keys: don't generate user and user session keyrings unless they're accessed
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *              Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "netport.h"
84 #include "xfrm.h"
85 #include "netlabel.h"
86 #include "audit.h"
87
88 #define XATTR_SELINUX_SUFFIX "selinux"
89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90
91 #define NUM_SEL_MNT_OPTS 4
92
93 extern unsigned int policydb_loaded_version;
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern int selinux_compat_net;
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         selinux_enforcing = simple_strtol(str, NULL, 0);
107         return 1;
108 }
109 __setup("enforcing=", enforcing_setup);
110 #endif
111
112 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
113 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
114
115 static int __init selinux_enabled_setup(char *str)
116 {
117         selinux_enabled = simple_strtol(str, NULL, 0);
118         return 1;
119 }
120 __setup("selinux=", selinux_enabled_setup);
121 #else
122 int selinux_enabled = 1;
123 #endif
124
125 /* Original (dummy) security module. */
126 static struct security_operations *original_ops;
127
128 /* Minimal support for a secondary security module,
129    just to allow the use of the dummy or capability modules.
130    The owlsm module can alternatively be used as a secondary
131    module as long as CONFIG_OWLSM_FD is not enabled. */
132 static struct security_operations *secondary_ops;
133
134 /* Lists of inode and superblock security structures initialized
135    before the policy was loaded. */
136 static LIST_HEAD(superblock_security_head);
137 static DEFINE_SPINLOCK(sb_security_lock);
138
139 static struct kmem_cache *sel_inode_cache;
140
141 /**
142  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143  *
144  * Description:
145  * This function checks the SECMARK reference counter to see if any SECMARK
146  * targets are currently configured, if the reference counter is greater than
147  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
148  * enabled, false (0) if SECMARK is disabled.
149  *
150  */
151 static int selinux_secmark_enabled(void)
152 {
153         return (atomic_read(&selinux_secmark_refcount) > 0);
154 }
155
156 /* Allocate and free functions for each kind of security blob. */
157
158 static int task_alloc_security(struct task_struct *task)
159 {
160         struct task_security_struct *tsec;
161
162         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
163         if (!tsec)
164                 return -ENOMEM;
165
166         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
167         task->security = tsec;
168
169         return 0;
170 }
171
172 static void task_free_security(struct task_struct *task)
173 {
174         struct task_security_struct *tsec = task->security;
175         task->security = NULL;
176         kfree(tsec);
177 }
178
179 static int inode_alloc_security(struct inode *inode)
180 {
181         struct task_security_struct *tsec = current->security;
182         struct inode_security_struct *isec;
183
184         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
185         if (!isec)
186                 return -ENOMEM;
187
188         mutex_init(&isec->lock);
189         INIT_LIST_HEAD(&isec->list);
190         isec->inode = inode;
191         isec->sid = SECINITSID_UNLABELED;
192         isec->sclass = SECCLASS_FILE;
193         isec->task_sid = tsec->sid;
194         inode->i_security = isec;
195
196         return 0;
197 }
198
199 static void inode_free_security(struct inode *inode)
200 {
201         struct inode_security_struct *isec = inode->i_security;
202         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203
204         spin_lock(&sbsec->isec_lock);
205         if (!list_empty(&isec->list))
206                 list_del_init(&isec->list);
207         spin_unlock(&sbsec->isec_lock);
208
209         inode->i_security = NULL;
210         kmem_cache_free(sel_inode_cache, isec);
211 }
212
213 static int file_alloc_security(struct file *file)
214 {
215         struct task_security_struct *tsec = current->security;
216         struct file_security_struct *fsec;
217
218         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
219         if (!fsec)
220                 return -ENOMEM;
221
222         fsec->sid = tsec->sid;
223         fsec->fown_sid = tsec->sid;
224         file->f_security = fsec;
225
226         return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231         struct file_security_struct *fsec = file->f_security;
232         file->f_security = NULL;
233         kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238         struct superblock_security_struct *sbsec;
239
240         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241         if (!sbsec)
242                 return -ENOMEM;
243
244         mutex_init(&sbsec->lock);
245         INIT_LIST_HEAD(&sbsec->list);
246         INIT_LIST_HEAD(&sbsec->isec_head);
247         spin_lock_init(&sbsec->isec_lock);
248         sbsec->sb = sb;
249         sbsec->sid = SECINITSID_UNLABELED;
250         sbsec->def_sid = SECINITSID_FILE;
251         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252         sb->s_security = sbsec;
253
254         return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec = sb->s_security;
260
261         spin_lock(&sb_security_lock);
262         if (!list_empty(&sbsec->list))
263                 list_del_init(&sbsec->list);
264         spin_unlock(&sb_security_lock);
265
266         sb->s_security = NULL;
267         kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272         struct sk_security_struct *ssec;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->peer_sid = SECINITSID_UNLABELED;
279         ssec->sid = SECINITSID_UNLABELED;
280         sk->sk_security = ssec;
281
282         selinux_netlbl_sk_security_reset(ssec, family);
283
284         return 0;
285 }
286
287 static void sk_free_security(struct sock *sk)
288 {
289         struct sk_security_struct *ssec = sk->sk_security;
290
291         sk->sk_security = NULL;
292         kfree(ssec);
293 }
294
295 /* The security server must be initialized before
296    any labeling or access decisions can be provided. */
297 extern int ss_initialized;
298
299 /* The file system's label must be initialized prior to use. */
300
301 static char *labeling_behaviors[6] = {
302         "uses xattr",
303         "uses transition SIDs",
304         "uses task SIDs",
305         "uses genfs_contexts",
306         "not configured for labeling",
307         "uses mountpoint labeling",
308 };
309
310 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
311
312 static inline int inode_doinit(struct inode *inode)
313 {
314         return inode_doinit_with_dentry(inode, NULL);
315 }
316
317 enum {
318         Opt_error = -1,
319         Opt_context = 1,
320         Opt_fscontext = 2,
321         Opt_defcontext = 3,
322         Opt_rootcontext = 4,
323 };
324
325 static match_table_t tokens = {
326         {Opt_context, CONTEXT_STR "%s"},
327         {Opt_fscontext, FSCONTEXT_STR "%s"},
328         {Opt_defcontext, DEFCONTEXT_STR "%s"},
329         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
330         {Opt_error, NULL},
331 };
332
333 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
334
335 static int may_context_mount_sb_relabel(u32 sid,
336                         struct superblock_security_struct *sbsec,
337                         struct task_security_struct *tsec)
338 {
339         int rc;
340
341         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
342                           FILESYSTEM__RELABELFROM, NULL);
343         if (rc)
344                 return rc;
345
346         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
347                           FILESYSTEM__RELABELTO, NULL);
348         return rc;
349 }
350
351 static int may_context_mount_inode_relabel(u32 sid,
352                         struct superblock_security_struct *sbsec,
353                         struct task_security_struct *tsec)
354 {
355         int rc;
356         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
357                           FILESYSTEM__RELABELFROM, NULL);
358         if (rc)
359                 return rc;
360
361         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
362                           FILESYSTEM__ASSOCIATE, NULL);
363         return rc;
364 }
365
366 static int sb_finish_set_opts(struct super_block *sb)
367 {
368         struct superblock_security_struct *sbsec = sb->s_security;
369         struct dentry *root = sb->s_root;
370         struct inode *root_inode = root->d_inode;
371         int rc = 0;
372
373         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
374                 /* Make sure that the xattr handler exists and that no
375                    error other than -ENODATA is returned by getxattr on
376                    the root directory.  -ENODATA is ok, as this may be
377                    the first boot of the SELinux kernel before we have
378                    assigned xattr values to the filesystem. */
379                 if (!root_inode->i_op->getxattr) {
380                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
381                                "xattr support\n", sb->s_id, sb->s_type->name);
382                         rc = -EOPNOTSUPP;
383                         goto out;
384                 }
385                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
386                 if (rc < 0 && rc != -ENODATA) {
387                         if (rc == -EOPNOTSUPP)
388                                 printk(KERN_WARNING "SELinux: (dev %s, type "
389                                        "%s) has no security xattr handler\n",
390                                        sb->s_id, sb->s_type->name);
391                         else
392                                 printk(KERN_WARNING "SELinux: (dev %s, type "
393                                        "%s) getxattr errno %d\n", sb->s_id,
394                                        sb->s_type->name, -rc);
395                         goto out;
396                 }
397         }
398
399         sbsec->initialized = 1;
400
401         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
402                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
403                        sb->s_id, sb->s_type->name);
404         else
405                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
406                        sb->s_id, sb->s_type->name,
407                        labeling_behaviors[sbsec->behavior-1]);
408
409         /* Initialize the root inode. */
410         rc = inode_doinit_with_dentry(root_inode, root);
411
412         /* Initialize any other inodes associated with the superblock, e.g.
413            inodes created prior to initial policy load or inodes created
414            during get_sb by a pseudo filesystem that directly
415            populates itself. */
416         spin_lock(&sbsec->isec_lock);
417 next_inode:
418         if (!list_empty(&sbsec->isec_head)) {
419                 struct inode_security_struct *isec =
420                                 list_entry(sbsec->isec_head.next,
421                                            struct inode_security_struct, list);
422                 struct inode *inode = isec->inode;
423                 spin_unlock(&sbsec->isec_lock);
424                 inode = igrab(inode);
425                 if (inode) {
426                         if (!IS_PRIVATE(inode))
427                                 inode_doinit(inode);
428                         iput(inode);
429                 }
430                 spin_lock(&sbsec->isec_lock);
431                 list_del_init(&isec->list);
432                 goto next_inode;
433         }
434         spin_unlock(&sbsec->isec_lock);
435 out:
436         return rc;
437 }
438
439 /*
440  * This function should allow an FS to ask what it's mount security
441  * options were so it can use those later for submounts, displaying
442  * mount options, or whatever.
443  */
444 static int selinux_get_mnt_opts(const struct super_block *sb,
445                                 struct security_mnt_opts *opts)
446 {
447         int rc = 0, i;
448         struct superblock_security_struct *sbsec = sb->s_security;
449         char *context = NULL;
450         u32 len;
451         char tmp;
452
453         security_init_mnt_opts(opts);
454
455         if (!sbsec->initialized)
456                 return -EINVAL;
457
458         if (!ss_initialized)
459                 return -EINVAL;
460
461         /*
462          * if we ever use sbsec flags for anything other than tracking mount
463          * settings this is going to need a mask
464          */
465         tmp = sbsec->flags;
466         /* count the number of mount options for this sb */
467         for (i = 0; i < 8; i++) {
468                 if (tmp & 0x01)
469                         opts->num_mnt_opts++;
470                 tmp >>= 1;
471         }
472
473         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
474         if (!opts->mnt_opts) {
475                 rc = -ENOMEM;
476                 goto out_free;
477         }
478
479         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
480         if (!opts->mnt_opts_flags) {
481                 rc = -ENOMEM;
482                 goto out_free;
483         }
484
485         i = 0;
486         if (sbsec->flags & FSCONTEXT_MNT) {
487                 rc = security_sid_to_context(sbsec->sid, &context, &len);
488                 if (rc)
489                         goto out_free;
490                 opts->mnt_opts[i] = context;
491                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
492         }
493         if (sbsec->flags & CONTEXT_MNT) {
494                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
495                 if (rc)
496                         goto out_free;
497                 opts->mnt_opts[i] = context;
498                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
499         }
500         if (sbsec->flags & DEFCONTEXT_MNT) {
501                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
502                 if (rc)
503                         goto out_free;
504                 opts->mnt_opts[i] = context;
505                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
506         }
507         if (sbsec->flags & ROOTCONTEXT_MNT) {
508                 struct inode *root = sbsec->sb->s_root->d_inode;
509                 struct inode_security_struct *isec = root->i_security;
510
511                 rc = security_sid_to_context(isec->sid, &context, &len);
512                 if (rc)
513                         goto out_free;
514                 opts->mnt_opts[i] = context;
515                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
516         }
517
518         BUG_ON(i != opts->num_mnt_opts);
519
520         return 0;
521
522 out_free:
523         security_free_mnt_opts(opts);
524         return rc;
525 }
526
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528                       u32 old_sid, u32 new_sid)
529 {
530         /* check if the old mount command had the same options */
531         if (sbsec->initialized)
532                 if (!(sbsec->flags & flag) ||
533                     (old_sid != new_sid))
534                         return 1;
535
536         /* check if we were passed the same options twice,
537          * aka someone passed context=a,context=b
538          */
539         if (!sbsec->initialized)
540                 if (sbsec->flags & flag)
541                         return 1;
542         return 0;
543 }
544
545 /*
546  * Allow filesystems with binary mount data to explicitly set mount point
547  * labeling information.
548  */
549 static int selinux_set_mnt_opts(struct super_block *sb,
550                                 struct security_mnt_opts *opts)
551 {
552         int rc = 0, i;
553         struct task_security_struct *tsec = current->security;
554         struct superblock_security_struct *sbsec = sb->s_security;
555         const char *name = sb->s_type->name;
556         struct inode *inode = sbsec->sb->s_root->d_inode;
557         struct inode_security_struct *root_isec = inode->i_security;
558         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
559         u32 defcontext_sid = 0;
560         char **mount_options = opts->mnt_opts;
561         int *flags = opts->mnt_opts_flags;
562         int num_opts = opts->num_mnt_opts;
563
564         mutex_lock(&sbsec->lock);
565
566         if (!ss_initialized) {
567                 if (!num_opts) {
568                         /* Defer initialization until selinux_complete_init,
569                            after the initial policy is loaded and the security
570                            server is ready to handle calls. */
571                         spin_lock(&sb_security_lock);
572                         if (list_empty(&sbsec->list))
573                                 list_add(&sbsec->list, &superblock_security_head);
574                         spin_unlock(&sb_security_lock);
575                         goto out;
576                 }
577                 rc = -EINVAL;
578                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
579                         "before the security server is initialized\n");
580                 goto out;
581         }
582
583         /*
584          * Binary mount data FS will come through this function twice.  Once
585          * from an explicit call and once from the generic calls from the vfs.
586          * Since the generic VFS calls will not contain any security mount data
587          * we need to skip the double mount verification.
588          *
589          * This does open a hole in which we will not notice if the first
590          * mount using this sb set explict options and a second mount using
591          * this sb does not set any security options.  (The first options
592          * will be used for both mounts)
593          */
594         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
595             && (num_opts == 0))
596                 goto out;
597
598         /*
599          * parse the mount options, check if they are valid sids.
600          * also check if someone is trying to mount the same sb more
601          * than once with different security options.
602          */
603         for (i = 0; i < num_opts; i++) {
604                 u32 sid;
605                 rc = security_context_to_sid(mount_options[i],
606                                              strlen(mount_options[i]), &sid);
607                 if (rc) {
608                         printk(KERN_WARNING "SELinux: security_context_to_sid"
609                                "(%s) failed for (dev %s, type %s) errno=%d\n",
610                                mount_options[i], sb->s_id, name, rc);
611                         goto out;
612                 }
613                 switch (flags[i]) {
614                 case FSCONTEXT_MNT:
615                         fscontext_sid = sid;
616
617                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
618                                         fscontext_sid))
619                                 goto out_double_mount;
620
621                         sbsec->flags |= FSCONTEXT_MNT;
622                         break;
623                 case CONTEXT_MNT:
624                         context_sid = sid;
625
626                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
627                                         context_sid))
628                                 goto out_double_mount;
629
630                         sbsec->flags |= CONTEXT_MNT;
631                         break;
632                 case ROOTCONTEXT_MNT:
633                         rootcontext_sid = sid;
634
635                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
636                                         rootcontext_sid))
637                                 goto out_double_mount;
638
639                         sbsec->flags |= ROOTCONTEXT_MNT;
640
641                         break;
642                 case DEFCONTEXT_MNT:
643                         defcontext_sid = sid;
644
645                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
646                                         defcontext_sid))
647                                 goto out_double_mount;
648
649                         sbsec->flags |= DEFCONTEXT_MNT;
650
651                         break;
652                 default:
653                         rc = -EINVAL;
654                         goto out;
655                 }
656         }
657
658         if (sbsec->initialized) {
659                 /* previously mounted with options, but not on this attempt? */
660                 if (sbsec->flags && !num_opts)
661                         goto out_double_mount;
662                 rc = 0;
663                 goto out;
664         }
665
666         if (strcmp(sb->s_type->name, "proc") == 0)
667                 sbsec->proc = 1;
668
669         /* Determine the labeling behavior to use for this filesystem type. */
670         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
671         if (rc) {
672                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
673                        __func__, sb->s_type->name, rc);
674                 goto out;
675         }
676
677         /* sets the context of the superblock for the fs being mounted. */
678         if (fscontext_sid) {
679
680                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
681                 if (rc)
682                         goto out;
683
684                 sbsec->sid = fscontext_sid;
685         }
686
687         /*
688          * Switch to using mount point labeling behavior.
689          * sets the label used on all file below the mountpoint, and will set
690          * the superblock context if not already set.
