295ac472faf199fdb2f99caa08d1235599646bb5
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76
77 #define XATTR_SELINUX_SUFFIX "selinux"
78 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
79
80 extern unsigned int policydb_loaded_version;
81 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
82
83 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
84 int selinux_enforcing = 0;
85
86 static int __init enforcing_setup(char *str)
87 {
88         selinux_enforcing = simple_strtol(str,NULL,0);
89         return 1;
90 }
91 __setup("enforcing=", enforcing_setup);
92 #endif
93
94 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
95 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
96
97 static int __init selinux_enabled_setup(char *str)
98 {
99         selinux_enabled = simple_strtol(str, NULL, 0);
100         return 1;
101 }
102 __setup("selinux=", selinux_enabled_setup);
103 #endif
104
105 /* Original (dummy) security module. */
106 static struct security_operations *original_ops = NULL;
107
108 /* Minimal support for a secondary security module,
109    just to allow the use of the dummy or capability modules.
110    The owlsm module can alternatively be used as a secondary
111    module as long as CONFIG_OWLSM_FD is not enabled. */
112 static struct security_operations *secondary_ops = NULL;
113
114 /* Lists of inode and superblock security structures initialized
115    before the policy was loaded. */
116 static LIST_HEAD(superblock_security_head);
117 static DEFINE_SPINLOCK(sb_security_lock);
118
119 /* Allocate and free functions for each kind of security blob. */
120
121 static int task_alloc_security(struct task_struct *task)
122 {
123         struct task_security_struct *tsec;
124
125         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
126         if (!tsec)
127                 return -ENOMEM;
128
129         tsec->magic = SELINUX_MAGIC;
130         tsec->task = task;
131         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132         task->security = tsec;
133
134         return 0;
135 }
136
137 static void task_free_security(struct task_struct *task)
138 {
139         struct task_security_struct *tsec = task->security;
140
141         if (!tsec || tsec->magic != SELINUX_MAGIC)
142                 return;
143
144         task->security = NULL;
145         kfree(tsec);
146 }
147
148 static int inode_alloc_security(struct inode *inode)
149 {
150         struct task_security_struct *tsec = current->security;
151         struct inode_security_struct *isec;
152
153         isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
154         if (!isec)
155                 return -ENOMEM;
156
157         init_MUTEX(&isec->sem);
158         INIT_LIST_HEAD(&isec->list);
159         isec->magic = SELINUX_MAGIC;
160         isec->inode = inode;
161         isec->sid = SECINITSID_UNLABELED;
162         isec->sclass = SECCLASS_FILE;
163         if (tsec && tsec->magic == SELINUX_MAGIC)
164                 isec->task_sid = tsec->sid;
165         else
166                 isec->task_sid = SECINITSID_UNLABELED;
167         inode->i_security = isec;
168
169         return 0;
170 }
171
172 static void inode_free_security(struct inode *inode)
173 {
174         struct inode_security_struct *isec = inode->i_security;
175         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
176
177         if (!isec || isec->magic != SELINUX_MAGIC)
178                 return;
179
180         spin_lock(&sbsec->isec_lock);
181         if (!list_empty(&isec->list))
182                 list_del_init(&isec->list);
183         spin_unlock(&sbsec->isec_lock);
184
185         inode->i_security = NULL;
186         kfree(isec);
187 }
188
189 static int file_alloc_security(struct file *file)
190 {
191         struct task_security_struct *tsec = current->security;
192         struct file_security_struct *fsec;
193
194         fsec = kzalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
195         if (!fsec)
196                 return -ENOMEM;
197
198         fsec->magic = SELINUX_MAGIC;
199         fsec->file = file;
200         if (tsec && tsec->magic == SELINUX_MAGIC) {
201                 fsec->sid = tsec->sid;
202                 fsec->fown_sid = tsec->sid;
203         } else {
204                 fsec->sid = SECINITSID_UNLABELED;
205                 fsec->fown_sid = SECINITSID_UNLABELED;
206         }
207         file->f_security = fsec;
208
209         return 0;
210 }
211
212 static void file_free_security(struct file *file)
213 {
214         struct file_security_struct *fsec = file->f_security;
215
216         if (!fsec || fsec->magic != SELINUX_MAGIC)
217                 return;
218
219         file->f_security = NULL;
220         kfree(fsec);
221 }
222
223 static int superblock_alloc_security(struct super_block *sb)
224 {
225         struct superblock_security_struct *sbsec;
226
227         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
228         if (!sbsec)
229                 return -ENOMEM;
230
231         init_MUTEX(&sbsec->sem);
232         INIT_LIST_HEAD(&sbsec->list);
233         INIT_LIST_HEAD(&sbsec->isec_head);
234         spin_lock_init(&sbsec->isec_lock);
235         sbsec->magic = SELINUX_MAGIC;
236         sbsec->sb = sb;
237         sbsec->sid = SECINITSID_UNLABELED;
238         sbsec->def_sid = SECINITSID_FILE;
239         sb->s_security = sbsec;
240
241         return 0;
242 }
243
244 static void superblock_free_security(struct super_block *sb)
245 {
246         struct superblock_security_struct *sbsec = sb->s_security;
247
248         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
249                 return;
250
251         spin_lock(&sb_security_lock);
252         if (!list_empty(&sbsec->list))
253                 list_del_init(&sbsec->list);
254         spin_unlock(&sb_security_lock);
255
256         sb->s_security = NULL;
257         kfree(sbsec);
258 }
259
260 #ifdef CONFIG_SECURITY_NETWORK
261 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
262 {
263         struct sk_security_struct *ssec;
264
265         if (family != PF_UNIX)
266                 return 0;
267
268         ssec = kzalloc(sizeof(*ssec), priority);
269         if (!ssec)
270                 return -ENOMEM;
271
272         ssec->magic = SELINUX_MAGIC;
273         ssec->sk = sk;
274         ssec->peer_sid = SECINITSID_UNLABELED;
275         sk->sk_security = ssec;
276
277         return 0;
278 }
279
280 static void sk_free_security(struct sock *sk)
281 {
282         struct sk_security_struct *ssec = sk->sk_security;
283
284         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
285                 return;
286
287         sk->sk_security = NULL;
288         kfree(ssec);
289 }
290 #endif  /* CONFIG_SECURITY_NETWORK */
291
292 /* The security server must be initialized before
293    any labeling or access decisions can be provided. */
294 extern int ss_initialized;
295
296 /* The file system's label must be initialized prior to use. */
297
298 static char *labeling_behaviors[6] = {
299         "uses xattr",
300         "uses transition SIDs",
301         "uses task SIDs",
302         "uses genfs_contexts",
303         "not configured for labeling",
304         "uses mountpoint labeling",
305 };
306
307 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
308
309 static inline int inode_doinit(struct inode *inode)
310 {
311         return inode_doinit_with_dentry(inode, NULL);
312 }
313
314 enum {
315         Opt_context = 1,
316         Opt_fscontext = 2,
317         Opt_defcontext = 4,
318 };
319
320 static match_table_t tokens = {
321         {Opt_context, "context=%s"},
322         {Opt_fscontext, "fscontext=%s"},
323         {Opt_defcontext, "defcontext=%s"},
324 };
325
326 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
327
328 static int try_context_mount(struct super_block *sb, void *data)
329 {
330         char *context = NULL, *defcontext = NULL;
331         const char *name;
332         u32 sid;
333         int alloc = 0, rc = 0, seen = 0;
334         struct task_security_struct *tsec = current->security;
335         struct superblock_security_struct *sbsec = sb->s_security;
336
337         if (!data)
338                 goto out;
339
340         name = sb->s_type->name;
341
342         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
343
344                 /* NFS we understand. */
345                 if (!strcmp(name, "nfs")) {
346                         struct nfs_mount_data *d = data;
347
348                         if (d->version <  NFS_MOUNT_VERSION)
349                                 goto out;
350
351                         if (d->context[0]) {
352                                 context = d->context;
353                                 seen |= Opt_context;
354                         }
355                 } else
356                         goto out;
357
358         } else {
359                 /* Standard string-based options. */
360                 char *p, *options = data;
361
362                 while ((p = strsep(&options, ",")) != NULL) {
363                         int token;
364                         substring_t args[MAX_OPT_ARGS];
365
366                         if (!*p)
367                                 continue;
368
369                         token = match_token(p, tokens, args);
370
371                         switch (token) {
372                         case Opt_context:
373                                 if (seen) {
374                                         rc = -EINVAL;
375                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
376                                         goto out_free;
377                                 }
378                                 context = match_strdup(&args[0]);
379                                 if (!context) {
380                                         rc = -ENOMEM;
381                                         goto out_free;
382                                 }
383                                 if (!alloc)
384                                         alloc = 1;
385                                 seen |= Opt_context;
386                                 break;
387
388                         case Opt_fscontext:
389                                 if (seen & (Opt_context|Opt_fscontext)) {
390                                         rc = -EINVAL;
391                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
392                                         goto out_free;
393                                 }
394                                 context = match_strdup(&args[0]);
395                                 if (!context) {
396                                         rc = -ENOMEM;
397                                         goto out_free;
398                                 }
399                                 if (!alloc)
400                                         alloc = 1;
401                                 seen |= Opt_fscontext;
402                                 break;
403
404                         case Opt_defcontext:
405                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
406                                         rc = -EINVAL;
407                                         printk(KERN_WARNING "SELinux:  "
408                                                "defcontext option is invalid "
409                                                "for this filesystem type\n");
410                                         goto out_free;
411                                 }
412                                 if (seen & (Opt_context|Opt_defcontext)) {
413                                         rc = -EINVAL;
414                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
415                                         goto out_free;
416                                 }
417                                 defcontext = match_strdup(&args[0]);
418                                 if (!defcontext) {
419                                         rc = -ENOMEM;
420                                         goto out_free;
421                                 }
422                                 if (!alloc)
423                                         alloc = 1;
424                                 seen |= Opt_defcontext;
425                                 break;
426
427                         default:
428                                 rc = -EINVAL;
429                                 printk(KERN_WARNING "SELinux:  unknown mount "
430                                        "option\n");
431                                 goto out_free;
432
433                         }
434                 }
435         }
436
437         if (!seen)
438                 goto out;
439
440         if (context) {
441                 rc = security_context_to_sid(context, strlen(context), &sid);
442                 if (rc) {
443                         printk(KERN_WARNING "SELinux: security_context_to_sid"
444                                "(%s) failed for (dev %s, type %s) errno=%d\n",
445                                context, sb->s_id, name, rc);
446                         goto out_free;
447                 }
448
449                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450                                   FILESYSTEM__RELABELFROM, NULL);
451                 if (rc)
452                         goto out_free;
453
454                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__RELABELTO, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 sbsec->sid = sid;
460
461                 if (seen & Opt_context)
462                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
463         }
464
465         if (defcontext) {
466                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
467                 if (rc) {
468                         printk(KERN_WARNING "SELinux: security_context_to_sid"
469                                "(%s) failed for (dev %s, type %s) errno=%d\n",
470                                defcontext, sb->s_id, name, rc);
471                         goto out_free;
472                 }
473
474                 if (sid == sbsec->def_sid)
475                         goto out_free;
476
477                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
478                                   FILESYSTEM__RELABELFROM, NULL);
479                 if (rc)
480                         goto out_free;
481
482                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                                   FILESYSTEM__ASSOCIATE, NULL);
484                 if (rc)
485                         goto out_free;
486
487                 sbsec->def_sid = sid;
488         }
489
490 out_free:
491         if (alloc) {
492                 kfree(context);
493                 kfree(defcontext);
494         }
495 out:
496         return rc;
497 }
498
499 static int superblock_doinit(struct super_block *sb, void *data)
500 {
501         struct superblock_security_struct *sbsec = sb->s_security;
502         struct dentry *root = sb->s_root;
503         struct inode *inode = root->d_inode;
504         int rc = 0;
505
506         down(&sbsec->sem);
507         if (sbsec->initialized)
508                 goto out;
509
510         if (!ss_initialized) {
511                 /* Defer initialization until selinux_complete_init,
512                    after the initial policy is loaded and the security
513                    server is ready to handle calls. */
514                 spin_lock(&sb_security_lock);
515                 if (list_empty(&sbsec->list))
516                         list_add(&sbsec->list, &superblock_security_head);
517                 spin_unlock(&sb_security_lock);
518                 goto out;
519         }
520
521         /* Determine the labeling behavior to use for this filesystem type. */
522         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
523         if (rc) {
524                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
525                        __FUNCTION__, sb->s_type->name, rc);
526                 goto out;
527         }
528
529         rc = try_context_mount(sb, data);
530         if (rc)
531                 goto out;
532
533         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
534                 /* Make sure that the xattr handler exists and that no
535                    error other than -ENODATA is returned by getxattr on
536                    the root directory.  -ENODATA is ok, as this may be
537                    the first boot of the SELinux kernel before we have
538                    assigned xattr values to the filesystem. */
539                 if (!inode->i_op->getxattr) {
540                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
541                                "xattr support\n", sb->s_id, sb->s_type->name);
542                         rc = -EOPNOTSUPP;
543                         goto out;
544                 }
545                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
546                 if (rc < 0 && rc != -ENODATA) {
547                         if (rc == -EOPNOTSUPP)
548                                 printk(KERN_WARNING "SELinux: (dev %s, type "
549                                        "%s) has no security xattr handler\n",
550                                        sb->s_id, sb->s_type->name);
551                         else
552                                 printk(KERN_WARNING "SELinux: (dev %s, type "
553                                        "%s) getxattr errno %d\n", sb->s_id,
554                                        sb->s_type->name, -rc);
555                         goto out;
556                 }
557         }
558
559         if (strcmp(sb->s_type->name, "proc") == 0)
560                 sbsec->proc = 1;
561
562         sbsec->initialized = 1;
563
564         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
565                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
566                        sb->s_id, sb->s_type->name);
567         }
568         else {
569                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
570                        sb->s_id, sb->s_type->name,
571                        labeling_behaviors[sbsec->behavior-1]);
572         }
573
574         /* Initialize the root inode. */
575         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
576
577         /* Initialize any other inodes associated with the superblock, e.g.
