51bec4c88f19fd020b9fd7f3f1a0556069c907d3
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72 #include <linux/selinux.h>
73
74 #include "avc.h"
75 #include "objsec.h"
76 #include "netif.h"
77 #include "xfrm.h"
78
79 #define XATTR_SELINUX_SUFFIX "selinux"
80 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
81
82 extern unsigned int policydb_loaded_version;
83 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
84 extern int selinux_compat_net;
85
86 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
87 int selinux_enforcing = 0;
88
89 static int __init enforcing_setup(char *str)
90 {
91         selinux_enforcing = simple_strtol(str,NULL,0);
92         return 1;
93 }
94 __setup("enforcing=", enforcing_setup);
95 #endif
96
97 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
98 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
99
100 static int __init selinux_enabled_setup(char *str)
101 {
102         selinux_enabled = simple_strtol(str, NULL, 0);
103         return 1;
104 }
105 __setup("selinux=", selinux_enabled_setup);
106 #else
107 int selinux_enabled = 1;
108 #endif
109
110 /* Original (dummy) security module. */
111 static struct security_operations *original_ops = NULL;
112
113 /* Minimal support for a secondary security module,
114    just to allow the use of the dummy or capability modules.
115    The owlsm module can alternatively be used as a secondary
116    module as long as CONFIG_OWLSM_FD is not enabled. */
117 static struct security_operations *secondary_ops = NULL;
118
119 /* Lists of inode and superblock security structures initialized
120    before the policy was loaded. */
121 static LIST_HEAD(superblock_security_head);
122 static DEFINE_SPINLOCK(sb_security_lock);
123
124 static kmem_cache_t *sel_inode_cache;
125
126 /* Return security context for a given sid or just the context 
127    length if the buffer is null or length is 0 */
128 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
129 {
130         char *context;
131         unsigned len;
132         int rc;
133
134         rc = security_sid_to_context(sid, &context, &len);
135         if (rc)
136                 return rc;
137
138         if (!buffer || !size)
139                 goto getsecurity_exit;
140
141         if (size < len) {
142                 len = -ERANGE;
143                 goto getsecurity_exit;
144         }
145         memcpy(buffer, context, len);
146
147 getsecurity_exit:
148         kfree(context);
149         return len;
150 }
151
152 /* Allocate and free functions for each kind of security blob. */
153
154 static int task_alloc_security(struct task_struct *task)
155 {
156         struct task_security_struct *tsec;
157
158         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
159         if (!tsec)
160                 return -ENOMEM;
161
162         tsec->task = task;
163         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
164         task->security = tsec;
165
166         return 0;
167 }
168
169 static void task_free_security(struct task_struct *task)
170 {
171         struct task_security_struct *tsec = task->security;
172         task->security = NULL;
173         kfree(tsec);
174 }
175
176 static int inode_alloc_security(struct inode *inode)
177 {
178         struct task_security_struct *tsec = current->security;
179         struct inode_security_struct *isec;
180
181         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
182         if (!isec)
183                 return -ENOMEM;
184
185         memset(isec, 0, sizeof(*isec));
186         init_MUTEX(&isec->sem);
187         INIT_LIST_HEAD(&isec->list);
188         isec->inode = inode;
189         isec->sid = SECINITSID_UNLABELED;
190         isec->sclass = SECCLASS_FILE;
191         isec->task_sid = tsec->sid;
192         inode->i_security = isec;
193
194         return 0;
195 }
196
197 static void inode_free_security(struct inode *inode)
198 {
199         struct inode_security_struct *isec = inode->i_security;
200         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
201
202         spin_lock(&sbsec->isec_lock);
203         if (!list_empty(&isec->list))
204                 list_del_init(&isec->list);
205         spin_unlock(&sbsec->isec_lock);
206
207         inode->i_security = NULL;
208         kmem_cache_free(sel_inode_cache, isec);
209 }
210
211 static int file_alloc_security(struct file *file)
212 {
213         struct task_security_struct *tsec = current->security;
214         struct file_security_struct *fsec;
215
216         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
217         if (!fsec)
218                 return -ENOMEM;
219
220         fsec->file = file;
221         fsec->sid = tsec->sid;
222         fsec->fown_sid = tsec->sid;
223         file->f_security = fsec;
224
225         return 0;
226 }
227
228 static void file_free_security(struct file *file)
229 {
230         struct file_security_struct *fsec = file->f_security;
231         file->f_security = NULL;
232         kfree(fsec);
233 }
234
235 static int superblock_alloc_security(struct super_block *sb)
236 {
237         struct superblock_security_struct *sbsec;
238
239         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
240         if (!sbsec)
241                 return -ENOMEM;
242
243         init_MUTEX(&sbsec->sem);
244         INIT_LIST_HEAD(&sbsec->list);
245         INIT_LIST_HEAD(&sbsec->isec_head);
246         spin_lock_init(&sbsec->isec_lock);
247         sbsec->sb = sb;
248         sbsec->sid = SECINITSID_UNLABELED;
249         sbsec->def_sid = SECINITSID_FILE;
250         sb->s_security = sbsec;
251
252         return 0;
253 }
254
255 static void superblock_free_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec = sb->s_security;
258
259         spin_lock(&sb_security_lock);
260         if (!list_empty(&sbsec->list))
261                 list_del_init(&sbsec->list);
262         spin_unlock(&sb_security_lock);
263
264         sb->s_security = NULL;
265         kfree(sbsec);
266 }
267
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
269 {
270         struct sk_security_struct *ssec;
271
272         if (family != PF_UNIX)
273                 return 0;
274
275         ssec = kzalloc(sizeof(*ssec), priority);
276         if (!ssec)
277                 return -ENOMEM;
278
279         ssec->sk = sk;
280         ssec->peer_sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         return 0;
284 }
285
286 static void sk_free_security(struct sock *sk)
287 {
288         struct sk_security_struct *ssec = sk->sk_security;
289
290         if (sk->sk_family != PF_UNIX)
291                 return;
292
293         sk->sk_security = NULL;
294         kfree(ssec);
295 }
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 4,
323 };
324
325 static match_table_t tokens = {
326         {Opt_context, "context=%s"},
327         {Opt_fscontext, "fscontext=%s"},
328         {Opt_defcontext, "defcontext=%s"},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
332
333 static int try_context_mount(struct super_block *sb, void *data)
334 {
335         char *context = NULL, *defcontext = NULL;
336         const char *name;
337         u32 sid;
338         int alloc = 0, rc = 0, seen = 0;
339         struct task_security_struct *tsec = current->security;
340         struct superblock_security_struct *sbsec = sb->s_security;
341
342         if (!data)
343                 goto out;
344
345         name = sb->s_type->name;
346
347         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
348
349                 /* NFS we understand. */
350                 if (!strcmp(name, "nfs")) {
351                         struct nfs_mount_data *d = data;
352
353                         if (d->version <  NFS_MOUNT_VERSION)
354                                 goto out;
355
356                         if (d->context[0]) {
357                                 context = d->context;
358                                 seen |= Opt_context;
359                         }
360                 } else
361                         goto out;
362
363         } else {
364                 /* Standard string-based options. */
365                 char *p, *options = data;
366
367                 while ((p = strsep(&options, ",")) != NULL) {
368                         int token;
369                         substring_t args[MAX_OPT_ARGS];
370
371                         if (!*p)
372                                 continue;
373
374                         token = match_token(p, tokens, args);
375
376                         switch (token) {
377                         case Opt_context:
378                                 if (seen) {
379                                         rc = -EINVAL;
380                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
381                                         goto out_free;
382                                 }
383                                 context = match_strdup(&args[0]);
384                                 if (!context) {
385                                         rc = -ENOMEM;
386                                         goto out_free;
387                                 }
388                                 if (!alloc)
389                                         alloc = 1;
390                                 seen |= Opt_context;
391                                 break;
392
393                         case Opt_fscontext:
394                                 if (seen & (Opt_context|Opt_fscontext)) {
395                                         rc = -EINVAL;
396                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
397                                         goto out_free;
398                                 }
399                                 context = match_strdup(&args[0]);
400                                 if (!context) {
401                                         rc = -ENOMEM;
402                                         goto out_free;
403                                 }
404                                 if (!alloc)
405                                         alloc = 1;
406                                 seen |= Opt_fscontext;
407                                 break;
408
409                         case Opt_defcontext:
410                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
411                                         rc = -EINVAL;
412                                         printk(KERN_WARNING "SELinux:  "
413                                                "defcontext option is invalid "
414                                                "for this filesystem type\n");
415                                         goto out_free;
416                                 }
417                                 if (seen & (Opt_context|Opt_defcontext)) {
418                                         rc = -EINVAL;
419                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
420                                         goto out_free;
421                                 }
422                                 defcontext = match_strdup(&args[0]);
423                                 if (!defcontext) {
424                                         rc = -ENOMEM;
425                                         goto out_free;
426                                 }
427                                 if (!alloc)
428                                         alloc = 1;
429                                 seen |= Opt_defcontext;
430                                 break;
431
432                         default:
433                                 rc = -EINVAL;
434                                 printk(KERN_WARNING "SELinux:  unknown mount "
435                                        "option\n");
436                                 goto out_free;
437
438                         }
439                 }
440         }
441
442         if (!seen)
443                 goto out;
444
445         if (context) {
446                 rc = security_context_to_sid(context, strlen(context), &sid);
447                 if (rc) {
448                         printk(KERN_WARNING "SELinux: security_context_to_sid"
449                                "(%s) failed for (dev %s, type %s) errno=%d\n",
450                                context, sb->s_id, name, rc);
451                         goto out_free;
452                 }
453
454                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__RELABELFROM, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
460                                   FILESYSTEM__RELABELTO, NULL);
461                 if (rc)
462                         goto out_free;
463
464                 sbsec->sid = sid;
465
466                 if (seen & Opt_context)
467                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
468         }
469
470         if (defcontext) {
471                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
472                 if (rc) {
473                         printk(KERN_WARNING "SELinux: security_context_to_sid"
474                                "(%s) failed for (dev %s, type %s) errno=%d\n",
475                                defcontext, sb->s_id, name, rc);
476                         goto out_free;
477                 }
478
479                 if (sid == sbsec->def_sid)
480                         goto out_free;
481
482                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                                   FILESYSTEM__RELABELFROM, NULL);
484                 if (rc)
485                         goto out_free;
486
487                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
488                                   FILESYSTEM__ASSOCIATE, NULL);
489                 if (rc)
490                         goto out_free;
491
492                 sbsec->def_sid = sid;
493         }
494
495 out_free:
496         if (alloc) {
497                 kfree(context);
498                 kfree(defcontext);
499         }
500 out:
501         return rc;
502 }
503
504 static int superblock_doinit(struct super_block *sb, void *data)
505 {
506         struct superblock_security_struct *sbsec = sb->s_security;
507         struct dentry *root = sb->s_root;
508         struct inode *inode = root->d_inode;
509         int rc = 0;
510
511         down(&sbsec->sem);
512         if (sbsec->initialized)
513                 goto out;
514
515         if (!ss_initialized) {
516                 /* Defer initialization until selinux_complete_init,
517                    after the initial policy is loaded and the security
518                    server is ready to handle calls. */
519                 spin_lock(&sb_security_lock);
520                 if (list_empty(&sbsec->list))
521                         list_add(&sbsec->list, &superblock_security_head);
522                 spin_unlock(&sb_security_lock);
523                 goto out;
524         }
525
526         /* Determine the labeling behavior to use for this filesystem type. */
527         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
528         if (rc) {
529                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
530                        __FUNCTION__, sb->s_type->name, rc);
531                 goto out;
532         }
533
534         rc = try_context_mount(sb, data);
535         if (rc)
536                 goto out;
537
538         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
539                 /* Make sure that the xattr handler exists and that no
540                    error other than -ENODATA is returned by getxattr on
541                    the root directory.  -ENODATA is ok, as this may be
542                    the first boot of the SELinux kernel before we have
543                    assigned xattr values to the filesystem. */
544                 if (!inode->i_op->getxattr) {
545                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
546                                "xattr support\n", sb->s_id, sb->s_type->name);
547                         rc = -EOPNOTSUPP;
548                         goto out;
549                 }
550                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
551                 if (rc < 0 && rc != -ENODATA) {
552                         if (rc == -EOPNOTSUPP)
553                                 printk(KERN_WARNING "SELinux: (dev %s, type "
554                                        "%s) has no security xattr handler\n",
555                                        sb->s_id, sb->s_type->name);
556                         else
557                                 printk(KERN_WARNING "SELinux: (dev %s, type "
558                                        "%s) getxattr errno %d\n", sb->s_id,
559                                        sb->s_type->name, -rc);
560                         goto out;
561                 }
562         }
563
564         if (strcmp(sb->s_type->name, "proc") == 0)
565                 sbsec->proc = 1;
566
567         sbsec->initialized = 1;
568
569         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
570                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
571                        sb->s_id, sb->s_type->name);
572         }
573         else {
574                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
575                        sb->s_id, sb->s_type->name,
576                        labeling_behaviors[sbsec->behavior-1]);
577         }
578
579         /* Initialize the root inode. */
580         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
581
582         /* Initialize any other inodes associated with the superblock, e.g.