691          */
692         if (context_sid) {
693                 if (!fscontext_sid) {
694                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
695                         if (rc)
696                                 goto out;
697                         sbsec->sid = context_sid;
698                 } else {
699                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
700                         if (rc)
701                                 goto out;
702                 }
703                 if (!rootcontext_sid)
704                         rootcontext_sid = context_sid;
705
706                 sbsec->mntpoint_sid = context_sid;
707                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
708         }
709
710         if (rootcontext_sid) {
711                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
712                 if (rc)
713                         goto out;
714
715                 root_isec->sid = rootcontext_sid;
716                 root_isec->initialized = 1;
717         }
718
719         if (defcontext_sid) {
720                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
721                         rc = -EINVAL;
722                         printk(KERN_WARNING "SELinux: defcontext option is "
723                                "invalid for this filesystem type\n");
724                         goto out;
725                 }
726
727                 if (defcontext_sid != sbsec->def_sid) {
728                         rc = may_context_mount_inode_relabel(defcontext_sid,
729                                                              sbsec, tsec);
730                         if (rc)
731                                 goto out;
732                 }
733
734                 sbsec->def_sid = defcontext_sid;
735         }
736
737         rc = sb_finish_set_opts(sb);
738 out:
739         mutex_unlock(&sbsec->lock);
740         return rc;
741 out_double_mount:
742         rc = -EINVAL;
743         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
744                "security settings for (dev %s, type %s)\n", sb->s_id, name);
745         goto out;
746 }
747
748 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
749                                         struct super_block *newsb)
750 {
751         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
752         struct superblock_security_struct *newsbsec = newsb->s_security;
753
754         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
755         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
756         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
757
758         /*
759          * if the parent was able to be mounted it clearly had no special lsm
760          * mount options.  thus we can safely put this sb on the list and deal
761          * with it later
762          */
763         if (!ss_initialized) {
764                 spin_lock(&sb_security_lock);
765                 if (list_empty(&newsbsec->list))
766                         list_add(&newsbsec->list, &superblock_security_head);
767                 spin_unlock(&sb_security_lock);
768                 return;
769         }
770
771         /* how can we clone if the old one wasn't set up?? */
772         BUG_ON(!oldsbsec->initialized);
773
774         /* if fs is reusing a sb, just let its options stand... */
775         if (newsbsec->initialized)
776                 return;
777
778         mutex_lock(&newsbsec->lock);
779
780         newsbsec->flags = oldsbsec->flags;
781
782         newsbsec->sid = oldsbsec->sid;
783         newsbsec->def_sid = oldsbsec->def_sid;
784         newsbsec->behavior = oldsbsec->behavior;
785
786         if (set_context) {
787                 u32 sid = oldsbsec->mntpoint_sid;
788
789                 if (!set_fscontext)
790                         newsbsec->sid = sid;
791                 if (!set_rootcontext) {
792                         struct inode *newinode = newsb->s_root->d_inode;
793                         struct inode_security_struct *newisec = newinode->i_security;
794                         newisec->sid = sid;
795                 }
796                 newsbsec->mntpoint_sid = sid;
797         }
798         if (set_rootcontext) {
799                 const struct inode *oldinode = oldsb->s_root->d_inode;
800                 const struct inode_security_struct *oldisec = oldinode->i_security;
801                 struct inode *newinode = newsb->s_root->d_inode;
802                 struct inode_security_struct *newisec = newinode->i_security;
803
804                 newisec->sid = oldisec->sid;
805         }
806
807         sb_finish_set_opts(newsb);
808         mutex_unlock(&newsbsec->lock);
809 }
810
811 static int selinux_parse_opts_str(char *options,
812                                   struct security_mnt_opts *opts)
813 {
814         char *p;
815         char *context = NULL, *defcontext = NULL;
816         char *fscontext = NULL, *rootcontext = NULL;
817         int rc, num_mnt_opts = 0;
818
819         opts->num_mnt_opts = 0;
820
821         /* Standard string-based options. */
822         while ((p = strsep(&options, "|")) != NULL) {
823                 int token;
824                 substring_t args[MAX_OPT_ARGS];
825
826                 if (!*p)
827                         continue;
828
829                 token = match_token(p, tokens, args);
830
831                 switch (token) {
832                 case Opt_context:
833                         if (context || defcontext) {
834                                 rc = -EINVAL;
835                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
836                                 goto out_err;
837                         }
838                         context = match_strdup(&args[0]);
839                         if (!context) {
840                                 rc = -ENOMEM;
841                                 goto out_err;
842                         }
843                         break;
844
845                 case Opt_fscontext:
846                         if (fscontext) {
847                                 rc = -EINVAL;
848                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
849                                 goto out_err;
850                         }
851                         fscontext = match_strdup(&args[0]);
852                         if (!fscontext) {
853                                 rc = -ENOMEM;
854                                 goto out_err;
855                         }
856                         break;
857
858                 case Opt_rootcontext:
859                         if (rootcontext) {
860                                 rc = -EINVAL;
861                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
862                                 goto out_err;
863                         }
864                         rootcontext = match_strdup(&args[0]);
865                         if (!rootcontext) {
866                                 rc = -ENOMEM;
867                                 goto out_err;
868                         }
869                         break;
870
871                 case Opt_defcontext:
872                         if (context || defcontext) {
873                                 rc = -EINVAL;
874                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875                                 goto out_err;
876                         }
877                         defcontext = match_strdup(&args[0]);
878                         if (!defcontext) {
879                                 rc = -ENOMEM;
880                                 goto out_err;
881                         }
882                         break;
883
884                 default:
885                         rc = -EINVAL;
886                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
887                         goto out_err;
888
889                 }
890         }
891
892         rc = -ENOMEM;
893         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
894         if (!opts->mnt_opts)
895                 goto out_err;
896
897         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
898         if (!opts->mnt_opts_flags) {
899                 kfree(opts->mnt_opts);
900                 goto out_err;
901         }
902
903         if (fscontext) {
904                 opts->mnt_opts[num_mnt_opts] = fscontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
906         }
907         if (context) {
908                 opts->mnt_opts[num_mnt_opts] = context;
909                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
910         }
911         if (rootcontext) {
912                 opts->mnt_opts[num_mnt_opts] = rootcontext;
913                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
914         }
915         if (defcontext) {
916                 opts->mnt_opts[num_mnt_opts] = defcontext;
917                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
918         }
919
920         opts->num_mnt_opts = num_mnt_opts;
921         return 0;
922
923 out_err:
924         kfree(context);
925         kfree(defcontext);
926         kfree(fscontext);
927         kfree(rootcontext);
928         return rc;
929 }
930 /*
931  * string mount options parsing and call set the sbsec
932  */
933 static int superblock_doinit(struct super_block *sb, void *data)
934 {
935         int rc = 0;
936         char *options = data;
937         struct security_mnt_opts opts;
938
939         security_init_mnt_opts(&opts);
940
941         if (!data)
942                 goto out;
943
944         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
945
946         rc = selinux_parse_opts_str(options, &opts);
947         if (rc)
948                 goto out_err;
949
950 out:
951         rc = selinux_set_mnt_opts(sb, &opts);
952
953 out_err:
954         security_free_mnt_opts(&opts);
955         return rc;
956 }
957
958 static inline u16 inode_mode_to_security_class(umode_t mode)
959 {
960         switch (mode & S_IFMT) {
961         case S_IFSOCK:
962                 return SECCLASS_SOCK_FILE;
963         case S_IFLNK:
964                 return SECCLASS_LNK_FILE;
965         case S_IFREG:
966                 return SECCLASS_FILE;
967         case S_IFBLK:
968                 return SECCLASS_BLK_FILE;
969         case S_IFDIR:
970                 return SECCLASS_DIR;
971         case S_IFCHR:
972                 return SECCLASS_CHR_FILE;
973         case S_IFIFO:
974                 return SECCLASS_FIFO_FILE;
975
976         }
977
978         return SECCLASS_FILE;
979 }
980
981 static inline int default_protocol_stream(int protocol)
982 {
983         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
984 }
985
986 static inline int default_protocol_dgram(int protocol)
987 {
988         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
989 }
990
991 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
992 {
993         switch (family) {
994         case PF_UNIX:
995                 switch (type) {
996                 case SOCK_STREAM:
997                 case SOCK_SEQPACKET:
998                         return SECCLASS_UNIX_STREAM_SOCKET;
999                 case SOCK_DGRAM:
1000                         return SECCLASS_UNIX_DGRAM_SOCKET;
1001                 }
1002                 break;
1003         case PF_INET:
1004         case PF_INET6:
1005                 switch (type) {
1006                 case SOCK_STREAM:
1007                         if (default_protocol_stream(protocol))
1008                                 return SECCLASS_TCP_SOCKET;
1009                         else
1010                                 return SECCLASS_RAWIP_SOCKET;
1011                 case SOCK_DGRAM:
1012                         if (default_protocol_dgram(protocol))
1013                                 return SECCLASS_UDP_SOCKET;
1014                         else
1015                                 return SECCLASS_RAWIP_SOCKET;
1016                 case SOCK_DCCP:
1017                         return SECCLASS_DCCP_SOCKET;
1018                 default:
1019                         return SECCLASS_RAWIP_SOCKET;
1020                 }
1021                 break;
1022         case PF_NETLINK:
1023                 switch (protocol) {
1024                 case NETLINK_ROUTE:
1025                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1026                 case NETLINK_FIREWALL:
1027                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1028                 case NETLINK_INET_DIAG:
1029                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1030                 case NETLINK_NFLOG:
1031                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1032                 case NETLINK_XFRM:
1033                         return SECCLASS_NETLINK_XFRM_SOCKET;
1034                 case NETLINK_SELINUX:
1035                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1036                 case NETLINK_AUDIT:
1037                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1038                 case NETLINK_IP6_FW:
1039                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1040                 case NETLINK_DNRTMSG:
1041                         return SECCLASS_NETLINK_DNRT_SOCKET;
1042                 case NETLINK_KOBJECT_UEVENT:
1043                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1044                 default:
1045                         return SECCLASS_NETLINK_SOCKET;
1046                 }
1047         case PF_PACKET:
1048                 return SECCLASS_PACKET_SOCKET;
1049         case PF_KEY:
1050                 return SECCLASS_KEY_SOCKET;
1051         case PF_APPLETALK:
1052                 return SECCLASS_APPLETALK_SOCKET;
1053         }
1054
1055         return SECCLASS_SOCKET;
1056 }
1057
1058 #ifdef CONFIG_PROC_FS
1059 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1060                                 u16 tclass,
1061                                 u32 *sid)
1062 {
1063         int buflen, rc;
1064         char *buffer, *path, *end;
1065
1066         buffer = (char *)__get_free_page(GFP_KERNEL);
1067         if (!buffer)
1068                 return -ENOMEM;
1069
1070         buflen = PAGE_SIZE;
1071         end = buffer+buflen;
1072         *--end = '\0';
1073         buflen--;
1074         path = end-1;
1075         *path = '/';
1076         while (de && de != de->parent) {
1077                 buflen -= de->namelen + 1;
1078                 if (buflen < 0)
1079                         break;
1080                 end -= de->namelen;
1081                 memcpy(end, de->name, de->namelen);
1082                 *--end = '/';
1083                 path = end;
1084                 de = de->parent;
1085         }
1086         rc = security_genfs_sid("proc", path, tclass, sid);
1087         free_page((unsigned long)buffer);
1088         return rc;
1089 }
1090 #else
1091 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1092                                 u16 tclass,
1093                                 u32 *sid)
1094 {
1095         return -EINVAL;
1096 }
1097 #endif
1098
1099 /* The inode's security attributes must be initialized before first use. */
1100 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1101 {
1102         struct superblock_security_struct *sbsec = NULL;
1103         struct inode_security_struct *isec = inode->i_security;
1104         u32 sid;
1105         struct dentry *dentry;
1106 #define INITCONTEXTLEN 255
1107         char *context = NULL;
1108         unsigned len = 0;
1109         int rc = 0;
1110
1111         if (isec->initialized)
1112                 goto out;
1113
1114         mutex_lock(&isec->lock);
1115         if (isec->initialized)
1116                 goto out_unlock;
1117
1118         sbsec = inode->i_sb->s_security;
1119         if (!sbsec->initialized) {
1120                 /* Defer initialization until selinux_complete_init,
1121                    after the initial policy is loaded and the security
1122                    server is ready to handle calls. */
1123                 spin_lock(&sbsec->isec_lock);
1124                 if (list_empty(&isec->list))
1125                         list_add(&isec->list, &sbsec->isec_head);
1126                 spin_unlock(&sbsec->isec_lock);
1127                 goto out_unlock;
1128         }
1129
1130         switch (sbsec->behavior) {
1131         case SECURITY_FS_USE_XATTR:
1132                 if (!inode->i_op->getxattr) {
1133                         isec->sid = sbsec->def_sid;
1134                         break;
1135                 }
1136
1137                 /* Need a dentry, since the xattr API requires one.
1138                    Life would be simpler if we could just pass the inode. */
1139                 if (opt_dentry) {
1140                         /* Called from d_instantiate or d_splice_alias. */
1141                         dentry = dget(opt_dentry);
1142                 } else {
1143                         /* Called from selinux_complete_init, try to find a dentry. */
1144                         dentry = d_find_alias(inode);
1145                 }
1146                 if (!dentry) {
1147                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1148                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1149                                inode->i_ino);
1150                         goto out_unlock;
1151                 }
1152
1153                 len = INITCONTEXTLEN;
1154                 context = kmalloc(len, GFP_NOFS);
1155                 if (!context) {
1156                         rc = -ENOMEM;
1157                         dput(dentry);
1158                         goto out_unlock;
1159                 }
1160                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1161                                            context, len);
1162                 if (rc == -ERANGE) {
1163                         /* Need a larger buffer.  Query for the right size. */
1164                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1165                                                    NULL, 0);
1166                         if (rc < 0) {
1167                                 dput(dentry);
1168                                 goto out_unlock;
1169                         }
1170                         kfree(context);
1171                         len = rc;
1172                         context = kmalloc(len, GFP_NOFS);
1173                         if (!context) {
1174                                 rc = -ENOMEM;
1175                                 dput(dentry);
1176                                 goto out_unlock;
1177                         }
1178                         rc = inode->i_op->getxattr(dentry,
1179                                                    XATTR_NAME_SELINUX,
1180                                                    context, len);
1181                 }
1182                 dput(dentry);
1183                 if (rc < 0) {
1184                         if (rc != -ENODATA) {
1185                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1186                                        "%d for dev=%s ino=%ld\n", __func__,
1187                                        -rc, inode->i_sb->s_id, inode->i_ino);
1188                                 kfree(context);
1189                                 goto out_unlock;
1190                         }
1191                         /* Map ENODATA to the default file SID */
1192                         sid = sbsec->def_sid;
1193                         rc = 0;
1194                 } else {
1195                         rc = security_context_to_sid_default(context, rc, &sid,
1196                                                              sbsec->def_sid,
1197                                                              GFP_NOFS);
1198                         if (rc) {
1199                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1200                                        "returned %d for dev=%s ino=%ld\n",
1201                                        __func__, context, -rc,
1202                                        inode->i_sb->s_id, inode->i_ino);
1203                                 kfree(context);
1204                                 /* Leave with the unlabeled SID */
1205                                 rc = 0;
1206                                 break;
1207                         }
1208                 }
1209                 kfree(context);
1210                 isec->sid = sid;
1211                 break;
1212         case SECURITY_FS_USE_TASK:
1213                 isec->sid = isec->task_sid;
1214                 break;
1215         case SECURITY_FS_USE_TRANS:
1216                 /* Default to the fs SID. */
1217                 isec->sid = sbsec->sid;
1218
1219                 /* Try to obtain a transition SID. */
1220                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1221                 rc = security_transition_sid(isec->task_sid,
1222                                              sbsec->sid,
1223                                              isec->sclass,
1224                                              &sid);
1225                 if (rc)
1226                         goto out_unlock;
1227                 isec->sid = sid;
1228                 break;
1229         case SECURITY_FS_USE_MNTPOINT:
1230                 isec->sid = sbsec->mntpoint_sid;
1231                 break;
1232         default:
1233                 /* Default to the fs superblock SID. */
1234                 isec->sid = sbsec->sid;
1235
1236                 if (sbsec->proc) {
1237                         struct proc_inode *proci = PROC_I(inode);
1238                         if (proci->pde) {
1239                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1240                                 rc = selinux_proc_get_sid(proci->pde,
1241                                                           isec->sclass,
1242                                                           &sid);
1243                                 if (rc)
1244                                         goto out_unlock;
1245                                 isec->sid = sid;
1246                         }
1247                 }
1248                 break;
1249         }
1250
1251         isec->initialized = 1;
1252
1253 out_unlock:
1254         mutex_unlock(&isec->lock);
1255 out:
1256         if (isec->sclass == SECCLASS_FILE)
1257                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1258         return rc;
1259 }
1260
1261 /* Convert a Linux signal to an access vector. */
1262 static inline u32 signal_to_av(int sig)
1263 {
1264         u32 perm = 0;
1265
1266         switch (sig) {
1267         case SIGCHLD:
1268                 /* Commonly granted from child to parent. */
1269                 perm = PROCESS__SIGCHLD;
1270                 break;
1271         case SIGKILL:
1272                 /* Cannot be caught or ignored */
1273                 perm = PROCESS__SIGKILL;
1274                 break;
1275         case SIGSTOP:
1276                 /* Cannot be caught or ignored */
1277                 perm = PROCESS__SIGSTOP;
1278                 break;
1279         default:
1280                 /* All other signals. */
1281                 perm = PROCESS__SIGNAL;
1282                 break;
1283         }
1284
1285         return perm;
1286 }
1287
1288 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1289    fork check, ptrace check, etc. */
1290 static int task_has_perm(struct task_struct *tsk1,
1291                          struct task_struct *tsk2,
1292                          u32 perms)
1293 {
1294         struct task_security_struct *tsec1, *tsec2;
1295
1296         tsec1 = tsk1->security;
1297         tsec2 = tsk2->security;
1298         return avc_has_perm(tsec1->sid, tsec2->sid,
1299                             SECCLASS_PROCESS, perms, NULL);
1300 }
1301
1302 #if CAP_LAST_CAP > 63
1303 #error Fix SELinux to handle capabilities > 63.
1304 #endif
1305
1306 /* Check whether a task is allowed to use a capability. */
1307 static int task_has_capability(struct task_struct *tsk,
1308                                int cap)
1309 {
1310         struct task_security_struct *tsec;
1311         struct avc_audit_data ad;
1312         u16 sclass;
1313         u32 av = CAP_TO_MASK(cap);
1314
1315         tsec = tsk->security;
1316
1317         AVC_AUDIT_DATA_INIT(&ad, CAP);
1318         ad.tsk = tsk;
1319         ad.u.cap = cap;
1320
1321         switch (CAP_TO_INDEX(cap)) {
1322         case 0:
1323                 sclass = SECCLASS_CAPABILITY;
1324                 break;
1325         case 1:
1326                 sclass = SECCLASS_CAPABILITY2;
1327                 break;
1328         default:
1329                 printk(KERN_ERR
1330                        "SELinux:  out of range capability %d\n", cap);
1331                 BUG();
1332         }
1333         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1334 }
1335
1336 /* Check whether a task is allowed to use a system operation. */
1337 static int task_has_system(struct task_struct *tsk,
1338                            u32 perms)
1339 {
1340         struct task_security_struct *tsec;
1341
1342         tsec = tsk->security;
1343
1344         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1345                             SECCLASS_SYSTEM, perms, NULL);
1346 }
1347
1348 /* Check whether a task has a particular permission to an inode.
1349    The 'adp' parameter is optional and allows other audit
1350    data to be passed (e.g. the dentry). */
1351 static int inode_has_perm(struct task_struct *tsk,
1352                           struct inode *inode,
1353                           u32 perms,
1354                           struct avc_audit_data *adp)
1355 {
1356         struct task_security_struct *tsec;
1357         struct inode_security_struct *isec;
1358         struct avc_audit_data ad;
1359
1360         if (unlikely(IS_PRIVATE(inode)))
1361                 return 0;
1362
1363         tsec = tsk->security;
1364         isec = inode->i_security;
1365
1366         if (!adp) {
1367                 adp = &ad;
1368                 AVC_AUDIT_DATA_INIT(&ad, FS);
1369                 ad.u.fs.inode = inode;
1370         }
1371
1372         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1373 }
1374
1375 /* Same as inode_has_perm, but pass explicit audit data containing
1376    the dentry to help the auditing code to more easily generate the
1377    pathname if needed. */
1378 static inline int dentry_has_perm(struct task_struct *tsk,
1379                                   struct vfsmount *mnt,
1380                                   struct dentry *dentry,
1381                                   u32 av)
1382 {
1383         struct inode *inode = dentry->d_inode;
1384         struct avc_audit_data ad;
1385         AVC_AUDIT_DATA_INIT(&ad, FS);
1386         ad.u.fs.path.mnt = mnt;
1387         ad.u.fs.path.dentry = dentry;
1388         return inode_has_perm(tsk, inode, av, &ad);
1389 }
1390
1391 /* Check whether a task can use an open file descriptor to
1392    access an inode in a given way.  Check access to the
1393    descriptor itself, and then use dentry_has_perm to
1394    check a particular permission to the file.
