccp_hdr _dccph, *dh;
3915
3916		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3917		if (dh == NULL)
3918			break;
3919
3920		ad->u.net->sport = dh->dccph_sport;
3921		ad->u.net->dport = dh->dccph_dport;
3922		break;
3923	}
3924
3925	/* includes fragments */
3926	default:
3927		break;
3928	}
3929out:
3930	return ret;
3931}
3932
3933#endif /* IPV6 */
3934
3935static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3936			     char **_addrp, int src, u8 *proto)
3937{
3938	char *addrp;
3939	int ret;
3940
3941	switch (ad->u.net->family) {
3942	case PF_INET:
3943		ret = selinux_parse_skb_ipv4(skb, ad, proto);
3944		if (ret)
3945			goto parse_error;
3946		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3947				       &ad->u.net->v4info.daddr);
3948		goto okay;
3949
3950#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3951	case PF_INET6:
3952		ret = selinux_parse_skb_ipv6(skb, ad, proto);
3953		if (ret)
3954			goto parse_error;
3955		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3956				       &ad->u.net->v6info.daddr);
3957		goto okay;
3958#endif	/* IPV6 */
3959	default:
3960		addrp = NULL;
3961		goto okay;
3962	}
3963
3964parse_error:
3965	printk(KERN_WARNING
3966	       "SELinux: failure in selinux_parse_skb(),"
3967	       " unable to parse packet\n");
3968	return ret;
3969
3970okay:
3971	if (_addrp)
3972		*_addrp = addrp;
3973	return 0;
3974}
3975
3976/**
3977 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3978 * @skb: the packet
3979 * @family: protocol family
3980 * @sid: the packet's peer label SID
3981 *
3982 * Description:
3983 * Check the various different forms of network peer labeling and determine
3984 * the peer label/SID for the packet; most of the magic actually occurs in
3985 * the security server function security_net_peersid_cmp().  The function
3986 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3987 * or -EACCES if @sid is invalid due to inconsistencies with the different
3988 * peer labels.
3989 *
3990 */
3991static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3992{
3993	int err;
3994	u32 xfrm_sid;
3995	u32 nlbl_sid;
3996	u32 nlbl_type;
3997
3998	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3999	if (unlikely(err))
4000		return -EACCES;
4001	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4002	if (unlikely(err))
4003		return -EACCES;
4004
4005	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4006	if (unlikely(err)) {
4007		printk(KERN_WARNING
4008		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4009		       " unable to determine packet's peer label\n");
4010		return -EACCES;
4011	}
4012
4013	return 0;
4014}
4015
4016/**
4017 * selinux_conn_sid - Determine the child socket label for a connection
4018 * @sk_sid: the parent socket's SID
4019 * @skb_sid: the packet's SID
4020 * @conn_sid: the resulting connection SID
4021 *
4022 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4023 * combined with the MLS information from @skb_sid in order to create
4024 * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4025 * of @sk_sid.  Returns zero on success, negative values on failure.
4026 *
4027 */
4028static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4029{
4030	int err = 0;
4031
4032	if (skb_sid != SECSID_NULL)
4033		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4034	else
4035		*conn_sid = sk_sid;
4036
4037	return err;
4038}
4039
4040/* socket security operations */
4041
4042static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4043				 u16 secclass, u32 *socksid)
4044{
4045	if (tsec->sockcreate_sid > SECSID_NULL) {
4046		*socksid = tsec->sockcreate_sid;
4047		return 0;
4048	}
4049
4050	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4051				       socksid);
4052}
4053
4054static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4055{
4056	struct sk_security_struct *sksec = sk->sk_security;
4057	struct common_audit_data ad;
4058	struct lsm_network_audit net = {0,};
4059	u32 tsid = task_sid(task);
4060
4061	if (sksec->sid == SECINITSID_KERNEL)
4062		return 0;
4063
4064	ad.type = LSM_AUDIT_DATA_NET;
4065	ad.u.net = &net;
4066	ad.u.net->sk = sk;
4067
4068	return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4069}
4070
4071static int selinux_socket_create(int family, int type,
4072				 int protocol, int kern)
4073{
4074	const struct task_security_struct *tsec = current_security();
4075	u32 newsid;
4076	u16 secclass;
4077	int rc;
4078
4079	if (kern)
4080		return 0;
4081
4082	secclass = socket_type_to_security_class(family, type, protocol);
4083	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4084	if (rc)
4085		return rc;
4086
4087	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4088}
4089
4090static int selinux_socket_post_create(struct socket *sock, int family,
4091				      int type, int protocol, int kern)
4092{
4093	const struct task_security_struct *tsec = current_security();
4094	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4095	struct sk_security_struct *sksec;
4096	int err = 0;
4097
4098	isec->sclass = socket_type_to_security_class(family, type, protocol);
4099
4100	if (kern)
4101		isec->sid = SECINITSID_KERNEL;
4102	else {
4103		err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4104		if (err)
4105			return err;
4106	}
4107
4108	isec->initialized = 1;
4109
4110	if (sock->sk) {
4111		sksec = sock->sk->sk_security;
4112		sksec->sid = isec->sid;
4113		sksec->sclass = isec->sclass;
4114		err = selinux_netlbl_socket_post_create(sock->sk, family);
4115	}
4116
4117	return err;
4118}
4119
4120/* Range of port numbers used to automatically bind.
4121   Need to determine whether we should perform a name_bind
4122   permission check between the socket and the port number. */
4123
4124static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4125{
4126	struct sock *sk = sock->sk;
4127	u16 family;
4128	int err;
4129
4130	err = sock_has_perm(current, sk, SOCKET__BIND);
4131	if (err)
4132		goto out;
4133
4134	/*
4135	 * If PF_INET or PF_INET6, check name_bind permission for the port.
4136	 * Multiple address binding for SCTP is not supported yet: we just
4137	 * check the first address now.
