[PATCH] keys: sort out key quota system
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83 extern int selinux_compat_net;
84
85 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86 int selinux_enforcing = 0;
87
88 static int __init enforcing_setup(char *str)
89 {
90         selinux_enforcing = simple_strtol(str,NULL,0);
91         return 1;
92 }
93 __setup("enforcing=", enforcing_setup);
94 #endif
95
96 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98
99 static int __init selinux_enabled_setup(char *str)
100 {
101         selinux_enabled = simple_strtol(str, NULL, 0);
102         return 1;
103 }
104 __setup("selinux=", selinux_enabled_setup);
105 #else
106 int selinux_enabled = 1;
107 #endif
108
109 /* Original (dummy) security module. */
110 static struct security_operations *original_ops = NULL;
111
112 /* Minimal support for a secondary security module,
113    just to allow the use of the dummy or capability modules.
114    The owlsm module can alternatively be used as a secondary
115    module as long as CONFIG_OWLSM_FD is not enabled. */
116 static struct security_operations *secondary_ops = NULL;
117
118 /* Lists of inode and superblock security structures initialized
119    before the policy was loaded. */
120 static LIST_HEAD(superblock_security_head);
121 static DEFINE_SPINLOCK(sb_security_lock);
122
123 static kmem_cache_t *sel_inode_cache;
124
125 /* Return security context for a given sid or just the context 
126    length if the buffer is null or length is 0 */
127 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
128 {
129         char *context;
130         unsigned len;
131         int rc;
132
133         rc = security_sid_to_context(sid, &context, &len);
134         if (rc)
135                 return rc;
136
137         if (!buffer || !size)
138                 goto getsecurity_exit;
139
140         if (size < len) {
141                 len = -ERANGE;
142                 goto getsecurity_exit;
143         }
144         memcpy(buffer, context, len);
145
146 getsecurity_exit:
147         kfree(context);
148         return len;
149 }
150
151 /* Allocate and free functions for each kind of security blob. */
152
153 static int task_alloc_security(struct task_struct *task)
154 {
155         struct task_security_struct *tsec;
156
157         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
158         if (!tsec)
159                 return -ENOMEM;
160
161         tsec->task = task;
162         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
163         task->security = tsec;
164
165         return 0;
166 }
167
168 static void task_free_security(struct task_struct *task)
169 {
170         struct task_security_struct *tsec = task->security;
171         task->security = NULL;
172         kfree(tsec);
173 }
174
175 static int inode_alloc_security(struct inode *inode)
176 {
177         struct task_security_struct *tsec = current->security;
178         struct inode_security_struct *isec;
179
180         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
181         if (!isec)
182                 return -ENOMEM;
183
184         memset(isec, 0, sizeof(*isec));
185         init_MUTEX(&isec->sem);
186         INIT_LIST_HEAD(&isec->list);
187         isec->inode = inode;
188         isec->sid = SECINITSID_UNLABELED;
189         isec->sclass = SECCLASS_FILE;
190         isec->task_sid = tsec->sid;
191         inode->i_security = isec;
192
193         return 0;
194 }
195
196 static void inode_free_security(struct inode *inode)
197 {
198         struct inode_security_struct *isec = inode->i_security;
199         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
200
201         spin_lock(&sbsec->isec_lock);
202         if (!list_empty(&isec->list))
203                 list_del_init(&isec->list);
204         spin_unlock(&sbsec->isec_lock);
205
206         inode->i_security = NULL;
207         kmem_cache_free(sel_inode_cache, isec);
208 }
209
210 static int file_alloc_security(struct file *file)
211 {
212         struct task_security_struct *tsec = current->security;
213         struct file_security_struct *fsec;
214
215         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
216         if (!fsec)
217                 return -ENOMEM;
218
219         fsec->file = file;
220         fsec->sid = tsec->sid;
221         fsec->fown_sid = tsec->sid;
222         file->f_security = fsec;
223
224         return 0;
225 }
226
227 static void file_free_security(struct file *file)
228 {
229         struct file_security_struct *fsec = file->f_security;
230         file->f_security = NULL;
231         kfree(fsec);
232 }
233
234 static int superblock_alloc_security(struct super_block *sb)
235 {
236         struct superblock_security_struct *sbsec;
237
238         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
239         if (!sbsec)
240                 return -ENOMEM;
241
242         init_MUTEX(&sbsec->sem);
243         INIT_LIST_HEAD(&sbsec->list);
244         INIT_LIST_HEAD(&sbsec->isec_head);
245         spin_lock_init(&sbsec->isec_lock);
246         sbsec->sb = sb;
247         sbsec->sid = SECINITSID_UNLABELED;
248         sbsec->def_sid = SECINITSID_FILE;
249         sb->s_security = sbsec;
250
251         return 0;
252 }
253
254 static void superblock_free_security(struct super_block *sb)
255 {
256         struct superblock_security_struct *sbsec = sb->s_security;
257
258         spin_lock(&sb_security_lock);
259         if (!list_empty(&sbsec->list))
260                 list_del_init(&sbsec->list);
261         spin_unlock(&sb_security_lock);
262
263         sb->s_security = NULL;
264         kfree(sbsec);
265 }
266
267 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
268 {
269         struct sk_security_struct *ssec;
270
271         if (family != PF_UNIX)
272                 return 0;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         sk->sk_security = ssec;
281
282         return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287         struct sk_security_struct *ssec = sk->sk_security;
288
289         if (sk->sk_family != PF_UNIX)
290                 return;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_context = 1,
320         Opt_fscontext = 2,
321         Opt_defcontext = 4,
322 };
323
324 static match_table_t tokens = {
325         {Opt_context, "context=%s"},
326         {Opt_fscontext, "fscontext=%s"},
327         {Opt_defcontext, "defcontext=%s"},
328 };
329
330 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
331
332 static int try_context_mount(struct super_block *sb, void *data)
333 {
334         char *context = NULL, *defcontext = NULL;
335         const char *name;
336         u32 sid;
337         int alloc = 0, rc = 0, seen = 0;
338         struct task_security_struct *tsec = current->security;
339         struct superblock_security_struct *sbsec = sb->s_security;
340
341         if (!data)
342                 goto out;
343
344         name = sb->s_type->name;
345
346         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
347
348                 /* NFS we understand. */
349                 if (!strcmp(name, "nfs")) {
350                         struct nfs_mount_data *d = data;
351
352                         if (d->version <  NFS_MOUNT_VERSION)
353                                 goto out;
354
355                         if (d->context[0]) {
356                                 context = d->context;
357                                 seen |= Opt_context;
358                         }
359                 } else
360                         goto out;
361
362         } else {
363                 /* Standard string-based options. */
364                 char *p, *options = data;
365
366                 while ((p = strsep(&options, ",")) != NULL) {
367                         int token;
368                         substring_t args[MAX_OPT_ARGS];
369
370                         if (!*p)
371                                 continue;
372
373                         token = match_token(p, tokens, args);
374
375                         switch (token) {
376                         case Opt_context:
377                                 if (seen) {
378                                         rc = -EINVAL;
379                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
380                                         goto out_free;
381                                 }
382                                 context = match_strdup(&args[0]);
383                                 if (!context) {
384                                         rc = -ENOMEM;
385                                         goto out_free;
386                                 }
387                                 if (!alloc)
388                                         alloc = 1;
389                                 seen |= Opt_context;
390                                 break;
391
392                         case Opt_fscontext:
393                                 if (seen & (Opt_context|Opt_fscontext)) {
394                                         rc = -EINVAL;
395                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
396                                         goto out_free;
397                                 }
398                                 context = match_strdup(&args[0]);
399                                 if (!context) {
400                                         rc = -ENOMEM;
401                                         goto out_free;
402                                 }
403                                 if (!alloc)
404                                         alloc = 1;
405                                 seen |= Opt_fscontext;
406                                 break;
407
408                         case Opt_defcontext:
409                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
410                                         rc = -EINVAL;
411                                         printk(KERN_WARNING "SELinux:  "
412                                                "defcontext option is invalid "
413                                                "for this filesystem type\n");
414                                         goto out_free;
415                                 }
416                                 if (seen & (Opt_context|Opt_defcontext)) {
417                                         rc = -EINVAL;
418                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
419                                         goto out_free;
420                                 }
421                                 defcontext = match_strdup(&args[0]);
422                                 if (!defcontext) {
423                                         rc = -ENOMEM;
424                                         goto out_free;
425                                 }
426                                 if (!alloc)
427                                         alloc = 1;
428                                 seen |= Opt_defcontext;
429                                 break;
430
431                         default:
432                                 rc = -EINVAL;
433                                 printk(KERN_WARNING "SELinux:  unknown mount "
434                                        "option\n");
435                                 goto out_free;
436
437                         }
438                 }
439         }
440
441         if (!seen)
442                 goto out;
443
444         if (context) {
445                 rc = security_context_to_sid(context, strlen(context), &sid);
446                 if (rc) {
447                         printk(KERN_WARNING "SELinux: security_context_to_sid"
448                                "(%s) failed for (dev %s, type %s) errno=%d\n",
449                                context, sb->s_id, name, rc);
450                         goto out_free;
451                 }
452
453                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
454                                   FILESYSTEM__RELABELFROM, NULL);
455                 if (rc)
456                         goto out_free;
457
458                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
459                                   FILESYSTEM__RELABELTO, NULL);
460                 if (rc)
461                         goto out_free;
462
463                 sbsec->sid = sid;
464
465                 if (seen & Opt_context)
466                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
467         }
468
469         if (defcontext) {
470                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
471                 if (rc) {
472                         printk(KERN_WARNING "SELinux: security_context_to_sid"
473                                "(%s) failed for (dev %s, type %s) errno=%d\n",
474                                defcontext, sb->s_id, name, rc);
475                         goto out_free;
476                 }
477
478                 if (sid == sbsec->def_sid)
479                         goto out_free;
480
481                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
482                                   FILESYSTEM__RELABELFROM, NULL);
483                 if (rc)
484                         goto out_free;
485
486                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
487                                   FILESYSTEM__ASSOCIATE, NULL);
488                 if (rc)
489                         goto out_free;
490
491                 sbsec->def_sid = sid;
492         }
493
494 out_free:
495         if (alloc) {
496                 kfree(context);
497                 kfree(defcontext);
498         }
499 out:
500         return rc;
501 }
502
503 static int superblock_doinit(struct super_block *sb, void *data)
504 {
505         struct superblock_security_struct *sbsec = sb->s_security;
506         struct dentry *root = sb->s_root;
507         struct inode *inode = root->d_inode;
508         int rc = 0;
509
510         down(&sbsec->sem);
511         if (sbsec->initialized)
512                 goto out;
513
514         if (!ss_initialized) {
515                 /* Defer initialization until selinux_complete_init,
516                    after the initial policy is loaded and the security
517                    server is ready to handle calls. */
518                 spin_lock(&sb_security_lock);
519                 if (list_empty(&sbsec->list))
520                         list_add(&sbsec->list, &superblock_security_head);
521                 spin_unlock(&sb_security_lock);
522                 goto out;
523         }
524
525         /* Determine the labeling behavior to use for this filesystem type. */
526         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
527         if (rc) {
528                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
529                        __FUNCTION__, sb->s_type->name, rc);
530                 goto out;
531         }
532
533         rc = try_context_mount(sb, data);
534         if (rc)
535                 goto out;
536
537         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
538                 /* Make sure that the xattr handler exists and that no
539                    error other than -ENODATA is returned by getxattr on
540                    the root directory.  -ENODATA is ok, as this may be
541                    the first boot of the SELinux kernel before we have
542                    assigned xattr values to the filesystem. */
543                 if (!inode->i_op->getxattr) {
544                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
545                                "xattr support\n", sb->s_id, sb->s_type->name);
546                         rc = -EOPNOTSUPP;
547                         goto out;
548                 }
549                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
550                 if (rc < 0 && rc != -ENODATA) {
551                         if (rc == -EOPNOTSUPP)
552                                 printk(KERN_WARNING "SELinux: (dev %s, type "
553                                        "%s) has no security xattr handler\n",
554                                        sb->s_id, sb->s_type->name);
555                         else
556                                 printk(KERN_WARNING "SELinux: (dev %s, type "
557                                        "%s) getxattr errno %d\n", sb->s_id,
558                                        sb->s_type->name, -rc);
559                         goto out;
560                 }
561         }
562
563         if (strcmp(sb->s_type->name, "proc") == 0)
564                 sbsec->proc = 1;
565
566         sbsec->initialized = 1;
567
568         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
569                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
570                        sb->s_id, sb->s_type->name);
571         }
572         else {
573                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
574                        sb->s_id, sb->s_type->name,
575                        labeling_behaviors[sbsec->behavior-1]);
576         }
577
578         /* Initialize the root inode. */
579         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
580
581         /* Initialize any other inodes associated with the superblock, e.g.
582            inodes created prior to initial policy load or inodes created
583            during get_sb by a pseudo filesystem that directly
584            populates itself. */
585         spin_lock(&sbsec->isec_lock);
586 next_inode:
587         if (!list_empty(&sbsec->isec_head)) {
588                 struct inode_security_struct *isec =
589                                 list_entry(sbsec->isec_head.next,
590                                            struct inode_security_struct, list);
591                 struct inode *inode = isec->inode;
592                 spin_unlock(&sbsec->isec_lock);
593                 inode = igrab(inode);
594                 if (inode) {
595                         if (!IS_PRIVATE (inode))
596                                 inode_doinit(inode);
597                         iput(inode);
598                 }
599                 spin_lock(&sbsec->isec_lock);
600                 list_del_init(&isec->list);
601                 goto next_inode;
602         }
603         spin_unlock(&sbsec->isec_lock);
604 out:
605         up(&sbsec->sem);
606         return rc;
607 }
608
609 static inline u16 inode_mode_to_security_class(umode_t mode)
610 {
611         switch (mode & S_IFMT) {
612         case S_IFSOCK:
613                 return SECCLASS_SOCK_FILE;
614         case S_IFLNK:
615                 return SECCLASS_LNK_FILE;
616         case S_IFREG:
617                 return SECCLASS_FILE;
618         case S_IFBLK:
619                 return SECCLASS_BLK_FILE;
620         case S_IFDIR:
621                 return SECCLASS_DIR;
622         case S_IFCHR:
623                 return SECCLASS_CHR_FILE;
624         case S_IFIFO:
625                 return SECCLASS_FIFO_FILE;
626
627         }
628
629         return SECCLASS_FILE;
630 }
631
632 static inline int default_protocol_stream(int protocol)
633 {
634         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
635 }
636
637 static inline int default_protocol_dgram(int protocol)
638 {
639         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
640 }
641
642 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
643 {
644         switch (family) {
645         case PF_UNIX:
646                 switch (type) {
647                 case SOCK_STREAM:
648                 case SOCK_SEQPACKET:
649                         return SECCLASS_UNIX_STREAM_SOCKET;
650                 case SOCK_DGRAM:
651                         return SECCLASS_UNIX_DGRAM_SOCKET;
652                 }
653                 break;
654         case PF_INET:
655         case PF_INET6:
656                 switch (type) {
657                 case SOCK_STREAM:
658                         if (default_protocol_stream(protocol))
659                                 return SECCLASS_TCP_SOCKET;
660                         else
661                                 return SECCLASS_RAWIP_SOCKET;
662                 case SOCK_DGRAM:
663                         if (default_protocol_dgram(protocol))
664                                 return SECCLASS_UDP_SOCKET;
665                         else
666                                 return SECCLASS_RAWIP_SOCKET;
667                 default:
668                         return SECCLASS_RAWIP_SOCKET;
669                 }
670                 break;
671         case PF_NETLINK:
672                 switch (protocol) {
673                 case NETLINK_ROUTE:
674                         return SECCLASS_NETLINK_ROUTE_SOCKET;
675                 case NETLINK_FIREWALL:
676                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
677                 case NETLINK_INET_DIAG:
678                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
679                 case NETLINK_NFLOG:
680                         return SECCLASS_NETLINK_NFLOG_SOCKET;
681                 case NETLINK_XFRM:
682                         return SECCLASS_NETLINK_XFRM_SOCKET;
683                 case NETLINK_SELINUX:
684                         return SECCLASS_NETLINK_SELINUX_SOCKET;
685                 case NETLINK_AUDIT:
686                         return SECCLASS_NETLINK_AUDIT_SOCKET;
687                 case NETLINK_IP6_FW:
688                         return SECCLASS_NETLINK_IP6FW_SOCKET;
689                 case NETLINK_DNRTMSG:
690                         return SECCLASS_NETLINK_DNRT_SOCKET;
691                 case NETLINK_KOBJECT_UEVENT:
692                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
693                 default:
694                         return SECCLASS_NETLINK_SOCKET;
695                 }
696         case PF_PACKET:
697                 return SECCLASS_PACKET_SOCKET;
698         case PF_KEY:
699                 return SECCLASS_KEY_SOCKET;
700         case PF_APPLETALK:
701                 return SECCLASS_APPLETALK_SOCKET;
702         }
703
704         return SECCLASS_SOCKET;
705 }
706
707 #ifdef CONFIG_PROC_FS
708 static int selinux_proc_get_sid(struct proc_dir_entry *de,
709                                 u16 tclass,
710                                 u32 *sid)
711 {
712         int buflen, rc;
713         char *buffer, *path, *end;
714
715         buffer = (char*)__get_free_page(GFP_KERNEL);
716         if (!buffer)
717                 return -ENOMEM;
718
719         buflen = PAGE_SIZE;
720         end = buffer+buflen;
721         *--end = '\0';
722         buflen--;
723         path = end-1;
724         *path = '/';
725         while (de && de != de->parent) {
726                 buflen -= de->namelen + 1;
727                 if (buflen < 0)
728                         break;
729                 end -= de->namelen;
730                 memcpy(end, de->name, de->namelen);
731                 *--end = '/';
732                 path = end;
733                 de = de->parent;
734         }
735         rc = security_genfs_sid("proc", path, tclass, sid);
736         free_page((unsigned long)buffer);
737         return rc;
738 }
739 #else
740 static int selinux_proc_get_sid(struct proc_dir_entry *de,
741                                 u16 tclass,
742                                 u32 *sid)
743 {
744         return -EINVAL;
745 }
746 #endif
747
748 /* The inode's security attributes must be initialized before first use. */
749 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
750 {
751         struct superblock_security_struct *sbsec = NULL;
752         struct inode_security_struct *isec = inode->i_security;
753         u32 sid;
754         struct dentry *dentry;
755 #define INITCONTEXTLEN 255
756         char *context = NULL;
757         unsigned len = 0;
758         int rc = 0;
759         int hold_sem = 0;
760
761         if (isec->initialized)
762                 goto out;
763
764         down(&isec->sem);
765         hold_sem = 1;
766         if (isec->initialized)
767                 goto out;
768
769         sbsec = inode->i_sb->s_security;
770         if (!sbsec->initialized) {
771                 /* Defer initialization until selinux_complete_init,
772                    after the initial policy is loaded and the security
773                    server is ready to handle calls. */
774                 spin_lock(&sbsec->isec_lock);
775                 if (list_empty(&isec->list))
776                         list_add(&isec->list, &sbsec->isec_head);
777                 spin_unlock(&sbsec->isec_lock);
778                 goto out;
779         }
780
781         switch (sbsec->behavior) {
782         case SECURITY_FS_USE_XATTR:
783                 if (!inode->i_op->getxattr) {
784                         isec->sid = sbsec->def_sid;
785                         break;
786                 }
787
788                 /* Need a dentry, since the xattr API requires one.