1395    Access to the descriptor is implicitly granted if it
1396    has the same SID as the process.  If av is zero, then
1397    access to the file is not checked, e.g. for cases
1398    where only the descriptor is affected like seek. */
1399 static int file_has_perm(struct task_struct *tsk,
1400                                 struct file *file,
1401                                 u32 av)
1402 {
1403         struct task_security_struct *tsec = tsk->security;
1404         struct file_security_struct *fsec = file->f_security;
1405         struct inode *inode = file->f_path.dentry->d_inode;
1406         struct avc_audit_data ad;
1407         int rc;
1408
1409         AVC_AUDIT_DATA_INIT(&ad, FS);
1410         ad.u.fs.path = file->f_path;
1411
1412         if (tsec->sid != fsec->sid) {
1413                 rc = avc_has_perm(tsec->sid, fsec->sid,
1414                                   SECCLASS_FD,
1415                                   FD__USE,
1416                                   &ad);
1417                 if (rc)
1418                         return rc;
1419         }
1420
1421         /* av is zero if only checking access to the descriptor. */
1422         if (av)
1423                 return inode_has_perm(tsk, inode, av, &ad);
1424
1425         return 0;
1426 }
1427
1428 /* Check whether a task can create a file. */
1429 static int may_create(struct inode *dir,
1430                       struct dentry *dentry,
1431                       u16 tclass)
1432 {
1433         struct task_security_struct *tsec;
1434         struct inode_security_struct *dsec;
1435         struct superblock_security_struct *sbsec;
1436         u32 newsid;
1437         struct avc_audit_data ad;
1438         int rc;
1439
1440         tsec = current->security;
1441         dsec = dir->i_security;
1442         sbsec = dir->i_sb->s_security;
1443
1444         AVC_AUDIT_DATA_INIT(&ad, FS);
1445         ad.u.fs.path.dentry = dentry;
1446
1447         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1448                           DIR__ADD_NAME | DIR__SEARCH,
1449                           &ad);
1450         if (rc)
1451                 return rc;
1452
1453         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1454                 newsid = tsec->create_sid;
1455         } else {
1456                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1457                                              &newsid);
1458                 if (rc)
1459                         return rc;
1460         }
1461
1462         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1463         if (rc)
1464                 return rc;
1465
1466         return avc_has_perm(newsid, sbsec->sid,
1467                             SECCLASS_FILESYSTEM,
1468                             FILESYSTEM__ASSOCIATE, &ad);
1469 }
1470
1471 /* Check whether a task can create a key. */
1472 static int may_create_key(u32 ksid,
1473                           struct task_struct *ctx)
1474 {
1475         struct task_security_struct *tsec;
1476
1477         tsec = ctx->security;
1478
1479         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1480 }
1481
1482 #define MAY_LINK        0
1483 #define MAY_UNLINK      1
1484 #define MAY_RMDIR       2
1485
1486 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1487 static int may_link(struct inode *dir,
1488                     struct dentry *dentry,
1489                     int kind)
1490
1491 {
1492         struct task_security_struct *tsec;
1493         struct inode_security_struct *dsec, *isec;
1494         struct avc_audit_data ad;
1495         u32 av;
1496         int rc;
1497
1498         tsec = current->security;
1499         dsec = dir->i_security;
1500         isec = dentry->d_inode->i_security;
1501
1502         AVC_AUDIT_DATA_INIT(&ad, FS);
1503         ad.u.fs.path.dentry = dentry;
1504
1505         av = DIR__SEARCH;
1506         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1507         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1508         if (rc)
1509                 return rc;
1510
1511         switch (kind) {
1512         case MAY_LINK:
1513                 av = FILE__LINK;
1514                 break;
1515         case MAY_UNLINK:
1516                 av = FILE__UNLINK;
1517                 break;
1518         case MAY_RMDIR:
1519                 av = DIR__RMDIR;
1520                 break;
1521         default:
1522                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1523                         __func__, kind);
1524                 return 0;
1525         }
1526
1527         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1528         return rc;
1529 }
1530
1531 static inline int may_rename(struct inode *old_dir,
1532                              struct dentry *old_dentry,
1533                              struct inode *new_dir,
1534                              struct dentry *new_dentry)
1535 {
1536         struct task_security_struct *tsec;
1537         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1538         struct avc_audit_data ad;
1539         u32 av;
1540         int old_is_dir, new_is_dir;
1541         int rc;
1542
1543         tsec = current->security;
1544         old_dsec = old_dir->i_security;
1545         old_isec = old_dentry->d_inode->i_security;
1546         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1547         new_dsec = new_dir->i_security;
1548
1549         AVC_AUDIT_DATA_INIT(&ad, FS);
1550
1551         ad.u.fs.path.dentry = old_dentry;
1552         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1553                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1554         if (rc)
1555                 return rc;
1556         rc = avc_has_perm(tsec->sid, old_isec->sid,
1557                           old_isec->sclass, FILE__RENAME, &ad);
1558         if (rc)
1559                 return rc;
1560         if (old_is_dir && new_dir != old_dir) {
1561                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1562                                   old_isec->sclass, DIR__REPARENT, &ad);
1563                 if (rc)
1564                         return rc;
1565         }
1566
1567         ad.u.fs.path.dentry = new_dentry;
1568         av = DIR__ADD_NAME | DIR__SEARCH;
1569         if (new_dentry->d_inode)
1570                 av |= DIR__REMOVE_NAME;
1571         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1572         if (rc)
1573                 return rc;
1574         if (new_dentry->d_inode) {
1575                 new_isec = new_dentry->d_inode->i_security;
1576                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1577                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1578                                   new_isec->sclass,
1579                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1580                 if (rc)
1581                         return rc;
1582         }
1583
1584         return 0;
1585 }
1586
1587 /* Check whether a task can perform a filesystem operation. */
1588 static int superblock_has_perm(struct task_struct *tsk,
1589                                struct super_block *sb,
1590                                u32 perms,
1591                                struct avc_audit_data *ad)
1592 {
1593         struct task_security_struct *tsec;
1594         struct superblock_security_struct *sbsec;
1595
1596         tsec = tsk->security;
1597         sbsec = sb->s_security;
1598         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1599                             perms, ad);
1600 }
1601
1602 /* Convert a Linux mode and permission mask to an access vector. */
1603 static inline u32 file_mask_to_av(int mode, int mask)
1604 {
1605         u32 av = 0;
1606
1607         if ((mode & S_IFMT) != S_IFDIR) {
1608                 if (mask & MAY_EXEC)
1609                         av |= FILE__EXECUTE;
1610                 if (mask & MAY_READ)
1611                         av |= FILE__READ;
1612
1613                 if (mask & MAY_APPEND)
1614                         av |= FILE__APPEND;
1615                 else if (mask & MAY_WRITE)
1616                         av |= FILE__WRITE;
1617
1618         } else {
1619                 if (mask & MAY_EXEC)
1620                         av |= DIR__SEARCH;
1621                 if (mask & MAY_WRITE)
1622                         av |= DIR__WRITE;
1623                 if (mask & MAY_READ)
1624                         av |= DIR__READ;
1625         }
1626
1627         return av;
1628 }
1629
1630 /*
1631  * Convert a file mask to an access vector and include the correct open
1632  * open permission.
1633  */
1634 static inline u32 open_file_mask_to_av(int mode, int mask)
1635 {
1636         u32 av = file_mask_to_av(mode, mask);
1637
1638         if (selinux_policycap_openperm) {
1639                 /*
1640                  * lnk files and socks do not really have an 'open'
1641                  */
1642                 if (S_ISREG(mode))
1643                         av |= FILE__OPEN;
1644                 else if (S_ISCHR(mode))
1645                         av |= CHR_FILE__OPEN;
1646                 else if (S_ISBLK(mode))
1647                         av |= BLK_FILE__OPEN;
1648                 else if (S_ISFIFO(mode))
1649                         av |= FIFO_FILE__OPEN;
1650                 else if (S_ISDIR(mode))
1651                         av |= DIR__OPEN;
1652                 else
1653                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1654                                 "unknown mode:%x\n", __func__, mode);
1655         }
1656         return av;
1657 }
1658
1659 /* Convert a Linux file to an access vector. */
1660 static inline u32 file_to_av(struct file *file)
1661 {
1662         u32 av = 0;
1663
1664         if (file->f_mode & FMODE_READ)
1665                 av |= FILE__READ;
1666         if (file->f_mode & FMODE_WRITE) {
1667                 if (file->f_flags & O_APPEND)
1668                         av |= FILE__APPEND;
1669                 else
1670                         av |= FILE__WRITE;
1671         }
1672         if (!av) {
1673                 /*
1674                  * Special file opened with flags 3 for ioctl-only use.
1675                  */
1676                 av = FILE__IOCTL;
1677         }
1678
1679         return av;
1680 }
1681
1682 /* Hook functions begin here. */
1683
1684 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1685 {
1686         int rc;
1687
1688         rc = secondary_ops->ptrace(parent, child);
1689         if (rc)
1690                 return rc;
1691
1692         return task_has_perm(parent, child, PROCESS__PTRACE);
1693 }
1694
1695 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1696                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1697 {
1698         int error;
1699
1700         error = task_has_perm(current, target, PROCESS__GETCAP);
1701         if (error)
1702                 return error;
1703
1704         return secondary_ops->capget(target, effective, inheritable, permitted);
1705 }
1706
1707 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1708                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1709 {
1710         int error;
1711
1712         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1713         if (error)
1714                 return error;
1715
1716         return task_has_perm(current, target, PROCESS__SETCAP);
1717 }
1718
1719 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1720                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1721 {
1722         secondary_ops->capset_set(target, effective, inheritable, permitted);
1723 }
1724
1725 static int selinux_capable(struct task_struct *tsk, int cap)
1726 {
1727         int rc;
1728
1729         rc = secondary_ops->capable(tsk, cap);
1730         if (rc)
1731                 return rc;
1732
1733         return task_has_capability(tsk, cap);
1734 }
1735
1736 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1737 {
1738         int buflen, rc;
1739         char *buffer, *path, *end;
1740
1741         rc = -ENOMEM;
1742         buffer = (char *)__get_free_page(GFP_KERNEL);
1743         if (!buffer)
1744                 goto out;
1745
1746         buflen = PAGE_SIZE;
1747         end = buffer+buflen;
1748         *--end = '\0';
1749         buflen--;
1750         path = end-1;
1751         *path = '/';
1752         while (table) {
1753                 const char *name = table->procname;
1754                 size_t namelen = strlen(name);
1755                 buflen -= namelen + 1;
1756                 if (buflen < 0)
1757                         goto out_free;
1758                 end -= namelen;
1759                 memcpy(end, name, namelen);
1760                 *--end = '/';
1761                 path = end;
1762                 table = table->parent;
1763         }
1764         buflen -= 4;
1765         if (buflen < 0)
1766                 goto out_free;
1767         end -= 4;
1768         memcpy(end, "/sys", 4);
1769         path = end;
1770         rc = security_genfs_sid("proc", path, tclass, sid);
1771 out_free:
1772         free_page((unsigned long)buffer);
1773 out:
1774         return rc;
1775 }
1776
1777 static int selinux_sysctl(ctl_table *table, int op)
1778 {
1779         int error = 0;
1780         u32 av;
1781         struct task_security_struct *tsec;
1782         u32 tsid;
1783         int rc;
1784
1785         rc = secondary_ops->sysctl(table, op);
1786         if (rc)
1787                 return rc;
1788
1789         tsec = current->security;
1790
1791         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1792                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1793         if (rc) {
1794                 /* Default to the well-defined sysctl SID. */
1795                 tsid = SECINITSID_SYSCTL;
1796         }
1797
1798         /* The op values are "defined" in sysctl.c, thereby creating
1799          * a bad coupling between this module and sysctl.c */
1800         if (op == 001) {
1801                 error = avc_has_perm(tsec->sid, tsid,
1802                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1803         } else {
1804                 av = 0;
1805                 if (op & 004)
1806                         av |= FILE__READ;
1807                 if (op & 002)
1808                         av |= FILE__WRITE;
1809                 if (av)
1810                         error = avc_has_perm(tsec->sid, tsid,
1811                                              SECCLASS_FILE, av, NULL);
1812         }
1813
1814         return error;
1815 }
1816
1817 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1818 {
1819         int rc = 0;
1820
1821         if (!sb)
1822                 return 0;
1823
1824         switch (cmds) {
1825         case Q_SYNC:
1826         case Q_QUOTAON:
1827         case Q_QUOTAOFF:
1828         case Q_SETINFO:
1829         case Q_SETQUOTA:
1830                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1831                                          NULL);
1832                 break;
1833         case Q_GETFMT:
1834         case Q_GETINFO:
1835         case Q_GETQUOTA:
1836                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1837                                          NULL);
1838                 break;
1839         default:
1840                 rc = 0;  /* let the kernel handle invalid cmds */
1841                 break;
1842         }
1843         return rc;
1844 }
1845
1846 static int selinux_quota_on(struct dentry *dentry)
1847 {
1848         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1849 }
1850
1851 static int selinux_syslog(int type)
1852 {
1853         int rc;
1854
1855         rc = secondary_ops->syslog(type);
1856         if (rc)
1857                 return rc;
1858
1859         switch (type) {
1860         case 3:         /* Read last kernel messages */
1861         case 10:        /* Return size of the log buffer */
1862                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1863                 break;
1864         case 6:         /* Disable logging to console */
1865         case 7:         /* Enable logging to console */
1866         case 8:         /* Set level of messages printed to console */
1867                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1868                 break;
1869         case 0:         /* Close log */
1870         case 1:         /* Open log */
1871         case 2:         /* Read from log */
1872         case 4:         /* Read/clear last kernel messages */
1873         case 5:         /* Clear ring buffer */
1874         default:
1875                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1876                 break;
1877         }
1878         return rc;
1879 }
1880
1881 /*
1882  * Check that a process has enough memory to allocate a new virtual
1883  * mapping. 0 means there is enough memory for the allocation to
1884  * succeed and -ENOMEM implies there is not.
1885  *
1886  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1887  * if the capability is granted, but __vm_enough_memory requires 1 if
1888  * the capability is granted.
1889  *
1890  * Do not audit the selinux permission check, as this is applied to all
1891  * processes that allocate mappings.
1892  */
1893 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1894 {
1895         int rc, cap_sys_admin = 0;
1896         struct task_security_struct *tsec = current->security;
1897
1898         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1899         if (rc == 0)
1900                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1901                                           SECCLASS_CAPABILITY,
1902                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1903                                           0,
1904                                           NULL);
1905
1906         if (rc == 0)
1907                 cap_sys_admin = 1;
1908
1909         return __vm_enough_memory(mm, pages, cap_sys_admin);
1910 }
1911
1912 /**
1913  * task_tracer_task - return the task that is tracing the given task
1914  * @task:               task to consider
1915  *
1916  * Returns NULL if noone is tracing @task, or the &struct task_struct
1917  * pointer to its tracer.
1918  *
1919  * Must be called under rcu_read_lock().
1920  */
1921 static struct task_struct *task_tracer_task(struct task_struct *task)
1922 {
1923         if (task->ptrace & PT_PTRACED)
1924                 return rcu_dereference(task->parent);
1925         return NULL;
1926 }
1927
1928 /* binprm security operations */
1929
1930 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1931 {
1932         struct bprm_security_struct *bsec;
1933
1934         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1935         if (!bsec)
1936                 return -ENOMEM;
1937
1938         bsec->sid = SECINITSID_UNLABELED;
1939         bsec->set = 0;
1940
1941         bprm->security = bsec;
1942         return 0;
1943 }
1944
1945 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1946 {
1947         struct task_security_struct *tsec;
1948         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1949         struct inode_security_struct *isec;
1950         struct bprm_security_struct *bsec;
1951         u32 newsid;
1952         struct avc_audit_data ad;
1953         int rc;
1954
1955         rc = secondary_ops->bprm_set_security(bprm);
1956         if (rc)
1957                 return rc;
1958
1959         bsec = bprm->security;
1960
1961         if (bsec->set)
1962                 return 0;
1963
1964         tsec = current->security;
1965         isec = inode->i_security;
1966
1967         /* Default to the current task SID. */
1968         bsec->sid = tsec->sid;
1969
1970         /* Reset fs, key, and sock SIDs on execve. */
1971         tsec->create_sid = 0;
1972         tsec->keycreate_sid = 0;
1973         tsec->sockcreate_sid = 0;
1974
1975         if (tsec->exec_sid) {
1976                 newsid = tsec->exec_sid;
1977                 /* Reset exec SID on execve. */
1978                 tsec->exec_sid = 0;
1979         } else {
1980                 /* Check for a default transition on this program. */
1981                 rc = security_transition_sid(tsec->sid, isec->sid,
1982                                              SECCLASS_PROCESS, &newsid);
1983                 if (rc)
1984                         return rc;
1985         }
1986
1987         AVC_AUDIT_DATA_INIT(&ad, FS);
1988         ad.u.fs.path = bprm->file->f_path;
1989
1990         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1991                 newsid = tsec->sid;
1992
1993         if (tsec->sid == newsid) {
1994                 rc = avc_has_perm(tsec->sid, isec->sid,
1995                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1996                 if (rc)
1997                         return rc;
1998         } else {
1999                 /* Check permissions for the transition. */
2000                 rc = avc_has_perm(tsec->sid, newsid,
2001                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2002                 if (rc)
2003                         return rc;
2004
2005                 rc = avc_has_perm(newsid, isec->sid,
2006                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2007                 if (rc)
2008                         return rc;
2009
2010                 /* Clear any possibly unsafe personality bits on exec: */
2011                 current->personality &= ~PER_CLEAR_ON_SETID;
2012
2013                 /* Set the security field to the new SID. */
2014                 bsec->sid = newsid;
2015         }
2016
2017         bsec->set = 1;
2018         return 0;
2019 }
2020
2021 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2022 {
2023         return secondary_ops->bprm_check_security(bprm);
2024 }
2025
2026
2027 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2028 {
2029         struct task_security_struct *tsec = current->security;
2030         int atsecure = 0;
2031
2032         if (tsec->osid != tsec->sid) {
2033                 /* Enable secure mode for SIDs transitions unless
2034                    the noatsecure permission is granted between
2035                    the two SIDs, i.e. ahp returns 0. */
2036                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2037                                          SECCLASS_PROCESS,
2038                                          PROCESS__NOATSECURE, NULL);
2039         }
2040
2041         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2042 }
2043
2044 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2045 {
2046         kfree(bprm->security);
2047         bprm->security = NULL;
2048 }
2049
2050 extern struct vfsmount *selinuxfs_mount;
2051 extern struct dentry *selinux_null;
2052
2053 /* Derived from fs/exec.c:flush_old_files. */
2054 static inline void flush_unauthorized_files(struct files_struct *files)
2055 {
2056         struct avc_audit_data ad;
2057         struct file *file, *devnull = NULL;
2058         struct tty_struct *tty;
2059         struct fdtable *fdt;
2060         long j = -1;
2061         int drop_tty = 0;
2062
2063         mutex_lock(&tty_mutex);
2064         tty = get_current_tty();
2065         if (tty) {
2066                 file_list_lock();
2067                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2068                 if (file) {
2069                         /* Revalidate access to controlling tty.
2070                            Use inode_has_perm on the tty inode directly rather
2071                            than using file_has_perm, as this particular open
2072                            file may belong to another process and we are only
2073                            interested in the inode-based check here. */
2074                         struct inode *inode = file->f_path.dentry->d_inode;
2075                         if (inode_has_perm(current, inode,
2076                                            FILE__READ | FILE__WRITE, NULL)) {
2077                                 drop_tty = 1;
2078                         }
2079                 }
2080                 file_list_unlock();
2081         }
2082         mutex_unlock(&tty_mutex);
2083         /* Reset controlling tty. */
2084         if (drop_tty)
2085                 no_tty();
2086
2087         /* Revalidate access to inherited open files. */
2088
2089         AVC_AUDIT_DATA_INIT(&ad, FS);
2090
2091         spin_lock(&files->file_lock);
2092         for (;;) {
2093                 unsigned long set, i;
2094                 int fd;
2095
2096                 j++;
2097                 i = j * __NFDBITS;
2098                 fdt = files_fdtable(files);
2099                 if (i >= fdt->max_fds)
2100                         break;
2101                 set = fdt->open_fds->fds_bits[j];
2102                 if (!set)
2103                         continue;
2104                 spin_unlock(&files->file_lock);
2105                 for ( ; set ; i++, set >>= 1) {
2106                         if (set & 1) {
2107                                 file = fget(i);
2108                                 if (!file)
2109                                         continue;
2110                                 if (file_has_perm(current,
2111                                                   file,
2112                                                   file_to_av(file))) {
2113                                         sys_close(i);
2114                                         fd = get_unused_fd();
2115                                         if (fd != i) {
2116                                                 if (fd >= 0)
2117                                                         put_unused_fd(fd);
2118                                                 fput(file);
2119                                                 continue;
2120                                         }
2121                                         if (devnull) {
2122                                                 get_file(devnull);
2123                                         } else {
2124                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2125                                                 if (IS_ERR(devnull)) {
2126                                                         devnull = NULL;
2127                                                         put_unused_fd(fd);
2128                                                         fput(file);
2129                                                         continue;
2130                                                 }
2131                                         }
2132                                         fd_install(fd, devnull);
2133                                 }
2134                                 fput(file);
2135                         }
2136                 }
2137                 spin_lock(&files->file_lock);
2138
2139         }
2140         spin_unlock(&files->file_lock);
2141 }
2142
2143 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2144 {
2145         struct task_security_struct *tsec;
2146         struct bprm_security_struct *bsec;
2147         u32 sid;
2148         int rc;
2149
2150         secondary_ops->bprm_apply_creds(bprm, unsafe);
2151
2152         tsec = current->security;
2153
2154         bsec = bprm->security;
2155         sid = bsec->sid;
2156
2157         tsec->osid = tsec->sid;
2158         bsec->unsafe = 0;
2159         if (tsec->sid != sid) {
2160                 /* Check for shared state.  If not ok, leave SID
2161                    unchanged and kill. */
2162                 if (unsafe & LSM_UNSAFE_SHARE) {
2163                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2164                                         PROCESS__SHARE, NULL);
2165                         if (rc) {
2166                                 bsec->unsafe = 1;
2167                                 return;
2168                         }
2169                 }
2170
2171                 /* Check for ptracing, and update the task SID if ok.