578            inodes created prior to initial policy load or inodes created
579            during get_sb by a pseudo filesystem that directly
580            populates itself. */
581         spin_lock(&sbsec->isec_lock);
582 next_inode:
583         if (!list_empty(&sbsec->isec_head)) {
584                 struct inode_security_struct *isec =
585                                 list_entry(sbsec->isec_head.next,
586                                            struct inode_security_struct, list);
587                 struct inode *inode = isec->inode;
588                 spin_unlock(&sbsec->isec_lock);
589                 inode = igrab(inode);
590                 if (inode) {
591                         if (!IS_PRIVATE (inode))
592                                 inode_doinit(inode);
593                         iput(inode);
594                 }
595                 spin_lock(&sbsec->isec_lock);
596                 list_del_init(&isec->list);
597                 goto next_inode;
598         }
599         spin_unlock(&sbsec->isec_lock);
600 out:
601         up(&sbsec->sem);
602         return rc;
603 }
604
605 static inline u16 inode_mode_to_security_class(umode_t mode)
606 {
607         switch (mode & S_IFMT) {
608         case S_IFSOCK:
609                 return SECCLASS_SOCK_FILE;
610         case S_IFLNK:
611                 return SECCLASS_LNK_FILE;
612         case S_IFREG:
613                 return SECCLASS_FILE;
614         case S_IFBLK:
615                 return SECCLASS_BLK_FILE;
616         case S_IFDIR:
617                 return SECCLASS_DIR;
618         case S_IFCHR:
619                 return SECCLASS_CHR_FILE;
620         case S_IFIFO:
621                 return SECCLASS_FIFO_FILE;
622
623         }
624
625         return SECCLASS_FILE;
626 }
627
628 static inline int default_protocol_stream(int protocol)
629 {
630         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
631 }
632
633 static inline int default_protocol_dgram(int protocol)
634 {
635         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
636 }
637
638 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
639 {
640         switch (family) {
641         case PF_UNIX:
642                 switch (type) {
643                 case SOCK_STREAM:
644                 case SOCK_SEQPACKET:
645                         return SECCLASS_UNIX_STREAM_SOCKET;
646                 case SOCK_DGRAM:
647                         return SECCLASS_UNIX_DGRAM_SOCKET;
648                 }
649                 break;
650         case PF_INET:
651         case PF_INET6:
652                 switch (type) {
653                 case SOCK_STREAM:
654                         if (default_protocol_stream(protocol))
655                                 return SECCLASS_TCP_SOCKET;
656                         else
657                                 return SECCLASS_RAWIP_SOCKET;
658                 case SOCK_DGRAM:
659                         if (default_protocol_dgram(protocol))
660                                 return SECCLASS_UDP_SOCKET;
661                         else
662                                 return SECCLASS_RAWIP_SOCKET;
663                 default:
664                         return SECCLASS_RAWIP_SOCKET;
665                 }
666                 break;
667         case PF_NETLINK:
668                 switch (protocol) {
669                 case NETLINK_ROUTE:
670                         return SECCLASS_NETLINK_ROUTE_SOCKET;
671                 case NETLINK_FIREWALL:
672                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
673                 case NETLINK_INET_DIAG:
674                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
675                 case NETLINK_NFLOG:
676                         return SECCLASS_NETLINK_NFLOG_SOCKET;
677                 case NETLINK_XFRM:
678                         return SECCLASS_NETLINK_XFRM_SOCKET;
679                 case NETLINK_SELINUX:
680                         return SECCLASS_NETLINK_SELINUX_SOCKET;
681                 case NETLINK_AUDIT:
682                         return SECCLASS_NETLINK_AUDIT_SOCKET;
683                 case NETLINK_IP6_FW:
684                         return SECCLASS_NETLINK_IP6FW_SOCKET;
685                 case NETLINK_DNRTMSG:
686                         return SECCLASS_NETLINK_DNRT_SOCKET;
687                 case NETLINK_KOBJECT_UEVENT:
688                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
689                 default:
690                         return SECCLASS_NETLINK_SOCKET;
691                 }
692         case PF_PACKET:
693                 return SECCLASS_PACKET_SOCKET;
694         case PF_KEY:
695                 return SECCLASS_KEY_SOCKET;
696         }
697
698         return SECCLASS_SOCKET;
699 }
700
701 #ifdef CONFIG_PROC_FS
702 static int selinux_proc_get_sid(struct proc_dir_entry *de,
703                                 u16 tclass,
704                                 u32 *sid)
705 {
706         int buflen, rc;
707         char *buffer, *path, *end;
708
709         buffer = (char*)__get_free_page(GFP_KERNEL);
710         if (!buffer)
711                 return -ENOMEM;
712
713         buflen = PAGE_SIZE;
714         end = buffer+buflen;
715         *--end = '\0';
716         buflen--;
717         path = end-1;
718         *path = '/';
719         while (de && de != de->parent) {
720                 buflen -= de->namelen + 1;
721                 if (buflen < 0)
722                         break;
723                 end -= de->namelen;
724                 memcpy(end, de->name, de->namelen);
725                 *--end = '/';
726                 path = end;
727                 de = de->parent;
728         }
729         rc = security_genfs_sid("proc", path, tclass, sid);
730         free_page((unsigned long)buffer);
731         return rc;
732 }
733 #else
734 static int selinux_proc_get_sid(struct proc_dir_entry *de,
735                                 u16 tclass,
736                                 u32 *sid)
737 {
738         return -EINVAL;
739 }
740 #endif
741
742 /* The inode's security attributes must be initialized before first use. */
743 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
744 {
745         struct superblock_security_struct *sbsec = NULL;
746         struct inode_security_struct *isec = inode->i_security;
747         u32 sid;
748         struct dentry *dentry;
749 #define INITCONTEXTLEN 255
750         char *context = NULL;
751         unsigned len = 0;
752         int rc = 0;
753         int hold_sem = 0;
754
755         if (isec->initialized)
756                 goto out;
757
758         down(&isec->sem);
759         hold_sem = 1;
760         if (isec->initialized)
761                 goto out;
762
763         sbsec = inode->i_sb->s_security;
764         if (!sbsec->initialized) {
765                 /* Defer initialization until selinux_complete_init,
766                    after the initial policy is loaded and the security
767                    server is ready to handle calls. */
768                 spin_lock(&sbsec->isec_lock);
769                 if (list_empty(&isec->list))
770                         list_add(&isec->list, &sbsec->isec_head);
771                 spin_unlock(&sbsec->isec_lock);
772                 goto out;
773         }
774
775         switch (sbsec->behavior) {
776         case SECURITY_FS_USE_XATTR:
777                 if (!inode->i_op->getxattr) {
778                         isec->sid = sbsec->def_sid;
779                         break;
780                 }
781
782                 /* Need a dentry, since the xattr API requires one.
783                    Life would be simpler if we could just pass the inode. */
784                 if (opt_dentry) {
785                         /* Called from d_instantiate or d_splice_alias. */
786                         dentry = dget(opt_dentry);
787                 } else {
788                         /* Called from selinux_complete_init, try to find a dentry. */
789                         dentry = d_find_alias(inode);
790                 }
791                 if (!dentry) {
792                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
793                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
794                                inode->i_ino);
795                         goto out;
796                 }
797
798                 len = INITCONTEXTLEN;
799                 context = kmalloc(len, GFP_KERNEL);
800                 if (!context) {
801                         rc = -ENOMEM;
802                         dput(dentry);
803                         goto out;
804                 }
805                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
806                                            context, len);
807                 if (rc == -ERANGE) {
808                         /* Need a larger buffer.  Query for the right size. */
809                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
810                                                    NULL, 0);
811                         if (rc < 0) {
812                                 dput(dentry);
813                                 goto out;
814                         }
815                         kfree(context);
816                         len = rc;
817                         context = kmalloc(len, GFP_KERNEL);
818                         if (!context) {
819                                 rc = -ENOMEM;
820                                 dput(dentry);
821                                 goto out;
822                         }
823                         rc = inode->i_op->getxattr(dentry,
824                                                    XATTR_NAME_SELINUX,
825                                                    context, len);
826                 }
827                 dput(dentry);
828                 if (rc < 0) {
829                         if (rc != -ENODATA) {
830                                 printk(KERN_WARNING "%s:  getxattr returned "
831                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
832                                        -rc, inode->i_sb->s_id, inode->i_ino);
833                                 kfree(context);
834                                 goto out;
835                         }
836                         /* Map ENODATA to the default file SID */
837                         sid = sbsec->def_sid;
838                         rc = 0;
839                 } else {
840                         rc = security_context_to_sid_default(context, rc, &sid,
841                                                              sbsec->def_sid);
842                         if (rc) {
843                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
844                                        "returned %d for dev=%s ino=%ld\n",
845                                        __FUNCTION__, context, -rc,
846                                        inode->i_sb->s_id, inode->i_ino);
847                                 kfree(context);
848                                 /* Leave with the unlabeled SID */
849                                 rc = 0;
850                                 break;
851                         }
852                 }
853                 kfree(context);
854                 isec->sid = sid;
855                 break;
856         case SECURITY_FS_USE_TASK:
857                 isec->sid = isec->task_sid;
858                 break;
859         case SECURITY_FS_USE_TRANS:
860                 /* Default to the fs SID. */
861                 isec->sid = sbsec->sid;
862
863                 /* Try to obtain a transition SID. */
864                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
865                 rc = security_transition_sid(isec->task_sid,
866                                              sbsec->sid,
867                                              isec->sclass,
868                                              &sid);
869                 if (rc)
870                         goto out;
871                 isec->sid = sid;
872                 break;
873         default:
874                 /* Default to the fs SID. */
875                 isec->sid = sbsec->sid;
876
877                 if (sbsec->proc) {
878                         struct proc_inode *proci = PROC_I(inode);
879                         if (proci->pde) {
880                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
881                                 rc = selinux_proc_get_sid(proci->pde,
882                                                           isec->sclass,
883                                                           &sid);
884                                 if (rc)
885                                         goto out;
886                                 isec->sid = sid;
887                         }
888                 }
889                 break;
890         }
891
892         isec->initialized = 1;
893
894 out:
895         if (isec->sclass == SECCLASS_FILE)
896                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
897
898         if (hold_sem)
899                 up(&isec->sem);
900         return rc;
901 }
902
903 /* Convert a Linux signal to an access vector. */
904 static inline u32 signal_to_av(int sig)
905 {
906         u32 perm = 0;
907
908         switch (sig) {
909         case SIGCHLD:
910                 /* Commonly granted from child to parent. */
911                 perm = PROCESS__SIGCHLD;
912                 break;
913         case SIGKILL:
914                 /* Cannot be caught or ignored */
915                 perm = PROCESS__SIGKILL;
916                 break;
917         case SIGSTOP:
918                 /* Cannot be caught or ignored */
919                 perm = PROCESS__SIGSTOP;
920                 break;
921         default:
922                 /* All other signals. */
923                 perm = PROCESS__SIGNAL;
924                 break;
925         }
926
927         return perm;
928 }
929
930 /* Check permission betweeen a pair of tasks, e.g. signal checks,
931    fork check, ptrace check, etc. */
932 static int task_has_perm(struct task_struct *tsk1,
933                          struct task_struct *tsk2,
934                          u32 perms)
935 {
936         struct task_security_struct *tsec1, *tsec2;
937
938         tsec1 = tsk1->security;
939         tsec2 = tsk2->security;
940         return avc_has_perm(tsec1->sid, tsec2->sid,
941                             SECCLASS_PROCESS, perms, NULL);
942 }
943
944 /* Check whether a task is allowed to use a capability. */
945 static int task_has_capability(struct task_struct *tsk,
946                                int cap)
947 {
948         struct task_security_struct *tsec;
949         struct avc_audit_data ad;
950
951         tsec = tsk->security;
952
953         AVC_AUDIT_DATA_INIT(&ad,CAP);
954         ad.tsk = tsk;
955         ad.u.cap = cap;
956
957         return avc_has_perm(tsec->sid, tsec->sid,
958                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
959 }
960
961 /* Check whether a task is allowed to use a system operation. */
962 static int task_has_system(struct task_struct *tsk,
963                            u32 perms)
964 {
965         struct task_security_struct *tsec;
966
967         tsec = tsk->security;
968
969         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
970                             SECCLASS_SYSTEM, perms, NULL);
971 }
972
973 /* Check whether a task has a particular permission to an inode.
974    The 'adp' parameter is optional and allows other audit
975    data to be passed (e.g. the dentry). */
976 static int inode_has_perm(struct task_struct *tsk,
977                           struct inode *inode,
978                           u32 perms,
979                           struct avc_audit_data *adp)
980 {
981         struct task_security_struct *tsec;
982         struct inode_security_struct *isec;
983         struct avc_audit_data ad;
984
985         tsec = tsk->security;
986         isec = inode->i_security;
987
988         if (!adp) {
989                 adp = &ad;
990                 AVC_AUDIT_DATA_INIT(&ad, FS);
991                 ad.u.fs.inode = inode;
992         }
993
994         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
995 }
996
997 /* Same as inode_has_perm, but pass explicit audit data containing
998    the dentry to help the auditing code to more easily generate the
999    pathname if needed. */
1000 static inline int dentry_has_perm(struct task_struct *tsk,
1001                                   struct vfsmount *mnt,
1002                                   struct dentry *dentry,
1003                                   u32 av)
1004 {
1005         struct inode *inode = dentry->d_inode;
1006         struct avc_audit_data ad;
1007         AVC_AUDIT_DATA_INIT(&ad,FS);
1008         ad.u.fs.mnt = mnt;
1009         ad.u.fs.dentry = dentry;
1010         return inode_has_perm(tsk, inode, av, &ad);
1011 }
1012
1013 /* Check whether a task can use an open file descriptor to
1014    access an inode in a given way.  Check access to the
1015    descriptor itself, and then use dentry_has_perm to
1016    check a particular permission to the file.
