[INET]: local port range robustness
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16  *                     Paul Moore, <paul.moore@hp.com>
17  *
18  *      This program is free software; you can redistribute it and/or modify
19  *      it under the terms of the GNU General Public License version 2,
20  *      as published by the Free Software Foundation.
21  */
22
23 #include <linux/module.h>
24 #include <linux/init.h>
25 #include <linux/kernel.h>
26 #include <linux/ptrace.h>
27 #include <linux/errno.h>
28 #include <linux/sched.h>
29 #include <linux/security.h>
30 #include <linux/xattr.h>
31 #include <linux/capability.h>
32 #include <linux/unistd.h>
33 #include <linux/mm.h>
34 #include <linux/mman.h>
35 #include <linux/slab.h>
36 #include <linux/pagemap.h>
37 #include <linux/swap.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/ioctls.h>
54 #include <linux/bitops.h>
55 #include <linux/interrupt.h>
56 #include <linux/netdevice.h>    /* for network interface checks */
57 #include <linux/netlink.h>
58 #include <linux/tcp.h>
59 #include <linux/udp.h>
60 #include <linux/dccp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72 #include <linux/selinux.h>
73 #include <linux/mutex.h>
74
75 #include "avc.h"
76 #include "objsec.h"
77 #include "netif.h"
78 #include "xfrm.h"
79 #include "netlabel.h"
80
81 #define XATTR_SELINUX_SUFFIX "selinux"
82 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
83
84 extern unsigned int policydb_loaded_version;
85 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
86 extern int selinux_compat_net;
87
88 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
89 int selinux_enforcing = 0;
90
91 static int __init enforcing_setup(char *str)
92 {
93         selinux_enforcing = simple_strtol(str,NULL,0);
94         return 1;
95 }
96 __setup("enforcing=", enforcing_setup);
97 #endif
98
99 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
100 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
101
102 static int __init selinux_enabled_setup(char *str)
103 {
104         selinux_enabled = simple_strtol(str, NULL, 0);
105         return 1;
106 }
107 __setup("selinux=", selinux_enabled_setup);
108 #else
109 int selinux_enabled = 1;
110 #endif
111
112 /* Original (dummy) security module. */
113 static struct security_operations *original_ops = NULL;
114
115 /* Minimal support for a secondary security module,
116    just to allow the use of the dummy or capability modules.
117    The owlsm module can alternatively be used as a secondary
118    module as long as CONFIG_OWLSM_FD is not enabled. */
119 static struct security_operations *secondary_ops = NULL;
120
121 /* Lists of inode and superblock security structures initialized
122    before the policy was loaded. */
123 static LIST_HEAD(superblock_security_head);
124 static DEFINE_SPINLOCK(sb_security_lock);
125
126 static struct kmem_cache *sel_inode_cache;
127
128 /* Return security context for a given sid or just the context 
129    length if the buffer is null or length is 0 */
130 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
131 {
132         char *context;
133         unsigned len;
134         int rc;
135
136         rc = security_sid_to_context(sid, &context, &len);
137         if (rc)
138                 return rc;
139
140         if (!buffer || !size)
141                 goto getsecurity_exit;
142
143         if (size < len) {
144                 len = -ERANGE;
145                 goto getsecurity_exit;
146         }
147         memcpy(buffer, context, len);
148
149 getsecurity_exit:
150         kfree(context);
151         return len;
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158         struct task_security_struct *tsec;
159
160         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161         if (!tsec)
162                 return -ENOMEM;
163
164         tsec->task = task;
165         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166         task->security = tsec;
167
168         return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173         struct task_security_struct *tsec = task->security;
174         task->security = NULL;
175         kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180         struct task_security_struct *tsec = current->security;
181         struct inode_security_struct *isec;
182
183         isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
184         if (!isec)
185                 return -ENOMEM;
186
187         mutex_init(&isec->lock);
188         INIT_LIST_HEAD(&isec->list);
189         isec->inode = inode;
190         isec->sid = SECINITSID_UNLABELED;
191         isec->sclass = SECCLASS_FILE;
192         isec->task_sid = tsec->sid;
193         inode->i_security = isec;
194
195         return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec = inode->i_security;
201         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203         spin_lock(&sbsec->isec_lock);
204         if (!list_empty(&isec->list))
205                 list_del_init(&isec->list);
206         spin_unlock(&sbsec->isec_lock);
207
208         inode->i_security = NULL;
209         kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214         struct task_security_struct *tsec = current->security;
215         struct file_security_struct *fsec;
216
217         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218         if (!fsec)
219                 return -ENOMEM;
220
221         fsec->file = file;
222         fsec->sid = tsec->sid;
223         fsec->fown_sid = tsec->sid;
224         file->f_security = fsec;
225
226         return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231         struct file_security_struct *fsec = file->f_security;
232         file->f_security = NULL;
233         kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238         struct superblock_security_struct *sbsec;
239
240         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241         if (!sbsec)
242                 return -ENOMEM;
243
244         mutex_init(&sbsec->lock);
245         INIT_LIST_HEAD(&sbsec->list);
246         INIT_LIST_HEAD(&sbsec->isec_head);
247         spin_lock_init(&sbsec->isec_lock);
248         sbsec->sb = sb;
249         sbsec->sid = SECINITSID_UNLABELED;
250         sbsec->def_sid = SECINITSID_FILE;
251         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252         sb->s_security = sbsec;
253
254         return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec = sb->s_security;
260
261         spin_lock(&sb_security_lock);
262         if (!list_empty(&sbsec->list))
263                 list_del_init(&sbsec->list);
264         spin_unlock(&sb_security_lock);
265
266         sb->s_security = NULL;
267         kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272         struct sk_security_struct *ssec;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         ssec->sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         selinux_netlbl_sk_security_init(ssec, family);
284
285         return 0;
286 }
287
288 static void sk_free_security(struct sock *sk)
289 {
290         struct sk_security_struct *ssec = sk->sk_security;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_error = -1,
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 4,
323         Opt_rootcontext = 8,
324 };
325
326 static match_table_t tokens = {
327         {Opt_context, "context=%s"},
328         {Opt_fscontext, "fscontext=%s"},
329         {Opt_defcontext, "defcontext=%s"},
330         {Opt_rootcontext, "rootcontext=%s"},
331         {Opt_error, NULL},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337                         struct superblock_security_struct *sbsec,
338                         struct task_security_struct *tsec)
339 {
340         int rc;
341
342         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343                           FILESYSTEM__RELABELFROM, NULL);
344         if (rc)
345                 return rc;
346
347         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348                           FILESYSTEM__RELABELTO, NULL);
349         return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353                         struct superblock_security_struct *sbsec,
354                         struct task_security_struct *tsec)
355 {
356         int rc;
357         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358                           FILESYSTEM__RELABELFROM, NULL);
359         if (rc)
360                 return rc;
361
362         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363                           FILESYSTEM__ASSOCIATE, NULL);
364         return rc;
365 }
366
367 static int try_context_mount(struct super_block *sb, void *data)
368 {
369         char *context = NULL, *defcontext = NULL;
370         char *fscontext = NULL, *rootcontext = NULL;
371         const char *name;
372         u32 sid;
373         int alloc = 0, rc = 0, seen = 0;
374         struct task_security_struct *tsec = current->security;
375         struct superblock_security_struct *sbsec = sb->s_security;
376
377         if (!data)
378                 goto out;
379
380         name = sb->s_type->name;
381
382         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
383
384                 /* NFS we understand. */
385                 if (!strcmp(name, "nfs")) {
386                         struct nfs_mount_data *d = data;
387
388                         if (d->version <  NFS_MOUNT_VERSION)
389                                 goto out;
390
391                         if (d->context[0]) {
392                                 context = d->context;
393                                 seen |= Opt_context;
394                         }
395                 } else
396                         goto out;
397
398         } else {
399                 /* Standard string-based options. */
400                 char *p, *options = data;
401
402                 while ((p = strsep(&options, "|")) != NULL) {
403                         int token;
404                         substring_t args[MAX_OPT_ARGS];
405
406                         if (!*p)
407                                 continue;
408
409                         token = match_token(p, tokens, args);
410
411                         switch (token) {
412                         case Opt_context:
413                                 if (seen & (Opt_context|Opt_defcontext)) {
414                                         rc = -EINVAL;
415                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416                                         goto out_free;
417                                 }
418                                 context = match_strdup(&args[0]);
419                                 if (!context) {
420                                         rc = -ENOMEM;
421                                         goto out_free;
422                                 }
423                                 if (!alloc)
424                                         alloc = 1;
425                                 seen |= Opt_context;
426                                 break;
427
428                         case Opt_fscontext:
429                                 if (seen & Opt_fscontext) {
430                                         rc = -EINVAL;
431                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
432                                         goto out_free;
433                                 }
434                                 fscontext = match_strdup(&args[0]);
435                                 if (!fscontext) {
436                                         rc = -ENOMEM;
437                                         goto out_free;
438                                 }
439                                 if (!alloc)
440                                         alloc = 1;
441                                 seen |= Opt_fscontext;
442                                 break;
443
444                         case Opt_rootcontext:
445                                 if (seen & Opt_rootcontext) {
446                                         rc = -EINVAL;
447                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
448                                         goto out_free;
449                                 }
450                                 rootcontext = match_strdup(&args[0]);
451                                 if (!rootcontext) {
452                                         rc = -ENOMEM;
453                                         goto out_free;
454                                 }
455                                 if (!alloc)
456                                         alloc = 1;
457                                 seen |= Opt_rootcontext;
458                                 break;
459
460                         case Opt_defcontext:
461                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
462                                         rc = -EINVAL;
463                                         printk(KERN_WARNING "SELinux:  "
464                                                "defcontext option is invalid "
465                                                "for this filesystem type\n");
466                                         goto out_free;
467                                 }
468                                 if (seen & (Opt_context|Opt_defcontext)) {
469                                         rc = -EINVAL;
470                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
471                                         goto out_free;
472                                 }
473                                 defcontext = match_strdup(&args[0]);
474                                 if (!defcontext) {
475                                         rc = -ENOMEM;
476                                         goto out_free;
477                                 }
478                                 if (!alloc)
479                                         alloc = 1;
480                                 seen |= Opt_defcontext;
481                                 break;
482
483                         default:
484                                 rc = -EINVAL;
485                                 printk(KERN_WARNING "SELinux:  unknown mount "
486                                        "option\n");
487                                 goto out_free;
488
489                         }
490                 }
491         }
492
493         if (!seen)
494                 goto out;
495
496         /* sets the context of the superblock for the fs being mounted. */
497         if (fscontext) {
498                 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
499                 if (rc) {
500                         printk(KERN_WARNING "SELinux: security_context_to_sid"
501                                "(%s) failed for (dev %s, type %s) errno=%d\n",
502                                fscontext, sb->s_id, name, rc);
503                         goto out_free;
504                 }
505
506                 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
507                 if (rc)
508                         goto out_free;
509
510                 sbsec->sid = sid;
511         }
512
513         /*
514          * Switch to using mount point labeling behavior.
515          * sets the label used on all file below the mountpoint, and will set
516          * the superblock context if not already set.
517          */
518         if (context) {
519                 rc = security_context_to_sid(context, strlen(context), &sid);
520                 if (rc) {
521                         printk(KERN_WARNING "SELinux: security_context_to_sid"
522                                "(%s) failed for (dev %s, type %s) errno=%d\n",
523                                context, sb->s_id, name, rc);
524                         goto out_free;
525                 }
526
527                 if (!fscontext) {
528                         rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
529                         if (rc)
530                                 goto out_free;
531                         sbsec->sid = sid;
532                 } else {
533                         rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
534                         if (rc)
535                                 goto out_free;
536                 }
537                 sbsec->mntpoint_sid = sid;
538
539                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
540         }
541
542         if (rootcontext) {
543                 struct inode *inode = sb->s_root->d_inode;
544                 struct inode_security_struct *isec = inode->i_security;
545                 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
546                 if (rc) {
547                         printk(KERN_WARNING "SELinux: security_context_to_sid"
548                                "(%s) failed for (dev %s, type %s) errno=%d\n",
549                                rootcontext, sb->s_id, name, rc);
550                         goto out_free;
551                 }
552
553                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
554                 if (rc)
555                         goto out_free;
556
557                 isec->sid = sid;
558                 isec->initialized = 1;
559         }
560
561         if (defcontext) {
562                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
563                 if (rc) {
564                         printk(KERN_WARNING "SELinux: security_context_to_sid"
565                                "(%s) failed for (dev %s, type %s) errno=%d\n",
566                                defcontext, sb->s_id, name, rc);
567                         goto out_free;
568                 }
569
570                 if (sid == sbsec->def_sid)
571                         goto out_free;
572
573                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
574                 if (rc)
575                         goto out_free;
576
577                 sbsec->def_sid = sid;
578         }
579
580 out_free:
581         if (alloc) {
582                 kfree(context);
583                 kfree(defcontext);
584                 kfree(fscontext);
585                 kfree(rootcontext);
586         }
587 out:
588         return rc;
589 }
590
591 static int superblock_doinit(struct super_block *sb, void *data)
592 {
593         struct superblock_security_struct *sbsec = sb->s_security;
594         struct dentry *root = sb->s_root;
595         struct inode *inode = root->d_inode;
596         int rc = 0;
597
598         mutex_lock(&sbsec->lock);
599         if (sbsec->initialized)
600                 goto out;
601
602         if (!ss_initialized) {
603                 /* Defer initialization until selinux_complete_init,
604                    after the initial policy is loaded and the security
605                    server is ready to handle calls. */
606                 spin_lock(&sb_security_lock);
607                 if (list_empty(&sbsec->list))
608                         list_add(&sbsec->list, &superblock_security_head);
609                 spin_unlock(&sb_security_lock);
610                 goto out;
611         }
612
613         /* Determine the labeling behavior to use for this filesystem type. */
614         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
615         if (rc) {
616                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
617                        __FUNCTION__, sb->s_type->name, rc);
618                 goto out;
619         }
620
621         rc = try_context_mount(sb, data);
622         if (rc)
623                 goto out;
624
625         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
626                 /* Make sure that the xattr handler exists and that no
627                    error other than -ENODATA is returned by getxattr on
628                    the root directory.  -ENODATA is ok, as this may be
629                    the first boot of the SELinux kernel before we have
630                    assigned xattr values to the filesystem. */
631                 if (!inode->i_op->getxattr) {
632                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
633                                "xattr support\n", sb->s_id, sb->s_type->name);
634                         rc = -EOPNOTSUPP;
635                         goto out;
636                 }
637                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
638                 if (rc < 0 && rc != -ENODATA) {
639                         if (rc == -EOPNOTSUPP)
640                                 printk(KERN_WARNING "SELinux: (dev %s, type "
641                                        "%s) has no security xattr handler\n",
642                                        sb->s_id, sb->s_type->name);
643                         else
644                                 printk(KERN_WARNING "SELinux: (dev %s, type "
645                                        "%s) getxattr errno %d\n", sb->s_id,
646                                        sb->s_type->name, -rc);
647                         goto out;
648                 }
649         }
650
651         if (strcmp(sb->s_type->name, "proc") == 0)
652                 sbsec->proc = 1;
653
654         sbsec->initialized = 1;
655
656         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
657                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
658                        sb->s_id, sb->s_type->name);
659         }
660         else {
661                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
662                        sb->s_id, sb->s_type->name,
663                        labeling_behaviors[sbsec->behavior-1]);
664         }
665
666         /* Initialize the root inode. */
667         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
668
669         /* Initialize any other inodes associated with the superblock, e.g.