4138	 */
4139	family = sk->sk_family;
4140	if (family == PF_INET || family == PF_INET6) {
4141		char *addrp;
4142		struct sk_security_struct *sksec = sk->sk_security;
4143		struct common_audit_data ad;
4144		struct lsm_network_audit net = {0,};
4145		struct sockaddr_in *addr4 = NULL;
4146		struct sockaddr_in6 *addr6 = NULL;
4147		unsigned short snum;
4148		u32 sid, node_perm;
4149
4150		if (family == PF_INET) {
4151			addr4 = (struct sockaddr_in *)address;
4152			snum = ntohs(addr4->sin_port);
4153			addrp = (char *)&addr4->sin_addr.s_addr;
4154		} else {
4155			addr6 = (struct sockaddr_in6 *)address;
4156			snum = ntohs(addr6->sin6_port);
4157			addrp = (char *)&addr6->sin6_addr.s6_addr;
4158		}
4159
4160		if (snum) {
4161			int low, high;
4162
4163			inet_get_local_port_range(sock_net(sk), &low, &high);
4164
4165			if (snum < max(PROT_SOCK, low) || snum > high) {
4166				err = sel_netport_sid(sk->sk_protocol,
4167						      snum, &sid);
4168				if (err)
4169					goto out;
4170				ad.type = LSM_AUDIT_DATA_NET;
4171				ad.u.net = &net;
4172				ad.u.net->sport = htons(snum);
4173				ad.u.net->family = family;
4174				err = avc_has_perm(sksec->sid, sid,
4175						   sksec->sclass,
4176						   SOCKET__NAME_BIND, &ad);
4177				if (err)
4178					goto out;
4179			}
4180		}
4181
4182		switch (sksec->sclass) {
4183		case SECCLASS_TCP_SOCKET:
4184			node_perm = TCP_SOCKET__NODE_BIND;
4185			break;
4186
4187		case SECCLASS_UDP_SOCKET:
4188			node_perm = UDP_SOCKET__NODE_BIND;
4189			break;
4190
4191		case SECCLASS_DCCP_SOCKET:
4192			node_perm = DCCP_SOCKET__NODE_BIND;
4193			break;
4194
4195		default:
4196			node_perm = RAWIP_SOCKET__NODE_BIND;
4197			break;
4198		}
4199
4200		err = sel_netnode_sid(addrp, family, &sid);
4201		if (err)
4202			goto out;
4203
4204		ad.type = LSM_AUDIT_DATA_NET;
4205		ad.u.net = &net;
4206		ad.u.net->sport = htons(snum);
4207		ad.u.net->family = family;
4208
4209		if (family == PF_INET)
4210			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4211		else
4212			ad.u.net->v6info.saddr = addr6->sin6_addr;
4213
4214		err = avc_has_perm(sksec->sid, sid,
4215				   sksec->sclass, node_perm, &ad);
4216		if (err)
4217			goto out;
4218	}
4219out:
4220	return err;
4221}
4222
4223static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4224{
4225	struct sock *sk = sock->sk;
4226	struct sk_security_struct *sksec = sk->sk_security;
4227	int err;
4228
4229	err = sock_has_perm(current, sk, SOCKET__CONNECT);
4230	if (err)
4231		return err;
4232
4233	/*
4234	 * If a TCP or DCCP socket, check name_connect permission for the port.
4235	 */
4236	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4237	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
4238		struct common_audit_data ad;
4239		struct lsm_network_audit net = {0,};
4240		struct sockaddr_in *addr4 = NULL;
4241		struct sockaddr_in6 *addr6 = NULL;
4242		unsigned short snum;
4243		u32 sid, perm;
4244
4245		if (sk->sk_family == PF_INET) {
4246			addr4 = (struct sockaddr_in *)address;
4247			if (addrlen < sizeof(struct sockaddr_in))
4248				return -EINVAL;
4249			snum = ntohs(addr4->sin_port);
4250		} else {
4251			addr6 = (struct sockaddr_in6 *)address;
4252			if (addrlen < SIN6_LEN_RFC2133)
4253				return -EINVAL;
4254			snum = ntohs(addr6->sin6_port);
4255		}
4256
4257		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4258		if (err)
4259			goto out;
4260
4261		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4262		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4263
4264		ad.type = LSM_AUDIT_DATA_NET;
4265		ad.u.net = &net;
4266		ad.u.net->dport = htons(snum);
4267		ad.u.net->family = sk->sk_family;
4268		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4269		if (err)
4270			goto out;
4271	}
4272
4273	err = selinux_netlbl_socket_connect(sk, address);
4274
4275out:
4276	return err;
4277}
4278
4279static int selinux_socket_listen(struct socket *sock, int backlog)
4280{
4281	return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4282}
4283
4284static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4285{
4286	int err;
4287	struct inode_security_struct *isec;
4288	struct inode_security_struct *newisec;
4289
4290	err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4291	if (err)
4292		return err;
4293
4294	newisec = SOCK_INODE(newsock)->i_security;
4295
4296	isec = SOCK_INODE(sock)->i_security;
4297	newisec->sclass = isec->sclass;
4298	newisec->sid = isec->sid;
4299	newisec->initialized = 1;
4300
4301	return 0;
4302}
4303
4304static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4305				  int size)
4306{
4307	return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4308}
4309
4310static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4311				  int size, int flags)
4312{
4313	return sock_has_perm(current, sock->sk, SOCKET__READ);
4314}
4315
4316static int selinux_socket_getsockname(struct socket *sock)
4317{
4318	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4319}
4320
4321static int selinux_socket_getpeername(struct socket *sock)
4322{
4323	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4324}
4325
4326static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4327{
4328	int err;
4329
4330	err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4331	if (err)
4332		return err;
4333
4334	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4335}
4336
4337static int selinux_socket_getsockopt(struct socket *sock, int level,
4338				     int optname)
4339{
4340	return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4341}
4342
4343static int selinux_socket_shutdown(struct socket *sock, int how)
4344{
4345	return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4346}
4347
4348static int selinux_socket_unix_stream_connect(struct sock *sock,
4349					      struct sock *other,
4350					      struct sock *newsk)
4351{
4352	struct sk_security_struct *sksec_sock = sock->sk_security;
4353	struct sk_security_struct *sksec_other = other->sk_security;
4354	struct sk_security_struct *sksec_new = newsk->sk_security;
4355	struct common_audit_data ad;
4356	struct lsm_network_audit net = {0,};
4357	int err;
4358
4359	ad.type = LSM_AUDIT_DATA_NET;
4360	ad.u.net = &net;
4361	ad.u.net->sk = other;
4362
4363	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4364			   sksec_other->sclass,
4365			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4366	if (err)
4367		return err;
4368
4369	/* server child socket */
4370	sksec_new->peer_sid = sksec_sock->sid;
4371	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4372				    &sksec_new->sid);
4373	if (err)
4374		return err;
4375
4376	/* connecting socket */
4377	sksec_sock->peer_sid = sksec_new->sid;
4378
4379	return 0;
4380}
4381
4382static int selinux_socket_unix_may_send(struct socket *sock,
4383					struct socket *other)
4384{
4385	struct sk_security_struct *ssec = sock->sk->sk_security;
4386	struct sk_security_struct *osec = other->sk->sk_security;
4387	struct common_audit_data ad;
4388	struct lsm_network_audit net = {0,};
4389
4390	ad.type = LSM_AUDIT_DATA_NET;
4391	ad.u.net = &net;
4392	ad.u.net->sk = other->sk;
4393
4394	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4395			    &ad);
4396}
4397
4398static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4399				    char *addrp, u16 family, u32 peer_sid,
4400				    struct common_audit_data *ad)
4401{
4402	int err;
4403	u32 if_sid;
4404	u32 node_sid;