1017    Access to the descriptor is implicitly granted if it
1018    has the same SID as the process.  If av is zero, then
1019    access to the file is not checked, e.g. for cases
1020    where only the descriptor is affected like seek. */
1021 static inline int file_has_perm(struct task_struct *tsk,
1022                                 struct file *file,
1023                                 u32 av)
1024 {
1025         struct task_security_struct *tsec = tsk->security;
1026         struct file_security_struct *fsec = file->f_security;
1027         struct vfsmount *mnt = file->f_vfsmnt;
1028         struct dentry *dentry = file->f_dentry;
1029         struct inode *inode = dentry->d_inode;
1030         struct avc_audit_data ad;
1031         int rc;
1032
1033         AVC_AUDIT_DATA_INIT(&ad, FS);
1034         ad.u.fs.mnt = mnt;
1035         ad.u.fs.dentry = dentry;
1036
1037         if (tsec->sid != fsec->sid) {
1038                 rc = avc_has_perm(tsec->sid, fsec->sid,
1039                                   SECCLASS_FD,
1040                                   FD__USE,
1041                                   &ad);
1042                 if (rc)
1043                         return rc;
1044         }
1045
1046         /* av is zero if only checking access to the descriptor. */
1047         if (av)
1048                 return inode_has_perm(tsk, inode, av, &ad);
1049
1050         return 0;
1051 }
1052
1053 /* Check whether a task can create a file. */
1054 static int may_create(struct inode *dir,
1055                       struct dentry *dentry,
1056                       u16 tclass)
1057 {
1058         struct task_security_struct *tsec;
1059         struct inode_security_struct *dsec;
1060         struct superblock_security_struct *sbsec;
1061         u32 newsid;
1062         struct avc_audit_data ad;
1063         int rc;
1064
1065         tsec = current->security;
1066         dsec = dir->i_security;
1067         sbsec = dir->i_sb->s_security;
1068
1069         AVC_AUDIT_DATA_INIT(&ad, FS);
1070         ad.u.fs.dentry = dentry;
1071
1072         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1073                           DIR__ADD_NAME | DIR__SEARCH,
1074                           &ad);
1075         if (rc)
1076                 return rc;
1077
1078         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1079                 newsid = tsec->create_sid;
1080         } else {
1081                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1082                                              &newsid);
1083                 if (rc)
1084                         return rc;
1085         }
1086
1087         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1088         if (rc)
1089                 return rc;
1090
1091         return avc_has_perm(newsid, sbsec->sid,
1092                             SECCLASS_FILESYSTEM,
1093                             FILESYSTEM__ASSOCIATE, &ad);
1094 }
1095
1096 #define MAY_LINK   0
1097 #define MAY_UNLINK 1
1098 #define MAY_RMDIR  2
1099
1100 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1101 static int may_link(struct inode *dir,
1102                     struct dentry *dentry,
1103                     int kind)
1104
1105 {
1106         struct task_security_struct *tsec;
1107         struct inode_security_struct *dsec, *isec;
1108         struct avc_audit_data ad;
1109         u32 av;
1110         int rc;
1111
1112         tsec = current->security;
1113         dsec = dir->i_security;
1114         isec = dentry->d_inode->i_security;
1115
1116         AVC_AUDIT_DATA_INIT(&ad, FS);
1117         ad.u.fs.dentry = dentry;
1118
1119         av = DIR__SEARCH;
1120         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1121         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1122         if (rc)
1123                 return rc;
1124
1125         switch (kind) {
1126         case MAY_LINK:
1127                 av = FILE__LINK;
1128                 break;
1129         case MAY_UNLINK:
1130                 av = FILE__UNLINK;
1131                 break;
1132         case MAY_RMDIR:
1133                 av = DIR__RMDIR;
1134                 break;
1135         default:
1136                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1137                 return 0;
1138         }
1139
1140         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1141         return rc;
1142 }
1143
1144 static inline int may_rename(struct inode *old_dir,
1145                              struct dentry *old_dentry,
1146                              struct inode *new_dir,
1147                              struct dentry *new_dentry)
1148 {
1149         struct task_security_struct *tsec;
1150         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1151         struct avc_audit_data ad;
1152         u32 av;
1153         int old_is_dir, new_is_dir;
1154         int rc;
1155
1156         tsec = current->security;
1157         old_dsec = old_dir->i_security;
1158         old_isec = old_dentry->d_inode->i_security;
1159         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1160         new_dsec = new_dir->i_security;
1161
1162         AVC_AUDIT_DATA_INIT(&ad, FS);
1163
1164         ad.u.fs.dentry = old_dentry;
1165         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1166                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1167         if (rc)
1168                 return rc;
1169         rc = avc_has_perm(tsec->sid, old_isec->sid,
1170                           old_isec->sclass, FILE__RENAME, &ad);
1171         if (rc)
1172                 return rc;
1173         if (old_is_dir && new_dir != old_dir) {
1174                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1175                                   old_isec->sclass, DIR__REPARENT, &ad);
1176                 if (rc)
1177                         return rc;
1178         }
1179
1180         ad.u.fs.dentry = new_dentry;
1181         av = DIR__ADD_NAME | DIR__SEARCH;
1182         if (new_dentry->d_inode)
1183                 av |= DIR__REMOVE_NAME;
1184         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1185         if (rc)
1186                 return rc;
1187         if (new_dentry->d_inode) {
1188                 new_isec = new_dentry->d_inode->i_security;
1189                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1190                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1191                                   new_isec->sclass,
1192                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1193                 if (rc)
1194                         return rc;
1195         }
1196
1197         return 0;
1198 }
1199
1200 /* Check whether a task can perform a filesystem operation. */
1201 static int superblock_has_perm(struct task_struct *tsk,
1202                                struct super_block *sb,
1203                                u32 perms,
1204                                struct avc_audit_data *ad)
1205 {
1206         struct task_security_struct *tsec;
1207         struct superblock_security_struct *sbsec;
1208
1209         tsec = tsk->security;
1210         sbsec = sb->s_security;
1211         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1212                             perms, ad);
1213 }
1214
1215 /* Convert a Linux mode and permission mask to an access vector. */
1216 static inline u32 file_mask_to_av(int mode, int mask)
1217 {
1218         u32 av = 0;
1219
1220         if ((mode & S_IFMT) != S_IFDIR) {
1221                 if (mask & MAY_EXEC)
1222                         av |= FILE__EXECUTE;
1223                 if (mask & MAY_READ)
1224                         av |= FILE__READ;
1225
1226                 if (mask & MAY_APPEND)
1227                         av |= FILE__APPEND;
1228                 else if (mask & MAY_WRITE)
1229                         av |= FILE__WRITE;
1230
1231         } else {
1232                 if (mask & MAY_EXEC)
1233                         av |= DIR__SEARCH;
1234                 if (mask & MAY_WRITE)
1235                         av |= DIR__WRITE;
1236                 if (mask & MAY_READ)
1237                         av |= DIR__READ;
1238         }
1239
1240         return av;
1241 }
1242
1243 /* Convert a Linux file to an access vector. */
1244 static inline u32 file_to_av(struct file *file)
1245 {
1246         u32 av = 0;
1247
1248         if (file->f_mode & FMODE_READ)
1249                 av |= FILE__READ;
1250         if (file->f_mode & FMODE_WRITE) {
1251                 if (file->f_flags & O_APPEND)
1252                         av |= FILE__APPEND;
1253                 else
1254                         av |= FILE__WRITE;
1255         }
1256
1257         return av;
1258 }
1259
1260 /* Set an inode's SID to a specified value. */
1261 static int inode_security_set_sid(struct inode *inode, u32 sid)
1262 {
1263         struct inode_security_struct *isec = inode->i_security;
1264         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1265
1266         if (!sbsec->initialized) {
1267                 /* Defer initialization to selinux_complete_init. */
1268                 return 0;
1269         }
1270
1271         down(&isec->sem);
1272         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1273         isec->sid = sid;
1274         isec->initialized = 1;
1275         up(&isec->sem);
1276         return 0;
1277 }
1278
1279 /* Hook functions begin here. */
1280
1281 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1282 {
1283         struct task_security_struct *psec = parent->security;
1284         struct task_security_struct *csec = child->security;
1285         int rc;
1286
1287         rc = secondary_ops->ptrace(parent,child);
1288         if (rc)
1289                 return rc;
1290
1291         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1292         /* Save the SID of the tracing process for later use in apply_creds. */
1293         if (!rc)
1294                 csec->ptrace_sid = psec->sid;
1295         return rc;
1296 }
1297
1298 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1299                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1300 {
1301         int error;
1302
1303         error = task_has_perm(current, target, PROCESS__GETCAP);
1304         if (error)
1305                 return error;
1306
1307         return secondary_ops->capget(target, effective, inheritable, permitted);
1308 }
1309
1310 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1311                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1312 {
1313         int error;
1314
1315         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1316         if (error)
1317                 return error;
1318
1319         return task_has_perm(current, target, PROCESS__SETCAP);
1320 }
1321
1322 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1323                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1324 {
1325         secondary_ops->capset_set(target, effective, inheritable, permitted);
1326 }
1327
1328 static int selinux_capable(struct task_struct *tsk, int cap)
1329 {
1330         int rc;
1331
1332         rc = secondary_ops->capable(tsk, cap);
1333         if (rc)
1334                 return rc;
1335
1336         return task_has_capability(tsk,cap);
1337 }
1338
1339 static int selinux_sysctl(ctl_table *table, int op)
1340 {
1341         int error = 0;
1342         u32 av;
1343         struct task_security_struct *tsec;
1344         u32 tsid;
1345         int rc;
1346
1347         rc = secondary_ops->sysctl(table, op);
1348         if (rc)
1349                 return rc;
1350
1351         tsec = current->security;
1352
1353         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1354                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1355         if (rc) {
1356                 /* Default to the well-defined sysctl SID. */
1357                 tsid = SECINITSID_SYSCTL;
1358         }
1359
1360         /* The op values are "defined" in sysctl.c, thereby creating
1361          * a bad coupling between this module and sysctl.c */
1362         if(op == 001) {
1363                 error = avc_has_perm(tsec->sid, tsid,
1364                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1365         } else {
1366                 av = 0;
1367                 if (op & 004)
1368                         av |= FILE__READ;
1369                 if (op & 002)
1370                         av |= FILE__WRITE;
1371                 if (av)
1372                         error = avc_has_perm(tsec->sid, tsid,
1373                                              SECCLASS_FILE, av, NULL);
1374         }
1375
1376         return error;
1377 }
1378
1379 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1380 {
1381         int rc = 0;
1382
1383         if (!sb)
1384                 return 0;
1385
1386         switch (cmds) {
1387                 case Q_SYNC:
1388                 case Q_QUOTAON:
1389                 case Q_QUOTAOFF:
1390                 case Q_SETINFO:
1391                 case Q_SETQUOTA:
1392                         rc = superblock_has_perm(current,
1393                                                  sb,
1394                                                  FILESYSTEM__QUOTAMOD, NULL);
1395                         break;
1396                 case Q_GETFMT:
1397                 case Q_GETINFO:
1398                 case Q_GETQUOTA:
1399                         rc = superblock_has_perm(current,
1400                                                  sb,
1401                                                  FILESYSTEM__QUOTAGET, NULL);
1402                         break;
1403                 default:
1404                         rc = 0;  /* let the kernel handle invalid cmds */
1405                         break;
1406         }
1407         return rc;
1408 }
1409
1410 static int selinux_quota_on(struct dentry *dentry)
1411 {
1412         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1413 }
1414
1415 static int selinux_syslog(int type)
1416 {
1417         int rc;
1418
1419         rc = secondary_ops->syslog(type);
1420         if (rc)
1421                 return rc;
1422
1423         switch (type) {
1424                 case 3:         /* Read last kernel messages */
1425                 case 10:        /* Return size of the log buffer */
1426                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1427                         break;
1428                 case 6:         /* Disable logging to console */
1429                 case 7:         /* Enable logging to console */
1430                 case 8:         /* Set level of messages printed to console */
1431                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1432                         break;
1433                 case 0:         /* Close log */
1434                 case 1:         /* Open log */
1435                 case 2:         /* Read from log */
1436                 case 4:         /* Read/clear last kernel messages */
1437                 case 5:         /* Clear ring buffer */
1438                 default:
1439                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1440                         break;
1441         }
1442         return rc;
1443 }
1444
1445 /*
1446  * Check that a process has enough memory to allocate a new virtual
1447  * mapping. 0 means there is enough memory for the allocation to
1448  * succeed and -ENOMEM implies there is not.
1449  *
1450  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1451  * if the capability is granted, but __vm_enough_memory requires 1 if
1452  * the capability is granted.
1453  *
1454  * Do not audit the selinux permission check, as this is applied to all
1455  * processes that allocate mappings.
1456  */
1457 static int selinux_vm_enough_memory(long pages)
1458 {
1459         int rc, cap_sys_admin = 0;
1460         struct task_security_struct *tsec = current->security;
1461
1462         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1463         if (rc == 0)
1464                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1465                                         SECCLASS_CAPABILITY,
1466                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1467                                         NULL);
1468
1469         if (rc == 0)
1470                 cap_sys_admin = 1;
1471
1472         return __vm_enough_memory(pages, cap_sys_admin);
1473 }
1474
1475 /* binprm security operations */
1476
1477 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1478 {
1479         struct bprm_security_struct *bsec;
1480
1481         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1482         if (!bsec)
1483                 return -ENOMEM;
1484
1485         bsec->magic = SELINUX_MAGIC;
1486         bsec->bprm = bprm;
1487         bsec->sid = SECINITSID_UNLABELED;
1488         bsec->set = 0;
1489
1490         bprm->security = bsec;
1491         return 0;
1492 }
1493
1494 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1495 {
1496         struct task_security_struct *tsec;
1497         struct inode *inode = bprm->file->f_dentry->d_inode;
1498         struct inode_security_struct *isec;
1499         struct bprm_security_struct *bsec;
1500         u32 newsid;
1501         struct avc_audit_data ad;
1502         int rc;
1503
1504         rc = secondary_ops->bprm_set_security(bprm);
1505         if (rc)
1506                 return rc;
1507
1508         bsec = bprm->security;
1509
1510         if (bsec->set)
1511                 return 0;
1512
1513         tsec = current->security;
1514         isec = inode->i_security;
1515
1516         /* Default to the current task SID. */
1517         bsec->sid = tsec->sid;
1518
1519         /* Reset create SID on execve. */
1520         tsec->create_sid = 0;
1521
1522         if (tsec->exec_sid) {
1523                 newsid = tsec->exec_sid;
1524                 /* Reset exec SID on execve. */
1525                 tsec->exec_sid = 0;
1526         } else {
1527                 /* Check for a default transition on this program. */
1528                 rc = security_transition_sid(tsec->sid, isec->sid,
1529                                              SECCLASS_PROCESS, &newsid);
1530                 if (rc)
1531                         return rc;
1532         }
1533
1534         AVC_AUDIT_DATA_INIT(&ad, FS);
1535         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1536         ad.u.fs.dentry = bprm->file->f_dentry;
1537
1538         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1539                 newsid = tsec->sid;
1540
1541         if (tsec->sid == newsid) {
1542                 rc = avc_has_perm(tsec->sid, isec->sid,
1543                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1544                 if (rc)
1545                         return rc;
1546         } else {
1547                 /* Check permissions for the transition. */
1548                 rc = avc_has_perm(tsec->sid, newsid,
1549                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1550                 if (rc)
1551                         return rc;
1552
1553                 rc = avc_has_perm(newsid, isec->sid,
1554                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1555                 if (rc)
1556                         return rc;
1557
1558                 /* Clear any possibly unsafe personality bits on exec: */
1559                 current->personality &= ~PER_CLEAR_ON_SETID;
1560
1561                 /* Set the security field to the new SID. */
1562                 bsec->sid = newsid;
1563         }
1564
1565         bsec->set = 1;
1566         return 0;
1567 }
1568
1569 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1570 {
1571         return secondary_ops->bprm_check_security(bprm);
1572 }
1573
1574
1575 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1576 {
1577         struct task_security_struct *tsec = current->security;
1578         int atsecure = 0;
1579
1580         if (tsec->osid != tsec->sid) {
1581                 /* Enable secure mode for SIDs transitions unless
1582                    the noatsecure permission is granted between
1583                    the two SIDs, i.e. ahp returns 0. */
1584                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1585                                          SECCLASS_PROCESS,
1586                                          PROCESS__NOATSECURE, NULL);
1587         }
1588
1589         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1590 }
1591
1592 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1593 {
1594         kfree(bprm->security);
1595         bprm->security = NULL;
1596 }
1597
1598 extern struct vfsmount *selinuxfs_mount;
1599 extern struct dentry *selinux_null;
1600
1601 /* Derived from fs/exec.c:flush_old_files. */
1602 static inline void flush_unauthorized_files(struct files_struct * files)
1603 {
1604         struct avc_audit_data ad;
1605         struct file *file, *devnull = NULL;
1606         struct tty_struct *tty = current->signal->tty;
1607         struct fdtable *fdt;
1608         long j = -1;
1609
1610         if (tty) {
1611                 file_list_lock();
1612                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1613                 if (file) {
1614                         /* Revalidate access to controlling tty.
1615                            Use inode_has_perm on the tty inode directly rather
1616                            than using file_has_perm, as this particular open
1617                            file may belong to another process and we are only
1618                            interested in the inode-based check here. */
1619                         struct inode *inode = file->f_dentry->d_inode;
1620                         if (inode_has_perm(current, inode,
1621                                            FILE__READ | FILE__WRITE, NULL)) {
1622                                 /* Reset controlling tty. */
1623                                 current->signal->tty = NULL;
1624                                 current->signal->tty_old_pgrp = 0;
1625                         }
1626                 }
1627                 file_list_unlock();
1628         }
1629
1630         /* Revalidate access to inherited open files. */
1631
1632         AVC_AUDIT_DATA_INIT(&ad,FS);
1633
1634         spin_lock(&files->file_lock);
1635         for (;;) {
1636                 unsigned long set, i;
1637                 int fd;
1638
1639                 j++;
1640                 i = j * __NFDBITS;
1641                 fdt = files_fdtable(files);
1642                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1643                         break;
1644                 set = fdt->open_fds->fds_bits[j];
1645                 if (!set)
1646                         continue;
1647                 spin_unlock(&files->file_lock);
1648                 for ( ; set ; i++,set >>= 1) {
1649                         if (set & 1) {
1650                                 file = fget(i);
1651                                 if (!file)
1652                                         continue;
1653                                 if (file_has_perm(current,
1654                                                   file,
1655                                                   file_to_av(file))) {
1656                                         sys_close(i);
1657                                         fd = get_unused_fd();
1658                                         if (fd != i) {
1659                                                 if (fd >= 0)
1660                                                         put_unused_fd(fd);
1661                                                 fput(file);
1662                                                 continue;
1663                                         }
1664                                         if (devnull) {
1665                                                 rcuref_inc(&devnull->f_count);
1666                                         } else {
1667                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1668                                                 if (!devnull) {
1669                                                         put_unused_fd(fd);
1670                                                         fput(file);
1671                                                         continue;
1672                                                 }
1673                                         }
1674                                         fd_install(fd, devnull);
1675                                 }
1676                                 fput(file);
1677                         }
1678                 }
1679                 spin_lock(&files->file_lock);
1680
1681         }
1682         spin_unlock(&files->file_lock);
1683 }
1684
1685 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1686 {
1687         struct task_security_struct *tsec;
1688         struct bprm_security_struct *bsec;
1689         u32 sid;
1690         int rc;
1691
1692         secondary_ops->bprm_apply_creds(bprm, unsafe);
1693
1694         tsec = current->security;
1695
1696         bsec = bprm->security;
1697         sid = bsec->sid;
1698
1699         tsec->osid = tsec->sid;
1700         bsec->unsafe = 0;
1701         if (tsec->sid != sid) {
1702                 /* Check for shared state.  If not ok, leave SID
1703                    unchanged and kill. */
1704                 if (unsafe & LSM_UNSAFE_SHARE) {
1705                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1706                                         PROCESS__SHARE, NULL);
1707                         if (rc) {
1708                                 bsec->unsafe = 1;
1709                                 return;
1710                         }
1711                 }
1712
1713                 /* Check for ptracing, and update the task SID if ok.