670            inodes created prior to initial policy load or inodes created
671            during get_sb by a pseudo filesystem that directly
672            populates itself. */
673         spin_lock(&sbsec->isec_lock);
674 next_inode:
675         if (!list_empty(&sbsec->isec_head)) {
676                 struct inode_security_struct *isec =
677                                 list_entry(sbsec->isec_head.next,
678                                            struct inode_security_struct, list);
679                 struct inode *inode = isec->inode;
680                 spin_unlock(&sbsec->isec_lock);
681                 inode = igrab(inode);
682                 if (inode) {
683                         if (!IS_PRIVATE (inode))
684                                 inode_doinit(inode);
685                         iput(inode);
686                 }
687                 spin_lock(&sbsec->isec_lock);
688                 list_del_init(&isec->list);
689                 goto next_inode;
690         }
691         spin_unlock(&sbsec->isec_lock);
692 out:
693         mutex_unlock(&sbsec->lock);
694         return rc;
695 }
696
697 static inline u16 inode_mode_to_security_class(umode_t mode)
698 {
699         switch (mode & S_IFMT) {
700         case S_IFSOCK:
701                 return SECCLASS_SOCK_FILE;
702         case S_IFLNK:
703                 return SECCLASS_LNK_FILE;
704         case S_IFREG:
705                 return SECCLASS_FILE;
706         case S_IFBLK:
707                 return SECCLASS_BLK_FILE;
708         case S_IFDIR:
709                 return SECCLASS_DIR;
710         case S_IFCHR:
711                 return SECCLASS_CHR_FILE;
712         case S_IFIFO:
713                 return SECCLASS_FIFO_FILE;
714
715         }
716
717         return SECCLASS_FILE;
718 }
719
720 static inline int default_protocol_stream(int protocol)
721 {
722         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
723 }
724
725 static inline int default_protocol_dgram(int protocol)
726 {
727         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
728 }
729
730 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
731 {
732         switch (family) {
733         case PF_UNIX:
734                 switch (type) {
735                 case SOCK_STREAM:
736                 case SOCK_SEQPACKET:
737                         return SECCLASS_UNIX_STREAM_SOCKET;
738                 case SOCK_DGRAM:
739                         return SECCLASS_UNIX_DGRAM_SOCKET;
740                 }
741                 break;
742         case PF_INET:
743         case PF_INET6:
744                 switch (type) {
745                 case SOCK_STREAM:
746                         if (default_protocol_stream(protocol))
747                                 return SECCLASS_TCP_SOCKET;
748                         else
749                                 return SECCLASS_RAWIP_SOCKET;
750                 case SOCK_DGRAM:
751                         if (default_protocol_dgram(protocol))
752                                 return SECCLASS_UDP_SOCKET;
753                         else
754                                 return SECCLASS_RAWIP_SOCKET;
755                 case SOCK_DCCP:
756                         return SECCLASS_DCCP_SOCKET;
757                 default:
758                         return SECCLASS_RAWIP_SOCKET;
759                 }
760                 break;
761         case PF_NETLINK:
762                 switch (protocol) {
763                 case NETLINK_ROUTE:
764                         return SECCLASS_NETLINK_ROUTE_SOCKET;
765                 case NETLINK_FIREWALL:
766                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
767                 case NETLINK_INET_DIAG:
768                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
769                 case NETLINK_NFLOG:
770                         return SECCLASS_NETLINK_NFLOG_SOCKET;
771                 case NETLINK_XFRM:
772                         return SECCLASS_NETLINK_XFRM_SOCKET;
773                 case NETLINK_SELINUX:
774                         return SECCLASS_NETLINK_SELINUX_SOCKET;
775                 case NETLINK_AUDIT:
776                         return SECCLASS_NETLINK_AUDIT_SOCKET;
777                 case NETLINK_IP6_FW:
778                         return SECCLASS_NETLINK_IP6FW_SOCKET;
779                 case NETLINK_DNRTMSG:
780                         return SECCLASS_NETLINK_DNRT_SOCKET;
781                 case NETLINK_KOBJECT_UEVENT:
782                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
783                 default:
784                         return SECCLASS_NETLINK_SOCKET;
785                 }
786         case PF_PACKET:
787                 return SECCLASS_PACKET_SOCKET;
788         case PF_KEY:
789                 return SECCLASS_KEY_SOCKET;
790         case PF_APPLETALK:
791                 return SECCLASS_APPLETALK_SOCKET;
792         }
793
794         return SECCLASS_SOCKET;
795 }
796
797 #ifdef CONFIG_PROC_FS
798 static int selinux_proc_get_sid(struct proc_dir_entry *de,
799                                 u16 tclass,
800                                 u32 *sid)
801 {
802         int buflen, rc;
803         char *buffer, *path, *end;
804
805         buffer = (char*)__get_free_page(GFP_KERNEL);
806         if (!buffer)
807                 return -ENOMEM;
808
809         buflen = PAGE_SIZE;
810         end = buffer+buflen;
811         *--end = '\0';
812         buflen--;
813         path = end-1;
814         *path = '/';
815         while (de && de != de->parent) {
816                 buflen -= de->namelen + 1;
817                 if (buflen < 0)
818                         break;
819                 end -= de->namelen;
820                 memcpy(end, de->name, de->namelen);
821                 *--end = '/';
822                 path = end;
823                 de = de->parent;
824         }
825         rc = security_genfs_sid("proc", path, tclass, sid);
826         free_page((unsigned long)buffer);
827         return rc;
828 }
829 #else
830 static int selinux_proc_get_sid(struct proc_dir_entry *de,
831                                 u16 tclass,
832                                 u32 *sid)
833 {
834         return -EINVAL;
835 }
836 #endif
837
838 /* The inode's security attributes must be initialized before first use. */
839 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
840 {
841         struct superblock_security_struct *sbsec = NULL;
842         struct inode_security_struct *isec = inode->i_security;
843         u32 sid;
844         struct dentry *dentry;
845 #define INITCONTEXTLEN 255
846         char *context = NULL;
847         unsigned len = 0;
848         int rc = 0;
849
850         if (isec->initialized)
851                 goto out;
852
853         mutex_lock(&isec->lock);
854         if (isec->initialized)
855                 goto out_unlock;
856
857         sbsec = inode->i_sb->s_security;
858         if (!sbsec->initialized) {
859                 /* Defer initialization until selinux_complete_init,
860                    after the initial policy is loaded and the security
861                    server is ready to handle calls. */
862                 spin_lock(&sbsec->isec_lock);
863                 if (list_empty(&isec->list))
864                         list_add(&isec->list, &sbsec->isec_head);
865                 spin_unlock(&sbsec->isec_lock);
866                 goto out_unlock;
867         }
868
869         switch (sbsec->behavior) {
870         case SECURITY_FS_USE_XATTR:
871                 if (!inode->i_op->getxattr) {
872                         isec->sid = sbsec->def_sid;
873                         break;
874                 }
875
876                 /* Need a dentry, since the xattr API requires one.
877                    Life would be simpler if we could just pass the inode. */
878                 if (opt_dentry) {
879                         /* Called from d_instantiate or d_splice_alias. */
880                         dentry = dget(opt_dentry);
881                 } else {
882                         /* Called from selinux_complete_init, try to find a dentry. */
883                         dentry = d_find_alias(inode);
884                 }
885                 if (!dentry) {
886                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
887                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
888                                inode->i_ino);
889                         goto out_unlock;
890                 }
891
892                 len = INITCONTEXTLEN;
893                 context = kmalloc(len, GFP_KERNEL);
894                 if (!context) {
895                         rc = -ENOMEM;
896                         dput(dentry);
897                         goto out_unlock;
898                 }
899                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
900                                            context, len);
901                 if (rc == -ERANGE) {
902                         /* Need a larger buffer.  Query for the right size. */
903                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
904                                                    NULL, 0);
905                         if (rc < 0) {
906                                 dput(dentry);
907                                 goto out_unlock;
908                         }
909                         kfree(context);
910                         len = rc;
911                         context = kmalloc(len, GFP_KERNEL);
912                         if (!context) {
913                                 rc = -ENOMEM;
914                                 dput(dentry);
915                                 goto out_unlock;
916                         }
917                         rc = inode->i_op->getxattr(dentry,
918                                                    XATTR_NAME_SELINUX,
919                                                    context, len);
920                 }
921                 dput(dentry);
922                 if (rc < 0) {
923                         if (rc != -ENODATA) {
924                                 printk(KERN_WARNING "%s:  getxattr returned "
925                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
926                                        -rc, inode->i_sb->s_id, inode->i_ino);
927                                 kfree(context);
928                                 goto out_unlock;
929                         }
930                         /* Map ENODATA to the default file SID */
931                         sid = sbsec->def_sid;
932                         rc = 0;
933                 } else {
934                         rc = security_context_to_sid_default(context, rc, &sid,
935                                                              sbsec->def_sid);
936                         if (rc) {
937                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
938                                        "returned %d for dev=%s ino=%ld\n",
939                                        __FUNCTION__, context, -rc,
940                                        inode->i_sb->s_id, inode->i_ino);
941                                 kfree(context);
942                                 /* Leave with the unlabeled SID */
943                                 rc = 0;
944                                 break;
945                         }
946                 }
947                 kfree(context);
948                 isec->sid = sid;
949                 break;
950         case SECURITY_FS_USE_TASK:
951                 isec->sid = isec->task_sid;
952                 break;
953         case SECURITY_FS_USE_TRANS:
954                 /* Default to the fs SID. */
955                 isec->sid = sbsec->sid;
956
957                 /* Try to obtain a transition SID. */
958                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
959                 rc = security_transition_sid(isec->task_sid,
960                                              sbsec->sid,
961                                              isec->sclass,
962                                              &sid);
963                 if (rc)
964                         goto out_unlock;
965                 isec->sid = sid;
966                 break;
967         case SECURITY_FS_USE_MNTPOINT:
968                 isec->sid = sbsec->mntpoint_sid;
969                 break;
970         default:
971                 /* Default to the fs superblock SID. */
972                 isec->sid = sbsec->sid;
973
974                 if (sbsec->proc) {
975                         struct proc_inode *proci = PROC_I(inode);
976                         if (proci->pde) {
977                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
978                                 rc = selinux_proc_get_sid(proci->pde,
979                                                           isec->sclass,
980                                                           &sid);
981                                 if (rc)
982                                         goto out_unlock;
983                                 isec->sid = sid;
984                         }
985                 }
986                 break;
987         }
988
989         isec->initialized = 1;
990
991 out_unlock:
992         mutex_unlock(&isec->lock);
993 out:
994         if (isec->sclass == SECCLASS_FILE)
995                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
996         return rc;
997 }
998
999 /* Convert a Linux signal to an access vector. */
1000 static inline u32 signal_to_av(int sig)
1001 {
1002         u32 perm = 0;
1003
1004         switch (sig) {
1005         case SIGCHLD:
1006                 /* Commonly granted from child to parent. */
1007                 perm = PROCESS__SIGCHLD;
1008                 break;
1009         case SIGKILL:
1010                 /* Cannot be caught or ignored */
1011                 perm = PROCESS__SIGKILL;
1012                 break;
1013         case SIGSTOP:
1014                 /* Cannot be caught or ignored */
1015                 perm = PROCESS__SIGSTOP;
1016                 break;
1017         default:
1018                 /* All other signals. */
1019                 perm = PROCESS__SIGNAL;
1020                 break;
1021         }
1022
1023         return perm;
1024 }
1025
1026 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1027    fork check, ptrace check, etc. */
1028 static int task_has_perm(struct task_struct *tsk1,
1029                          struct task_struct *tsk2,
1030                          u32 perms)
1031 {
1032         struct task_security_struct *tsec1, *tsec2;
1033
1034         tsec1 = tsk1->security;
1035         tsec2 = tsk2->security;
1036         return avc_has_perm(tsec1->sid, tsec2->sid,
1037                             SECCLASS_PROCESS, perms, NULL);
1038 }
1039
1040 /* Check whether a task is allowed to use a capability. */
1041 static int task_has_capability(struct task_struct *tsk,
1042                                int cap)
1043 {
1044         struct task_security_struct *tsec;
1045         struct avc_audit_data ad;
1046
1047         tsec = tsk->security;
1048
1049         AVC_AUDIT_DATA_INIT(&ad,CAP);
1050         ad.tsk = tsk;
1051         ad.u.cap = cap;
1052
1053         return avc_has_perm(tsec->sid, tsec->sid,
1054                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1055 }
1056
1057 /* Check whether a task is allowed to use a system operation. */
1058 static int task_has_system(struct task_struct *tsk,
1059                            u32 perms)
1060 {
1061         struct task_security_struct *tsec;
1062
1063         tsec = tsk->security;
1064
1065         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1066                             SECCLASS_SYSTEM, perms, NULL);
1067 }
1068
1069 /* Check whether a task has a particular permission to an inode.
1070    The 'adp' parameter is optional and allows other audit
1071    data to be passed (e.g. the dentry). */
1072 static int inode_has_perm(struct task_struct *tsk,
1073                           struct inode *inode,
1074                           u32 perms,
1075                           struct avc_audit_data *adp)
1076 {
1077         struct task_security_struct *tsec;
1078         struct inode_security_struct *isec;
1079         struct avc_audit_data ad;
1080
1081         if (unlikely (IS_PRIVATE (inode)))
1082                 return 0;
1083
1084         tsec = tsk->security;
1085         isec = inode->i_security;
1086
1087         if (!adp) {
1088                 adp = &ad;
1089                 AVC_AUDIT_DATA_INIT(&ad, FS);
1090                 ad.u.fs.inode = inode;
1091         }
1092
1093         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1094 }
1095
1096 /* Same as inode_has_perm, but pass explicit audit data containing
1097    the dentry to help the auditing code to more easily generate the
1098    pathname if needed. */
1099 static inline int dentry_has_perm(struct task_struct *tsk,
1100                                   struct vfsmount *mnt,
1101                                   struct dentry *dentry,
1102                                   u32 av)
1103 {
1104         struct inode *inode = dentry->d_inode;
1105         struct avc_audit_data ad;
1106         AVC_AUDIT_DATA_INIT(&ad,FS);
1107         ad.u.fs.mnt = mnt;
1108         ad.u.fs.dentry = dentry;
1109         return inode_has_perm(tsk, inode, av, &ad);
1110 }
1111
1112 /* Check whether a task can use an open file descriptor to
1113    access an inode in a given way.  Check access to the
1114    descriptor itself, and then use dentry_has_perm to
1115    check a particular permission to the file.
1116    Access to the descriptor is implicitly granted if it
1117    has the same SID as the process.  If av is zero, then
1118    access to the file is not checked, e.g. for cases
1119    where only the descriptor is affected like seek. */
1120 static int file_has_perm(struct task_struct *tsk,
1121                                 struct file *file,
1122                                 u32 av)
1123 {
1124         struct task_security_struct *tsec = tsk->security;
1125         struct file_security_struct *fsec = file->f_security;
1126         struct vfsmount *mnt = file->f_path.mnt;
1127         struct dentry *dentry = file->f_path.dentry;
1128         struct inode *inode = dentry->d_inode;
1129         struct avc_audit_data ad;
1130         int rc;
1131
1132         AVC_AUDIT_DATA_INIT(&ad, FS);
1133         ad.u.fs.mnt = mnt;
1134         ad.u.fs.dentry = dentry;
1135
1136         if (tsec->sid != fsec->sid) {
1137                 rc = avc_has_perm(tsec->sid, fsec->sid,
1138                                   SECCLASS_FD,
1139                                   FD__USE,
1140                                   &ad);
1141                 if (rc)
1142                         return rc;
1143         }
1144
1145         /* av is zero if only checking access to the descriptor. */
1146         if (av)
1147                 return inode_has_perm(tsk, inode, av, &ad);
1148
1149         return 0;
1150 }
1151
1152 /* Check whether a task can create a file. */
1153 static int may_create(struct inode *dir,
1154                       struct dentry *dentry,
1155                       u16 tclass)
1156 {
1157         struct task_security_struct *tsec;
1158         struct inode_security_struct *dsec;
1159         struct superblock_security_struct *sbsec;
1160         u32 newsid;
1161         struct avc_audit_data ad;
1162         int rc;
1163
1164         tsec = current->security;
1165         dsec = dir->i_security;
1166         sbsec = dir->i_sb->s_security;
1167
1168         AVC_AUDIT_DATA_INIT(&ad, FS);
1169         ad.u.fs.dentry = dentry;
1170
1171         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1172                           DIR__ADD_NAME | DIR__SEARCH,
1173                           &ad);
1174         if (rc)
1175                 return rc;
1176
1177         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1178                 newsid = tsec->create_sid;
1179         } else {
1180                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1181                                              &newsid);
1182                 if (rc)
1183                         return rc;
1184         }
1185
1186         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1187         if (rc)
1188                 return rc;
1189
1190         return avc_has_perm(newsid, sbsec->sid,
1191                             SECCLASS_FILESYSTEM,
1192                             FILESYSTEM__ASSOCIATE, &ad);
1193 }
1194
1195 /* Check whether a task can create a key. */
1196 static int may_create_key(u32 ksid,
1197                           struct task_struct *ctx)
1198 {
1199         struct task_security_struct *tsec;
1200
1201         tsec = ctx->security;
1202
1203         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1204 }
1205
1206 #define MAY_LINK   0
1207 #define MAY_UNLINK 1
1208 #define MAY_RMDIR  2
1209
1210 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1211 static int may_link(struct inode *dir,
1212                     struct dentry *dentry,
1213                     int kind)
1214
1215 {
1216         struct task_security_struct *tsec;
1217         struct inode_security_struct *dsec, *isec;
1218         struct avc_audit_data ad;
1219         u32 av;
1220         int rc;
1221
1222         tsec = current->security;
1223         dsec = dir->i_security;
1224         isec = dentry->d_inode->i_security;
1225
1226         AVC_AUDIT_DATA_INIT(&ad, FS);
1227         ad.u.fs.dentry = dentry;
1228
1229         av = DIR__SEARCH;
1230         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1231         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1232         if (rc)
1233                 return rc;
1234
1235         switch (kind) {
1236         case MAY_LINK:
1237                 av = FILE__LINK;
1238                 break;
1239         case MAY_UNLINK:
1240                 av = FILE__UNLINK;
1241                 break;
1242         case MAY_RMDIR:
1243                 av = DIR__RMDIR;
1244                 break;
1245         default:
1246                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1247                 return 0;
1248         }
1249
1250         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1251         return rc;
1252 }
1253
1254 static inline int may_rename(struct inode *old_dir,
1255                              struct dentry *old_dentry,
1256                              struct inode *new_dir,
1257                              struct dentry *new_dentry)
1258 {
1259         struct task_security_struct *tsec;
1260         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1261         struct avc_audit_data ad;
1262         u32 av;
1263         int old_is_dir, new_is_dir;
1264         int rc;
1265
1266         tsec = current->security;
1267         old_dsec = old_dir->i_security;
1268         old_isec = old_dentry->d_inode->i_security;
1269         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1270         new_dsec = new_dir->i_security;
1271
1272         AVC_AUDIT_DATA_INIT(&ad, FS);
1273
1274         ad.u.fs.dentry = old_dentry;
1275         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1276                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1277         if (rc)
1278                 return rc;
1279         rc = avc_has_perm(tsec->sid, old_isec->sid,
1280                           old_isec->sclass, FILE__RENAME, &ad);
1281         if (rc)
1282                 return rc;
1283         if (old_is_dir && new_dir != old_dir) {
1284                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1285                                   old_isec->sclass, DIR__REPARENT, &ad);
1286                 if (rc)
1287                         return rc;
1288         }
1289
1290         ad.u.fs.dentry = new_dentry;
1291         av = DIR__ADD_NAME | DIR__SEARCH;
1292         if (new_dentry->d_inode)
1293                 av |= DIR__REMOVE_NAME;
1294         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1295         if (rc)
1296                 return rc;
1297         if (new_dentry->d_inode) {
1298                 new_isec = new_dentry->d_inode->i_security;