4405
4406	err = sel_netif_sid(ns, ifindex, &if_sid);
4407	if (err)
4408		return err;
4409	err = avc_has_perm(peer_sid, if_sid,
4410			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4411	if (err)
4412		return err;
4413
4414	err = sel_netnode_sid(addrp, family, &node_sid);
4415	if (err)
4416		return err;
4417	return avc_has_perm(peer_sid, node_sid,
4418			    SECCLASS_NODE, NODE__RECVFROM, ad);
4419}
4420
4421static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4422				       u16 family)
4423{
4424	int err = 0;
4425	struct sk_security_struct *sksec = sk->sk_security;
4426	u32 sk_sid = sksec->sid;
4427	struct common_audit_data ad;
4428	struct lsm_network_audit net = {0,};
4429	char *addrp;
4430
4431	ad.type = LSM_AUDIT_DATA_NET;
4432	ad.u.net = &net;
4433	ad.u.net->netif = skb->skb_iif;
4434	ad.u.net->family = family;
4435	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4436	if (err)
4437		return err;
4438
4439	if (selinux_secmark_enabled()) {
4440		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4441				   PACKET__RECV, &ad);
4442		if (err)
4443			return err;
4444	}
4445
4446	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4447	if (err)
4448		return err;
4449	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4450
4451	return err;
4452}
4453
4454static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4455{
4456	int err;
4457	struct sk_security_struct *sksec = sk->sk_security;
4458	u16 family = sk->sk_family;
4459	u32 sk_sid = sksec->sid;
4460	struct common_audit_data ad;
4461	struct lsm_network_audit net = {0,};
4462	char *addrp;
4463	u8 secmark_active;
4464	u8 peerlbl_active;
4465
4466	if (family != PF_INET && family != PF_INET6)
4467		return 0;
4468
4469	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4470	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4471		family = PF_INET;
4472
4473	/* If any sort of compatibility mode is enabled then handoff processing
4474	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4475	 * special handling.  We do this in an attempt to keep this function
4476	 * as fast and as clean as possible. */
4477	if (!selinux_policycap_netpeer)
4478		return selinux_sock_rcv_skb_compat(sk, skb, family);
4479
4480	secmark_active = selinux_secmark_enabled();
4481	peerlbl_active = selinux_peerlbl_enabled();
4482	if (!secmark_active && !peerlbl_active)
4483		return 0;
4484
4485	ad.type = LSM_AUDIT_DATA_NET;
4486	ad.u.net = &net;
4487	ad.u.net->netif = skb->skb_iif;
4488	ad.u.net->family = family;
4489	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4490	if (err)
4491		return err;
4492
4493	if (peerlbl_active) {
4494		u32 peer_sid;
4495
4496		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4497		if (err)
4498			return err;
4499		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4500					       addrp, family, peer_sid, &ad);
4501		if (err) {
4502			selinux_netlbl_err(skb, err, 0);
4503			return err;
4504		}
4505		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4506				   PEER__RECV, &ad);
4507		if (err) {
4508			selinux_netlbl_err(skb, err, 0);
4509			return err;
4510		}
4511	}
4512
4513	if (secmark_active) {
4514		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4515				   PACKET__RECV, &ad);
4516		if (err)
4517			return err;
4518	}
4519
4520	return err;
4521}
4522
4523static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4524					    int __user *optlen, unsigned len)
4525{
4526	int err = 0;
4527	char *scontext;
4528	u32 scontext_len;
4529	struct sk_security_struct *sksec = sock->sk->sk_security;
4530	u32 peer_sid = SECSID_NULL;
4531
4532	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4533	    sksec->sclass == SECCLASS_TCP_SOCKET)
4534		peer_sid = sksec->peer_sid;
4535	if (peer_sid == SECSID_NULL)
4536		return -ENOPROTOOPT;
4537
4538	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4539	if (err)
4540		return err;
4541
4542	if (scontext_len > len) {
4543		err = -ERANGE;
4544		goto out_len;
4545	}
4546
4547	if (copy_to_user(optval, scontext, scontext_len))
4548		err = -EFAULT;
4549
4550out_len:
4551	if (put_user(scontext_len, optlen))
4552		err = -EFAULT;
4553	kfree(scontext);
4554	return err;
4555}
4556
4557static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4558{
4559	u32 peer_secid = SECSID_NULL;
4560	u16 family;
4561
4562	if (skb && skb->protocol == htons(ETH_P_IP))
4563		family = PF_INET;
4564	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4565		family = PF_INET6;
4566	else if (sock)
4567		family = sock->sk->sk_family;
4568	else
4569		goto out;
4570
4571	if (sock && family == PF_UNIX)
4572		selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4573	else if (skb)
4574		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4575
4576out:
4577	*secid = peer_secid;
4578	if (peer_secid == SECSID_NULL)
4579		return -EINVAL;
4580	return 0;
4581}
4582
4583static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4584{
4585	struct sk_security_struct *sksec;
4586
4587	sksec = kzalloc(sizeof(*sksec), priority);
4588	if (!sksec)
4589		return -ENOMEM;
4590
4591	sksec->peer_sid = SECINITSID_UNLABELED;
4592	sksec->sid = SECINITSID_UNLABELED;
4593	selinux_netlbl_sk_security_reset(sksec);
4594	sk->sk_security = sksec;
4595
4596	return 0;
4597}
4598
4599static void selinux_sk_free_security(struct sock *sk)
4600{
4601	struct sk_security_struct *sksec = sk->sk_security;
4602
4603	sk->sk_security = NULL;
4604	selinux_netlbl_sk_security_free(sksec);
4605	kfree(sksec);
4606}
4607
4608static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4609{
4610	struct sk_security_struct *sksec = sk->sk_security;
4611	struct sk_security_struct *newsksec = newsk->sk_security;
4612
4613	newsksec->sid = sksec->sid;
4614	newsksec->peer_sid = sksec->peer_sid;
4615	newsksec->sclass = sksec->sclass;
4616
4617	selinux_netlbl_sk_security_reset(newsksec);
4618}
4619
4620static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4621{
4622	if (!sk)
4623		*secid = SECINITSID_ANY_SOCKET;
4624	else {
4625		struct sk_security_struct *sksec = sk->sk_security;
4626
4627		*secid = sksec->sid;
4628	}
4629}
4630
4631static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4632{
4633	struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4634	struct sk_security_struct *sksec = sk->sk_security;
4635
4636	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4637	    sk->sk_family == PF_UNIX)
4638		isec->sid = sksec->sid;
4639	sksec->sclass = isec->sclass;
4640}
4641
4642static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4643				     struct request_sock *req)
4644{
4645	struct sk_security_struct *sksec = sk->sk_security;
4646	int err;
4647	u16 family = req->rsk_ops->family;
4648	u32 connsid;
4649	u32 peersid;
4650
4651	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4652	if (err)
4653		return err;
4654	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4655	if (err)
4656		return err;
4657	req->secid = connsid;
4658	req->peer_secid = peersid;
4659
4660	return selinux_netlbl_inet_conn_request(req, family);
4661}
4662
4663static void selinux_inet_csk_clone(struct sock *newsk,
4664				   const struct request_sock *req)
4665{
4666	struct sk_security_struct *newsksec = newsk->sk_security;
4667
4668	newsksec->sid = req->secid;
4669	newsksec->peer_sid = req->peer_secid;
4670	/* NOTE: Ideally, we should also get the isec->sid for the
4671	   new socket in sync, but we don't have the isec available yet.