2172                    Otherwise, leave SID unchanged and kill. */
2173                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2174                         struct task_struct *tracer;
2175                         struct task_security_struct *sec;
2176                         u32 ptsid = 0;
2177
2178                         rcu_read_lock();
2179                         tracer = task_tracer_task(current);
2180                         if (likely(tracer != NULL)) {
2181                                 sec = tracer->security;
2182                                 ptsid = sec->sid;
2183                         }
2184                         rcu_read_unlock();
2185
2186                         if (ptsid != 0) {
2187                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2188                                                   PROCESS__PTRACE, NULL);
2189                                 if (rc) {
2190                                         bsec->unsafe = 1;
2191                                         return;
2192                                 }
2193                         }
2194                 }
2195                 tsec->sid = sid;
2196         }
2197 }
2198
2199 /*
2200  * called after apply_creds without the task lock held
2201  */
2202 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2203 {
2204         struct task_security_struct *tsec;
2205         struct rlimit *rlim, *initrlim;
2206         struct itimerval itimer;
2207         struct bprm_security_struct *bsec;
2208         int rc, i;
2209
2210         tsec = current->security;
2211         bsec = bprm->security;
2212
2213         if (bsec->unsafe) {
2214                 force_sig_specific(SIGKILL, current);
2215                 return;
2216         }
2217         if (tsec->osid == tsec->sid)
2218                 return;
2219
2220         /* Close files for which the new task SID is not authorized. */
2221         flush_unauthorized_files(current->files);
2222
2223         /* Check whether the new SID can inherit signal state
2224            from the old SID.  If not, clear itimers to avoid
2225            subsequent signal generation and flush and unblock
2226            signals. This must occur _after_ the task SID has
2227           been updated so that any kill done after the flush
2228           will be checked against the new SID. */
2229         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2230                           PROCESS__SIGINH, NULL);
2231         if (rc) {
2232                 memset(&itimer, 0, sizeof itimer);
2233                 for (i = 0; i < 3; i++)
2234                         do_setitimer(i, &itimer, NULL);
2235                 flush_signals(current);
2236                 spin_lock_irq(&current->sighand->siglock);
2237                 flush_signal_handlers(current, 1);
2238                 sigemptyset(&current->blocked);
2239                 recalc_sigpending();
2240                 spin_unlock_irq(&current->sighand->siglock);
2241         }
2242
2243         /* Always clear parent death signal on SID transitions. */
2244         current->pdeath_signal = 0;
2245
2246         /* Check whether the new SID can inherit resource limits
2247            from the old SID.  If not, reset all soft limits to
2248            the lower of the current task's hard limit and the init
2249            task's soft limit.  Note that the setting of hard limits
2250            (even to lower them) can be controlled by the setrlimit
2251            check. The inclusion of the init task's soft limit into
2252            the computation is to avoid resetting soft limits higher
2253            than the default soft limit for cases where the default
2254            is lower than the hard limit, e.g. RLIMIT_CORE or
2255            RLIMIT_STACK.*/
2256         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2257                           PROCESS__RLIMITINH, NULL);
2258         if (rc) {
2259                 for (i = 0; i < RLIM_NLIMITS; i++) {
2260                         rlim = current->signal->rlim + i;
2261                         initrlim = init_task.signal->rlim+i;
2262                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2263                 }
2264                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2265                         /*
2266                          * This will cause RLIMIT_CPU calculations
2267                          * to be refigured.
2268                          */
2269                         current->it_prof_expires = jiffies_to_cputime(1);
2270                 }
2271         }
2272
2273         /* Wake up the parent if it is waiting so that it can
2274            recheck wait permission to the new task SID. */
2275         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2276 }
2277
2278 /* superblock security operations */
2279
2280 static int selinux_sb_alloc_security(struct super_block *sb)
2281 {
2282         return superblock_alloc_security(sb);
2283 }
2284
2285 static void selinux_sb_free_security(struct super_block *sb)
2286 {
2287         superblock_free_security(sb);
2288 }
2289
2290 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2291 {
2292         if (plen > olen)
2293                 return 0;
2294
2295         return !memcmp(prefix, option, plen);
2296 }
2297
2298 static inline int selinux_option(char *option, int len)
2299 {
2300         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2301                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2302                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2303                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2304 }
2305
2306 static inline void take_option(char **to, char *from, int *first, int len)
2307 {
2308         if (!*first) {
2309                 **to = ',';
2310                 *to += 1;
2311         } else
2312                 *first = 0;
2313         memcpy(*to, from, len);
2314         *to += len;
2315 }
2316
2317 static inline void take_selinux_option(char **to, char *from, int *first,
2318                                        int len)
2319 {
2320         int current_size = 0;
2321
2322         if (!*first) {
2323                 **to = '|';
2324                 *to += 1;
2325         } else
2326                 *first = 0;
2327
2328         while (current_size < len) {
2329                 if (*from != '"') {
2330                         **to = *from;
2331                         *to += 1;
2332                 }
2333                 from += 1;
2334                 current_size += 1;
2335         }
2336 }
2337
2338 static int selinux_sb_copy_data(char *orig, char *copy)
2339 {
2340         int fnosec, fsec, rc = 0;
2341         char *in_save, *in_curr, *in_end;
2342         char *sec_curr, *nosec_save, *nosec;
2343         int open_quote = 0;
2344
2345         in_curr = orig;
2346         sec_curr = copy;
2347
2348         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2349         if (!nosec) {
2350                 rc = -ENOMEM;
2351                 goto out;
2352         }
2353
2354         nosec_save = nosec;
2355         fnosec = fsec = 1;
2356         in_save = in_end = orig;
2357
2358         do {
2359                 if (*in_end == '"')
2360                         open_quote = !open_quote;
2361                 if ((*in_end == ',' && open_quote == 0) ||
2362                                 *in_end == '\0') {
2363                         int len = in_end - in_curr;
2364
2365                         if (selinux_option(in_curr, len))
2366                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2367                         else
2368                                 take_option(&nosec, in_curr, &fnosec, len);
2369
2370                         in_curr = in_end + 1;
2371                 }
2372         } while (*in_end++);
2373
2374         strcpy(in_save, nosec_save);
2375         free_page((unsigned long)nosec_save);
2376 out:
2377         return rc;
2378 }
2379
2380 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2381 {
2382         struct avc_audit_data ad;
2383         int rc;
2384
2385         rc = superblock_doinit(sb, data);
2386         if (rc)
2387                 return rc;
2388
2389         AVC_AUDIT_DATA_INIT(&ad, FS);
2390         ad.u.fs.path.dentry = sb->s_root;
2391         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2392 }
2393
2394 static int selinux_sb_statfs(struct dentry *dentry)
2395 {
2396         struct avc_audit_data ad;
2397
2398         AVC_AUDIT_DATA_INIT(&ad, FS);
2399         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2400         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2401 }
2402
2403 static int selinux_mount(char *dev_name,
2404                          struct path *path,
2405                          char *type,
2406                          unsigned long flags,
2407                          void *data)
2408 {
2409         int rc;
2410
2411         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2412         if (rc)
2413                 return rc;
2414
2415         if (flags & MS_REMOUNT)
2416                 return superblock_has_perm(current, path->mnt->mnt_sb,
2417                                            FILESYSTEM__REMOUNT, NULL);
2418         else
2419                 return dentry_has_perm(current, path->mnt, path->dentry,
2420                                        FILE__MOUNTON);
2421 }
2422
2423 static int selinux_umount(struct vfsmount *mnt, int flags)
2424 {
2425         int rc;
2426
2427         rc = secondary_ops->sb_umount(mnt, flags);
2428         if (rc)
2429                 return rc;
2430
2431         return superblock_has_perm(current, mnt->mnt_sb,
2432                                    FILESYSTEM__UNMOUNT, NULL);
2433 }
2434
2435 /* inode security operations */
2436
2437 static int selinux_inode_alloc_security(struct inode *inode)
2438 {
2439         return inode_alloc_security(inode);
2440 }
2441
2442 static void selinux_inode_free_security(struct inode *inode)
2443 {
2444         inode_free_security(inode);
2445 }
2446
2447 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2448                                        char **name, void **value,
2449                                        size_t *len)
2450 {
2451         struct task_security_struct *tsec;
2452         struct inode_security_struct *dsec;
2453         struct superblock_security_struct *sbsec;
2454         u32 newsid, clen;
2455         int rc;
2456         char *namep = NULL, *context;
2457
2458         tsec = current->security;
2459         dsec = dir->i_security;
2460         sbsec = dir->i_sb->s_security;
2461
2462         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2463                 newsid = tsec->create_sid;
2464         } else {
2465                 rc = security_transition_sid(tsec->sid, dsec->sid,
2466                                              inode_mode_to_security_class(inode->i_mode),
2467                                              &newsid);
2468                 if (rc) {
2469                         printk(KERN_WARNING "%s:  "
2470                                "security_transition_sid failed, rc=%d (dev=%s "
2471                                "ino=%ld)\n",
2472                                __func__,
2473                                -rc, inode->i_sb->s_id, inode->i_ino);
2474                         return rc;
2475                 }
2476         }
2477
2478         /* Possibly defer initialization to selinux_complete_init. */
2479         if (sbsec->initialized) {
2480                 struct inode_security_struct *isec = inode->i_security;
2481                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2482                 isec->sid = newsid;
2483                 isec->initialized = 1;
2484         }
2485
2486         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2487                 return -EOPNOTSUPP;
2488
2489         if (name) {
2490                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2491                 if (!namep)
2492                         return -ENOMEM;
2493                 *name = namep;
2494         }
2495
2496         if (value && len) {
2497                 rc = security_sid_to_context(newsid, &context, &clen);
2498                 if (rc) {
2499                         kfree(namep);
2500                         return rc;
2501                 }
2502                 *value = context;
2503                 *len = clen;
2504         }
2505
2506         return 0;
2507 }
2508
2509 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2510 {
2511         return may_create(dir, dentry, SECCLASS_FILE);
2512 }
2513
2514 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2515 {
2516         int rc;
2517
2518         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2519         if (rc)
2520                 return rc;
2521         return may_link(dir, old_dentry, MAY_LINK);
2522 }
2523
2524 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2525 {
2526         int rc;
2527
2528         rc = secondary_ops->inode_unlink(dir, dentry);
2529         if (rc)
2530                 return rc;
2531         return may_link(dir, dentry, MAY_UNLINK);
2532 }
2533
2534 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2535 {
2536         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2537 }
2538
2539 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2540 {
2541         return may_create(dir, dentry, SECCLASS_DIR);
2542 }
2543
2544 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2545 {
2546         return may_link(dir, dentry, MAY_RMDIR);
2547 }
2548
2549 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2550 {
2551         int rc;
2552
2553         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2554         if (rc)
2555                 return rc;
2556
2557         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2558 }
2559
2560 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2561                                 struct inode *new_inode, struct dentry *new_dentry)
2562 {
2563         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2564 }
2565
2566 static int selinux_inode_readlink(struct dentry *dentry)
2567 {
2568         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2569 }
2570
2571 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2572 {
2573         int rc;
2574
2575         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2576         if (rc)
2577                 return rc;
2578         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2579 }
2580
2581 static int selinux_inode_permission(struct inode *inode, int mask,
2582                                     struct nameidata *nd)
2583 {
2584         int rc;
2585
2586         rc = secondary_ops->inode_permission(inode, mask, nd);
2587         if (rc)
2588                 return rc;
2589
2590         if (!mask) {
2591                 /* No permission to check.  Existence test. */
2592                 return 0;
2593         }
2594
2595         return inode_has_perm(current, inode,
2596                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2597 }
2598
2599 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2600 {
2601         int rc;
2602
2603         rc = secondary_ops->inode_setattr(dentry, iattr);
2604         if (rc)
2605                 return rc;
2606
2607         if (iattr->ia_valid & ATTR_FORCE)
2608                 return 0;
2609
2610         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2611                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2612                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2613
2614         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2615 }
2616
2617 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2618 {
2619         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2620 }
2621
2622 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2623 {
2624         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2625                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2626                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2627                         if (!capable(CAP_SETFCAP))
2628                                 return -EPERM;
2629                 } else if (!capable(CAP_SYS_ADMIN)) {
2630                         /* A different attribute in the security namespace.
2631                            Restrict to administrator. */
2632                         return -EPERM;
2633                 }
2634         }
2635
2636         /* Not an attribute we recognize, so just check the
2637            ordinary setattr permission. */
2638         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2639 }
2640
2641 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2642                                   const void *value, size_t size, int flags)
2643 {
2644         struct task_security_struct *tsec = current->security;
2645         struct inode *inode = dentry->d_inode;
2646         struct inode_security_struct *isec = inode->i_security;
2647         struct superblock_security_struct *sbsec;
2648         struct avc_audit_data ad;
2649         u32 newsid;
2650         int rc = 0;
2651
2652         if (strcmp(name, XATTR_NAME_SELINUX))
2653                 return selinux_inode_setotherxattr(dentry, name);
2654
2655         sbsec = inode->i_sb->s_security;
2656         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2657                 return -EOPNOTSUPP;
2658
2659         if (!is_owner_or_cap(inode))
2660                 return -EPERM;
2661
2662         AVC_AUDIT_DATA_INIT(&ad, FS);
2663         ad.u.fs.path.dentry = dentry;
2664
2665         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2666                           FILE__RELABELFROM, &ad);
2667         if (rc)
2668                 return rc;
2669
2670         rc = security_context_to_sid(value, size, &newsid);
2671         if (rc)
2672                 return rc;
2673
2674         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2675                           FILE__RELABELTO, &ad);
2676         if (rc)
2677                 return rc;
2678
2679         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2680                                           isec->sclass);
2681         if (rc)
2682                 return rc;
2683
2684         return avc_has_perm(newsid,
2685                             sbsec->sid,
2686                             SECCLASS_FILESYSTEM,
2687                             FILESYSTEM__ASSOCIATE,
2688                             &ad);
2689 }
2690
2691 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2692                                         const void *value, size_t size,
2693                                         int flags)
2694 {
2695         struct inode *inode = dentry->d_inode;
2696         struct inode_security_struct *isec = inode->i_security;
2697         u32 newsid;
2698         int rc;
2699
2700         if (strcmp(name, XATTR_NAME_SELINUX)) {
2701                 /* Not an attribute we recognize, so nothing to do. */
2702                 return;
2703         }
2704
2705         rc = security_context_to_sid(value, size, &newsid);
2706         if (rc) {
2707                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2708                        "%s, rc=%d\n", __func__, (char *)value, -rc);
2709                 return;
2710         }
2711
2712         isec->sid = newsid;
2713         return;
2714 }
2715
2716 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2717 {
2718         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2719 }
2720
2721 static int selinux_inode_listxattr(struct dentry *dentry)
2722 {
2723         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2724 }
2725
2726 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2727 {
2728         if (strcmp(name, XATTR_NAME_SELINUX))
2729                 return selinux_inode_setotherxattr(dentry, name);
2730
2731         /* No one is allowed to remove a SELinux security label.
2732            You can change the label, but all data must be labeled. */
2733         return -EACCES;
2734 }
2735
2736 /*
2737  * Copy the in-core inode security context value to the user.  If the
2738  * getxattr() prior to this succeeded, check to see if we need to
2739  * canonicalize the value to be finally returned to the user.
2740  *
2741  * Permission check is handled by selinux_inode_getxattr hook.
2742  */
2743 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2744 {
2745         u32 size;
2746         int error;
2747         char *context = NULL;
2748         struct inode_security_struct *isec = inode->i_security;
2749
2750         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2751                 return -EOPNOTSUPP;
2752
2753         error = security_sid_to_context(isec->sid, &context, &size);
2754         if (error)
2755                 return error;
2756         error = size;
2757         if (alloc) {
2758                 *buffer = context;
2759                 goto out_nofree;
2760         }
2761         kfree(context);
2762 out_nofree:
2763         return error;
2764 }
2765
2766 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2767                                      const void *value, size_t size, int flags)
2768 {
2769         struct inode_security_struct *isec = inode->i_security;
2770         u32 newsid;
2771         int rc;
2772
2773         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2774                 return -EOPNOTSUPP;
2775
2776         if (!value || !size)
2777                 return -EACCES;
2778
2779         rc = security_context_to_sid((void *)value, size, &newsid);
2780         if (rc)
2781                 return rc;
2782
2783         isec->sid = newsid;
2784         return 0;
2785 }
2786
2787 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2788 {
2789         const int len = sizeof(XATTR_NAME_SELINUX);
2790         if (buffer && len <= buffer_size)
2791                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2792         return len;
2793 }
2794
2795 static int selinux_inode_need_killpriv(struct dentry *dentry)
2796 {
2797         return secondary_ops->inode_need_killpriv(dentry);
2798 }
2799
2800 static int selinux_inode_killpriv(struct dentry *dentry)
2801 {
2802         return secondary_ops->inode_killpriv(dentry);
2803 }
2804
2805 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2806 {
2807         struct inode_security_struct *isec = inode->i_security;
2808         *secid = isec->sid;
2809 }
2810
2811 /* file security operations */
2812
2813 static int selinux_revalidate_file_permission(struct file *file, int mask)
2814 {
2815         int rc;
2816         struct inode *inode = file->f_path.dentry->d_inode;
2817
2818         if (!mask) {
2819                 /* No permission to check.  Existence test. */
2820                 return 0;
2821         }
2822
2823         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2824         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2825                 mask |= MAY_APPEND;
2826
2827         rc = file_has_perm(current, file,
2828                            file_mask_to_av(inode->i_mode, mask));
2829         if (rc)
2830                 return rc;
2831
2832         return selinux_netlbl_inode_permission(inode, mask);
2833 }
2834
2835 static int selinux_file_permission(struct file *file, int mask)
2836 {
2837         struct inode *inode = file->f_path.dentry->d_inode;
2838         struct task_security_struct *tsec = current->security;
2839         struct file_security_struct *fsec = file->f_security;
2840         struct inode_security_struct *isec = inode->i_security;
2841
2842         if (!mask) {
2843                 /* No permission to check.  Existence test. */
2844                 return 0;
2845         }
2846
2847         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2848             && fsec->pseqno == avc_policy_seqno())
2849                 return selinux_netlbl_inode_permission(inode, mask);
2850
2851         return selinux_revalidate_file_permission(file, mask);
2852 }
2853
2854 static int selinux_file_alloc_security(struct file *file)
2855 {
2856         return file_alloc_security(file);
2857 }
2858
2859 static void selinux_file_free_security(struct file *file)
2860 {
2861         file_free_security(file);
2862 }
2863
2864 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2865                               unsigned long arg)
2866 {
2867         int error = 0;
2868
2869         switch (cmd) {
2870         case FIONREAD:
2871         /* fall through */
2872         case FIBMAP:
2873         /* fall through */
2874         case FIGETBSZ:
2875         /* fall through */
2876         case EXT2_IOC_GETFLAGS:
2877         /* fall through */
2878         case EXT2_IOC_GETVERSION:
2879                 error = file_has_perm(current, file, FILE__GETATTR);
2880                 break;
2881
2882         case EXT2_IOC_SETFLAGS:
2883         /* fall through */
2884         case EXT2_IOC_SETVERSION:
2885                 error = file_has_perm(current, file, FILE__SETATTR);
2886                 break;
2887
2888         /* sys_ioctl() checks */
2889         case FIONBIO:
2890         /* fall through */
2891         case FIOASYNC:
2892                 error = file_has_perm(current, file, 0);
2893                 break;
2894
2895         case KDSKBENT:
2896         case KDSKBSENT:
2897                 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2898                 break;
2899
2900         /* default case assumes that the command will go
2901          * to the file's ioctl() function.
2902          */
2903         default:
2904                 error = file_has_perm(current, file, FILE__IOCTL);
2905         }
2906         return error;
2907 }
2908
2909 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2910 {
2911 #ifndef CONFIG_PPC32
2912         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2913                 /*
2914                  * We are making executable an anonymous mapping or a
2915                  * private file mapping that will also be writable.
2916                  * This has an additional check.