583            inodes created prior to initial policy load or inodes created
584            during get_sb by a pseudo filesystem that directly
585            populates itself. */
586         spin_lock(&sbsec->isec_lock);
587 next_inode:
588         if (!list_empty(&sbsec->isec_head)) {
589                 struct inode_security_struct *isec =
590                                 list_entry(sbsec->isec_head.next,
591                                            struct inode_security_struct, list);
592                 struct inode *inode = isec->inode;
593                 spin_unlock(&sbsec->isec_lock);
594                 inode = igrab(inode);
595                 if (inode) {
596                         if (!IS_PRIVATE (inode))
597                                 inode_doinit(inode);
598                         iput(inode);
599                 }
600                 spin_lock(&sbsec->isec_lock);
601                 list_del_init(&isec->list);
602                 goto next_inode;
603         }
604         spin_unlock(&sbsec->isec_lock);
605 out:
606         up(&sbsec->sem);
607         return rc;
608 }
609
610 static inline u16 inode_mode_to_security_class(umode_t mode)
611 {
612         switch (mode & S_IFMT) {
613         case S_IFSOCK:
614                 return SECCLASS_SOCK_FILE;
615         case S_IFLNK:
616                 return SECCLASS_LNK_FILE;
617         case S_IFREG:
618                 return SECCLASS_FILE;
619         case S_IFBLK:
620                 return SECCLASS_BLK_FILE;
621         case S_IFDIR:
622                 return SECCLASS_DIR;
623         case S_IFCHR:
624                 return SECCLASS_CHR_FILE;
625         case S_IFIFO:
626                 return SECCLASS_FIFO_FILE;
627
628         }
629
630         return SECCLASS_FILE;
631 }
632
633 static inline int default_protocol_stream(int protocol)
634 {
635         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
636 }
637
638 static inline int default_protocol_dgram(int protocol)
639 {
640         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
641 }
642
643 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
644 {
645         switch (family) {
646         case PF_UNIX:
647                 switch (type) {
648                 case SOCK_STREAM:
649                 case SOCK_SEQPACKET:
650                         return SECCLASS_UNIX_STREAM_SOCKET;
651                 case SOCK_DGRAM:
652                         return SECCLASS_UNIX_DGRAM_SOCKET;
653                 }
654                 break;
655         case PF_INET:
656         case PF_INET6:
657                 switch (type) {
658                 case SOCK_STREAM:
659                         if (default_protocol_stream(protocol))
660                                 return SECCLASS_TCP_SOCKET;
661                         else
662                                 return SECCLASS_RAWIP_SOCKET;
663                 case SOCK_DGRAM:
664                         if (default_protocol_dgram(protocol))
665                                 return SECCLASS_UDP_SOCKET;
666                         else
667                                 return SECCLASS_RAWIP_SOCKET;
668                 default:
669                         return SECCLASS_RAWIP_SOCKET;
670                 }
671                 break;
672         case PF_NETLINK:
673                 switch (protocol) {
674                 case NETLINK_ROUTE:
675                         return SECCLASS_NETLINK_ROUTE_SOCKET;
676                 case NETLINK_FIREWALL:
677                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
678                 case NETLINK_INET_DIAG:
679                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
680                 case NETLINK_NFLOG:
681                         return SECCLASS_NETLINK_NFLOG_SOCKET;
682                 case NETLINK_XFRM:
683                         return SECCLASS_NETLINK_XFRM_SOCKET;
684                 case NETLINK_SELINUX:
685                         return SECCLASS_NETLINK_SELINUX_SOCKET;
686                 case NETLINK_AUDIT:
687                         return SECCLASS_NETLINK_AUDIT_SOCKET;
688                 case NETLINK_IP6_FW:
689                         return SECCLASS_NETLINK_IP6FW_SOCKET;
690                 case NETLINK_DNRTMSG:
691                         return SECCLASS_NETLINK_DNRT_SOCKET;
692                 case NETLINK_KOBJECT_UEVENT:
693                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
694                 default:
695                         return SECCLASS_NETLINK_SOCKET;
696                 }
697         case PF_PACKET:
698                 return SECCLASS_PACKET_SOCKET;
699         case PF_KEY:
700                 return SECCLASS_KEY_SOCKET;
701         case PF_APPLETALK:
702                 return SECCLASS_APPLETALK_SOCKET;
703         }
704
705         return SECCLASS_SOCKET;
706 }
707
708 #ifdef CONFIG_PROC_FS
709 static int selinux_proc_get_sid(struct proc_dir_entry *de,
710                                 u16 tclass,
711                                 u32 *sid)
712 {
713         int buflen, rc;
714         char *buffer, *path, *end;
715
716         buffer = (char*)__get_free_page(GFP_KERNEL);
717         if (!buffer)
718                 return -ENOMEM;
719
720         buflen = PAGE_SIZE;
721         end = buffer+buflen;
722         *--end = '\0';
723         buflen--;
724         path = end-1;
725         *path = '/';
726         while (de && de != de->parent) {
727                 buflen -= de->namelen + 1;
728                 if (buflen < 0)
729                         break;
730                 end -= de->namelen;
731                 memcpy(end, de->name, de->namelen);
732                 *--end = '/';
733                 path = end;
734                 de = de->parent;
735         }
736         rc = security_genfs_sid("proc", path, tclass, sid);
737         free_page((unsigned long)buffer);
738         return rc;
739 }
740 #else
741 static int selinux_proc_get_sid(struct proc_dir_entry *de,
742                                 u16 tclass,
743                                 u32 *sid)
744 {
745         return -EINVAL;
746 }
747 #endif
748
749 /* The inode's security attributes must be initialized before first use. */
750 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
751 {
752         struct superblock_security_struct *sbsec = NULL;
753         struct inode_security_struct *isec = inode->i_security;
754         u32 sid;
755         struct dentry *dentry;
756 #define INITCONTEXTLEN 255
757         char *context = NULL;
758         unsigned len = 0;
759         int rc = 0;
760         int hold_sem = 0;
761
762         if (isec->initialized)
763                 goto out;
764
765         down(&isec->sem);
766         hold_sem = 1;
767         if (isec->initialized)
768                 goto out;
769
770         sbsec = inode->i_sb->s_security;
771         if (!sbsec->initialized) {
772                 /* Defer initialization until selinux_complete_init,
773                    after the initial policy is loaded and the security
774                    server is ready to handle calls. */
775                 spin_lock(&sbsec->isec_lock);
776                 if (list_empty(&isec->list))
777                         list_add(&isec->list, &sbsec->isec_head);
778                 spin_unlock(&sbsec->isec_lock);
779                 goto out;
780         }
781
782         switch (sbsec->behavior) {
783         case SECURITY_FS_USE_XATTR:
784                 if (!inode->i_op->getxattr) {
785                         isec->sid = sbsec->def_sid;
786                         break;
787                 }
788
789                 /* Need a dentry, since the xattr API requires one.
790                    Life would be simpler if we could just pass the inode. */
791                 if (opt_dentry) {
792                         /* Called from d_instantiate or d_splice_alias. */
793                         dentry = dget(opt_dentry);
794                 } else {
795                         /* Called from selinux_complete_init, try to find a dentry. */
796                         dentry = d_find_alias(inode);
797                 }
798                 if (!dentry) {
799                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
800                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
801                                inode->i_ino);
802                         goto out;
803                 }
804
805                 len = INITCONTEXTLEN;
806                 context = kmalloc(len, GFP_KERNEL);
807                 if (!context) {
808                         rc = -ENOMEM;
809                         dput(dentry);
810                         goto out;
811                 }
812                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
813                                            context, len);
814                 if (rc == -ERANGE) {
815                         /* Need a larger buffer.  Query for the right size. */
816                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
817                                                    NULL, 0);
818                         if (rc < 0) {
819                                 dput(dentry);
820                                 goto out;
821                         }
822                         kfree(context);
823                         len = rc;
824                         context = kmalloc(len, GFP_KERNEL);
825                         if (!context) {
826                                 rc = -ENOMEM;
827                                 dput(dentry);
828                                 goto out;
829                         }
830                         rc = inode->i_op->getxattr(dentry,
831                                                    XATTR_NAME_SELINUX,
832                                                    context, len);
833                 }
834                 dput(dentry);
835                 if (rc < 0) {
836                         if (rc != -ENODATA) {
837                                 printk(KERN_WARNING "%s:  getxattr returned "
838                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
839                                        -rc, inode->i_sb->s_id, inode->i_ino);
840                                 kfree(context);
841                                 goto out;
842                         }
843                         /* Map ENODATA to the default file SID */
844                         sid = sbsec->def_sid;
845                         rc = 0;
846                 } else {
847                         rc = security_context_to_sid_default(context, rc, &sid,
848                                                              sbsec->def_sid);
849                         if (rc) {
850                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
851                                        "returned %d for dev=%s ino=%ld\n",
852                                        __FUNCTION__, context, -rc,
853                                        inode->i_sb->s_id, inode->i_ino);
854                                 kfree(context);
855                                 /* Leave with the unlabeled SID */
856                                 rc = 0;
857                                 break;
858                         }
859                 }
860                 kfree(context);
861                 isec->sid = sid;
862                 break;
863         case SECURITY_FS_USE_TASK:
864                 isec->sid = isec->task_sid;
865                 break;
866         case SECURITY_FS_USE_TRANS:
867                 /* Default to the fs SID. */
868                 isec->sid = sbsec->sid;
869
870                 /* Try to obtain a transition SID. */
871                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
872                 rc = security_transition_sid(isec->task_sid,
873                                              sbsec->sid,
874                                              isec->sclass,
875                                              &sid);
876                 if (rc)
877                         goto out;
878                 isec->sid = sid;
879                 break;
880         default:
881                 /* Default to the fs SID. */
882                 isec->sid = sbsec->sid;
883
884                 if (sbsec->proc) {
885                         struct proc_inode *proci = PROC_I(inode);
886                         if (proci->pde) {
887                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
888                                 rc = selinux_proc_get_sid(proci->pde,
889                                                           isec->sclass,
890                                                           &sid);
891                                 if (rc)
892                                         goto out;
893                                 isec->sid = sid;
894                         }
895                 }
896                 break;
897         }
898
899         isec->initialized = 1;
900
901 out:
902         if (isec->sclass == SECCLASS_FILE)
903                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
904
905         if (hold_sem)
906                 up(&isec->sem);
907         return rc;
908 }
909
910 /* Convert a Linux signal to an access vector. */
911 static inline u32 signal_to_av(int sig)
912 {
913         u32 perm = 0;
914
915         switch (sig) {
916         case SIGCHLD:
917                 /* Commonly granted from child to parent. */
918                 perm = PROCESS__SIGCHLD;
919                 break;
920         case SIGKILL:
921                 /* Cannot be caught or ignored */
922                 perm = PROCESS__SIGKILL;
923                 break;
924         case SIGSTOP:
925                 /* Cannot be caught or ignored */
926                 perm = PROCESS__SIGSTOP;
927                 break;
928         default:
929                 /* All other signals. */
930                 perm = PROCESS__SIGNAL;
931                 break;
932         }
933
934         return perm;
935 }
936
937 /* Check permission betweeen a pair of tasks, e.g. signal checks,
938    fork check, ptrace check, etc. */
939 static int task_has_perm(struct task_struct *tsk1,
940                          struct task_struct *tsk2,
941                          u32 perms)
942 {
943         struct task_security_struct *tsec1, *tsec2;
944
945         tsec1 = tsk1->security;
946         tsec2 = tsk2->security;
947         return avc_has_perm(tsec1->sid, tsec2->sid,
948                             SECCLASS_PROCESS, perms, NULL);
949 }
950
951 /* Check whether a task is allowed to use a capability. */
952 static int task_has_capability(struct task_struct *tsk,
953                                int cap)
954 {
955         struct task_security_struct *tsec;
956         struct avc_audit_data ad;
957
958         tsec = tsk->security;
959
960         AVC_AUDIT_DATA_INIT(&ad,CAP);
961         ad.tsk = tsk;
962         ad.u.cap = cap;
963
964         return avc_has_perm(tsec->sid, tsec->sid,
965                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
966 }
967
968 /* Check whether a task is allowed to use a system operation. */
969 static int task_has_system(struct task_struct *tsk,
970                            u32 perms)
971 {
972         struct task_security_struct *tsec;
973
974         tsec = tsk->security;
975
976         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
977                             SECCLASS_SYSTEM, perms, NULL);
978 }
979
980 /* Check whether a task has a particular permission to an inode.
981    The 'adp' parameter is optional and allows other audit
982    data to be passed (e.g. the dentry). */
983 static int inode_has_perm(struct task_struct *tsk,
984                           struct inode *inode,
985                           u32 perms,
986                           struct avc_audit_data *adp)
987 {
988         struct task_security_struct *tsec;
989         struct inode_security_struct *isec;
990         struct avc_audit_data ad;
991
992         tsec = tsk->security;
993         isec = inode->i_security;
994
995         if (!adp) {
996                 adp = &ad;
997                 AVC_AUDIT_DATA_INIT(&ad, FS);
998                 ad.u.fs.inode = inode;
999         }
1000
1001         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1002 }
1003
1004 /* Same as inode_has_perm, but pass explicit audit data containing
1005    the dentry to help the auditing code to more easily generate the
1006    pathname if needed. */
1007 static inline int dentry_has_perm(struct task_struct *tsk,
1008                                   struct vfsmount *mnt,
1009                                   struct dentry *dentry,
1010                                   u32 av)
1011 {
1012         struct inode *inode = dentry->d_inode;
1013         struct avc_audit_data ad;
1014         AVC_AUDIT_DATA_INIT(&ad,FS);
1015         ad.u.fs.mnt = mnt;
1016         ad.u.fs.dentry = dentry;
1017         return inode_has_perm(tsk, inode, av, &ad);
1018 }
1019
1020 /* Check whether a task can use an open file descriptor to
1021    access an inode in a given way.  Check access to the
1022    descriptor itself, and then use dentry_has_perm to
1023    check a particular permission to the file.