1299                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1300                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1301                                   new_isec->sclass,
1302                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1303                 if (rc)
1304                         return rc;
1305         }
1306
1307         return 0;
1308 }
1309
1310 /* Check whether a task can perform a filesystem operation. */
1311 static int superblock_has_perm(struct task_struct *tsk,
1312                                struct super_block *sb,
1313                                u32 perms,
1314                                struct avc_audit_data *ad)
1315 {
1316         struct task_security_struct *tsec;
1317         struct superblock_security_struct *sbsec;
1318
1319         tsec = tsk->security;
1320         sbsec = sb->s_security;
1321         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1322                             perms, ad);
1323 }
1324
1325 /* Convert a Linux mode and permission mask to an access vector. */
1326 static inline u32 file_mask_to_av(int mode, int mask)
1327 {
1328         u32 av = 0;
1329
1330         if ((mode & S_IFMT) != S_IFDIR) {
1331                 if (mask & MAY_EXEC)
1332                         av |= FILE__EXECUTE;
1333                 if (mask & MAY_READ)
1334                         av |= FILE__READ;
1335
1336                 if (mask & MAY_APPEND)
1337                         av |= FILE__APPEND;
1338                 else if (mask & MAY_WRITE)
1339                         av |= FILE__WRITE;
1340
1341         } else {
1342                 if (mask & MAY_EXEC)
1343                         av |= DIR__SEARCH;
1344                 if (mask & MAY_WRITE)
1345                         av |= DIR__WRITE;
1346                 if (mask & MAY_READ)
1347                         av |= DIR__READ;
1348         }
1349
1350         return av;
1351 }
1352
1353 /* Convert a Linux file to an access vector. */
1354 static inline u32 file_to_av(struct file *file)
1355 {
1356         u32 av = 0;
1357
1358         if (file->f_mode & FMODE_READ)
1359                 av |= FILE__READ;
1360         if (file->f_mode & FMODE_WRITE) {
1361                 if (file->f_flags & O_APPEND)
1362                         av |= FILE__APPEND;
1363                 else
1364                         av |= FILE__WRITE;
1365         }
1366
1367         return av;
1368 }
1369
1370 /* Hook functions begin here. */
1371
1372 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1373 {
1374         struct task_security_struct *psec = parent->security;
1375         struct task_security_struct *csec = child->security;
1376         int rc;
1377
1378         rc = secondary_ops->ptrace(parent,child);
1379         if (rc)
1380                 return rc;
1381
1382         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1383         /* Save the SID of the tracing process for later use in apply_creds. */
1384         if (!(child->ptrace & PT_PTRACED) && !rc)
1385                 csec->ptrace_sid = psec->sid;
1386         return rc;
1387 }
1388
1389 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1390                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1391 {
1392         int error;
1393
1394         error = task_has_perm(current, target, PROCESS__GETCAP);
1395         if (error)
1396                 return error;
1397
1398         return secondary_ops->capget(target, effective, inheritable, permitted);
1399 }
1400
1401 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1402                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1403 {
1404         int error;
1405
1406         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1407         if (error)
1408                 return error;
1409
1410         return task_has_perm(current, target, PROCESS__SETCAP);
1411 }
1412
1413 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1414                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1415 {
1416         secondary_ops->capset_set(target, effective, inheritable, permitted);
1417 }
1418
1419 static int selinux_capable(struct task_struct *tsk, int cap)
1420 {
1421         int rc;
1422
1423         rc = secondary_ops->capable(tsk, cap);
1424         if (rc)
1425                 return rc;
1426
1427         return task_has_capability(tsk,cap);
1428 }
1429
1430 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1431 {
1432         int buflen, rc;
1433         char *buffer, *path, *end;
1434
1435         rc = -ENOMEM;
1436         buffer = (char*)__get_free_page(GFP_KERNEL);
1437         if (!buffer)
1438                 goto out;
1439
1440         buflen = PAGE_SIZE;
1441         end = buffer+buflen;
1442         *--end = '\0';
1443         buflen--;
1444         path = end-1;
1445         *path = '/';
1446         while (table) {
1447                 const char *name = table->procname;
1448                 size_t namelen = strlen(name);
1449                 buflen -= namelen + 1;
1450                 if (buflen < 0)
1451                         goto out_free;
1452                 end -= namelen;
1453                 memcpy(end, name, namelen);
1454                 *--end = '/';
1455                 path = end;
1456                 table = table->parent;
1457         }
1458         buflen -= 4;
1459         if (buflen < 0)
1460                 goto out_free;
1461         end -= 4;
1462         memcpy(end, "/sys", 4);
1463         path = end;
1464         rc = security_genfs_sid("proc", path, tclass, sid);
1465 out_free:
1466         free_page((unsigned long)buffer);
1467 out:
1468         return rc;
1469 }
1470
1471 static int selinux_sysctl(ctl_table *table, int op)
1472 {
1473         int error = 0;
1474         u32 av;
1475         struct task_security_struct *tsec;
1476         u32 tsid;
1477         int rc;
1478
1479         rc = secondary_ops->sysctl(table, op);
1480         if (rc)
1481                 return rc;
1482
1483         tsec = current->security;
1484
1485         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1486                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1487         if (rc) {
1488                 /* Default to the well-defined sysctl SID. */
1489                 tsid = SECINITSID_SYSCTL;
1490         }
1491
1492         /* The op values are "defined" in sysctl.c, thereby creating
1493          * a bad coupling between this module and sysctl.c */
1494         if(op == 001) {
1495                 error = avc_has_perm(tsec->sid, tsid,
1496                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1497         } else {
1498                 av = 0;
1499                 if (op & 004)
1500                         av |= FILE__READ;
1501                 if (op & 002)
1502                         av |= FILE__WRITE;
1503                 if (av)
1504                         error = avc_has_perm(tsec->sid, tsid,
1505                                              SECCLASS_FILE, av, NULL);
1506         }
1507
1508         return error;
1509 }
1510
1511 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1512 {
1513         int rc = 0;
1514
1515         if (!sb)
1516                 return 0;
1517
1518         switch (cmds) {
1519                 case Q_SYNC:
1520                 case Q_QUOTAON:
1521                 case Q_QUOTAOFF:
1522                 case Q_SETINFO:
1523                 case Q_SETQUOTA:
1524                         rc = superblock_has_perm(current,
1525                                                  sb,
1526                                                  FILESYSTEM__QUOTAMOD, NULL);
1527                         break;
1528                 case Q_GETFMT:
1529                 case Q_GETINFO:
1530                 case Q_GETQUOTA:
1531                         rc = superblock_has_perm(current,
1532                                                  sb,
1533                                                  FILESYSTEM__QUOTAGET, NULL);
1534                         break;
1535                 default:
1536                         rc = 0;  /* let the kernel handle invalid cmds */
1537                         break;
1538         }
1539         return rc;
1540 }
1541
1542 static int selinux_quota_on(struct dentry *dentry)
1543 {
1544         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1545 }
1546
1547 static int selinux_syslog(int type)
1548 {
1549         int rc;
1550
1551         rc = secondary_ops->syslog(type);
1552         if (rc)
1553                 return rc;
1554
1555         switch (type) {
1556                 case 3:         /* Read last kernel messages */
1557                 case 10:        /* Return size of the log buffer */
1558                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1559                         break;
1560                 case 6:         /* Disable logging to console */
1561                 case 7:         /* Enable logging to console */
1562                 case 8:         /* Set level of messages printed to console */
1563                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1564                         break;
1565                 case 0:         /* Close log */
1566                 case 1:         /* Open log */
1567                 case 2:         /* Read from log */
1568                 case 4:         /* Read/clear last kernel messages */
1569                 case 5:         /* Clear ring buffer */
1570                 default:
1571                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1572                         break;
1573         }
1574         return rc;
1575 }
1576
1577 /*
1578  * Check that a process has enough memory to allocate a new virtual
1579  * mapping. 0 means there is enough memory for the allocation to
1580  * succeed and -ENOMEM implies there is not.
1581  *
1582  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1583  * if the capability is granted, but __vm_enough_memory requires 1 if
1584  * the capability is granted.
1585  *
1586  * Do not audit the selinux permission check, as this is applied to all
1587  * processes that allocate mappings.
1588  */
1589 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1590 {
1591         int rc, cap_sys_admin = 0;
1592         struct task_security_struct *tsec = current->security;
1593
1594         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1595         if (rc == 0)
1596                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1597                                           SECCLASS_CAPABILITY,
1598                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1599                                           0,
1600                                           NULL);
1601
1602         if (rc == 0)
1603                 cap_sys_admin = 1;
1604
1605         return __vm_enough_memory(mm, pages, cap_sys_admin);
1606 }
1607
1608 /* binprm security operations */
1609
1610 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1611 {
1612         struct bprm_security_struct *bsec;
1613
1614         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1615         if (!bsec)
1616                 return -ENOMEM;
1617
1618         bsec->bprm = bprm;
1619         bsec->sid = SECINITSID_UNLABELED;
1620         bsec->set = 0;
1621
1622         bprm->security = bsec;
1623         return 0;
1624 }
1625
1626 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1627 {
1628         struct task_security_struct *tsec;
1629         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1630         struct inode_security_struct *isec;
1631         struct bprm_security_struct *bsec;
1632         u32 newsid;
1633         struct avc_audit_data ad;
1634         int rc;
1635
1636         rc = secondary_ops->bprm_set_security(bprm);
1637         if (rc)
1638                 return rc;
1639
1640         bsec = bprm->security;
1641
1642         if (bsec->set)
1643                 return 0;
1644
1645         tsec = current->security;
1646         isec = inode->i_security;
1647
1648         /* Default to the current task SID. */
1649         bsec->sid = tsec->sid;
1650
1651         /* Reset fs, key, and sock SIDs on execve. */
1652         tsec->create_sid = 0;
1653         tsec->keycreate_sid = 0;
1654         tsec->sockcreate_sid = 0;
1655
1656         if (tsec->exec_sid) {
1657                 newsid = tsec->exec_sid;
1658                 /* Reset exec SID on execve. */
1659                 tsec->exec_sid = 0;
1660         } else {
1661                 /* Check for a default transition on this program. */
1662                 rc = security_transition_sid(tsec->sid, isec->sid,
1663                                              SECCLASS_PROCESS, &newsid);
1664                 if (rc)
1665                         return rc;
1666         }
1667
1668         AVC_AUDIT_DATA_INIT(&ad, FS);
1669         ad.u.fs.mnt = bprm->file->f_path.mnt;
1670         ad.u.fs.dentry = bprm->file->f_path.dentry;
1671
1672         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1673                 newsid = tsec->sid;
1674
1675         if (tsec->sid == newsid) {
1676                 rc = avc_has_perm(tsec->sid, isec->sid,
1677                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1678                 if (rc)
1679                         return rc;
1680         } else {
1681                 /* Check permissions for the transition. */
1682                 rc = avc_has_perm(tsec->sid, newsid,
1683                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1684                 if (rc)
1685                         return rc;
1686
1687                 rc = avc_has_perm(newsid, isec->sid,
1688                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1689                 if (rc)
1690                         return rc;
1691
1692                 /* Clear any possibly unsafe personality bits on exec: */
1693                 current->personality &= ~PER_CLEAR_ON_SETID;
1694
1695                 /* Set the security field to the new SID. */
1696                 bsec->sid = newsid;
1697         }
1698
1699         bsec->set = 1;
1700         return 0;
1701 }
1702
1703 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1704 {
1705         return secondary_ops->bprm_check_security(bprm);
1706 }
1707
1708
1709 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1710 {
1711         struct task_security_struct *tsec = current->security;
1712         int atsecure = 0;
1713
1714         if (tsec->osid != tsec->sid) {
1715                 /* Enable secure mode for SIDs transitions unless
1716                    the noatsecure permission is granted between
1717                    the two SIDs, i.e. ahp returns 0. */
1718                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1719                                          SECCLASS_PROCESS,
1720                                          PROCESS__NOATSECURE, NULL);
1721         }
1722
1723         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1724 }
1725
1726 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1727 {
1728         kfree(bprm->security);
1729         bprm->security = NULL;
1730 }
1731
1732 extern struct vfsmount *selinuxfs_mount;
1733 extern struct dentry *selinux_null;
1734
1735 /* Derived from fs/exec.c:flush_old_files. */
1736 static inline void flush_unauthorized_files(struct files_struct * files)
1737 {
1738         struct avc_audit_data ad;
1739         struct file *file, *devnull = NULL;
1740         struct tty_struct *tty;
1741         struct fdtable *fdt;
1742         long j = -1;
1743         int drop_tty = 0;
1744
1745         mutex_lock(&tty_mutex);
1746         tty = get_current_tty();
1747         if (tty) {
1748                 file_list_lock();
1749                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1750                 if (file) {
1751                         /* Revalidate access to controlling tty.
1752                            Use inode_has_perm on the tty inode directly rather
1753                            than using file_has_perm, as this particular open
1754                            file may belong to another process and we are only
1755                            interested in the inode-based check here. */
1756                         struct inode *inode = file->f_path.dentry->d_inode;
1757                         if (inode_has_perm(current, inode,
1758                                            FILE__READ | FILE__WRITE, NULL)) {
1759                                 drop_tty = 1;
1760                         }
1761                 }
1762                 file_list_unlock();
1763         }
1764         mutex_unlock(&tty_mutex);
1765         /* Reset controlling tty. */
1766         if (drop_tty)
1767                 no_tty();
1768
1769         /* Revalidate access to inherited open files. */
1770
1771         AVC_AUDIT_DATA_INIT(&ad,FS);
1772
1773         spin_lock(&files->file_lock);
1774         for (;;) {
1775                 unsigned long set, i;
1776                 int fd;
1777
1778                 j++;
1779                 i = j * __NFDBITS;
1780                 fdt = files_fdtable(files);
1781                 if (i >= fdt->max_fds)
1782                         break;
1783                 set = fdt->open_fds->fds_bits[j];
1784                 if (!set)
1785                         continue;
1786                 spin_unlock(&files->file_lock);
1787                 for ( ; set ; i++,set >>= 1) {
1788                         if (set & 1) {
1789                                 file = fget(i);
1790                                 if (!file)
1791                                         continue;
1792                                 if (file_has_perm(current,
1793                                                   file,
1794                                                   file_to_av(file))) {
1795                                         sys_close(i);
1796                                         fd = get_unused_fd();
1797                                         if (fd != i) {
1798                                                 if (fd >= 0)
1799                                                         put_unused_fd(fd);
1800                                                 fput(file);
1801                                                 continue;
1802                                         }
1803                                         if (devnull) {
1804                                                 get_file(devnull);
1805                                         } else {
1806                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1807                                                 if (IS_ERR(devnull)) {
1808                                                         devnull = NULL;
1809                                                         put_unused_fd(fd);
1810                                                         fput(file);
1811                                                         continue;
1812                                                 }
1813                                         }
1814                                         fd_install(fd, devnull);
1815                                 }
1816                                 fput(file);
1817                         }
1818                 }
1819                 spin_lock(&files->file_lock);
1820
1821         }
1822         spin_unlock(&files->file_lock);
1823 }
1824
1825 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1826 {
1827         struct task_security_struct *tsec;
1828         struct bprm_security_struct *bsec;
1829         u32 sid;
1830         int rc;
1831
1832         secondary_ops->bprm_apply_creds(bprm, unsafe);
1833
1834         tsec = current->security;
1835
1836         bsec = bprm->security;
1837         sid = bsec->sid;
1838
1839         tsec->osid = tsec->sid;
1840         bsec->unsafe = 0;
1841         if (tsec->sid != sid) {
1842                 /* Check for shared state.  If not ok, leave SID
1843                    unchanged and kill. */
1844                 if (unsafe & LSM_UNSAFE_SHARE) {
1845                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1846                                         PROCESS__SHARE, NULL);
1847                         if (rc) {
1848                                 bsec->unsafe = 1;
1849                                 return;
1850                         }
1851                 }
1852
1853                 /* Check for ptracing, and update the task SID if ok.
1854                    Otherwise, leave SID unchanged and kill. */
1855                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1856                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1857                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1858                                           NULL);
1859                         if (rc) {
1860                                 bsec->unsafe = 1;
1861                                 return;
1862                         }
1863                 }
1864                 tsec->sid = sid;
1865         }
1866 }
1867
1868 /*
1869  * called after apply_creds without the task lock held
1870  */
1871 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1872 {
1873         struct task_security_struct *tsec;
1874         struct rlimit *rlim, *initrlim;
1875         struct itimerval itimer;
1876         struct bprm_security_struct *bsec;
1877         int rc, i;
1878
1879         tsec = current->security;
1880         bsec = bprm->security;
1881
1882         if (bsec->unsafe) {
1883                 force_sig_specific(SIGKILL, current);
1884                 return;
1885         }
1886         if (tsec->osid == tsec->sid)
1887                 return;
1888
1889         /* Close files for which the new task SID is not authorized. */
1890         flush_unauthorized_files(current->files);
1891
1892         /* Check whether the new SID can inherit signal state
1893            from the old SID.  If not, clear itimers to avoid
1894            subsequent signal generation and flush and unblock
1895            signals. This must occur _after_ the task SID has
1896           been updated so that any kill done after the flush
1897           will be checked against the new SID. */
1898         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1899                           PROCESS__SIGINH, NULL);
1900         if (rc) {
1901                 memset(&itimer, 0, sizeof itimer);
1902                 for (i = 0; i < 3; i++)
1903                         do_setitimer(i, &itimer, NULL);
1904                 flush_signals(current);
1905                 spin_lock_irq(&current->sighand->siglock);
1906                 flush_signal_handlers(current, 1);
1907                 sigemptyset(&current->blocked);
1908                 recalc_sigpending();
1909                 spin_unlock_irq(&current->sighand->siglock);
1910         }
1911
1912         /* Always clear parent death signal on SID transitions. */
1913         current->pdeath_signal = 0;
1914
1915         /* Check whether the new SID can inherit resource limits
1916            from the old SID.  If not, reset all soft limits to
1917            the lower of the current task's hard limit and the init
1918            task's soft limit.  Note that the setting of hard limits
1919            (even to lower them) can be controlled by the setrlimit
1920            check. The inclusion of the init task's soft limit into
1921            the computation is to avoid resetting soft limits higher
1922            than the default soft limit for cases where the default
1923            is lower than the hard limit, e.g. RLIMIT_CORE or
1924            RLIMIT_STACK.*/
1925         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1926                           PROCESS__RLIMITINH, NULL);
1927         if (rc) {
1928                 for (i = 0; i < RLIM_NLIMITS; i++) {
1929                         rlim = current->signal->rlim + i;
1930                         initrlim = init_task.signal->rlim+i;
1931                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1932                 }
1933                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1934                         /*
1935                          * This will cause RLIMIT_CPU calculations
1936                          * to be refigured.