789                    Life would be simpler if we could just pass the inode. */
790                 if (opt_dentry) {
791                         /* Called from d_instantiate or d_splice_alias. */
792                         dentry = dget(opt_dentry);
793                 } else {
794                         /* Called from selinux_complete_init, try to find a dentry. */
795                         dentry = d_find_alias(inode);
796                 }
797                 if (!dentry) {
798                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
799                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
800                                inode->i_ino);
801                         goto out;
802                 }
803
804                 len = INITCONTEXTLEN;
805                 context = kmalloc(len, GFP_KERNEL);
806                 if (!context) {
807                         rc = -ENOMEM;
808                         dput(dentry);
809                         goto out;
810                 }
811                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
812                                            context, len);
813                 if (rc == -ERANGE) {
814                         /* Need a larger buffer.  Query for the right size. */
815                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
816                                                    NULL, 0);
817                         if (rc < 0) {
818                                 dput(dentry);
819                                 goto out;
820                         }
821                         kfree(context);
822                         len = rc;
823                         context = kmalloc(len, GFP_KERNEL);
824                         if (!context) {
825                                 rc = -ENOMEM;
826                                 dput(dentry);
827                                 goto out;
828                         }
829                         rc = inode->i_op->getxattr(dentry,
830                                                    XATTR_NAME_SELINUX,
831                                                    context, len);
832                 }
833                 dput(dentry);
834                 if (rc < 0) {
835                         if (rc != -ENODATA) {
836                                 printk(KERN_WARNING "%s:  getxattr returned "
837                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
838                                        -rc, inode->i_sb->s_id, inode->i_ino);
839                                 kfree(context);
840                                 goto out;
841                         }
842                         /* Map ENODATA to the default file SID */
843                         sid = sbsec->def_sid;
844                         rc = 0;
845                 } else {
846                         rc = security_context_to_sid_default(context, rc, &sid,
847                                                              sbsec->def_sid);
848                         if (rc) {
849                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
850                                        "returned %d for dev=%s ino=%ld\n",
851                                        __FUNCTION__, context, -rc,
852                                        inode->i_sb->s_id, inode->i_ino);
853                                 kfree(context);
854                                 /* Leave with the unlabeled SID */
855                                 rc = 0;
856                                 break;
857                         }
858                 }
859                 kfree(context);
860                 isec->sid = sid;
861                 break;
862         case SECURITY_FS_USE_TASK:
863                 isec->sid = isec->task_sid;
864                 break;
865         case SECURITY_FS_USE_TRANS:
866                 /* Default to the fs SID. */
867                 isec->sid = sbsec->sid;
868
869                 /* Try to obtain a transition SID. */
870                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
871                 rc = security_transition_sid(isec->task_sid,
872                                              sbsec->sid,
873                                              isec->sclass,
874                                              &sid);
875                 if (rc)
876                         goto out;
877                 isec->sid = sid;
878                 break;
879         default:
880                 /* Default to the fs SID. */
881                 isec->sid = sbsec->sid;
882
883                 if (sbsec->proc) {
884                         struct proc_inode *proci = PROC_I(inode);
885                         if (proci->pde) {
886                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
887                                 rc = selinux_proc_get_sid(proci->pde,
888                                                           isec->sclass,
889                                                           &sid);
890                                 if (rc)
891                                         goto out;
892                                 isec->sid = sid;
893                         }
894                 }
895                 break;
896         }
897
898         isec->initialized = 1;
899
900 out:
901         if (isec->sclass == SECCLASS_FILE)
902                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
903
904         if (hold_sem)
905                 up(&isec->sem);
906         return rc;
907 }
908
909 /* Convert a Linux signal to an access vector. */
910 static inline u32 signal_to_av(int sig)
911 {
912         u32 perm = 0;
913
914         switch (sig) {
915         case SIGCHLD:
916                 /* Commonly granted from child to parent. */
917                 perm = PROCESS__SIGCHLD;
918                 break;
919         case SIGKILL:
920                 /* Cannot be caught or ignored */
921                 perm = PROCESS__SIGKILL;
922                 break;
923         case SIGSTOP:
924                 /* Cannot be caught or ignored */
925                 perm = PROCESS__SIGSTOP;
926                 break;
927         default:
928                 /* All other signals. */
929                 perm = PROCESS__SIGNAL;
930                 break;
931         }
932
933         return perm;
934 }
935
936 /* Check permission betweeen a pair of tasks, e.g. signal checks,
937    fork check, ptrace check, etc. */
938 static int task_has_perm(struct task_struct *tsk1,
939                          struct task_struct *tsk2,
940                          u32 perms)
941 {
942         struct task_security_struct *tsec1, *tsec2;
943
944         tsec1 = tsk1->security;
945         tsec2 = tsk2->security;
946         return avc_has_perm(tsec1->sid, tsec2->sid,
947                             SECCLASS_PROCESS, perms, NULL);
948 }
949
950 /* Check whether a task is allowed to use a capability. */
951 static int task_has_capability(struct task_struct *tsk,
952                                int cap)
953 {
954         struct task_security_struct *tsec;
955         struct avc_audit_data ad;
956
957         tsec = tsk->security;
958
959         AVC_AUDIT_DATA_INIT(&ad,CAP);
960         ad.tsk = tsk;
961         ad.u.cap = cap;
962
963         return avc_has_perm(tsec->sid, tsec->sid,
964                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
965 }
966
967 /* Check whether a task is allowed to use a system operation. */
968 static int task_has_system(struct task_struct *tsk,
969                            u32 perms)
970 {
971         struct task_security_struct *tsec;
972
973         tsec = tsk->security;
974
975         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
976                             SECCLASS_SYSTEM, perms, NULL);
977 }
978
979 /* Check whether a task has a particular permission to an inode.
980    The 'adp' parameter is optional and allows other audit
981    data to be passed (e.g. the dentry). */
982 static int inode_has_perm(struct task_struct *tsk,
983                           struct inode *inode,
984                           u32 perms,
985                           struct avc_audit_data *adp)
986 {
987         struct task_security_struct *tsec;
988         struct inode_security_struct *isec;
989         struct avc_audit_data ad;
990
991         tsec = tsk->security;
992         isec = inode->i_security;
993
994         if (!adp) {
995                 adp = &ad;
996                 AVC_AUDIT_DATA_INIT(&ad, FS);
997                 ad.u.fs.inode = inode;
998         }
999
1000         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1001 }
1002
1003 /* Same as inode_has_perm, but pass explicit audit data containing
1004    the dentry to help the auditing code to more easily generate the
1005    pathname if needed. */
1006 static inline int dentry_has_perm(struct task_struct *tsk,
1007                                   struct vfsmount *mnt,
1008                                   struct dentry *dentry,
1009                                   u32 av)
1010 {
1011         struct inode *inode = dentry->d_inode;
1012         struct avc_audit_data ad;
1013         AVC_AUDIT_DATA_INIT(&ad,FS);
1014         ad.u.fs.mnt = mnt;
1015         ad.u.fs.dentry = dentry;
1016         return inode_has_perm(tsk, inode, av, &ad);
1017 }
1018
1019 /* Check whether a task can use an open file descriptor to
1020    access an inode in a given way.  Check access to the
1021    descriptor itself, and then use dentry_has_perm to
1022    check a particular permission to the file.
1023    Access to the descriptor is implicitly granted if it
1024    has the same SID as the process.  If av is zero, then
1025    access to the file is not checked, e.g. for cases
1026    where only the descriptor is affected like seek. */
1027 static int file_has_perm(struct task_struct *tsk,
1028                                 struct file *file,
1029                                 u32 av)
1030 {
1031         struct task_security_struct *tsec = tsk->security;
1032         struct file_security_struct *fsec = file->f_security;
1033         struct vfsmount *mnt = file->f_vfsmnt;
1034         struct dentry *dentry = file->f_dentry;
1035         struct inode *inode = dentry->d_inode;
1036         struct avc_audit_data ad;
1037         int rc;
1038
1039         AVC_AUDIT_DATA_INIT(&ad, FS);
1040         ad.u.fs.mnt = mnt;
1041         ad.u.fs.dentry = dentry;
1042
1043         if (tsec->sid != fsec->sid) {
1044                 rc = avc_has_perm(tsec->sid, fsec->sid,
1045                                   SECCLASS_FD,
1046                                   FD__USE,
1047                                   &ad);
1048                 if (rc)
1049                         return rc;
1050         }
1051
1052         /* av is zero if only checking access to the descriptor. */
1053         if (av)
1054                 return inode_has_perm(tsk, inode, av, &ad);
1055
1056         return 0;
1057 }
1058
1059 /* Check whether a task can create a file. */
1060 static int may_create(struct inode *dir,
1061                       struct dentry *dentry,
1062                       u16 tclass)
1063 {
1064         struct task_security_struct *tsec;
1065         struct inode_security_struct *dsec;
1066         struct superblock_security_struct *sbsec;
1067         u32 newsid;
1068         struct avc_audit_data ad;
1069         int rc;
1070
1071         tsec = current->security;
1072         dsec = dir->i_security;
1073         sbsec = dir->i_sb->s_security;
1074
1075         AVC_AUDIT_DATA_INIT(&ad, FS);
1076         ad.u.fs.dentry = dentry;
1077
1078         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1079                           DIR__ADD_NAME | DIR__SEARCH,
1080                           &ad);
1081         if (rc)
1082                 return rc;
1083
1084         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1085                 newsid = tsec->create_sid;
1086         } else {
1087                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1088                                              &newsid);
1089                 if (rc)
1090                         return rc;
1091         }
1092
1093         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1094         if (rc)
1095                 return rc;
1096
1097         return avc_has_perm(newsid, sbsec->sid,
1098                             SECCLASS_FILESYSTEM,
1099                             FILESYSTEM__ASSOCIATE, &ad);
1100 }
1101
1102 #define MAY_LINK   0
1103 #define MAY_UNLINK 1
1104 #define MAY_RMDIR  2
1105
1106 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1107 static int may_link(struct inode *dir,
1108                     struct dentry *dentry,
1109                     int kind)
1110
1111 {
1112         struct task_security_struct *tsec;
1113         struct inode_security_struct *dsec, *isec;
1114         struct avc_audit_data ad;
1115         u32 av;
1116         int rc;
1117
1118         tsec = current->security;
1119         dsec = dir->i_security;
1120         isec = dentry->d_inode->i_security;
1121
1122         AVC_AUDIT_DATA_INIT(&ad, FS);
1123         ad.u.fs.dentry = dentry;
1124
1125         av = DIR__SEARCH;
1126         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1127         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1128         if (rc)
1129                 return rc;
1130
1131         switch (kind) {
1132         case MAY_LINK:
1133                 av = FILE__LINK;
1134                 break;
1135         case MAY_UNLINK:
1136                 av = FILE__UNLINK;
1137                 break;
1138         case MAY_RMDIR:
1139                 av = DIR__RMDIR;
1140                 break;
1141         default:
1142                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1143                 return 0;
1144         }
1145
1146         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1147         return rc;
1148 }
1149
1150 static inline int may_rename(struct inode *old_dir,
1151                              struct dentry *old_dentry,
1152                              struct inode *new_dir,
1153                              struct dentry *new_dentry)
1154 {
1155         struct task_security_struct *tsec;
1156         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1157         struct avc_audit_data ad;
1158         u32 av;
1159         int old_is_dir, new_is_dir;
1160         int rc;
1161
1162         tsec = current->security;
1163         old_dsec = old_dir->i_security;
1164         old_isec = old_dentry->d_inode->i_security;
1165         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1166         new_dsec = new_dir->i_security;
1167
1168         AVC_AUDIT_DATA_INIT(&ad, FS);
1169
1170         ad.u.fs.dentry = old_dentry;
1171         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1172                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1173         if (rc)
1174                 return rc;
1175         rc = avc_has_perm(tsec->sid, old_isec->sid,
1176                           old_isec->sclass, FILE__RENAME, &ad);
1177         if (rc)
1178                 return rc;
1179         if (old_is_dir && new_dir != old_dir) {
1180                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1181                                   old_isec->sclass, DIR__REPARENT, &ad);
1182                 if (rc)
1183                         return rc;
1184         }
1185
1186         ad.u.fs.dentry = new_dentry;
1187         av = DIR__ADD_NAME | DIR__SEARCH;
1188         if (new_dentry->d_inode)
1189                 av |= DIR__REMOVE_NAME;
1190         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1191         if (rc)
1192                 return rc;
1193         if (new_dentry->d_inode) {
1194                 new_isec = new_dentry->d_inode->i_security;
1195                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1196                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1197                                   new_isec->sclass,
1198                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1199                 if (rc)
1200                         return rc;
1201         }
1202
1203         return 0;
1204 }
1205
1206 /* Check whether a task can perform a filesystem operation. */
1207 static int superblock_has_perm(struct task_struct *tsk,
1208                                struct super_block *sb,
1209                                u32 perms,
1210                                struct avc_audit_data *ad)
1211 {
1212         struct task_security_struct *tsec;
1213         struct superblock_security_struct *sbsec;
1214
1215         tsec = tsk->security;
1216         sbsec = sb->s_security;
1217         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1218                             perms, ad);
1219 }
1220
1221 /* Convert a Linux mode and permission mask to an access vector. */
1222 static inline u32 file_mask_to_av(int mode, int mask)
1223 {
1224         u32 av = 0;
1225
1226         if ((mode & S_IFMT) != S_IFDIR) {
1227                 if (mask & MAY_EXEC)
1228                         av |= FILE__EXECUTE;
1229                 if (mask & MAY_READ)
1230                         av |= FILE__READ;
1231
1232                 if (mask & MAY_APPEND)
1233                         av |= FILE__APPEND;
1234                 else if (mask & MAY_WRITE)
1235                         av |= FILE__WRITE;
1236
1237         } else {
1238                 if (mask & MAY_EXEC)
1239                         av |= DIR__SEARCH;
1240                 if (mask & MAY_WRITE)
1241                         av |= DIR__WRITE;
1242                 if (mask & MAY_READ)
1243                         av |= DIR__READ;
1244         }
1245
1246         return av;
1247 }
1248
1249 /* Convert a Linux file to an access vector. */
1250 static inline u32 file_to_av(struct file *file)
1251 {
1252         u32 av = 0;
1253
1254         if (file->f_mode & FMODE_READ)
1255                 av |= FILE__READ;
1256         if (file->f_mode & FMODE_WRITE) {
1257                 if (file->f_flags & O_APPEND)
1258                         av |= FILE__APPEND;
1259                 else
1260                         av |= FILE__WRITE;
1261         }
1262
1263         return av;
1264 }
1265
1266 /* Set an inode's SID to a specified value. */
1267 static int inode_security_set_sid(struct inode *inode, u32 sid)
1268 {
1269         struct inode_security_struct *isec = inode->i_security;
1270         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1271
1272         if (!sbsec->initialized) {
1273                 /* Defer initialization to selinux_complete_init. */
1274                 return 0;
1275         }
1276
1277         down(&isec->sem);
1278         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1279         isec->sid = sid;
1280         isec->initialized = 1;
1281         up(&isec->sem);
1282         return 0;
1283 }
1284
1285 /* Hook functions begin here. */
1286
1287 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1288 {
1289         struct task_security_struct *psec = parent->security;
1290         struct task_security_struct *csec = child->security;
1291         int rc;
1292
1293         rc = secondary_ops->ptrace(parent,child);
1294         if (rc)
1295                 return rc;
1296
1297         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1298         /* Save the SID of the tracing process for later use in apply_creds. */
1299         if (!(child->ptrace & PT_PTRACED) && !rc)
1300                 csec->ptrace_sid = psec->sid;