1024    Access to the descriptor is implicitly granted if it
1025    has the same SID as the process.  If av is zero, then
1026    access to the file is not checked, e.g. for cases
1027    where only the descriptor is affected like seek. */
1028 static int file_has_perm(struct task_struct *tsk,
1029                                 struct file *file,
1030                                 u32 av)
1031 {
1032         struct task_security_struct *tsec = tsk->security;
1033         struct file_security_struct *fsec = file->f_security;
1034         struct vfsmount *mnt = file->f_vfsmnt;
1035         struct dentry *dentry = file->f_dentry;
1036         struct inode *inode = dentry->d_inode;
1037         struct avc_audit_data ad;
1038         int rc;
1039
1040         AVC_AUDIT_DATA_INIT(&ad, FS);
1041         ad.u.fs.mnt = mnt;
1042         ad.u.fs.dentry = dentry;
1043
1044         if (tsec->sid != fsec->sid) {
1045                 rc = avc_has_perm(tsec->sid, fsec->sid,
1046                                   SECCLASS_FD,
1047                                   FD__USE,
1048                                   &ad);
1049                 if (rc)
1050                         return rc;
1051         }
1052
1053         /* av is zero if only checking access to the descriptor. */
1054         if (av)
1055                 return inode_has_perm(tsk, inode, av, &ad);
1056
1057         return 0;
1058 }
1059
1060 /* Check whether a task can create a file. */
1061 static int may_create(struct inode *dir,
1062                       struct dentry *dentry,
1063                       u16 tclass)
1064 {
1065         struct task_security_struct *tsec;
1066         struct inode_security_struct *dsec;
1067         struct superblock_security_struct *sbsec;
1068         u32 newsid;
1069         struct avc_audit_data ad;
1070         int rc;
1071
1072         tsec = current->security;
1073         dsec = dir->i_security;
1074         sbsec = dir->i_sb->s_security;
1075
1076         AVC_AUDIT_DATA_INIT(&ad, FS);
1077         ad.u.fs.dentry = dentry;
1078
1079         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1080                           DIR__ADD_NAME | DIR__SEARCH,
1081                           &ad);
1082         if (rc)
1083                 return rc;
1084
1085         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1086                 newsid = tsec->create_sid;
1087         } else {
1088                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1089                                              &newsid);
1090                 if (rc)
1091                         return rc;
1092         }
1093
1094         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1095         if (rc)
1096                 return rc;
1097
1098         return avc_has_perm(newsid, sbsec->sid,
1099                             SECCLASS_FILESYSTEM,
1100                             FILESYSTEM__ASSOCIATE, &ad);
1101 }
1102
1103 /* Check whether a task can create a key. */
1104 static int may_create_key(u32 ksid,
1105                           struct task_struct *ctx)
1106 {
1107         struct task_security_struct *tsec;
1108
1109         tsec = ctx->security;
1110
1111         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1112 }
1113
1114 #define MAY_LINK   0
1115 #define MAY_UNLINK 1
1116 #define MAY_RMDIR  2
1117
1118 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1119 static int may_link(struct inode *dir,
1120                     struct dentry *dentry,
1121                     int kind)
1122
1123 {
1124         struct task_security_struct *tsec;
1125         struct inode_security_struct *dsec, *isec;
1126         struct avc_audit_data ad;
1127         u32 av;
1128         int rc;
1129
1130         tsec = current->security;
1131         dsec = dir->i_security;
1132         isec = dentry->d_inode->i_security;
1133
1134         AVC_AUDIT_DATA_INIT(&ad, FS);
1135         ad.u.fs.dentry = dentry;
1136
1137         av = DIR__SEARCH;
1138         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1139         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1140         if (rc)
1141                 return rc;
1142
1143         switch (kind) {
1144         case MAY_LINK:
1145                 av = FILE__LINK;
1146                 break;
1147         case MAY_UNLINK:
1148                 av = FILE__UNLINK;
1149                 break;
1150         case MAY_RMDIR:
1151                 av = DIR__RMDIR;
1152                 break;
1153         default:
1154                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1155                 return 0;
1156         }
1157
1158         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1159         return rc;
1160 }
1161
1162 static inline int may_rename(struct inode *old_dir,
1163                              struct dentry *old_dentry,
1164                              struct inode *new_dir,
1165                              struct dentry *new_dentry)
1166 {
1167         struct task_security_struct *tsec;
1168         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1169         struct avc_audit_data ad;
1170         u32 av;
1171         int old_is_dir, new_is_dir;
1172         int rc;
1173
1174         tsec = current->security;
1175         old_dsec = old_dir->i_security;
1176         old_isec = old_dentry->d_inode->i_security;
1177         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1178         new_dsec = new_dir->i_security;
1179
1180         AVC_AUDIT_DATA_INIT(&ad, FS);
1181
1182         ad.u.fs.dentry = old_dentry;
1183         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1184                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1185         if (rc)
1186                 return rc;
1187         rc = avc_has_perm(tsec->sid, old_isec->sid,
1188                           old_isec->sclass, FILE__RENAME, &ad);
1189         if (rc)
1190                 return rc;
1191         if (old_is_dir && new_dir != old_dir) {
1192                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1193                                   old_isec->sclass, DIR__REPARENT, &ad);
1194                 if (rc)
1195                         return rc;
1196         }
1197
1198         ad.u.fs.dentry = new_dentry;
1199         av = DIR__ADD_NAME | DIR__SEARCH;
1200         if (new_dentry->d_inode)
1201                 av |= DIR__REMOVE_NAME;
1202         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1203         if (rc)
1204                 return rc;
1205         if (new_dentry->d_inode) {
1206                 new_isec = new_dentry->d_inode->i_security;
1207                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1208                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1209                                   new_isec->sclass,
1210                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1211                 if (rc)
1212                         return rc;
1213         }
1214
1215         return 0;
1216 }
1217
1218 /* Check whether a task can perform a filesystem operation. */
1219 static int superblock_has_perm(struct task_struct *tsk,
1220                                struct super_block *sb,
1221                                u32 perms,
1222                                struct avc_audit_data *ad)
1223 {
1224         struct task_security_struct *tsec;
1225         struct superblock_security_struct *sbsec;
1226
1227         tsec = tsk->security;
1228         sbsec = sb->s_security;
1229         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1230                             perms, ad);
1231 }
1232
1233 /* Convert a Linux mode and permission mask to an access vector. */
1234 static inline u32 file_mask_to_av(int mode, int mask)
1235 {
1236         u32 av = 0;
1237
1238         if ((mode & S_IFMT) != S_IFDIR) {
1239                 if (mask & MAY_EXEC)
1240                         av |= FILE__EXECUTE;
1241                 if (mask & MAY_READ)
1242                         av |= FILE__READ;
1243
1244                 if (mask & MAY_APPEND)
1245                         av |= FILE__APPEND;
1246                 else if (mask & MAY_WRITE)
1247                         av |= FILE__WRITE;
1248
1249         } else {
1250                 if (mask & MAY_EXEC)
1251                         av |= DIR__SEARCH;
1252                 if (mask & MAY_WRITE)
1253                         av |= DIR__WRITE;
1254                 if (mask & MAY_READ)
1255                         av |= DIR__READ;
1256         }
1257
1258         return av;
1259 }
1260
1261 /* Convert a Linux file to an access vector. */
1262 static inline u32 file_to_av(struct file *file)
1263 {
1264         u32 av = 0;
1265
1266         if (file->f_mode & FMODE_READ)
1267                 av |= FILE__READ;
1268         if (file->f_mode & FMODE_WRITE) {
1269                 if (file->f_flags & O_APPEND)
1270                         av |= FILE__APPEND;
1271                 else
1272                         av |= FILE__WRITE;
1273         }
1274
1275         return av;
1276 }
1277
1278 /* Set an inode's SID to a specified value. */
1279 static int inode_security_set_sid(struct inode *inode, u32 sid)
1280 {
1281         struct inode_security_struct *isec = inode->i_security;
1282         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1283
1284         if (!sbsec->initialized) {
1285                 /* Defer initialization to selinux_complete_init. */
1286                 return 0;
1287         }
1288
1289         down(&isec->sem);
1290         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1291         isec->sid = sid;
1292         isec->initialized = 1;
1293         up(&isec->sem);
1294         return 0;
1295 }
1296
1297 /* Hook functions begin here. */
1298
1299 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1300 {
1301         struct task_security_struct *psec = parent->security;
1302         struct task_security_struct *csec = child->security;
1303         int rc;
1304
1305         rc = secondary_ops->ptrace(parent,child);
1306         if (rc)
1307                 return rc;
1308
1309         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1310         /* Save the SID of the tracing process for later use in apply_creds. */
1311         if (!(child->ptrace & PT_PTRACED) && !rc)
1312                 csec->ptrace_sid = psec->sid;
1313         return rc;
1314 }
1315
1316 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1317                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1318 {
1319         int error;
1320
1321         error = task_has_perm(current, target, PROCESS__GETCAP);
1322         if (error)
1323                 return error;
1324
1325         return secondary_ops->capget(target, effective, inheritable, permitted);
1326 }
1327
1328 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1329                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1330 {
1331         int error;
1332
1333         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1334         if (error)
1335                 return error;
1336
1337         return task_has_perm(current, target, PROCESS__SETCAP);
1338 }
1339
1340 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1341                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1342 {
1343         secondary_ops->capset_set(target, effective, inheritable, permitted);
1344 }
1345
1346 static int selinux_capable(struct task_struct *tsk, int cap)
1347 {
1348         int rc;
1349
1350         rc = secondary_ops->capable(tsk, cap);
1351         if (rc)
1352                 return rc;
1353
1354         return task_has_capability(tsk,cap);
1355 }
1356
1357 static int selinux_sysctl(ctl_table *table, int op)
1358 {
1359         int error = 0;
1360         u32 av;
1361         struct task_security_struct *tsec;
1362         u32 tsid;
1363         int rc;
1364
1365         rc = secondary_ops->sysctl(table, op);
1366         if (rc)
1367                 return rc;
1368
1369         tsec = current->security;
1370
1371         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1372                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1373         if (rc) {
1374                 /* Default to the well-defined sysctl SID. */
1375                 tsid = SECINITSID_SYSCTL;
1376         }
1377
1378         /* The op values are "defined" in sysctl.c, thereby creating
1379          * a bad coupling between this module and sysctl.c */
1380         if(op == 001) {
1381                 error = avc_has_perm(tsec->sid, tsid,
1382                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1383         } else {
1384                 av = 0;
1385                 if (op & 004)
1386                         av |= FILE__READ;
1387                 if (op & 002)
1388                         av |= FILE__WRITE;
1389                 if (av)
1390                         error = avc_has_perm(tsec->sid, tsid,
1391                                              SECCLASS_FILE, av, NULL);
1392         }
1393
1394         return error;
1395 }
1396
1397 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1398 {
1399         int rc = 0;
1400
1401         if (!sb)
1402                 return 0;
1403
1404         switch (cmds) {
1405                 case Q_SYNC:
1406                 case Q_QUOTAON:
1407                 case Q_QUOTAOFF:
1408                 case Q_SETINFO:
1409                 case Q_SETQUOTA:
1410                         rc = superblock_has_perm(current,
1411                                                  sb,
1412                                                  FILESYSTEM__QUOTAMOD, NULL);
1413                         break;
1414                 case Q_GETFMT:
1415                 case Q_GETINFO:
1416                 case Q_GETQUOTA:
1417                         rc = superblock_has_perm(current,
1418                                                  sb,
1419                                                  FILESYSTEM__QUOTAGET, NULL);
1420                         break;
1421                 default:
1422                         rc = 0;  /* let the kernel handle invalid cmds */
1423                         break;
1424         }
1425         return rc;
1426 }
1427
1428 static int selinux_quota_on(struct dentry *dentry)
1429 {
1430         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1431 }
1432
1433 static int selinux_syslog(int type)
1434 {
1435         int rc;
1436
1437         rc = secondary_ops->syslog(type);
1438         if (rc)
1439                 return rc;
1440
1441         switch (type) {
1442                 case 3:         /* Read last kernel messages */
1443                 case 10:        /* Return size of the log buffer */
1444                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1445                         break;
1446                 case 6:         /* Disable logging to console */
1447                 case 7:         /* Enable logging to console */
1448                 case 8:         /* Set level of messages printed to console */
1449                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1450                         break;
1451                 case 0:         /* Close log */
1452                 case 1:         /* Open log */
1453                 case 2:         /* Read from log */
1454                 case 4:         /* Read/clear last kernel messages */
1455                 case 5:         /* Clear ring buffer */
1456                 default:
1457                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1458                         break;
1459         }
1460         return rc;
1461 }
1462
1463 /*
1464  * Check that a process has enough memory to allocate a new virtual
1465  * mapping. 0 means there is enough memory for the allocation to
1466  * succeed and -ENOMEM implies there is not.