1937                          */
1938                         current->it_prof_expires = jiffies_to_cputime(1);
1939                 }
1940         }
1941
1942         /* Wake up the parent if it is waiting so that it can
1943            recheck wait permission to the new task SID. */
1944         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1945 }
1946
1947 /* superblock security operations */
1948
1949 static int selinux_sb_alloc_security(struct super_block *sb)
1950 {
1951         return superblock_alloc_security(sb);
1952 }
1953
1954 static void selinux_sb_free_security(struct super_block *sb)
1955 {
1956         superblock_free_security(sb);
1957 }
1958
1959 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1960 {
1961         if (plen > olen)
1962                 return 0;
1963
1964         return !memcmp(prefix, option, plen);
1965 }
1966
1967 static inline int selinux_option(char *option, int len)
1968 {
1969         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1970                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1971                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1972                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1973 }
1974
1975 static inline void take_option(char **to, char *from, int *first, int len)
1976 {
1977         if (!*first) {
1978                 **to = ',';
1979                 *to += 1;
1980         } else
1981                 *first = 0;
1982         memcpy(*to, from, len);
1983         *to += len;
1984 }
1985
1986 static inline void take_selinux_option(char **to, char *from, int *first, 
1987                                        int len)
1988 {
1989         int current_size = 0;
1990
1991         if (!*first) {
1992                 **to = '|';
1993                 *to += 1;
1994         }
1995         else
1996                 *first = 0;
1997
1998         while (current_size < len) {
1999                 if (*from != '"') {
2000                         **to = *from;
2001                         *to += 1;
2002                 }
2003                 from += 1;
2004                 current_size += 1;
2005         }
2006 }
2007
2008 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2009 {
2010         int fnosec, fsec, rc = 0;
2011         char *in_save, *in_curr, *in_end;
2012         char *sec_curr, *nosec_save, *nosec;
2013         int open_quote = 0;
2014
2015         in_curr = orig;
2016         sec_curr = copy;
2017
2018         /* Binary mount data: just copy */
2019         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2020                 copy_page(sec_curr, in_curr);
2021                 goto out;
2022         }
2023
2024         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2025         if (!nosec) {
2026                 rc = -ENOMEM;
2027                 goto out;
2028         }
2029
2030         nosec_save = nosec;
2031         fnosec = fsec = 1;
2032         in_save = in_end = orig;
2033
2034         do {
2035                 if (*in_end == '"')
2036                         open_quote = !open_quote;
2037                 if ((*in_end == ',' && open_quote == 0) ||
2038                                 *in_end == '\0') {
2039                         int len = in_end - in_curr;
2040
2041                         if (selinux_option(in_curr, len))
2042                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2043                         else
2044                                 take_option(&nosec, in_curr, &fnosec, len);
2045
2046                         in_curr = in_end + 1;
2047                 }
2048         } while (*in_end++);
2049
2050         strcpy(in_save, nosec_save);
2051         free_page((unsigned long)nosec_save);
2052 out:
2053         return rc;
2054 }
2055
2056 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2057 {
2058         struct avc_audit_data ad;
2059         int rc;
2060
2061         rc = superblock_doinit(sb, data);
2062         if (rc)
2063                 return rc;
2064
2065         AVC_AUDIT_DATA_INIT(&ad,FS);
2066         ad.u.fs.dentry = sb->s_root;
2067         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2068 }
2069
2070 static int selinux_sb_statfs(struct dentry *dentry)
2071 {
2072         struct avc_audit_data ad;
2073
2074         AVC_AUDIT_DATA_INIT(&ad,FS);
2075         ad.u.fs.dentry = dentry->d_sb->s_root;
2076         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2077 }
2078
2079 static int selinux_mount(char * dev_name,
2080                          struct nameidata *nd,
2081                          char * type,
2082                          unsigned long flags,
2083                          void * data)
2084 {
2085         int rc;
2086
2087         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2088         if (rc)
2089                 return rc;
2090
2091         if (flags & MS_REMOUNT)
2092                 return superblock_has_perm(current, nd->mnt->mnt_sb,
2093                                            FILESYSTEM__REMOUNT, NULL);
2094         else
2095                 return dentry_has_perm(current, nd->mnt, nd->dentry,
2096                                        FILE__MOUNTON);
2097 }
2098
2099 static int selinux_umount(struct vfsmount *mnt, int flags)
2100 {
2101         int rc;
2102
2103         rc = secondary_ops->sb_umount(mnt, flags);
2104         if (rc)
2105                 return rc;
2106
2107         return superblock_has_perm(current,mnt->mnt_sb,
2108                                    FILESYSTEM__UNMOUNT,NULL);
2109 }
2110
2111 /* inode security operations */
2112
2113 static int selinux_inode_alloc_security(struct inode *inode)
2114 {
2115         return inode_alloc_security(inode);
2116 }
2117
2118 static void selinux_inode_free_security(struct inode *inode)
2119 {
2120         inode_free_security(inode);
2121 }
2122
2123 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2124                                        char **name, void **value,
2125                                        size_t *len)
2126 {
2127         struct task_security_struct *tsec;
2128         struct inode_security_struct *dsec;
2129         struct superblock_security_struct *sbsec;
2130         u32 newsid, clen;
2131         int rc;
2132         char *namep = NULL, *context;
2133
2134         tsec = current->security;
2135         dsec = dir->i_security;
2136         sbsec = dir->i_sb->s_security;
2137
2138         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2139                 newsid = tsec->create_sid;
2140         } else {
2141                 rc = security_transition_sid(tsec->sid, dsec->sid,
2142                                              inode_mode_to_security_class(inode->i_mode),
2143                                              &newsid);
2144                 if (rc) {
2145                         printk(KERN_WARNING "%s:  "
2146                                "security_transition_sid failed, rc=%d (dev=%s "
2147                                "ino=%ld)\n",
2148                                __FUNCTION__,
2149                                -rc, inode->i_sb->s_id, inode->i_ino);
2150                         return rc;
2151                 }
2152         }
2153
2154         /* Possibly defer initialization to selinux_complete_init. */
2155         if (sbsec->initialized) {
2156                 struct inode_security_struct *isec = inode->i_security;
2157                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2158                 isec->sid = newsid;
2159                 isec->initialized = 1;
2160         }
2161
2162         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2163                 return -EOPNOTSUPP;
2164
2165         if (name) {
2166                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2167                 if (!namep)
2168                         return -ENOMEM;
2169                 *name = namep;
2170         }
2171
2172         if (value && len) {
2173                 rc = security_sid_to_context(newsid, &context, &clen);
2174                 if (rc) {
2175                         kfree(namep);
2176                         return rc;
2177                 }
2178                 *value = context;
2179                 *len = clen;
2180         }
2181
2182         return 0;
2183 }
2184
2185 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2186 {
2187         return may_create(dir, dentry, SECCLASS_FILE);
2188 }
2189
2190 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2191 {
2192         int rc;
2193
2194         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2195         if (rc)
2196                 return rc;
2197         return may_link(dir, old_dentry, MAY_LINK);
2198 }
2199
2200 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2201 {
2202         int rc;
2203
2204         rc = secondary_ops->inode_unlink(dir, dentry);
2205         if (rc)
2206                 return rc;
2207         return may_link(dir, dentry, MAY_UNLINK);
2208 }
2209
2210 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2211 {
2212         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2213 }
2214
2215 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2216 {
2217         return may_create(dir, dentry, SECCLASS_DIR);
2218 }
2219
2220 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2221 {
2222         return may_link(dir, dentry, MAY_RMDIR);
2223 }
2224
2225 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2226 {
2227         int rc;
2228
2229         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2230         if (rc)
2231                 return rc;
2232
2233         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2234 }
2235
2236 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2237                                 struct inode *new_inode, struct dentry *new_dentry)
2238 {
2239         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2240 }
2241
2242 static int selinux_inode_readlink(struct dentry *dentry)
2243 {
2244         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2245 }
2246
2247 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2248 {
2249         int rc;
2250
2251         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2252         if (rc)
2253                 return rc;
2254         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2255 }
2256
2257 static int selinux_inode_permission(struct inode *inode, int mask,
2258                                     struct nameidata *nd)
2259 {
2260         int rc;
2261
2262         rc = secondary_ops->inode_permission(inode, mask, nd);
2263         if (rc)
2264                 return rc;
2265
2266         if (!mask) {
2267                 /* No permission to check.  Existence test. */
2268                 return 0;
2269         }
2270
2271         return inode_has_perm(current, inode,
2272                                file_mask_to_av(inode->i_mode, mask), NULL);
2273 }
2274
2275 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2276 {
2277         int rc;
2278
2279         rc = secondary_ops->inode_setattr(dentry, iattr);
2280         if (rc)
2281                 return rc;
2282
2283         if (iattr->ia_valid & ATTR_FORCE)
2284                 return 0;
2285
2286         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2287                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2288                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2289
2290         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2291 }
2292
2293 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2294 {
2295         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2296 }
2297
2298 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2299 {
2300         struct task_security_struct *tsec = current->security;
2301         struct inode *inode = dentry->d_inode;
2302         struct inode_security_struct *isec = inode->i_security;
2303         struct superblock_security_struct *sbsec;
2304         struct avc_audit_data ad;
2305         u32 newsid;
2306         int rc = 0;
2307
2308         if (strcmp(name, XATTR_NAME_SELINUX)) {
2309                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2310                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2311                     !capable(CAP_SYS_ADMIN)) {
2312                         /* A different attribute in the security namespace.
2313                            Restrict to administrator. */
2314                         return -EPERM;
2315                 }
2316
2317                 /* Not an attribute we recognize, so just check the
2318                    ordinary setattr permission. */
2319                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2320         }
2321
2322         sbsec = inode->i_sb->s_security;
2323         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2324                 return -EOPNOTSUPP;
2325
2326         if (!is_owner_or_cap(inode))
2327                 return -EPERM;
2328
2329         AVC_AUDIT_DATA_INIT(&ad,FS);
2330         ad.u.fs.dentry = dentry;
2331
2332         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2333                           FILE__RELABELFROM, &ad);
2334         if (rc)
2335                 return rc;
2336
2337         rc = security_context_to_sid(value, size, &newsid);
2338         if (rc)
2339                 return rc;
2340
2341         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2342                           FILE__RELABELTO, &ad);
2343         if (rc)
2344                 return rc;
2345
2346         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2347                                           isec->sclass);
2348         if (rc)
2349                 return rc;
2350
2351         return avc_has_perm(newsid,
2352                             sbsec->sid,
2353                             SECCLASS_FILESYSTEM,
2354                             FILESYSTEM__ASSOCIATE,
2355                             &ad);
2356 }
2357
2358 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2359                                         void *value, size_t size, int flags)
2360 {
2361         struct inode *inode = dentry->d_inode;
2362         struct inode_security_struct *isec = inode->i_security;
2363         u32 newsid;
2364         int rc;
2365
2366         if (strcmp(name, XATTR_NAME_SELINUX)) {
2367                 /* Not an attribute we recognize, so nothing to do. */
2368                 return;
2369         }
2370
2371         rc = security_context_to_sid(value, size, &newsid);
2372         if (rc) {
2373                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2374                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2375                 return;
2376         }
2377
2378         isec->sid = newsid;
2379         return;
2380 }
2381
2382 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2383 {
2384         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2385 }
2386
2387 static int selinux_inode_listxattr (struct dentry *dentry)
2388 {
2389         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2390 }
2391
2392 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2393 {
2394         if (strcmp(name, XATTR_NAME_SELINUX)) {
2395                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2396                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2397                     !capable(CAP_SYS_ADMIN)) {
2398                         /* A different attribute in the security namespace.
2399                            Restrict to administrator. */
2400                         return -EPERM;
2401                 }
2402
2403                 /* Not an attribute we recognize, so just check the
2404                    ordinary setattr permission. Might want a separate
2405                    permission for removexattr. */
2406                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2407         }
2408
2409         /* No one is allowed to remove a SELinux security label.
2410            You can change the label, but all data must be labeled. */
2411         return -EACCES;
2412 }
2413
2414 static const char *selinux_inode_xattr_getsuffix(void)
2415 {
2416       return XATTR_SELINUX_SUFFIX;
2417 }
2418
2419 /*
2420  * Copy the in-core inode security context value to the user.  If the
2421  * getxattr() prior to this succeeded, check to see if we need to
2422  * canonicalize the value to be finally returned to the user.
2423  *
2424  * Permission check is handled by selinux_inode_getxattr hook.
2425  */
2426 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2427 {
2428         struct inode_security_struct *isec = inode->i_security;
2429
2430         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2431                 return -EOPNOTSUPP;
2432
2433         return selinux_getsecurity(isec->sid, buffer, size);
2434 }
2435
2436 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2437                                      const void *value, size_t size, int flags)
2438 {
2439         struct inode_security_struct *isec = inode->i_security;
2440         u32 newsid;
2441         int rc;
2442
2443         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2444                 return -EOPNOTSUPP;
2445
2446         if (!value || !size)
2447                 return -EACCES;
2448
2449         rc = security_context_to_sid((void*)value, size, &newsid);
2450         if (rc)
2451                 return rc;
2452
2453         isec->sid = newsid;
2454         return 0;
2455 }
2456
2457 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2458 {
2459         const int len = sizeof(XATTR_NAME_SELINUX);
2460         if (buffer && len <= buffer_size)
2461                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2462         return len;
2463 }
2464
2465 /* file security operations */
2466
2467 static int selinux_file_permission(struct file *file, int mask)
2468 {
2469         int rc;
2470         struct inode *inode = file->f_path.dentry->d_inode;
2471
2472         if (!mask) {
2473                 /* No permission to check.  Existence test. */
2474                 return 0;
2475         }
2476
2477         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2478         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2479                 mask |= MAY_APPEND;
2480
2481         rc = file_has_perm(current, file,
2482                            file_mask_to_av(inode->i_mode, mask));
2483         if (rc)
2484                 return rc;
2485
2486         return selinux_netlbl_inode_permission(inode, mask);
2487 }
2488
2489 static int selinux_file_alloc_security(struct file *file)
2490 {
2491         return file_alloc_security(file);
2492 }
2493
2494 static void selinux_file_free_security(struct file *file)
2495 {
2496         file_free_security(file);
2497 }
2498
2499 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2500                               unsigned long arg)
2501 {
2502         int error = 0;
2503
2504         switch (cmd) {
2505                 case FIONREAD:
2506                 /* fall through */
2507                 case FIBMAP:
2508                 /* fall through */
2509                 case FIGETBSZ:
2510                 /* fall through */
2511                 case EXT2_IOC_GETFLAGS:
2512                 /* fall through */
2513                 case EXT2_IOC_GETVERSION:
2514                         error = file_has_perm(current, file, FILE__GETATTR);
2515                         break;
2516
2517                 case EXT2_IOC_SETFLAGS:
2518                 /* fall through */
2519                 case EXT2_IOC_SETVERSION:
2520                         error = file_has_perm(current, file, FILE__SETATTR);
2521                         break;
2522
2523                 /* sys_ioctl() checks */
2524                 case FIONBIO:
2525                 /* fall through */
2526                 case FIOASYNC:
2527                         error = file_has_perm(current, file, 0);
2528                         break;
2529
2530                 case KDSKBENT:
2531                 case KDSKBSENT:
2532                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2533                         break;
2534
2535                 /* default case assumes that the command will go
2536                  * to the file's ioctl() function.
2537                  */
2538                 default:
2539                         error = file_has_perm(current, file, FILE__IOCTL);
2540
2541         }
2542         return error;
2543 }
2544
2545 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2546 {
2547 #ifndef CONFIG_PPC32
2548         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2549                 /*
2550                  * We are making executable an anonymous mapping or a
2551                  * private file mapping that will also be writable.
2552                  * This has an additional check.
2553                  */
2554                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2555                 if (rc)
2556                         return rc;
2557         }
2558 #endif
2559
2560         if (file) {
2561                 /* read access is always possible with a mapping */
2562                 u32 av = FILE__READ;
2563
2564                 /* write access only matters if the mapping is shared */
2565                 if (shared && (prot & PROT_WRITE))
2566                         av |= FILE__WRITE;
2567
2568                 if (prot & PROT_EXEC)
2569                         av |= FILE__EXECUTE;
2570
2571                 return file_has_perm(current, file, av);
2572         }
2573         return 0;
2574 }
2575
2576 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2577                              unsigned long prot, unsigned long flags,
2578                              unsigned long addr, unsigned long addr_only)
2579 {
2580         int rc = 0;
2581         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2582
2583         if (addr < mmap_min_addr)
2584                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2585                                   MEMPROTECT__MMAP_ZERO, NULL);
2586         if (rc || addr_only)
2587                 return rc;
2588
2589         if (selinux_checkreqprot)
2590                 prot = reqprot;
2591
2592         return file_map_prot_check(file, prot,
2593                                    (flags & MAP_TYPE) == MAP_SHARED);
2594 }
2595
2596 static int selinux_file_mprotect(struct vm_area_struct *vma,
2597                                  unsigned long reqprot,
2598                                  unsigned long prot)
2599 {
2600         int rc;
2601
2602         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2603         if (rc)
2604                 return rc;
2605
2606         if (selinux_checkreqprot)
2607                 prot = reqprot;
2608
2609 #ifndef CONFIG_PPC32
2610         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2611                 rc = 0;
2612                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2613                     vma->vm_end <= vma->vm_mm->brk) {
2614                         rc = task_has_perm(current, current,
2615                                            PROCESS__EXECHEAP);
2616                 } else if (!vma->vm_file &&
2617                            vma->vm_start <= vma->vm_mm->start_stack &&
2618                            vma->vm_end >= vma->vm_mm->start_stack) {
2619                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2620                 } else if (vma->vm_file && vma->anon_vma) {
2621                         /*
2622                          * We are making executable a file mapping that has
2623                          * had some COW done. Since pages might have been
2624                          * written, check ability to execute the possibly
2625                          * modified content.  This typically should only
2626                          * occur for text relocations.