1301         return rc;
1302 }
1303
1304 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1305                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1306 {
1307         int error;
1308
1309         error = task_has_perm(current, target, PROCESS__GETCAP);
1310         if (error)
1311                 return error;
1312
1313         return secondary_ops->capget(target, effective, inheritable, permitted);
1314 }
1315
1316 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1317                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1318 {
1319         int error;
1320
1321         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1322         if (error)
1323                 return error;
1324
1325         return task_has_perm(current, target, PROCESS__SETCAP);
1326 }
1327
1328 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1329                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1330 {
1331         secondary_ops->capset_set(target, effective, inheritable, permitted);
1332 }
1333
1334 static int selinux_capable(struct task_struct *tsk, int cap)
1335 {
1336         int rc;
1337
1338         rc = secondary_ops->capable(tsk, cap);
1339         if (rc)
1340                 return rc;
1341
1342         return task_has_capability(tsk,cap);
1343 }
1344
1345 static int selinux_sysctl(ctl_table *table, int op)
1346 {
1347         int error = 0;
1348         u32 av;
1349         struct task_security_struct *tsec;
1350         u32 tsid;
1351         int rc;
1352
1353         rc = secondary_ops->sysctl(table, op);
1354         if (rc)
1355                 return rc;
1356
1357         tsec = current->security;
1358
1359         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1360                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1361         if (rc) {
1362                 /* Default to the well-defined sysctl SID. */
1363                 tsid = SECINITSID_SYSCTL;
1364         }
1365
1366         /* The op values are "defined" in sysctl.c, thereby creating
1367          * a bad coupling between this module and sysctl.c */
1368         if(op == 001) {
1369                 error = avc_has_perm(tsec->sid, tsid,
1370                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1371         } else {
1372                 av = 0;
1373                 if (op & 004)
1374                         av |= FILE__READ;
1375                 if (op & 002)
1376                         av |= FILE__WRITE;
1377                 if (av)
1378                         error = avc_has_perm(tsec->sid, tsid,
1379                                              SECCLASS_FILE, av, NULL);
1380         }
1381
1382         return error;
1383 }
1384
1385 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1386 {
1387         int rc = 0;
1388
1389         if (!sb)
1390                 return 0;
1391
1392         switch (cmds) {
1393                 case Q_SYNC:
1394                 case Q_QUOTAON:
1395                 case Q_QUOTAOFF:
1396                 case Q_SETINFO:
1397                 case Q_SETQUOTA:
1398                         rc = superblock_has_perm(current,
1399                                                  sb,
1400                                                  FILESYSTEM__QUOTAMOD, NULL);
1401                         break;
1402                 case Q_GETFMT:
1403                 case Q_GETINFO:
1404                 case Q_GETQUOTA:
1405                         rc = superblock_has_perm(current,
1406                                                  sb,
1407                                                  FILESYSTEM__QUOTAGET, NULL);
1408                         break;
1409                 default:
1410                         rc = 0;  /* let the kernel handle invalid cmds */
1411                         break;
1412         }
1413         return rc;
1414 }
1415
1416 static int selinux_quota_on(struct dentry *dentry)
1417 {
1418         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1419 }
1420
1421 static int selinux_syslog(int type)
1422 {
1423         int rc;
1424
1425         rc = secondary_ops->syslog(type);
1426         if (rc)
1427                 return rc;
1428
1429         switch (type) {
1430                 case 3:         /* Read last kernel messages */
1431                 case 10:        /* Return size of the log buffer */
1432                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1433                         break;
1434                 case 6:         /* Disable logging to console */
1435                 case 7:         /* Enable logging to console */
1436                 case 8:         /* Set level of messages printed to console */
1437                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1438                         break;
1439                 case 0:         /* Close log */
1440                 case 1:         /* Open log */
1441                 case 2:         /* Read from log */
1442                 case 4:         /* Read/clear last kernel messages */
1443                 case 5:         /* Clear ring buffer */
1444                 default:
1445                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1446                         break;
1447         }
1448         return rc;
1449 }
1450
1451 /*
1452  * Check that a process has enough memory to allocate a new virtual
1453  * mapping. 0 means there is enough memory for the allocation to
1454  * succeed and -ENOMEM implies there is not.
1455  *
1456  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1457  * if the capability is granted, but __vm_enough_memory requires 1 if
1458  * the capability is granted.
1459  *
1460  * Do not audit the selinux permission check, as this is applied to all
1461  * processes that allocate mappings.
1462  */
1463 static int selinux_vm_enough_memory(long pages)
1464 {
1465         int rc, cap_sys_admin = 0;
1466         struct task_security_struct *tsec = current->security;
1467
1468         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1469         if (rc == 0)
1470                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1471                                         SECCLASS_CAPABILITY,
1472                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1473                                         NULL);
1474
1475         if (rc == 0)
1476                 cap_sys_admin = 1;
1477
1478         return __vm_enough_memory(pages, cap_sys_admin);
1479 }
1480
1481 /* binprm security operations */
1482
1483 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1484 {
1485         struct bprm_security_struct *bsec;
1486
1487         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1488         if (!bsec)
1489                 return -ENOMEM;
1490
1491         bsec->bprm = bprm;
1492         bsec->sid = SECINITSID_UNLABELED;
1493         bsec->set = 0;
1494
1495         bprm->security = bsec;
1496         return 0;
1497 }
1498
1499 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1500 {
1501         struct task_security_struct *tsec;
1502         struct inode *inode = bprm->file->f_dentry->d_inode;
1503         struct inode_security_struct *isec;
1504         struct bprm_security_struct *bsec;
1505         u32 newsid;
1506         struct avc_audit_data ad;
1507         int rc;
1508
1509         rc = secondary_ops->bprm_set_security(bprm);
1510         if (rc)
1511                 return rc;
1512
1513         bsec = bprm->security;
1514
1515         if (bsec->set)
1516                 return 0;
1517
1518         tsec = current->security;
1519         isec = inode->i_security;
1520
1521         /* Default to the current task SID. */
1522         bsec->sid = tsec->sid;
1523
1524         /* Reset create SID on execve. */
1525         tsec->create_sid = 0;
1526
1527         if (tsec->exec_sid) {
1528                 newsid = tsec->exec_sid;
1529                 /* Reset exec SID on execve. */
1530                 tsec->exec_sid = 0;
1531         } else {
1532                 /* Check for a default transition on this program. */
1533                 rc = security_transition_sid(tsec->sid, isec->sid,
1534                                              SECCLASS_PROCESS, &newsid);
1535                 if (rc)
1536                         return rc;
1537         }
1538
1539         AVC_AUDIT_DATA_INIT(&ad, FS);
1540         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1541         ad.u.fs.dentry = bprm->file->f_dentry;
1542
1543         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1544                 newsid = tsec->sid;
1545
1546         if (tsec->sid == newsid) {
1547                 rc = avc_has_perm(tsec->sid, isec->sid,
1548                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1549                 if (rc)
1550                         return rc;
1551         } else {
1552                 /* Check permissions for the transition. */
1553                 rc = avc_has_perm(tsec->sid, newsid,
1554                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1555                 if (rc)
1556                         return rc;
1557
1558                 rc = avc_has_perm(newsid, isec->sid,
1559                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1560                 if (rc)
1561                         return rc;
1562
1563                 /* Clear any possibly unsafe personality bits on exec: */
1564                 current->personality &= ~PER_CLEAR_ON_SETID;
1565
1566                 /* Set the security field to the new SID. */
1567                 bsec->sid = newsid;
1568         }
1569
1570         bsec->set = 1;
1571         return 0;
1572 }
1573
1574 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1575 {
1576         return secondary_ops->bprm_check_security(bprm);
1577 }
1578
1579
1580 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1581 {
1582         struct task_security_struct *tsec = current->security;
1583         int atsecure = 0;
1584
1585         if (tsec->osid != tsec->sid) {
1586                 /* Enable secure mode for SIDs transitions unless
1587                    the noatsecure permission is granted between
1588                    the two SIDs, i.e. ahp returns 0. */
1589                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1590                                          SECCLASS_PROCESS,
1591                                          PROCESS__NOATSECURE, NULL);
1592         }
1593
1594         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1595 }
1596
1597 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1598 {
1599         kfree(bprm->security);
1600         bprm->security = NULL;
1601 }
1602
1603 extern struct vfsmount *selinuxfs_mount;
1604 extern struct dentry *selinux_null;
1605
1606 /* Derived from fs/exec.c:flush_old_files. */
1607 static inline void flush_unauthorized_files(struct files_struct * files)
1608 {
1609         struct avc_audit_data ad;
1610         struct file *file, *devnull = NULL;
1611         struct tty_struct *tty = current->signal->tty;
1612         struct fdtable *fdt;
1613         long j = -1;
1614
1615         if (tty) {
1616                 file_list_lock();
1617                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1618                 if (file) {
1619                         /* Revalidate access to controlling tty.
1620                            Use inode_has_perm on the tty inode directly rather
1621                            than using file_has_perm, as this particular open
1622                            file may belong to another process and we are only
1623                            interested in the inode-based check here. */
1624                         struct inode *inode = file->f_dentry->d_inode;
1625                         if (inode_has_perm(current, inode,
1626                                            FILE__READ | FILE__WRITE, NULL)) {
1627                                 /* Reset controlling tty. */
1628                                 current->signal->tty = NULL;
1629                                 current->signal->tty_old_pgrp = 0;
1630                         }
1631                 }
1632                 file_list_unlock();
1633         }
1634
1635         /* Revalidate access to inherited open files. */
1636
1637         AVC_AUDIT_DATA_INIT(&ad,FS);
1638
1639         spin_lock(&files->file_lock);
1640         for (;;) {
1641                 unsigned long set, i;
1642                 int fd;
1643
1644                 j++;
1645                 i = j * __NFDBITS;
1646                 fdt = files_fdtable(files);
1647                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1648                         break;
1649                 set = fdt->open_fds->fds_bits[j];
1650                 if (!set)
1651                         continue;
1652                 spin_unlock(&files->file_lock);
1653                 for ( ; set ; i++,set >>= 1) {
1654                         if (set & 1) {
1655                                 file = fget(i);
1656                                 if (!file)
1657                                         continue;
1658                                 if (file_has_perm(current,
1659                                                   file,
1660                                                   file_to_av(file))) {
1661                                         sys_close(i);
1662                                         fd = get_unused_fd();
1663                                         if (fd != i) {
1664                                                 if (fd >= 0)
1665                                                         put_unused_fd(fd);
1666                                                 fput(file);
1667                                                 continue;
1668                                         }
1669                                         if (devnull) {
1670                                                 get_file(devnull);
1671                                         } else {
1672                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1673                                                 if (!devnull) {
1674                                                         put_unused_fd(fd);
1675                                                         fput(file);
1676                                                         continue;
1677                                                 }
1678                                         }
1679                                         fd_install(fd, devnull);
1680                                 }
1681                                 fput(file);
1682                         }
1683                 }
1684                 spin_lock(&files->file_lock);
1685
1686         }
1687         spin_unlock(&files->file_lock);
1688 }
1689
1690 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1691 {
1692         struct task_security_struct *tsec;
1693         struct bprm_security_struct *bsec;
1694         u32 sid;
1695         int rc;
1696
1697         secondary_ops->bprm_apply_creds(bprm, unsafe);
1698
1699         tsec = current->security;
1700
1701         bsec = bprm->security;
1702         sid = bsec->sid;
1703
1704         tsec->osid = tsec->sid;
1705         bsec->unsafe = 0;
1706         if (tsec->sid != sid) {
1707                 /* Check for shared state.  If not ok, leave SID
1708                    unchanged and kill. */
1709                 if (unsafe & LSM_UNSAFE_SHARE) {
1710                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1711                                         PROCESS__SHARE, NULL);
1712                         if (rc) {
1713                                 bsec->unsafe = 1;
1714                                 return;
1715                         }
1716                 }
1717
1718                 /* Check for ptracing, and update the task SID if ok.
1719                    Otherwise, leave SID unchanged and kill. */
1720                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1721                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1722                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1723                                           NULL);
1724                         if (rc) {
1725                                 bsec->unsafe = 1;
1726                                 return;
1727                         }
1728                 }
1729                 tsec->sid = sid;
1730         }
1731 }
1732
1733 /*
1734  * called after apply_creds without the task lock held
1735  */
1736 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1737 {
1738         struct task_security_struct *tsec;
1739         struct rlimit *rlim, *initrlim;
1740         struct itimerval itimer;
1741         struct bprm_security_struct *bsec;
1742         int rc, i;
1743
1744         tsec = current->security;
1745         bsec = bprm->security;
1746
1747         if (bsec->unsafe) {
1748                 force_sig_specific(SIGKILL, current);
1749                 return;
1750         }
1751         if (tsec->osid == tsec->sid)
1752                 return;
1753
1754         /* Close files for which the new task SID is not authorized. */
1755         flush_unauthorized_files(current->files);
1756
1757         /* Check whether the new SID can inherit signal state
1758            from the old SID.  If not, clear itimers to avoid
1759            subsequent signal generation and flush and unblock
1760            signals. This must occur _after_ the task SID has
1761           been updated so that any kill done after the flush
1762           will be checked against the new SID. */
1763         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1764                           PROCESS__SIGINH, NULL);
1765         if (rc) {
1766                 memset(&itimer, 0, sizeof itimer);
1767                 for (i = 0; i < 3; i++)
1768                         do_setitimer(i, &itimer, NULL);
1769                 flush_signals(current);
1770                 spin_lock_irq(&current->sighand->siglock);
1771                 flush_signal_handlers(current, 1);
1772                 sigemptyset(&current->blocked);
1773                 recalc_sigpending();
1774                 spin_unlock_irq(&current->sighand->siglock);
1775         }
1776
1777         /* Check whether the new SID can inherit resource limits
1778            from the old SID.  If not, reset all soft limits to
1779            the lower of the current task's hard limit and the init
1780            task's soft limit.  Note that the setting of hard limits
1781            (even to lower them) can be controlled by the setrlimit
1782            check. The inclusion of the init task's soft limit into
1783            the computation is to avoid resetting soft limits higher
1784            than the default soft limit for cases where the default
1785            is lower than the hard limit, e.g. RLIMIT_CORE or
1786            RLIMIT_STACK.*/
1787         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1788                           PROCESS__RLIMITINH, NULL);
1789         if (rc) {
1790                 for (i = 0; i < RLIM_NLIMITS; i++) {
1791                         rlim = current->signal->rlim + i;
1792                         initrlim = init_task.signal->rlim+i;
1793                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1794                 }
1795                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1796                         /*
1797                          * This will cause RLIMIT_CPU calculations
1798                          * to be refigured.