1714                    Otherwise, leave SID unchanged and kill. */
1715                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1716                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1717                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1718                                           NULL);
1719                         if (rc) {
1720                                 bsec->unsafe = 1;
1721                                 return;
1722                         }
1723                 }
1724                 tsec->sid = sid;
1725         }
1726 }
1727
1728 /*
1729  * called after apply_creds without the task lock held
1730  */
1731 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1732 {
1733         struct task_security_struct *tsec;
1734         struct rlimit *rlim, *initrlim;
1735         struct itimerval itimer;
1736         struct bprm_security_struct *bsec;
1737         int rc, i;
1738
1739         tsec = current->security;
1740         bsec = bprm->security;
1741
1742         if (bsec->unsafe) {
1743                 force_sig_specific(SIGKILL, current);
1744                 return;
1745         }
1746         if (tsec->osid == tsec->sid)
1747                 return;
1748
1749         /* Close files for which the new task SID is not authorized. */
1750         flush_unauthorized_files(current->files);
1751
1752         /* Check whether the new SID can inherit signal state
1753            from the old SID.  If not, clear itimers to avoid
1754            subsequent signal generation and flush and unblock
1755            signals. This must occur _after_ the task SID has
1756           been updated so that any kill done after the flush
1757           will be checked against the new SID. */
1758         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1759                           PROCESS__SIGINH, NULL);
1760         if (rc) {
1761                 memset(&itimer, 0, sizeof itimer);
1762                 for (i = 0; i < 3; i++)
1763                         do_setitimer(i, &itimer, NULL);
1764                 flush_signals(current);
1765                 spin_lock_irq(&current->sighand->siglock);
1766                 flush_signal_handlers(current, 1);
1767                 sigemptyset(&current->blocked);
1768                 recalc_sigpending();
1769                 spin_unlock_irq(&current->sighand->siglock);
1770         }
1771
1772         /* Check whether the new SID can inherit resource limits
1773            from the old SID.  If not, reset all soft limits to
1774            the lower of the current task's hard limit and the init
1775            task's soft limit.  Note that the setting of hard limits
1776            (even to lower them) can be controlled by the setrlimit
1777            check. The inclusion of the init task's soft limit into
1778            the computation is to avoid resetting soft limits higher
1779            than the default soft limit for cases where the default
1780            is lower than the hard limit, e.g. RLIMIT_CORE or
1781            RLIMIT_STACK.*/
1782         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1783                           PROCESS__RLIMITINH, NULL);
1784         if (rc) {
1785                 for (i = 0; i < RLIM_NLIMITS; i++) {
1786                         rlim = current->signal->rlim + i;
1787                         initrlim = init_task.signal->rlim+i;
1788                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1789                 }
1790                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1791                         /*
1792                          * This will cause RLIMIT_CPU calculations
1793                          * to be refigured.
1794                          */
1795                         current->it_prof_expires = jiffies_to_cputime(1);
1796                 }
1797         }
1798
1799         /* Wake up the parent if it is waiting so that it can
1800            recheck wait permission to the new task SID. */
1801         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1802 }
1803
1804 /* superblock security operations */
1805
1806 static int selinux_sb_alloc_security(struct super_block *sb)
1807 {
1808         return superblock_alloc_security(sb);
1809 }
1810
1811 static void selinux_sb_free_security(struct super_block *sb)
1812 {
1813         superblock_free_security(sb);
1814 }
1815
1816 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1817 {
1818         if (plen > olen)
1819                 return 0;
1820
1821         return !memcmp(prefix, option, plen);
1822 }
1823
1824 static inline int selinux_option(char *option, int len)
1825 {
1826         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1827                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1828                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1829 }
1830
1831 static inline void take_option(char **to, char *from, int *first, int len)
1832 {
1833         if (!*first) {
1834                 **to = ',';
1835                 *to += 1;
1836         }
1837         else
1838                 *first = 0;
1839         memcpy(*to, from, len);
1840         *to += len;
1841 }
1842
1843 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1844 {
1845         int fnosec, fsec, rc = 0;
1846         char *in_save, *in_curr, *in_end;
1847         char *sec_curr, *nosec_save, *nosec;
1848
1849         in_curr = orig;
1850         sec_curr = copy;
1851
1852         /* Binary mount data: just copy */
1853         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1854                 copy_page(sec_curr, in_curr);
1855                 goto out;
1856         }
1857
1858         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1859         if (!nosec) {
1860                 rc = -ENOMEM;
1861                 goto out;
1862         }
1863
1864         nosec_save = nosec;
1865         fnosec = fsec = 1;
1866         in_save = in_end = orig;
1867
1868         do {
1869                 if (*in_end == ',' || *in_end == '\0') {
1870                         int len = in_end - in_curr;
1871
1872                         if (selinux_option(in_curr, len))
1873                                 take_option(&sec_curr, in_curr, &fsec, len);
1874                         else
1875                                 take_option(&nosec, in_curr, &fnosec, len);
1876
1877                         in_curr = in_end + 1;
1878                 }
1879         } while (*in_end++);
1880
1881         strcpy(in_save, nosec_save);
1882         free_page((unsigned long)nosec_save);
1883 out:
1884         return rc;
1885 }
1886
1887 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1888 {
1889         struct avc_audit_data ad;
1890         int rc;
1891
1892         rc = superblock_doinit(sb, data);
1893         if (rc)
1894                 return rc;
1895
1896         AVC_AUDIT_DATA_INIT(&ad,FS);
1897         ad.u.fs.dentry = sb->s_root;
1898         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1899 }
1900
1901 static int selinux_sb_statfs(struct super_block *sb)
1902 {
1903         struct avc_audit_data ad;
1904
1905         AVC_AUDIT_DATA_INIT(&ad,FS);
1906         ad.u.fs.dentry = sb->s_root;
1907         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1908 }
1909
1910 static int selinux_mount(char * dev_name,
1911                          struct nameidata *nd,
1912                          char * type,
1913                          unsigned long flags,
1914                          void * data)
1915 {
1916         int rc;
1917
1918         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1919         if (rc)
1920                 return rc;
1921
1922         if (flags & MS_REMOUNT)
1923                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1924                                            FILESYSTEM__REMOUNT, NULL);
1925         else
1926                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1927                                        FILE__MOUNTON);
1928 }
1929
1930 static int selinux_umount(struct vfsmount *mnt, int flags)
1931 {
1932         int rc;
1933
1934         rc = secondary_ops->sb_umount(mnt, flags);
1935         if (rc)
1936                 return rc;
1937
1938         return superblock_has_perm(current,mnt->mnt_sb,
1939                                    FILESYSTEM__UNMOUNT,NULL);
1940 }
1941
1942 /* inode security operations */
1943
1944 static int selinux_inode_alloc_security(struct inode *inode)
1945 {
1946         return inode_alloc_security(inode);
1947 }
1948
1949 static void selinux_inode_free_security(struct inode *inode)
1950 {
1951         inode_free_security(inode);
1952 }
1953
1954 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1955                                        char **name, void **value,
1956                                        size_t *len)
1957 {
1958         struct task_security_struct *tsec;
1959         struct inode_security_struct *dsec;
1960         struct superblock_security_struct *sbsec;
1961         struct inode_security_struct *isec;
1962         u32 newsid, clen;
1963         int rc;
1964         char *namep = NULL, *context;
1965
1966         tsec = current->security;
1967         dsec = dir->i_security;
1968         sbsec = dir->i_sb->s_security;
1969         isec = inode->i_security;
1970
1971         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1972                 newsid = tsec->create_sid;
1973         } else {
1974                 rc = security_transition_sid(tsec->sid, dsec->sid,
1975                                              inode_mode_to_security_class(inode->i_mode),
1976                                              &newsid);
1977                 if (rc) {
1978                         printk(KERN_WARNING "%s:  "
1979                                "security_transition_sid failed, rc=%d (dev=%s "
1980                                "ino=%ld)\n",
1981                                __FUNCTION__,
1982                                -rc, inode->i_sb->s_id, inode->i_ino);
1983                         return rc;
1984                 }
1985         }
1986
1987         inode_security_set_sid(inode, newsid);
1988
1989         if (name) {
1990                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1991                 if (!namep)
1992                         return -ENOMEM;
1993                 *name = namep;
1994         }
1995
1996         if (value && len) {
1997                 rc = security_sid_to_context(newsid, &context, &clen);
1998                 if (rc) {
1999                         kfree(namep);
2000                         return rc;
2001                 }
2002                 *value = context;
2003                 *len = clen;
2004         }
2005
2006         return 0;
2007 }
2008
2009 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2010 {
2011         return may_create(dir, dentry, SECCLASS_FILE);
2012 }
2013
2014 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2015 {
2016         int rc;
2017
2018         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2019         if (rc)
2020                 return rc;
2021         return may_link(dir, old_dentry, MAY_LINK);
2022 }
2023
2024 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2025 {
2026         int rc;
2027
2028         rc = secondary_ops->inode_unlink(dir, dentry);
2029         if (rc)
2030                 return rc;
2031         return may_link(dir, dentry, MAY_UNLINK);
2032 }
2033
2034 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2035 {
2036         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2037 }
2038
2039 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2040 {
2041         return may_create(dir, dentry, SECCLASS_DIR);
2042 }
2043
2044 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2045 {
2046         return may_link(dir, dentry, MAY_RMDIR);
2047 }
2048
2049 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2050 {
2051         int rc;
2052
2053         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2054         if (rc)
2055                 return rc;
2056
2057         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2058 }
2059
2060 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2061                                 struct inode *new_inode, struct dentry *new_dentry)
2062 {
2063         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2064 }
2065
2066 static int selinux_inode_readlink(struct dentry *dentry)
2067 {
2068         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2069 }
2070
2071 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2072 {
2073         int rc;
2074
2075         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2076         if (rc)
2077                 return rc;
2078         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2079 }
2080
2081 static int selinux_inode_permission(struct inode *inode, int mask,
2082                                     struct nameidata *nd)
2083 {
2084         int rc;
2085
2086         rc = secondary_ops->inode_permission(inode, mask, nd);
2087         if (rc)
2088                 return rc;
2089
2090         if (!mask) {
2091                 /* No permission to check.  Existence test. */
2092                 return 0;
2093         }
2094
2095         return inode_has_perm(current, inode,
2096                                file_mask_to_av(inode->i_mode, mask), NULL);
2097 }
2098
2099 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2100 {
2101         int rc;
2102
2103         rc = secondary_ops->inode_setattr(dentry, iattr);
2104         if (rc)
2105                 return rc;
2106
2107         if (iattr->ia_valid & ATTR_FORCE)
2108                 return 0;
2109
2110         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2111                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2112                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2113
2114         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2115 }
2116
2117 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2118 {
2119         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2120 }
2121
2122 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2123 {
2124         struct task_security_struct *tsec = current->security;
2125         struct inode *inode = dentry->d_inode;
2126         struct inode_security_struct *isec = inode->i_security;
2127         struct superblock_security_struct *sbsec;
2128         struct avc_audit_data ad;
2129         u32 newsid;
2130         int rc = 0;
2131
2132         if (strcmp(name, XATTR_NAME_SELINUX)) {
2133                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2134                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2135                     !capable(CAP_SYS_ADMIN)) {
2136                         /* A different attribute in the security namespace.
2137                            Restrict to administrator. */
2138                         return -EPERM;
2139                 }
2140
2141                 /* Not an attribute we recognize, so just check the
2142                    ordinary setattr permission. */
2143                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2144         }
2145
2146         sbsec = inode->i_sb->s_security;
2147         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2148                 return -EOPNOTSUPP;
2149
2150         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2151                 return -EPERM;
2152
2153         AVC_AUDIT_DATA_INIT(&ad,FS);
2154         ad.u.fs.dentry = dentry;
2155
2156         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2157                           FILE__RELABELFROM, &ad);
2158         if (rc)
2159                 return rc;
2160
2161         rc = security_context_to_sid(value, size, &newsid);
2162         if (rc)
2163                 return rc;
2164
2165         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2166                           FILE__RELABELTO, &ad);
2167         if (rc)
2168                 return rc;
2169
2170         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2171                                           isec->sclass);
2172         if (rc)
2173                 return rc;
2174
2175         return avc_has_perm(newsid,
2176                             sbsec->sid,
2177                             SECCLASS_FILESYSTEM,
2178                             FILESYSTEM__ASSOCIATE,
2179                             &ad);
2180 }
2181
2182 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2183                                         void *value, size_t size, int flags)
2184 {
2185         struct inode *inode = dentry->d_inode;
2186         struct inode_security_struct *isec = inode->i_security;
2187         u32 newsid;
2188         int rc;
2189
2190         if (strcmp(name, XATTR_NAME_SELINUX)) {
2191                 /* Not an attribute we recognize, so nothing to do. */
2192                 return;
2193         }
2194
2195         rc = security_context_to_sid(value, size, &newsid);
2196         if (rc) {
2197                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2198                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2199                 return;
2200         }
2201
2202         isec->sid = newsid;
2203         return;
2204 }
2205
2206 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2207 {
2208         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2209 }
2210
2211 static int selinux_inode_listxattr (struct dentry *dentry)
2212 {
2213         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2214 }
2215
2216 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2217 {
2218         if (strcmp(name, XATTR_NAME_SELINUX)) {
2219                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2220                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2221                     !capable(CAP_SYS_ADMIN)) {
2222                         /* A different attribute in the security namespace.
2223                            Restrict to administrator. */
2224                         return -EPERM;
2225                 }
2226
2227                 /* Not an attribute we recognize, so just check the
2228                    ordinary setattr permission. Might want a separate
2229                    permission for removexattr. */
2230                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2231         }
2232
2233         /* No one is allowed to remove a SELinux security label.
2234            You can change the label, but all data must be labeled. */
2235         return -EACCES;
2236 }
2237
2238 /*
2239  * Copy the in-core inode security context value to the user.  If the
2240  * getxattr() prior to this succeeded, check to see if we need to
2241  * canonicalize the value to be finally returned to the user.
2242  *
2243  * Permission check is handled by selinux_inode_getxattr hook.
2244  */
2245 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2246 {
2247         struct inode_security_struct *isec = inode->i_security;
2248         char *context;
2249         unsigned len;
2250         int rc;
2251
2252         if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2253                 rc = -EOPNOTSUPP;
2254                 goto out;
2255         }
2256
2257         rc = security_sid_to_context(isec->sid, &context, &len);
2258         if (rc)
2259                 goto out;
2260
2261         /* Probe for required buffer size */
2262         if (!buffer || !size) {
2263                 rc = len;
2264                 goto out_free;
2265         }
2266
2267         if (size < len) {
2268                 rc = -ERANGE;
2269                 goto out_free;
2270         }
2271
2272         if (err > 0) {
2273                 if ((len == err) && !(memcmp(context, buffer, len))) {
2274                         /* Don't need to canonicalize value */
2275                         rc = err;
2276                         goto out_free;
2277                 }
2278                 memset(buffer, 0, size);
2279         }
2280         memcpy(buffer, context, len);
2281         rc = len;
2282 out_free:
2283         kfree(context);
2284 out:
2285         return rc;
2286 }
2287
2288 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2289                                      const void *value, size_t size, int flags)
2290 {
2291         struct inode_security_struct *isec = inode->i_security;
2292         u32 newsid;
2293         int rc;
2294
2295         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2296                 return -EOPNOTSUPP;
2297
2298         if (!value || !size)
2299                 return -EACCES;
2300
2301         rc = security_context_to_sid((void*)value, size, &newsid);
2302         if (rc)
2303                 return rc;
2304
2305         isec->sid = newsid;
2306         return 0;
2307 }
2308
2309 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2310 {
2311         const int len = sizeof(XATTR_NAME_SELINUX);
2312         if (buffer && len <= buffer_size)
2313                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2314         return len;
2315 }
2316
2317 /* file security operations */
2318
2319 static int selinux_file_permission(struct file *file, int mask)
2320 {
2321         struct inode *inode = file->f_dentry->d_inode;
2322
2323         if (!mask) {
2324                 /* No permission to check.  Existence test. */
2325                 return 0;
2326         }
2327
2328         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2329         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2330                 mask |= MAY_APPEND;
2331
2332         return file_has_perm(current, file,
2333                              file_mask_to_av(inode->i_mode, mask));
2334 }
2335
2336 static int selinux_file_alloc_security(struct file *file)
2337 {
2338         return file_alloc_security(file);
2339 }
2340
2341 static void selinux_file_free_security(struct file *file)
2342 {
2343         file_free_security(file);
2344 }
2345
2346 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2347                               unsigned long arg)
2348 {
2349         int error = 0;
2350
2351         switch (cmd) {
2352                 case FIONREAD:
2353                 /* fall through */
2354                 case FIBMAP:
2355                 /* fall through */
2356                 case FIGETBSZ:
2357                 /* fall through */
2358                 case EXT2_IOC_GETFLAGS:
2359                 /* fall through */
2360                 case EXT2_IOC_GETVERSION:
2361                         error = file_has_perm(current, file, FILE__GETATTR);
2362                         break;
2363
2364                 case EXT2_IOC_SETFLAGS:
2365                 /* fall through */
2366                 case EXT2_IOC_SETVERSION:
2367                         error = file_has_perm(current, file, FILE__SETATTR);
2368                         break;
2369
2370                 /* sys_ioctl() checks */
2371                 case FIONBIO:
2372                 /* fall through */
2373                 case FIOASYNC:
2374                         error = file_has_perm(current, file, 0);
2375                         break;
2376
2377                 case KDSKBENT:
2378                 case KDSKBSENT:
2379                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2380                         break;
2381
2382                 /* default case assumes that the command will go
2383                  * to the file's ioctl() function.