1467  *
1468  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1469  * if the capability is granted, but __vm_enough_memory requires 1 if
1470  * the capability is granted.
1471  *
1472  * Do not audit the selinux permission check, as this is applied to all
1473  * processes that allocate mappings.
1474  */
1475 static int selinux_vm_enough_memory(long pages)
1476 {
1477         int rc, cap_sys_admin = 0;
1478         struct task_security_struct *tsec = current->security;
1479
1480         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1481         if (rc == 0)
1482                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1483                                         SECCLASS_CAPABILITY,
1484                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1485                                         NULL);
1486
1487         if (rc == 0)
1488                 cap_sys_admin = 1;
1489
1490         return __vm_enough_memory(pages, cap_sys_admin);
1491 }
1492
1493 /* binprm security operations */
1494
1495 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1496 {
1497         struct bprm_security_struct *bsec;
1498
1499         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1500         if (!bsec)
1501                 return -ENOMEM;
1502
1503         bsec->bprm = bprm;
1504         bsec->sid = SECINITSID_UNLABELED;
1505         bsec->set = 0;
1506
1507         bprm->security = bsec;
1508         return 0;
1509 }
1510
1511 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1512 {
1513         struct task_security_struct *tsec;
1514         struct inode *inode = bprm->file->f_dentry->d_inode;
1515         struct inode_security_struct *isec;
1516         struct bprm_security_struct *bsec;
1517         u32 newsid;
1518         struct avc_audit_data ad;
1519         int rc;
1520
1521         rc = secondary_ops->bprm_set_security(bprm);
1522         if (rc)
1523                 return rc;
1524
1525         bsec = bprm->security;
1526
1527         if (bsec->set)
1528                 return 0;
1529
1530         tsec = current->security;
1531         isec = inode->i_security;
1532
1533         /* Default to the current task SID. */
1534         bsec->sid = tsec->sid;
1535
1536         /* Reset fs, key, and sock SIDs on execve. */
1537         tsec->create_sid = 0;
1538         tsec->keycreate_sid = 0;
1539         tsec->sockcreate_sid = 0;
1540
1541         if (tsec->exec_sid) {
1542                 newsid = tsec->exec_sid;
1543                 /* Reset exec SID on execve. */
1544                 tsec->exec_sid = 0;
1545         } else {
1546                 /* Check for a default transition on this program. */
1547                 rc = security_transition_sid(tsec->sid, isec->sid,
1548                                              SECCLASS_PROCESS, &newsid);
1549                 if (rc)
1550                         return rc;
1551         }
1552
1553         AVC_AUDIT_DATA_INIT(&ad, FS);
1554         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1555         ad.u.fs.dentry = bprm->file->f_dentry;
1556
1557         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1558                 newsid = tsec->sid;
1559
1560         if (tsec->sid == newsid) {
1561                 rc = avc_has_perm(tsec->sid, isec->sid,
1562                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1563                 if (rc)
1564                         return rc;
1565         } else {
1566                 /* Check permissions for the transition. */
1567                 rc = avc_has_perm(tsec->sid, newsid,
1568                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1569                 if (rc)
1570                         return rc;
1571
1572                 rc = avc_has_perm(newsid, isec->sid,
1573                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1574                 if (rc)
1575                         return rc;
1576
1577                 /* Clear any possibly unsafe personality bits on exec: */
1578                 current->personality &= ~PER_CLEAR_ON_SETID;
1579
1580                 /* Set the security field to the new SID. */
1581                 bsec->sid = newsid;
1582         }
1583
1584         bsec->set = 1;
1585         return 0;
1586 }
1587
1588 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1589 {
1590         return secondary_ops->bprm_check_security(bprm);
1591 }
1592
1593
1594 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1595 {
1596         struct task_security_struct *tsec = current->security;
1597         int atsecure = 0;
1598
1599         if (tsec->osid != tsec->sid) {
1600                 /* Enable secure mode for SIDs transitions unless
1601                    the noatsecure permission is granted between
1602                    the two SIDs, i.e. ahp returns 0. */
1603                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1604                                          SECCLASS_PROCESS,
1605                                          PROCESS__NOATSECURE, NULL);
1606         }
1607
1608         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1609 }
1610
1611 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1612 {
1613         kfree(bprm->security);
1614         bprm->security = NULL;
1615 }
1616
1617 extern struct vfsmount *selinuxfs_mount;
1618 extern struct dentry *selinux_null;
1619
1620 /* Derived from fs/exec.c:flush_old_files. */
1621 static inline void flush_unauthorized_files(struct files_struct * files)
1622 {
1623         struct avc_audit_data ad;
1624         struct file *file, *devnull = NULL;
1625         struct tty_struct *tty = current->signal->tty;
1626         struct fdtable *fdt;
1627         long j = -1;
1628
1629         if (tty) {
1630                 file_list_lock();
1631                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1632                 if (file) {
1633                         /* Revalidate access to controlling tty.
1634                            Use inode_has_perm on the tty inode directly rather
1635                            than using file_has_perm, as this particular open
1636                            file may belong to another process and we are only
1637                            interested in the inode-based check here. */
1638                         struct inode *inode = file->f_dentry->d_inode;
1639                         if (inode_has_perm(current, inode,
1640                                            FILE__READ | FILE__WRITE, NULL)) {
1641                                 /* Reset controlling tty. */
1642                                 current->signal->tty = NULL;
1643                                 current->signal->tty_old_pgrp = 0;
1644                         }
1645                 }
1646                 file_list_unlock();
1647         }
1648
1649         /* Revalidate access to inherited open files. */
1650
1651         AVC_AUDIT_DATA_INIT(&ad,FS);
1652
1653         spin_lock(&files->file_lock);
1654         for (;;) {
1655                 unsigned long set, i;
1656                 int fd;
1657
1658                 j++;
1659                 i = j * __NFDBITS;
1660                 fdt = files_fdtable(files);
1661                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1662                         break;
1663                 set = fdt->open_fds->fds_bits[j];
1664                 if (!set)
1665                         continue;
1666                 spin_unlock(&files->file_lock);
1667                 for ( ; set ; i++,set >>= 1) {
1668                         if (set & 1) {
1669                                 file = fget(i);
1670                                 if (!file)
1671                                         continue;
1672                                 if (file_has_perm(current,
1673                                                   file,
1674                                                   file_to_av(file))) {
1675                                         sys_close(i);
1676                                         fd = get_unused_fd();
1677                                         if (fd != i) {
1678                                                 if (fd >= 0)
1679                                                         put_unused_fd(fd);
1680                                                 fput(file);
1681                                                 continue;
1682                                         }
1683                                         if (devnull) {
1684                                                 get_file(devnull);
1685                                         } else {
1686                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1687                                                 if (!devnull) {
1688                                                         put_unused_fd(fd);
1689                                                         fput(file);
1690                                                         continue;
1691                                                 }
1692                                         }
1693                                         fd_install(fd, devnull);
1694                                 }
1695                                 fput(file);
1696                         }
1697                 }
1698                 spin_lock(&files->file_lock);
1699
1700         }
1701         spin_unlock(&files->file_lock);
1702 }
1703
1704 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1705 {
1706         struct task_security_struct *tsec;
1707         struct bprm_security_struct *bsec;
1708         u32 sid;
1709         int rc;
1710
1711         secondary_ops->bprm_apply_creds(bprm, unsafe);
1712
1713         tsec = current->security;
1714
1715         bsec = bprm->security;
1716         sid = bsec->sid;
1717
1718         tsec->osid = tsec->sid;
1719         bsec->unsafe = 0;
1720         if (tsec->sid != sid) {
1721                 /* Check for shared state.  If not ok, leave SID
1722                    unchanged and kill. */
1723                 if (unsafe & LSM_UNSAFE_SHARE) {
1724                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1725                                         PROCESS__SHARE, NULL);
1726                         if (rc) {
1727                                 bsec->unsafe = 1;
1728                                 return;
1729                         }
1730                 }
1731
1732                 /* Check for ptracing, and update the task SID if ok.
1733                    Otherwise, leave SID unchanged and kill. */
1734                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1735                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1736                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1737                                           NULL);
1738                         if (rc) {
1739                                 bsec->unsafe = 1;
1740                                 return;
1741                         }
1742                 }
1743                 tsec->sid = sid;
1744         }
1745 }
1746
1747 /*
1748  * called after apply_creds without the task lock held
1749  */
1750 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1751 {
1752         struct task_security_struct *tsec;
1753         struct rlimit *rlim, *initrlim;
1754         struct itimerval itimer;
1755         struct bprm_security_struct *bsec;
1756         int rc, i;
1757
1758         tsec = current->security;
1759         bsec = bprm->security;
1760
1761         if (bsec->unsafe) {
1762                 force_sig_specific(SIGKILL, current);
1763                 return;
1764         }
1765         if (tsec->osid == tsec->sid)
1766                 return;
1767
1768         /* Close files for which the new task SID is not authorized. */
1769         flush_unauthorized_files(current->files);
1770
1771         /* Check whether the new SID can inherit signal state
1772            from the old SID.  If not, clear itimers to avoid
1773            subsequent signal generation and flush and unblock
1774            signals. This must occur _after_ the task SID has
1775           been updated so that any kill done after the flush
1776           will be checked against the new SID. */
1777         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1778                           PROCESS__SIGINH, NULL);
1779         if (rc) {
1780                 memset(&itimer, 0, sizeof itimer);
1781                 for (i = 0; i < 3; i++)
1782                         do_setitimer(i, &itimer, NULL);
1783                 flush_signals(current);
1784                 spin_lock_irq(&current->sighand->siglock);
1785                 flush_signal_handlers(current, 1);
1786                 sigemptyset(&current->blocked);
1787                 recalc_sigpending();
1788                 spin_unlock_irq(&current->sighand->siglock);
1789         }
1790
1791         /* Check whether the new SID can inherit resource limits
1792            from the old SID.  If not, reset all soft limits to
1793            the lower of the current task's hard limit and the init
1794            task's soft limit.  Note that the setting of hard limits
1795            (even to lower them) can be controlled by the setrlimit
1796            check. The inclusion of the init task's soft limit into
1797            the computation is to avoid resetting soft limits higher
1798            than the default soft limit for cases where the default
1799            is lower than the hard limit, e.g. RLIMIT_CORE or
1800            RLIMIT_STACK.*/
1801         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1802                           PROCESS__RLIMITINH, NULL);
1803         if (rc) {
1804                 for (i = 0; i < RLIM_NLIMITS; i++) {
1805                         rlim = current->signal->rlim + i;
1806                         initrlim = init_task.signal->rlim+i;
1807                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1808                 }
1809                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1810                         /*
1811                          * This will cause RLIMIT_CPU calculations
1812                          * to be refigured.