4672	   So we will wait until sock_graft to do it, by which
4673	   time it will have been created and available. */
4674
4675	/* We don't need to take any sort of lock here as we are the only
4676	 * thread with access to newsksec */
4677	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4678}
4679
4680static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4681{
4682	u16 family = sk->sk_family;
4683	struct sk_security_struct *sksec = sk->sk_security;
4684
4685	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4686	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4687		family = PF_INET;
4688
4689	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4690}
4691
4692static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4693{
4694	skb_set_owner_w(skb, sk);
4695}
4696
4697static int selinux_secmark_relabel_packet(u32 sid)
4698{
4699	const struct task_security_struct *__tsec;
4700	u32 tsid;
4701
4702	__tsec = current_security();
4703	tsid = __tsec->sid;
4704
4705	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4706}
4707
4708static void selinux_secmark_refcount_inc(void)
4709{
4710	atomic_inc(&selinux_secmark_refcount);
4711}
4712
4713static void selinux_secmark_refcount_dec(void)
4714{
4715	atomic_dec(&selinux_secmark_refcount);
4716}
4717
4718static void selinux_req_classify_flow(const struct request_sock *req,
4719				      struct flowi *fl)
4720{
4721	fl->flowi_secid = req->secid;
4722}
4723
4724static int selinux_tun_dev_alloc_security(void **security)
4725{
4726	struct tun_security_struct *tunsec;
4727
4728	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4729	if (!tunsec)
4730		return -ENOMEM;
4731	tunsec->sid = current_sid();
4732
4733	*security = tunsec;
4734	return 0;
4735}
4736
4737static void selinux_tun_dev_free_security(void *security)
4738{
4739	kfree(security);
4740}
4741
4742static int selinux_tun_dev_create(void)
4743{
4744	u32 sid = current_sid();
4745
4746	/* we aren't taking into account the "sockcreate" SID since the socket
4747	 * that is being created here is not a socket in the traditional sense,
4748	 * instead it is a private sock, accessible only to the kernel, and
4749	 * representing a wide range of network traffic spanning multiple
4750	 * connections unlike traditional sockets - check the TUN driver to
4751	 * get a better understanding of why this socket is special */
4752
4753	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4754			    NULL);
4755}
4756
4757static int selinux_tun_dev_attach_queue(void *security)
4758{
4759	struct tun_security_struct *tunsec = security;
4760
4761	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4762			    TUN_SOCKET__ATTACH_QUEUE, NULL);
4763}
4764
4765static int selinux_tun_dev_attach(struct sock *sk, void *security)
4766{
4767	struct tun_security_struct *tunsec = security;
4768	struct sk_security_struct *sksec = sk->sk_security;
4769
4770	/* we don't currently perform any NetLabel based labeling here and it
4771	 * isn't clear that we would want to do so anyway; while we could apply
4772	 * labeling without the support of the TUN user the resulting labeled
4773	 * traffic from the other end of the connection would almost certainly
4774	 * cause confusion to the TUN user that had no idea network labeling
4775	 * protocols were being used */
4776
4777	sksec->sid = tunsec->sid;
4778	sksec->sclass = SECCLASS_TUN_SOCKET;
4779
4780	return 0;
4781}
4782
4783static int selinux_tun_dev_open(void *security)
4784{
4785	struct tun_security_struct *tunsec = security;
4786	u32 sid = current_sid();
4787	int err;
4788
4789	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4790			   TUN_SOCKET__RELABELFROM, NULL);
4791	if (err)
4792		return err;
4793	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4794			   TUN_SOCKET__RELABELTO, NULL);
4795	if (err)
4796		return err;
4797	tunsec->sid = sid;
4798
4799	return 0;
4800}
4801
4802static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4803{
4804	int err = 0;
4805	u32 perm;
4806	struct nlmsghdr *nlh;
4807	struct sk_security_struct *sksec = sk->sk_security;
4808
4809	if (skb->len < NLMSG_HDRLEN) {
4810		err = -EINVAL;
4811		goto out;
4812	}
4813	nlh = nlmsg_hdr(skb);
4814
4815	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4816	if (err) {
4817		if (err == -EINVAL) {
4818			printk(KERN_WARNING
4819			       "SELinux: unrecognized netlink message:"
4820			       " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
4821			       sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
4822			if (!selinux_enforcing || security_get_allow_unknown())
4823				err = 0;
4824		}
4825
4826		/* Ignore */
4827		if (err == -ENOENT)
4828			err = 0;
4829		goto out;
4830	}
4831
4832	err = sock_has_perm(current, sk, perm);
4833out:
4834	return err;
4835}
4836
4837#ifdef CONFIG_NETFILTER
4838
4839static unsigned int selinux_ip_forward(struct sk_buff *skb,
4840				       const struct net_device *indev,
4841				       u16 family)
4842{
4843	int err;
4844	char *addrp;
4845	u32 peer_sid;
4846	struct common_audit_data ad;
4847	struct lsm_network_audit net = {0,};
4848	u8 secmark_active;
4849	u8 netlbl_active;
4850	u8 peerlbl_active;
4851
4852	if (!selinux_policycap_netpeer)
4853		return NF_ACCEPT;
4854
4855	secmark_active = selinux_secmark_enabled();
4856	netlbl_active = netlbl_enabled();
4857	peerlbl_active = selinux_peerlbl_enabled();
4858	if (!secmark_active && !peerlbl_active)
4859		return NF_ACCEPT;
4860
4861	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4862		return NF_DROP;
4863
4864	ad.type = LSM_AUDIT_DATA_NET;
4865	ad.u.net = &net;
4866	ad.u.net->netif = indev->ifindex;
4867	ad.u.net->family = family;
4868	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4869		return NF_DROP;
4870
4871	if (peerlbl_active) {
4872		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4873					       addrp, family, peer_sid, &ad);
4874		if (err) {
4875			selinux_netlbl_err(skb, err, 1);
4876			return NF_DROP;
4877		}
4878	}
4879
4880	if (secmark_active)
4881		if (avc_has_perm(peer_sid, skb->secmark,
4882				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4883			return NF_DROP;
4884
4885	if (netlbl_active)
4886		/* we do this in the FORWARD path and not the POST_ROUTING
4887		 * path because we want to make sure we apply the necessary
4888		 * labeling before IPsec is applied so we can leverage AH
4889		 * protection */
4890		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4891			return NF_DROP;
4892
4893	return NF_ACCEPT;
4894}
4895
4896static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4897					 struct sk_buff *skb,
4898					 const struct net_device *in,
4899					 const struct net_device *out,
4900					 int (*okfn)(struct sk_buff *))
4901{
4902	return selinux_ip_forward(skb, in, PF_INET);
4903}
4904
4905#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4906static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4907					 struct sk_buff *skb,
4908					 const struct net_device *in,
4909					 const struct net_device *out,
4910					 int (*okfn)(struct sk_buff *))
4911{
4912	return selinux_ip_forward(skb, in, PF_INET6);
4913}
4914#endif	/* IPV6 */
4915
4916static unsigned int selinux_ip_output(struct sk_buff *skb,
4917				      u16 family)
4918{
4919	struct sock *sk;
4920	u32 sid;
4921
4922	if (!netlbl_enabled())
4923		return NF_ACCEPT;
4924
4925	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4926	 * because we want to make sure we apply the necessary labeling
4927	 * before IPsec is applied so we can leverage AH protection */
4928	sk = skb->sk;
4929	if (sk) {
4930		struct sk_security_struct *sksec;
4931
4932		if (sk->sk_state == TCP_LISTEN)
4933			/* if the socket is the listening state then this
4934			 * packet is a SYN-ACK packet which means it needs to
4935			 * be labeled based on the connection/request_sock and
4936			 * not the parent socket.  unfortunately, we can't
4937			 * lookup the request_sock yet as it isn't queued on
4938			 * the parent socket until after the SYN-ACK is sent.