2384                  */
2385                 default:
2386                         error = file_has_perm(current, file, FILE__IOCTL);
2387
2388         }
2389         return error;
2390 }
2391
2392 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2393 {
2394 #ifndef CONFIG_PPC32
2395         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2396                 /*
2397                  * We are making executable an anonymous mapping or a
2398                  * private file mapping that will also be writable.
2399                  * This has an additional check.
2400                  */
2401                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2402                 if (rc)
2403                         return rc;
2404         }
2405 #endif
2406
2407         if (file) {
2408                 /* read access is always possible with a mapping */
2409                 u32 av = FILE__READ;
2410
2411                 /* write access only matters if the mapping is shared */
2412                 if (shared && (prot & PROT_WRITE))
2413                         av |= FILE__WRITE;
2414
2415                 if (prot & PROT_EXEC)
2416                         av |= FILE__EXECUTE;
2417
2418                 return file_has_perm(current, file, av);
2419         }
2420         return 0;
2421 }
2422
2423 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2424                              unsigned long prot, unsigned long flags)
2425 {
2426         int rc;
2427
2428         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2429         if (rc)
2430                 return rc;
2431
2432         if (selinux_checkreqprot)
2433                 prot = reqprot;
2434
2435         return file_map_prot_check(file, prot,
2436                                    (flags & MAP_TYPE) == MAP_SHARED);
2437 }
2438
2439 static int selinux_file_mprotect(struct vm_area_struct *vma,
2440                                  unsigned long reqprot,
2441                                  unsigned long prot)
2442 {
2443         int rc;
2444
2445         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2446         if (rc)
2447                 return rc;
2448
2449         if (selinux_checkreqprot)
2450                 prot = reqprot;
2451
2452 #ifndef CONFIG_PPC32
2453         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2454            (vma->vm_start >= vma->vm_mm->start_brk &&
2455             vma->vm_end <= vma->vm_mm->brk)) {
2456                 /*
2457                  * We are making an executable mapping in the brk region.
2458                  * This has an additional execheap check.
2459                  */
2460                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2461                 if (rc)
2462                         return rc;
2463         }
2464         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2465                 /*
2466                  * We are making executable a file mapping that has
2467                  * had some COW done. Since pages might have been written,
2468                  * check ability to execute the possibly modified content.
2469                  * This typically should only occur for text relocations.
2470                  */
2471                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2472                 if (rc)
2473                         return rc;
2474         }
2475         if (!vma->vm_file && (prot & PROT_EXEC) &&
2476                 vma->vm_start <= vma->vm_mm->start_stack &&
2477                 vma->vm_end >= vma->vm_mm->start_stack) {
2478                 /* Attempt to make the process stack executable.
2479                  * This has an additional execstack check.
2480                  */
2481                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2482                 if (rc)
2483                         return rc;
2484         }
2485 #endif
2486
2487         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2488 }
2489
2490 static int selinux_file_lock(struct file *file, unsigned int cmd)
2491 {
2492         return file_has_perm(current, file, FILE__LOCK);
2493 }
2494
2495 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2496                               unsigned long arg)
2497 {
2498         int err = 0;
2499
2500         switch (cmd) {
2501                 case F_SETFL:
2502                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2503                                 err = -EINVAL;
2504                                 break;
2505                         }
2506
2507                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2508                                 err = file_has_perm(current, file,FILE__WRITE);
2509                                 break;
2510                         }
2511                         /* fall through */
2512                 case F_SETOWN:
2513                 case F_SETSIG:
2514                 case F_GETFL:
2515                 case F_GETOWN:
2516                 case F_GETSIG:
2517                         /* Just check FD__USE permission */
2518                         err = file_has_perm(current, file, 0);
2519                         break;
2520                 case F_GETLK:
2521                 case F_SETLK:
2522                 case F_SETLKW:
2523 #if BITS_PER_LONG == 32
2524                 case F_GETLK64:
2525                 case F_SETLK64:
2526                 case F_SETLKW64:
2527 #endif
2528                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2529                                 err = -EINVAL;
2530                                 break;
2531                         }
2532                         err = file_has_perm(current, file, FILE__LOCK);
2533                         break;
2534         }
2535
2536         return err;
2537 }
2538
2539 static int selinux_file_set_fowner(struct file *file)
2540 {
2541         struct task_security_struct *tsec;
2542         struct file_security_struct *fsec;
2543
2544         tsec = current->security;
2545         fsec = file->f_security;
2546         fsec->fown_sid = tsec->sid;
2547
2548         return 0;
2549 }
2550
2551 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2552                                        struct fown_struct *fown, int signum)
2553 {
2554         struct file *file;
2555         u32 perm;
2556         struct task_security_struct *tsec;
2557         struct file_security_struct *fsec;
2558
2559         /* struct fown_struct is never outside the context of a struct file */
2560         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2561
2562         tsec = tsk->security;
2563         fsec = file->f_security;
2564
2565         if (!signum)
2566                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2567         else
2568                 perm = signal_to_av(signum);
2569
2570         return avc_has_perm(fsec->fown_sid, tsec->sid,
2571                             SECCLASS_PROCESS, perm, NULL);
2572 }
2573
2574 static int selinux_file_receive(struct file *file)
2575 {
2576         return file_has_perm(current, file, file_to_av(file));
2577 }
2578
2579 /* task security operations */
2580
2581 static int selinux_task_create(unsigned long clone_flags)
2582 {
2583         int rc;
2584
2585         rc = secondary_ops->task_create(clone_flags);
2586         if (rc)
2587                 return rc;
2588
2589         return task_has_perm(current, current, PROCESS__FORK);
2590 }
2591
2592 static int selinux_task_alloc_security(struct task_struct *tsk)
2593 {
2594         struct task_security_struct *tsec1, *tsec2;
2595         int rc;
2596
2597         tsec1 = current->security;
2598
2599         rc = task_alloc_security(tsk);
2600         if (rc)
2601                 return rc;
2602         tsec2 = tsk->security;
2603
2604         tsec2->osid = tsec1->osid;
2605         tsec2->sid = tsec1->sid;
2606
2607         /* Retain the exec and create SIDs across fork */
2608         tsec2->exec_sid = tsec1->exec_sid;
2609         tsec2->create_sid = tsec1->create_sid;
2610
2611         /* Retain ptracer SID across fork, if any.
2612            This will be reset by the ptrace hook upon any
2613            subsequent ptrace_attach operations. */
2614         tsec2->ptrace_sid = tsec1->ptrace_sid;
2615
2616         return 0;
2617 }
2618
2619 static void selinux_task_free_security(struct task_struct *tsk)
2620 {
2621         task_free_security(tsk);
2622 }
2623
2624 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2625 {
2626         /* Since setuid only affects the current process, and
2627            since the SELinux controls are not based on the Linux
2628            identity attributes, SELinux does not need to control
2629            this operation.  However, SELinux does control the use
2630            of the CAP_SETUID and CAP_SETGID capabilities using the
2631            capable hook. */
2632         return 0;
2633 }
2634
2635 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2636 {
2637         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2638 }
2639
2640 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2641 {
2642         /* See the comment for setuid above. */
2643         return 0;
2644 }
2645
2646 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2647 {
2648         return task_has_perm(current, p, PROCESS__SETPGID);
2649 }
2650
2651 static int selinux_task_getpgid(struct task_struct *p)
2652 {
2653         return task_has_perm(current, p, PROCESS__GETPGID);
2654 }
2655
2656 static int selinux_task_getsid(struct task_struct *p)
2657 {
2658         return task_has_perm(current, p, PROCESS__GETSESSION);
2659 }
2660
2661 static int selinux_task_setgroups(struct group_info *group_info)
2662 {
2663         /* See the comment for setuid above. */
2664         return 0;
2665 }
2666
2667 static int selinux_task_setnice(struct task_struct *p, int nice)
2668 {
2669         int rc;
2670
2671         rc = secondary_ops->task_setnice(p, nice);
2672         if (rc)
2673                 return rc;
2674
2675         return task_has_perm(current,p, PROCESS__SETSCHED);
2676 }
2677
2678 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2679 {
2680         struct rlimit *old_rlim = current->signal->rlim + resource;
2681         int rc;
2682
2683         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2684         if (rc)
2685                 return rc;
2686
2687         /* Control the ability to change the hard limit (whether
2688            lowering or raising it), so that the hard limit can
2689            later be used as a safe reset point for the soft limit
2690            upon context transitions. See selinux_bprm_apply_creds. */
2691         if (old_rlim->rlim_max != new_rlim->rlim_max)
2692                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2693
2694         return 0;
2695 }
2696
2697 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2698 {
2699         return task_has_perm(current, p, PROCESS__SETSCHED);
2700 }
2701
2702 static int selinux_task_getscheduler(struct task_struct *p)
2703 {
2704         return task_has_perm(current, p, PROCESS__GETSCHED);
2705 }
2706
2707 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2708 {
2709         u32 perm;
2710         int rc;
2711
2712         rc = secondary_ops->task_kill(p, info, sig);
2713         if (rc)
2714                 return rc;
2715
2716         if (info != SEND_SIG_NOINFO && (info == SEND_SIG_PRIV ||
2717                                         info == SEND_SIG_FORCED || SI_FROMKERNEL(info)))
2718                 return 0;
2719
2720         if (!sig)
2721                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2722         else
2723                 perm = signal_to_av(sig);
2724
2725         return task_has_perm(current, p, perm);
2726 }
2727
2728 static int selinux_task_prctl(int option,
2729                               unsigned long arg2,
2730                               unsigned long arg3,
2731                               unsigned long arg4,
2732                               unsigned long arg5)
2733 {
2734         /* The current prctl operations do not appear to require
2735            any SELinux controls since they merely observe or modify
2736            the state of the current process. */
2737         return 0;
2738 }
2739
2740 static int selinux_task_wait(struct task_struct *p)
2741 {
2742         u32 perm;
2743
2744         perm = signal_to_av(p->exit_signal);
2745
2746         return task_has_perm(p, current, perm);
2747 }
2748
2749 static void selinux_task_reparent_to_init(struct task_struct *p)
2750 {
2751         struct task_security_struct *tsec;
2752
2753         secondary_ops->task_reparent_to_init(p);
2754
2755         tsec = p->security;
2756         tsec->osid = tsec->sid;
2757         tsec->sid = SECINITSID_KERNEL;
2758         return;
2759 }
2760
2761 static void selinux_task_to_inode(struct task_struct *p,
2762                                   struct inode *inode)
2763 {
2764         struct task_security_struct *tsec = p->security;
2765         struct inode_security_struct *isec = inode->i_security;
2766
2767         isec->sid = tsec->sid;
2768         isec->initialized = 1;
2769         return;
2770 }
2771
2772 #ifdef CONFIG_SECURITY_NETWORK
2773
2774 /* Returns error only if unable to parse addresses */
2775 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2776 {
2777         int offset, ihlen, ret = -EINVAL;
2778         struct iphdr _iph, *ih;
2779
2780         offset = skb->nh.raw - skb->data;
2781         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2782         if (ih == NULL)
2783                 goto out;
2784
2785         ihlen = ih->ihl * 4;
2786         if (ihlen < sizeof(_iph))
2787                 goto out;
2788
2789         ad->u.net.v4info.saddr = ih->saddr;
2790         ad->u.net.v4info.daddr = ih->daddr;
2791         ret = 0;
2792
2793         switch (ih->protocol) {
2794         case IPPROTO_TCP: {
2795                 struct tcphdr _tcph, *th;
2796
2797                 if (ntohs(ih->frag_off) & IP_OFFSET)
2798                         break;
2799
2800                 offset += ihlen;
2801                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2802                 if (th == NULL)
2803                         break;
2804
2805                 ad->u.net.sport = th->source;
2806                 ad->u.net.dport = th->dest;
2807                 break;
2808         }
2809         
2810         case IPPROTO_UDP: {
2811                 struct udphdr _udph, *uh;
2812                 
2813                 if (ntohs(ih->frag_off) & IP_OFFSET)
2814                         break;
2815                         
2816                 offset += ihlen;
2817                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2818                 if (uh == NULL)
2819                         break;  
2820
2821                 ad->u.net.sport = uh->source;
2822                 ad->u.net.dport = uh->dest;
2823                 break;
2824         }
2825
2826         default:
2827                 break;
2828         }
2829 out:
2830         return ret;
2831 }
2832
2833 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2834
2835 /* Returns error only if unable to parse addresses */
2836 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2837 {
2838         u8 nexthdr;
2839         int ret = -EINVAL, offset;
2840         struct ipv6hdr _ipv6h, *ip6;
2841
2842         offset = skb->nh.raw - skb->data;
2843         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2844         if (ip6 == NULL)
2845                 goto out;
2846
2847         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2848         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2849         ret = 0;
2850
2851         nexthdr = ip6->nexthdr;
2852         offset += sizeof(_ipv6h);
2853         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2854         if (offset < 0)
2855                 goto out;
2856
2857         switch (nexthdr) {
2858         case IPPROTO_TCP: {
2859                 struct tcphdr _tcph, *th;
2860
2861                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2862                 if (th == NULL)
2863                         break;
2864
2865                 ad->u.net.sport = th->source;
2866                 ad->u.net.dport = th->dest;
2867                 break;
2868         }
2869
2870         case IPPROTO_UDP: {
2871                 struct udphdr _udph, *uh;
2872
2873                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2874                 if (uh == NULL)
2875                         break;
2876
2877                 ad->u.net.sport = uh->source;
2878                 ad->u.net.dport = uh->dest;
2879                 break;
2880         }
2881
2882         /* includes fragments */
2883         default:
2884                 break;
2885         }
2886 out:
2887         return ret;
2888 }
2889
2890 #endif /* IPV6 */
2891
2892 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2893                              char **addrp, int *len, int src)
2894 {
2895         int ret = 0;
2896
2897         switch (ad->u.net.family) {
2898         case PF_INET:
2899                 ret = selinux_parse_skb_ipv4(skb, ad);
2900                 if (ret || !addrp)
2901                         break;
2902                 *len = 4;
2903                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2904                                         &ad->u.net.v4info.daddr);
2905                 break;
2906
2907 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2908         case PF_INET6:
2909                 ret = selinux_parse_skb_ipv6(skb, ad);
2910                 if (ret || !addrp)
2911                         break;
2912                 *len = 16;
2913                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2914                                         &ad->u.net.v6info.daddr);
2915                 break;
2916 #endif  /* IPV6 */
2917         default:
2918                 break;
2919         }
2920
2921         return ret;
2922 }
2923
2924 /* socket security operations */
2925 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2926                            u32 perms)
2927 {
2928         struct inode_security_struct *isec;
2929         struct task_security_struct *tsec;
2930         struct avc_audit_data ad;
2931         int err = 0;
2932
2933         tsec = task->security;
2934         isec = SOCK_INODE(sock)->i_security;
2935
2936         if (isec->sid == SECINITSID_KERNEL)
2937                 goto out;
2938
2939         AVC_AUDIT_DATA_INIT(&ad,NET);
2940         ad.u.net.sk = sock->sk;
2941         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2942
2943 out:
2944         return err;
2945 }
2946
2947 static int selinux_socket_create(int family, int type,
2948                                  int protocol, int kern)
2949 {
2950         int err = 0;
2951         struct task_security_struct *tsec;
2952
2953         if (kern)
2954                 goto out;
2955
2956         tsec = current->security;
2957         err = avc_has_perm(tsec->sid, tsec->sid,
2958                            socket_type_to_security_class(family, type,
2959                            protocol), SOCKET__CREATE, NULL);
2960
2961 out:
2962         return err;
2963 }
2964
2965 static void selinux_socket_post_create(struct socket *sock, int family,
2966                                        int type, int protocol, int kern)
2967 {
2968         struct inode_security_struct *isec;
2969         struct task_security_struct *tsec;
2970
2971         isec = SOCK_INODE(sock)->i_security;
2972
2973         tsec = current->security;
2974         isec->sclass = socket_type_to_security_class(family, type, protocol);
2975         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2976         isec->initialized = 1;
2977
2978         return;
2979 }
2980
2981 /* Range of port numbers used to automatically bind.