1813                          */
1814                         current->it_prof_expires = jiffies_to_cputime(1);
1815                 }
1816         }
1817
1818         /* Wake up the parent if it is waiting so that it can
1819            recheck wait permission to the new task SID. */
1820         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1821 }
1822
1823 /* superblock security operations */
1824
1825 static int selinux_sb_alloc_security(struct super_block *sb)
1826 {
1827         return superblock_alloc_security(sb);
1828 }
1829
1830 static void selinux_sb_free_security(struct super_block *sb)
1831 {
1832         superblock_free_security(sb);
1833 }
1834
1835 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1836 {
1837         if (plen > olen)
1838                 return 0;
1839
1840         return !memcmp(prefix, option, plen);
1841 }
1842
1843 static inline int selinux_option(char *option, int len)
1844 {
1845         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1846                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1847                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1848 }
1849
1850 static inline void take_option(char **to, char *from, int *first, int len)
1851 {
1852         if (!*first) {
1853                 **to = ',';
1854                 *to += 1;
1855         }
1856         else
1857                 *first = 0;
1858         memcpy(*to, from, len);
1859         *to += len;
1860 }
1861
1862 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1863 {
1864         int fnosec, fsec, rc = 0;
1865         char *in_save, *in_curr, *in_end;
1866         char *sec_curr, *nosec_save, *nosec;
1867
1868         in_curr = orig;
1869         sec_curr = copy;
1870
1871         /* Binary mount data: just copy */
1872         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1873                 copy_page(sec_curr, in_curr);
1874                 goto out;
1875         }
1876
1877         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1878         if (!nosec) {
1879                 rc = -ENOMEM;
1880                 goto out;
1881         }
1882
1883         nosec_save = nosec;
1884         fnosec = fsec = 1;
1885         in_save = in_end = orig;
1886
1887         do {
1888                 if (*in_end == ',' || *in_end == '\0') {
1889                         int len = in_end - in_curr;
1890
1891                         if (selinux_option(in_curr, len))
1892                                 take_option(&sec_curr, in_curr, &fsec, len);
1893                         else
1894                                 take_option(&nosec, in_curr, &fnosec, len);
1895
1896                         in_curr = in_end + 1;
1897                 }
1898         } while (*in_end++);
1899
1900         strcpy(in_save, nosec_save);
1901         free_page((unsigned long)nosec_save);
1902 out:
1903         return rc;
1904 }
1905
1906 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1907 {
1908         struct avc_audit_data ad;
1909         int rc;
1910
1911         rc = superblock_doinit(sb, data);
1912         if (rc)
1913                 return rc;
1914
1915         AVC_AUDIT_DATA_INIT(&ad,FS);
1916         ad.u.fs.dentry = sb->s_root;
1917         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1918 }
1919
1920 static int selinux_sb_statfs(struct dentry *dentry)
1921 {
1922         struct avc_audit_data ad;
1923
1924         AVC_AUDIT_DATA_INIT(&ad,FS);
1925         ad.u.fs.dentry = dentry->d_sb->s_root;
1926         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1927 }
1928
1929 static int selinux_mount(char * dev_name,
1930                          struct nameidata *nd,
1931                          char * type,
1932                          unsigned long flags,
1933                          void * data)
1934 {
1935         int rc;
1936
1937         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1938         if (rc)
1939                 return rc;
1940
1941         if (flags & MS_REMOUNT)
1942                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1943                                            FILESYSTEM__REMOUNT, NULL);
1944         else
1945                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1946                                        FILE__MOUNTON);
1947 }
1948
1949 static int selinux_umount(struct vfsmount *mnt, int flags)
1950 {
1951         int rc;
1952
1953         rc = secondary_ops->sb_umount(mnt, flags);
1954         if (rc)
1955                 return rc;
1956
1957         return superblock_has_perm(current,mnt->mnt_sb,
1958                                    FILESYSTEM__UNMOUNT,NULL);
1959 }
1960
1961 /* inode security operations */
1962
1963 static int selinux_inode_alloc_security(struct inode *inode)
1964 {
1965         return inode_alloc_security(inode);
1966 }
1967
1968 static void selinux_inode_free_security(struct inode *inode)
1969 {
1970         inode_free_security(inode);
1971 }
1972
1973 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1974                                        char **name, void **value,
1975                                        size_t *len)
1976 {
1977         struct task_security_struct *tsec;
1978         struct inode_security_struct *dsec;
1979         struct superblock_security_struct *sbsec;
1980         u32 newsid, clen;
1981         int rc;
1982         char *namep = NULL, *context;
1983
1984         tsec = current->security;
1985         dsec = dir->i_security;
1986         sbsec = dir->i_sb->s_security;
1987
1988         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1989                 newsid = tsec->create_sid;
1990         } else {
1991                 rc = security_transition_sid(tsec->sid, dsec->sid,
1992                                              inode_mode_to_security_class(inode->i_mode),
1993                                              &newsid);
1994                 if (rc) {
1995                         printk(KERN_WARNING "%s:  "
1996                                "security_transition_sid failed, rc=%d (dev=%s "
1997                                "ino=%ld)\n",
1998                                __FUNCTION__,
1999                                -rc, inode->i_sb->s_id, inode->i_ino);
2000                         return rc;
2001                 }
2002         }
2003
2004         inode_security_set_sid(inode, newsid);
2005
2006         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2007                 return -EOPNOTSUPP;
2008
2009         if (name) {
2010                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2011                 if (!namep)
2012                         return -ENOMEM;
2013                 *name = namep;
2014         }
2015
2016         if (value && len) {
2017                 rc = security_sid_to_context(newsid, &context, &clen);
2018                 if (rc) {
2019                         kfree(namep);
2020                         return rc;
2021                 }
2022                 *value = context;
2023                 *len = clen;
2024         }
2025
2026         return 0;
2027 }
2028
2029 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2030 {
2031         return may_create(dir, dentry, SECCLASS_FILE);
2032 }
2033
2034 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2035 {
2036         int rc;
2037
2038         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2039         if (rc)
2040                 return rc;
2041         return may_link(dir, old_dentry, MAY_LINK);
2042 }
2043
2044 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2045 {
2046         int rc;
2047
2048         rc = secondary_ops->inode_unlink(dir, dentry);
2049         if (rc)
2050                 return rc;
2051         return may_link(dir, dentry, MAY_UNLINK);
2052 }
2053
2054 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2055 {
2056         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2057 }
2058
2059 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2060 {
2061         return may_create(dir, dentry, SECCLASS_DIR);
2062 }
2063
2064 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2065 {
2066         return may_link(dir, dentry, MAY_RMDIR);
2067 }
2068
2069 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2070 {
2071         int rc;
2072
2073         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2074         if (rc)
2075                 return rc;
2076
2077         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2078 }
2079
2080 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2081                                 struct inode *new_inode, struct dentry *new_dentry)
2082 {
2083         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2084 }
2085
2086 static int selinux_inode_readlink(struct dentry *dentry)
2087 {
2088         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2089 }
2090
2091 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2092 {
2093         int rc;
2094
2095         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2096         if (rc)
2097                 return rc;
2098         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2099 }
2100
2101 static int selinux_inode_permission(struct inode *inode, int mask,
2102                                     struct nameidata *nd)
2103 {
2104         int rc;
2105
2106         rc = secondary_ops->inode_permission(inode, mask, nd);
2107         if (rc)
2108                 return rc;
2109
2110         if (!mask) {
2111                 /* No permission to check.  Existence test. */
2112                 return 0;
2113         }
2114
2115         return inode_has_perm(current, inode,
2116                                file_mask_to_av(inode->i_mode, mask), NULL);
2117 }
2118
2119 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2120 {
2121         int rc;
2122
2123         rc = secondary_ops->inode_setattr(dentry, iattr);
2124         if (rc)
2125                 return rc;
2126
2127         if (iattr->ia_valid & ATTR_FORCE)
2128                 return 0;
2129
2130         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2131                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2132                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2133
2134         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2135 }
2136
2137 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2138 {
2139         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2140 }
2141
2142 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2143 {
2144         struct task_security_struct *tsec = current->security;
2145         struct inode *inode = dentry->d_inode;
2146         struct inode_security_struct *isec = inode->i_security;
2147         struct superblock_security_struct *sbsec;
2148         struct avc_audit_data ad;
2149         u32 newsid;
2150         int rc = 0;
2151
2152         if (strcmp(name, XATTR_NAME_SELINUX)) {
2153                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2154                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2155                     !capable(CAP_SYS_ADMIN)) {
2156                         /* A different attribute in the security namespace.
2157                            Restrict to administrator. */
2158                         return -EPERM;
2159                 }
2160
2161                 /* Not an attribute we recognize, so just check the
2162                    ordinary setattr permission. */
2163                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2164         }
2165
2166         sbsec = inode->i_sb->s_security;
2167         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2168                 return -EOPNOTSUPP;
2169
2170         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2171                 return -EPERM;
2172
2173         AVC_AUDIT_DATA_INIT(&ad,FS);
2174         ad.u.fs.dentry = dentry;
2175
2176         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2177                           FILE__RELABELFROM, &ad);
2178         if (rc)
2179                 return rc;
2180
2181         rc = security_context_to_sid(value, size, &newsid);
2182         if (rc)
2183                 return rc;
2184
2185         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2186                           FILE__RELABELTO, &ad);
2187         if (rc)
2188                 return rc;
2189
2190         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2191                                           isec->sclass);
2192         if (rc)
2193                 return rc;
2194
2195         return avc_has_perm(newsid,
2196                             sbsec->sid,
2197                             SECCLASS_FILESYSTEM,
2198                             FILESYSTEM__ASSOCIATE,
2199                             &ad);
2200 }
2201
2202 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2203                                         void *value, size_t size, int flags)
2204 {
2205         struct inode *inode = dentry->d_inode;
2206         struct inode_security_struct *isec = inode->i_security;
2207         u32 newsid;
2208         int rc;
2209
2210         if (strcmp(name, XATTR_NAME_SELINUX)) {
2211                 /* Not an attribute we recognize, so nothing to do. */
2212                 return;
2213         }
2214
2215         rc = security_context_to_sid(value, size, &newsid);
2216         if (rc) {
2217                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2218                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2219                 return;
2220         }
2221
2222         isec->sid = newsid;
2223         return;
2224 }
2225
2226 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2227 {
2228         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2229 }
2230
2231 static int selinux_inode_listxattr (struct dentry *dentry)
2232 {
2233         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2234 }
2235
2236 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2237 {
2238         if (strcmp(name, XATTR_NAME_SELINUX)) {
2239                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2240                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2241                     !capable(CAP_SYS_ADMIN)) {
2242                         /* A different attribute in the security namespace.
2243                            Restrict to administrator. */
2244                         return -EPERM;
2245                 }
2246
2247                 /* Not an attribute we recognize, so just check the
2248                    ordinary setattr permission. Might want a separate
2249                    permission for removexattr. */
2250                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2251         }
2252
2253         /* No one is allowed to remove a SELinux security label.
2254            You can change the label, but all data must be labeled. */
2255         return -EACCES;
2256 }
2257
2258 static const char *selinux_inode_xattr_getsuffix(void)
2259 {
2260       return XATTR_SELINUX_SUFFIX;
2261 }
2262
2263 /*
2264  * Copy the in-core inode security context value to the user.  If the
2265  * getxattr() prior to this succeeded, check to see if we need to
2266  * canonicalize the value to be finally returned to the user.
2267  *
2268  * Permission check is handled by selinux_inode_getxattr hook.
2269  */
2270 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2271 {
2272         struct inode_security_struct *isec = inode->i_security;
2273
2274         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2275                 return -EOPNOTSUPP;
2276
2277         return selinux_getsecurity(isec->sid, buffer, size);
2278 }
2279
2280 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2281                                      const void *value, size_t size, int flags)
2282 {
2283         struct inode_security_struct *isec = inode->i_security;
2284         u32 newsid;
2285         int rc;
2286
2287         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2288                 return -EOPNOTSUPP;
2289
2290         if (!value || !size)
2291                 return -EACCES;
2292
2293         rc = security_context_to_sid((void*)value, size, &newsid);
2294         if (rc)
2295                 return rc;
2296
2297         isec->sid = newsid;
2298         return 0;
2299 }
2300
2301 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2302 {
2303         const int len = sizeof(XATTR_NAME_SELINUX);
2304         if (buffer && len <= buffer_size)
2305                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2306         return len;
2307 }
2308
2309 /* file security operations */
2310
2311 static int selinux_file_permission(struct file *file, int mask)
2312 {
2313         struct inode *inode = file->f_dentry->d_inode;
2314
2315         if (!mask) {
2316                 /* No permission to check.  Existence test. */
2317                 return 0;
2318         }
2319
2320         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2321         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2322                 mask |= MAY_APPEND;
2323
2324         return file_has_perm(current, file,
2325                              file_mask_to_av(inode->i_mode, mask));
2326 }
2327
2328 static int selinux_file_alloc_security(struct file *file)
2329 {
2330         return file_alloc_security(file);
2331 }
2332
2333 static void selinux_file_free_security(struct file *file)
2334 {
2335         file_free_security(file);
2336 }
2337
2338 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2339                               unsigned long arg)
2340 {
2341         int error = 0;
2342
2343         switch (cmd) {
2344                 case FIONREAD:
2345                 /* fall through */
2346                 case FIBMAP:
2347                 /* fall through */
2348                 case FIGETBSZ:
2349                 /* fall through */
2350                 case EXT2_IOC_GETFLAGS:
2351                 /* fall through */
2352                 case EXT2_IOC_GETVERSION:
2353                         error = file_has_perm(current, file, FILE__GETATTR);
2354                         break;
2355
2356                 case EXT2_IOC_SETFLAGS:
2357                 /* fall through */
2358                 case EXT2_IOC_SETVERSION:
2359                         error = file_has_perm(current, file, FILE__SETATTR);
2360                         break;
2361
2362                 /* sys_ioctl() checks */
2363                 case FIONBIO:
2364                 /* fall through */
2365                 case FIOASYNC:
2366                         error = file_has_perm(current, file, 0);
2367                         break;
2368
2369                 case KDSKBENT:
2370                 case KDSKBSENT:
2371                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2372                         break;
2373
2374                 /* default case assumes that the command will go
2375                  * to the file's ioctl() function.
2376                  */
2377                 default:
2378                         error = file_has_perm(current, file, FILE__IOCTL);
2379
2380         }
2381         return error;
2382 }
2383
2384 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2385 {
2386 #ifndef CONFIG_PPC32
2387         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2388                 /*
2389                  * We are making executable an anonymous mapping or a
2390                  * private file mapping that will also be writable.
2391                  * This has an additional check.
2392                  */
2393                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2394                 if (rc)
2395                         return rc;
2396         }
2397 #endif
2398
2399         if (file) {
2400                 /* read access is always possible with a mapping */
2401                 u32 av = FILE__READ;
2402
2403                 /* write access only matters if the mapping is shared */
2404                 if (shared && (prot & PROT_WRITE))
2405                         av |= FILE__WRITE;
2406
2407                 if (prot & PROT_EXEC)
2408                         av |= FILE__EXECUTE;
2409
2410                 return file_has_perm(current, file, av);
2411         }
2412         return 0;
2413 }
2414
2415 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2416                              unsigned long prot, unsigned long flags)
2417 {
2418         int rc;
2419
2420         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2421         if (rc)
2422                 return rc;
2423
2424         if (selinux_checkreqprot)
2425                 prot = reqprot;
2426
2427         return file_map_prot_check(file, prot,
2428                                    (flags & MAP_TYPE) == MAP_SHARED);
2429 }
2430
2431 static int selinux_file_mprotect(struct vm_area_struct *vma,
2432                                  unsigned long reqprot,
2433                                  unsigned long prot)
2434 {
2435         int rc;
2436
2437         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2438         if (rc)
2439                 return rc;
2440
2441         if (selinux_checkreqprot)
2442                 prot = reqprot;
2443
2444 #ifndef CONFIG_PPC32
2445         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2446                 rc = 0;
2447                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2448                     vma->vm_end <= vma->vm_mm->brk) {
2449                         rc = task_has_perm(current, current,
2450                                            PROCESS__EXECHEAP);
2451                 } else if (!vma->vm_file &&
2452                            vma->vm_start <= vma->vm_mm->start_stack &&
2453                            vma->vm_end >= vma->vm_mm->start_stack) {
2454                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2455                 } else if (vma->vm_file && vma->anon_vma) {
2456                         /*
2457                          * We are making executable a file mapping that has
2458                          * had some COW done. Since pages might have been
2459                          * written, check ability to execute the possibly
2460                          * modified content.  This typically should only
2461                          * occur for text relocations.