1799                          */
1800                         current->it_prof_expires = jiffies_to_cputime(1);
1801                 }
1802         }
1803
1804         /* Wake up the parent if it is waiting so that it can
1805            recheck wait permission to the new task SID. */
1806         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1807 }
1808
1809 /* superblock security operations */
1810
1811 static int selinux_sb_alloc_security(struct super_block *sb)
1812 {
1813         return superblock_alloc_security(sb);
1814 }
1815
1816 static void selinux_sb_free_security(struct super_block *sb)
1817 {
1818         superblock_free_security(sb);
1819 }
1820
1821 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1822 {
1823         if (plen > olen)
1824                 return 0;
1825
1826         return !memcmp(prefix, option, plen);
1827 }
1828
1829 static inline int selinux_option(char *option, int len)
1830 {
1831         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1832                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1833                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1834 }
1835
1836 static inline void take_option(char **to, char *from, int *first, int len)
1837 {
1838         if (!*first) {
1839                 **to = ',';
1840                 *to += 1;
1841         }
1842         else
1843                 *first = 0;
1844         memcpy(*to, from, len);
1845         *to += len;
1846 }
1847
1848 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1849 {
1850         int fnosec, fsec, rc = 0;
1851         char *in_save, *in_curr, *in_end;
1852         char *sec_curr, *nosec_save, *nosec;
1853
1854         in_curr = orig;
1855         sec_curr = copy;
1856
1857         /* Binary mount data: just copy */
1858         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1859                 copy_page(sec_curr, in_curr);
1860                 goto out;
1861         }
1862
1863         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1864         if (!nosec) {
1865                 rc = -ENOMEM;
1866                 goto out;
1867         }
1868
1869         nosec_save = nosec;
1870         fnosec = fsec = 1;
1871         in_save = in_end = orig;
1872
1873         do {
1874                 if (*in_end == ',' || *in_end == '\0') {
1875                         int len = in_end - in_curr;
1876
1877                         if (selinux_option(in_curr, len))
1878                                 take_option(&sec_curr, in_curr, &fsec, len);
1879                         else
1880                                 take_option(&nosec, in_curr, &fnosec, len);
1881
1882                         in_curr = in_end + 1;
1883                 }
1884         } while (*in_end++);
1885
1886         strcpy(in_save, nosec_save);
1887         free_page((unsigned long)nosec_save);
1888 out:
1889         return rc;
1890 }
1891
1892 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1893 {
1894         struct avc_audit_data ad;
1895         int rc;
1896
1897         rc = superblock_doinit(sb, data);
1898         if (rc)
1899                 return rc;
1900
1901         AVC_AUDIT_DATA_INIT(&ad,FS);
1902         ad.u.fs.dentry = sb->s_root;
1903         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1904 }
1905
1906 static int selinux_sb_statfs(struct dentry *dentry)
1907 {
1908         struct avc_audit_data ad;
1909
1910         AVC_AUDIT_DATA_INIT(&ad,FS);
1911         ad.u.fs.dentry = dentry->d_sb->s_root;
1912         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1913 }
1914
1915 static int selinux_mount(char * dev_name,
1916                          struct nameidata *nd,
1917                          char * type,
1918                          unsigned long flags,
1919                          void * data)
1920 {
1921         int rc;
1922
1923         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1924         if (rc)
1925                 return rc;
1926
1927         if (flags & MS_REMOUNT)
1928                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1929                                            FILESYSTEM__REMOUNT, NULL);
1930         else
1931                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1932                                        FILE__MOUNTON);
1933 }
1934
1935 static int selinux_umount(struct vfsmount *mnt, int flags)
1936 {
1937         int rc;
1938
1939         rc = secondary_ops->sb_umount(mnt, flags);
1940         if (rc)
1941                 return rc;
1942
1943         return superblock_has_perm(current,mnt->mnt_sb,
1944                                    FILESYSTEM__UNMOUNT,NULL);
1945 }
1946
1947 /* inode security operations */
1948
1949 static int selinux_inode_alloc_security(struct inode *inode)
1950 {
1951         return inode_alloc_security(inode);
1952 }
1953
1954 static void selinux_inode_free_security(struct inode *inode)
1955 {
1956         inode_free_security(inode);
1957 }
1958
1959 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1960                                        char **name, void **value,
1961                                        size_t *len)
1962 {
1963         struct task_security_struct *tsec;
1964         struct inode_security_struct *dsec;
1965         struct superblock_security_struct *sbsec;
1966         u32 newsid, clen;
1967         int rc;
1968         char *namep = NULL, *context;
1969
1970         tsec = current->security;
1971         dsec = dir->i_security;
1972         sbsec = dir->i_sb->s_security;
1973
1974         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1975                 newsid = tsec->create_sid;
1976         } else {
1977                 rc = security_transition_sid(tsec->sid, dsec->sid,
1978                                              inode_mode_to_security_class(inode->i_mode),
1979                                              &newsid);
1980                 if (rc) {
1981                         printk(KERN_WARNING "%s:  "
1982                                "security_transition_sid failed, rc=%d (dev=%s "
1983                                "ino=%ld)\n",
1984                                __FUNCTION__,
1985                                -rc, inode->i_sb->s_id, inode->i_ino);
1986                         return rc;
1987                 }
1988         }
1989
1990         inode_security_set_sid(inode, newsid);
1991
1992         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1993                 return -EOPNOTSUPP;
1994
1995         if (name) {
1996                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1997                 if (!namep)
1998                         return -ENOMEM;
1999                 *name = namep;
2000         }
2001
2002         if (value && len) {
2003                 rc = security_sid_to_context(newsid, &context, &clen);
2004                 if (rc) {
2005                         kfree(namep);
2006                         return rc;
2007                 }
2008                 *value = context;
2009                 *len = clen;
2010         }
2011
2012         return 0;
2013 }
2014
2015 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2016 {
2017         return may_create(dir, dentry, SECCLASS_FILE);
2018 }
2019
2020 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2021 {
2022         int rc;
2023
2024         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2025         if (rc)
2026                 return rc;
2027         return may_link(dir, old_dentry, MAY_LINK);
2028 }
2029
2030 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2031 {
2032         int rc;
2033
2034         rc = secondary_ops->inode_unlink(dir, dentry);
2035         if (rc)
2036                 return rc;
2037         return may_link(dir, dentry, MAY_UNLINK);
2038 }
2039
2040 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2041 {
2042         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2043 }
2044
2045 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2046 {
2047         return may_create(dir, dentry, SECCLASS_DIR);
2048 }
2049
2050 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2051 {
2052         return may_link(dir, dentry, MAY_RMDIR);
2053 }
2054
2055 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2056 {
2057         int rc;
2058
2059         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2060         if (rc)
2061                 return rc;
2062
2063         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2064 }
2065
2066 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2067                                 struct inode *new_inode, struct dentry *new_dentry)
2068 {
2069         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2070 }
2071
2072 static int selinux_inode_readlink(struct dentry *dentry)
2073 {
2074         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2075 }
2076
2077 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2078 {
2079         int rc;
2080
2081         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2082         if (rc)
2083                 return rc;
2084         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2085 }
2086
2087 static int selinux_inode_permission(struct inode *inode, int mask,
2088                                     struct nameidata *nd)
2089 {
2090         int rc;
2091
2092         rc = secondary_ops->inode_permission(inode, mask, nd);
2093         if (rc)
2094                 return rc;
2095
2096         if (!mask) {
2097                 /* No permission to check.  Existence test. */
2098                 return 0;
2099         }
2100
2101         return inode_has_perm(current, inode,
2102                                file_mask_to_av(inode->i_mode, mask), NULL);
2103 }
2104
2105 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2106 {
2107         int rc;
2108
2109         rc = secondary_ops->inode_setattr(dentry, iattr);
2110         if (rc)
2111                 return rc;
2112
2113         if (iattr->ia_valid & ATTR_FORCE)
2114                 return 0;
2115
2116         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2117                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2118                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2119
2120         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2121 }
2122
2123 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2124 {
2125         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2126 }
2127
2128 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2129 {
2130         struct task_security_struct *tsec = current->security;
2131         struct inode *inode = dentry->d_inode;
2132         struct inode_security_struct *isec = inode->i_security;
2133         struct superblock_security_struct *sbsec;
2134         struct avc_audit_data ad;
2135         u32 newsid;
2136         int rc = 0;
2137
2138         if (strcmp(name, XATTR_NAME_SELINUX)) {
2139                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2140                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2141                     !capable(CAP_SYS_ADMIN)) {
2142                         /* A different attribute in the security namespace.
2143                            Restrict to administrator. */
2144                         return -EPERM;
2145                 }
2146
2147                 /* Not an attribute we recognize, so just check the
2148                    ordinary setattr permission. */
2149                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2150         }
2151
2152         sbsec = inode->i_sb->s_security;
2153         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2154                 return -EOPNOTSUPP;
2155
2156         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2157                 return -EPERM;
2158
2159         AVC_AUDIT_DATA_INIT(&ad,FS);
2160         ad.u.fs.dentry = dentry;
2161
2162         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2163                           FILE__RELABELFROM, &ad);
2164         if (rc)
2165                 return rc;
2166
2167         rc = security_context_to_sid(value, size, &newsid);
2168         if (rc)
2169                 return rc;
2170
2171         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2172                           FILE__RELABELTO, &ad);
2173         if (rc)
2174                 return rc;
2175
2176         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2177                                           isec->sclass);
2178         if (rc)
2179                 return rc;
2180
2181         return avc_has_perm(newsid,
2182                             sbsec->sid,
2183                             SECCLASS_FILESYSTEM,
2184                             FILESYSTEM__ASSOCIATE,
2185                             &ad);
2186 }
2187
2188 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2189                                         void *value, size_t size, int flags)
2190 {
2191         struct inode *inode = dentry->d_inode;
2192         struct inode_security_struct *isec = inode->i_security;
2193         u32 newsid;
2194         int rc;
2195
2196         if (strcmp(name, XATTR_NAME_SELINUX)) {
2197                 /* Not an attribute we recognize, so nothing to do. */
2198                 return;
2199         }
2200
2201         rc = security_context_to_sid(value, size, &newsid);
2202         if (rc) {
2203                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2204                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2205                 return;
2206         }
2207
2208         isec->sid = newsid;
2209         return;
2210 }
2211
2212 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2213 {
2214         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2215 }
2216
2217 static int selinux_inode_listxattr (struct dentry *dentry)
2218 {
2219         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2220 }
2221
2222 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2223 {
2224         if (strcmp(name, XATTR_NAME_SELINUX)) {
2225                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2226                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2227                     !capable(CAP_SYS_ADMIN)) {
2228                         /* A different attribute in the security namespace.
2229                            Restrict to administrator. */
2230                         return -EPERM;
2231                 }
2232
2233                 /* Not an attribute we recognize, so just check the
2234                    ordinary setattr permission. Might want a separate
2235                    permission for removexattr. */
2236                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2237         }
2238
2239         /* No one is allowed to remove a SELinux security label.
2240            You can change the label, but all data must be labeled. */
2241         return -EACCES;
2242 }
2243
2244 static const char *selinux_inode_xattr_getsuffix(void)
2245 {
2246       return XATTR_SELINUX_SUFFIX;
2247 }
2248
2249 /*
2250  * Copy the in-core inode security context value to the user.  If the
2251  * getxattr() prior to this succeeded, check to see if we need to
2252  * canonicalize the value to be finally returned to the user.
2253  *
2254  * Permission check is handled by selinux_inode_getxattr hook.
2255  */
2256 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2257 {
2258         struct inode_security_struct *isec = inode->i_security;
2259
2260         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2261                 return -EOPNOTSUPP;
2262
2263         return selinux_getsecurity(isec->sid, buffer, size);
2264 }
2265
2266 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2267                                      const void *value, size_t size, int flags)
2268 {
2269         struct inode_security_struct *isec = inode->i_security;
2270         u32 newsid;
2271         int rc;
2272
2273         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2274                 return -EOPNOTSUPP;
2275
2276         if (!value || !size)
2277                 return -EACCES;
2278
2279         rc = security_context_to_sid((void*)value, size, &newsid);
2280         if (rc)
2281                 return rc;
2282
2283         isec->sid = newsid;
2284         return 0;
2285 }
2286
2287 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2288 {
2289         const int len = sizeof(XATTR_NAME_SELINUX);
2290         if (buffer && len <= buffer_size)
2291                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2292         return len;
2293 }
2294
2295 /* file security operations */
2296
2297 static int selinux_file_permission(struct file *file, int mask)
2298 {
2299         struct inode *inode = file->f_dentry->d_inode;
2300
2301         if (!mask) {
2302                 /* No permission to check.  Existence test. */
2303                 return 0;
2304         }
2305
2306         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2307         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2308                 mask |= MAY_APPEND;
2309
2310         return file_has_perm(current, file,
2311                              file_mask_to_av(inode->i_mode, mask));
2312 }
2313
2314 static int selinux_file_alloc_security(struct file *file)
2315 {
2316         return file_alloc_security(file);
2317 }
2318
2319 static void selinux_file_free_security(struct file *file)
2320 {
2321         file_free_security(file);
2322 }
2323
2324 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2325                               unsigned long arg)
2326 {
2327         int error = 0;
2328
2329         switch (cmd) {
2330                 case FIONREAD:
2331                 /* fall through */
2332                 case FIBMAP:
2333                 /* fall through */
2334                 case FIGETBSZ:
2335                 /* fall through */
2336                 case EXT2_IOC_GETFLAGS:
2337                 /* fall through */
2338                 case EXT2_IOC_GETVERSION:
2339                         error = file_has_perm(current, file, FILE__GETATTR);
2340                         break;
2341
2342                 case EXT2_IOC_SETFLAGS:
2343                 /* fall through */
2344                 case EXT2_IOC_SETVERSION:
2345                         error = file_has_perm(current, file, FILE__SETATTR);
2346                         break;
2347
2348                 /* sys_ioctl() checks */
2349                 case FIONBIO:
2350                 /* fall through */
2351                 case FIOASYNC:
2352                         error = file_has_perm(current, file, 0);
2353                         break;
2354
2355                 case KDSKBENT:
2356                 case KDSKBSENT:
2357                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2358                         break;
2359
2360                 /* default case assumes that the command will go
2361                  * to the file's ioctl() function.
2362                  */
2363                 default:
2364                         error = file_has_perm(current, file, FILE__IOCTL);
2365
2366         }
2367         return error;
2368 }
2369
2370 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2371 {
2372 #ifndef CONFIG_PPC32
2373         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2374                 /*
2375                  * We are making executable an anonymous mapping or a
2376                  * private file mapping that will also be writable.
2377                  * This has an additional check.
2378                  */
2379                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2380                 if (rc)
2381                         return rc;
2382         }
2383 #endif
2384
2385         if (file) {
2386                 /* read access is always possible with a mapping */
2387                 u32 av = FILE__READ;
2388
2389                 /* write access only matters if the mapping is shared */
2390                 if (shared && (prot & PROT_WRITE))
2391                         av |= FILE__WRITE;
2392
2393                 if (prot & PROT_EXEC)
2394                         av |= FILE__EXECUTE;
2395
2396                 return file_has_perm(current, file, av);
2397         }
2398         return 0;
2399 }
2400
2401 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2402                              unsigned long prot, unsigned long flags)
2403 {
2404         int rc;
2405
2406         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2407         if (rc)
2408                 return rc;
2409
2410         if (selinux_checkreqprot)
2411                 prot = reqprot;
2412
2413         return file_map_prot_check(file, prot,
2414                                    (flags & MAP_TYPE) == MAP_SHARED);
2415 }
2416
2417 static int selinux_file_mprotect(struct vm_area_struct *vma,
2418                                  unsigned long reqprot,
2419                                  unsigned long prot)
2420 {
2421         int rc;
2422
2423         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2424         if (rc)
2425                 return rc;
2426
2427         if (selinux_checkreqprot)
2428                 prot = reqprot;
2429
2430 #ifndef CONFIG_PPC32
2431         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2432                 rc = 0;
2433                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2434                     vma->vm_end <= vma->vm_mm->brk) {
2435                         rc = task_has_perm(current, current,
2436                                            PROCESS__EXECHEAP);
2437                 } else if (!vma->vm_file &&
2438                            vma->vm_start <= vma->vm_mm->start_stack &&
2439                            vma->vm_end >= vma->vm_mm->start_stack) {
2440                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2441                 } else if (vma->vm_file && vma->anon_vma) {
2442                         /*
2443                          * We are making executable a file mapping that has
2444                          * had some COW done. Since pages might have been
2445                          * written, check ability to execute the possibly
2446                          * modified content.  This typically should only
2447                          * occur for text relocations.