2982    Need to determine whether we should perform a name_bind
2983    permission check between the socket and the port number. */
2984 #define ip_local_port_range_0 sysctl_local_port_range[0]
2985 #define ip_local_port_range_1 sysctl_local_port_range[1]
2986
2987 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2988 {
2989         u16 family;
2990         int err;
2991
2992         err = socket_has_perm(current, sock, SOCKET__BIND);
2993         if (err)
2994                 goto out;
2995
2996         /*
2997          * If PF_INET or PF_INET6, check name_bind permission for the port.
2998          * Multiple address binding for SCTP is not supported yet: we just
2999          * check the first address now.
3000          */
3001         family = sock->sk->sk_family;
3002         if (family == PF_INET || family == PF_INET6) {
3003                 char *addrp;
3004                 struct inode_security_struct *isec;
3005                 struct task_security_struct *tsec;
3006                 struct avc_audit_data ad;
3007                 struct sockaddr_in *addr4 = NULL;
3008                 struct sockaddr_in6 *addr6 = NULL;
3009                 unsigned short snum;
3010                 struct sock *sk = sock->sk;
3011                 u32 sid, node_perm, addrlen;
3012
3013                 tsec = current->security;
3014                 isec = SOCK_INODE(sock)->i_security;
3015
3016                 if (family == PF_INET) {
3017                         addr4 = (struct sockaddr_in *)address;
3018                         snum = ntohs(addr4->sin_port);
3019                         addrlen = sizeof(addr4->sin_addr.s_addr);
3020                         addrp = (char *)&addr4->sin_addr.s_addr;
3021                 } else {
3022                         addr6 = (struct sockaddr_in6 *)address;
3023                         snum = ntohs(addr6->sin6_port);
3024                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3025                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3026                 }
3027
3028                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3029                            snum > ip_local_port_range_1)) {
3030                         err = security_port_sid(sk->sk_family, sk->sk_type,
3031                                                 sk->sk_protocol, snum, &sid);
3032                         if (err)
3033                                 goto out;
3034                         AVC_AUDIT_DATA_INIT(&ad,NET);
3035                         ad.u.net.sport = htons(snum);
3036                         ad.u.net.family = family;
3037                         err = avc_has_perm(isec->sid, sid,
3038                                            isec->sclass,
3039                                            SOCKET__NAME_BIND, &ad);
3040                         if (err)
3041                                 goto out;
3042                 }
3043                 
3044                 switch(isec->sclass) {
3045                 case SECCLASS_TCP_SOCKET:
3046                         node_perm = TCP_SOCKET__NODE_BIND;
3047                         break;
3048                         
3049                 case SECCLASS_UDP_SOCKET:
3050                         node_perm = UDP_SOCKET__NODE_BIND;
3051                         break;
3052                         
3053                 default:
3054                         node_perm = RAWIP_SOCKET__NODE_BIND;
3055                         break;
3056                 }
3057                 
3058                 err = security_node_sid(family, addrp, addrlen, &sid);
3059                 if (err)
3060                         goto out;
3061                 
3062                 AVC_AUDIT_DATA_INIT(&ad,NET);
3063                 ad.u.net.sport = htons(snum);
3064                 ad.u.net.family = family;
3065
3066                 if (family == PF_INET)
3067                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3068                 else
3069                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3070
3071                 err = avc_has_perm(isec->sid, sid,
3072                                    isec->sclass, node_perm, &ad);
3073                 if (err)
3074                         goto out;
3075         }
3076 out:
3077         return err;
3078 }
3079
3080 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3081 {
3082         struct inode_security_struct *isec;
3083         int err;
3084
3085         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3086         if (err)
3087                 return err;
3088
3089         /*
3090          * If a TCP socket, check name_connect permission for the port.
3091          */
3092         isec = SOCK_INODE(sock)->i_security;
3093         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3094                 struct sock *sk = sock->sk;
3095                 struct avc_audit_data ad;
3096                 struct sockaddr_in *addr4 = NULL;
3097                 struct sockaddr_in6 *addr6 = NULL;
3098                 unsigned short snum;
3099                 u32 sid;
3100
3101                 if (sk->sk_family == PF_INET) {
3102                         addr4 = (struct sockaddr_in *)address;
3103                         if (addrlen < sizeof(struct sockaddr_in))
3104                                 return -EINVAL;
3105                         snum = ntohs(addr4->sin_port);
3106                 } else {
3107                         addr6 = (struct sockaddr_in6 *)address;
3108                         if (addrlen < SIN6_LEN_RFC2133)
3109                                 return -EINVAL;
3110                         snum = ntohs(addr6->sin6_port);
3111                 }
3112
3113                 err = security_port_sid(sk->sk_family, sk->sk_type,
3114                                         sk->sk_protocol, snum, &sid);
3115                 if (err)
3116                         goto out;
3117
3118                 AVC_AUDIT_DATA_INIT(&ad,NET);
3119                 ad.u.net.dport = htons(snum);
3120                 ad.u.net.family = sk->sk_family;
3121                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3122                                    TCP_SOCKET__NAME_CONNECT, &ad);
3123                 if (err)
3124                         goto out;
3125         }
3126
3127 out:
3128         return err;
3129 }
3130
3131 static int selinux_socket_listen(struct socket *sock, int backlog)
3132 {
3133         return socket_has_perm(current, sock, SOCKET__LISTEN);
3134 }
3135
3136 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3137 {
3138         int err;
3139         struct inode_security_struct *isec;
3140         struct inode_security_struct *newisec;
3141
3142         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3143         if (err)
3144                 return err;
3145
3146         newisec = SOCK_INODE(newsock)->i_security;
3147
3148         isec = SOCK_INODE(sock)->i_security;
3149         newisec->sclass = isec->sclass;
3150         newisec->sid = isec->sid;
3151         newisec->initialized = 1;
3152
3153         return 0;
3154 }
3155
3156 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3157                                   int size)
3158 {
3159         return socket_has_perm(current, sock, SOCKET__WRITE);
3160 }
3161
3162 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3163                                   int size, int flags)
3164 {
3165         return socket_has_perm(current, sock, SOCKET__READ);
3166 }
3167
3168 static int selinux_socket_getsockname(struct socket *sock)
3169 {
3170         return socket_has_perm(current, sock, SOCKET__GETATTR);
3171 }
3172
3173 static int selinux_socket_getpeername(struct socket *sock)
3174 {
3175         return socket_has_perm(current, sock, SOCKET__GETATTR);
3176 }
3177
3178 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3179 {
3180         return socket_has_perm(current, sock, SOCKET__SETOPT);
3181 }
3182
3183 static int selinux_socket_getsockopt(struct socket *sock, int level,
3184                                      int optname)
3185 {
3186         return socket_has_perm(current, sock, SOCKET__GETOPT);
3187 }
3188
3189 static int selinux_socket_shutdown(struct socket *sock, int how)
3190 {
3191         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3192 }
3193
3194 static int selinux_socket_unix_stream_connect(struct socket *sock,
3195                                               struct socket *other,
3196                                               struct sock *newsk)
3197 {
3198         struct sk_security_struct *ssec;
3199         struct inode_security_struct *isec;
3200         struct inode_security_struct *other_isec;
3201         struct avc_audit_data ad;
3202         int err;
3203
3204         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3205         if (err)
3206                 return err;
3207
3208         isec = SOCK_INODE(sock)->i_security;
3209         other_isec = SOCK_INODE(other)->i_security;
3210
3211         AVC_AUDIT_DATA_INIT(&ad,NET);
3212         ad.u.net.sk = other->sk;
3213
3214         err = avc_has_perm(isec->sid, other_isec->sid,
3215                            isec->sclass,
3216                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3217         if (err)
3218                 return err;
3219
3220         /* connecting socket */
3221         ssec = sock->sk->sk_security;
3222         ssec->peer_sid = other_isec->sid;
3223         
3224         /* server child socket */
3225         ssec = newsk->sk_security;
3226         ssec->peer_sid = isec->sid;
3227         
3228         return 0;
3229 }
3230
3231 static int selinux_socket_unix_may_send(struct socket *sock,
3232                                         struct socket *other)
3233 {
3234         struct inode_security_struct *isec;
3235         struct inode_security_struct *other_isec;
3236         struct avc_audit_data ad;
3237         int err;
3238
3239         isec = SOCK_INODE(sock)->i_security;
3240         other_isec = SOCK_INODE(other)->i_security;
3241
3242         AVC_AUDIT_DATA_INIT(&ad,NET);
3243         ad.u.net.sk = other->sk;
3244
3245         err = avc_has_perm(isec->sid, other_isec->sid,
3246                            isec->sclass, SOCKET__SENDTO, &ad);
3247         if (err)
3248                 return err;
3249
3250         return 0;
3251 }
3252
3253 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3254 {
3255         u16 family;
3256         char *addrp;
3257         int len, err = 0;
3258         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3259         u32 sock_sid = 0;
3260         u16 sock_class = 0;
3261         struct socket *sock;
3262         struct net_device *dev;
3263         struct avc_audit_data ad;
3264
3265         family = sk->sk_family;
3266         if (family != PF_INET && family != PF_INET6)
3267                 goto out;
3268
3269         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3270         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3271                 family = PF_INET;
3272
3273         read_lock_bh(&sk->sk_callback_lock);
3274         sock = sk->sk_socket;
3275         if (sock) {
3276                 struct inode *inode;
3277                 inode = SOCK_INODE(sock);
3278                 if (inode) {
3279                         struct inode_security_struct *isec;
3280                         isec = inode->i_security;
3281                         sock_sid = isec->sid;
3282                         sock_class = isec->sclass;
3283                 }
3284         }
3285         read_unlock_bh(&sk->sk_callback_lock);
3286         if (!sock_sid)
3287                 goto out;
3288
3289         dev = skb->dev;
3290         if (!dev)
3291                 goto out;
3292
3293         err = sel_netif_sids(dev, &if_sid, NULL);
3294         if (err)
3295                 goto out;
3296
3297         switch (sock_class) {
3298         case SECCLASS_UDP_SOCKET:
3299                 netif_perm = NETIF__UDP_RECV;
3300                 node_perm = NODE__UDP_RECV;
3301                 recv_perm = UDP_SOCKET__RECV_MSG;
3302                 break;
3303         
3304         case SECCLASS_TCP_SOCKET:
3305                 netif_perm = NETIF__TCP_RECV;
3306                 node_perm = NODE__TCP_RECV;
3307                 recv_perm = TCP_SOCKET__RECV_MSG;
3308                 break;
3309         
3310         default:
3311                 netif_perm = NETIF__RAWIP_RECV;
3312                 node_perm = NODE__RAWIP_RECV;
3313                 break;
3314         }
3315
3316         AVC_AUDIT_DATA_INIT(&ad, NET);
3317         ad.u.net.netif = dev->name;
3318         ad.u.net.family = family;
3319
3320         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3321         if (err)
3322                 goto out;
3323
3324         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3325         if (err)
3326                 goto out;
3327         
3328         /* Fixme: this lookup is inefficient */
3329         err = security_node_sid(family, addrp, len, &node_sid);
3330         if (err)
3331                 goto out;
3332         
3333         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3334         if (err)
3335                 goto out;
3336
3337         if (recv_perm) {
3338                 u32 port_sid;
3339
3340                 /* Fixme: make this more efficient */
3341                 err = security_port_sid(sk->sk_family, sk->sk_type,
3342                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3343                                         &port_sid);
3344                 if (err)
3345                         goto out;
3346
3347                 err = avc_has_perm(sock_sid, port_sid,
3348                                    sock_class, recv_perm, &ad);
3349         }
3350 out:    
3351         return err;
3352 }
3353
3354 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3355                                      int __user *optlen, unsigned len)
3356 {
3357         int err = 0;
3358         char *scontext;
3359         u32 scontext_len;
3360         struct sk_security_struct *ssec;
3361         struct inode_security_struct *isec;
3362
3363         isec = SOCK_INODE(sock)->i_security;
3364         if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3365                 err = -ENOPROTOOPT;
3366                 goto out;
3367         }
3368
3369         ssec = sock->sk->sk_security;
3370         
3371         err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3372         if (err)
3373                 goto out;
3374
3375         if (scontext_len > len) {
3376                 err = -ERANGE;
3377                 goto out_len;
3378         }
3379
3380         if (copy_to_user(optval, scontext, scontext_len))
3381                 err = -EFAULT;
3382
3383 out_len:
3384         if (put_user(scontext_len, optlen))
3385                 err = -EFAULT;
3386
3387         kfree(scontext);
3388 out:    
3389         return err;
3390 }
3391
3392 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3393 {
3394         return sk_alloc_security(sk, family, priority);
3395 }
3396
3397 static void selinux_sk_free_security(struct sock *sk)
3398 {
3399         sk_free_security(sk);
3400 }
3401
3402 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3403 {
3404         int err = 0;
3405         u32 perm;
3406         struct nlmsghdr *nlh;
3407         struct socket *sock = sk->sk_socket;
3408         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3409         
3410         if (skb->len < NLMSG_SPACE(0)) {
3411                 err = -EINVAL;
3412                 goto out;
3413         }
3414         nlh = (struct nlmsghdr *)skb->data;
3415         
3416         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3417         if (err) {
3418                 if (err == -EINVAL) {
3419                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3420                                   "SELinux:  unrecognized netlink message"
3421                                   " type=%hu for sclass=%hu\n",
3422                                   nlh->nlmsg_type, isec->sclass);
3423                         if (!selinux_enforcing)
3424                                 err = 0;
3425                 }
3426
3427                 /* Ignore */
3428                 if (err == -ENOENT)
3429                         err = 0;
3430                 goto out;
3431         }
3432
3433         err = socket_has_perm(current, sock, perm);
3434 out:
3435         return err;
3436 }
3437
3438 #ifdef CONFIG_NETFILTER
3439
3440 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3441                                               struct sk_buff **pskb,
3442                                               const struct net_device *in,
3443                                               const struct net_device *out,
3444                                               int (*okfn)(struct sk_buff *),
3445                                               u16 family)
3446 {
3447         char *addrp;
3448         int len, err = NF_ACCEPT;
3449         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3450         struct sock *sk;
3451         struct socket *sock;
3452         struct inode *inode;
3453         struct sk_buff *skb = *pskb;
3454         struct inode_security_struct *isec;
3455         struct avc_audit_data ad;
3456         struct net_device *dev = (struct net_device *)out;
3457         
3458         sk = skb->sk;
3459         if (!sk)
3460                 goto out;
3461                 
3462         sock = sk->sk_socket;
3463         if (!sock)
3464                 goto out;
3465                 
3466         inode = SOCK_INODE(sock);
3467         if (!inode)
3468                 goto out;
3469
3470         err = sel_netif_sids(dev, &if_sid, NULL);
3471         if (err)
3472                 goto out;
3473
3474         isec = inode->i_security;
3475         
3476         switch (isec->sclass) {
3477         case SECCLASS_UDP_SOCKET:
3478                 netif_perm = NETIF__UDP_SEND;
3479                 node_perm = NODE__UDP_SEND;
3480                 send_perm = UDP_SOCKET__SEND_MSG;
3481                 break;
3482         
3483         case SECCLASS_TCP_SOCKET:
3484                 netif_perm = NETIF__TCP_SEND;
3485                 node_perm = NODE__TCP_SEND;
3486                 send_perm = TCP_SOCKET__SEND_MSG;
3487                 break;
3488         
3489         default:
3490                 netif_perm = NETIF__RAWIP_SEND;
3491                 node_perm = NODE__RAWIP_SEND;
3492                 break;
3493         }
3494
3495
3496         AVC_AUDIT_DATA_INIT(&ad, NET);
3497         ad.u.net.netif = dev->name;
3498         ad.u.net.family = family;
3499
3500         err = selinux_parse_skb(skb, &ad, &addrp,
3501                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3502         if (err != NF_ACCEPT)
3503                 goto out;
3504
3505         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3506                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3507         if (err != NF_ACCEPT)
3508                 goto out;
3509                 
3510         /* Fixme: this lookup is inefficient */
3511         err = security_node_sid(family, addrp, len,
3512                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3513         if (err != NF_ACCEPT)
3514                 goto out;
3515         
3516         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3517                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3518         if (err != NF_ACCEPT)
3519                 goto out;
3520
3521         if (send_perm) {
3522                 u32 port_sid;
3523                 
3524                 /* Fixme: make this more efficient */
3525                 err = security_port_sid(sk->sk_family,
3526                                         sk->sk_type,
3527                                         sk->sk_protocol,
3528                                         ntohs(ad.u.net.dport),