2627                          */
2628                         rc = file_has_perm(current, vma->vm_file,
2629                                            FILE__EXECMOD);
2630                 }
2631                 if (rc)
2632                         return rc;
2633         }
2634 #endif
2635
2636         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2637 }
2638
2639 static int selinux_file_lock(struct file *file, unsigned int cmd)
2640 {
2641         return file_has_perm(current, file, FILE__LOCK);
2642 }
2643
2644 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2645                               unsigned long arg)
2646 {
2647         int err = 0;
2648
2649         switch (cmd) {
2650                 case F_SETFL:
2651                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2652                                 err = -EINVAL;
2653                                 break;
2654                         }
2655
2656                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2657                                 err = file_has_perm(current, file,FILE__WRITE);
2658                                 break;
2659                         }
2660                         /* fall through */
2661                 case F_SETOWN:
2662                 case F_SETSIG:
2663                 case F_GETFL:
2664                 case F_GETOWN:
2665                 case F_GETSIG:
2666                         /* Just check FD__USE permission */
2667                         err = file_has_perm(current, file, 0);
2668                         break;
2669                 case F_GETLK:
2670                 case F_SETLK:
2671                 case F_SETLKW:
2672 #if BITS_PER_LONG == 32
2673                 case F_GETLK64:
2674                 case F_SETLK64:
2675                 case F_SETLKW64:
2676 #endif
2677                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2678                                 err = -EINVAL;
2679                                 break;
2680                         }
2681                         err = file_has_perm(current, file, FILE__LOCK);
2682                         break;
2683         }
2684
2685         return err;
2686 }
2687
2688 static int selinux_file_set_fowner(struct file *file)
2689 {
2690         struct task_security_struct *tsec;
2691         struct file_security_struct *fsec;
2692
2693         tsec = current->security;
2694         fsec = file->f_security;
2695         fsec->fown_sid = tsec->sid;
2696
2697         return 0;
2698 }
2699
2700 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2701                                        struct fown_struct *fown, int signum)
2702 {
2703         struct file *file;
2704         u32 perm;
2705         struct task_security_struct *tsec;
2706         struct file_security_struct *fsec;
2707
2708         /* struct fown_struct is never outside the context of a struct file */
2709         file = container_of(fown, struct file, f_owner);
2710
2711         tsec = tsk->security;
2712         fsec = file->f_security;
2713
2714         if (!signum)
2715                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2716         else
2717                 perm = signal_to_av(signum);
2718
2719         return avc_has_perm(fsec->fown_sid, tsec->sid,
2720                             SECCLASS_PROCESS, perm, NULL);
2721 }
2722
2723 static int selinux_file_receive(struct file *file)
2724 {
2725         return file_has_perm(current, file, file_to_av(file));
2726 }
2727
2728 /* task security operations */
2729
2730 static int selinux_task_create(unsigned long clone_flags)
2731 {
2732         int rc;
2733
2734         rc = secondary_ops->task_create(clone_flags);
2735         if (rc)
2736                 return rc;
2737
2738         return task_has_perm(current, current, PROCESS__FORK);
2739 }
2740
2741 static int selinux_task_alloc_security(struct task_struct *tsk)
2742 {
2743         struct task_security_struct *tsec1, *tsec2;
2744         int rc;
2745
2746         tsec1 = current->security;
2747
2748         rc = task_alloc_security(tsk);
2749         if (rc)
2750                 return rc;
2751         tsec2 = tsk->security;
2752
2753         tsec2->osid = tsec1->osid;
2754         tsec2->sid = tsec1->sid;
2755
2756         /* Retain the exec, fs, key, and sock SIDs across fork */
2757         tsec2->exec_sid = tsec1->exec_sid;
2758         tsec2->create_sid = tsec1->create_sid;
2759         tsec2->keycreate_sid = tsec1->keycreate_sid;
2760         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2761
2762         /* Retain ptracer SID across fork, if any.
2763            This will be reset by the ptrace hook upon any
2764            subsequent ptrace_attach operations. */
2765         tsec2->ptrace_sid = tsec1->ptrace_sid;
2766
2767         return 0;
2768 }
2769
2770 static void selinux_task_free_security(struct task_struct *tsk)
2771 {
2772         task_free_security(tsk);
2773 }
2774
2775 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2776 {
2777         /* Since setuid only affects the current process, and
2778            since the SELinux controls are not based on the Linux
2779            identity attributes, SELinux does not need to control
2780            this operation.  However, SELinux does control the use
2781            of the CAP_SETUID and CAP_SETGID capabilities using the
2782            capable hook. */
2783         return 0;
2784 }
2785
2786 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2787 {
2788         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2789 }
2790
2791 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2792 {
2793         /* See the comment for setuid above. */
2794         return 0;
2795 }
2796
2797 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2798 {
2799         return task_has_perm(current, p, PROCESS__SETPGID);
2800 }
2801
2802 static int selinux_task_getpgid(struct task_struct *p)
2803 {
2804         return task_has_perm(current, p, PROCESS__GETPGID);
2805 }
2806
2807 static int selinux_task_getsid(struct task_struct *p)
2808 {
2809         return task_has_perm(current, p, PROCESS__GETSESSION);
2810 }
2811
2812 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2813 {
2814         selinux_get_task_sid(p, secid);
2815 }
2816
2817 static int selinux_task_setgroups(struct group_info *group_info)
2818 {
2819         /* See the comment for setuid above. */
2820         return 0;
2821 }
2822
2823 static int selinux_task_setnice(struct task_struct *p, int nice)
2824 {
2825         int rc;
2826
2827         rc = secondary_ops->task_setnice(p, nice);
2828         if (rc)
2829                 return rc;
2830
2831         return task_has_perm(current,p, PROCESS__SETSCHED);
2832 }
2833
2834 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2835 {
2836         return task_has_perm(current, p, PROCESS__SETSCHED);
2837 }
2838
2839 static int selinux_task_getioprio(struct task_struct *p)
2840 {
2841         return task_has_perm(current, p, PROCESS__GETSCHED);
2842 }
2843
2844 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2845 {
2846         struct rlimit *old_rlim = current->signal->rlim + resource;
2847         int rc;
2848
2849         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2850         if (rc)
2851                 return rc;
2852
2853         /* Control the ability to change the hard limit (whether
2854            lowering or raising it), so that the hard limit can
2855            later be used as a safe reset point for the soft limit
2856            upon context transitions. See selinux_bprm_apply_creds. */
2857         if (old_rlim->rlim_max != new_rlim->rlim_max)
2858                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2859
2860         return 0;
2861 }
2862
2863 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2864 {
2865         return task_has_perm(current, p, PROCESS__SETSCHED);
2866 }
2867
2868 static int selinux_task_getscheduler(struct task_struct *p)
2869 {
2870         return task_has_perm(current, p, PROCESS__GETSCHED);
2871 }
2872
2873 static int selinux_task_movememory(struct task_struct *p)
2874 {
2875         return task_has_perm(current, p, PROCESS__SETSCHED);
2876 }
2877
2878 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2879                                 int sig, u32 secid)
2880 {
2881         u32 perm;
2882         int rc;
2883         struct task_security_struct *tsec;
2884
2885         rc = secondary_ops->task_kill(p, info, sig, secid);
2886         if (rc)
2887                 return rc;
2888
2889         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2890                 return 0;
2891
2892         if (!sig)
2893                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2894         else
2895                 perm = signal_to_av(sig);
2896         tsec = p->security;
2897         if (secid)
2898                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2899         else
2900                 rc = task_has_perm(current, p, perm);
2901         return rc;
2902 }
2903
2904 static int selinux_task_prctl(int option,
2905                               unsigned long arg2,
2906                               unsigned long arg3,
2907                               unsigned long arg4,
2908                               unsigned long arg5)
2909 {
2910         /* The current prctl operations do not appear to require
2911            any SELinux controls since they merely observe or modify
2912            the state of the current process. */
2913         return 0;
2914 }
2915
2916 static int selinux_task_wait(struct task_struct *p)
2917 {
2918         u32 perm;
2919
2920         perm = signal_to_av(p->exit_signal);
2921
2922         return task_has_perm(p, current, perm);
2923 }
2924
2925 static void selinux_task_reparent_to_init(struct task_struct *p)
2926 {
2927         struct task_security_struct *tsec;
2928
2929         secondary_ops->task_reparent_to_init(p);
2930
2931         tsec = p->security;
2932         tsec->osid = tsec->sid;
2933         tsec->sid = SECINITSID_KERNEL;
2934         return;
2935 }
2936
2937 static void selinux_task_to_inode(struct task_struct *p,
2938                                   struct inode *inode)
2939 {
2940         struct task_security_struct *tsec = p->security;
2941         struct inode_security_struct *isec = inode->i_security;
2942
2943         isec->sid = tsec->sid;
2944         isec->initialized = 1;
2945         return;
2946 }
2947
2948 /* Returns error only if unable to parse addresses */
2949 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
2950                         struct avc_audit_data *ad, u8 *proto)
2951 {
2952         int offset, ihlen, ret = -EINVAL;
2953         struct iphdr _iph, *ih;
2954
2955         offset = skb_network_offset(skb);
2956         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2957         if (ih == NULL)
2958                 goto out;
2959
2960         ihlen = ih->ihl * 4;
2961         if (ihlen < sizeof(_iph))
2962                 goto out;
2963
2964         ad->u.net.v4info.saddr = ih->saddr;
2965         ad->u.net.v4info.daddr = ih->daddr;
2966         ret = 0;
2967
2968         if (proto)
2969                 *proto = ih->protocol;
2970
2971         switch (ih->protocol) {
2972         case IPPROTO_TCP: {
2973                 struct tcphdr _tcph, *th;
2974
2975                 if (ntohs(ih->frag_off) & IP_OFFSET)
2976                         break;
2977
2978                 offset += ihlen;
2979                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2980                 if (th == NULL)
2981                         break;
2982
2983                 ad->u.net.sport = th->source;
2984                 ad->u.net.dport = th->dest;
2985                 break;
2986         }
2987         
2988         case IPPROTO_UDP: {
2989                 struct udphdr _udph, *uh;
2990                 
2991                 if (ntohs(ih->frag_off) & IP_OFFSET)
2992                         break;
2993                         
2994                 offset += ihlen;
2995                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2996                 if (uh == NULL)
2997                         break;  
2998
2999                 ad->u.net.sport = uh->source;
3000                 ad->u.net.dport = uh->dest;
3001                 break;
3002         }
3003
3004         case IPPROTO_DCCP: {
3005                 struct dccp_hdr _dccph, *dh;
3006
3007                 if (ntohs(ih->frag_off) & IP_OFFSET)
3008                         break;
3009
3010                 offset += ihlen;
3011                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3012                 if (dh == NULL)
3013                         break;
3014
3015                 ad->u.net.sport = dh->dccph_sport;
3016                 ad->u.net.dport = dh->dccph_dport;
3017                 break;
3018         }
3019
3020         default:
3021                 break;
3022         }
3023 out:
3024         return ret;
3025 }
3026
3027 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3028
3029 /* Returns error only if unable to parse addresses */
3030 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3031                         struct avc_audit_data *ad, u8 *proto)
3032 {
3033         u8 nexthdr;
3034         int ret = -EINVAL, offset;
3035         struct ipv6hdr _ipv6h, *ip6;
3036
3037         offset = skb_network_offset(skb);
3038         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3039         if (ip6 == NULL)
3040                 goto out;
3041
3042         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3043         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3044         ret = 0;
3045
3046         nexthdr = ip6->nexthdr;
3047         offset += sizeof(_ipv6h);
3048         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3049         if (offset < 0)
3050                 goto out;
3051
3052         if (proto)
3053                 *proto = nexthdr;
3054
3055         switch (nexthdr) {
3056         case IPPROTO_TCP: {
3057                 struct tcphdr _tcph, *th;
3058
3059                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3060                 if (th == NULL)
3061                         break;
3062
3063                 ad->u.net.sport = th->source;
3064                 ad->u.net.dport = th->dest;
3065                 break;
3066         }
3067
3068         case IPPROTO_UDP: {
3069                 struct udphdr _udph, *uh;
3070
3071                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3072                 if (uh == NULL)
3073                         break;
3074
3075                 ad->u.net.sport = uh->source;
3076                 ad->u.net.dport = uh->dest;
3077                 break;
3078         }
3079
3080         case IPPROTO_DCCP: {
3081                 struct dccp_hdr _dccph, *dh;
3082
3083                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3084                 if (dh == NULL)
3085                         break;
3086
3087                 ad->u.net.sport = dh->dccph_sport;
3088                 ad->u.net.dport = dh->dccph_dport;
3089                 break;
3090         }
3091
3092         /* includes fragments */
3093         default:
3094                 break;
3095         }
3096 out:
3097         return ret;
3098 }
3099
3100 #endif /* IPV6 */
3101
3102 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3103                              char **addrp, int *len, int src, u8 *proto)
3104 {
3105         int ret = 0;
3106
3107         switch (ad->u.net.family) {
3108         case PF_INET:
3109                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3110                 if (ret || !addrp)
3111                         break;
3112                 *len = 4;
3113                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3114                                         &ad->u.net.v4info.daddr);
3115                 break;
3116
3117 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3118         case PF_INET6:
3119                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3120                 if (ret || !addrp)
3121                         break;
3122                 *len = 16;
3123                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3124                                         &ad->u.net.v6info.daddr);
3125                 break;
3126 #endif  /* IPV6 */
3127         default:
3128                 break;
3129         }
3130
3131         return ret;
3132 }
3133
3134 /**
3135  * selinux_skb_extlbl_sid - Determine the external label of a packet
3136  * @skb: the packet
3137  * @sid: the packet's SID
3138  *
3139  * Description:
3140  * Check the various different forms of external packet labeling and determine
3141  * the external SID for the packet.  If only one form of external labeling is
3142  * present then it is used, if both labeled IPsec and NetLabel labels are
3143  * present then the SELinux type information is taken from the labeled IPsec
3144  * SA and the MLS sensitivity label information is taken from the NetLabel
3145  * security attributes.  This bit of "magic" is done in the call to
3146  * selinux_netlbl_skbuff_getsid().
3147  *
3148  */
3149 static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
3150 {
3151         u32 xfrm_sid;
3152         u32 nlbl_sid;
3153
3154         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3155         if (selinux_netlbl_skbuff_getsid(skb,
3156                                          (xfrm_sid == SECSID_NULL ?
3157                                           SECINITSID_NETMSG : xfrm_sid),
3158                                          &nlbl_sid) != 0)
3159                 nlbl_sid = SECSID_NULL;
3160         *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
3161 }
3162
3163 /* socket security operations */
3164 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3165                            u32 perms)
3166 {
3167         struct inode_security_struct *isec;
3168         struct task_security_struct *tsec;
3169         struct avc_audit_data ad;
3170         int err = 0;
3171
3172         tsec = task->security;
3173         isec = SOCK_INODE(sock)->i_security;
3174
3175         if (isec->sid == SECINITSID_KERNEL)
3176                 goto out;
3177
3178         AVC_AUDIT_DATA_INIT(&ad,NET);
3179         ad.u.net.sk = sock->sk;
3180         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3181
3182 out:
3183         return err;
3184 }
3185
3186 static int selinux_socket_create(int family, int type,
3187                                  int protocol, int kern)
3188 {
3189         int err = 0;
3190         struct task_security_struct *tsec;
3191         u32 newsid;
3192
3193         if (kern)
3194                 goto out;
3195
3196         tsec = current->security;
3197         newsid = tsec->sockcreate_sid ? : tsec->sid;
3198         err = avc_has_perm(tsec->sid, newsid,
3199                            socket_type_to_security_class(family, type,
3200                            protocol), SOCKET__CREATE, NULL);
3201
3202 out:
3203         return err;
3204 }
3205
3206 static int selinux_socket_post_create(struct socket *sock, int family,
3207                                       int type, int protocol, int kern)
3208 {
3209         int err = 0;
3210         struct inode_security_struct *isec;
3211         struct task_security_struct *tsec;
3212         struct sk_security_struct *sksec;
3213         u32 newsid;
3214
3215         isec = SOCK_INODE(sock)->i_security;
3216
3217         tsec = current->security;
3218         newsid = tsec->sockcreate_sid ? : tsec->sid;
3219         isec->sclass = socket_type_to_security_class(family, type, protocol);
3220         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3221         isec->initialized = 1;
3222
3223         if (sock->sk) {
3224                 sksec = sock->sk->sk_security;
3225                 sksec->sid = isec->sid;
3226                 err = selinux_netlbl_socket_post_create(sock);
3227         }
3228
3229         return err;
3230 }
3231
3232 /* Range of port numbers used to automatically bind.
3233    Need to determine whether we should perform a name_bind
3234    permission check between the socket and the port number. */
3235
3236 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3237 {
3238         u16 family;
3239         int err;
3240
3241         err = socket_has_perm(current, sock, SOCKET__BIND);
3242         if (err)
3243                 goto out;
3244
3245         /*
3246          * If PF_INET or PF_INET6, check name_bind permission for the port.
3247          * Multiple address binding for SCTP is not supported yet: we just
3248          * check the first address now.