2448                          */
2449                         rc = file_has_perm(current, vma->vm_file,
2450                                            FILE__EXECMOD);
2451                 }
2452                 if (rc)
2453                         return rc;
2454         }
2455 #endif
2456
2457         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2458 }
2459
2460 static int selinux_file_lock(struct file *file, unsigned int cmd)
2461 {
2462         return file_has_perm(current, file, FILE__LOCK);
2463 }
2464
2465 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2466                               unsigned long arg)
2467 {
2468         int err = 0;
2469
2470         switch (cmd) {
2471                 case F_SETFL:
2472                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2473                                 err = -EINVAL;
2474                                 break;
2475                         }
2476
2477                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2478                                 err = file_has_perm(current, file,FILE__WRITE);
2479                                 break;
2480                         }
2481                         /* fall through */
2482                 case F_SETOWN:
2483                 case F_SETSIG:
2484                 case F_GETFL:
2485                 case F_GETOWN:
2486                 case F_GETSIG:
2487                         /* Just check FD__USE permission */
2488                         err = file_has_perm(current, file, 0);
2489                         break;
2490                 case F_GETLK:
2491                 case F_SETLK:
2492                 case F_SETLKW:
2493 #if BITS_PER_LONG == 32
2494                 case F_GETLK64:
2495                 case F_SETLK64:
2496                 case F_SETLKW64:
2497 #endif
2498                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2499                                 err = -EINVAL;
2500                                 break;
2501                         }
2502                         err = file_has_perm(current, file, FILE__LOCK);
2503                         break;
2504         }
2505
2506         return err;
2507 }
2508
2509 static int selinux_file_set_fowner(struct file *file)
2510 {
2511         struct task_security_struct *tsec;
2512         struct file_security_struct *fsec;
2513
2514         tsec = current->security;
2515         fsec = file->f_security;
2516         fsec->fown_sid = tsec->sid;
2517
2518         return 0;
2519 }
2520
2521 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2522                                        struct fown_struct *fown, int signum)
2523 {
2524         struct file *file;
2525         u32 perm;
2526         struct task_security_struct *tsec;
2527         struct file_security_struct *fsec;
2528
2529         /* struct fown_struct is never outside the context of a struct file */
2530         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2531
2532         tsec = tsk->security;
2533         fsec = file->f_security;
2534
2535         if (!signum)
2536                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2537         else
2538                 perm = signal_to_av(signum);
2539
2540         return avc_has_perm(fsec->fown_sid, tsec->sid,
2541                             SECCLASS_PROCESS, perm, NULL);
2542 }
2543
2544 static int selinux_file_receive(struct file *file)
2545 {
2546         return file_has_perm(current, file, file_to_av(file));
2547 }
2548
2549 /* task security operations */
2550
2551 static int selinux_task_create(unsigned long clone_flags)
2552 {
2553         int rc;
2554
2555         rc = secondary_ops->task_create(clone_flags);
2556         if (rc)
2557                 return rc;
2558
2559         return task_has_perm(current, current, PROCESS__FORK);
2560 }
2561
2562 static int selinux_task_alloc_security(struct task_struct *tsk)
2563 {
2564         struct task_security_struct *tsec1, *tsec2;
2565         int rc;
2566
2567         tsec1 = current->security;
2568
2569         rc = task_alloc_security(tsk);
2570         if (rc)
2571                 return rc;
2572         tsec2 = tsk->security;
2573
2574         tsec2->osid = tsec1->osid;
2575         tsec2->sid = tsec1->sid;
2576
2577         /* Retain the exec and create SIDs across fork */
2578         tsec2->exec_sid = tsec1->exec_sid;
2579         tsec2->create_sid = tsec1->create_sid;
2580
2581         /* Retain ptracer SID across fork, if any.
2582            This will be reset by the ptrace hook upon any
2583            subsequent ptrace_attach operations. */
2584         tsec2->ptrace_sid = tsec1->ptrace_sid;
2585
2586         return 0;
2587 }
2588
2589 static void selinux_task_free_security(struct task_struct *tsk)
2590 {
2591         task_free_security(tsk);
2592 }
2593
2594 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2595 {
2596         /* Since setuid only affects the current process, and
2597            since the SELinux controls are not based on the Linux
2598            identity attributes, SELinux does not need to control
2599            this operation.  However, SELinux does control the use
2600            of the CAP_SETUID and CAP_SETGID capabilities using the
2601            capable hook. */
2602         return 0;
2603 }
2604
2605 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2606 {
2607         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2608 }
2609
2610 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2611 {
2612         /* See the comment for setuid above. */
2613         return 0;
2614 }
2615
2616 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2617 {
2618         return task_has_perm(current, p, PROCESS__SETPGID);
2619 }
2620
2621 static int selinux_task_getpgid(struct task_struct *p)
2622 {
2623         return task_has_perm(current, p, PROCESS__GETPGID);
2624 }
2625
2626 static int selinux_task_getsid(struct task_struct *p)
2627 {
2628         return task_has_perm(current, p, PROCESS__GETSESSION);
2629 }
2630
2631 static int selinux_task_setgroups(struct group_info *group_info)
2632 {
2633         /* See the comment for setuid above. */
2634         return 0;
2635 }
2636
2637 static int selinux_task_setnice(struct task_struct *p, int nice)
2638 {
2639         int rc;
2640
2641         rc = secondary_ops->task_setnice(p, nice);
2642         if (rc)
2643                 return rc;
2644
2645         return task_has_perm(current,p, PROCESS__SETSCHED);
2646 }
2647
2648 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2649 {
2650         return task_has_perm(current, p, PROCESS__SETSCHED);
2651 }
2652
2653 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2654 {
2655         struct rlimit *old_rlim = current->signal->rlim + resource;
2656         int rc;
2657
2658         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2659         if (rc)
2660                 return rc;
2661
2662         /* Control the ability to change the hard limit (whether
2663            lowering or raising it), so that the hard limit can
2664            later be used as a safe reset point for the soft limit
2665            upon context transitions. See selinux_bprm_apply_creds. */
2666         if (old_rlim->rlim_max != new_rlim->rlim_max)
2667                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2668
2669         return 0;
2670 }
2671
2672 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2673 {
2674         return task_has_perm(current, p, PROCESS__SETSCHED);
2675 }
2676
2677 static int selinux_task_getscheduler(struct task_struct *p)
2678 {
2679         return task_has_perm(current, p, PROCESS__GETSCHED);
2680 }
2681
2682 static int selinux_task_movememory(struct task_struct *p)
2683 {
2684         return task_has_perm(current, p, PROCESS__SETSCHED);
2685 }
2686
2687 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2688 {
2689         u32 perm;
2690         int rc;
2691
2692         rc = secondary_ops->task_kill(p, info, sig);
2693         if (rc)
2694                 return rc;
2695
2696         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2697                 return 0;
2698
2699         if (!sig)
2700                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2701         else
2702                 perm = signal_to_av(sig);
2703
2704         return task_has_perm(current, p, perm);
2705 }
2706
2707 static int selinux_task_prctl(int option,
2708                               unsigned long arg2,
2709                               unsigned long arg3,
2710                               unsigned long arg4,
2711                               unsigned long arg5)
2712 {
2713         /* The current prctl operations do not appear to require
2714            any SELinux controls since they merely observe or modify
2715            the state of the current process. */
2716         return 0;
2717 }
2718
2719 static int selinux_task_wait(struct task_struct *p)
2720 {
2721         u32 perm;
2722
2723         perm = signal_to_av(p->exit_signal);
2724
2725         return task_has_perm(p, current, perm);
2726 }
2727
2728 static void selinux_task_reparent_to_init(struct task_struct *p)
2729 {
2730         struct task_security_struct *tsec;
2731
2732         secondary_ops->task_reparent_to_init(p);
2733
2734         tsec = p->security;
2735         tsec->osid = tsec->sid;
2736         tsec->sid = SECINITSID_KERNEL;
2737         return;
2738 }
2739
2740 static void selinux_task_to_inode(struct task_struct *p,
2741                                   struct inode *inode)
2742 {
2743         struct task_security_struct *tsec = p->security;
2744         struct inode_security_struct *isec = inode->i_security;
2745
2746         isec->sid = tsec->sid;
2747         isec->initialized = 1;
2748         return;
2749 }
2750
2751 /* Returns error only if unable to parse addresses */
2752 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2753 {
2754         int offset, ihlen, ret = -EINVAL;
2755         struct iphdr _iph, *ih;
2756
2757         offset = skb->nh.raw - skb->data;
2758         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2759         if (ih == NULL)
2760                 goto out;
2761
2762         ihlen = ih->ihl * 4;
2763         if (ihlen < sizeof(_iph))
2764                 goto out;
2765
2766         ad->u.net.v4info.saddr = ih->saddr;
2767         ad->u.net.v4info.daddr = ih->daddr;
2768         ret = 0;
2769
2770         switch (ih->protocol) {
2771         case IPPROTO_TCP: {
2772                 struct tcphdr _tcph, *th;
2773
2774                 if (ntohs(ih->frag_off) & IP_OFFSET)
2775                         break;
2776
2777                 offset += ihlen;
2778                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2779                 if (th == NULL)
2780                         break;
2781
2782                 ad->u.net.sport = th->source;
2783                 ad->u.net.dport = th->dest;
2784                 break;
2785         }
2786         
2787         case IPPROTO_UDP: {
2788                 struct udphdr _udph, *uh;
2789                 
2790                 if (ntohs(ih->frag_off) & IP_OFFSET)
2791                         break;
2792                         
2793                 offset += ihlen;
2794                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2795                 if (uh == NULL)
2796                         break;  
2797
2798                 ad->u.net.sport = uh->source;
2799                 ad->u.net.dport = uh->dest;
2800                 break;
2801         }
2802
2803         default:
2804                 break;
2805         }
2806 out:
2807         return ret;
2808 }
2809
2810 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2811
2812 /* Returns error only if unable to parse addresses */
2813 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2814 {
2815         u8 nexthdr;
2816         int ret = -EINVAL, offset;
2817         struct ipv6hdr _ipv6h, *ip6;
2818
2819         offset = skb->nh.raw - skb->data;
2820         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2821         if (ip6 == NULL)
2822                 goto out;
2823
2824         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2825         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2826         ret = 0;
2827
2828         nexthdr = ip6->nexthdr;
2829         offset += sizeof(_ipv6h);
2830         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2831         if (offset < 0)
2832                 goto out;
2833
2834         switch (nexthdr) {
2835         case IPPROTO_TCP: {
2836                 struct tcphdr _tcph, *th;
2837
2838                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2839                 if (th == NULL)
2840                         break;
2841
2842                 ad->u.net.sport = th->source;
2843                 ad->u.net.dport = th->dest;
2844                 break;
2845         }
2846
2847         case IPPROTO_UDP: {
2848                 struct udphdr _udph, *uh;
2849
2850                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2851                 if (uh == NULL)
2852                         break;
2853
2854                 ad->u.net.sport = uh->source;
2855                 ad->u.net.dport = uh->dest;
2856                 break;
2857         }
2858
2859         /* includes fragments */
2860         default:
2861                 break;
2862         }
2863 out:
2864         return ret;
2865 }
2866
2867 #endif /* IPV6 */
2868
2869 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2870                              char **addrp, int *len, int src)
2871 {
2872         int ret = 0;
2873
2874         switch (ad->u.net.family) {
2875         case PF_INET:
2876                 ret = selinux_parse_skb_ipv4(skb, ad);
2877                 if (ret || !addrp)
2878                         break;
2879                 *len = 4;
2880                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2881                                         &ad->u.net.v4info.daddr);
2882                 break;
2883
2884 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2885         case PF_INET6:
2886                 ret = selinux_parse_skb_ipv6(skb, ad);
2887                 if (ret || !addrp)
2888                         break;
2889                 *len = 16;
2890                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2891                                         &ad->u.net.v6info.daddr);
2892                 break;
2893 #endif  /* IPV6 */
2894         default:
2895                 break;
2896         }
2897
2898         return ret;
2899 }
2900
2901 /* socket security operations */
2902 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2903                            u32 perms)
2904 {
2905         struct inode_security_struct *isec;
2906         struct task_security_struct *tsec;
2907         struct avc_audit_data ad;
2908         int err = 0;
2909
2910         tsec = task->security;
2911         isec = SOCK_INODE(sock)->i_security;
2912
2913         if (isec->sid == SECINITSID_KERNEL)
2914                 goto out;
2915
2916         AVC_AUDIT_DATA_INIT(&ad,NET);
2917         ad.u.net.sk = sock->sk;
2918         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2919
2920 out:
2921         return err;
2922 }
2923
2924 static int selinux_socket_create(int family, int type,
2925                                  int protocol, int kern)
2926 {
2927         int err = 0;
2928         struct task_security_struct *tsec;
2929
2930         if (kern)
2931                 goto out;
2932
2933         tsec = current->security;
2934         err = avc_has_perm(tsec->sid, tsec->sid,
2935                            socket_type_to_security_class(family, type,
2936                            protocol), SOCKET__CREATE, NULL);
2937
2938 out:
2939         return err;
2940 }
2941
2942 static void selinux_socket_post_create(struct socket *sock, int family,
2943                                        int type, int protocol, int kern)
2944 {
2945         struct inode_security_struct *isec;
2946         struct task_security_struct *tsec;
2947
2948         isec = SOCK_INODE(sock)->i_security;
2949
2950         tsec = current->security;
2951         isec->sclass = socket_type_to_security_class(family, type, protocol);
2952         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2953         isec->initialized = 1;
2954
2955         return;
2956 }
2957
2958 /* Range of port numbers used to automatically bind.
2959    Need to determine whether we should perform a name_bind
2960    permission check between the socket and the port number. */
2961 #define ip_local_port_range_0 sysctl_local_port_range[0]
2962 #define ip_local_port_range_1 sysctl_local_port_range[1]
2963
2964 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2965 {
2966         u16 family;
2967         int err;
2968
2969         err = socket_has_perm(current, sock, SOCKET__BIND);
2970         if (err)
2971                 goto out;
2972
2973         /*
2974          * If PF_INET or PF_INET6, check name_bind permission for the port.
2975          * Multiple address binding for SCTP is not supported yet: we just
2976          * check the first address now.
2977          */
2978         family = sock->sk->sk_family;
2979         if (family == PF_INET || family == PF_INET6) {
2980                 char *addrp;
2981                 struct inode_security_struct *isec;
2982                 struct task_security_struct *tsec;
2983                 struct avc_audit_data ad;
2984                 struct sockaddr_in *addr4 = NULL;
2985                 struct sockaddr_in6 *addr6 = NULL;
2986                 unsigned short snum;
2987                 struct sock *sk = sock->sk;
2988                 u32 sid, node_perm, addrlen;
2989
2990                 tsec = current->security;
2991                 isec = SOCK_INODE(sock)->i_security;
2992
2993                 if (family == PF_INET) {
2994                         addr4 = (struct sockaddr_in *)address;
2995                         snum = ntohs(addr4->sin_port);
2996                         addrlen = sizeof(addr4->sin_addr.s_addr);
2997                         addrp = (char *)&addr4->sin_addr.s_addr;
2998                 } else {
2999                         addr6 = (struct sockaddr_in6 *)address;
3000                         snum = ntohs(addr6->sin6_port);
3001                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3002                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3003                 }
3004
3005                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3006                            snum > ip_local_port_range_1)) {
3007                         err = security_port_sid(sk->sk_family, sk->sk_type,
3008                                                 sk->sk_protocol, snum, &sid);
3009                         if (err)
3010                                 goto out;
3011                         AVC_AUDIT_DATA_INIT(&ad,NET);
3012                         ad.u.net.sport = htons(snum);
3013                         ad.u.net.family = family;
3014                         err = avc_has_perm(isec->sid, sid,
3015                                            isec->sclass,
3016                                            SOCKET__NAME_BIND, &ad);
3017                         if (err)
3018                                 goto out;
3019                 }
3020                 
3021                 switch(isec->sclass) {
3022                 case SECCLASS_TCP_SOCKET:
3023                         node_perm = TCP_SOCKET__NODE_BIND;
3024                         break;
3025                         
3026                 case SECCLASS_UDP_SOCKET:
3027                         node_perm = UDP_SOCKET__NODE_BIND;
3028                         break;
3029                         
3030                 default:
3031                         node_perm = RAWIP_SOCKET__NODE_BIND;
3032                         break;
3033                 }
3034                 
3035                 err = security_node_sid(family, addrp, addrlen, &sid);
3036                 if (err)
3037                         goto out;
3038                 
3039                 AVC_AUDIT_DATA_INIT(&ad,NET);
3040                 ad.u.net.sport = htons(snum);
3041                 ad.u.net.family = family;
3042
3043                 if (family == PF_INET)
3044                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3045                 else
3046                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3047
3048                 err = avc_has_perm(isec->sid, sid,
3049                                    isec->sclass, node_perm, &ad);
3050                 if (err)
3051                         goto out;
3052         }
3053 out:
3054         return err;
3055 }
3056
3057 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3058 {
3059         struct inode_security_struct *isec;
3060         int err;
3061
3062         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3063         if (err)
3064                 return err;
3065
3066         /*
3067          * If a TCP socket, check name_connect permission for the port.