3529                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3530                 if (err != NF_ACCEPT)
3531                         goto out;
3532
3533                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3534                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3535         }
3536
3537 out:
3538         return err;
3539 }
3540
3541 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3542                                                 struct sk_buff **pskb,
3543                                                 const struct net_device *in,
3544                                                 const struct net_device *out,
3545                                                 int (*okfn)(struct sk_buff *))
3546 {
3547         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3548 }
3549
3550 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3551
3552 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3553                                                 struct sk_buff **pskb,
3554                                                 const struct net_device *in,
3555                                                 const struct net_device *out,
3556                                                 int (*okfn)(struct sk_buff *))
3557 {
3558         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3559 }
3560
3561 #endif  /* IPV6 */
3562
3563 #endif  /* CONFIG_NETFILTER */
3564
3565 #else
3566
3567 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3568 {
3569         return 0;
3570 }
3571
3572 #endif  /* CONFIG_SECURITY_NETWORK */
3573
3574 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3575 {
3576         struct task_security_struct *tsec;
3577         struct av_decision avd;
3578         int err;
3579
3580         err = secondary_ops->netlink_send(sk, skb);
3581         if (err)
3582                 return err;
3583
3584         tsec = current->security;
3585
3586         avd.allowed = 0;
3587         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3588                                 SECCLASS_CAPABILITY, ~0, &avd);
3589         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3590
3591         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3592                 err = selinux_nlmsg_perm(sk, skb);
3593
3594         return err;
3595 }
3596
3597 static int selinux_netlink_recv(struct sk_buff *skb)
3598 {
3599         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3600                 return -EPERM;
3601         return 0;
3602 }
3603
3604 static int ipc_alloc_security(struct task_struct *task,
3605                               struct kern_ipc_perm *perm,
3606                               u16 sclass)
3607 {
3608         struct task_security_struct *tsec = task->security;
3609         struct ipc_security_struct *isec;
3610
3611         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3612         if (!isec)
3613                 return -ENOMEM;
3614
3615         isec->magic = SELINUX_MAGIC;
3616         isec->sclass = sclass;
3617         isec->ipc_perm = perm;
3618         if (tsec) {
3619                 isec->sid = tsec->sid;
3620         } else {
3621                 isec->sid = SECINITSID_UNLABELED;
3622         }
3623         perm->security = isec;
3624
3625         return 0;
3626 }
3627
3628 static void ipc_free_security(struct kern_ipc_perm *perm)
3629 {
3630         struct ipc_security_struct *isec = perm->security;
3631         if (!isec || isec->magic != SELINUX_MAGIC)
3632                 return;
3633
3634         perm->security = NULL;
3635         kfree(isec);
3636 }
3637
3638 static int msg_msg_alloc_security(struct msg_msg *msg)
3639 {
3640         struct msg_security_struct *msec;
3641
3642         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3643         if (!msec)
3644                 return -ENOMEM;
3645
3646         msec->magic = SELINUX_MAGIC;
3647         msec->msg = msg;
3648         msec->sid = SECINITSID_UNLABELED;
3649         msg->security = msec;
3650
3651         return 0;
3652 }
3653
3654 static void msg_msg_free_security(struct msg_msg *msg)
3655 {
3656         struct msg_security_struct *msec = msg->security;
3657         if (!msec || msec->magic != SELINUX_MAGIC)
3658                 return;
3659
3660         msg->security = NULL;
3661         kfree(msec);
3662 }
3663
3664 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3665                         u32 perms)
3666 {
3667         struct task_security_struct *tsec;
3668         struct ipc_security_struct *isec;
3669         struct avc_audit_data ad;
3670
3671         tsec = current->security;
3672         isec = ipc_perms->security;
3673
3674         AVC_AUDIT_DATA_INIT(&ad, IPC);
3675         ad.u.ipc_id = ipc_perms->key;
3676
3677         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3678 }
3679
3680 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3681 {
3682         return msg_msg_alloc_security(msg);
3683 }
3684
3685 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3686 {
3687         msg_msg_free_security(msg);
3688 }
3689
3690 /* message queue security operations */
3691 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3692 {
3693         struct task_security_struct *tsec;
3694         struct ipc_security_struct *isec;
3695         struct avc_audit_data ad;
3696         int rc;
3697
3698         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3699         if (rc)
3700                 return rc;
3701
3702         tsec = current->security;
3703         isec = msq->q_perm.security;
3704
3705         AVC_AUDIT_DATA_INIT(&ad, IPC);
3706         ad.u.ipc_id = msq->q_perm.key;
3707
3708         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3709                           MSGQ__CREATE, &ad);
3710         if (rc) {
3711                 ipc_free_security(&msq->q_perm);
3712                 return rc;
3713         }
3714         return 0;
3715 }
3716
3717 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3718 {
3719         ipc_free_security(&msq->q_perm);
3720 }
3721
3722 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3723 {
3724         struct task_security_struct *tsec;
3725         struct ipc_security_struct *isec;
3726         struct avc_audit_data ad;
3727
3728         tsec = current->security;
3729         isec = msq->q_perm.security;
3730
3731         AVC_AUDIT_DATA_INIT(&ad, IPC);
3732         ad.u.ipc_id = msq->q_perm.key;
3733
3734         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3735                             MSGQ__ASSOCIATE, &ad);
3736 }
3737
3738 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3739 {
3740         int err;
3741         int perms;
3742
3743         switch(cmd) {
3744         case IPC_INFO:
3745         case MSG_INFO:
3746                 /* No specific object, just general system-wide information. */
3747                 return task_has_system(current, SYSTEM__IPC_INFO);
3748         case IPC_STAT:
3749         case MSG_STAT:
3750                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3751                 break;
3752         case IPC_SET:
3753                 perms = MSGQ__SETATTR;
3754                 break;
3755         case IPC_RMID:
3756                 perms = MSGQ__DESTROY;
3757                 break;
3758         default:
3759                 return 0;
3760         }
3761
3762         err = ipc_has_perm(&msq->q_perm, perms);
3763         return err;
3764 }
3765
3766 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3767 {
3768         struct task_security_struct *tsec;
3769         struct ipc_security_struct *isec;
3770         struct msg_security_struct *msec;
3771         struct avc_audit_data ad;
3772         int rc;
3773
3774         tsec = current->security;
3775         isec = msq->q_perm.security;
3776         msec = msg->security;
3777
3778         /*
3779          * First time through, need to assign label to the message
3780          */
3781         if (msec->sid == SECINITSID_UNLABELED) {
3782                 /*
3783                  * Compute new sid based on current process and
3784                  * message queue this message will be stored in
3785                  */
3786                 rc = security_transition_sid(tsec->sid,
3787                                              isec->sid,
3788                                              SECCLASS_MSG,
3789                                              &msec->sid);
3790                 if (rc)
3791                         return rc;
3792         }
3793
3794         AVC_AUDIT_DATA_INIT(&ad, IPC);
3795         ad.u.ipc_id = msq->q_perm.key;
3796
3797         /* Can this process write to the queue? */
3798         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3799                           MSGQ__WRITE, &ad);
3800         if (!rc)
3801                 /* Can this process send the message */
3802                 rc = avc_has_perm(tsec->sid, msec->sid,
3803                                   SECCLASS_MSG, MSG__SEND, &ad);
3804         if (!rc)
3805                 /* Can the message be put in the queue? */
3806                 rc = avc_has_perm(msec->sid, isec->sid,
3807                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3808
3809         return rc;
3810 }
3811
3812 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3813                                     struct task_struct *target,
3814                                     long type, int mode)
3815 {
3816         struct task_security_struct *tsec;
3817         struct ipc_security_struct *isec;
3818         struct msg_security_struct *msec;
3819         struct avc_audit_data ad;
3820         int rc;
3821
3822         tsec = target->security;
3823         isec = msq->q_perm.security;
3824         msec = msg->security;
3825
3826         AVC_AUDIT_DATA_INIT(&ad, IPC);
3827         ad.u.ipc_id = msq->q_perm.key;
3828
3829         rc = avc_has_perm(tsec->sid, isec->sid,
3830                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3831         if (!rc)
3832                 rc = avc_has_perm(tsec->sid, msec->sid,
3833                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3834         return rc;
3835 }
3836
3837 /* Shared Memory security operations */
3838 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3839 {
3840         struct task_security_struct *tsec;
3841         struct ipc_security_struct *isec;
3842         struct avc_audit_data ad;
3843         int rc;
3844
3845         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3846         if (rc)
3847                 return rc;
3848
3849         tsec = current->security;
3850         isec = shp->shm_perm.security;
3851
3852         AVC_AUDIT_DATA_INIT(&ad, IPC);
3853         ad.u.ipc_id = shp->shm_perm.key;
3854
3855         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3856                           SHM__CREATE, &ad);
3857         if (rc) {
3858                 ipc_free_security(&shp->shm_perm);
3859                 return rc;
3860         }
3861         return 0;
3862 }
3863
3864 static void selinux_shm_free_security(struct shmid_kernel *shp)
3865 {
3866         ipc_free_security(&shp->shm_perm);
3867 }
3868
3869 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3870 {
3871         struct task_security_struct *tsec;
3872         struct ipc_security_struct *isec;
3873         struct avc_audit_data ad;
3874
3875         tsec = current->security;
3876         isec = shp->shm_perm.security;
3877
3878         AVC_AUDIT_DATA_INIT(&ad, IPC);
3879         ad.u.ipc_id = shp->shm_perm.key;
3880
3881         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3882                             SHM__ASSOCIATE, &ad);
3883 }
3884
3885 /* Note, at this point, shp is locked down */
3886 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3887 {
3888         int perms;
3889         int err;
3890
3891         switch(cmd) {
3892         case IPC_INFO:
3893         case SHM_INFO:
3894                 /* No specific object, just general system-wide information. */
3895                 return task_has_system(current, SYSTEM__IPC_INFO);
3896         case IPC_STAT:
3897         case SHM_STAT:
3898                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3899                 break;
3900         case IPC_SET:
3901                 perms = SHM__SETATTR;
3902                 break;
3903         case SHM_LOCK:
3904         case SHM_UNLOCK:
3905                 perms = SHM__LOCK;
3906                 break;
3907         case IPC_RMID:
3908                 perms = SHM__DESTROY;
3909                 break;
3910         default:
3911                 return 0;
3912         }
3913
3914         err = ipc_has_perm(&shp->shm_perm, perms);
3915         return err;
3916 }
3917
3918 static int selinux_shm_shmat(struct shmid_kernel *shp,
3919                              char __user *shmaddr, int shmflg)
3920 {
3921         u32 perms;
3922         int rc;
3923
3924         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3925         if (rc)
3926                 return rc;
3927
3928         if (shmflg & SHM_RDONLY)
3929                 perms = SHM__READ;
3930         else
3931                 perms = SHM__READ | SHM__WRITE;
3932
3933         return ipc_has_perm(&shp->shm_perm, perms);
3934 }
3935
3936 /* Semaphore security operations */
3937 static int selinux_sem_alloc_security(struct sem_array *sma)
3938 {
3939         struct task_security_struct *tsec;
3940         struct ipc_security_struct *isec;
3941         struct avc_audit_data ad;
3942         int rc;
3943
3944         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3945         if (rc)
3946                 return rc;
3947
3948         tsec = current->security;
3949         isec = sma->sem_perm.security;
3950
3951         AVC_AUDIT_DATA_INIT(&ad, IPC);
3952         ad.u.ipc_id = sma->sem_perm.key;
3953
3954         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3955                           SEM__CREATE, &ad);
3956         if (rc) {
3957                 ipc_free_security(&sma->sem_perm);
3958                 return rc;
3959         }
3960         return 0;
3961 }
3962
3963 static void selinux_sem_free_security(struct sem_array *sma)
3964 {
3965         ipc_free_security(&sma->sem_perm);
3966 }
3967
3968 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3969 {
3970         struct task_security_struct *tsec;
3971         struct ipc_security_struct *isec;
3972         struct avc_audit_data ad;
3973
3974         tsec = current->security;
3975         isec = sma->sem_perm.security;
3976
3977         AVC_AUDIT_DATA_INIT(&ad, IPC);
3978         ad.u.ipc_id = sma->sem_perm.key;
3979
3980         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3981                             SEM__ASSOCIATE, &ad);
3982 }
3983
3984 /* Note, at this point, sma is locked down */
3985 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3986 {
3987         int err;
3988         u32 perms;
3989
3990         switch(cmd) {
3991         case IPC_INFO:
3992         case SEM_INFO:
3993                 /* No specific object, just general system-wide information. */
3994                 return task_has_system(current, SYSTEM__IPC_INFO);
3995         case GETPID:
3996         case GETNCNT:
3997         case GETZCNT:
3998                 perms = SEM__GETATTR;
3999                 break;
4000         case GETVAL:
4001         case GETALL:
4002                 perms = SEM__READ;
4003                 break;
4004         case SETVAL:
4005         case SETALL:
4006                 perms = SEM__WRITE;
4007                 break;
4008         case IPC_RMID:
4009                 perms = SEM__DESTROY;
4010                 break;
4011         case IPC_SET:
4012                 perms = SEM__SETATTR;
4013                 break;
4014         case IPC_STAT:
4015         case SEM_STAT:
4016                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4017                 break;
4018         default:
4019                 return 0;
4020         }
4021
4022         err = ipc_has_perm(&sma->sem_perm, perms);
4023         return err;
4024 }
4025
4026 static int selinux_sem_semop(struct sem_array *sma,
4027                              struct sembuf *sops, unsigned nsops, int alter)
4028 {
4029         u32 perms;
4030
4031         if (alter)
4032                 perms = SEM__READ | SEM__WRITE;
4033         else
4034                 perms = SEM__READ;
4035
4036         return ipc_has_perm(&sma->sem_perm, perms);
4037 }
4038
4039 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4040 {
4041         u32 av = 0;
4042
4043         av = 0;
4044         if (flag & S_IRUGO)
4045                 av |= IPC__UNIX_READ;
4046         if (flag & S_IWUGO)
4047                 av |= IPC__UNIX_WRITE;
4048
4049         if (av == 0)
4050                 return 0;
4051
4052         return ipc_has_perm(ipcp, av);
4053 }
4054
4055 /* module stacking operations */
4056 static int selinux_register_security (const char *name, struct security_operations *ops)
4057 {
4058         if (secondary_ops != original_ops) {
4059                 printk(KERN_INFO "%s:  There is already a secondary security "
4060                        "module registered.\n", __FUNCTION__);
4061                 return -EINVAL;
4062         }
4063
4064         secondary_ops = ops;
4065
4066         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4067                __FUNCTION__,
4068                name);
4069
4070         return 0;
4071 }
4072
4073 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4074 {
4075         if (ops != secondary_ops) {
4076                 printk (KERN_INFO "%s:  trying to unregister a security module "
4077                         "that is not registered.\n", __FUNCTION__);
4078                 return -EINVAL;
4079         }
4080
4081         secondary_ops = original_ops;
4082
4083         return 0;
4084 }
4085
4086 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4087 {
4088         if (inode)
4089                 inode_doinit_with_dentry(inode, dentry);
4090 }
4091
4092 static int selinux_getprocattr(struct task_struct *p,
4093                                char *name, void *value, size_t size)
4094 {
4095         struct task_security_struct *tsec;
4096         u32 sid, len;
4097         char *context;
4098         int error;
4099
4100         if (current != p) {
4101                 error = task_has_perm(current, p, PROCESS__GETATTR);
4102                 if (error)
4103                         return error;
4104         }
4105
4106         if (!size)
4107                 return -ERANGE;
4108
4109         tsec = p->security;
4110
4111         if (!strcmp(name, "current"))
4112                 sid = tsec->sid;
4113         else if (!strcmp(name, "prev"))
4114                 sid = tsec->osid;
4115         else if (!strcmp(name, "exec"))
4116                 sid = tsec->exec_sid;
4117         else if (!strcmp(name, "fscreate"))
4118                 sid = tsec->create_sid;
4119         else
4120                 return -EINVAL;
4121
4122         if (!sid)
4123                 return 0;
4124
4125         error = security_sid_to_context(sid, &context, &len);
4126         if (error)
4127                 return error;
4128         if (len > size) {
4129                 kfree(context);
4130                 return -ERANGE;
4131         }
4132         memcpy(value, context, len);
4133         kfree(context);
4134         return len;
4135 }
4136
4137 static int selinux_setprocattr(struct task_struct *p,
4138                                char *name, void *value, size_t size)
4139 {
4140         struct task_security_struct *tsec;
4141         u32 sid = 0;
4142         int error;
4143         char *str = value;
4144
4145         if (current != p) {
4146                 /* SELinux only allows a process to change its own
4147                    security attributes. */
4148                 return -EACCES;
4149         }
4150
4151         /*
4152          * Basic control over ability to set these attributes at all.