4939			 * the "solution" is to simply pass the packet as-is
4940			 * as any IP option based labeling should be copied
4941			 * from the initial connection request (in the IP
4942			 * layer).  it is far from ideal, but until we get a
4943			 * security label in the packet itself this is the
4944			 * best we can do. */
4945			return NF_ACCEPT;
4946
4947		/* standard practice, label using the parent socket */
4948		sksec = sk->sk_security;
4949		sid = sksec->sid;
4950	} else
4951		sid = SECINITSID_KERNEL;
4952	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4953		return NF_DROP;
4954
4955	return NF_ACCEPT;
4956}
4957
4958static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4959					struct sk_buff *skb,
4960					const struct net_device *in,
4961					const struct net_device *out,
4962					int (*okfn)(struct sk_buff *))
4963{
4964	return selinux_ip_output(skb, PF_INET);
4965}
4966
4967static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4968						int ifindex,
4969						u16 family)
4970{
4971	struct sock *sk = skb->sk;
4972	struct sk_security_struct *sksec;
4973	struct common_audit_data ad;
4974	struct lsm_network_audit net = {0,};
4975	char *addrp;
4976	u8 proto;
4977
4978	if (sk == NULL)
4979		return NF_ACCEPT;
4980	sksec = sk->sk_security;
4981
4982	ad.type = LSM_AUDIT_DATA_NET;
4983	ad.u.net = &net;
4984	ad.u.net->netif = ifindex;
4985	ad.u.net->family = family;
4986	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4987		return NF_DROP;
4988
4989	if (selinux_secmark_enabled())
4990		if (avc_has_perm(sksec->sid, skb->secmark,
4991				 SECCLASS_PACKET, PACKET__SEND, &ad))
4992			return NF_DROP_ERR(-ECONNREFUSED);
4993
4994	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4995		return NF_DROP_ERR(-ECONNREFUSED);
4996
4997	return NF_ACCEPT;
4998}
4999
5000static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5001					 const struct net_device *outdev,
5002					 u16 family)
5003{
5004	u32 secmark_perm;
5005	u32 peer_sid;
5006	int ifindex = outdev->ifindex;
5007	struct sock *sk;
5008	struct common_audit_data ad;
5009	struct lsm_network_audit net = {0,};
5010	char *addrp;
5011	u8 secmark_active;
5012	u8 peerlbl_active;
5013
5014	/* If any sort of compatibility mode is enabled then handoff processing
5015	 * to the selinux_ip_postroute_compat() function to deal with the
5016	 * special handling.  We do this in an attempt to keep this function
5017	 * as fast and as clean as possible. */
5018	if (!selinux_policycap_netpeer)
5019		return selinux_ip_postroute_compat(skb, ifindex, family);
5020
5021	secmark_active = selinux_secmark_enabled();
5022	peerlbl_active = selinux_peerlbl_enabled();
5023	if (!secmark_active && !peerlbl_active)
5024		return NF_ACCEPT;
5025
5026	sk = skb->sk;
5027
5028#ifdef CONFIG_XFRM
5029	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5030	 * packet transformation so allow the packet to pass without any checks
5031	 * since we'll have another chance to perform access control checks
5032	 * when the packet is on it's final way out.
5033	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5034	 *       is NULL, in this case go ahead and apply access control.
5035	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5036	 *       TCP listening state we cannot wait until the XFRM processing
5037	 *       is done as we will miss out on the SA label if we do;
5038	 *       unfortunately, this means more work, but it is only once per
5039	 *       connection. */
5040	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5041	    !(sk != NULL && sk->sk_state == TCP_LISTEN))
5042		return NF_ACCEPT;
5043#endif
5044
5045	if (sk == NULL) {
5046		/* Without an associated socket the packet is either coming
5047		 * from the kernel or it is being forwarded; check the packet
5048		 * to determine which and if the packet is being forwarded
5049		 * query the packet directly to determine the security label. */
5050		if (skb->skb_iif) {
5051			secmark_perm = PACKET__FORWARD_OUT;
5052			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5053				return NF_DROP;
5054		} else {
5055			secmark_perm = PACKET__SEND;
5056			peer_sid = SECINITSID_KERNEL;
5057		}
5058	} else if (sk->sk_state == TCP_LISTEN) {
5059		/* Locally generated packet but the associated socket is in the
5060		 * listening state which means this is a SYN-ACK packet.  In
5061		 * this particular case the correct security label is assigned
5062		 * to the connection/request_sock but unfortunately we can't
5063		 * query the request_sock as it isn't queued on the parent
5064		 * socket until after the SYN-ACK packet is sent; the only
5065		 * viable choice is to regenerate the label like we do in
5066		 * selinux_inet_conn_request().  See also selinux_ip_output()
5067		 * for similar problems. */
5068		u32 skb_sid;
5069		struct sk_security_struct *sksec = sk->sk_security;
5070		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5071			return NF_DROP;
5072		/* At this point, if the returned skb peerlbl is SECSID_NULL
5073		 * and the packet has been through at least one XFRM
5074		 * transformation then we must be dealing with the "final"
5075		 * form of labeled IPsec packet; since we've already applied
5076		 * all of our access controls on this packet we can safely
5077		 * pass the packet. */
5078		if (skb_sid == SECSID_NULL) {
5079			switch (family) {
5080			case PF_INET:
5081				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5082					return NF_ACCEPT;
5083				break;
5084			case PF_INET6:
5085				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5086					return NF_ACCEPT;
5087				break;
5088			default:
5089				return NF_DROP_ERR(-ECONNREFUSED);
5090			}
5091		}
5092		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5093			return NF_DROP;
5094		secmark_perm = PACKET__SEND;
5095	} else {
5096		/* Locally generated packet, fetch the security label from the
5097		 * associated socket. */
5098		struct sk_security_struct *sksec = sk->sk_security;
5099		peer_sid = sksec->sid;
5100		secmark_perm = PACKET__SEND;
5101	}
5102
5103	ad.type = LSM_AUDIT_DATA_NET;
5104	ad.u.net = &net;
5105	ad.u.net->netif = ifindex;
5106	ad.u.net->family = family;
5107	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5108		return NF_DROP;
5109
5110	if (secmark_active)
5111		if (avc_has_perm(peer_sid, skb->secmark,
5112				 SECCLASS_PACKET, secmark_perm, &ad))
5113			return NF_DROP_ERR(-ECONNREFUSED);
5114
5115	if (peerlbl_active) {
5116		u32 if_sid;
5117		u32 node_sid;
5118
5119		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5120			return NF_DROP;
5121		if (avc_has_perm(peer_sid, if_sid,
5122				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5123			return NF_DROP_ERR(-ECONNREFUSED);