3249          */
3250         family = sock->sk->sk_family;
3251         if (family == PF_INET || family == PF_INET6) {
3252                 char *addrp;
3253                 struct inode_security_struct *isec;
3254                 struct task_security_struct *tsec;
3255                 struct avc_audit_data ad;
3256                 struct sockaddr_in *addr4 = NULL;
3257                 struct sockaddr_in6 *addr6 = NULL;
3258                 unsigned short snum;
3259                 struct sock *sk = sock->sk;
3260                 u32 sid, node_perm, addrlen;
3261
3262                 tsec = current->security;
3263                 isec = SOCK_INODE(sock)->i_security;
3264
3265                 if (family == PF_INET) {
3266                         addr4 = (struct sockaddr_in *)address;
3267                         snum = ntohs(addr4->sin_port);
3268                         addrlen = sizeof(addr4->sin_addr.s_addr);
3269                         addrp = (char *)&addr4->sin_addr.s_addr;
3270                 } else {
3271                         addr6 = (struct sockaddr_in6 *)address;
3272                         snum = ntohs(addr6->sin6_port);
3273                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3274                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3275                 }
3276
3277                 if (snum) {
3278                         int low, high;
3279
3280                         inet_get_local_port_range(&low, &high);
3281
3282                         if (snum < max(PROT_SOCK, low) || snum > high) {
3283                                 err = security_port_sid(sk->sk_family,
3284                                                         sk->sk_type,
3285                                                         sk->sk_protocol, snum,
3286                                                         &sid);
3287                                 if (err)
3288                                         goto out;
3289                                 AVC_AUDIT_DATA_INIT(&ad,NET);
3290                                 ad.u.net.sport = htons(snum);
3291                                 ad.u.net.family = family;
3292                                 err = avc_has_perm(isec->sid, sid,
3293                                                    isec->sclass,
3294                                                    SOCKET__NAME_BIND, &ad);
3295                                 if (err)
3296                                         goto out;
3297                         }
3298                 }
3299                 
3300                 switch(isec->sclass) {
3301                 case SECCLASS_TCP_SOCKET:
3302                         node_perm = TCP_SOCKET__NODE_BIND;
3303                         break;
3304                         
3305                 case SECCLASS_UDP_SOCKET:
3306                         node_perm = UDP_SOCKET__NODE_BIND;
3307                         break;
3308
3309                 case SECCLASS_DCCP_SOCKET:
3310                         node_perm = DCCP_SOCKET__NODE_BIND;
3311                         break;
3312
3313                 default:
3314                         node_perm = RAWIP_SOCKET__NODE_BIND;
3315                         break;
3316                 }
3317                 
3318                 err = security_node_sid(family, addrp, addrlen, &sid);
3319                 if (err)
3320                         goto out;
3321                 
3322                 AVC_AUDIT_DATA_INIT(&ad,NET);
3323                 ad.u.net.sport = htons(snum);
3324                 ad.u.net.family = family;
3325
3326                 if (family == PF_INET)
3327                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3328                 else
3329                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3330
3331                 err = avc_has_perm(isec->sid, sid,
3332                                    isec->sclass, node_perm, &ad);
3333                 if (err)
3334                         goto out;
3335         }
3336 out:
3337         return err;
3338 }
3339
3340 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3341 {
3342         struct inode_security_struct *isec;
3343         int err;
3344
3345         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3346         if (err)
3347                 return err;
3348
3349         /*
3350          * If a TCP or DCCP socket, check name_connect permission for the port.
3351          */
3352         isec = SOCK_INODE(sock)->i_security;
3353         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3354             isec->sclass == SECCLASS_DCCP_SOCKET) {
3355                 struct sock *sk = sock->sk;
3356                 struct avc_audit_data ad;
3357                 struct sockaddr_in *addr4 = NULL;
3358                 struct sockaddr_in6 *addr6 = NULL;
3359                 unsigned short snum;
3360                 u32 sid, perm;
3361
3362                 if (sk->sk_family == PF_INET) {
3363                         addr4 = (struct sockaddr_in *)address;
3364                         if (addrlen < sizeof(struct sockaddr_in))
3365                                 return -EINVAL;
3366                         snum = ntohs(addr4->sin_port);
3367                 } else {
3368                         addr6 = (struct sockaddr_in6 *)address;
3369                         if (addrlen < SIN6_LEN_RFC2133)
3370                                 return -EINVAL;
3371                         snum = ntohs(addr6->sin6_port);
3372                 }
3373
3374                 err = security_port_sid(sk->sk_family, sk->sk_type,
3375                                         sk->sk_protocol, snum, &sid);
3376                 if (err)
3377                         goto out;
3378
3379                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3380                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3381
3382                 AVC_AUDIT_DATA_INIT(&ad,NET);
3383                 ad.u.net.dport = htons(snum);
3384                 ad.u.net.family = sk->sk_family;
3385                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3386                 if (err)
3387                         goto out;
3388         }
3389
3390 out:
3391         return err;
3392 }
3393
3394 static int selinux_socket_listen(struct socket *sock, int backlog)
3395 {
3396         return socket_has_perm(current, sock, SOCKET__LISTEN);
3397 }
3398
3399 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3400 {
3401         int err;
3402         struct inode_security_struct *isec;
3403         struct inode_security_struct *newisec;
3404
3405         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3406         if (err)
3407                 return err;
3408
3409         newisec = SOCK_INODE(newsock)->i_security;
3410
3411         isec = SOCK_INODE(sock)->i_security;
3412         newisec->sclass = isec->sclass;
3413         newisec->sid = isec->sid;
3414         newisec->initialized = 1;
3415
3416         return 0;
3417 }
3418
3419 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3420                                   int size)
3421 {
3422         int rc;
3423
3424         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3425         if (rc)
3426                 return rc;
3427
3428         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3429 }
3430
3431 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3432                                   int size, int flags)
3433 {
3434         return socket_has_perm(current, sock, SOCKET__READ);
3435 }
3436
3437 static int selinux_socket_getsockname(struct socket *sock)
3438 {
3439         return socket_has_perm(current, sock, SOCKET__GETATTR);
3440 }
3441
3442 static int selinux_socket_getpeername(struct socket *sock)
3443 {
3444         return socket_has_perm(current, sock, SOCKET__GETATTR);
3445 }
3446
3447 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3448 {
3449         int err;
3450
3451         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3452         if (err)
3453                 return err;
3454
3455         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3456 }
3457
3458 static int selinux_socket_getsockopt(struct socket *sock, int level,
3459                                      int optname)
3460 {
3461         return socket_has_perm(current, sock, SOCKET__GETOPT);
3462 }
3463
3464 static int selinux_socket_shutdown(struct socket *sock, int how)
3465 {
3466         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3467 }
3468
3469 static int selinux_socket_unix_stream_connect(struct socket *sock,
3470                                               struct socket *other,
3471                                               struct sock *newsk)
3472 {
3473         struct sk_security_struct *ssec;
3474         struct inode_security_struct *isec;
3475         struct inode_security_struct *other_isec;
3476         struct avc_audit_data ad;
3477         int err;
3478
3479         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3480         if (err)
3481                 return err;
3482
3483         isec = SOCK_INODE(sock)->i_security;
3484         other_isec = SOCK_INODE(other)->i_security;
3485
3486         AVC_AUDIT_DATA_INIT(&ad,NET);
3487         ad.u.net.sk = other->sk;
3488
3489         err = avc_has_perm(isec->sid, other_isec->sid,
3490                            isec->sclass,
3491                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3492         if (err)
3493                 return err;
3494
3495         /* connecting socket */
3496         ssec = sock->sk->sk_security;
3497         ssec->peer_sid = other_isec->sid;
3498         
3499         /* server child socket */
3500         ssec = newsk->sk_security;
3501         ssec->peer_sid = isec->sid;
3502         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3503
3504         return err;
3505 }
3506
3507 static int selinux_socket_unix_may_send(struct socket *sock,
3508                                         struct socket *other)
3509 {
3510         struct inode_security_struct *isec;
3511         struct inode_security_struct *other_isec;
3512         struct avc_audit_data ad;
3513         int err;
3514
3515         isec = SOCK_INODE(sock)->i_security;
3516         other_isec = SOCK_INODE(other)->i_security;
3517
3518         AVC_AUDIT_DATA_INIT(&ad,NET);
3519         ad.u.net.sk = other->sk;
3520
3521         err = avc_has_perm(isec->sid, other_isec->sid,
3522                            isec->sclass, SOCKET__SENDTO, &ad);
3523         if (err)
3524                 return err;
3525
3526         return 0;
3527 }
3528
3529 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3530                 struct avc_audit_data *ad, u16 family, char *addrp, int len)
3531 {
3532         int err = 0;
3533         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3534         struct socket *sock;
3535         u16 sock_class = 0;
3536         u32 sock_sid = 0;
3537
3538         read_lock_bh(&sk->sk_callback_lock);
3539         sock = sk->sk_socket;
3540         if (sock) {
3541                 struct inode *inode;
3542                 inode = SOCK_INODE(sock);
3543                 if (inode) {
3544                         struct inode_security_struct *isec;
3545                         isec = inode->i_security;
3546                         sock_sid = isec->sid;
3547                         sock_class = isec->sclass;
3548                 }
3549         }
3550         read_unlock_bh(&sk->sk_callback_lock);
3551         if (!sock_sid)
3552                 goto out;
3553
3554         if (!skb->dev)
3555                 goto out;
3556
3557         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3558         if (err)
3559                 goto out;
3560
3561         switch (sock_class) {
3562         case SECCLASS_UDP_SOCKET:
3563                 netif_perm = NETIF__UDP_RECV;
3564                 node_perm = NODE__UDP_RECV;
3565                 recv_perm = UDP_SOCKET__RECV_MSG;
3566                 break;
3567         
3568         case SECCLASS_TCP_SOCKET:
3569                 netif_perm = NETIF__TCP_RECV;
3570                 node_perm = NODE__TCP_RECV;
3571                 recv_perm = TCP_SOCKET__RECV_MSG;
3572                 break;
3573
3574         case SECCLASS_DCCP_SOCKET:
3575                 netif_perm = NETIF__DCCP_RECV;
3576                 node_perm = NODE__DCCP_RECV;
3577                 recv_perm = DCCP_SOCKET__RECV_MSG;
3578                 break;
3579
3580         default:
3581                 netif_perm = NETIF__RAWIP_RECV;
3582                 node_perm = NODE__RAWIP_RECV;
3583                 break;
3584         }
3585
3586         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3587         if (err)
3588                 goto out;
3589         
3590         err = security_node_sid(family, addrp, len, &node_sid);
3591         if (err)
3592                 goto out;
3593         
3594         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3595         if (err)
3596                 goto out;
3597
3598         if (recv_perm) {
3599                 u32 port_sid;
3600
3601                 err = security_port_sid(sk->sk_family, sk->sk_type,
3602                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3603                                         &port_sid);
3604                 if (err)
3605                         goto out;
3606
3607                 err = avc_has_perm(sock_sid, port_sid,
3608                                    sock_class, recv_perm, ad);
3609         }
3610
3611 out:
3612         return err;
3613 }
3614
3615 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3616 {
3617         u16 family;
3618         char *addrp;
3619         int len, err = 0;
3620         struct avc_audit_data ad;
3621         struct sk_security_struct *sksec = sk->sk_security;
3622
3623         family = sk->sk_family;
3624         if (family != PF_INET && family != PF_INET6)
3625                 goto out;
3626
3627         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3628         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3629                 family = PF_INET;
3630
3631         AVC_AUDIT_DATA_INIT(&ad, NET);
3632         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3633         ad.u.net.family = family;
3634
3635         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
3636         if (err)
3637                 goto out;
3638
3639         if (selinux_compat_net)
3640                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
3641                                                   addrp, len);
3642         else
3643                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3644                                    PACKET__RECV, &ad);
3645         if (err)
3646                 goto out;
3647
3648         err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
3649         if (err)
3650                 goto out;
3651
3652         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
3653 out:    
3654         return err;
3655 }
3656
3657 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3658                                             int __user *optlen, unsigned len)
3659 {
3660         int err = 0;
3661         char *scontext;
3662         u32 scontext_len;
3663         struct sk_security_struct *ssec;
3664         struct inode_security_struct *isec;
3665         u32 peer_sid = SECSID_NULL;
3666
3667         isec = SOCK_INODE(sock)->i_security;
3668
3669         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
3670             isec->sclass == SECCLASS_TCP_SOCKET) {
3671                 ssec = sock->sk->sk_security;
3672                 peer_sid = ssec->peer_sid;
3673         }
3674         if (peer_sid == SECSID_NULL) {
3675                 err = -ENOPROTOOPT;
3676                 goto out;
3677         }
3678
3679         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3680
3681         if (err)
3682                 goto out;
3683
3684         if (scontext_len > len) {
3685                 err = -ERANGE;
3686                 goto out_len;
3687         }
3688
3689         if (copy_to_user(optval, scontext, scontext_len))
3690                 err = -EFAULT;
3691
3692 out_len:
3693         if (put_user(scontext_len, optlen))
3694                 err = -EFAULT;
3695
3696         kfree(scontext);
3697 out:    
3698         return err;
3699 }
3700
3701 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3702 {
3703         u32 peer_secid = SECSID_NULL;
3704         int err = 0;
3705
3706         if (sock && sock->sk->sk_family == PF_UNIX)
3707                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3708         else if (skb)
3709                 selinux_skb_extlbl_sid(skb, &peer_secid);
3710
3711         if (peer_secid == SECSID_NULL)
3712                 err = -EINVAL;
3713         *secid = peer_secid;
3714
3715         return err;
3716 }
3717
3718 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3719 {
3720         return sk_alloc_security(sk, family, priority);
3721 }
3722
3723 static void selinux_sk_free_security(struct sock *sk)
3724 {
3725         sk_free_security(sk);
3726 }
3727
3728 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
3729 {
3730         struct sk_security_struct *ssec = sk->sk_security;
3731         struct sk_security_struct *newssec = newsk->sk_security;
3732
3733         newssec->sid = ssec->sid;
3734         newssec->peer_sid = ssec->peer_sid;
3735
3736         selinux_netlbl_sk_security_clone(ssec, newssec);
3737 }
3738
3739 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
3740 {
3741         if (!sk)
3742                 *secid = SECINITSID_ANY_SOCKET;
3743         else {
3744                 struct sk_security_struct *sksec = sk->sk_security;
3745
3746                 *secid = sksec->sid;
3747         }
3748 }
3749
3750 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
3751 {
3752         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
3753         struct sk_security_struct *sksec = sk->sk_security;
3754
3755         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
3756             sk->sk_family == PF_UNIX)
3757                 isec->sid = sksec->sid;
3758
3759         selinux_netlbl_sock_graft(sk, parent);
3760 }
3761
3762 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3763                                      struct request_sock *req)
3764 {
3765         struct sk_security_struct *sksec = sk->sk_security;
3766         int err;
3767         u32 newsid;
3768         u32 peersid;
3769
3770         selinux_skb_extlbl_sid(skb, &peersid);
3771         if (peersid == SECSID_NULL) {
3772                 req->secid = sksec->sid;
3773                 req->peer_secid = SECSID_NULL;
3774                 return 0;
3775         }
3776
3777         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
3778         if (err)
3779                 return err;
3780
3781         req->secid = newsid;
3782         req->peer_secid = peersid;
3783         return 0;
3784 }
3785
3786 static void selinux_inet_csk_clone(struct sock *newsk,
3787                                    const struct request_sock *req)
3788 {
3789         struct sk_security_struct *newsksec = newsk->sk_security;
3790
3791         newsksec->sid = req->secid;
3792         newsksec->peer_sid = req->peer_secid;
3793         /* NOTE: Ideally, we should also get the isec->sid for the
3794            new socket in sync, but we don't have the isec available yet.