4153          * current == p, but we'll pass them separately in case the
4154          * above restriction is ever removed.
4155          */
4156         if (!strcmp(name, "exec"))
4157                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4158         else if (!strcmp(name, "fscreate"))
4159                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4160         else if (!strcmp(name, "current"))
4161                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4162         else
4163                 error = -EINVAL;
4164         if (error)
4165                 return error;
4166
4167         /* Obtain a SID for the context, if one was specified. */
4168         if (size && str[1] && str[1] != '\n') {
4169                 if (str[size-1] == '\n') {
4170                         str[size-1] = 0;
4171                         size--;
4172                 }
4173                 error = security_context_to_sid(value, size, &sid);
4174                 if (error)
4175                         return error;
4176         }
4177
4178         /* Permission checking based on the specified context is
4179            performed during the actual operation (execve,
4180            open/mkdir/...), when we know the full context of the
4181            operation.  See selinux_bprm_set_security for the execve
4182            checks and may_create for the file creation checks. The
4183            operation will then fail if the context is not permitted. */
4184         tsec = p->security;
4185         if (!strcmp(name, "exec"))
4186                 tsec->exec_sid = sid;
4187         else if (!strcmp(name, "fscreate"))
4188                 tsec->create_sid = sid;
4189         else if (!strcmp(name, "current")) {
4190                 struct av_decision avd;
4191
4192                 if (sid == 0)
4193                         return -EINVAL;
4194
4195                 /* Only allow single threaded processes to change context */
4196                 if (atomic_read(&p->mm->mm_users) != 1) {
4197                         struct task_struct *g, *t;
4198                         struct mm_struct *mm = p->mm;
4199                         read_lock(&tasklist_lock);
4200                         do_each_thread(g, t)
4201                                 if (t->mm == mm && t != p) {
4202                                         read_unlock(&tasklist_lock);
4203                                         return -EPERM;
4204                                 }
4205                         while_each_thread(g, t);
4206                         read_unlock(&tasklist_lock);
4207                 }
4208
4209                 /* Check permissions for the transition. */
4210                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4211                                      PROCESS__DYNTRANSITION, NULL);
4212                 if (error)
4213                         return error;
4214
4215                 /* Check for ptracing, and update the task SID if ok.
4216                    Otherwise, leave SID unchanged and fail. */
4217                 task_lock(p);
4218                 if (p->ptrace & PT_PTRACED) {
4219                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4220                                                      SECCLASS_PROCESS,
4221                                                      PROCESS__PTRACE, &avd);
4222                         if (!error)
4223                                 tsec->sid = sid;
4224                         task_unlock(p);
4225                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4226                                   PROCESS__PTRACE, &avd, error, NULL);
4227                         if (error)
4228                                 return error;
4229                 } else {
4230                         tsec->sid = sid;
4231                         task_unlock(p);
4232                 }
4233         }
4234         else
4235                 return -EINVAL;
4236
4237         return size;
4238 }
4239
4240 static struct security_operations selinux_ops = {
4241         .ptrace =                       selinux_ptrace,
4242         .capget =                       selinux_capget,
4243         .capset_check =                 selinux_capset_check,
4244         .capset_set =                   selinux_capset_set,
4245         .sysctl =                       selinux_sysctl,
4246         .capable =                      selinux_capable,
4247         .quotactl =                     selinux_quotactl,
4248         .quota_on =                     selinux_quota_on,
4249         .syslog =                       selinux_syslog,
4250         .vm_enough_memory =             selinux_vm_enough_memory,
4251
4252         .netlink_send =                 selinux_netlink_send,
4253         .netlink_recv =                 selinux_netlink_recv,
4254
4255         .bprm_alloc_security =          selinux_bprm_alloc_security,
4256         .bprm_free_security =           selinux_bprm_free_security,
4257         .bprm_apply_creds =             selinux_bprm_apply_creds,
4258         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4259         .bprm_set_security =            selinux_bprm_set_security,
4260         .bprm_check_security =          selinux_bprm_check_security,
4261         .bprm_secureexec =              selinux_bprm_secureexec,
4262
4263         .sb_alloc_security =            selinux_sb_alloc_security,
4264         .sb_free_security =             selinux_sb_free_security,
4265         .sb_copy_data =                 selinux_sb_copy_data,
4266         .sb_kern_mount =                selinux_sb_kern_mount,
4267         .sb_statfs =                    selinux_sb_statfs,
4268         .sb_mount =                     selinux_mount,
4269         .sb_umount =                    selinux_umount,
4270
4271         .inode_alloc_security =         selinux_inode_alloc_security,
4272         .inode_free_security =          selinux_inode_free_security,
4273         .inode_init_security =          selinux_inode_init_security,
4274         .inode_create =                 selinux_inode_create,
4275         .inode_link =                   selinux_inode_link,
4276         .inode_unlink =                 selinux_inode_unlink,
4277         .inode_symlink =                selinux_inode_symlink,
4278         .inode_mkdir =                  selinux_inode_mkdir,
4279         .inode_rmdir =                  selinux_inode_rmdir,
4280         .inode_mknod =                  selinux_inode_mknod,
4281         .inode_rename =                 selinux_inode_rename,
4282         .inode_readlink =               selinux_inode_readlink,
4283         .inode_follow_link =            selinux_inode_follow_link,
4284         .inode_permission =             selinux_inode_permission,
4285         .inode_setattr =                selinux_inode_setattr,
4286         .inode_getattr =                selinux_inode_getattr,
4287         .inode_setxattr =               selinux_inode_setxattr,
4288         .inode_post_setxattr =          selinux_inode_post_setxattr,
4289         .inode_getxattr =               selinux_inode_getxattr,
4290         .inode_listxattr =              selinux_inode_listxattr,
4291         .inode_removexattr =            selinux_inode_removexattr,
4292         .inode_getsecurity =            selinux_inode_getsecurity,
4293         .inode_setsecurity =            selinux_inode_setsecurity,
4294         .inode_listsecurity =           selinux_inode_listsecurity,
4295
4296         .file_permission =              selinux_file_permission,
4297         .file_alloc_security =          selinux_file_alloc_security,
4298         .file_free_security =           selinux_file_free_security,
4299         .file_ioctl =                   selinux_file_ioctl,
4300         .file_mmap =                    selinux_file_mmap,
4301         .file_mprotect =                selinux_file_mprotect,
4302         .file_lock =                    selinux_file_lock,
4303         .file_fcntl =                   selinux_file_fcntl,
4304         .file_set_fowner =              selinux_file_set_fowner,
4305         .file_send_sigiotask =          selinux_file_send_sigiotask,
4306         .file_receive =                 selinux_file_receive,
4307
4308         .task_create =                  selinux_task_create,
4309         .task_alloc_security =          selinux_task_alloc_security,
4310         .task_free_security =           selinux_task_free_security,
4311         .task_setuid =                  selinux_task_setuid,
4312         .task_post_setuid =             selinux_task_post_setuid,
4313         .task_setgid =                  selinux_task_setgid,
4314         .task_setpgid =                 selinux_task_setpgid,
4315         .task_getpgid =                 selinux_task_getpgid,
4316         .task_getsid =                  selinux_task_getsid,
4317         .task_setgroups =               selinux_task_setgroups,
4318         .task_setnice =                 selinux_task_setnice,
4319         .task_setrlimit =               selinux_task_setrlimit,
4320         .task_setscheduler =            selinux_task_setscheduler,
4321         .task_getscheduler =            selinux_task_getscheduler,
4322         .task_kill =                    selinux_task_kill,
4323         .task_wait =                    selinux_task_wait,
4324         .task_prctl =                   selinux_task_prctl,
4325         .task_reparent_to_init =        selinux_task_reparent_to_init,
4326         .task_to_inode =                selinux_task_to_inode,
4327
4328         .ipc_permission =               selinux_ipc_permission,
4329
4330         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4331         .msg_msg_free_security =        selinux_msg_msg_free_security,
4332
4333         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4334         .msg_queue_free_security =      selinux_msg_queue_free_security,
4335         .msg_queue_associate =          selinux_msg_queue_associate,
4336         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4337         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4338         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4339
4340         .shm_alloc_security =           selinux_shm_alloc_security,
4341         .shm_free_security =            selinux_shm_free_security,
4342         .shm_associate =                selinux_shm_associate,
4343         .shm_shmctl =                   selinux_shm_shmctl,
4344         .shm_shmat =                    selinux_shm_shmat,
4345
4346         .sem_alloc_security =           selinux_sem_alloc_security,
4347         .sem_free_security =            selinux_sem_free_security,
4348         .sem_associate =                selinux_sem_associate,
4349         .sem_semctl =                   selinux_sem_semctl,
4350         .sem_semop =                    selinux_sem_semop,
4351
4352         .register_security =            selinux_register_security,
4353         .unregister_security =          selinux_unregister_security,
4354
4355         .d_instantiate =                selinux_d_instantiate,
4356
4357         .getprocattr =                  selinux_getprocattr,
4358         .setprocattr =                  selinux_setprocattr,
4359
4360 #ifdef CONFIG_SECURITY_NETWORK
4361         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4362         .unix_may_send =                selinux_socket_unix_may_send,
4363
4364         .socket_create =                selinux_socket_create,
4365         .socket_post_create =           selinux_socket_post_create,
4366         .socket_bind =                  selinux_socket_bind,
4367         .socket_connect =               selinux_socket_connect,
4368         .socket_listen =                selinux_socket_listen,
4369         .socket_accept =                selinux_socket_accept,
4370         .socket_sendmsg =               selinux_socket_sendmsg,
4371         .socket_recvmsg =               selinux_socket_recvmsg,
4372         .socket_getsockname =           selinux_socket_getsockname,
4373         .socket_getpeername =           selinux_socket_getpeername,
4374         .socket_getsockopt =            selinux_socket_getsockopt,
4375         .socket_setsockopt =            selinux_socket_setsockopt,
4376         .socket_shutdown =              selinux_socket_shutdown,
4377         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4378         .socket_getpeersec =            selinux_socket_getpeersec,
4379         .sk_alloc_security =            selinux_sk_alloc_security,
4380         .sk_free_security =             selinux_sk_free_security,
4381 #endif
4382 };
4383
4384 static __init int selinux_init(void)
4385 {
4386         struct task_security_struct *tsec;
4387
4388         if (!selinux_enabled) {
4389                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4390                 return 0;
4391         }
4392
4393         printk(KERN_INFO "SELinux:  Initializing.\n");
4394
4395         /* Set the security state for the initial task. */
4396         if (task_alloc_security(current))
4397                 panic("SELinux:  Failed to initialize initial task.\n");
4398         tsec = current->security;
4399         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4400
4401         avc_init();
4402
4403         original_ops = secondary_ops = security_ops;
4404         if (!secondary_ops)
4405                 panic ("SELinux: No initial security operations\n");
4406         if (register_security (&selinux_ops))
4407                 panic("SELinux: Unable to register with kernel.\n");
4408
4409         if (selinux_enforcing) {
4410                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4411         } else {
4412                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4413         }
4414         return 0;
4415 }
4416
4417 void selinux_complete_init(void)
4418 {
4419         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4420
4421         /* Set up any superblocks initialized prior to the policy load. */
4422         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4423         spin_lock(&sb_security_lock);
4424 next_sb:
4425         if (!list_empty(&superblock_security_head)) {
4426                 struct superblock_security_struct *sbsec =
4427                                 list_entry(superblock_security_head.next,
4428                                            struct superblock_security_struct,
4429                                            list);
4430                 struct super_block *sb = sbsec->sb;
4431                 spin_lock(&sb_lock);
4432                 sb->s_count++;
4433                 spin_unlock(&sb_lock);
4434                 spin_unlock(&sb_security_lock);
4435                 down_read(&sb->s_umount);
4436                 if (sb->s_root)
4437                         superblock_doinit(sb, NULL);
4438                 drop_super(sb);
4439                 spin_lock(&sb_security_lock);
4440                 list_del_init(&sbsec->list);
4441                 goto next_sb;
4442         }
4443         spin_unlock(&sb_security_lock);
4444 }
4445
4446 /* SELinux requires early initialization in order to label
4447    all processes and objects when they are created. */
4448 security_initcall(selinux_init);
4449
4450 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4451
4452 static struct nf_hook_ops selinux_ipv4_op = {
4453         .hook =         selinux_ipv4_postroute_last,
4454         .owner =        THIS_MODULE,
4455         .pf =           PF_INET,
4456         .hooknum =      NF_IP_POST_ROUTING,
4457         .priority =     NF_IP_PRI_SELINUX_LAST,
4458 };
4459
4460 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4461
4462 static struct nf_hook_ops selinux_ipv6_op = {
4463         .hook =         selinux_ipv6_postroute_last,
4464         .owner =        THIS_MODULE,
4465         .pf =           PF_INET6,
4466         .hooknum =      NF_IP6_POST_ROUTING,
4467         .priority =     NF_IP6_PRI_SELINUX_LAST,
4468 };
4469
4470 #endif  /* IPV6 */
4471
4472 static int __init selinux_nf_ip_init(void)
4473 {
4474         int err = 0;
4475
4476         if (!selinux_enabled)
4477                 goto out;
4478                 
4479         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4480         
4481         err = nf_register_hook(&selinux_ipv4_op);
4482         if (err)
4483                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4484
4485 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4486
4487         err = nf_register_hook(&selinux_ipv6_op);
4488         if (err)
4489                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4490
4491 #endif  /* IPV6 */
4492 out:
4493         return err;
4494 }
4495
4496 __initcall(selinux_nf_ip_init);
4497
4498 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4499 static void selinux_nf_ip_exit(void)
4500 {
4501         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4502
4503         nf_unregister_hook(&selinux_ipv4_op);
4504 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4505         nf_unregister_hook(&selinux_ipv6_op);
4506 #endif  /* IPV6 */
4507 }
4508 #endif
4509
4510 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4511
4512 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4513 #define selinux_nf_ip_exit()
4514 #endif
4515
4516 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4517
4518 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4519 int selinux_disable(void)
4520 {
4521         extern void exit_sel_fs(void);
4522         static int selinux_disabled = 0;
4523
4524         if (ss_initialized) {
4525                 /* Not permitted after initial policy load. */
4526                 return -EINVAL;
4527         }
4528
4529         if (selinux_disabled) {
4530                 /* Only do this once. */
4531                 return -EINVAL;
4532         }
4533
4534         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4535
4536         selinux_disabled = 1;
4537
4538         /* Reset security_ops to the secondary module, dummy or capability. */
4539         security_ops = secondary_ops;
4540
4541         /* Unregister netfilter hooks. */
4542         selinux_nf_ip_exit();
4543
4544         /* Unregister selinuxfs. */
4545         exit_sel_fs();
4546
4547         return 0;
4548 }
4549 #endif
4550
4551