3068          */
3069         isec = SOCK_INODE(sock)->i_security;
3070         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3071                 struct sock *sk = sock->sk;
3072                 struct avc_audit_data ad;
3073                 struct sockaddr_in *addr4 = NULL;
3074                 struct sockaddr_in6 *addr6 = NULL;
3075                 unsigned short snum;
3076                 u32 sid;
3077
3078                 if (sk->sk_family == PF_INET) {
3079                         addr4 = (struct sockaddr_in *)address;
3080                         if (addrlen < sizeof(struct sockaddr_in))
3081                                 return -EINVAL;
3082                         snum = ntohs(addr4->sin_port);
3083                 } else {
3084                         addr6 = (struct sockaddr_in6 *)address;
3085                         if (addrlen < SIN6_LEN_RFC2133)
3086                                 return -EINVAL;
3087                         snum = ntohs(addr6->sin6_port);
3088                 }
3089
3090                 err = security_port_sid(sk->sk_family, sk->sk_type,
3091                                         sk->sk_protocol, snum, &sid);
3092                 if (err)
3093                         goto out;
3094
3095                 AVC_AUDIT_DATA_INIT(&ad,NET);
3096                 ad.u.net.dport = htons(snum);
3097                 ad.u.net.family = sk->sk_family;
3098                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3099                                    TCP_SOCKET__NAME_CONNECT, &ad);
3100                 if (err)
3101                         goto out;
3102         }
3103
3104 out:
3105         return err;
3106 }
3107
3108 static int selinux_socket_listen(struct socket *sock, int backlog)
3109 {
3110         return socket_has_perm(current, sock, SOCKET__LISTEN);
3111 }
3112
3113 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3114 {
3115         int err;
3116         struct inode_security_struct *isec;
3117         struct inode_security_struct *newisec;
3118
3119         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3120         if (err)
3121                 return err;
3122
3123         newisec = SOCK_INODE(newsock)->i_security;
3124
3125         isec = SOCK_INODE(sock)->i_security;
3126         newisec->sclass = isec->sclass;
3127         newisec->sid = isec->sid;
3128         newisec->initialized = 1;
3129
3130         return 0;
3131 }
3132
3133 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3134                                   int size)
3135 {
3136         return socket_has_perm(current, sock, SOCKET__WRITE);
3137 }
3138
3139 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3140                                   int size, int flags)
3141 {
3142         return socket_has_perm(current, sock, SOCKET__READ);
3143 }
3144
3145 static int selinux_socket_getsockname(struct socket *sock)
3146 {
3147         return socket_has_perm(current, sock, SOCKET__GETATTR);
3148 }
3149
3150 static int selinux_socket_getpeername(struct socket *sock)
3151 {
3152         return socket_has_perm(current, sock, SOCKET__GETATTR);
3153 }
3154
3155 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3156 {
3157         return socket_has_perm(current, sock, SOCKET__SETOPT);
3158 }
3159
3160 static int selinux_socket_getsockopt(struct socket *sock, int level,
3161                                      int optname)
3162 {
3163         return socket_has_perm(current, sock, SOCKET__GETOPT);
3164 }
3165
3166 static int selinux_socket_shutdown(struct socket *sock, int how)
3167 {
3168         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3169 }
3170
3171 static int selinux_socket_unix_stream_connect(struct socket *sock,
3172                                               struct socket *other,
3173                                               struct sock *newsk)
3174 {
3175         struct sk_security_struct *ssec;
3176         struct inode_security_struct *isec;
3177         struct inode_security_struct *other_isec;
3178         struct avc_audit_data ad;
3179         int err;
3180
3181         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3182         if (err)
3183                 return err;
3184
3185         isec = SOCK_INODE(sock)->i_security;
3186         other_isec = SOCK_INODE(other)->i_security;
3187
3188         AVC_AUDIT_DATA_INIT(&ad,NET);
3189         ad.u.net.sk = other->sk;
3190
3191         err = avc_has_perm(isec->sid, other_isec->sid,
3192                            isec->sclass,
3193                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3194         if (err)
3195                 return err;
3196
3197         /* connecting socket */
3198         ssec = sock->sk->sk_security;
3199         ssec->peer_sid = other_isec->sid;
3200         
3201         /* server child socket */
3202         ssec = newsk->sk_security;
3203         ssec->peer_sid = isec->sid;
3204         
3205         return 0;
3206 }
3207
3208 static int selinux_socket_unix_may_send(struct socket *sock,
3209                                         struct socket *other)
3210 {
3211         struct inode_security_struct *isec;
3212         struct inode_security_struct *other_isec;
3213         struct avc_audit_data ad;
3214         int err;
3215
3216         isec = SOCK_INODE(sock)->i_security;
3217         other_isec = SOCK_INODE(other)->i_security;
3218
3219         AVC_AUDIT_DATA_INIT(&ad,NET);
3220         ad.u.net.sk = other->sk;
3221
3222         err = avc_has_perm(isec->sid, other_isec->sid,
3223                            isec->sclass, SOCKET__SENDTO, &ad);
3224         if (err)
3225                 return err;
3226
3227         return 0;
3228 }
3229
3230 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3231                 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class,
3232                 u16 family, char *addrp, int len)
3233 {
3234         int err = 0;
3235         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3236
3237         if (!skb->dev)
3238                 goto out;
3239
3240         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3241         if (err)
3242                 goto out;
3243
3244         switch (sock_class) {
3245         case SECCLASS_UDP_SOCKET:
3246                 netif_perm = NETIF__UDP_RECV;
3247                 node_perm = NODE__UDP_RECV;
3248                 recv_perm = UDP_SOCKET__RECV_MSG;
3249                 break;
3250         
3251         case SECCLASS_TCP_SOCKET:
3252                 netif_perm = NETIF__TCP_RECV;
3253                 node_perm = NODE__TCP_RECV;
3254                 recv_perm = TCP_SOCKET__RECV_MSG;
3255                 break;
3256         
3257         default:
3258                 netif_perm = NETIF__RAWIP_RECV;
3259                 node_perm = NODE__RAWIP_RECV;
3260                 break;
3261         }
3262
3263         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3264         if (err)
3265                 goto out;
3266         
3267         err = security_node_sid(family, addrp, len, &node_sid);
3268         if (err)
3269                 goto out;
3270         
3271         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3272         if (err)
3273                 goto out;
3274
3275         if (recv_perm) {
3276                 u32 port_sid;
3277
3278                 err = security_port_sid(sk->sk_family, sk->sk_type,
3279                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3280                                         &port_sid);
3281                 if (err)
3282                         goto out;
3283
3284                 err = avc_has_perm(sock_sid, port_sid,
3285                                    sock_class, recv_perm, ad);
3286         }
3287
3288 out:
3289         return err;
3290 }
3291
3292 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3293 {
3294         u16 family;
3295         u16 sock_class = 0;
3296         char *addrp;
3297         int len, err = 0;
3298         u32 sock_sid = 0;
3299         struct socket *sock;
3300         struct avc_audit_data ad;
3301
3302         family = sk->sk_family;
3303         if (family != PF_INET && family != PF_INET6)
3304                 goto out;
3305
3306         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3307         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3308                 family = PF_INET;
3309
3310         read_lock_bh(&sk->sk_callback_lock);
3311         sock = sk->sk_socket;
3312         if (sock) {
3313                 struct inode *inode;
3314                 inode = SOCK_INODE(sock);
3315                 if (inode) {
3316                         struct inode_security_struct *isec;
3317                         isec = inode->i_security;
3318                         sock_sid = isec->sid;
3319                         sock_class = isec->sclass;
3320                 }
3321         }
3322         read_unlock_bh(&sk->sk_callback_lock);
3323         if (!sock_sid)
3324                 goto out;
3325
3326         AVC_AUDIT_DATA_INIT(&ad, NET);
3327         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3328         ad.u.net.family = family;
3329
3330         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3331         if (err)
3332                 goto out;
3333
3334         if (selinux_compat_net)
3335                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
3336                                                   sock_class, family,
3337                                                   addrp, len);
3338         else
3339                 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
3340                                    PACKET__RECV, &ad);
3341         if (err)
3342                 goto out;
3343
3344         err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3345 out:    
3346         return err;
3347 }
3348
3349 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3350                                             int __user *optlen, unsigned len)
3351 {
3352         int err = 0;
3353         char *scontext;
3354         u32 scontext_len;
3355         struct sk_security_struct *ssec;
3356         struct inode_security_struct *isec;
3357         u32 peer_sid = 0;
3358
3359         isec = SOCK_INODE(sock)->i_security;
3360
3361         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3362         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3363                 ssec = sock->sk->sk_security;
3364                 peer_sid = ssec->peer_sid;
3365         }
3366         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3367                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3368
3369                 if (peer_sid == SECSID_NULL) {
3370                         err = -ENOPROTOOPT;
3371                         goto out;
3372                 }
3373         }
3374         else {
3375                 err = -ENOPROTOOPT;
3376                 goto out;
3377         }
3378
3379         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3380
3381         if (err)
3382                 goto out;
3383
3384         if (scontext_len > len) {
3385                 err = -ERANGE;
3386                 goto out_len;
3387         }
3388
3389         if (copy_to_user(optval, scontext, scontext_len))
3390                 err = -EFAULT;
3391
3392 out_len:
3393         if (put_user(scontext_len, optlen))
3394                 err = -EFAULT;
3395
3396         kfree(scontext);
3397 out:    
3398         return err;
3399 }
3400
3401 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3402 {
3403         int err = 0;
3404         u32 peer_sid = selinux_socket_getpeer_dgram(skb);
3405
3406         if (peer_sid == SECSID_NULL)
3407                 return -EINVAL;
3408
3409         err = security_sid_to_context(peer_sid, secdata, seclen);
3410         if (err)
3411                 return err;
3412
3413         return 0;
3414 }
3415
3416
3417
3418 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3419 {
3420         return sk_alloc_security(sk, family, priority);
3421 }
3422
3423 static void selinux_sk_free_security(struct sock *sk)
3424 {
3425         sk_free_security(sk);
3426 }
3427
3428 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3429 {
3430         struct inode_security_struct *isec;
3431         u32 sock_sid = SECINITSID_ANY_SOCKET;
3432
3433         if (!sk)
3434                 return selinux_no_sk_sid(fl);
3435
3436         read_lock_bh(&sk->sk_callback_lock);
3437         isec = get_sock_isec(sk);
3438
3439         if (isec)
3440                 sock_sid = isec->sid;
3441
3442         read_unlock_bh(&sk->sk_callback_lock);
3443         return sock_sid;
3444 }
3445
3446 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3447 {
3448         int err = 0;
3449         u32 perm;
3450         struct nlmsghdr *nlh;
3451         struct socket *sock = sk->sk_socket;
3452         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3453         
3454         if (skb->len < NLMSG_SPACE(0)) {
3455                 err = -EINVAL;
3456                 goto out;
3457         }
3458         nlh = (struct nlmsghdr *)skb->data;
3459         
3460         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3461         if (err) {
3462                 if (err == -EINVAL) {
3463                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3464                                   "SELinux:  unrecognized netlink message"
3465                                   " type=%hu for sclass=%hu\n",
3466                                   nlh->nlmsg_type, isec->sclass);
3467                         if (!selinux_enforcing)
3468                                 err = 0;
3469                 }
3470
3471                 /* Ignore */
3472                 if (err == -ENOENT)
3473                         err = 0;
3474                 goto out;
3475         }
3476
3477         err = socket_has_perm(current, sock, perm);
3478 out:
3479         return err;
3480 }
3481
3482 #ifdef CONFIG_NETFILTER
3483
3484 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3485                                             struct inode_security_struct *isec,
3486                                             struct avc_audit_data *ad,
3487                                             u16 family, char *addrp, int len)
3488 {
3489         int err;
3490         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3491         
3492         err = sel_netif_sids(dev, &if_sid, NULL);
3493         if (err)
3494                 goto out;
3495
3496         switch (isec->sclass) {
3497         case SECCLASS_UDP_SOCKET:
3498                 netif_perm = NETIF__UDP_SEND;
3499                 node_perm = NODE__UDP_SEND;
3500                 send_perm = UDP_SOCKET__SEND_MSG;
3501                 break;
3502         
3503         case SECCLASS_TCP_SOCKET:
3504                 netif_perm = NETIF__TCP_SEND;
3505                 node_perm = NODE__TCP_SEND;
3506                 send_perm = TCP_SOCKET__SEND_MSG;
3507                 break;
3508         
3509         default:
3510                 netif_perm = NETIF__RAWIP_SEND;
3511                 node_perm = NODE__RAWIP_SEND;
3512                 break;
3513         }
3514
3515         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3516         if (err)
3517                 goto out;
3518                 
3519         err = security_node_sid(family, addrp, len, &node_sid);
3520         if (err)
3521                 goto out;
3522         
3523         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3524         if (err)
3525                 goto out;
3526
3527         if (send_perm) {
3528                 u32 port_sid;
3529                 
3530                 err = security_port_sid(sk->sk_family,
3531                                         sk->sk_type,
3532                                         sk->sk_protocol,
3533                                         ntohs(ad->u.net.dport),
3534                                         &port_sid);
3535                 if (err)
3536                         goto out;
3537
3538                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3539                                    send_perm, ad);
3540         }
3541 out:
3542         return err;
3543 }
3544
3545 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3546                                               struct sk_buff **pskb,
3547                                               const struct net_device *in,
3548                                               const struct net_device *out,
3549                                               int (*okfn)(struct sk_buff *),
3550                                               u16 family)
3551 {
3552         char *addrp;
3553         int len, err = 0;
3554         struct sock *sk;
3555         struct socket *sock;
3556         struct inode *inode;
3557         struct sk_buff *skb = *pskb;
3558         struct inode_security_struct *isec;
3559         struct avc_audit_data ad;
3560         struct net_device *dev = (struct net_device *)out;
3561
3562         sk = skb->sk;
3563         if (!sk)
3564                 goto out;
3565
3566         sock = sk->sk_socket;
3567         if (!sock)
3568                 goto out;
3569
3570         inode = SOCK_INODE(sock);
3571         if (!inode)
3572                 goto out;
3573
3574         isec = inode->i_security;
3575
3576         AVC_AUDIT_DATA_INIT(&ad, NET);
3577         ad.u.net.netif = dev->name;
3578         ad.u.net.family = family;
3579
3580         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3581         if (err)
3582                 goto out;
3583
3584         if (selinux_compat_net)
3585                 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
3586                                                        family, addrp, len);
3587         else
3588                 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
3589                                    PACKET__SEND, &ad);
3590
3591         if (err)
3592                 goto out;
3593
3594         err = selinux_xfrm_postroute_last(isec->sid, skb);
3595 out:
3596         return err ? NF_DROP : NF_ACCEPT;
3597 }
3598
3599 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3600                                                 struct sk_buff **pskb,
3601                                                 const struct net_device *in,
3602                                                 const struct net_device *out,
3603                                                 int (*okfn)(struct sk_buff *))