3795            So we will wait until sock_graft to do it, by which
3796            time it will have been created and available. */
3797
3798         /* We don't need to take any sort of lock here as we are the only
3799          * thread with access to newsksec */
3800         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
3801 }
3802
3803 static void selinux_inet_conn_established(struct sock *sk,
3804                                 struct sk_buff *skb)
3805 {
3806         struct sk_security_struct *sksec = sk->sk_security;
3807
3808         selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
3809 }
3810
3811 static void selinux_req_classify_flow(const struct request_sock *req,
3812                                       struct flowi *fl)
3813 {
3814         fl->secid = req->secid;
3815 }
3816
3817 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3818 {
3819         int err = 0;
3820         u32 perm;
3821         struct nlmsghdr *nlh;
3822         struct socket *sock = sk->sk_socket;
3823         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3824         
3825         if (skb->len < NLMSG_SPACE(0)) {
3826                 err = -EINVAL;
3827                 goto out;
3828         }
3829         nlh = nlmsg_hdr(skb);
3830         
3831         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3832         if (err) {
3833                 if (err == -EINVAL) {
3834                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3835                                   "SELinux:  unrecognized netlink message"
3836                                   " type=%hu for sclass=%hu\n",
3837                                   nlh->nlmsg_type, isec->sclass);
3838                         if (!selinux_enforcing)
3839                                 err = 0;
3840                 }
3841
3842                 /* Ignore */
3843                 if (err == -ENOENT)
3844                         err = 0;
3845                 goto out;
3846         }
3847
3848         err = socket_has_perm(current, sock, perm);
3849 out:
3850         return err;
3851 }
3852
3853 #ifdef CONFIG_NETFILTER
3854
3855 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3856                                             struct avc_audit_data *ad,
3857                                             u16 family, char *addrp, int len)
3858 {
3859         int err = 0;
3860         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3861         struct socket *sock;
3862         struct inode *inode;
3863         struct inode_security_struct *isec;
3864
3865         sock = sk->sk_socket;
3866         if (!sock)
3867                 goto out;
3868
3869         inode = SOCK_INODE(sock);
3870         if (!inode)
3871                 goto out;
3872
3873         isec = inode->i_security;
3874         
3875         err = sel_netif_sids(dev, &if_sid, NULL);
3876         if (err)
3877                 goto out;
3878
3879         switch (isec->sclass) {
3880         case SECCLASS_UDP_SOCKET:
3881                 netif_perm = NETIF__UDP_SEND;
3882                 node_perm = NODE__UDP_SEND;
3883                 send_perm = UDP_SOCKET__SEND_MSG;
3884                 break;
3885         
3886         case SECCLASS_TCP_SOCKET:
3887                 netif_perm = NETIF__TCP_SEND;
3888                 node_perm = NODE__TCP_SEND;
3889                 send_perm = TCP_SOCKET__SEND_MSG;
3890                 break;
3891
3892         case SECCLASS_DCCP_SOCKET:
3893                 netif_perm = NETIF__DCCP_SEND;
3894                 node_perm = NODE__DCCP_SEND;
3895                 send_perm = DCCP_SOCKET__SEND_MSG;
3896                 break;
3897
3898         default:
3899                 netif_perm = NETIF__RAWIP_SEND;
3900                 node_perm = NODE__RAWIP_SEND;
3901                 break;
3902         }
3903
3904         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3905         if (err)
3906                 goto out;
3907                 
3908         err = security_node_sid(family, addrp, len, &node_sid);
3909         if (err)
3910                 goto out;
3911         
3912         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3913         if (err)
3914                 goto out;
3915
3916         if (send_perm) {
3917                 u32 port_sid;
3918                 
3919                 err = security_port_sid(sk->sk_family,
3920                                         sk->sk_type,
3921                                         sk->sk_protocol,
3922                                         ntohs(ad->u.net.dport),
3923                                         &port_sid);
3924                 if (err)
3925                         goto out;
3926
3927                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3928                                    send_perm, ad);
3929         }
3930 out:
3931         return err;
3932 }
3933
3934 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3935                                               struct sk_buff **pskb,
3936                                               const struct net_device *in,
3937                                               const struct net_device *out,
3938                                               int (*okfn)(struct sk_buff *),
3939                                               u16 family)
3940 {
3941         char *addrp;
3942         int len, err = 0;
3943         struct sock *sk;
3944         struct sk_buff *skb = *pskb;
3945         struct avc_audit_data ad;
3946         struct net_device *dev = (struct net_device *)out;
3947         struct sk_security_struct *sksec;
3948         u8 proto;
3949
3950         sk = skb->sk;
3951         if (!sk)
3952                 goto out;
3953
3954         sksec = sk->sk_security;
3955
3956         AVC_AUDIT_DATA_INIT(&ad, NET);
3957         ad.u.net.netif = dev->name;
3958         ad.u.net.family = family;
3959
3960         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
3961         if (err)
3962                 goto out;
3963
3964         if (selinux_compat_net)
3965                 err = selinux_ip_postroute_last_compat(sk, dev, &ad,
3966                                                        family, addrp, len);
3967         else
3968                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3969                                    PACKET__SEND, &ad);
3970
3971         if (err)
3972                 goto out;
3973
3974         err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
3975 out:
3976         return err ? NF_DROP : NF_ACCEPT;
3977 }
3978
3979 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3980                                                 struct sk_buff **pskb,
3981                                                 const struct net_device *in,
3982                                                 const struct net_device *out,
3983                                                 int (*okfn)(struct sk_buff *))
3984 {
3985         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3986 }
3987
3988 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3989
3990 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3991                                                 struct sk_buff **pskb,
3992                                                 const struct net_device *in,
3993                                                 const struct net_device *out,
3994                                                 int (*okfn)(struct sk_buff *))
3995 {
3996         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3997 }
3998
3999 #endif  /* IPV6 */
4000
4001 #endif  /* CONFIG_NETFILTER */
4002
4003 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4004 {
4005         int err;
4006
4007         err = secondary_ops->netlink_send(sk, skb);
4008         if (err)
4009                 return err;
4010
4011         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4012                 err = selinux_nlmsg_perm(sk, skb);
4013
4014         return err;
4015 }
4016
4017 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4018 {
4019         int err;
4020         struct avc_audit_data ad;
4021
4022         err = secondary_ops->netlink_recv(skb, capability);
4023         if (err)
4024                 return err;
4025
4026         AVC_AUDIT_DATA_INIT(&ad, CAP);
4027         ad.u.cap = capability;
4028
4029         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4030                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4031 }
4032
4033 static int ipc_alloc_security(struct task_struct *task,
4034                               struct kern_ipc_perm *perm,
4035                               u16 sclass)
4036 {
4037         struct task_security_struct *tsec = task->security;
4038         struct ipc_security_struct *isec;
4039
4040         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4041         if (!isec)
4042                 return -ENOMEM;
4043
4044         isec->sclass = sclass;
4045         isec->ipc_perm = perm;
4046         isec->sid = tsec->sid;
4047         perm->security = isec;
4048
4049         return 0;
4050 }
4051
4052 static void ipc_free_security(struct kern_ipc_perm *perm)
4053 {
4054         struct ipc_security_struct *isec = perm->security;
4055         perm->security = NULL;
4056         kfree(isec);
4057 }
4058
4059 static int msg_msg_alloc_security(struct msg_msg *msg)
4060 {
4061         struct msg_security_struct *msec;
4062
4063         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4064         if (!msec)
4065                 return -ENOMEM;
4066
4067         msec->msg = msg;
4068         msec->sid = SECINITSID_UNLABELED;
4069         msg->security = msec;
4070
4071         return 0;
4072 }
4073
4074 static void msg_msg_free_security(struct msg_msg *msg)
4075 {
4076         struct msg_security_struct *msec = msg->security;
4077
4078         msg->security = NULL;
4079         kfree(msec);
4080 }
4081
4082 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4083                         u32 perms)
4084 {
4085         struct task_security_struct *tsec;
4086         struct ipc_security_struct *isec;
4087         struct avc_audit_data ad;
4088
4089         tsec = current->security;
4090         isec = ipc_perms->security;
4091
4092         AVC_AUDIT_DATA_INIT(&ad, IPC);
4093         ad.u.ipc_id = ipc_perms->key;
4094
4095         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4096 }
4097
4098 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4099 {
4100         return msg_msg_alloc_security(msg);
4101 }
4102
4103 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4104 {
4105         msg_msg_free_security(msg);
4106 }
4107
4108 /* message queue security operations */
4109 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4110 {
4111         struct task_security_struct *tsec;
4112         struct ipc_security_struct *isec;
4113         struct avc_audit_data ad;
4114         int rc;
4115
4116         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4117         if (rc)
4118                 return rc;
4119
4120         tsec = current->security;
4121         isec = msq->q_perm.security;
4122
4123         AVC_AUDIT_DATA_INIT(&ad, IPC);
4124         ad.u.ipc_id = msq->q_perm.key;
4125
4126         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4127                           MSGQ__CREATE, &ad);
4128         if (rc) {
4129                 ipc_free_security(&msq->q_perm);
4130                 return rc;
4131         }
4132         return 0;
4133 }
4134
4135 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4136 {
4137         ipc_free_security(&msq->q_perm);
4138 }
4139
4140 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4141 {
4142         struct task_security_struct *tsec;
4143         struct ipc_security_struct *isec;
4144         struct avc_audit_data ad;
4145
4146         tsec = current->security;
4147         isec = msq->q_perm.security;
4148
4149         AVC_AUDIT_DATA_INIT(&ad, IPC);
4150         ad.u.ipc_id = msq->q_perm.key;
4151
4152         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4153                             MSGQ__ASSOCIATE, &ad);
4154 }
4155
4156 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4157 {
4158         int err;
4159         int perms;
4160
4161         switch(cmd) {
4162         case IPC_INFO:
4163         case MSG_INFO:
4164                 /* No specific object, just general system-wide information. */
4165                 return task_has_system(current, SYSTEM__IPC_INFO);
4166         case IPC_STAT:
4167         case MSG_STAT:
4168                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4169                 break;
4170         case IPC_SET:
4171                 perms = MSGQ__SETATTR;
4172                 break;
4173         case IPC_RMID:
4174                 perms = MSGQ__DESTROY;
4175                 break;
4176         default:
4177                 return 0;
4178         }
4179
4180         err = ipc_has_perm(&msq->q_perm, perms);
4181         return err;
4182 }
4183
4184 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4185 {
4186         struct task_security_struct *tsec;
4187         struct ipc_security_struct *isec;
4188         struct msg_security_struct *msec;
4189         struct avc_audit_data ad;
4190         int rc;
4191
4192         tsec = current->security;
4193         isec = msq->q_perm.security;
4194         msec = msg->security;
4195
4196         /*
4197          * First time through, need to assign label to the message
4198          */
4199         if (msec->sid == SECINITSID_UNLABELED) {
4200                 /*
4201                  * Compute new sid based on current process and
4202                  * message queue this message will be stored in
4203                  */
4204                 rc = security_transition_sid(tsec->sid,
4205                                              isec->sid,
4206                                              SECCLASS_MSG,
4207                                              &msec->sid);
4208                 if (rc)
4209                         return rc;
4210         }
4211
4212         AVC_AUDIT_DATA_INIT(&ad, IPC);
4213         ad.u.ipc_id = msq->q_perm.key;
4214
4215         /* Can this process write to the queue? */
4216         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4217                           MSGQ__WRITE, &ad);
4218         if (!rc)
4219                 /* Can this process send the message */
4220                 rc = avc_has_perm(tsec->sid, msec->sid,
4221                                   SECCLASS_MSG, MSG__SEND, &ad);
4222         if (!rc)
4223                 /* Can the message be put in the queue? */
4224                 rc = avc_has_perm(msec->sid, isec->sid,
4225                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4226
4227         return rc;
4228 }
4229
4230 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4231                                     struct task_struct *target,
4232                                     long type, int mode)
4233 {
4234         struct task_security_struct *tsec;
4235         struct ipc_security_struct *isec;
4236         struct msg_security_struct *msec;
4237         struct avc_audit_data ad;
4238         int rc;
4239
4240         tsec = target->security;
4241         isec = msq->q_perm.security;
4242         msec = msg->security;
4243
4244         AVC_AUDIT_DATA_INIT(&ad, IPC);
4245         ad.u.ipc_id = msq->q_perm.key;
4246
4247         rc = avc_has_perm(tsec->sid, isec->sid,
4248                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4249         if (!rc)
4250                 rc = avc_has_perm(tsec->sid, msec->sid,
4251                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4252         return rc;
4253 }
4254
4255 /* Shared Memory security operations */
4256 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4257 {
4258         struct task_security_struct *tsec;
4259         struct ipc_security_struct *isec;
4260         struct avc_audit_data ad;
4261         int rc;
4262
4263         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4264         if (rc)
4265                 return rc;
4266
4267         tsec = current->security;
4268         isec = shp->shm_perm.security;
4269
4270         AVC_AUDIT_DATA_INIT(&ad, IPC);
4271         ad.u.ipc_id = shp->shm_perm.key;
4272
4273         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4274                           SHM__CREATE, &ad);
4275         if (rc) {
4276                 ipc_free_security(&shp->shm_perm);
4277                 return rc;
4278         }
4279         return 0;
4280 }
4281
4282 static void selinux_shm_free_security(struct shmid_kernel *shp)
4283 {
4284         ipc_free_security(&shp->shm_perm);
4285 }
4286
4287 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4288 {
4289         struct task_security_struct *tsec;
4290         struct ipc_security_struct *isec;
4291         struct avc_audit_data ad;
4292
4293         tsec = current->security;
4294         isec = shp->shm_perm.security;
4295
4296         AVC_AUDIT_DATA_INIT(&ad, IPC);
4297         ad.u.ipc_id = shp->shm_perm.key;
4298
4299         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4300                             SHM__ASSOCIATE, &ad);
4301 }
4302
4303 /* Note, at this point, shp is locked down */
4304 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4305 {
4306         int perms;
4307         int err;
4308
4309         switch(cmd) {
4310         case IPC_INFO:
4311         case SHM_INFO:
4312                 /* No specific object, just general system-wide information. */
4313                 return task_has_system(current, SYSTEM__IPC_INFO);
4314         case IPC_STAT:
4315         case SHM_STAT:
4316                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4317                 break;
4318         case IPC_SET:
4319                 perms = SHM__SETATTR;
4320                 break;
4321         case SHM_LOCK:
4322         case SHM_UNLOCK:
4323                 perms = SHM__LOCK;
4324                 break;
4325         case IPC_RMID:
4326                 perms = SHM__DESTROY;
4327                 break;
4328         default:
4329                 return 0;
4330         }
4331
4332         err = ipc_has_perm(&shp->shm_perm, perms);
4333         return err;
4334 }
4335
4336 static int selinux_shm_shmat(struct shmid_kernel *shp,
4337                              char __user *shmaddr, int shmflg)
4338 {
4339         u32 perms;
4340         int rc;
4341
4342         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4343         if (rc)
4344                 return rc;
4345
4346         if (shmflg & SHM_RDONLY)
4347                 perms = SHM__READ;
4348         else
4349                 perms = SHM__READ | SHM__WRITE;
4350
4351         return ipc_has_perm(&shp->shm_perm, perms);
4352 }
4353
4354 /* Semaphore security operations */
4355 static int selinux_sem_alloc_security(struct sem_array *sma)
4356 {
4357         struct task_security_struct *tsec;
4358         struct ipc_security_struct *isec;
4359         struct avc_audit_data ad;
4360         int rc;
4361
4362         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4363         if (rc)
4364                 return rc;
4365
4366         tsec = current->security;
4367         isec = sma->sem_perm.security;
4368
4369         AVC_AUDIT_DATA_INIT(&ad, IPC);
4370         ad.u.ipc_id = sma->sem_perm.key;
4371
4372         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4373                           SEM__CREATE, &ad);
4374         if (rc) {
4375                 ipc_free_security(&sma->sem_perm);
4376                 return rc;
4377         }
4378         return 0;
4379 }
4380
4381 static void selinux_sem_free_security(struct sem_array *sma)
4382 {
4383         ipc_free_security(&sma->sem_perm);
4384 }
4385
4386 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4387 {
4388         struct task_security_struct *tsec;
4389         struct ipc_security_struct *isec;
4390         struct avc_audit_data ad;
4391
4392         tsec = current->security;
4393         isec = sma->sem_perm.security;
4394
4395         AVC_AUDIT_DATA_INIT(&ad, IPC);
4396         ad.u.ipc_id = sma->sem_perm.key;
4397
4398         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4399                             SEM__ASSOCIATE, &ad);
4400 }
4401
4402 /* Note, at this point, sma is locked down */
4403 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4404 {
4405         int err;
4406         u32 perms;
4407
4408         switch(cmd) {
4409         case IPC_INFO:
4410         case SEM_INFO:
4411                 /* No specific object, just general system-wide information. */
4412                 return task_has_system(current, SYSTEM__IPC_INFO);
4413         case GETPID:
4414         case GETNCNT:
4415         case GETZCNT:
4416                 perms = SEM__GETATTR;
4417                 break;
4418         case GETVAL:
4419         case GETALL:
4420                 perms = SEM__READ;
4421                 break;
4422         case SETVAL:
4423         case SETALL:
4424                 perms = SEM__WRITE;
4425                 break;
4426         case IPC_RMID:
4427                 perms = SEM__DESTROY;
4428                 break;
4429         case IPC_SET:
4430                 perms = SEM__SETATTR;
4431                 break;
4432         case IPC_STAT:
4433         case SEM_STAT:
4434                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4435                 break;
4436         default:
4437                 return 0;
4438         }
4439
4440         err = ipc_has_perm(&sma->sem_perm, perms);
4441         return err;
4442 }
4443
4444 static int selinux_sem_semop(struct sem_array *sma,
4445                              struct sembuf *sops, unsigned nsops, int alter)
4446 {
4447         u32 perms;
4448
4449         if (alter)
4450                 perms = SEM__READ | SEM__WRITE;
4451         else
4452                 perms = SEM__READ;
4453
4454         return ipc_has_perm(&sma->sem_perm, perms);
4455 }
4456
4457 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4458 {
4459         u32 av = 0;
4460
4461         av = 0;
4462         if (flag & S_IRUGO)
4463                 av |= IPC__UNIX_READ;
4464         if (flag & S_IWUGO)
4465                 av |= IPC__UNIX_WRITE;
4466
4467         if (av == 0)
4468                 return 0;
4469
4470         return ipc_has_perm(ipcp, av);
4471 }
4472
4473 /* module stacking operations */
4474 static int selinux_register_security (const char *name, struct security_operations *ops)
4475 {
4476         if (secondary_ops != original_ops) {
4477                 printk(KERN_ERR "%s:  There is already a secondary security "
4478                        "module registered.\n", __FUNCTION__);
4479                 return -EINVAL;
4480         }
4481
4482         secondary_ops = ops;
4483
4484         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4485                __FUNCTION__,
4486                name);
4487
4488         return 0;
4489 }
4490
4491 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4492 {
4493         if (ops != secondary_ops) {
4494                 printk(KERN_ERR "%s:  trying to unregister a security module "
4495                         "that is not registered.\n", __FUNCTION__);
4496                 return -EINVAL;
4497         }
4498
4499         secondary_ops = original_ops;
4500
4501         return 0;
4502 }
4503
4504 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4505 {
4506         if (inode)
4507                 inode_doinit_with_dentry(inode, dentry);
4508 }
4509
4510 static int selinux_getprocattr(struct task_struct *p,
4511                                char *name, char **value)
4512 {
4513         struct task_security_struct *tsec;
4514         u32 sid;
4515         int error;
4516         unsigned len;
4517
4518         if (current != p) {
4519                 error = task_has_perm(current, p, PROCESS__GETATTR);
4520                 if (error)
4521                         return error;
4522         }
4523
4524         tsec = p->security;
4525
4526         if (!strcmp(name, "current"))
4527                 sid = tsec->sid;
4528         else if (!strcmp(name, "prev"))
4529                 sid = tsec->osid;
4530         else if (!strcmp(name, "exec"))
4531                 sid = tsec->exec_sid;
4532         else if (!strcmp(name, "fscreate"))
4533                 sid = tsec->create_sid;
4534         else if (!strcmp(name, "keycreate"))
4535                 sid = tsec->keycreate_sid;
4536         else if (!strcmp(name, "sockcreate"))
4537                 sid = tsec->sockcreate_sid;
4538         else
4539                 return -EINVAL;
4540
4541         if (!sid)
4542                 return 0;
4543
4544         error = security_sid_to_context(sid, value, &len);
4545         if (error)
4546                 return error;
4547         return len;
4548 }
4549
4550 static int selinux_setprocattr(struct task_struct *p,
4551                                char *name, void *value, size_t size)
4552 {
4553         struct task_security_struct *tsec;
4554         u32 sid = 0;
4555         int error;
4556         char *str = value;
4557
4558         if (current != p) {
4559                 /* SELinux only allows a process to change its own
4560                    security attributes. */
4561                 return -EACCES;
4562         }
4563
4564         /*
4565          * Basic control over ability to set these attributes at all.
4566          * current == p, but we'll pass them separately in case the
4567          * above restriction is ever removed.