2462                          */
2463                         rc = file_has_perm(current, vma->vm_file,
2464                                            FILE__EXECMOD);
2465                 }
2466                 if (rc)
2467                         return rc;
2468         }
2469 #endif
2470
2471         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2472 }
2473
2474 static int selinux_file_lock(struct file *file, unsigned int cmd)
2475 {
2476         return file_has_perm(current, file, FILE__LOCK);
2477 }
2478
2479 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2480                               unsigned long arg)
2481 {
2482         int err = 0;
2483
2484         switch (cmd) {
2485                 case F_SETFL:
2486                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2487                                 err = -EINVAL;
2488                                 break;
2489                         }
2490
2491                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2492                                 err = file_has_perm(current, file,FILE__WRITE);
2493                                 break;
2494                         }
2495                         /* fall through */
2496                 case F_SETOWN:
2497                 case F_SETSIG:
2498                 case F_GETFL:
2499                 case F_GETOWN:
2500                 case F_GETSIG:
2501                         /* Just check FD__USE permission */
2502                         err = file_has_perm(current, file, 0);
2503                         break;
2504                 case F_GETLK:
2505                 case F_SETLK:
2506                 case F_SETLKW:
2507 #if BITS_PER_LONG == 32
2508                 case F_GETLK64:
2509                 case F_SETLK64:
2510                 case F_SETLKW64:
2511 #endif
2512                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2513                                 err = -EINVAL;
2514                                 break;
2515                         }
2516                         err = file_has_perm(current, file, FILE__LOCK);
2517                         break;
2518         }
2519
2520         return err;
2521 }
2522
2523 static int selinux_file_set_fowner(struct file *file)
2524 {
2525         struct task_security_struct *tsec;
2526         struct file_security_struct *fsec;
2527
2528         tsec = current->security;
2529         fsec = file->f_security;
2530         fsec->fown_sid = tsec->sid;
2531
2532         return 0;
2533 }
2534
2535 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2536                                        struct fown_struct *fown, int signum)
2537 {
2538         struct file *file;
2539         u32 perm;
2540         struct task_security_struct *tsec;
2541         struct file_security_struct *fsec;
2542
2543         /* struct fown_struct is never outside the context of a struct file */
2544         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2545
2546         tsec = tsk->security;
2547         fsec = file->f_security;
2548
2549         if (!signum)
2550                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2551         else
2552                 perm = signal_to_av(signum);
2553
2554         return avc_has_perm(fsec->fown_sid, tsec->sid,
2555                             SECCLASS_PROCESS, perm, NULL);
2556 }
2557
2558 static int selinux_file_receive(struct file *file)
2559 {
2560         return file_has_perm(current, file, file_to_av(file));
2561 }
2562
2563 /* task security operations */
2564
2565 static int selinux_task_create(unsigned long clone_flags)
2566 {
2567         int rc;
2568
2569         rc = secondary_ops->task_create(clone_flags);
2570         if (rc)
2571                 return rc;
2572
2573         return task_has_perm(current, current, PROCESS__FORK);
2574 }
2575
2576 static int selinux_task_alloc_security(struct task_struct *tsk)
2577 {
2578         struct task_security_struct *tsec1, *tsec2;
2579         int rc;
2580
2581         tsec1 = current->security;
2582
2583         rc = task_alloc_security(tsk);
2584         if (rc)
2585                 return rc;
2586         tsec2 = tsk->security;
2587
2588         tsec2->osid = tsec1->osid;
2589         tsec2->sid = tsec1->sid;
2590
2591         /* Retain the exec, fs, key, and sock SIDs across fork */
2592         tsec2->exec_sid = tsec1->exec_sid;
2593         tsec2->create_sid = tsec1->create_sid;
2594         tsec2->keycreate_sid = tsec1->keycreate_sid;
2595         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2596
2597         /* Retain ptracer SID across fork, if any.
2598            This will be reset by the ptrace hook upon any
2599            subsequent ptrace_attach operations. */
2600         tsec2->ptrace_sid = tsec1->ptrace_sid;
2601
2602         return 0;
2603 }
2604
2605 static void selinux_task_free_security(struct task_struct *tsk)
2606 {
2607         task_free_security(tsk);
2608 }
2609
2610 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2611 {
2612         /* Since setuid only affects the current process, and
2613            since the SELinux controls are not based on the Linux
2614            identity attributes, SELinux does not need to control
2615            this operation.  However, SELinux does control the use
2616            of the CAP_SETUID and CAP_SETGID capabilities using the
2617            capable hook. */
2618         return 0;
2619 }
2620
2621 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2622 {
2623         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2624 }
2625
2626 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2627 {
2628         /* See the comment for setuid above. */
2629         return 0;
2630 }
2631
2632 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2633 {
2634         return task_has_perm(current, p, PROCESS__SETPGID);
2635 }
2636
2637 static int selinux_task_getpgid(struct task_struct *p)
2638 {
2639         return task_has_perm(current, p, PROCESS__GETPGID);
2640 }
2641
2642 static int selinux_task_getsid(struct task_struct *p)
2643 {
2644         return task_has_perm(current, p, PROCESS__GETSESSION);
2645 }
2646
2647 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2648 {
2649         selinux_get_task_sid(p, secid);
2650 }
2651
2652 static int selinux_task_setgroups(struct group_info *group_info)
2653 {
2654         /* See the comment for setuid above. */
2655         return 0;
2656 }
2657
2658 static int selinux_task_setnice(struct task_struct *p, int nice)
2659 {
2660         int rc;
2661
2662         rc = secondary_ops->task_setnice(p, nice);
2663         if (rc)
2664                 return rc;
2665
2666         return task_has_perm(current,p, PROCESS__SETSCHED);
2667 }
2668
2669 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2670 {
2671         return task_has_perm(current, p, PROCESS__SETSCHED);
2672 }
2673
2674 static int selinux_task_getioprio(struct task_struct *p)
2675 {
2676         return task_has_perm(current, p, PROCESS__GETSCHED);
2677 }
2678
2679 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2680 {
2681         struct rlimit *old_rlim = current->signal->rlim + resource;
2682         int rc;
2683
2684         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2685         if (rc)
2686                 return rc;
2687
2688         /* Control the ability to change the hard limit (whether
2689            lowering or raising it), so that the hard limit can
2690            later be used as a safe reset point for the soft limit
2691            upon context transitions. See selinux_bprm_apply_creds. */
2692         if (old_rlim->rlim_max != new_rlim->rlim_max)
2693                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2694
2695         return 0;
2696 }
2697
2698 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2699 {
2700         return task_has_perm(current, p, PROCESS__SETSCHED);
2701 }
2702
2703 static int selinux_task_getscheduler(struct task_struct *p)
2704 {
2705         return task_has_perm(current, p, PROCESS__GETSCHED);
2706 }
2707
2708 static int selinux_task_movememory(struct task_struct *p)
2709 {
2710         return task_has_perm(current, p, PROCESS__SETSCHED);
2711 }
2712
2713 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2714                                 int sig, u32 secid)
2715 {
2716         u32 perm;
2717         int rc;
2718         struct task_security_struct *tsec;
2719
2720         rc = secondary_ops->task_kill(p, info, sig, secid);
2721         if (rc)
2722                 return rc;
2723
2724         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2725                 return 0;
2726
2727         if (!sig)
2728                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2729         else
2730                 perm = signal_to_av(sig);
2731         tsec = p->security;
2732         if (secid)
2733                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2734         else
2735                 rc = task_has_perm(current, p, perm);
2736         return rc;
2737 }
2738
2739 static int selinux_task_prctl(int option,
2740                               unsigned long arg2,
2741                               unsigned long arg3,
2742                               unsigned long arg4,
2743                               unsigned long arg5)
2744 {
2745         /* The current prctl operations do not appear to require
2746            any SELinux controls since they merely observe or modify
2747            the state of the current process. */
2748         return 0;
2749 }
2750
2751 static int selinux_task_wait(struct task_struct *p)
2752 {
2753         u32 perm;
2754
2755         perm = signal_to_av(p->exit_signal);
2756
2757         return task_has_perm(p, current, perm);
2758 }
2759
2760 static void selinux_task_reparent_to_init(struct task_struct *p)
2761 {
2762         struct task_security_struct *tsec;
2763
2764         secondary_ops->task_reparent_to_init(p);
2765
2766         tsec = p->security;
2767         tsec->osid = tsec->sid;
2768         tsec->sid = SECINITSID_KERNEL;
2769         return;
2770 }
2771
2772 static void selinux_task_to_inode(struct task_struct *p,
2773                                   struct inode *inode)
2774 {
2775         struct task_security_struct *tsec = p->security;
2776         struct inode_security_struct *isec = inode->i_security;
2777
2778         isec->sid = tsec->sid;
2779         isec->initialized = 1;
2780         return;
2781 }
2782
2783 /* Returns error only if unable to parse addresses */
2784 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2785 {
2786         int offset, ihlen, ret = -EINVAL;
2787         struct iphdr _iph, *ih;
2788
2789         offset = skb->nh.raw - skb->data;
2790         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2791         if (ih == NULL)
2792                 goto out;
2793
2794         ihlen = ih->ihl * 4;
2795         if (ihlen < sizeof(_iph))
2796                 goto out;
2797
2798         ad->u.net.v4info.saddr = ih->saddr;
2799         ad->u.net.v4info.daddr = ih->daddr;
2800         ret = 0;
2801
2802         switch (ih->protocol) {
2803         case IPPROTO_TCP: {
2804                 struct tcphdr _tcph, *th;
2805
2806                 if (ntohs(ih->frag_off) & IP_OFFSET)
2807                         break;
2808
2809                 offset += ihlen;
2810                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2811                 if (th == NULL)
2812                         break;
2813
2814                 ad->u.net.sport = th->source;
2815                 ad->u.net.dport = th->dest;
2816                 break;
2817         }
2818         
2819         case IPPROTO_UDP: {
2820                 struct udphdr _udph, *uh;
2821                 
2822                 if (ntohs(ih->frag_off) & IP_OFFSET)
2823                         break;
2824                         
2825                 offset += ihlen;
2826                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2827                 if (uh == NULL)
2828                         break;  
2829
2830                 ad->u.net.sport = uh->source;
2831                 ad->u.net.dport = uh->dest;
2832                 break;
2833         }
2834
2835         default:
2836                 break;
2837         }
2838 out:
2839         return ret;
2840 }
2841
2842 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2843
2844 /* Returns error only if unable to parse addresses */
2845 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2846 {
2847         u8 nexthdr;
2848         int ret = -EINVAL, offset;
2849         struct ipv6hdr _ipv6h, *ip6;
2850
2851         offset = skb->nh.raw - skb->data;
2852         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2853         if (ip6 == NULL)
2854                 goto out;
2855
2856         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2857         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2858         ret = 0;
2859
2860         nexthdr = ip6->nexthdr;
2861         offset += sizeof(_ipv6h);
2862         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2863         if (offset < 0)
2864                 goto out;
2865
2866         switch (nexthdr) {
2867         case IPPROTO_TCP: {
2868                 struct tcphdr _tcph, *th;
2869
2870                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2871                 if (th == NULL)
2872                         break;
2873
2874                 ad->u.net.sport = th->source;
2875                 ad->u.net.dport = th->dest;
2876                 break;
2877         }
2878
2879         case IPPROTO_UDP: {
2880                 struct udphdr _udph, *uh;
2881
2882                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2883                 if (uh == NULL)
2884                         break;
2885
2886                 ad->u.net.sport = uh->source;
2887                 ad->u.net.dport = uh->dest;
2888                 break;
2889         }
2890
2891         /* includes fragments */
2892         default:
2893                 break;
2894         }
2895 out:
2896         return ret;
2897 }
2898
2899 #endif /* IPV6 */
2900
2901 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2902                              char **addrp, int *len, int src)
2903 {
2904         int ret = 0;
2905
2906         switch (ad->u.net.family) {
2907         case PF_INET:
2908                 ret = selinux_parse_skb_ipv4(skb, ad);
2909                 if (ret || !addrp)
2910                         break;
2911                 *len = 4;
2912                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2913                                         &ad->u.net.v4info.daddr);
2914                 break;
2915
2916 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2917         case PF_INET6:
2918                 ret = selinux_parse_skb_ipv6(skb, ad);
2919                 if (ret || !addrp)
2920                         break;
2921                 *len = 16;
2922                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2923                                         &ad->u.net.v6info.daddr);
2924                 break;
2925 #endif  /* IPV6 */
2926         default:
2927                 break;
2928         }
2929
2930         return ret;
2931 }
2932
2933 /* socket security operations */
2934 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2935                            u32 perms)
2936 {
2937         struct inode_security_struct *isec;
2938         struct task_security_struct *tsec;
2939         struct avc_audit_data ad;
2940         int err = 0;
2941
2942         tsec = task->security;
2943         isec = SOCK_INODE(sock)->i_security;
2944
2945         if (isec->sid == SECINITSID_KERNEL)
2946                 goto out;
2947
2948         AVC_AUDIT_DATA_INIT(&ad,NET);
2949         ad.u.net.sk = sock->sk;
2950         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2951
2952 out:
2953         return err;
2954 }
2955
2956 static int selinux_socket_create(int family, int type,
2957                                  int protocol, int kern)
2958 {
2959         int err = 0;
2960         struct task_security_struct *tsec;
2961         u32 newsid;
2962
2963         if (kern)
2964                 goto out;
2965
2966         tsec = current->security;
2967         newsid = tsec->sockcreate_sid ? : tsec->sid;
2968         err = avc_has_perm(tsec->sid, newsid,
2969                            socket_type_to_security_class(family, type,
2970                            protocol), SOCKET__CREATE, NULL);
2971
2972 out:
2973         return err;
2974 }
2975
2976 static void selinux_socket_post_create(struct socket *sock, int family,
2977                                        int type, int protocol, int kern)
2978 {
2979         struct inode_security_struct *isec;
2980         struct task_security_struct *tsec;
2981         u32 newsid;
2982
2983         isec = SOCK_INODE(sock)->i_security;
2984
2985         tsec = current->security;
2986         newsid = tsec->sockcreate_sid ? : tsec->sid;
2987         isec->sclass = socket_type_to_security_class(family, type, protocol);
2988         isec->sid = kern ? SECINITSID_KERNEL : newsid;
2989         isec->initialized = 1;
2990
2991         return;
2992 }
2993
2994 /* Range of port numbers used to automatically bind.