2917                  */
2918                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2919                 if (rc)
2920                         return rc;
2921         }
2922 #endif
2923
2924         if (file) {
2925                 /* read access is always possible with a mapping */
2926                 u32 av = FILE__READ;
2927
2928                 /* write access only matters if the mapping is shared */
2929                 if (shared && (prot & PROT_WRITE))
2930                         av |= FILE__WRITE;
2931
2932                 if (prot & PROT_EXEC)
2933                         av |= FILE__EXECUTE;
2934
2935                 return file_has_perm(current, file, av);
2936         }
2937         return 0;
2938 }
2939
2940 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2941                              unsigned long prot, unsigned long flags,
2942                              unsigned long addr, unsigned long addr_only)
2943 {
2944         int rc = 0;
2945         u32 sid = ((struct task_security_struct *)(current->security))->sid;
2946
2947         if (addr < mmap_min_addr)
2948                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2949                                   MEMPROTECT__MMAP_ZERO, NULL);
2950         if (rc || addr_only)
2951                 return rc;
2952
2953         if (selinux_checkreqprot)
2954                 prot = reqprot;
2955
2956         return file_map_prot_check(file, prot,
2957                                    (flags & MAP_TYPE) == MAP_SHARED);
2958 }
2959
2960 static int selinux_file_mprotect(struct vm_area_struct *vma,
2961                                  unsigned long reqprot,
2962                                  unsigned long prot)
2963 {
2964         int rc;
2965
2966         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2967         if (rc)
2968                 return rc;
2969
2970         if (selinux_checkreqprot)
2971                 prot = reqprot;
2972
2973 #ifndef CONFIG_PPC32
2974         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2975                 rc = 0;
2976                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2977                     vma->vm_end <= vma->vm_mm->brk) {
2978                         rc = task_has_perm(current, current,
2979                                            PROCESS__EXECHEAP);
2980                 } else if (!vma->vm_file &&
2981                            vma->vm_start <= vma->vm_mm->start_stack &&
2982                            vma->vm_end >= vma->vm_mm->start_stack) {
2983                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2984                 } else if (vma->vm_file && vma->anon_vma) {
2985                         /*
2986                          * We are making executable a file mapping that has
2987                          * had some COW done. Since pages might have been
2988                          * written, check ability to execute the possibly
2989                          * modified content.  This typically should only
2990                          * occur for text relocations.
2991                          */
2992                         rc = file_has_perm(current, vma->vm_file,
2993                                            FILE__EXECMOD);
2994                 }
2995                 if (rc)
2996                         return rc;
2997         }
2998 #endif
2999
3000         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3001 }
3002
3003 static int selinux_file_lock(struct file *file, unsigned int cmd)
3004 {
3005         return file_has_perm(current, file, FILE__LOCK);
3006 }
3007
3008 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3009                               unsigned long arg)
3010 {
3011         int err = 0;
3012
3013         switch (cmd) {
3014         case F_SETFL:
3015                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3016                         err = -EINVAL;
3017                         break;
3018                 }
3019
3020                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3021                         err = file_has_perm(current, file, FILE__WRITE);
3022                         break;
3023                 }
3024                 /* fall through */
3025         case F_SETOWN:
3026         case F_SETSIG:
3027         case F_GETFL:
3028         case F_GETOWN:
3029         case F_GETSIG:
3030                 /* Just check FD__USE permission */
3031                 err = file_has_perm(current, file, 0);
3032                 break;
3033         case F_GETLK:
3034         case F_SETLK:
3035         case F_SETLKW:
3036 #if BITS_PER_LONG == 32
3037         case F_GETLK64:
3038         case F_SETLK64:
3039         case F_SETLKW64:
3040 #endif
3041                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3042                         err = -EINVAL;
3043                         break;
3044                 }
3045                 err = file_has_perm(current, file, FILE__LOCK);
3046                 break;
3047         }
3048
3049         return err;
3050 }
3051
3052 static int selinux_file_set_fowner(struct file *file)
3053 {
3054         struct task_security_struct *tsec;
3055         struct file_security_struct *fsec;
3056
3057         tsec = current->security;
3058         fsec = file->f_security;
3059         fsec->fown_sid = tsec->sid;
3060
3061         return 0;
3062 }
3063
3064 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3065                                        struct fown_struct *fown, int signum)
3066 {
3067         struct file *file;
3068         u32 perm;
3069         struct task_security_struct *tsec;
3070         struct file_security_struct *fsec;
3071
3072         /* struct fown_struct is never outside the context of a struct file */
3073         file = container_of(fown, struct file, f_owner);
3074
3075         tsec = tsk->security;
3076         fsec = file->f_security;
3077
3078         if (!signum)
3079                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3080         else
3081                 perm = signal_to_av(signum);
3082
3083         return avc_has_perm(fsec->fown_sid, tsec->sid,
3084                             SECCLASS_PROCESS, perm, NULL);
3085 }
3086
3087 static int selinux_file_receive(struct file *file)
3088 {
3089         return file_has_perm(current, file, file_to_av(file));
3090 }
3091
3092 static int selinux_dentry_open(struct file *file)
3093 {
3094         struct file_security_struct *fsec;
3095         struct inode *inode;
3096         struct inode_security_struct *isec;
3097         inode = file->f_path.dentry->d_inode;
3098         fsec = file->f_security;
3099         isec = inode->i_security;
3100         /*
3101          * Save inode label and policy sequence number
3102          * at open-time so that selinux_file_permission
3103          * can determine whether revalidation is necessary.
3104          * Task label is already saved in the file security
3105          * struct as its SID.
3106          */
3107         fsec->isid = isec->sid;
3108         fsec->pseqno = avc_policy_seqno();
3109         /*
3110          * Since the inode label or policy seqno may have changed
3111          * between the selinux_inode_permission check and the saving
3112          * of state above, recheck that access is still permitted.
3113          * Otherwise, access might never be revalidated against the
3114          * new inode label or new policy.
3115          * This check is not redundant - do not remove.
3116          */
3117         return inode_has_perm(current, inode, file_to_av(file), NULL);
3118 }
3119
3120 /* task security operations */
3121
3122 static int selinux_task_create(unsigned long clone_flags)
3123 {
3124         int rc;
3125
3126         rc = secondary_ops->task_create(clone_flags);
3127         if (rc)
3128                 return rc;
3129
3130         return task_has_perm(current, current, PROCESS__FORK);
3131 }
3132
3133 static int selinux_task_alloc_security(struct task_struct *tsk)
3134 {
3135         struct task_security_struct *tsec1, *tsec2;
3136         int rc;
3137
3138         tsec1 = current->security;
3139
3140         rc = task_alloc_security(tsk);
3141         if (rc)
3142                 return rc;
3143         tsec2 = tsk->security;
3144
3145         tsec2->osid = tsec1->osid;
3146         tsec2->sid = tsec1->sid;
3147
3148         /* Retain the exec, fs, key, and sock SIDs across fork */
3149         tsec2->exec_sid = tsec1->exec_sid;
3150         tsec2->create_sid = tsec1->create_sid;
3151         tsec2->keycreate_sid = tsec1->keycreate_sid;
3152         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3153
3154         return 0;
3155 }
3156
3157 static void selinux_task_free_security(struct task_struct *tsk)
3158 {
3159         task_free_security(tsk);
3160 }
3161
3162 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3163 {
3164         /* Since setuid only affects the current process, and
3165            since the SELinux controls are not based on the Linux
3166            identity attributes, SELinux does not need to control
3167            this operation.  However, SELinux does control the use
3168            of the CAP_SETUID and CAP_SETGID capabilities using the
3169            capable hook. */
3170         return 0;
3171 }
3172
3173 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3174 {
3175         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3176 }
3177
3178 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3179 {
3180         /* See the comment for setuid above. */
3181         return 0;
3182 }
3183
3184 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3185 {
3186         return task_has_perm(current, p, PROCESS__SETPGID);
3187 }
3188
3189 static int selinux_task_getpgid(struct task_struct *p)
3190 {
3191         return task_has_perm(current, p, PROCESS__GETPGID);
3192 }
3193
3194 static int selinux_task_getsid(struct task_struct *p)
3195 {
3196         return task_has_perm(current, p, PROCESS__GETSESSION);
3197 }
3198
3199 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3200 {
3201         struct task_security_struct *tsec = p->security;
3202         *secid = tsec->sid;
3203 }
3204
3205 static int selinux_task_setgroups(struct group_info *group_info)
3206 {
3207         /* See the comment for setuid above. */
3208         return 0;
3209 }
3210
3211 static int selinux_task_setnice(struct task_struct *p, int nice)
3212 {
3213         int rc;
3214
3215         rc = secondary_ops->task_setnice(p, nice);
3216         if (rc)
3217                 return rc;
3218
3219         return task_has_perm(current, p, PROCESS__SETSCHED);
3220 }
3221
3222 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3223 {
3224         int rc;
3225
3226         rc = secondary_ops->task_setioprio(p, ioprio);
3227         if (rc)
3228                 return rc;
3229
3230         return task_has_perm(current, p, PROCESS__SETSCHED);
3231 }
3232
3233 static int selinux_task_getioprio(struct task_struct *p)
3234 {
3235         return task_has_perm(current, p, PROCESS__GETSCHED);
3236 }
3237
3238 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3239 {
3240         struct rlimit *old_rlim = current->signal->rlim + resource;
3241         int rc;
3242
3243         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3244         if (rc)
3245                 return rc;
3246
3247         /* Control the ability to change the hard limit (whether
3248            lowering or raising it), so that the hard limit can
3249            later be used as a safe reset point for the soft limit
3250            upon context transitions. See selinux_bprm_apply_creds. */
3251         if (old_rlim->rlim_max != new_rlim->rlim_max)
3252                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3253
3254         return 0;
3255 }
3256
3257 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3258 {
3259         int rc;
3260
3261         rc = secondary_ops->task_setscheduler(p, policy, lp);
3262         if (rc)
3263                 return rc;
3264
3265         return task_has_perm(current, p, PROCESS__SETSCHED);
3266 }
3267
3268 static int selinux_task_getscheduler(struct task_struct *p)
3269 {
3270         return task_has_perm(current, p, PROCESS__GETSCHED);
3271 }
3272
3273 static int selinux_task_movememory(struct task_struct *p)
3274 {
3275         return task_has_perm(current, p, PROCESS__SETSCHED);
3276 }
3277
3278 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3279                                 int sig, u32 secid)
3280 {
3281         u32 perm;
3282         int rc;
3283         struct task_security_struct *tsec;
3284
3285         rc = secondary_ops->task_kill(p, info, sig, secid);
3286         if (rc)
3287                 return rc;
3288
3289         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3290                 return 0;
3291
3292         if (!sig)
3293                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3294         else
3295                 perm = signal_to_av(sig);
3296         tsec = p->security;
3297         if (secid)
3298                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3299         else
3300                 rc = task_has_perm(current, p, perm);
3301         return rc;
3302 }
3303
3304 static int selinux_task_prctl(int option,
3305                               unsigned long arg2,
3306                               unsigned long arg3,
3307                               unsigned long arg4,
3308                               unsigned long arg5,
3309                               long *rc_p)
3310 {
3311         /* The current prctl operations do not appear to require
3312            any SELinux controls since they merely observe or modify
3313            the state of the current process. */
3314         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3315 }
3316
3317 static int selinux_task_wait(struct task_struct *p)
3318 {
3319         return task_has_perm(p, current, PROCESS__SIGCHLD);
3320 }
3321
3322 static void selinux_task_reparent_to_init(struct task_struct *p)
3323 {
3324         struct task_security_struct *tsec;
3325
3326         secondary_ops->task_reparent_to_init(p);
3327
3328         tsec = p->security;
3329         tsec->osid = tsec->sid;
3330         tsec->sid = SECINITSID_KERNEL;
3331         return;
3332 }
3333
3334 static void selinux_task_to_inode(struct task_struct *p,
3335                                   struct inode *inode)
3336 {
3337         struct task_security_struct *tsec = p->security;
3338         struct inode_security_struct *isec = inode->i_security;
3339
3340         isec->sid = tsec->sid;
3341         isec->initialized = 1;
3342         return;
3343 }
3344
3345 /* Returns error only if unable to parse addresses */
3346 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3347                         struct avc_audit_data *ad, u8 *proto)
3348 {
3349         int offset, ihlen, ret = -EINVAL;
3350         struct iphdr _iph, *ih;
3351
3352         offset = skb_network_offset(skb);
3353         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3354         if (ih == NULL)
3355                 goto out;
3356
3357         ihlen = ih->ihl * 4;
3358         if (ihlen < sizeof(_iph))
3359                 goto out;
3360
3361         ad->u.net.v4info.saddr = ih->saddr;
3362         ad->u.net.v4info.daddr = ih->daddr;
3363         ret = 0;
3364
3365         if (proto)
3366                 *proto = ih->protocol;
3367
3368         switch (ih->protocol) {
3369         case IPPROTO_TCP: {
3370                 struct tcphdr _tcph, *th;
3371
3372                 if (ntohs(ih->frag_off) & IP_OFFSET)
3373                         break;
3374
3375                 offset += ihlen;
3376                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3377                 if (th == NULL)
3378                         break;
3379
3380                 ad->u.net.sport = th->source;
3381                 ad->u.net.dport = th->dest;
3382                 break;
3383         }
3384
3385         case IPPROTO_UDP: {
3386                 struct udphdr _udph, *uh;
3387
3388                 if (ntohs(ih->frag_off) & IP_OFFSET)
3389                         break;
3390
3391                 offset += ihlen;
3392                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3393                 if (uh == NULL)
3394                         break;
3395
3396                 ad->u.net.sport = uh->source;
3397                 ad->u.net.dport = uh->dest;
3398                 break;
3399         }
3400
3401         case IPPROTO_DCCP: {
3402                 struct dccp_hdr _dccph, *dh;
3403
3404                 if (ntohs(ih->frag_off) & IP_OFFSET)
3405                         break;
3406
3407                 offset += ihlen;
3408                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3409                 if (dh == NULL)
3410                         break;
3411
3412                 ad->u.net.sport = dh->dccph_sport;
3413                 ad->u.net.dport = dh->dccph_dport;
3414                 break;
3415         }
3416
3417         default:
3418                 break;
3419         }
3420 out:
3421         return ret;
3422 }
3423
3424 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3425
3426 /* Returns error only if unable to parse addresses */
3427 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3428                         struct avc_audit_data *ad, u8 *proto)
3429 {
3430         u8 nexthdr;
3431         int ret = -EINVAL, offset;
3432         struct ipv6hdr _ipv6h, *ip6;
3433
3434         offset = skb_network_offset(skb);
3435         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3436         if (ip6 == NULL)
3437                 goto out;
3438
3439         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3440         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3441         ret = 0;
3442
3443         nexthdr = ip6->nexthdr;
3444         offset += sizeof(_ipv6h);
3445         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3446         if (offset < 0)
3447                 goto out;
3448
3449         if (proto)
3450                 *proto = nexthdr;
3451
3452         switch (nexthdr) {
3453         case IPPROTO_TCP: {
3454                 struct tcphdr _tcph, *th;
3455
3456                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3457                 if (th == NULL)
3458                         break;
3459
3460                 ad->u.net.sport = th->source;
3461                 ad->u.net.dport = th->dest;
3462                 break;
3463         }
3464
3465         case IPPROTO_UDP: {
3466                 struct udphdr _udph, *uh;
3467
3468                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3469                 if (uh == NULL)
3470                         break;
3471
3472                 ad->u.net.sport = uh->source;
3473                 ad->u.net.dport = uh->dest;
3474                 break;
3475         }
3476
3477         case IPPROTO_DCCP: {
3478                 struct dccp_hdr _dccph, *dh;
3479
3480                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3481                 if (dh == NULL)
3482                         break;
3483
3484                 ad->u.net.sport = dh->dccph_sport;
3485                 ad->u.net.dport = dh->dccph_dport;
3486                 break;
3487         }
3488
3489         /* includes fragments */
3490         default:
3491                 break;
3492         }
3493 out:
3494         return ret;
3495 }
3496
3497 #endif /* IPV6 */
3498
3499 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3500                              char **addrp, int src, u8 *proto)
3501 {
3502         int ret = 0;
3503
3504         switch (ad->u.net.family) {
3505         case PF_INET:
3506                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3507                 if (ret || !addrp)
3508                         break;
3509                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3510                                         &ad->u.net.v4info.daddr);
3511                 break;
3512
3513 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3514         case PF_INET6:
3515                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3516                 if (ret || !addrp)
3517                         break;
3518                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3519                                         &ad->u.net.v6info.daddr);
3520                 break;
3521 #endif  /* IPV6 */
3522         default:
3523                 break;
3524         }
3525
3526         if (unlikely(ret))
3527                 printk(KERN_WARNING
3528                        "SELinux: failure in selinux_parse_skb(),"
3529                        " unable to parse packet\n");
3530
3531         return ret;
3532 }
3533
3534 /**
3535  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3536  * @skb: the packet
3537  * @family: protocol family
3538  * @sid: the packet's peer label SID
3539  *
3540  * Description:
3541  * Check the various different forms of network peer labeling and determine
3542  * the peer label/SID for the packet; most of the magic actually occurs in
3543  * the security server function security_net_peersid_cmp().  The function
3544  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3545  * or -EACCES if @sid is invalid due to inconsistencies with the different
3546  * peer labels.
3547  *
3548  */
3549 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3550 {
3551         int err;
3552         u32 xfrm_sid;
3553         u32 nlbl_sid;
3554         u32 nlbl_type;
3555
3556         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3557         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3558
3559         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3560         if (unlikely(err)) {
3561                 printk(KERN_WARNING
3562                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3563                        " unable to determine packet's peer label\n");
3564                 return -EACCES;
3565         }
3566
3567         return 0;
3568 }
3569
3570 /* socket security operations */
3571 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3572                            u32 perms)
3573 {
3574         struct inode_security_struct *isec;
3575         struct task_security_struct *tsec;
3576         struct avc_audit_data ad;
3577         int err = 0;
3578
3579         tsec = task->security;
3580         isec = SOCK_INODE(sock)->i_security;
3581
3582         if (isec->sid == SECINITSID_KERNEL)
3583                 goto out;
3584
3585         AVC_AUDIT_DATA_INIT(&ad, NET);
3586         ad.u.net.sk = sock->sk;
3587         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3588
3589 out:
3590         return err;
3591 }
3592
3593 static int selinux_socket_create(int family, int type,
3594                                  int protocol, int kern)
3595 {
3596         int err = 0;
3597         struct task_security_struct *tsec;
3598         u32 newsid;
3599
3600         if (kern)
3601                 goto out;
3602
3603         tsec = current->security;
3604         newsid = tsec->sockcreate_sid ? : tsec->sid;
3605         err = avc_has_perm(tsec->sid, newsid,
3606                            socket_type_to_security_class(family, type,
3607                            protocol), SOCKET__CREATE, NULL);
3608
3609 out:
3610         return err;
3611 }
3612
3613 static int selinux_socket_post_create(struct socket *sock, int family,
3614                                       int type, int protocol, int kern)
3615 {
3616         int err = 0;
3617         struct inode_security_struct *isec;
3618         struct task_security_struct *tsec;
3619         struct sk_security_struct *sksec;
3620         u32 newsid;
3621
3622         isec = SOCK_INODE(sock)->i_security;
3623
3624         tsec = current->security;
3625         newsid = tsec->sockcreate_sid ? : tsec->sid;
3626         isec->sclass = socket_type_to_security_class(family, type, protocol);
3627         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3628         isec->initialized = 1;
3629
3630         if (sock->sk) {
3631                 sksec = sock->sk->sk_security;
3632                 sksec->sid = isec->sid;
3633                 sksec->sclass = isec->sclass;
3634                 err = selinux_netlbl_socket_post_create(sock);
3635         }
3636
3637         return err;
3638 }
3639
3640 /* Range of port numbers used to automatically bind.
3641    Need to determine whether we should perform a name_bind
3642    permission check between the socket and the port number. */
3643
3644 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3645 {
3646         u16 family;
3647         int err;
3648
3649         err = socket_has_perm(current, sock, SOCKET__BIND);
3650         if (err)
3651                 goto out;
3652
3653         /*
3654          * If PF_INET or PF_INET6, check name_bind permission for the port.
3655          * Multiple address binding for SCTP is not supported yet: we just
3656          * check the first address now.