4568          */
4569         if (!strcmp(name, "exec"))
4570                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4571         else if (!strcmp(name, "fscreate"))
4572                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4573         else if (!strcmp(name, "keycreate"))
4574                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4575         else if (!strcmp(name, "sockcreate"))
4576                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4577         else if (!strcmp(name, "current"))
4578                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4579         else
4580                 error = -EINVAL;
4581         if (error)
4582                 return error;
4583
4584         /* Obtain a SID for the context, if one was specified. */
4585         if (size && str[1] && str[1] != '\n') {
4586                 if (str[size-1] == '\n') {
4587                         str[size-1] = 0;
4588                         size--;
4589                 }
4590                 error = security_context_to_sid(value, size, &sid);
4591                 if (error)
4592                         return error;
4593         }
4594
4595         /* Permission checking based on the specified context is
4596            performed during the actual operation (execve,
4597            open/mkdir/...), when we know the full context of the
4598            operation.  See selinux_bprm_set_security for the execve
4599            checks and may_create for the file creation checks. The
4600            operation will then fail if the context is not permitted. */
4601         tsec = p->security;
4602         if (!strcmp(name, "exec"))
4603                 tsec->exec_sid = sid;
4604         else if (!strcmp(name, "fscreate"))
4605                 tsec->create_sid = sid;
4606         else if (!strcmp(name, "keycreate")) {
4607                 error = may_create_key(sid, p);
4608                 if (error)
4609                         return error;
4610                 tsec->keycreate_sid = sid;
4611         } else if (!strcmp(name, "sockcreate"))
4612                 tsec->sockcreate_sid = sid;
4613         else if (!strcmp(name, "current")) {
4614                 struct av_decision avd;
4615
4616                 if (sid == 0)
4617                         return -EINVAL;
4618
4619                 /* Only allow single threaded processes to change context */
4620                 if (atomic_read(&p->mm->mm_users) != 1) {
4621                         struct task_struct *g, *t;
4622                         struct mm_struct *mm = p->mm;
4623                         read_lock(&tasklist_lock);
4624                         do_each_thread(g, t)
4625                                 if (t->mm == mm && t != p) {
4626                                         read_unlock(&tasklist_lock);
4627                                         return -EPERM;
4628                                 }
4629                         while_each_thread(g, t);
4630                         read_unlock(&tasklist_lock);
4631                 }
4632
4633                 /* Check permissions for the transition. */
4634                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4635                                      PROCESS__DYNTRANSITION, NULL);
4636                 if (error)
4637                         return error;
4638
4639                 /* Check for ptracing, and update the task SID if ok.
4640                    Otherwise, leave SID unchanged and fail. */
4641                 task_lock(p);
4642                 if (p->ptrace & PT_PTRACED) {
4643                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4644                                                      SECCLASS_PROCESS,
4645                                                      PROCESS__PTRACE, 0, &avd);
4646                         if (!error)
4647                                 tsec->sid = sid;
4648                         task_unlock(p);
4649                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4650                                   PROCESS__PTRACE, &avd, error, NULL);
4651                         if (error)
4652                                 return error;
4653                 } else {
4654                         tsec->sid = sid;
4655                         task_unlock(p);
4656                 }
4657         }
4658         else
4659                 return -EINVAL;
4660
4661         return size;
4662 }
4663
4664 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4665 {
4666         return security_sid_to_context(secid, secdata, seclen);
4667 }
4668
4669 static void selinux_release_secctx(char *secdata, u32 seclen)
4670 {
4671         kfree(secdata);
4672 }
4673
4674 #ifdef CONFIG_KEYS
4675
4676 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4677                              unsigned long flags)
4678 {
4679         struct task_security_struct *tsec = tsk->security;
4680         struct key_security_struct *ksec;
4681
4682         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4683         if (!ksec)
4684                 return -ENOMEM;
4685
4686         ksec->obj = k;
4687         if (tsec->keycreate_sid)
4688                 ksec->sid = tsec->keycreate_sid;
4689         else
4690                 ksec->sid = tsec->sid;
4691         k->security = ksec;
4692
4693         return 0;
4694 }
4695
4696 static void selinux_key_free(struct key *k)
4697 {
4698         struct key_security_struct *ksec = k->security;
4699
4700         k->security = NULL;
4701         kfree(ksec);
4702 }
4703
4704 static int selinux_key_permission(key_ref_t key_ref,
4705                             struct task_struct *ctx,
4706                             key_perm_t perm)
4707 {
4708         struct key *key;
4709         struct task_security_struct *tsec;
4710         struct key_security_struct *ksec;
4711
4712         key = key_ref_to_ptr(key_ref);
4713
4714         tsec = ctx->security;
4715         ksec = key->security;
4716
4717         /* if no specific permissions are requested, we skip the
4718            permission check. No serious, additional covert channels
4719            appear to be created. */
4720         if (perm == 0)
4721                 return 0;
4722
4723         return avc_has_perm(tsec->sid, ksec->sid,
4724                             SECCLASS_KEY, perm, NULL);
4725 }
4726
4727 #endif
4728
4729 static struct security_operations selinux_ops = {
4730         .ptrace =                       selinux_ptrace,
4731         .capget =                       selinux_capget,
4732         .capset_check =                 selinux_capset_check,
4733         .capset_set =                   selinux_capset_set,
4734         .sysctl =                       selinux_sysctl,
4735         .capable =                      selinux_capable,
4736         .quotactl =                     selinux_quotactl,
4737         .quota_on =                     selinux_quota_on,
4738         .syslog =                       selinux_syslog,
4739         .vm_enough_memory =             selinux_vm_enough_memory,
4740
4741         .netlink_send =                 selinux_netlink_send,
4742         .netlink_recv =                 selinux_netlink_recv,
4743
4744         .bprm_alloc_security =          selinux_bprm_alloc_security,
4745         .bprm_free_security =           selinux_bprm_free_security,
4746         .bprm_apply_creds =             selinux_bprm_apply_creds,
4747         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4748         .bprm_set_security =            selinux_bprm_set_security,
4749         .bprm_check_security =          selinux_bprm_check_security,
4750         .bprm_secureexec =              selinux_bprm_secureexec,
4751
4752         .sb_alloc_security =            selinux_sb_alloc_security,
4753         .sb_free_security =             selinux_sb_free_security,
4754         .sb_copy_data =                 selinux_sb_copy_data,
4755         .sb_kern_mount =                selinux_sb_kern_mount,
4756         .sb_statfs =                    selinux_sb_statfs,
4757         .sb_mount =                     selinux_mount,
4758         .sb_umount =                    selinux_umount,
4759
4760         .inode_alloc_security =         selinux_inode_alloc_security,
4761         .inode_free_security =          selinux_inode_free_security,
4762         .inode_init_security =          selinux_inode_init_security,
4763         .inode_create =                 selinux_inode_create,
4764         .inode_link =                   selinux_inode_link,
4765         .inode_unlink =                 selinux_inode_unlink,
4766         .inode_symlink =                selinux_inode_symlink,
4767         .inode_mkdir =                  selinux_inode_mkdir,
4768         .inode_rmdir =                  selinux_inode_rmdir,
4769         .inode_mknod =                  selinux_inode_mknod,
4770         .inode_rename =                 selinux_inode_rename,
4771         .inode_readlink =               selinux_inode_readlink,
4772         .inode_follow_link =            selinux_inode_follow_link,
4773         .inode_permission =             selinux_inode_permission,
4774         .inode_setattr =                selinux_inode_setattr,
4775         .inode_getattr =                selinux_inode_getattr,
4776         .inode_setxattr =               selinux_inode_setxattr,
4777         .inode_post_setxattr =          selinux_inode_post_setxattr,
4778         .inode_getxattr =               selinux_inode_getxattr,
4779         .inode_listxattr =              selinux_inode_listxattr,
4780         .inode_removexattr =            selinux_inode_removexattr,
4781         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4782         .inode_getsecurity =            selinux_inode_getsecurity,
4783         .inode_setsecurity =            selinux_inode_setsecurity,
4784         .inode_listsecurity =           selinux_inode_listsecurity,
4785
4786         .file_permission =              selinux_file_permission,
4787         .file_alloc_security =          selinux_file_alloc_security,
4788         .file_free_security =           selinux_file_free_security,
4789         .file_ioctl =                   selinux_file_ioctl,
4790         .file_mmap =                    selinux_file_mmap,
4791         .file_mprotect =                selinux_file_mprotect,
4792         .file_lock =                    selinux_file_lock,
4793         .file_fcntl =                   selinux_file_fcntl,
4794         .file_set_fowner =              selinux_file_set_fowner,
4795         .file_send_sigiotask =          selinux_file_send_sigiotask,
4796         .file_receive =                 selinux_file_receive,
4797
4798         .task_create =                  selinux_task_create,
4799         .task_alloc_security =          selinux_task_alloc_security,
4800         .task_free_security =           selinux_task_free_security,
4801         .task_setuid =                  selinux_task_setuid,
4802         .task_post_setuid =             selinux_task_post_setuid,
4803         .task_setgid =                  selinux_task_setgid,
4804         .task_setpgid =                 selinux_task_setpgid,
4805         .task_getpgid =                 selinux_task_getpgid,
4806         .task_getsid =                  selinux_task_getsid,
4807         .task_getsecid =                selinux_task_getsecid,
4808         .task_setgroups =               selinux_task_setgroups,
4809         .task_setnice =                 selinux_task_setnice,
4810         .task_setioprio =               selinux_task_setioprio,
4811         .task_getioprio =               selinux_task_getioprio,
4812         .task_setrlimit =               selinux_task_setrlimit,
4813         .task_setscheduler =            selinux_task_setscheduler,
4814         .task_getscheduler =            selinux_task_getscheduler,
4815         .task_movememory =              selinux_task_movememory,
4816         .task_kill =                    selinux_task_kill,
4817         .task_wait =                    selinux_task_wait,
4818         .task_prctl =                   selinux_task_prctl,
4819         .task_reparent_to_init =        selinux_task_reparent_to_init,
4820         .task_to_inode =                selinux_task_to_inode,
4821
4822         .ipc_permission =               selinux_ipc_permission,
4823
4824         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4825         .msg_msg_free_security =        selinux_msg_msg_free_security,
4826
4827         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4828         .msg_queue_free_security =      selinux_msg_queue_free_security,
4829         .msg_queue_associate =          selinux_msg_queue_associate,
4830         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4831         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4832         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4833
4834         .shm_alloc_security =           selinux_shm_alloc_security,
4835         .shm_free_security =            selinux_shm_free_security,
4836         .shm_associate =                selinux_shm_associate,
4837         .shm_shmctl =                   selinux_shm_shmctl,
4838         .shm_shmat =                    selinux_shm_shmat,
4839
4840         .sem_alloc_security =           selinux_sem_alloc_security,
4841         .sem_free_security =            selinux_sem_free_security,
4842         .sem_associate =                selinux_sem_associate,
4843         .sem_semctl =                   selinux_sem_semctl,
4844         .sem_semop =                    selinux_sem_semop,
4845
4846         .register_security =            selinux_register_security,
4847         .unregister_security =          selinux_unregister_security,
4848
4849         .d_instantiate =                selinux_d_instantiate,
4850
4851         .getprocattr =                  selinux_getprocattr,
4852         .setprocattr =                  selinux_setprocattr,
4853
4854         .secid_to_secctx =              selinux_secid_to_secctx,
4855         .release_secctx =               selinux_release_secctx,
4856
4857         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4858         .unix_may_send =                selinux_socket_unix_may_send,
4859
4860         .socket_create =                selinux_socket_create,
4861         .socket_post_create =           selinux_socket_post_create,
4862         .socket_bind =                  selinux_socket_bind,
4863         .socket_connect =               selinux_socket_connect,
4864         .socket_listen =                selinux_socket_listen,
4865         .socket_accept =                selinux_socket_accept,
4866         .socket_sendmsg =               selinux_socket_sendmsg,
4867         .socket_recvmsg =               selinux_socket_recvmsg,
4868         .socket_getsockname =           selinux_socket_getsockname,
4869         .socket_getpeername =           selinux_socket_getpeername,
4870         .socket_getsockopt =            selinux_socket_getsockopt,
4871         .socket_setsockopt =            selinux_socket_setsockopt,
4872         .socket_shutdown =              selinux_socket_shutdown,
4873         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4874         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4875         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4876         .sk_alloc_security =            selinux_sk_alloc_security,
4877         .sk_free_security =             selinux_sk_free_security,
4878         .sk_clone_security =            selinux_sk_clone_security,
4879         .sk_getsecid =                  selinux_sk_getsecid,
4880         .sock_graft =                   selinux_sock_graft,
4881         .inet_conn_request =            selinux_inet_conn_request,
4882         .inet_csk_clone =               selinux_inet_csk_clone,
4883         .inet_conn_established =        selinux_inet_conn_established,
4884         .req_classify_flow =            selinux_req_classify_flow,
4885
4886 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4887         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4888         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4889         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4890         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4891         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4892         .xfrm_state_free_security =     selinux_xfrm_state_free,
4893         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4894         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4895         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
4896         .xfrm_decode_session =          selinux_xfrm_decode_session,
4897 #endif
4898
4899 #ifdef CONFIG_KEYS
4900         .key_alloc =                    selinux_key_alloc,
4901         .key_free =                     selinux_key_free,
4902         .key_permission =               selinux_key_permission,
4903 #endif
4904 };
4905
4906 static __init int selinux_init(void)
4907 {
4908         struct task_security_struct *tsec;
4909
4910         if (!selinux_enabled) {
4911                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4912                 return 0;
4913         }
4914
4915         printk(KERN_INFO "SELinux:  Initializing.\n");
4916
4917         /* Set the security state for the initial task. */
4918         if (task_alloc_security(current))
4919                 panic("SELinux:  Failed to initialize initial task.\n");
4920         tsec = current->security;
4921         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4922
4923         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4924                                             sizeof(struct inode_security_struct),
4925                                             0, SLAB_PANIC, NULL);
4926         avc_init();
4927
4928         original_ops = secondary_ops = security_ops;
4929         if (!secondary_ops)
4930                 panic ("SELinux: No initial security operations\n");
4931         if (register_security (&selinux_ops))
4932                 panic("SELinux: Unable to register with kernel.\n");
4933
4934         if (selinux_enforcing) {
4935                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
4936         } else {
4937                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
4938         }
4939
4940 #ifdef CONFIG_KEYS
4941         /* Add security information to initial keyrings */
4942         selinux_key_alloc(&root_user_keyring, current,
4943                           KEY_ALLOC_NOT_IN_QUOTA);
4944         selinux_key_alloc(&root_session_keyring, current,
4945                           KEY_ALLOC_NOT_IN_QUOTA);
4946 #endif
4947
4948         return 0;
4949 }
4950
4951 void selinux_complete_init(void)
4952 {
4953         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
4954
4955         /* Set up any superblocks initialized prior to the policy load. */
4956         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
4957         spin_lock(&sb_lock);
4958         spin_lock(&sb_security_lock);
4959 next_sb:
4960         if (!list_empty(&superblock_security_head)) {
4961                 struct superblock_security_struct *sbsec =
4962                                 list_entry(superblock_security_head.next,
4963                                            struct superblock_security_struct,
4964                                            list);
4965                 struct super_block *sb = sbsec->sb;
4966                 sb->s_count++;
4967                 spin_unlock(&sb_security_lock);
4968                 spin_unlock(&sb_lock);
4969                 down_read(&sb->s_umount);
4970                 if (sb->s_root)
4971                         superblock_doinit(sb, NULL);
4972                 drop_super(sb);
4973                 spin_lock(&sb_lock);
4974                 spin_lock(&sb_security_lock);
4975                 list_del_init(&sbsec->list);
4976                 goto next_sb;
4977         }
4978         spin_unlock(&sb_security_lock);
4979         spin_unlock(&sb_lock);
4980 }
4981
4982 /* SELinux requires early initialization in order to label
4983    all processes and objects when they are created. */
4984 security_initcall(selinux_init);
4985
4986 #if defined(CONFIG_NETFILTER)
4987
4988 static struct nf_hook_ops selinux_ipv4_op = {
4989         .hook =         selinux_ipv4_postroute_last,
4990         .owner =        THIS_MODULE,
4991         .pf =           PF_INET,
4992         .hooknum =      NF_IP_POST_ROUTING,
4993         .priority =     NF_IP_PRI_SELINUX_LAST,
4994 };
4995
4996 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4997
4998 static struct nf_hook_ops selinux_ipv6_op = {
4999         .hook =         selinux_ipv6_postroute_last,
5000         .owner =        THIS_MODULE,
5001         .pf =           PF_INET6,
5002         .hooknum =      NF_IP6_POST_ROUTING,
5003         .priority =     NF_IP6_PRI_SELINUX_LAST,
5004 };
5005
5006 #endif  /* IPV6 */
5007
5008 static int __init selinux_nf_ip_init(void)
5009 {
5010         int err = 0;
5011
5012         if (!selinux_enabled)
5013                 goto out;
5014
5015         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5016
5017         err = nf_register_hook(&selinux_ipv4_op);
5018         if (err)
5019                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
5020
5021 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5022
5023         err = nf_register_hook(&selinux_ipv6_op);
5024         if (err)
5025                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
5026
5027 #endif  /* IPV6 */
5028
5029 out:
5030         return err;
5031 }
5032
5033 __initcall(selinux_nf_ip_init);
5034
5035 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5036 static void selinux_nf_ip_exit(void)
5037 {
5038         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5039
5040         nf_unregister_hook(&selinux_ipv4_op);
5041 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5042         nf_unregister_hook(&selinux_ipv6_op);
5043 #endif  /* IPV6 */
5044 }
5045 #endif
5046
5047 #else /* CONFIG_NETFILTER */
5048
5049 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5050 #define selinux_nf_ip_exit()
5051 #endif
5052
5053 #endif /* CONFIG_NETFILTER */
5054
5055 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5056 int selinux_disable(void)
5057 {
5058         extern void exit_sel_fs(void);
5059         static int selinux_disabled = 0;
5060
5061         if (ss_initialized) {
5062                 /* Not permitted after initial policy load. */
5063                 return -EINVAL;
5064         }
5065
5066         if (selinux_disabled) {
5067                 /* Only do this once. */
5068                 return -EINVAL;
5069         }
5070
5071         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5072
5073         selinux_disabled = 1;
5074         selinux_enabled = 0;
5075
5076         /* Reset security_ops to the secondary module, dummy or capability. */
5077         security_ops = secondary_ops;
5078
5079         /* Unregister netfilter hooks. */
5080         selinux_nf_ip_exit();
5081
5082         /* Unregister selinuxfs. */
5083         exit_sel_fs();
5084
5085         return 0;
5086 }
5087 #endif
5088
5089