2995    Need to determine whether we should perform a name_bind
2996    permission check between the socket and the port number. */
2997 #define ip_local_port_range_0 sysctl_local_port_range[0]
2998 #define ip_local_port_range_1 sysctl_local_port_range[1]
2999
3000 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3001 {
3002         u16 family;
3003         int err;
3004
3005         err = socket_has_perm(current, sock, SOCKET__BIND);
3006         if (err)
3007                 goto out;
3008
3009         /*
3010          * If PF_INET or PF_INET6, check name_bind permission for the port.
3011          * Multiple address binding for SCTP is not supported yet: we just
3012          * check the first address now.
3013          */
3014         family = sock->sk->sk_family;
3015         if (family == PF_INET || family == PF_INET6) {
3016                 char *addrp;
3017                 struct inode_security_struct *isec;
3018                 struct task_security_struct *tsec;
3019                 struct avc_audit_data ad;
3020                 struct sockaddr_in *addr4 = NULL;
3021                 struct sockaddr_in6 *addr6 = NULL;
3022                 unsigned short snum;
3023                 struct sock *sk = sock->sk;
3024                 u32 sid, node_perm, addrlen;
3025
3026                 tsec = current->security;
3027                 isec = SOCK_INODE(sock)->i_security;
3028
3029                 if (family == PF_INET) {
3030                         addr4 = (struct sockaddr_in *)address;
3031                         snum = ntohs(addr4->sin_port);
3032                         addrlen = sizeof(addr4->sin_addr.s_addr);
3033                         addrp = (char *)&addr4->sin_addr.s_addr;
3034                 } else {
3035                         addr6 = (struct sockaddr_in6 *)address;
3036                         snum = ntohs(addr6->sin6_port);
3037                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3038                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3039                 }
3040
3041                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3042                            snum > ip_local_port_range_1)) {
3043                         err = security_port_sid(sk->sk_family, sk->sk_type,
3044                                                 sk->sk_protocol, snum, &sid);
3045                         if (err)
3046                                 goto out;
3047                         AVC_AUDIT_DATA_INIT(&ad,NET);
3048                         ad.u.net.sport = htons(snum);
3049                         ad.u.net.family = family;
3050                         err = avc_has_perm(isec->sid, sid,
3051                                            isec->sclass,
3052                                            SOCKET__NAME_BIND, &ad);
3053                         if (err)
3054                                 goto out;
3055                 }
3056                 
3057                 switch(isec->sclass) {
3058                 case SECCLASS_TCP_SOCKET:
3059                         node_perm = TCP_SOCKET__NODE_BIND;
3060                         break;
3061                         
3062                 case SECCLASS_UDP_SOCKET:
3063                         node_perm = UDP_SOCKET__NODE_BIND;
3064                         break;
3065                         
3066                 default:
3067                         node_perm = RAWIP_SOCKET__NODE_BIND;
3068                         break;
3069                 }
3070                 
3071                 err = security_node_sid(family, addrp, addrlen, &sid);
3072                 if (err)
3073                         goto out;
3074                 
3075                 AVC_AUDIT_DATA_INIT(&ad,NET);
3076                 ad.u.net.sport = htons(snum);
3077                 ad.u.net.family = family;
3078
3079                 if (family == PF_INET)
3080                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3081                 else
3082                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3083
3084                 err = avc_has_perm(isec->sid, sid,
3085                                    isec->sclass, node_perm, &ad);
3086                 if (err)
3087                         goto out;
3088         }
3089 out:
3090         return err;
3091 }
3092
3093 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3094 {
3095         struct inode_security_struct *isec;
3096         int err;
3097
3098         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3099         if (err)
3100                 return err;
3101
3102         /*
3103          * If a TCP socket, check name_connect permission for the port.
3104          */
3105         isec = SOCK_INODE(sock)->i_security;
3106         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3107                 struct sock *sk = sock->sk;
3108                 struct avc_audit_data ad;
3109                 struct sockaddr_in *addr4 = NULL;
3110                 struct sockaddr_in6 *addr6 = NULL;
3111                 unsigned short snum;
3112                 u32 sid;
3113
3114                 if (sk->sk_family == PF_INET) {
3115                         addr4 = (struct sockaddr_in *)address;
3116                         if (addrlen < sizeof(struct sockaddr_in))
3117                                 return -EINVAL;
3118                         snum = ntohs(addr4->sin_port);
3119                 } else {
3120                         addr6 = (struct sockaddr_in6 *)address;
3121                         if (addrlen < SIN6_LEN_RFC2133)
3122                                 return -EINVAL;
3123                         snum = ntohs(addr6->sin6_port);
3124                 }
3125
3126                 err = security_port_sid(sk->sk_family, sk->sk_type,
3127                                         sk->sk_protocol, snum, &sid);
3128                 if (err)
3129                         goto out;
3130
3131                 AVC_AUDIT_DATA_INIT(&ad,NET);
3132                 ad.u.net.dport = htons(snum);
3133                 ad.u.net.family = sk->sk_family;
3134                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3135                                    TCP_SOCKET__NAME_CONNECT, &ad);
3136                 if (err)
3137                         goto out;
3138         }
3139
3140 out:
3141         return err;
3142 }
3143
3144 static int selinux_socket_listen(struct socket *sock, int backlog)
3145 {
3146         return socket_has_perm(current, sock, SOCKET__LISTEN);
3147 }
3148
3149 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3150 {
3151         int err;
3152         struct inode_security_struct *isec;
3153         struct inode_security_struct *newisec;
3154
3155         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3156         if (err)
3157                 return err;
3158
3159         newisec = SOCK_INODE(newsock)->i_security;
3160
3161         isec = SOCK_INODE(sock)->i_security;
3162         newisec->sclass = isec->sclass;
3163         newisec->sid = isec->sid;
3164         newisec->initialized = 1;
3165
3166         return 0;
3167 }
3168
3169 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3170                                   int size)
3171 {
3172         return socket_has_perm(current, sock, SOCKET__WRITE);
3173 }
3174
3175 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3176                                   int size, int flags)
3177 {
3178         return socket_has_perm(current, sock, SOCKET__READ);
3179 }
3180
3181 static int selinux_socket_getsockname(struct socket *sock)
3182 {
3183         return socket_has_perm(current, sock, SOCKET__GETATTR);
3184 }
3185
3186 static int selinux_socket_getpeername(struct socket *sock)
3187 {
3188         return socket_has_perm(current, sock, SOCKET__GETATTR);
3189 }
3190
3191 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3192 {
3193         return socket_has_perm(current, sock, SOCKET__SETOPT);
3194 }
3195
3196 static int selinux_socket_getsockopt(struct socket *sock, int level,
3197                                      int optname)
3198 {
3199         return socket_has_perm(current, sock, SOCKET__GETOPT);
3200 }
3201
3202 static int selinux_socket_shutdown(struct socket *sock, int how)
3203 {
3204         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3205 }
3206
3207 static int selinux_socket_unix_stream_connect(struct socket *sock,
3208                                               struct socket *other,
3209                                               struct sock *newsk)
3210 {
3211         struct sk_security_struct *ssec;
3212         struct inode_security_struct *isec;
3213         struct inode_security_struct *other_isec;
3214         struct avc_audit_data ad;
3215         int err;
3216
3217         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3218         if (err)
3219                 return err;
3220
3221         isec = SOCK_INODE(sock)->i_security;
3222         other_isec = SOCK_INODE(other)->i_security;
3223
3224         AVC_AUDIT_DATA_INIT(&ad,NET);
3225         ad.u.net.sk = other->sk;
3226
3227         err = avc_has_perm(isec->sid, other_isec->sid,
3228                            isec->sclass,
3229                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3230         if (err)
3231                 return err;
3232
3233         /* connecting socket */
3234         ssec = sock->sk->sk_security;
3235         ssec->peer_sid = other_isec->sid;
3236         
3237         /* server child socket */
3238         ssec = newsk->sk_security;
3239         ssec->peer_sid = isec->sid;
3240         
3241         return 0;
3242 }
3243
3244 static int selinux_socket_unix_may_send(struct socket *sock,
3245                                         struct socket *other)
3246 {
3247         struct inode_security_struct *isec;
3248         struct inode_security_struct *other_isec;
3249         struct avc_audit_data ad;
3250         int err;
3251
3252         isec = SOCK_INODE(sock)->i_security;
3253         other_isec = SOCK_INODE(other)->i_security;
3254
3255         AVC_AUDIT_DATA_INIT(&ad,NET);
3256         ad.u.net.sk = other->sk;
3257
3258         err = avc_has_perm(isec->sid, other_isec->sid,
3259                            isec->sclass, SOCKET__SENDTO, &ad);
3260         if (err)
3261                 return err;
3262
3263         return 0;
3264 }
3265
3266 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3267                 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class,
3268                 u16 family, char *addrp, int len)
3269 {
3270         int err = 0;
3271         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3272
3273         if (!skb->dev)
3274                 goto out;
3275
3276         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3277         if (err)
3278                 goto out;
3279
3280         switch (sock_class) {
3281         case SECCLASS_UDP_SOCKET:
3282                 netif_perm = NETIF__UDP_RECV;
3283                 node_perm = NODE__UDP_RECV;
3284                 recv_perm = UDP_SOCKET__RECV_MSG;
3285                 break;
3286         
3287         case SECCLASS_TCP_SOCKET:
3288                 netif_perm = NETIF__TCP_RECV;
3289                 node_perm = NODE__TCP_RECV;
3290                 recv_perm = TCP_SOCKET__RECV_MSG;
3291                 break;
3292         
3293         default:
3294                 netif_perm = NETIF__RAWIP_RECV;
3295                 node_perm = NODE__RAWIP_RECV;
3296                 break;
3297         }
3298
3299         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3300         if (err)
3301                 goto out;
3302         
3303         err = security_node_sid(family, addrp, len, &node_sid);
3304         if (err)
3305                 goto out;
3306         
3307         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3308         if (err)
3309                 goto out;
3310
3311         if (recv_perm) {
3312                 u32 port_sid;
3313
3314                 err = security_port_sid(sk->sk_family, sk->sk_type,
3315                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3316                                         &port_sid);
3317                 if (err)
3318                         goto out;
3319
3320                 err = avc_has_perm(sock_sid, port_sid,
3321                                    sock_class, recv_perm, ad);
3322         }
3323
3324 out:
3325         return err;
3326 }
3327
3328 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3329 {
3330         u16 family;
3331         u16 sock_class = 0;
3332         char *addrp;
3333         int len, err = 0;
3334         u32 sock_sid = 0;
3335         struct socket *sock;
3336         struct avc_audit_data ad;
3337
3338         family = sk->sk_family;
3339         if (family != PF_INET && family != PF_INET6)
3340                 goto out;
3341
3342         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3343         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3344                 family = PF_INET;
3345
3346         read_lock_bh(&sk->sk_callback_lock);
3347         sock = sk->sk_socket;
3348         if (sock) {
3349                 struct inode *inode;
3350                 inode = SOCK_INODE(sock);
3351                 if (inode) {
3352                         struct inode_security_struct *isec;
3353                         isec = inode->i_security;
3354                         sock_sid = isec->sid;
3355                         sock_class = isec->sclass;
3356                 }
3357         }
3358         read_unlock_bh(&sk->sk_callback_lock);
3359         if (!sock_sid)
3360                 goto out;
3361
3362         AVC_AUDIT_DATA_INIT(&ad, NET);
3363         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3364         ad.u.net.family = family;
3365
3366         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3367         if (err)
3368                 goto out;
3369
3370         if (selinux_compat_net)
3371                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
3372                                                   sock_class, family,
3373                                                   addrp, len);
3374         else
3375                 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
3376                                    PACKET__RECV, &ad);
3377         if (err)
3378                 goto out;
3379
3380         err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3381 out:    
3382         return err;
3383 }
3384
3385 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3386                                             int __user *optlen, unsigned len)
3387 {
3388         int err = 0;
3389         char *scontext;
3390         u32 scontext_len;
3391         struct sk_security_struct *ssec;
3392         struct inode_security_struct *isec;
3393         u32 peer_sid = 0;
3394
3395         isec = SOCK_INODE(sock)->i_security;
3396
3397         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3398         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3399                 ssec = sock->sk->sk_security;
3400                 peer_sid = ssec->peer_sid;
3401         }
3402         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3403                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3404
3405                 if (peer_sid == SECSID_NULL) {
3406                         err = -ENOPROTOOPT;