3657          */
3658         family = sock->sk->sk_family;
3659         if (family == PF_INET || family == PF_INET6) {
3660                 char *addrp;
3661                 struct inode_security_struct *isec;
3662                 struct task_security_struct *tsec;
3663                 struct avc_audit_data ad;
3664                 struct sockaddr_in *addr4 = NULL;
3665                 struct sockaddr_in6 *addr6 = NULL;
3666                 unsigned short snum;
3667                 struct sock *sk = sock->sk;
3668                 u32 sid, node_perm, addrlen;
3669
3670                 tsec = current->security;
3671                 isec = SOCK_INODE(sock)->i_security;
3672
3673                 if (family == PF_INET) {
3674                         addr4 = (struct sockaddr_in *)address;
3675                         snum = ntohs(addr4->sin_port);
3676                         addrlen = sizeof(addr4->sin_addr.s_addr);
3677                         addrp = (char *)&addr4->sin_addr.s_addr;
3678                 } else {
3679                         addr6 = (struct sockaddr_in6 *)address;
3680                         snum = ntohs(addr6->sin6_port);
3681                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3682                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3683                 }
3684
3685                 if (snum) {
3686                         int low, high;
3687
3688                         inet_get_local_port_range(&low, &high);
3689
3690                         if (snum < max(PROT_SOCK, low) || snum > high) {
3691                                 err = sel_netport_sid(sk->sk_protocol,
3692                                                       snum, &sid);
3693                                 if (err)
3694                                         goto out;
3695                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3696                                 ad.u.net.sport = htons(snum);
3697                                 ad.u.net.family = family;
3698                                 err = avc_has_perm(isec->sid, sid,
3699                                                    isec->sclass,
3700                                                    SOCKET__NAME_BIND, &ad);
3701                                 if (err)
3702                                         goto out;
3703                         }
3704                 }
3705
3706                 switch (isec->sclass) {
3707                 case SECCLASS_TCP_SOCKET:
3708                         node_perm = TCP_SOCKET__NODE_BIND;
3709                         break;
3710
3711                 case SECCLASS_UDP_SOCKET:
3712                         node_perm = UDP_SOCKET__NODE_BIND;
3713                         break;
3714
3715                 case SECCLASS_DCCP_SOCKET:
3716                         node_perm = DCCP_SOCKET__NODE_BIND;
3717                         break;
3718
3719                 default:
3720                         node_perm = RAWIP_SOCKET__NODE_BIND;
3721                         break;
3722                 }
3723
3724                 err = sel_netnode_sid(addrp, family, &sid);
3725                 if (err)
3726                         goto out;
3727
3728                 AVC_AUDIT_DATA_INIT(&ad, NET);
3729                 ad.u.net.sport = htons(snum);
3730                 ad.u.net.family = family;
3731
3732                 if (family == PF_INET)
3733                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3734                 else
3735                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3736
3737                 err = avc_has_perm(isec->sid, sid,
3738                                    isec->sclass, node_perm, &ad);
3739                 if (err)
3740                         goto out;
3741         }
3742 out:
3743         return err;
3744 }
3745
3746 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3747 {
3748         struct inode_security_struct *isec;
3749         int err;
3750
3751         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3752         if (err)
3753                 return err;
3754
3755         /*
3756          * If a TCP or DCCP socket, check name_connect permission for the port.
3757          */
3758         isec = SOCK_INODE(sock)->i_security;
3759         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3760             isec->sclass == SECCLASS_DCCP_SOCKET) {
3761                 struct sock *sk = sock->sk;
3762                 struct avc_audit_data ad;
3763                 struct sockaddr_in *addr4 = NULL;
3764                 struct sockaddr_in6 *addr6 = NULL;
3765                 unsigned short snum;
3766                 u32 sid, perm;
3767
3768                 if (sk->sk_family == PF_INET) {
3769                         addr4 = (struct sockaddr_in *)address;
3770                         if (addrlen < sizeof(struct sockaddr_in))
3771                                 return -EINVAL;
3772                         snum = ntohs(addr4->sin_port);
3773                 } else {
3774                         addr6 = (struct sockaddr_in6 *)address;
3775                         if (addrlen < SIN6_LEN_RFC2133)
3776                                 return -EINVAL;
3777                         snum = ntohs(addr6->sin6_port);
3778                 }
3779
3780                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3781                 if (err)
3782                         goto out;
3783
3784                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3785                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3786
3787                 AVC_AUDIT_DATA_INIT(&ad, NET);
3788                 ad.u.net.dport = htons(snum);
3789                 ad.u.net.family = sk->sk_family;
3790                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3791                 if (err)
3792                         goto out;
3793         }
3794
3795 out:
3796         return err;
3797 }
3798
3799 static int selinux_socket_listen(struct socket *sock, int backlog)
3800 {
3801         return socket_has_perm(current, sock, SOCKET__LISTEN);
3802 }
3803
3804 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3805 {
3806         int err;
3807         struct inode_security_struct *isec;
3808         struct inode_security_struct *newisec;
3809
3810         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3811         if (err)
3812                 return err;
3813
3814         newisec = SOCK_INODE(newsock)->i_security;
3815
3816         isec = SOCK_INODE(sock)->i_security;
3817         newisec->sclass = isec->sclass;
3818         newisec->sid = isec->sid;
3819         newisec->initialized = 1;
3820
3821         return 0;
3822 }
3823
3824 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3825                                   int size)
3826 {
3827         int rc;
3828
3829         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3830         if (rc)
3831                 return rc;
3832
3833         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3834 }
3835
3836 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3837                                   int size, int flags)
3838 {
3839         return socket_has_perm(current, sock, SOCKET__READ);
3840 }
3841
3842 static int selinux_socket_getsockname(struct socket *sock)
3843 {
3844         return socket_has_perm(current, sock, SOCKET__GETATTR);
3845 }
3846
3847 static int selinux_socket_getpeername(struct socket *sock)
3848 {
3849         return socket_has_perm(current, sock, SOCKET__GETATTR);
3850 }
3851
3852 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3853 {
3854         int err;
3855
3856         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3857         if (err)
3858                 return err;
3859
3860         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3861 }
3862
3863 static int selinux_socket_getsockopt(struct socket *sock, int level,
3864                                      int optname)
3865 {
3866         return socket_has_perm(current, sock, SOCKET__GETOPT);
3867 }
3868
3869 static int selinux_socket_shutdown(struct socket *sock, int how)
3870 {
3871         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3872 }
3873
3874 static int selinux_socket_unix_stream_connect(struct socket *sock,
3875                                               struct socket *other,
3876                                               struct sock *newsk)
3877 {
3878         struct sk_security_struct *ssec;
3879         struct inode_security_struct *isec;
3880         struct inode_security_struct *other_isec;
3881         struct avc_audit_data ad;
3882         int err;
3883
3884         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3885         if (err)
3886                 return err;
3887
3888         isec = SOCK_INODE(sock)->i_security;
3889         other_isec = SOCK_INODE(other)->i_security;
3890
3891         AVC_AUDIT_DATA_INIT(&ad, NET);
3892         ad.u.net.sk = other->sk;
3893
3894         err = avc_has_perm(isec->sid, other_isec->sid,
3895                            isec->sclass,
3896                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3897         if (err)
3898                 return err;
3899
3900         /* connecting socket */
3901         ssec = sock->sk->sk_security;
3902         ssec->peer_sid = other_isec->sid;
3903
3904         /* server child socket */
3905         ssec = newsk->sk_security;
3906         ssec->peer_sid = isec->sid;
3907         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3908
3909         return err;
3910 }
3911
3912 static int selinux_socket_unix_may_send(struct socket *sock,
3913                                         struct socket *other)
3914 {
3915         struct inode_security_struct *isec;
3916         struct inode_security_struct *other_isec;
3917         struct avc_audit_data ad;
3918         int err;
3919
3920         isec = SOCK_INODE(sock)->i_security;
3921         other_isec = SOCK_INODE(other)->i_security;
3922
3923         AVC_AUDIT_DATA_INIT(&ad, NET);
3924         ad.u.net.sk = other->sk;
3925
3926         err = avc_has_perm(isec->sid, other_isec->sid,
3927                            isec->sclass, SOCKET__SENDTO, &ad);
3928         if (err)
3929                 return err;
3930
3931         return 0;
3932 }
3933
3934 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3935                                     u32 peer_sid,
3936                                     struct avc_audit_data *ad)
3937 {
3938         int err;
3939         u32 if_sid;
3940         u32 node_sid;
3941
3942         err = sel_netif_sid(ifindex, &if_sid);
3943         if (err)
3944                 return err;
3945         err = avc_has_perm(peer_sid, if_sid,
3946                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3947         if (err)
3948                 return err;
3949
3950         err = sel_netnode_sid(addrp, family, &node_sid);
3951         if (err)
3952                 return err;
3953         return avc_has_perm(peer_sid, node_sid,
3954                             SECCLASS_NODE, NODE__RECVFROM, ad);
3955 }
3956
3957 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3958                                                 struct sk_buff *skb,
3959                                                 struct avc_audit_data *ad,
3960                                                 u16 family,
3961                                                 char *addrp)
3962 {
3963         int err;
3964         struct sk_security_struct *sksec = sk->sk_security;
3965         u16 sk_class;
3966         u32 netif_perm, node_perm, recv_perm;
3967         u32 port_sid, node_sid, if_sid, sk_sid;
3968
3969         sk_sid = sksec->sid;
3970         sk_class = sksec->sclass;
3971
3972         switch (sk_class) {
3973         case SECCLASS_UDP_SOCKET:
3974                 netif_perm = NETIF__UDP_RECV;
3975                 node_perm = NODE__UDP_RECV;
3976                 recv_perm = UDP_SOCKET__RECV_MSG;
3977                 break;
3978         case SECCLASS_TCP_SOCKET:
3979                 netif_perm = NETIF__TCP_RECV;
3980                 node_perm = NODE__TCP_RECV;
3981                 recv_perm = TCP_SOCKET__RECV_MSG;
3982                 break;
3983         case SECCLASS_DCCP_SOCKET:
3984                 netif_perm = NETIF__DCCP_RECV;
3985                 node_perm = NODE__DCCP_RECV;
3986                 recv_perm = DCCP_SOCKET__RECV_MSG;
3987                 break;
3988         default:
3989                 netif_perm = NETIF__RAWIP_RECV;
3990                 node_perm = NODE__RAWIP_RECV;
3991                 recv_perm = 0;
3992                 break;
3993         }
3994
3995         err = sel_netif_sid(skb->iif, &if_sid);
3996         if (err)
3997                 return err;
3998         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3999         if (err)
4000                 return err;
4001
4002         err = sel_netnode_sid(addrp, family, &node_sid);
4003         if (err)
4004                 return err;
4005         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4006         if (err)
4007                 return err;
4008
4009         if (!recv_perm)
4010                 return 0;
4011         err = sel_netport_sid(sk->sk_protocol,
4012                               ntohs(ad->u.net.sport), &port_sid);
4013         if (unlikely(err)) {
4014                 printk(KERN_WARNING
4015                        "SELinux: failure in"
4016                        " selinux_sock_rcv_skb_iptables_compat(),"
4017                        " network port label not found\n");
4018                 return err;
4019         }
4020         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4021 }
4022
4023 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4024                                        struct avc_audit_data *ad,
4025                                        u16 family, char *addrp)
4026 {
4027         int err;
4028         struct sk_security_struct *sksec = sk->sk_security;
4029         u32 peer_sid;
4030         u32 sk_sid = sksec->sid;
4031
4032         if (selinux_compat_net)
4033                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4034                                                            family, addrp);
4035         else
4036                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4037                                    PACKET__RECV, ad);
4038         if (err)
4039                 return err;
4040
4041         if (selinux_policycap_netpeer) {
4042                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4043                 if (err)
4044                         return err;
4045                 err = avc_has_perm(sk_sid, peer_sid,
4046                                    SECCLASS_PEER, PEER__RECV, ad);
4047         } else {
4048                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4049                 if (err)
4050                         return err;
4051                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4052         }
4053
4054         return err;
4055 }
4056
4057 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4058 {
4059         int err;
4060         struct sk_security_struct *sksec = sk->sk_security;
4061         u16 family = sk->sk_family;
4062         u32 sk_sid = sksec->sid;
4063         struct avc_audit_data ad;
4064         char *addrp;
4065
4066         if (family != PF_INET && family != PF_INET6)
4067                 return 0;
4068
4069         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4070         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4071                 family = PF_INET;
4072
4073         AVC_AUDIT_DATA_INIT(&ad, NET);
4074         ad.u.net.netif = skb->iif;
4075         ad.u.net.family = family;
4076         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4077         if (err)
4078                 return err;
4079
4080         /* If any sort of compatibility mode is enabled then handoff processing
4081          * to the selinux_sock_rcv_skb_compat() function to deal with the
4082          * special handling.  We do this in an attempt to keep this function
4083          * as fast and as clean as possible. */
4084         if (selinux_compat_net || !selinux_policycap_netpeer)
4085                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4086                                                    family, addrp);
4087
4088         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4089                 u32 peer_sid;
4090
4091                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4092                 if (err)
4093                         return err;
4094                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4095                                                peer_sid, &ad);
4096                 if (err)
4097                         return err;
4098                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4099                                    PEER__RECV, &ad);
4100         }
4101
4102         if (selinux_secmark_enabled()) {
4103                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4104                                    PACKET__RECV, &ad);
4105                 if (err)
4106                         return err;
4107         }
4108
4109         return err;
4110 }
4111
4112 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4113                                             int __user *optlen, unsigned len)
4114 {
4115         int err = 0;
4116         char *scontext;
4117         u32 scontext_len;
4118         struct sk_security_struct *ssec;
4119         struct inode_security_struct *isec;
4120         u32 peer_sid = SECSID_NULL;
4121
4122         isec = SOCK_INODE(sock)->i_security;
4123
4124         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4125             isec->sclass == SECCLASS_TCP_SOCKET) {
4126                 ssec = sock->sk->sk_security;
4127                 peer_sid = ssec->peer_sid;
4128         }
4129         if (peer_sid == SECSID_NULL) {
4130                 err = -ENOPROTOOPT;
4131                 goto out;
4132         }
4133
4134         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4135
4136         if (err)
4137                 goto out;
4138
4139         if (scontext_len > len) {
4140                 err = -ERANGE;
4141                 goto out_len;
4142         }
4143
4144         if (copy_to_user(optval, scontext, scontext_len))
4145                 err = -EFAULT;
4146
4147 out_len:
4148         if (put_user(scontext_len, optlen))
4149                 err = -EFAULT;
4150
4151         kfree(scontext);
4152 out:
4153         return err;
4154 }
4155
4156 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4157 {
4158         u32 peer_secid = SECSID_NULL;
4159         u16 family;
4160
4161         if (sock)
4162                 family = sock->sk->sk_family;
4163         else if (skb && skb->sk)
4164                 family = skb->sk->sk_family;
4165         else
4166                 goto out;
4167
4168         if (sock && family == PF_UNIX)
4169                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4170         else if (skb)
4171                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4172
4173 out:
4174         *secid = peer_secid;
4175         if (peer_secid == SECSID_NULL)
4176                 return -EINVAL;
4177         return 0;
4178 }
4179
4180 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4181 {
4182         return sk_alloc_security(sk, family, priority);
4183 }
4184
4185 static void selinux_sk_free_security(struct sock *sk)
4186 {
4187         sk_free_security(sk);
4188 }
4189
4190 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4191 {
4192         struct sk_security_struct *ssec = sk->sk_security;
4193         struct sk_security_struct *newssec = newsk->sk_security;
4194
4195         newssec->sid = ssec->sid;
4196         newssec->peer_sid = ssec->peer_sid;
4197         newssec->sclass = ssec->sclass;
4198
4199         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4200 }
4201
4202 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4203 {
4204         if (!sk)
4205                 *secid = SECINITSID_ANY_SOCKET;
4206         else {
4207                 struct sk_security_struct *sksec = sk->sk_security;
4208
4209                 *secid = sksec->sid;
4210         }
4211 }
4212
4213 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4214 {
4215         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4216         struct sk_security_struct *sksec = sk->sk_security;
4217
4218         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4219             sk->sk_family == PF_UNIX)
4220                 isec->sid = sksec->sid;
4221         sksec->sclass = isec->sclass;
4222
4223         selinux_netlbl_sock_graft(sk, parent);
4224 }
4225
4226 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4227                                      struct request_sock *req)
4228 {
4229         struct sk_security_struct *sksec = sk->sk_security;
4230         int err;
4231         u32 newsid;
4232         u32 peersid;
4233
4234         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4235         if (err)
4236                 return err;
4237         if (peersid == SECSID_NULL) {
4238                 req->secid = sksec->sid;
4239                 req->peer_secid = SECSID_NULL;
4240                 return 0;
4241         }
4242
4243         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4244         if (err)
4245                 return err;
4246
4247         req->secid = newsid;
4248         req->peer_secid = peersid;
4249         return 0;
4250 }
4251
4252 static void selinux_inet_csk_clone(struct sock *newsk,
4253                                    const struct request_sock *req)
4254 {
4255         struct sk_security_struct *newsksec = newsk->sk_security;
4256
4257         newsksec->sid = req->secid;
4258         newsksec->peer_sid = req->peer_secid;
4259         /* NOTE: Ideally, we should also get the isec->sid for the
4260            new socket in sync, but we don't have the isec available yet.
4261            So we will wait until sock_graft to do it, by which
4262            time it will have been created and available. */
4263
4264         /* We don't need to take any sort of lock here as we are the only
4265          * thread with access to newsksec */
4266         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4267 }
4268
4269 static void selinux_inet_conn_established(struct sock *sk,
4270                                 struct sk_buff *skb)
4271 {
4272         struct sk_security_struct *sksec = sk->sk_security;
4273
4274         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4275 }
4276
4277 static void selinux_req_classify_flow(const struct request_sock *req,
4278                                       struct flowi *fl)
4279 {
4280         fl->secid = req->secid;
4281 }
4282
4283 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4284 {
4285         int err = 0;
4286         u32 perm;
4287         struct nlmsghdr *nlh;
4288         struct socket *sock = sk->sk_socket;
4289         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4290
4291         if (skb->len < NLMSG_SPACE(0)) {
4292                 err = -EINVAL;
4293                 goto out;
4294         }
4295         nlh = nlmsg_hdr(skb);
4296
4297         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4298         if (err) {
4299                 if (err == -EINVAL) {
4300                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4301                                   "SELinux:  unrecognized netlink message"
4302                                   " type=%hu for sclass=%hu\n",
4303                                   nlh->nlmsg_type, isec->sclass);
4304                         if (!selinux_enforcing)
4305                                 err = 0;
4306                 }
4307
4308                 /* Ignore */
4309                 if (err == -ENOENT)
4310                         err = 0;
4311                 goto out;
4312         }
4313
4314         err = socket_has_perm(current, sock, perm);
4315 out:
4316         return err;
4317 }
4318
4319 #ifdef CONFIG_NETFILTER
4320
4321 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4322                                        u16 family)
4323 {
4324         char *addrp;
4325         u32 peer_sid;
4326         struct avc_audit_data ad;
4327         u8 secmark_active;
4328         u8 peerlbl_active;
4329
4330         if (!selinux_policycap_netpeer)
4331                 return NF_ACCEPT;
4332
4333         secmark_active = selinux_secmark_enabled();
4334         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4335         if (!secmark_active && !peerlbl_active)
4336                 return NF_ACCEPT;
4337
4338         AVC_AUDIT_DATA_INIT(&ad, NET);
4339         ad.u.net.netif = ifindex;
4340         ad.u.net.family = family;
4341         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4342                 return NF_DROP;
4343
4344         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4345                 return NF_DROP;
4346
4347         if (peerlbl_active)
4348                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4349                                              peer_sid, &ad) != 0)
4350                         return NF_DROP;
4351
4352         if (secmark_active)
4353                 if (avc_has_perm(peer_sid, skb->secmark,
4354                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4355                         return NF_DROP;
4356
4357         return NF_ACCEPT;
4358 }
4359
4360 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4361                                          struct sk_buff *skb,
4362                                          const struct net_device *in,
4363                                          const struct net_device *out,
4364                                          int (*okfn)(struct sk_buff *))
4365 {
4366         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4367 }
4368
4369 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4370 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4371                                          struct sk_buff *skb,
4372                                          const struct net_device *in,
4373                                          const struct net_device *out,
4374                                          int (*okfn)(struct sk_buff *))
4375 {
4376         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4377 }
4378 #endif  /* IPV6 */
4379
4380 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4381                                                 int ifindex,
4382                                                 struct avc_audit_data *ad,
4383                                                 u16 family, char *addrp)
4384 {
4385         int err;
4386         struct sk_security_struct *sksec = sk->sk_security;
4387         u16 sk_class;
4388         u32 netif_perm, node_perm, send_perm;
4389         u32 port_sid, node_sid, if_sid, sk_sid;
4390
4391         sk_sid = sksec->sid;
4392         sk_class = sksec->sclass;
4393
4394         switch (sk_class) {
4395         case SECCLASS_UDP_SOCKET:
4396                 netif_perm = NETIF__UDP_SEND;
4397                 node_perm = NODE__UDP_SEND;
4398                 send_perm = UDP_SOCKET__SEND_MSG;
4399                 break;
4400         case SECCLASS_TCP_SOCKET:
4401                 netif_perm = NETIF__TCP_SEND;
4402                 node_perm = NODE__TCP_SEND;
4403                 send_perm = TCP_SOCKET__SEND_MSG;
4404                 break;
4405         case SECCLASS_DCCP_SOCKET:
4406                 netif_perm = NETIF__DCCP_SEND;
4407                 node_perm = NODE__DCCP_SEND;
4408                 send_perm = DCCP_SOCKET__SEND_MSG;
4409                 break;
4410         default:
4411                 netif_perm = NETIF__RAWIP_SEND;
4412                 node_perm = NODE__RAWIP_SEND;
4413                 send_perm = 0;
4414                 break;
4415         }
4416
4417         err = sel_netif_sid(ifindex, &if_sid);
4418         if (err)
4419                 return err;
4420         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4421                 return err;
4422
4423         err = sel_netnode_sid(addrp, family, &node_sid);
4424         if (err)
4425                 return err;
4426         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4427         if (err)
4428                 return err;
4429
4430         if (send_perm != 0)
4431                 return 0;
4432
4433         err = sel_netport_sid(sk->sk_protocol,
4434                               ntohs(ad->u.net.dport), &port_sid);
4435         if (unlikely(err)) {
4436                 printk(KERN_WARNING
4437                        "SELinux: failure in"
4438                        " selinux_ip_postroute_iptables_compat(),"
4439                        " network port label not found\n");
4440                 return err;
4441         }
4442         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4443 }
4444
4445 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4446                                                 int ifindex,
4447                                                 struct avc_audit_data *ad,
4448                                                 u16 family,
4449                                                 char *addrp,
4450                                                 u8 proto)
4451 {
4452         struct sock *sk = skb->sk;
4453         struct sk_security_struct *sksec;
4454
4455         if (sk == NULL)
4456                 return NF_ACCEPT;
4457         sksec = sk->sk_security;
4458
4459         if (selinux_compat_net) {
4460                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4461                                                          ad, family, addrp))
4462                         return NF_DROP;
4463         } else {
4464                 if (avc_has_perm(sksec->sid, skb->secmark,
4465                                  SECCLASS_PACKET, PACKET__SEND, ad))
4466                         return NF_DROP;
4467         }
4468
4469         if (selinux_policycap_netpeer)
4470                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4471                         return NF_DROP;
4472
4473         return NF_ACCEPT;
4474 }
4475
4476 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4477                                          u16 family)
4478 {
4479         u32 secmark_perm;
4480         u32 peer_sid;
4481         struct sock *sk;
4482         struct avc_audit_data ad;
4483         char *addrp;
4484         u8 proto;
4485         u8 secmark_active;
4486         u8 peerlbl_active;
4487
4488         AVC_AUDIT_DATA_INIT(&ad, NET);
4489         ad.u.net.netif = ifindex;
4490         ad.u.net.family = family;
4491         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4492                 return NF_DROP;
4493
4494         /* If any sort of compatibility mode is enabled then handoff processing
4495          * to the selinux_ip_postroute_compat() function to deal with the
4496          * special handling.  We do this in an attempt to keep this function
4497          * as fast and as clean as possible. */
4498         if (selinux_compat_net || !selinux_policycap_netpeer)
4499                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4500                                                    family, addrp, proto);
4501
4502         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4503          * packet transformation so allow the packet to pass without any checks
4504          * since we'll have another chance to perform access control checks
4505          * when the packet is on it's final way out.