3604 {
3605         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3606 }
3607
3608 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3609
3610 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3611                                                 struct sk_buff **pskb,
3612                                                 const struct net_device *in,
3613                                                 const struct net_device *out,
3614                                                 int (*okfn)(struct sk_buff *))
3615 {
3616         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3617 }
3618
3619 #endif  /* IPV6 */
3620
3621 #endif  /* CONFIG_NETFILTER */
3622
3623 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3624 {
3625         struct task_security_struct *tsec;
3626         struct av_decision avd;
3627         int err;
3628
3629         err = secondary_ops->netlink_send(sk, skb);
3630         if (err)
3631                 return err;
3632
3633         tsec = current->security;
3634
3635         avd.allowed = 0;
3636         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3637                                 SECCLASS_CAPABILITY, ~0, &avd);
3638         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3639
3640         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3641                 err = selinux_nlmsg_perm(sk, skb);
3642
3643         return err;
3644 }
3645
3646 static int selinux_netlink_recv(struct sk_buff *skb)
3647 {
3648         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3649                 return -EPERM;
3650         return 0;
3651 }
3652
3653 static int ipc_alloc_security(struct task_struct *task,
3654                               struct kern_ipc_perm *perm,
3655                               u16 sclass)
3656 {
3657         struct task_security_struct *tsec = task->security;
3658         struct ipc_security_struct *isec;
3659
3660         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3661         if (!isec)
3662                 return -ENOMEM;
3663
3664         isec->sclass = sclass;
3665         isec->ipc_perm = perm;
3666         isec->sid = tsec->sid;
3667         perm->security = isec;
3668
3669         return 0;
3670 }
3671
3672 static void ipc_free_security(struct kern_ipc_perm *perm)
3673 {
3674         struct ipc_security_struct *isec = perm->security;
3675         perm->security = NULL;
3676         kfree(isec);
3677 }
3678
3679 static int msg_msg_alloc_security(struct msg_msg *msg)
3680 {
3681         struct msg_security_struct *msec;
3682
3683         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3684         if (!msec)
3685                 return -ENOMEM;
3686
3687         msec->msg = msg;
3688         msec->sid = SECINITSID_UNLABELED;
3689         msg->security = msec;
3690
3691         return 0;
3692 }
3693
3694 static void msg_msg_free_security(struct msg_msg *msg)
3695 {
3696         struct msg_security_struct *msec = msg->security;
3697
3698         msg->security = NULL;
3699         kfree(msec);
3700 }
3701
3702 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3703                         u32 perms)
3704 {
3705         struct task_security_struct *tsec;
3706         struct ipc_security_struct *isec;
3707         struct avc_audit_data ad;
3708
3709         tsec = current->security;
3710         isec = ipc_perms->security;
3711
3712         AVC_AUDIT_DATA_INIT(&ad, IPC);
3713         ad.u.ipc_id = ipc_perms->key;
3714
3715         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3716 }
3717
3718 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3719 {
3720         return msg_msg_alloc_security(msg);
3721 }
3722
3723 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3724 {
3725         msg_msg_free_security(msg);
3726 }
3727
3728 /* message queue security operations */
3729 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3730 {
3731         struct task_security_struct *tsec;
3732         struct ipc_security_struct *isec;
3733         struct avc_audit_data ad;
3734         int rc;
3735
3736         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3737         if (rc)
3738                 return rc;
3739
3740         tsec = current->security;
3741         isec = msq->q_perm.security;
3742
3743         AVC_AUDIT_DATA_INIT(&ad, IPC);
3744         ad.u.ipc_id = msq->q_perm.key;
3745
3746         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3747                           MSGQ__CREATE, &ad);
3748         if (rc) {
3749                 ipc_free_security(&msq->q_perm);
3750                 return rc;
3751         }
3752         return 0;
3753 }
3754
3755 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3756 {
3757         ipc_free_security(&msq->q_perm);
3758 }
3759
3760 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3761 {
3762         struct task_security_struct *tsec;
3763         struct ipc_security_struct *isec;
3764         struct avc_audit_data ad;
3765
3766         tsec = current->security;
3767         isec = msq->q_perm.security;
3768
3769         AVC_AUDIT_DATA_INIT(&ad, IPC);
3770         ad.u.ipc_id = msq->q_perm.key;
3771
3772         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3773                             MSGQ__ASSOCIATE, &ad);
3774 }
3775
3776 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3777 {
3778         int err;
3779         int perms;
3780
3781         switch(cmd) {
3782         case IPC_INFO:
3783         case MSG_INFO:
3784                 /* No specific object, just general system-wide information. */
3785                 return task_has_system(current, SYSTEM__IPC_INFO);
3786         case IPC_STAT:
3787         case MSG_STAT:
3788                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3789                 break;
3790         case IPC_SET:
3791                 perms = MSGQ__SETATTR;
3792                 break;
3793         case IPC_RMID:
3794                 perms = MSGQ__DESTROY;
3795                 break;
3796         default:
3797                 return 0;
3798         }
3799
3800         err = ipc_has_perm(&msq->q_perm, perms);
3801         return err;
3802 }
3803
3804 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3805 {
3806         struct task_security_struct *tsec;
3807         struct ipc_security_struct *isec;
3808         struct msg_security_struct *msec;
3809         struct avc_audit_data ad;
3810         int rc;
3811
3812         tsec = current->security;
3813         isec = msq->q_perm.security;
3814         msec = msg->security;
3815
3816         /*
3817          * First time through, need to assign label to the message
3818          */
3819         if (msec->sid == SECINITSID_UNLABELED) {
3820                 /*
3821                  * Compute new sid based on current process and
3822                  * message queue this message will be stored in
3823                  */
3824                 rc = security_transition_sid(tsec->sid,
3825                                              isec->sid,
3826                                              SECCLASS_MSG,
3827                                              &msec->sid);
3828                 if (rc)
3829                         return rc;
3830         }
3831
3832         AVC_AUDIT_DATA_INIT(&ad, IPC);
3833         ad.u.ipc_id = msq->q_perm.key;
3834
3835         /* Can this process write to the queue? */
3836         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3837                           MSGQ__WRITE, &ad);
3838         if (!rc)
3839                 /* Can this process send the message */
3840                 rc = avc_has_perm(tsec->sid, msec->sid,
3841                                   SECCLASS_MSG, MSG__SEND, &ad);
3842         if (!rc)
3843                 /* Can the message be put in the queue? */
3844                 rc = avc_has_perm(msec->sid, isec->sid,
3845                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3846
3847         return rc;
3848 }
3849
3850 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3851                                     struct task_struct *target,
3852                                     long type, int mode)
3853 {
3854         struct task_security_struct *tsec;
3855         struct ipc_security_struct *isec;
3856         struct msg_security_struct *msec;
3857         struct avc_audit_data ad;
3858         int rc;
3859
3860         tsec = target->security;
3861         isec = msq->q_perm.security;
3862         msec = msg->security;
3863
3864         AVC_AUDIT_DATA_INIT(&ad, IPC);
3865         ad.u.ipc_id = msq->q_perm.key;
3866
3867         rc = avc_has_perm(tsec->sid, isec->sid,
3868                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3869         if (!rc)
3870                 rc = avc_has_perm(tsec->sid, msec->sid,
3871                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3872         return rc;
3873 }
3874
3875 /* Shared Memory security operations */
3876 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3877 {
3878         struct task_security_struct *tsec;
3879         struct ipc_security_struct *isec;
3880         struct avc_audit_data ad;
3881         int rc;
3882
3883         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3884         if (rc)
3885                 return rc;
3886
3887         tsec = current->security;
3888         isec = shp->shm_perm.security;
3889
3890         AVC_AUDIT_DATA_INIT(&ad, IPC);
3891         ad.u.ipc_id = shp->shm_perm.key;
3892
3893         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3894                           SHM__CREATE, &ad);
3895         if (rc) {
3896                 ipc_free_security(&shp->shm_perm);
3897                 return rc;
3898         }
3899         return 0;
3900 }
3901
3902 static void selinux_shm_free_security(struct shmid_kernel *shp)
3903 {
3904         ipc_free_security(&shp->shm_perm);
3905 }
3906
3907 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3908 {
3909         struct task_security_struct *tsec;
3910         struct ipc_security_struct *isec;
3911         struct avc_audit_data ad;
3912
3913         tsec = current->security;
3914         isec = shp->shm_perm.security;
3915
3916         AVC_AUDIT_DATA_INIT(&ad, IPC);
3917         ad.u.ipc_id = shp->shm_perm.key;
3918
3919         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3920                             SHM__ASSOCIATE, &ad);
3921 }
3922
3923 /* Note, at this point, shp is locked down */
3924 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3925 {
3926         int perms;
3927         int err;
3928
3929         switch(cmd) {
3930         case IPC_INFO:
3931         case SHM_INFO:
3932                 /* No specific object, just general system-wide information. */
3933                 return task_has_system(current, SYSTEM__IPC_INFO);
3934         case IPC_STAT:
3935         case SHM_STAT:
3936                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3937                 break;
3938         case IPC_SET:
3939                 perms = SHM__SETATTR;
3940                 break;
3941         case SHM_LOCK:
3942         case SHM_UNLOCK:
3943                 perms = SHM__LOCK;
3944                 break;
3945         case IPC_RMID:
3946                 perms = SHM__DESTROY;
3947                 break;
3948         default:
3949                 return 0;
3950         }
3951
3952         err = ipc_has_perm(&shp->shm_perm, perms);
3953         return err;
3954 }
3955
3956 static int selinux_shm_shmat(struct shmid_kernel *shp,
3957                              char __user *shmaddr, int shmflg)
3958 {
3959         u32 perms;
3960         int rc;
3961
3962         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3963         if (rc)
3964                 return rc;
3965
3966         if (shmflg & SHM_RDONLY)
3967                 perms = SHM__READ;
3968         else
3969                 perms = SHM__READ | SHM__WRITE;
3970
3971         return ipc_has_perm(&shp->shm_perm, perms);
3972 }
3973
3974 /* Semaphore security operations */
3975 static int selinux_sem_alloc_security(struct sem_array *sma)
3976 {
3977         struct task_security_struct *tsec;
3978         struct ipc_security_struct *isec;
3979         struct avc_audit_data ad;
3980         int rc;
3981
3982         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3983         if (rc)
3984                 return rc;
3985
3986         tsec = current->security;
3987         isec = sma->sem_perm.security;
3988
3989         AVC_AUDIT_DATA_INIT(&ad, IPC);
3990         ad.u.ipc_id = sma->sem_perm.key;
3991
3992         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3993                           SEM__CREATE, &ad);
3994         if (rc) {
3995                 ipc_free_security(&sma->sem_perm);
3996                 return rc;
3997         }
3998         return 0;
3999 }
4000
4001 static void selinux_sem_free_security(struct sem_array *sma)
4002 {
4003         ipc_free_security(&sma->sem_perm);
4004 }
4005
4006 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4007 {
4008         struct task_security_struct *tsec;
4009         struct ipc_security_struct *isec;
4010         struct avc_audit_data ad;
4011
4012         tsec = current->security;
4013         isec = sma->sem_perm.security;
4014
4015         AVC_AUDIT_DATA_INIT(&ad, IPC);
4016         ad.u.ipc_id = sma->sem_perm.key;
4017
4018         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4019                             SEM__ASSOCIATE, &ad);
4020 }
4021
4022 /* Note, at this point, sma is locked down */
4023 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4024 {
4025         int err;
4026         u32 perms;
4027
4028         switch(cmd) {
4029         case IPC_INFO:
4030         case SEM_INFO:
4031                 /* No specific object, just general system-wide information. */
4032                 return task_has_system(current, SYSTEM__IPC_INFO);
4033         case GETPID:
4034         case GETNCNT:
4035         case GETZCNT:
4036                 perms = SEM__GETATTR;
4037                 break;
4038         case GETVAL:
4039         case GETALL:
4040                 perms = SEM__READ;
4041                 break;
4042         case SETVAL:
4043         case SETALL:
4044                 perms = SEM__WRITE;
4045                 break;
4046         case IPC_RMID:
4047                 perms = SEM__DESTROY;
4048                 break;
4049         case IPC_SET:
4050                 perms = SEM__SETATTR;
4051                 break;
4052         case IPC_STAT:
4053         case SEM_STAT:
4054                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4055                 break;
4056         default:
4057                 return 0;
4058         }
4059
4060         err = ipc_has_perm(&sma->sem_perm, perms);
4061         return err;
4062 }
4063
4064 static int selinux_sem_semop(struct sem_array *sma,
4065                              struct sembuf *sops, unsigned nsops, int alter)
4066 {
4067         u32 perms;
4068
4069         if (alter)
4070                 perms = SEM__READ | SEM__WRITE;
4071         else
4072                 perms = SEM__READ;
4073
4074         return ipc_has_perm(&sma->sem_perm, perms);
4075 }
4076
4077 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4078 {
4079         u32 av = 0;
4080
4081         av = 0;
4082         if (flag & S_IRUGO)
4083                 av |= IPC__UNIX_READ;
4084         if (flag & S_IWUGO)
4085                 av |= IPC__UNIX_WRITE;
4086
4087         if (av == 0)
4088                 return 0;
4089
4090         return ipc_has_perm(ipcp, av);
4091 }
4092
4093 /* module stacking operations */
4094 static int selinux_register_security (const char *name, struct security_operations *ops)
4095 {
4096         if (secondary_ops != original_ops) {
4097                 printk(KERN_INFO "%s:  There is already a secondary security "
4098                        "module registered.\n", __FUNCTION__);
4099                 return -EINVAL;
4100         }
4101
4102         secondary_ops = ops;
4103
4104         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4105                __FUNCTION__,
4106                name);
4107
4108         return 0;
4109 }
4110
4111 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4112 {
4113         if (ops != secondary_ops) {
4114                 printk (KERN_INFO "%s:  trying to unregister a security module "
4115                         "that is not registered.\n", __FUNCTION__);
4116                 return -EINVAL;
4117         }
4118
4119         secondary_ops = original_ops;
4120
4121         return 0;
4122 }
4123
4124 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4125 {
4126         if (inode)
4127                 inode_doinit_with_dentry(inode, dentry);
4128 }
4129
4130 static int selinux_getprocattr(struct task_struct *p,
4131                                char *name, void *value, size_t size)
4132 {
4133         struct task_security_struct *tsec;
4134         u32 sid;
4135         int error;
4136
4137         if (current != p) {
4138                 error = task_has_perm(current, p, PROCESS__GETATTR);
4139                 if (error)
4140                         return error;
4141         }
4142
4143         tsec = p->security;
4144
4145         if (!strcmp(name, "current"))
4146                 sid = tsec->sid;
4147         else if (!strcmp(name, "prev"))
4148                 sid = tsec->osid;
4149         else if (!strcmp(name, "exec"))
4150                 sid = tsec->exec_sid;
4151         else if (!strcmp(name, "fscreate"))
4152                 sid = tsec->create_sid;
4153         else
4154                 return -EINVAL;
4155
4156         if (!sid)
4157                 return 0;
4158
4159         return selinux_getsecurity(sid, value, size);
4160 }
4161
4162 static int selinux_setprocattr(struct task_struct *p,
4163                                char *name, void *value, size_t size)
4164 {
4165         struct task_security_struct *tsec;
4166         u32 sid = 0;
4167         int error;
4168         char *str = value;
4169
4170         if (current != p) {
4171                 /* SELinux only allows a process to change its own
4172                    security attributes. */
4173                 return -EACCES;
4174         }
4175
4176         /*
4177          * Basic control over ability to set these attributes at all.
4178          * current == p, but we'll pass them separately in case the
4179          * above restriction is ever removed.