5124
5125		if (sel_netnode_sid(addrp, family, &node_sid))
5126			return NF_DROP;
5127		if (avc_has_perm(peer_sid, node_sid,
5128				 SECCLASS_NODE, NODE__SENDTO, &ad))
5129			return NF_DROP_ERR(-ECONNREFUSED);
5130	}
5131
5132	return NF_ACCEPT;
5133}
5134
5135static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5136					   struct sk_buff *skb,
5137					   const struct net_device *in,
5138					   const struct net_device *out,
5139					   int (*okfn)(struct sk_buff *))
5140{
5141	return selinux_ip_postroute(skb, out, PF_INET);
5142}
5143
5144#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5145static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5146					   struct sk_buff *skb,
5147					   const struct net_device *in,
5148					   const struct net_device *out,
5149					   int (*okfn)(struct sk_buff *))
5150{
5151	return selinux_ip_postroute(skb, out, PF_INET6);
5152}
5153#endif	/* IPV6 */
5154
5155#endif	/* CONFIG_NETFILTER */
5156
5157static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5158{
5159	int err;
5160
5161	err = cap_netlink_send(sk, skb);
5162	if (err)
5163		return err;
5164
5165	return selinux_nlmsg_perm(sk, skb);
5166}
5167
5168static int ipc_alloc_security(struct task_struct *task,
5169			      struct kern_ipc_perm *perm,
5170			      u16 sclass)
5171{
5172	struct ipc_security_struct *isec;
5173	u32 sid;
5174
5175	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5176	if (!isec)
5177		return -ENOMEM;
5178
5179	sid = task_sid(task);
5180	isec->sclass = sclass;
5181	isec->sid = sid;
5182	perm->security = isec;
5183
5184	return 0;
5185}
5186
5187static void ipc_free_security(struct kern_ipc_perm *perm)
5188{
5189	struct ipc_security_struct *isec = perm->security;
5190	perm->security = NULL;
5191	kfree(isec);
5192}
5193
5194static int msg_msg_alloc_security(struct msg_msg *msg)
5195{
5196	struct msg_security_struct *msec;
5197
5198	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5199	if (!msec)
5200		return -ENOMEM;
5201
5202	msec->sid = SECINITSID_UNLABELED;
5203	msg->security = msec;
5204
5205	return 0;
5206}
5207
5208static void msg_msg_free_security(struct msg_msg *msg)
5209{
5210	struct msg_security_struct *msec = msg->security;
5211
5212	msg->security = NULL;
5213	kfree(msec);
5214}
5215
5216static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5217			u32 perms)
5218{
5219	struct ipc_security_struct *isec;
5220	struct common_audit_data ad;
5221	u32 sid = current_sid();
5222
5223	isec = ipc_perms->security;
5224
5225	ad.type = LSM_AUDIT_DATA_IPC;
5226	ad.u.ipc_id = ipc_perms->key;
5227
5228	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5229}
5230
5231static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5232{
5233	return msg_msg_alloc_security(msg);
5234}
5235
5236static void selinux_msg_msg_free_security(struct msg_msg *msg)
5237{
5238	msg_msg_free_security(msg);
5239}
5240
5241/* message queue security operations */
5242static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5243{
5244	struct ipc_security_struct *isec;
5245	struct common_audit_data ad;
5246	u32 sid = current_sid();
5247	int rc;
5248
5249	rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5250	if (rc)
5251		return rc;
5252
5253	isec = msq->q_perm.security;
5254
5255	ad.type = LSM_AUDIT_DATA_IPC;
5256	ad.u.ipc_id = msq->q_perm.key;
5257
5258	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5259			  MSGQ__CREATE, &ad);
5260	if (rc) {
5261		ipc_free_security(&msq->q_perm);
5262		return rc;
5263	}
5264	return 0;
5265}
5266
5267static void selinux_msg_queue_free_security(struct msg_queue *msq)
5268{
5269	ipc_free_security(&msq->q_perm);
5270}
5271
5272static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5273{
5274	struct ipc_security_struct *isec;
5275	struct common_audit_data ad;
5276	u32 sid = current_sid();
5277
5278	isec = msq->q_perm.security;
5279
5280	ad.type = LSM_AUDIT_DATA_IPC;
5281	ad.u.ipc_id = msq->q_perm.key;
5282
5283	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5284			    MSGQ__ASSOCIATE, &ad);
5285}
5286
5287static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5288{
5289	int err;
5290	int perms;
5291
5292	switch (cmd) {
5293	case IPC_INFO:
5294	case MSG_INFO:
5295		/* No specific object, just general system-wide information. */
5296		return task_has_system(current, SYSTEM__IPC_INFO);
5297	case IPC_STAT:
5298	case MSG_STAT:
5299		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5300		break;
5301	case IPC_SET:
5302		perms = MSGQ__SETATTR;
5303		break;
5304	case IPC_RMID:
5305		perms = MSGQ__DESTROY;
5306		break;
5307	default:
5308		return 0;
5309	}
5310
5311	err = ipc_has_perm(&msq->q_perm, perms);
5312	return err;
5313}
5314
5315static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5316{
5317	struct ipc_security_struct *isec;
5318	struct msg_security_struct *msec;
5319	struct common_audit_data ad;
5320	u32 sid = current_sid();
5321	int rc;
5322
5323	isec = msq->q_perm.security;
5324	msec = msg->security;
5325
5326	/*
5327	 * First time through, need to assign label to the message
5328	 */
5329	if (msec->sid == SECINITSID_UNLABELED) {
5330		/*
5331		 * Compute new sid based on current process and
5332		 * message queue this message will be stored in
5333		 */
5334		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5335					     NULL, &msec->sid);
5336		if (rc)
5337			return rc;
5338	}
5339
5340	ad.type = LSM_AUDIT_DATA_IPC;
5341	ad.u.ipc_id = msq->q_perm.key;
5342
5343	/* Can this process write to the queue? */
5344	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5345			  MSGQ__WRITE, &ad);
5346	if (!rc)
5347		/* Can this process send the message */
5348		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5349				  MSG__SEND, &ad);
5350	if (!rc)
5351		/* Can the message be put in the queue? */
5352		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5353				  MSGQ__ENQUEUE, &ad);
5354
5355	return rc;
5356}
5357
5358static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5359				    struct task_struct *target,
5360				    long type, int mode)
5361{
5362	struct ipc_security_struct *isec;
5363	struct msg_security_struct *msec;
5364	struct common_audit_data ad;
5365	u32 sid = task_sid(target);
5366	int rc;
5367
5368	isec = msq->q_perm.security;
5369	msec = msg->security;
5370
5371	ad.type = LSM_AUDIT_DATA_IPC;
5372	ad.u.ipc_id = msq->q_perm.key;
5373
5374	rc = avc_has_perm(sid, isec->sid,
5375			  SECCLASS_MSGQ, MSGQ__READ, &ad);
5376	if (!rc)
5377		rc = avc_has_perm(sid, msec->sid,
5378				  SECCLASS_MSG, MSG__RECEIVE, &ad);
5379	return rc;
5380}
5381
5382/* Shared Memory security operations */
5383static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5384{