4506          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4507          *       is NULL, in this case go ahead and apply access control. */
4508         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4509                 return NF_ACCEPT;
4510
4511         secmark_active = selinux_secmark_enabled();
4512         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4513         if (!secmark_active && !peerlbl_active)
4514                 return NF_ACCEPT;
4515
4516         /* if the packet is locally generated (skb->sk != NULL) then use the
4517          * socket's label as the peer label, otherwise the packet is being
4518          * forwarded through this system and we need to fetch the peer label
4519          * directly from the packet */
4520         sk = skb->sk;
4521         if (sk) {
4522                 struct sk_security_struct *sksec = sk->sk_security;
4523                 peer_sid = sksec->sid;
4524                 secmark_perm = PACKET__SEND;
4525         } else {
4526                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4527                                 return NF_DROP;
4528                 secmark_perm = PACKET__FORWARD_OUT;
4529         }
4530
4531         if (secmark_active)
4532                 if (avc_has_perm(peer_sid, skb->secmark,
4533                                  SECCLASS_PACKET, secmark_perm, &ad))
4534                         return NF_DROP;
4535
4536         if (peerlbl_active) {
4537                 u32 if_sid;
4538                 u32 node_sid;
4539
4540                 if (sel_netif_sid(ifindex, &if_sid))
4541                         return NF_DROP;
4542                 if (avc_has_perm(peer_sid, if_sid,
4543                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4544                         return NF_DROP;
4545
4546                 if (sel_netnode_sid(addrp, family, &node_sid))
4547                         return NF_DROP;
4548                 if (avc_has_perm(peer_sid, node_sid,
4549                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4550                         return NF_DROP;
4551         }
4552
4553         return NF_ACCEPT;
4554 }
4555
4556 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4557                                            struct sk_buff *skb,
4558                                            const struct net_device *in,
4559                                            const struct net_device *out,
4560                                            int (*okfn)(struct sk_buff *))
4561 {
4562         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4563 }
4564
4565 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4566 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4567                                            struct sk_buff *skb,
4568                                            const struct net_device *in,
4569                                            const struct net_device *out,
4570                                            int (*okfn)(struct sk_buff *))
4571 {
4572         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4573 }
4574 #endif  /* IPV6 */
4575
4576 #endif  /* CONFIG_NETFILTER */
4577
4578 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4579 {
4580         int err;
4581
4582         err = secondary_ops->netlink_send(sk, skb);
4583         if (err)
4584                 return err;
4585
4586         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4587                 err = selinux_nlmsg_perm(sk, skb);
4588
4589         return err;
4590 }
4591
4592 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4593 {
4594         int err;
4595         struct avc_audit_data ad;
4596
4597         err = secondary_ops->netlink_recv(skb, capability);
4598         if (err)
4599                 return err;
4600
4601         AVC_AUDIT_DATA_INIT(&ad, CAP);
4602         ad.u.cap = capability;
4603
4604         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4605                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4606 }
4607
4608 static int ipc_alloc_security(struct task_struct *task,
4609                               struct kern_ipc_perm *perm,
4610                               u16 sclass)
4611 {
4612         struct task_security_struct *tsec = task->security;
4613         struct ipc_security_struct *isec;
4614
4615         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4616         if (!isec)
4617                 return -ENOMEM;
4618
4619         isec->sclass = sclass;
4620         isec->sid = tsec->sid;
4621         perm->security = isec;
4622
4623         return 0;
4624 }
4625
4626 static void ipc_free_security(struct kern_ipc_perm *perm)
4627 {
4628         struct ipc_security_struct *isec = perm->security;
4629         perm->security = NULL;
4630         kfree(isec);
4631 }
4632
4633 static int msg_msg_alloc_security(struct msg_msg *msg)
4634 {
4635         struct msg_security_struct *msec;
4636
4637         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4638         if (!msec)
4639                 return -ENOMEM;
4640
4641         msec->sid = SECINITSID_UNLABELED;
4642         msg->security = msec;
4643
4644         return 0;
4645 }
4646
4647 static void msg_msg_free_security(struct msg_msg *msg)
4648 {
4649         struct msg_security_struct *msec = msg->security;
4650
4651         msg->security = NULL;
4652         kfree(msec);
4653 }
4654
4655 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4656                         u32 perms)
4657 {
4658         struct task_security_struct *tsec;
4659         struct ipc_security_struct *isec;
4660         struct avc_audit_data ad;
4661
4662         tsec = current->security;
4663         isec = ipc_perms->security;
4664
4665         AVC_AUDIT_DATA_INIT(&ad, IPC);
4666         ad.u.ipc_id = ipc_perms->key;
4667
4668         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4669 }
4670
4671 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4672 {
4673         return msg_msg_alloc_security(msg);
4674 }
4675
4676 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4677 {
4678         msg_msg_free_security(msg);
4679 }
4680
4681 /* message queue security operations */
4682 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4683 {
4684         struct task_security_struct *tsec;
4685         struct ipc_security_struct *isec;
4686         struct avc_audit_data ad;
4687         int rc;
4688
4689         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4690         if (rc)
4691                 return rc;
4692
4693         tsec = current->security;
4694         isec = msq->q_perm.security;
4695
4696         AVC_AUDIT_DATA_INIT(&ad, IPC);
4697         ad.u.ipc_id = msq->q_perm.key;
4698
4699         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4700                           MSGQ__CREATE, &ad);
4701         if (rc) {
4702                 ipc_free_security(&msq->q_perm);
4703                 return rc;
4704         }
4705         return 0;
4706 }
4707
4708 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4709 {
4710         ipc_free_security(&msq->q_perm);
4711 }
4712
4713 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4714 {
4715         struct task_security_struct *tsec;
4716         struct ipc_security_struct *isec;
4717         struct avc_audit_data ad;
4718
4719         tsec = current->security;
4720         isec = msq->q_perm.security;
4721
4722         AVC_AUDIT_DATA_INIT(&ad, IPC);
4723         ad.u.ipc_id = msq->q_perm.key;
4724
4725         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4726                             MSGQ__ASSOCIATE, &ad);
4727 }
4728
4729 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4730 {
4731         int err;
4732         int perms;
4733
4734         switch (cmd) {
4735         case IPC_INFO:
4736         case MSG_INFO:
4737                 /* No specific object, just general system-wide information. */
4738                 return task_has_system(current, SYSTEM__IPC_INFO);
4739         case IPC_STAT:
4740         case MSG_STAT:
4741                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4742                 break;
4743         case IPC_SET:
4744                 perms = MSGQ__SETATTR;
4745                 break;
4746         case IPC_RMID:
4747                 perms = MSGQ__DESTROY;
4748                 break;
4749         default:
4750                 return 0;
4751         }
4752
4753         err = ipc_has_perm(&msq->q_perm, perms);
4754         return err;
4755 }
4756
4757 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4758 {
4759         struct task_security_struct *tsec;
4760         struct ipc_security_struct *isec;
4761         struct msg_security_struct *msec;
4762         struct avc_audit_data ad;
4763         int rc;
4764
4765         tsec = current->security;
4766         isec = msq->q_perm.security;
4767         msec = msg->security;
4768
4769         /*
4770          * First time through, need to assign label to the message
4771          */
4772         if (msec->sid == SECINITSID_UNLABELED) {
4773                 /*
4774                  * Compute new sid based on current process and
4775                  * message queue this message will be stored in
4776                  */
4777                 rc = security_transition_sid(tsec->sid,
4778                                              isec->sid,
4779                                              SECCLASS_MSG,
4780                                              &msec->sid);
4781                 if (rc)
4782                         return rc;
4783         }
4784
4785         AVC_AUDIT_DATA_INIT(&ad, IPC);
4786         ad.u.ipc_id = msq->q_perm.key;
4787
4788         /* Can this process write to the queue? */
4789         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4790                           MSGQ__WRITE, &ad);
4791         if (!rc)
4792                 /* Can this process send the message */
4793                 rc = avc_has_perm(tsec->sid, msec->sid,
4794                                   SECCLASS_MSG, MSG__SEND, &ad);
4795         if (!rc)
4796                 /* Can the message be put in the queue? */
4797                 rc = avc_has_perm(msec->sid, isec->sid,
4798                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4799
4800         return rc;
4801 }
4802
4803 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4804                                     struct task_struct *target,
4805                                     long type, int mode)
4806 {
4807         struct task_security_struct *tsec;
4808         struct ipc_security_struct *isec;
4809         struct msg_security_struct *msec;
4810         struct avc_audit_data ad;
4811         int rc;
4812
4813         tsec = target->security;
4814         isec = msq->q_perm.security;
4815         msec = msg->security;
4816
4817         AVC_AUDIT_DATA_INIT(&ad, IPC);
4818         ad.u.ipc_id = msq->q_perm.key;
4819
4820         rc = avc_has_perm(tsec->sid, isec->sid,
4821                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4822         if (!rc)
4823                 rc = avc_has_perm(tsec->sid, msec->sid,
4824                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4825         return rc;
4826 }
4827
4828 /* Shared Memory security operations */
4829 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4830 {
4831         struct task_security_struct *tsec;
4832         struct ipc_security_struct *isec;
4833         struct avc_audit_data ad;
4834         int rc;
4835
4836         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4837         if (rc)
4838                 return rc;
4839
4840         tsec = current->security;
4841         isec = shp->shm_perm.security;
4842
4843         AVC_AUDIT_DATA_INIT(&ad, IPC);
4844         ad.u.ipc_id = shp->shm_perm.key;
4845
4846         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4847                           SHM__CREATE, &ad);
4848         if (rc) {
4849                 ipc_free_security(&shp->shm_perm);
4850                 return rc;
4851         }
4852         return 0;
4853 }
4854
4855 static void selinux_shm_free_security(struct shmid_kernel *shp)
4856 {
4857         ipc_free_security(&shp->shm_perm);
4858 }
4859
4860 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4861 {
4862         struct task_security_struct *tsec;
4863         struct ipc_security_struct *isec;
4864         struct avc_audit_data ad;
4865
4866         tsec = current->security;
4867         isec = shp->shm_perm.security;
4868
4869         AVC_AUDIT_DATA_INIT(&ad, IPC);
4870         ad.u.ipc_id = shp->shm_perm.key;
4871
4872         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4873                             SHM__ASSOCIATE, &ad);
4874 }
4875
4876 /* Note, at this point, shp is locked down */
4877 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4878 {
4879         int perms;
4880         int err;
4881
4882         switch (cmd) {
4883         case IPC_INFO:
4884         case SHM_INFO:
4885                 /* No specific object, just general system-wide information. */
4886                 return task_has_system(current, SYSTEM__IPC_INFO);
4887         case IPC_STAT:
4888         case SHM_STAT:
4889                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4890                 break;
4891         case IPC_SET:
4892                 perms = SHM__SETATTR;
4893                 break;
4894         case SHM_LOCK:
4895         case SHM_UNLOCK:
4896                 perms = SHM__LOCK;
4897                 break;
4898         case IPC_RMID:
4899                 perms = SHM__DESTROY;
4900                 break;
4901         default:
4902                 return 0;
4903         }
4904
4905         err = ipc_has_perm(&shp->shm_perm, perms);
4906         return err;
4907 }
4908
4909 static int selinux_shm_shmat(struct shmid_kernel *shp,
4910                              char __user *shmaddr, int shmflg)
4911 {
4912         u32 perms;
4913         int rc;
4914
4915         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4916         if (rc)
4917                 return rc;
4918
4919         if (shmflg & SHM_RDONLY)
4920                 perms = SHM__READ;
4921         else
4922                 perms = SHM__READ | SHM__WRITE;
4923
4924         return ipc_has_perm(&shp->shm_perm, perms);
4925 }
4926
4927 /* Semaphore security operations */
4928 static int selinux_sem_alloc_security(struct sem_array *sma)
4929 {
4930         struct task_security_struct *tsec;
4931         struct ipc_security_struct *isec;
4932         struct avc_audit_data ad;
4933         int rc;
4934
4935         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4936         if (rc)
4937                 return rc;
4938
4939         tsec = current->security;
4940         isec = sma->sem_perm.security;
4941
4942         AVC_AUDIT_DATA_INIT(&ad, IPC);
4943         ad.u.ipc_id = sma->sem_perm.key;
4944
4945         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4946                           SEM__CREATE, &ad);
4947         if (rc) {
4948                 ipc_free_security(&sma->sem_perm);
4949                 return rc;
4950         }
4951         return 0;
4952 }
4953
4954 static void selinux_sem_free_security(struct sem_array *sma)
4955 {
4956         ipc_free_security(&sma->sem_perm);
4957 }
4958
4959 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4960 {
4961         struct task_security_struct *tsec;
4962         struct ipc_security_struct *isec;
4963         struct avc_audit_data ad;
4964
4965         tsec = current->security;
4966         isec = sma->sem_perm.security;
4967
4968         AVC_AUDIT_DATA_INIT(&ad, IPC);
4969         ad.u.ipc_id = sma->sem_perm.key;
4970
4971         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4972                             SEM__ASSOCIATE, &ad);
4973 }
4974
4975 /* Note, at this point, sma is locked down */
4976 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4977 {
4978         int err;
4979         u32 perms;
4980
4981         switch (cmd) {
4982         case IPC_INFO:
4983         case SEM_INFO:
4984                 /* No specific object, just general system-wide information. */
4985                 return task_has_system(current, SYSTEM__IPC_INFO);
4986         case GETPID:
4987         case GETNCNT:
4988         case GETZCNT:
4989                 perms = SEM__GETATTR;
4990                 break;
4991         case GETVAL:
4992         case GETALL:
4993                 perms = SEM__READ;
4994                 break;
4995         case SETVAL:
4996         case SETALL:
4997                 perms = SEM__WRITE;
4998                 break;
4999         case IPC_RMID:
5000                 perms = SEM__DESTROY;
5001                 break;
5002         case IPC_SET:
5003                 perms = SEM__SETATTR;
5004                 break;
5005         case IPC_STAT:
5006         case SEM_STAT:
5007                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5008                 break;
5009         default:
5010                 return 0;
5011         }
5012
5013         err = ipc_has_perm(&sma->sem_perm, perms);
5014         return err;
5015 }
5016
5017 static int selinux_sem_semop(struct sem_array *sma,
5018                              struct sembuf *sops, unsigned nsops, int alter)
5019 {
5020         u32 perms;
5021
5022         if (alter)
5023                 perms = SEM__READ | SEM__WRITE;
5024         else
5025                 perms = SEM__READ;
5026
5027         return ipc_has_perm(&sma->sem_perm, perms);
5028 }
5029
5030 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5031 {
5032         u32 av = 0;
5033
5034         av = 0;
5035         if (flag & S_IRUGO)
5036                 av |= IPC__UNIX_READ;
5037         if (flag & S_IWUGO)
5038                 av |= IPC__UNIX_WRITE;
5039
5040         if (av == 0)
5041                 return 0;
5042
5043         return ipc_has_perm(ipcp, av);
5044 }
5045
5046 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5047 {
5048         struct ipc_security_struct *isec = ipcp->security;
5049         *secid = isec->sid;
5050 }
5051
5052 /* module stacking operations */
5053 static int selinux_register_security(const char *name, struct security_operations *ops)
5054 {
5055         if (secondary_ops != original_ops) {
5056                 printk(KERN_ERR "%s:  There is already a secondary security "
5057                        "module registered.\n", __func__);
5058                 return -EINVAL;
5059         }
5060
5061         secondary_ops = ops;
5062
5063         printk(KERN_INFO "%s:  Registering secondary module %s\n",
5064                __func__,
5065                name);
5066
5067         return 0;
5068 }
5069
5070 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5071 {
5072         if (inode)
5073                 inode_doinit_with_dentry(inode, dentry);
5074 }
5075
5076 static int selinux_getprocattr(struct task_struct *p,
5077                                char *name, char **value)
5078 {
5079         struct task_security_struct *tsec;
5080         u32 sid;
5081         int error;
5082         unsigned len;
5083
5084         if (current != p) {
5085                 error = task_has_perm(current, p, PROCESS__GETATTR);
5086                 if (error)
5087                         return error;
5088         }
5089
5090         tsec = p->security;
5091
5092         if (!strcmp(name, "current"))
5093                 sid = tsec->sid;
5094         else if (!strcmp(name, "prev"))
5095                 sid = tsec->osid;
5096         else if (!strcmp(name, "exec"))
5097                 sid = tsec->exec_sid;
5098         else if (!strcmp(name, "fscreate"))
5099                 sid = tsec->create_sid;
5100         else if (!strcmp(name, "keycreate"))
5101                 sid = tsec->keycreate_sid;
5102         else if (!strcmp(name, "sockcreate"))
5103                 sid = tsec->sockcreate_sid;
5104         else
5105                 return -EINVAL;
5106
5107         if (!sid)
5108                 return 0;
5109
5110         error = security_sid_to_context(sid, value, &len);
5111         if (error)
5112                 return error;
5113         return len;
5114 }
5115
5116 static int selinux_setprocattr(struct task_struct *p,
5117                                char *name, void *value, size_t size)
5118 {
5119         struct task_security_struct *tsec;
5120         struct task_struct *tracer;
5121         u32 sid = 0;
5122         int error;
5123         char *str = value;
5124
5125         if (current != p) {
5126                 /* SELinux only allows a process to change its own
5127                    security attributes. */
5128                 return -EACCES;
5129         }
5130
5131         /*
5132          * Basic control over ability to set these attributes at all.
5133          * current == p, but we'll pass them separately in case the
5134          * above restriction is ever removed.