4180          */
4181         if (!strcmp(name, "exec"))
4182                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4183         else if (!strcmp(name, "fscreate"))
4184                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4185         else if (!strcmp(name, "current"))
4186                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4187         else
4188                 error = -EINVAL;
4189         if (error)
4190                 return error;
4191
4192         /* Obtain a SID for the context, if one was specified. */
4193         if (size && str[1] && str[1] != '\n') {
4194                 if (str[size-1] == '\n') {
4195                         str[size-1] = 0;
4196                         size--;
4197                 }
4198                 error = security_context_to_sid(value, size, &sid);
4199                 if (error)
4200                         return error;
4201         }
4202
4203         /* Permission checking based on the specified context is
4204            performed during the actual operation (execve,
4205            open/mkdir/...), when we know the full context of the
4206            operation.  See selinux_bprm_set_security for the execve
4207            checks and may_create for the file creation checks. The
4208            operation will then fail if the context is not permitted. */
4209         tsec = p->security;
4210         if (!strcmp(name, "exec"))
4211                 tsec->exec_sid = sid;
4212         else if (!strcmp(name, "fscreate"))
4213                 tsec->create_sid = sid;
4214         else if (!strcmp(name, "current")) {
4215                 struct av_decision avd;
4216
4217                 if (sid == 0)
4218                         return -EINVAL;
4219
4220                 /* Only allow single threaded processes to change context */
4221                 if (atomic_read(&p->mm->mm_users) != 1) {
4222                         struct task_struct *g, *t;
4223                         struct mm_struct *mm = p->mm;
4224                         read_lock(&tasklist_lock);
4225                         do_each_thread(g, t)
4226                                 if (t->mm == mm && t != p) {
4227                                         read_unlock(&tasklist_lock);
4228                                         return -EPERM;
4229                                 }
4230                         while_each_thread(g, t);
4231                         read_unlock(&tasklist_lock);
4232                 }
4233
4234                 /* Check permissions for the transition. */
4235                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4236                                      PROCESS__DYNTRANSITION, NULL);
4237                 if (error)
4238                         return error;
4239
4240                 /* Check for ptracing, and update the task SID if ok.
4241                    Otherwise, leave SID unchanged and fail. */
4242                 task_lock(p);
4243                 if (p->ptrace & PT_PTRACED) {
4244                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4245                                                      SECCLASS_PROCESS,
4246                                                      PROCESS__PTRACE, &avd);
4247                         if (!error)
4248                                 tsec->sid = sid;
4249                         task_unlock(p);
4250                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4251                                   PROCESS__PTRACE, &avd, error, NULL);
4252                         if (error)
4253                                 return error;
4254                 } else {
4255                         tsec->sid = sid;
4256                         task_unlock(p);
4257                 }
4258         }
4259         else
4260                 return -EINVAL;
4261
4262         return size;
4263 }
4264
4265 #ifdef CONFIG_KEYS
4266
4267 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4268                              unsigned long flags)
4269 {
4270         struct task_security_struct *tsec = tsk->security;
4271         struct key_security_struct *ksec;
4272
4273         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4274         if (!ksec)
4275                 return -ENOMEM;
4276
4277         ksec->obj = k;
4278         ksec->sid = tsec->sid;
4279         k->security = ksec;
4280
4281         return 0;
4282 }
4283
4284 static void selinux_key_free(struct key *k)
4285 {
4286         struct key_security_struct *ksec = k->security;
4287
4288         k->security = NULL;
4289         kfree(ksec);
4290 }
4291
4292 static int selinux_key_permission(key_ref_t key_ref,
4293                             struct task_struct *ctx,
4294                             key_perm_t perm)
4295 {
4296         struct key *key;
4297         struct task_security_struct *tsec;
4298         struct key_security_struct *ksec;
4299
4300         key = key_ref_to_ptr(key_ref);
4301
4302         tsec = ctx->security;
4303         ksec = key->security;
4304
4305         /* if no specific permissions are requested, we skip the
4306            permission check. No serious, additional covert channels
4307            appear to be created. */
4308         if (perm == 0)
4309                 return 0;
4310
4311         return avc_has_perm(tsec->sid, ksec->sid,
4312                             SECCLASS_KEY, perm, NULL);
4313 }
4314
4315 #endif
4316
4317 static struct security_operations selinux_ops = {
4318         .ptrace =                       selinux_ptrace,
4319         .capget =                       selinux_capget,
4320         .capset_check =                 selinux_capset_check,
4321         .capset_set =                   selinux_capset_set,
4322         .sysctl =                       selinux_sysctl,
4323         .capable =                      selinux_capable,
4324         .quotactl =                     selinux_quotactl,
4325         .quota_on =                     selinux_quota_on,
4326         .syslog =                       selinux_syslog,
4327         .vm_enough_memory =             selinux_vm_enough_memory,
4328
4329         .netlink_send =                 selinux_netlink_send,
4330         .netlink_recv =                 selinux_netlink_recv,
4331
4332         .bprm_alloc_security =          selinux_bprm_alloc_security,
4333         .bprm_free_security =           selinux_bprm_free_security,
4334         .bprm_apply_creds =             selinux_bprm_apply_creds,
4335         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4336         .bprm_set_security =            selinux_bprm_set_security,
4337         .bprm_check_security =          selinux_bprm_check_security,
4338         .bprm_secureexec =              selinux_bprm_secureexec,
4339
4340         .sb_alloc_security =            selinux_sb_alloc_security,
4341         .sb_free_security =             selinux_sb_free_security,
4342         .sb_copy_data =                 selinux_sb_copy_data,
4343         .sb_kern_mount =                selinux_sb_kern_mount,
4344         .sb_statfs =                    selinux_sb_statfs,
4345         .sb_mount =                     selinux_mount,
4346         .sb_umount =                    selinux_umount,
4347
4348         .inode_alloc_security =         selinux_inode_alloc_security,
4349         .inode_free_security =          selinux_inode_free_security,
4350         .inode_init_security =          selinux_inode_init_security,
4351         .inode_create =                 selinux_inode_create,
4352         .inode_link =                   selinux_inode_link,
4353         .inode_unlink =                 selinux_inode_unlink,
4354         .inode_symlink =                selinux_inode_symlink,
4355         .inode_mkdir =                  selinux_inode_mkdir,
4356         .inode_rmdir =                  selinux_inode_rmdir,
4357         .inode_mknod =                  selinux_inode_mknod,
4358         .inode_rename =                 selinux_inode_rename,
4359         .inode_readlink =               selinux_inode_readlink,
4360         .inode_follow_link =            selinux_inode_follow_link,
4361         .inode_permission =             selinux_inode_permission,
4362         .inode_setattr =                selinux_inode_setattr,
4363         .inode_getattr =                selinux_inode_getattr,
4364         .inode_setxattr =               selinux_inode_setxattr,
4365         .inode_post_setxattr =          selinux_inode_post_setxattr,
4366         .inode_getxattr =               selinux_inode_getxattr,
4367         .inode_listxattr =              selinux_inode_listxattr,
4368         .inode_removexattr =            selinux_inode_removexattr,
4369         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4370         .inode_getsecurity =            selinux_inode_getsecurity,
4371         .inode_setsecurity =            selinux_inode_setsecurity,
4372         .inode_listsecurity =           selinux_inode_listsecurity,
4373
4374         .file_permission =              selinux_file_permission,
4375         .file_alloc_security =          selinux_file_alloc_security,
4376         .file_free_security =           selinux_file_free_security,
4377         .file_ioctl =                   selinux_file_ioctl,
4378         .file_mmap =                    selinux_file_mmap,
4379         .file_mprotect =                selinux_file_mprotect,
4380         .file_lock =                    selinux_file_lock,
4381         .file_fcntl =                   selinux_file_fcntl,
4382         .file_set_fowner =              selinux_file_set_fowner,
4383         .file_send_sigiotask =          selinux_file_send_sigiotask,
4384         .file_receive =                 selinux_file_receive,
4385
4386         .task_create =                  selinux_task_create,
4387         .task_alloc_security =          selinux_task_alloc_security,
4388         .task_free_security =           selinux_task_free_security,
4389         .task_setuid =                  selinux_task_setuid,
4390         .task_post_setuid =             selinux_task_post_setuid,
4391         .task_setgid =                  selinux_task_setgid,
4392         .task_setpgid =                 selinux_task_setpgid,
4393         .task_getpgid =                 selinux_task_getpgid,
4394         .task_getsid =                  selinux_task_getsid,
4395         .task_setgroups =               selinux_task_setgroups,
4396         .task_setnice =                 selinux_task_setnice,
4397         .task_setioprio =               selinux_task_setioprio,
4398         .task_setrlimit =               selinux_task_setrlimit,
4399         .task_setscheduler =            selinux_task_setscheduler,
4400         .task_getscheduler =            selinux_task_getscheduler,
4401         .task_movememory =              selinux_task_movememory,
4402         .task_kill =                    selinux_task_kill,
4403         .task_wait =                    selinux_task_wait,
4404         .task_prctl =                   selinux_task_prctl,
4405         .task_reparent_to_init =        selinux_task_reparent_to_init,
4406         .task_to_inode =                selinux_task_to_inode,
4407
4408         .ipc_permission =               selinux_ipc_permission,
4409
4410         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4411         .msg_msg_free_security =        selinux_msg_msg_free_security,
4412
4413         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4414         .msg_queue_free_security =      selinux_msg_queue_free_security,
4415         .msg_queue_associate =          selinux_msg_queue_associate,
4416         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4417         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4418         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4419
4420         .shm_alloc_security =           selinux_shm_alloc_security,
4421         .shm_free_security =            selinux_shm_free_security,
4422         .shm_associate =                selinux_shm_associate,
4423         .shm_shmctl =                   selinux_shm_shmctl,
4424         .shm_shmat =                    selinux_shm_shmat,
4425
4426         .sem_alloc_security =           selinux_sem_alloc_security,
4427         .sem_free_security =            selinux_sem_free_security,
4428         .sem_associate =                selinux_sem_associate,
4429         .sem_semctl =                   selinux_sem_semctl,
4430         .sem_semop =                    selinux_sem_semop,
4431
4432         .register_security =            selinux_register_security,
4433         .unregister_security =          selinux_unregister_security,
4434
4435         .d_instantiate =                selinux_d_instantiate,
4436
4437         .getprocattr =                  selinux_getprocattr,
4438         .setprocattr =                  selinux_setprocattr,
4439
4440         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4441         .unix_may_send =                selinux_socket_unix_may_send,
4442
4443         .socket_create =                selinux_socket_create,
4444         .socket_post_create =           selinux_socket_post_create,
4445         .socket_bind =                  selinux_socket_bind,
4446         .socket_connect =               selinux_socket_connect,
4447         .socket_listen =                selinux_socket_listen,
4448         .socket_accept =                selinux_socket_accept,
4449         .socket_sendmsg =               selinux_socket_sendmsg,
4450         .socket_recvmsg =               selinux_socket_recvmsg,
4451         .socket_getsockname =           selinux_socket_getsockname,
4452         .socket_getpeername =           selinux_socket_getpeername,
4453         .socket_getsockopt =            selinux_socket_getsockopt,
4454         .socket_setsockopt =            selinux_socket_setsockopt,
4455         .socket_shutdown =              selinux_socket_shutdown,
4456         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4457         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4458         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4459         .sk_alloc_security =            selinux_sk_alloc_security,
4460         .sk_free_security =             selinux_sk_free_security,
4461         .sk_getsid =                    selinux_sk_getsid_security,
4462
4463 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4464         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4465         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4466         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4467         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4468         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4469         .xfrm_state_free_security =     selinux_xfrm_state_free,
4470         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4471         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4472 #endif
4473
4474 #ifdef CONFIG_KEYS
4475         .key_alloc =                    selinux_key_alloc,
4476         .key_free =                     selinux_key_free,
4477         .key_permission =               selinux_key_permission,
4478 #endif
4479 };
4480
4481 static __init int selinux_init(void)
4482 {
4483         struct task_security_struct *tsec;
4484
4485         if (!selinux_enabled) {
4486                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4487                 return 0;
4488         }
4489
4490         printk(KERN_INFO "SELinux:  Initializing.\n");
4491
4492         /* Set the security state for the initial task. */
4493         if (task_alloc_security(current))
4494                 panic("SELinux:  Failed to initialize initial task.\n");
4495         tsec = current->security;
4496         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4497
4498         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4499                                             sizeof(struct inode_security_struct),
4500                                             0, SLAB_PANIC, NULL, NULL);
4501         avc_init();
4502
4503         original_ops = secondary_ops = security_ops;
4504         if (!secondary_ops)
4505                 panic ("SELinux: No initial security operations\n");
4506         if (register_security (&selinux_ops))
4507                 panic("SELinux: Unable to register with kernel.\n");
4508
4509         if (selinux_enforcing) {
4510                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4511         } else {
4512                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4513         }
4514
4515 #ifdef CONFIG_KEYS
4516         /* Add security information to initial keyrings */
4517         security_key_alloc(&root_user_keyring, current,
4518                            KEY_ALLOC_NOT_IN_QUOTA);
4519         security_key_alloc(&root_session_keyring, current,
4520                            KEY_ALLOC_NOT_IN_QUOTA);
4521 #endif
4522
4523         return 0;
4524 }
4525
4526 void selinux_complete_init(void)
4527 {
4528         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4529
4530         /* Set up any superblocks initialized prior to the policy load. */
4531         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4532         spin_lock(&sb_lock);
4533         spin_lock(&sb_security_lock);
4534 next_sb:
4535         if (!list_empty(&superblock_security_head)) {
4536                 struct superblock_security_struct *sbsec =
4537                                 list_entry(superblock_security_head.next,
4538                                            struct superblock_security_struct,
4539                                            list);
4540                 struct super_block *sb = sbsec->sb;
4541                 sb->s_count++;
4542                 spin_unlock(&sb_security_lock);
4543                 spin_unlock(&sb_lock);
4544                 down_read(&sb->s_umount);
4545                 if (sb->s_root)
4546                         superblock_doinit(sb, NULL);
4547                 drop_super(sb);
4548                 spin_lock(&sb_lock);
4549                 spin_lock(&sb_security_lock);
4550                 list_del_init(&sbsec->list);
4551                 goto next_sb;
4552         }
4553         spin_unlock(&sb_security_lock);
4554         spin_unlock(&sb_lock);
4555 }
4556
4557 /* SELinux requires early initialization in order to label
4558    all processes and objects when they are created. */
4559 security_initcall(selinux_init);
4560
4561 #if defined(CONFIG_NETFILTER)
4562
4563 static struct nf_hook_ops selinux_ipv4_op = {
4564         .hook =         selinux_ipv4_postroute_last,
4565         .owner =        THIS_MODULE,
4566         .pf =           PF_INET,
4567         .hooknum =      NF_IP_POST_ROUTING,
4568         .priority =     NF_IP_PRI_SELINUX_LAST,
4569 };
4570
4571 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4572
4573 static struct nf_hook_ops selinux_ipv6_op = {
4574         .hook =         selinux_ipv6_postroute_last,
4575         .owner =        THIS_MODULE,
4576         .pf =           PF_INET6,
4577         .hooknum =      NF_IP6_POST_ROUTING,
4578         .priority =     NF_IP6_PRI_SELINUX_LAST,
4579 };
4580
4581 #endif  /* IPV6 */
4582
4583 static int __init selinux_nf_ip_init(void)
4584 {
4585         int err = 0;
4586
4587         if (!selinux_enabled)
4588                 goto out;
4589                 
4590         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4591         
4592         err = nf_register_hook(&selinux_ipv4_op);
4593         if (err)
4594                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4595
4596 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4597
4598         err = nf_register_hook(&selinux_ipv6_op);
4599         if (err)
4600                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4601
4602 #endif  /* IPV6 */
4603
4604 out:
4605         return err;
4606 }
4607
4608 __initcall(selinux_nf_ip_init);
4609
4610 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4611 static void selinux_nf_ip_exit(void)
4612 {
4613         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4614
4615         nf_unregister_hook(&selinux_ipv4_op);
4616 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4617         nf_unregister_hook(&selinux_ipv6_op);
4618 #endif  /* IPV6 */
4619 }
4620 #endif
4621
4622 #else /* CONFIG_NETFILTER */
4623
4624 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4625 #define selinux_nf_ip_exit()
4626 #endif
4627
4628 #endif /* CONFIG_NETFILTER */
4629
4630 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4631 int selinux_disable(void)
4632 {
4633         extern void exit_sel_fs(void);
4634         static int selinux_disabled = 0;
4635
4636         if (ss_initialized) {
4637                 /* Not permitted after initial policy load. */
4638                 return -EINVAL;
4639         }
4640
4641         if (selinux_disabled) {
4642                 /* Only do this once. */
4643                 return -EINVAL;
4644         }
4645
4646         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4647
4648         selinux_disabled = 1;
4649         selinux_enabled = 0;
4650
4651         /* Reset security_ops to the secondary module, dummy or capability. */
4652         security_ops = secondary_ops;
4653
4654         /* Unregister netfilter hooks. */
4655         selinux_nf_ip_exit();
4656
4657         /* Unregister selinuxfs. */
4658         exit_sel_fs();
4659
4660         return 0;
4661 }
4662 #endif
4663
4664