5385	struct ipc_security_struct *isec;
5386	struct common_audit_data ad;
5387	u32 sid = current_sid();
5388	int rc;
5389
5390	rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5391	if (rc)
5392		return rc;
5393
5394	isec = shp->shm_perm.security;
5395
5396	ad.type = LSM_AUDIT_DATA_IPC;
5397	ad.u.ipc_id = shp->shm_perm.key;
5398
5399	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5400			  SHM__CREATE, &ad);
5401	if (rc) {
5402		ipc_free_security(&shp->shm_perm);
5403		return rc;
5404	}
5405	return 0;
5406}
5407
5408static void selinux_shm_free_security(struct shmid_kernel *shp)
5409{
5410	ipc_free_security(&shp->shm_perm);
5411}
5412
5413static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5414{
5415	struct ipc_security_struct *isec;
5416	struct common_audit_data ad;
5417	u32 sid = current_sid();
5418
5419	isec = shp->shm_perm.security;
5420
5421	ad.type = LSM_AUDIT_DATA_IPC;
5422	ad.u.ipc_id = shp->shm_perm.key;
5423
5424	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5425			    SHM__ASSOCIATE, &ad);
5426}
5427
5428/* Note, at this point, shp is locked down */
5429static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5430{
5431	int perms;
5432	int err;
5433
5434	switch (cmd) {
5435	case IPC_INFO:
5436	case SHM_INFO:
5437		/* No specific object, just general system-wide information. */
5438		return task_has_system(current, SYSTEM__IPC_INFO);
5439	case IPC_STAT:
5440	case SHM_STAT:
5441		perms = SHM__GETATTR | SHM__ASSOCIATE;
5442		break;
5443	case IPC_SET:
5444		perms = SHM__SETATTR;
5445		break;
5446	case SHM_LOCK:
5447	case SHM_UNLOCK:
5448		perms = SHM__LOCK;
5449		break;
5450	case IPC_RMID:
5451		perms = SHM__DESTROY;
5452		break;
5453	default:
5454		return 0;
5455	}
5456
5457	err = ipc_has_perm(&shp->shm_perm, perms);
5458	return err;
5459}
5460
5461static int selinux_shm_shmat(struct shmid_kernel *shp,
5462			     char __user *shmaddr, int shmflg)
5463{
5464	u32 perms;
5465
5466	if (shmflg & SHM_RDONLY)
5467		perms = SHM__READ;
5468	else
5469		perms = SHM__READ | SHM__WRITE;
5470
5471	return ipc_has_perm(&shp->shm_perm, perms);
5472}
5473
5474/* Semaphore security operations */
5475static int selinux_sem_alloc_security(struct sem_array *sma)
5476{
5477	struct ipc_security_struct *isec;
5478	struct common_audit_data ad;
5479	u32 sid = current_sid();
5480	int rc;
5481
5482	rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5483	if (rc)
5484		return rc;
5485
5486	isec = sma->sem_perm.security;
5487
5488	ad.type = LSM_AUDIT_DATA_IPC;
5489	ad.u.ipc_id = sma->sem_perm.key;
5490
5491	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5492			  SEM__CREATE, &ad);
5493	if (rc) {
5494		ipc_free_security(&sma->sem_perm);
5495		return rc;
5496	}
5497	return 0;
5498}
5499
5500static void selinux_sem_free_security(struct sem_array *sma)
5501{
5502	ipc_free_security(&sma->sem_perm);
5503}
5504
5505static int selinux_sem_associate(struct sem_array *sma, int semflg)
5506{
5507	struct ipc_security_struct *isec;
5508	struct common_audit_data ad;
5509	u32 sid = current_sid();
5510
5511	isec = sma->sem_perm.security;
5512
5513	ad.type = LSM_AUDIT_DATA_IPC;
5514	ad.u.ipc_id = sma->sem_perm.key;
5515
5516	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5517			    SEM__ASSOCIATE, &ad);
5518}
5519
5520/* Note, at this point, sma is locked down */
5521static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5522{
5523	int err;
5524	u32 perms;
5525
5526	switch (cmd) {
5527	case IPC_INFO:
5528	case SEM_INFO:
5529		/* No specific object, just general system-wide information. */
5530		return task_has_system(current, SYSTEM__IPC_INFO);
5531	case GETPID:
5532	case GETNCNT:
5533	case GETZCNT:
5534		perms = SEM__GETATTR;
5535		break;
5536	case GETVAL:
5537	case GETALL:
5538		perms = SEM__READ;
5539		break;
5540	case SETVAL:
5541	case SETALL:
5542		perms = SEM__WRITE;
5543		break;
5544	case IPC_RMID:
5545		perms = SEM__DESTROY;
5546		break;
5547	case IPC_SET:
5548		perms = SEM__SETATTR;
5549		break;
5550	case IPC_STAT:
5551	case SEM_STAT:
5552		perms = SEM__GETATTR | SEM__ASSOCIATE;
5553		break;
5554	default:
5555		return 0;
5556	}
5557
5558	err = ipc_has_perm(&sma->sem_perm, perms);
5559	return err;
5560}
5561
5562static int selinux_sem_semop(struct sem_array *sma,
5563			     struct sembuf *sops, unsigned nsops, int alter)
5564{
5565	u32 perms;
5566
5567	if (alter)
5568		perms = SEM__READ | SEM__WRITE;
5569	else
5570		perms = SEM__READ;
5571
5572	return ipc_has_perm(&sma->sem_perm, perms);
5573}
5574
5575static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5576{
5577	u32 av = 0;
5578
5579	av = 0;
5580	if (flag & S_IRUGO)
5581		av |= IPC__UNIX_READ;
5582	if (flag & S_IWUGO)
5583		av |= IPC__UNIX_WRITE;
5584
5585	if (av == 0)
5586		return 0;
5587
5588	return ipc_has_perm(ipcp, av);
5589}
5590
5591static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5592{
5593	struct ipc_security_struct *isec = ipcp->security;
5594	*secid = isec->sid;
5595}
5596
5597static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5598{
5599	if (inode)
5600		inode_doinit_with_dentry(inode, dentry);
5601}
5602
5603static int selinux_getprocattr(struct task_struct *p,
5604			       char *name, char **value)
5605{
5606	const struct task_security_struct *__tsec;
5607	u32 sid;
5608	int error;
5609	unsigned len;
5610
5611	if (current != p) {
5612		error = current_has_perm(p, PROCESS__GETATTR);
5613		if (error)
5614			return error;
5615	}
5616
5617	rcu_read_lock();
5618	__tsec = __task_cred(p)->security;
5619
5620	if (!strcmp(name, "current"))
5621		sid = __tsec->sid;
5622	else if (!strcmp(name, "prev"))
5623		sid = __tsec->osid;
5624	else if (!strcmp(name, "exec"))
5625		sid = __tsec->exec_sid;
5626	else if (!strcmp(name, "fscreate"))
5627		sid = __tsec->create_sid;
5628	else if (!strcmp(name, "keycreate"))
5629		sid = __tsec->keycreate_sid;
5630	else if (!strcmp(name, "sockcreate"))
5631		sid = __tsec->sockcreate_sid;
5632	else
5633		goto invalid;
5634	rcu_read_unlock();
5635
5636	if (!sid)
5637		return 0;
5638
5639	error = security_sid_to_context(sid, value, &len);
5640	if (error)
5641		return error;
5642	return len;
5643
5644invalid:
5645	rcu_read_unlock();
5646	return -EINVAL;
5647}
5648
5649static int selinux_setprocattr(struct task_struct *p,
5650			       char *name, void *value, size_t size)
5651{
5652	struct task_security_struct *tsec;
5653	struct task_struct *tracer;
5654	struct cred *new;
5655	u32 sid = 0, ptsid;
5656	int error;
5657	char *str = value;
5658
5659	if (current != p) {
5660		/* SELinux only allows a process to change its own
5661		   security attributes. */
5662		return -EACCES;
5663	}
5664
5665	/*
5666	 * Basic control over ability to set these attributes at all.