5135          */
5136         if (!strcmp(name, "exec"))
5137                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5138         else if (!strcmp(name, "fscreate"))
5139                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5140         else if (!strcmp(name, "keycreate"))
5141                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5142         else if (!strcmp(name, "sockcreate"))
5143                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5144         else if (!strcmp(name, "current"))
5145                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5146         else
5147                 error = -EINVAL;
5148         if (error)
5149                 return error;
5150
5151         /* Obtain a SID for the context, if one was specified. */
5152         if (size && str[1] && str[1] != '\n') {
5153                 if (str[size-1] == '\n') {
5154                         str[size-1] = 0;
5155                         size--;
5156                 }
5157                 error = security_context_to_sid(value, size, &sid);
5158                 if (error)
5159                         return error;
5160         }
5161
5162         /* Permission checking based on the specified context is
5163            performed during the actual operation (execve,
5164            open/mkdir/...), when we know the full context of the
5165            operation.  See selinux_bprm_set_security for the execve
5166            checks and may_create for the file creation checks. The
5167            operation will then fail if the context is not permitted. */
5168         tsec = p->security;
5169         if (!strcmp(name, "exec"))
5170                 tsec->exec_sid = sid;
5171         else if (!strcmp(name, "fscreate"))
5172                 tsec->create_sid = sid;
5173         else if (!strcmp(name, "keycreate")) {
5174                 error = may_create_key(sid, p);
5175                 if (error)
5176                         return error;
5177                 tsec->keycreate_sid = sid;
5178         } else if (!strcmp(name, "sockcreate"))
5179                 tsec->sockcreate_sid = sid;
5180         else if (!strcmp(name, "current")) {
5181                 struct av_decision avd;
5182
5183                 if (sid == 0)
5184                         return -EINVAL;
5185
5186                 /* Only allow single threaded processes to change context */
5187                 if (atomic_read(&p->mm->mm_users) != 1) {
5188                         struct task_struct *g, *t;
5189                         struct mm_struct *mm = p->mm;
5190                         read_lock(&tasklist_lock);
5191                         do_each_thread(g, t)
5192                                 if (t->mm == mm && t != p) {
5193                                         read_unlock(&tasklist_lock);
5194                                         return -EPERM;
5195                                 }
5196                         while_each_thread(g, t);
5197                         read_unlock(&tasklist_lock);
5198                 }
5199
5200                 /* Check permissions for the transition. */
5201                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5202                                      PROCESS__DYNTRANSITION, NULL);
5203                 if (error)
5204                         return error;
5205
5206                 /* Check for ptracing, and update the task SID if ok.
5207                    Otherwise, leave SID unchanged and fail. */
5208                 task_lock(p);
5209                 rcu_read_lock();
5210                 tracer = task_tracer_task(p);
5211                 if (tracer != NULL) {
5212                         struct task_security_struct *ptsec = tracer->security;
5213                         u32 ptsid = ptsec->sid;
5214                         rcu_read_unlock();
5215                         error = avc_has_perm_noaudit(ptsid, sid,
5216                                                      SECCLASS_PROCESS,
5217                                                      PROCESS__PTRACE, 0, &avd);
5218                         if (!error)
5219                                 tsec->sid = sid;
5220                         task_unlock(p);
5221                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
5222                                   PROCESS__PTRACE, &avd, error, NULL);
5223                         if (error)
5224                                 return error;
5225                 } else {
5226                         rcu_read_unlock();
5227                         tsec->sid = sid;
5228                         task_unlock(p);
5229                 }
5230         } else
5231                 return -EINVAL;
5232
5233         return size;
5234 }
5235
5236 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5237 {
5238         return security_sid_to_context(secid, secdata, seclen);
5239 }
5240
5241 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5242 {
5243         return security_context_to_sid(secdata, seclen, secid);
5244 }
5245
5246 static void selinux_release_secctx(char *secdata, u32 seclen)
5247 {
5248         kfree(secdata);
5249 }
5250
5251 #ifdef CONFIG_KEYS
5252
5253 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5254                              unsigned long flags)
5255 {
5256         struct task_security_struct *tsec = tsk->security;
5257         struct key_security_struct *ksec;
5258
5259         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5260         if (!ksec)
5261                 return -ENOMEM;
5262
5263         if (tsec->keycreate_sid)
5264                 ksec->sid = tsec->keycreate_sid;
5265         else
5266                 ksec->sid = tsec->sid;
5267         k->security = ksec;
5268
5269         return 0;
5270 }
5271
5272 static void selinux_key_free(struct key *k)
5273 {
5274         struct key_security_struct *ksec = k->security;
5275
5276         k->security = NULL;
5277         kfree(ksec);
5278 }
5279
5280 static int selinux_key_permission(key_ref_t key_ref,
5281                             struct task_struct *ctx,
5282                             key_perm_t perm)
5283 {
5284         struct key *key;
5285         struct task_security_struct *tsec;
5286         struct key_security_struct *ksec;
5287
5288         key = key_ref_to_ptr(key_ref);
5289
5290         tsec = ctx->security;
5291         ksec = key->security;
5292
5293         /* if no specific permissions are requested, we skip the
5294            permission check. No serious, additional covert channels
5295            appear to be created. */
5296         if (perm == 0)
5297                 return 0;
5298
5299         return avc_has_perm(tsec->sid, ksec->sid,
5300                             SECCLASS_KEY, perm, NULL);
5301 }
5302
5303 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5304 {
5305         struct key_security_struct *ksec = key->security;
5306         char *context = NULL;
5307         unsigned len;
5308         int rc;
5309
5310         rc = security_sid_to_context(ksec->sid, &context, &len);
5311         if (!rc)
5312                 rc = len;
5313         *_buffer = context;
5314         return rc;
5315 }
5316
5317 #endif
5318
5319 static struct security_operations selinux_ops = {
5320         .name =                         "selinux",
5321
5322         .ptrace =                       selinux_ptrace,
5323         .capget =                       selinux_capget,
5324         .capset_check =                 selinux_capset_check,
5325         .capset_set =                   selinux_capset_set,
5326         .sysctl =                       selinux_sysctl,
5327         .capable =                      selinux_capable,
5328         .quotactl =                     selinux_quotactl,
5329         .quota_on =                     selinux_quota_on,
5330         .syslog =                       selinux_syslog,
5331         .vm_enough_memory =             selinux_vm_enough_memory,
5332
5333         .netlink_send =                 selinux_netlink_send,
5334         .netlink_recv =                 selinux_netlink_recv,
5335
5336         .bprm_alloc_security =          selinux_bprm_alloc_security,
5337         .bprm_free_security =           selinux_bprm_free_security,
5338         .bprm_apply_creds =             selinux_bprm_apply_creds,
5339         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5340         .bprm_set_security =            selinux_bprm_set_security,
5341         .bprm_check_security =          selinux_bprm_check_security,
5342         .bprm_secureexec =              selinux_bprm_secureexec,
5343
5344         .sb_alloc_security =            selinux_sb_alloc_security,
5345         .sb_free_security =             selinux_sb_free_security,
5346         .sb_copy_data =                 selinux_sb_copy_data,
5347         .sb_kern_mount =                selinux_sb_kern_mount,
5348         .sb_statfs =                    selinux_sb_statfs,
5349         .sb_mount =                     selinux_mount,
5350         .sb_umount =                    selinux_umount,
5351         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5352         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5353         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5354         .sb_parse_opts_str =            selinux_parse_opts_str,
5355
5356
5357         .inode_alloc_security =         selinux_inode_alloc_security,
5358         .inode_free_security =          selinux_inode_free_security,
5359         .inode_init_security =          selinux_inode_init_security,
5360         .inode_create =                 selinux_inode_create,
5361         .inode_link =                   selinux_inode_link,
5362         .inode_unlink =                 selinux_inode_unlink,
5363         .inode_symlink =                selinux_inode_symlink,
5364         .inode_mkdir =                  selinux_inode_mkdir,
5365         .inode_rmdir =                  selinux_inode_rmdir,
5366         .inode_mknod =                  selinux_inode_mknod,
5367         .inode_rename =                 selinux_inode_rename,
5368         .inode_readlink =               selinux_inode_readlink,
5369         .inode_follow_link =            selinux_inode_follow_link,
5370         .inode_permission =             selinux_inode_permission,
5371         .inode_setattr =                selinux_inode_setattr,
5372         .inode_getattr =                selinux_inode_getattr,
5373         .inode_setxattr =               selinux_inode_setxattr,
5374         .inode_post_setxattr =          selinux_inode_post_setxattr,
5375         .inode_getxattr =               selinux_inode_getxattr,
5376         .inode_listxattr =              selinux_inode_listxattr,
5377         .inode_removexattr =            selinux_inode_removexattr,
5378         .inode_getsecurity =            selinux_inode_getsecurity,
5379         .inode_setsecurity =            selinux_inode_setsecurity,
5380         .inode_listsecurity =           selinux_inode_listsecurity,
5381         .inode_need_killpriv =          selinux_inode_need_killpriv,
5382         .inode_killpriv =               selinux_inode_killpriv,
5383         .inode_getsecid =               selinux_inode_getsecid,
5384
5385         .file_permission =              selinux_file_permission,
5386         .file_alloc_security =          selinux_file_alloc_security,
5387         .file_free_security =           selinux_file_free_security,
5388         .file_ioctl =                   selinux_file_ioctl,
5389         .file_mmap =                    selinux_file_mmap,
5390         .file_mprotect =                selinux_file_mprotect,
5391         .file_lock =                    selinux_file_lock,
5392         .file_fcntl =                   selinux_file_fcntl,
5393         .file_set_fowner =              selinux_file_set_fowner,
5394         .file_send_sigiotask =          selinux_file_send_sigiotask,
5395         .file_receive =                 selinux_file_receive,
5396
5397         .dentry_open =                  selinux_dentry_open,
5398
5399         .task_create =                  selinux_task_create,
5400         .task_alloc_security =          selinux_task_alloc_security,
5401         .task_free_security =           selinux_task_free_security,
5402         .task_setuid =                  selinux_task_setuid,
5403         .task_post_setuid =             selinux_task_post_setuid,
5404         .task_setgid =                  selinux_task_setgid,
5405         .task_setpgid =                 selinux_task_setpgid,
5406         .task_getpgid =                 selinux_task_getpgid,
5407         .task_getsid =                  selinux_task_getsid,
5408         .task_getsecid =                selinux_task_getsecid,
5409         .task_setgroups =               selinux_task_setgroups,
5410         .task_setnice =                 selinux_task_setnice,
5411         .task_setioprio =               selinux_task_setioprio,
5412         .task_getioprio =               selinux_task_getioprio,
5413         .task_setrlimit =               selinux_task_setrlimit,
5414         .task_setscheduler =            selinux_task_setscheduler,
5415         .task_getscheduler =            selinux_task_getscheduler,
5416         .task_movememory =              selinux_task_movememory,
5417         .task_kill =                    selinux_task_kill,
5418         .task_wait =                    selinux_task_wait,
5419         .task_prctl =                   selinux_task_prctl,
5420         .task_reparent_to_init =        selinux_task_reparent_to_init,
5421         .task_to_inode =                selinux_task_to_inode,
5422
5423         .ipc_permission =               selinux_ipc_permission,
5424         .ipc_getsecid =                 selinux_ipc_getsecid,
5425
5426         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5427         .msg_msg_free_security =        selinux_msg_msg_free_security,
5428
5429         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5430         .msg_queue_free_security =      selinux_msg_queue_free_security,
5431         .msg_queue_associate =          selinux_msg_queue_associate,
5432         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5433         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5434         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5435
5436         .shm_alloc_security =           selinux_shm_alloc_security,
5437         .shm_free_security =            selinux_shm_free_security,
5438         .shm_associate =                selinux_shm_associate,
5439         .shm_shmctl =                   selinux_shm_shmctl,
5440         .shm_shmat =                    selinux_shm_shmat,
5441
5442         .sem_alloc_security =           selinux_sem_alloc_security,
5443         .sem_free_security =            selinux_sem_free_security,
5444         .sem_associate =                selinux_sem_associate,
5445         .sem_semctl =                   selinux_sem_semctl,
5446         .sem_semop =                    selinux_sem_semop,
5447
5448         .register_security =            selinux_register_security,
5449
5450         .d_instantiate =                selinux_d_instantiate,
5451
5452         .getprocattr =                  selinux_getprocattr,
5453         .setprocattr =                  selinux_setprocattr,
5454
5455         .secid_to_secctx =              selinux_secid_to_secctx,
5456         .secctx_to_secid =              selinux_secctx_to_secid,
5457         .release_secctx =               selinux_release_secctx,
5458
5459         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5460         .unix_may_send =                selinux_socket_unix_may_send,
5461
5462         .socket_create =                selinux_socket_create,
5463         .socket_post_create =           selinux_socket_post_create,
5464         .socket_bind =                  selinux_socket_bind,
5465         .socket_connect =               selinux_socket_connect,
5466         .socket_listen =                selinux_socket_listen,
5467         .socket_accept =                selinux_socket_accept,
5468         .socket_sendmsg =               selinux_socket_sendmsg,
5469         .socket_recvmsg =               selinux_socket_recvmsg,
5470         .socket_getsockname =           selinux_socket_getsockname,
5471         .socket_getpeername =           selinux_socket_getpeername,
5472         .socket_getsockopt =            selinux_socket_getsockopt,
5473         .socket_setsockopt =            selinux_socket_setsockopt,
5474         .socket_shutdown =              selinux_socket_shutdown,
5475         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5476         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5477         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5478         .sk_alloc_security =            selinux_sk_alloc_security,
5479         .sk_free_security =             selinux_sk_free_security,
5480         .sk_clone_security =            selinux_sk_clone_security,
5481         .sk_getsecid =                  selinux_sk_getsecid,
5482         .sock_graft =                   selinux_sock_graft,
5483         .inet_conn_request =            selinux_inet_conn_request,
5484         .inet_csk_clone =               selinux_inet_csk_clone,
5485         .inet_conn_established =        selinux_inet_conn_established,
5486         .req_classify_flow =            selinux_req_classify_flow,
5487
5488 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5489         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5490         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5491         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5492         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5493         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5494         .xfrm_state_free_security =     selinux_xfrm_state_free,
5495         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5496         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5497         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5498         .xfrm_decode_session =          selinux_xfrm_decode_session,
5499 #endif
5500
5501 #ifdef CONFIG_KEYS
5502         .key_alloc =                    selinux_key_alloc,
5503         .key_free =                     selinux_key_free,
5504         .key_permission =               selinux_key_permission,
5505         .key_getsecurity =              selinux_key_getsecurity,
5506 #endif
5507
5508 #ifdef CONFIG_AUDIT
5509         .audit_rule_init =              selinux_audit_rule_init,
5510         .audit_rule_known =             selinux_audit_rule_known,
5511         .audit_rule_match =             selinux_audit_rule_match,
5512         .audit_rule_free =              selinux_audit_rule_free,
5513 #endif
5514 };
5515
5516 static __init int selinux_init(void)
5517 {
5518         struct task_security_struct *tsec;
5519
5520         if (!security_module_enable(&selinux_ops)) {
5521                 selinux_enabled = 0;
5522                 return 0;
5523         }
5524
5525         if (!selinux_enabled) {
5526                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5527                 return 0;
5528         }
5529
5530         printk(KERN_INFO "SELinux:  Initializing.\n");
5531
5532         /* Set the security state for the initial task. */
5533         if (task_alloc_security(current))
5534                 panic("SELinux:  Failed to initialize initial task.\n");
5535         tsec = current->security;
5536         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5537
5538         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5539                                             sizeof(struct inode_security_struct),
5540                                             0, SLAB_PANIC, NULL);
5541         avc_init();
5542
5543         original_ops = secondary_ops = security_ops;
5544         if (!secondary_ops)
5545                 panic("SELinux: No initial security operations\n");
5546         if (register_security(&selinux_ops))
5547                 panic("SELinux: Unable to register with kernel.\n");
5548
5549         if (selinux_enforcing)
5550                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5551         else
5552                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5553
5554         return 0;
5555 }
5556
5557 void selinux_complete_init(void)
5558 {
5559         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5560
5561         /* Set up any superblocks initialized prior to the policy load. */
5562         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5563         spin_lock(&sb_lock);
5564         spin_lock(&sb_security_lock);
5565 next_sb:
5566         if (!list_empty(&superblock_security_head)) {
5567                 struct superblock_security_struct *sbsec =
5568                                 list_entry(superblock_security_head.next,
5569                                            struct superblock_security_struct,
5570                                            list);
5571                 struct super_block *sb = sbsec->sb;
5572                 sb->s_count++;
5573                 spin_unlock(&sb_security_lock);
5574                 spin_unlock(&sb_lock);
5575                 down_read(&sb->s_umount);
5576                 if (sb->s_root)
5577                         superblock_doinit(sb, NULL);
5578                 drop_super(sb);
5579                 spin_lock(&sb_lock);
5580                 spin_lock(&sb_security_lock);
5581                 list_del_init(&sbsec->list);
5582                 goto next_sb;
5583         }
5584         spin_unlock(&sb_security_lock);
5585         spin_unlock(&sb_lock);
5586 }
5587
5588 /* SELinux requires early initialization in order to label
5589    all processes and objects when they are created. */
5590 security_initcall(selinux_init);
5591
5592 #if defined(CONFIG_NETFILTER)
5593
5594 static struct nf_hook_ops selinux_ipv4_ops[] = {
5595         {
5596                 .hook =         selinux_ipv4_postroute,
5597                 .owner =        THIS_MODULE,
5598                 .pf =           PF_INET,
5599                 .hooknum =      NF_INET_POST_ROUTING,
5600                 .priority =     NF_IP_PRI_SELINUX_LAST,
5601         },
5602         {
5603                 .hook =         selinux_ipv4_forward,
5604                 .owner =        THIS_MODULE,
5605                 .pf =           PF_INET,
5606                 .hooknum =      NF_INET_FORWARD,
5607                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5608         }
5609 };
5610
5611 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5612
5613 static struct nf_hook_ops selinux_ipv6_ops[] = {
5614         {
5615                 .hook =         selinux_ipv6_postroute,
5616                 .owner =        THIS_MODULE,
5617                 .pf =           PF_INET6,
5618                 .hooknum =      NF_INET_POST_ROUTING,
5619                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5620         },
5621         {
5622                 .hook =         selinux_ipv6_forward,
5623                 .owner =        THIS_MODULE,
5624                 .pf =           PF_INET6,
5625                 .hooknum =      NF_INET_FORWARD,
5626                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5627         }
5628 };
5629
5630 #endif  /* IPV6 */
5631
5632 static int __init selinux_nf_ip_init(void)
5633 {
5634         int err = 0;
5635         u32 iter;
5636
5637         if (!selinux_enabled)
5638                 goto out;
5639
5640         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5641
5642         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5643                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5644                 if (err)
5645                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5646                               err);
5647         }
5648
5649 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5650         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5651                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5652                 if (err)
5653                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5654                               err);
5655         }
5656 #endif  /* IPV6 */
5657
5658 out:
5659         return err;
5660 }
5661
5662 __initcall(selinux_nf_ip_init);
5663
5664 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5665 static void selinux_nf_ip_exit(void)
5666 {
5667         u32 iter;
5668
5669         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5670
5671         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5672                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5673 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5674         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5675                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5676 #endif  /* IPV6 */
5677 }
5678 #endif
5679
5680 #else /* CONFIG_NETFILTER */
5681
5682 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5683 #define selinux_nf_ip_exit()
5684 #endif
5685
5686 #endif /* CONFIG_NETFILTER */
5687
5688 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5689 static int selinux_disabled;
5690
5691 int selinux_disable(void)
5692 {
5693         extern void exit_sel_fs(void);
5694
5695         if (ss_initialized) {
5696                 /* Not permitted after initial policy load. */
5697                 return -EINVAL;
5698         }
5699
5700         if (selinux_disabled) {
5701                 /* Only do this once. */
5702                 return -EINVAL;
5703         }
5704
5705         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5706
5707         selinux_disabled = 1;
5708         selinux_enabled = 0;
5709
5710         /* Reset security_ops to the secondary module, dummy or capability. */
5711         security_ops = secondary_ops;
5712
5713         /* Unregister netfilter hooks. */
5714         selinux_nf_ip_exit();
5715
5716         /* Unregister selinuxfs. */
5717         exit_sel_fs();
5718
5719         return 0;
5720 }
5721 #endif