5667	 * current == p, but we'll pass them separately in case the
5668	 * above restriction is ever removed.
5669	 */
5670	if (!strcmp(name, "exec"))
5671		error = current_has_perm(p, PROCESS__SETEXEC);
5672	else if (!strcmp(name, "fscreate"))
5673		error = current_has_perm(p, PROCESS__SETFSCREATE);
5674	else if (!strcmp(name, "keycreate"))
5675		error = current_has_perm(p, PROCESS__SETKEYCREATE);
5676	else if (!strcmp(name, "sockcreate"))
5677		error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5678	else if (!strcmp(name, "current"))
5679		error = current_has_perm(p, PROCESS__SETCURRENT);
5680	else
5681		error = -EINVAL;
5682	if (error)
5683		return error;
5684
5685	/* Obtain a SID for the context, if one was specified. */
5686	if (size && str[1] && str[1] != '\n') {
5687		if (str[size-1] == '\n') {
5688			str[size-1] = 0;
5689			size--;
5690		}
5691		error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5692		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5693			if (!capable(CAP_MAC_ADMIN)) {
5694				struct audit_buffer *ab;
5695				size_t audit_size;
5696
5697				/* We strip a nul only if it is at the end, otherwise the
5698				 * context contains a nul and we should audit that */
5699				if (str[size - 1] == '\0')
5700					audit_size = size - 1;
5701				else
5702					audit_size = size;
5703				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5704				audit_log_format(ab, "op=fscreate invalid_context=");
5705				audit_log_n_untrustedstring(ab, value, audit_size);
5706				audit_log_end(ab);
5707
5708				return error;
5709			}
5710			error = security_context_to_sid_force(value, size,
5711							      &sid);
5712		}
5713		if (error)
5714			return error;
5715	}
5716
5717	new = prepare_creds();
5718	if (!new)
5719		return -ENOMEM;
5720
5721	/* Permission checking based on the specified context is
5722	   performed during the actual operation (execve,
5723	   open/mkdir/...), when we know the full context of the
5724	   operation.  See selinux_bprm_set_creds for the execve
5725	   checks and may_create for the file creation checks. The
5726	   operation will then fail if the context is not permitted. */
5727	tsec = new->security;
5728	if (!strcmp(name, "exec")) {
5729		tsec->exec_sid = sid;
5730	} else if (!strcmp(name, "fscreate")) {
5731		tsec->create_sid = sid;
5732	} else if (!strcmp(name, "keycreate")) {
5733		error = may_create_key(sid, p);
5734		if (error)
5735			goto abort_change;
5736		tsec->keycreate_sid = sid;
5737	} else if (!strcmp(name, "sockcreate")) {
5738		tsec->sockcreate_sid = sid;
5739	} else if (!strcmp(name, "current")) {
5740		error = -EINVAL;
5741		if (sid == 0)
5742			goto abort_change;
5743
5744		/* Only allow single threaded processes to change context */
5745		error = -EPERM;
5746		if (!current_is_single_threaded()) {
5747			error = security_bounded_transition(tsec->sid, sid);
5748			if (error)
5749				goto abort_change;
5750		}
5751
5752		/* Check permissions for the transition. */
5753		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5754				     PROCESS__DYNTRANSITION, NULL);
5755		if (error)
5756			goto abort_change;
5757
5758		/* Check for ptracing, and update the task SID if ok.
5759		   Otherwise, leave SID unchanged and fail. */
5760		ptsid = 0;
5761		rcu_read_lock();
5762		tracer = ptrace_parent(p);
5763		if (tracer)
5764			ptsid = task_sid(tracer);
5765		rcu_read_unlock();
5766
5767		if (tracer) {
5768			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5769					     PROCESS__PTRACE, NULL);
5770			if (error)
5771				goto abort_change;
5772		}
5773
5774		tsec->sid = sid;
5775	} else {
5776		error = -EINVAL;
5777		goto abort_change;
5778	}
5779
5780	commit_creds(new);
5781	return size;
5782
5783abort_change:
5784	abort_creds(new);
5785	return error;
5786}
5787
5788static int selinux_ismaclabel(const char *name)
5789{
5790	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5791}
5792
5793static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5794{
5795	return security_sid_to_context(secid, secdata, seclen);
5796}
5797
5798static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5799{
5800	return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5801}
5802
5803static void selinux_release_secctx(char *secdata, u32 seclen)
5804{
5805	kfree(secdata);
5806}
5807
5808/*
5809 *	called with inode->i_mutex locked
5810 */
5811static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5812{
5813	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5814}
5815
5816/*
5817 *	called with inode->i_mutex locked
5818 */
5819static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5820{
5821	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5822}
5823
5824static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5825{
5826	int len = 0;
5827	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5828						ctx, true);
5829	if (len < 0)
5830		return len;
5831	*ctxlen = len;
5832	return 0;
5833}
5834#ifdef CONFIG_KEYS
5835
5836static int selinux_key_alloc(struct key *k, const struct cred *cred,
5837			     unsigned long flags)
5838{
5839	const struct task_security_struct *tsec;
5840	struct key_security_struct *ksec;
5841
5842	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5843	if (!ksec)
5844		return -ENOMEM;
5845
5846	tsec = cred->security;
5847	if (tsec->keycreate_sid)