3407                         goto out;
3408                 }
3409         }
3410         else {
3411                 err = -ENOPROTOOPT;
3412                 goto out;
3413         }
3414
3415         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3416
3417         if (err)
3418                 goto out;
3419
3420         if (scontext_len > len) {
3421                 err = -ERANGE;
3422                 goto out_len;
3423         }
3424
3425         if (copy_to_user(optval, scontext, scontext_len))
3426                 err = -EFAULT;
3427
3428 out_len:
3429         if (put_user(scontext_len, optlen))
3430                 err = -EFAULT;
3431
3432         kfree(scontext);
3433 out:    
3434         return err;
3435 }
3436
3437 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3438 {
3439         int err = 0;
3440         u32 peer_sid;
3441
3442         if (skb->sk->sk_family == PF_UNIX)
3443                 selinux_get_inode_sid(SOCK_INODE(skb->sk->sk_socket),
3444                                       &peer_sid);
3445         else
3446                 peer_sid = selinux_socket_getpeer_dgram(skb);
3447
3448         if (peer_sid == SECSID_NULL)
3449                 return -EINVAL;
3450
3451         err = security_sid_to_context(peer_sid, secdata, seclen);
3452         if (err)
3453                 return err;
3454
3455         return 0;
3456 }
3457
3458 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3459 {
3460         return sk_alloc_security(sk, family, priority);
3461 }
3462
3463 static void selinux_sk_free_security(struct sock *sk)
3464 {
3465         sk_free_security(sk);
3466 }
3467
3468 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3469 {
3470         struct inode_security_struct *isec;
3471         u32 sock_sid = SECINITSID_ANY_SOCKET;
3472
3473         if (!sk)
3474                 return selinux_no_sk_sid(fl);
3475
3476         read_lock_bh(&sk->sk_callback_lock);
3477         isec = get_sock_isec(sk);
3478
3479         if (isec)
3480                 sock_sid = isec->sid;
3481
3482         read_unlock_bh(&sk->sk_callback_lock);
3483         return sock_sid;
3484 }
3485
3486 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3487 {
3488         int err = 0;
3489         u32 perm;
3490         struct nlmsghdr *nlh;
3491         struct socket *sock = sk->sk_socket;
3492         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3493         
3494         if (skb->len < NLMSG_SPACE(0)) {
3495                 err = -EINVAL;
3496                 goto out;
3497         }
3498         nlh = (struct nlmsghdr *)skb->data;
3499         
3500         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3501         if (err) {
3502                 if (err == -EINVAL) {
3503                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3504                                   "SELinux:  unrecognized netlink message"
3505                                   " type=%hu for sclass=%hu\n",
3506                                   nlh->nlmsg_type, isec->sclass);
3507                         if (!selinux_enforcing)
3508                                 err = 0;
3509                 }
3510
3511                 /* Ignore */
3512                 if (err == -ENOENT)
3513                         err = 0;
3514                 goto out;
3515         }
3516
3517         err = socket_has_perm(current, sock, perm);
3518 out:
3519         return err;
3520 }
3521
3522 #ifdef CONFIG_NETFILTER
3523
3524 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3525                                             struct inode_security_struct *isec,
3526                                             struct avc_audit_data *ad,
3527                                             u16 family, char *addrp, int len)
3528 {
3529         int err;
3530         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3531         
3532         err = sel_netif_sids(dev, &if_sid, NULL);
3533         if (err)
3534                 goto out;
3535
3536         switch (isec->sclass) {
3537         case SECCLASS_UDP_SOCKET:
3538                 netif_perm = NETIF__UDP_SEND;
3539                 node_perm = NODE__UDP_SEND;
3540                 send_perm = UDP_SOCKET__SEND_MSG;
3541                 break;
3542         
3543         case SECCLASS_TCP_SOCKET:
3544                 netif_perm = NETIF__TCP_SEND;
3545                 node_perm = NODE__TCP_SEND;
3546                 send_perm = TCP_SOCKET__SEND_MSG;
3547                 break;
3548         
3549         default:
3550                 netif_perm = NETIF__RAWIP_SEND;
3551                 node_perm = NODE__RAWIP_SEND;
3552                 break;
3553         }
3554
3555         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3556         if (err)
3557                 goto out;
3558                 
3559         err = security_node_sid(family, addrp, len, &node_sid);
3560         if (err)
3561                 goto out;
3562         
3563         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3564         if (err)
3565                 goto out;
3566
3567         if (send_perm) {
3568                 u32 port_sid;
3569                 
3570                 err = security_port_sid(sk->sk_family,
3571                                         sk->sk_type,
3572                                         sk->sk_protocol,
3573                                         ntohs(ad->u.net.dport),
3574                                         &port_sid);
3575                 if (err)
3576                         goto out;
3577
3578                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3579                                    send_perm, ad);
3580         }
3581 out:
3582         return err;
3583 }
3584
3585 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3586                                               struct sk_buff **pskb,
3587                                               const struct net_device *in,
3588                                               const struct net_device *out,
3589                                               int (*okfn)(struct sk_buff *),
3590                                               u16 family)
3591 {
3592         char *addrp;
3593         int len, err = 0;
3594         struct sock *sk;
3595         struct socket *sock;
3596         struct inode *inode;
3597         struct sk_buff *skb = *pskb;
3598         struct inode_security_struct *isec;
3599         struct avc_audit_data ad;
3600         struct net_device *dev = (struct net_device *)out;
3601
3602         sk = skb->sk;
3603         if (!sk)
3604                 goto out;
3605
3606         sock = sk->sk_socket;
3607         if (!sock)
3608                 goto out;
3609
3610         inode = SOCK_INODE(sock);
3611         if (!inode)
3612                 goto out;
3613
3614         isec = inode->i_security;
3615
3616         AVC_AUDIT_DATA_INIT(&ad, NET);
3617         ad.u.net.netif = dev->name;
3618         ad.u.net.family = family;
3619
3620         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3621         if (err)
3622                 goto out;
3623
3624         if (selinux_compat_net)
3625                 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
3626                                                        family, addrp, len);
3627         else
3628                 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
3629                                    PACKET__SEND, &ad);
3630
3631         if (err)
3632                 goto out;
3633
3634         err = selinux_xfrm_postroute_last(isec->sid, skb);
3635 out:
3636         return err ? NF_DROP : NF_ACCEPT;
3637 }
3638
3639 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3640                                                 struct sk_buff **pskb,
3641                                                 const struct net_device *in,
3642                                                 const struct net_device *out,
3643                                                 int (*okfn)(struct sk_buff *))
3644 {
3645         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3646 }
3647
3648 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3649
3650 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3651                                                 struct sk_buff **pskb,
3652                                                 const struct net_device *in,
3653                                                 const struct net_device *out,
3654                                                 int (*okfn)(struct sk_buff *))
3655 {
3656         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3657 }
3658
3659 #endif  /* IPV6 */
3660
3661 #endif  /* CONFIG_NETFILTER */
3662
3663 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3664 {
3665         int err;
3666
3667         err = secondary_ops->netlink_send(sk, skb);
3668         if (err)
3669                 return err;
3670
3671         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3672                 err = selinux_nlmsg_perm(sk, skb);
3673
3674         return err;
3675 }
3676
3677 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3678 {
3679         int err;
3680         struct avc_audit_data ad;
3681
3682         err = secondary_ops->netlink_recv(skb, capability);
3683         if (err)
3684                 return err;
3685
3686         AVC_AUDIT_DATA_INIT(&ad, CAP);
3687         ad.u.cap = capability;
3688
3689         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3690                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3691 }
3692
3693 static int ipc_alloc_security(struct task_struct *task,
3694                               struct kern_ipc_perm *perm,
3695                               u16 sclass)
3696 {
3697         struct task_security_struct *tsec = task->security;
3698         struct ipc_security_struct *isec;
3699
3700         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3701         if (!isec)
3702                 return -ENOMEM;
3703
3704         isec->sclass = sclass;
3705         isec->ipc_perm = perm;
3706         isec->sid = tsec->sid;
3707         perm->security = isec;
3708
3709         return 0;
3710 }
3711
3712 static void ipc_free_security(struct kern_ipc_perm *perm)
3713 {
3714         struct ipc_security_struct *isec = perm->security;
3715         perm->security = NULL;
3716         kfree(isec);
3717 }
3718
3719 static int msg_msg_alloc_security(struct msg_msg *msg)
3720 {
3721         struct msg_security_struct *msec;
3722
3723         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3724         if (!msec)
3725                 return -ENOMEM;
3726
3727         msec->msg = msg;
3728         msec->sid = SECINITSID_UNLABELED;
3729         msg->security = msec;
3730
3731         return 0;
3732 }
3733
3734 static void msg_msg_free_security(struct msg_msg *msg)
3735 {
3736         struct msg_security_struct *msec = msg->security;
3737
3738         msg->security = NULL;
3739         kfree(msec);
3740 }
3741
3742 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3743                         u32 perms)
3744 {
3745         struct task_security_struct *tsec;
3746         struct ipc_security_struct *isec;
3747         struct avc_audit_data ad;
3748
3749         tsec = current->security;
3750         isec = ipc_perms->security;
3751
3752         AVC_AUDIT_DATA_INIT(&ad, IPC);
3753         ad.u.ipc_id = ipc_perms->key;
3754
3755         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3756 }
3757
3758 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3759 {
3760         return msg_msg_alloc_security(msg);
3761 }
3762
3763 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3764 {
3765         msg_msg_free_security(msg);
3766 }
3767
3768 /* message queue security operations */
3769 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3770 {
3771         struct task_security_struct *tsec;
3772         struct ipc_security_struct *isec;
3773         struct avc_audit_data ad;
3774         int rc;
3775
3776         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3777         if (rc)
3778                 return rc;
3779
3780         tsec = current->security;
3781         isec = msq->q_perm.security;
3782
3783         AVC_AUDIT_DATA_INIT(&ad, IPC);
3784         ad.u.ipc_id = msq->q_perm.key;
3785
3786         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3787                           MSGQ__CREATE, &ad);
3788         if (rc) {
3789                 ipc_free_security(&msq->q_perm);
3790                 return rc;
3791         }
3792         return 0;
3793 }
3794
3795 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3796 {
3797         ipc_free_security(&msq->q_perm);
3798 }
3799
3800 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3801 {
3802         struct task_security_struct *tsec;
3803         struct ipc_security_struct *isec;
3804         struct avc_audit_data ad;
3805
3806         tsec = current->security;
3807         isec = msq->q_perm.security;
3808
3809         AVC_AUDIT_DATA_INIT(&ad, IPC);
3810         ad.u.ipc_id = msq->q_perm.key;
3811
3812         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3813                             MSGQ__ASSOCIATE, &ad);
3814 }
3815
3816 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3817 {
3818         int err;
3819         int perms;
3820
3821         switch(cmd) {
3822         case IPC_INFO:
3823         case MSG_INFO:
3824                 /* No specific object, just general system-wide information. */
3825                 return task_has_system(current, SYSTEM__IPC_INFO);
3826         case IPC_STAT:
3827         case MSG_STAT:
3828                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3829                 break;
3830         case IPC_SET:
3831                 perms = MSGQ__SETATTR;
3832                 break;
3833         case IPC_RMID:
3834                 perms = MSGQ__DESTROY;
3835                 break;
3836         default:
3837                 return 0;
3838         }
3839
3840         err = ipc_has_perm(&msq->q_perm, perms);
3841         return err;
3842 }
3843
3844 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3845 {
3846         struct task_security_struct *tsec;
3847         struct ipc_security_struct *isec;
3848         struct msg_security_struct *msec;
3849         struct avc_audit_data ad;
3850         int rc;
3851
3852         tsec = current->security;
3853         isec = msq->q_perm.security;
3854         msec = msg->security;
3855
3856         /*
3857          * First time through, need to assign label to the message
3858          */
3859         if (msec->sid == SECINITSID_UNLABELED) {
3860                 /*
3861                  * Compute new sid based on current process and
3862                  * message queue this message will be stored in
3863                  */
3864                 rc = security_transition_sid(tsec->sid,
3865                                              isec->sid,
3866                                              SECCLASS_MSG,
3867                                              &msec->sid);
3868                 if (rc)
3869                         return rc;
3870         }
3871
3872         AVC_AUDIT_DATA_INIT(&ad, IPC);
3873         ad.u.ipc_id = msq->q_perm.key;
3874
3875         /* Can this process write to the queue? */
3876         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3877                           MSGQ__WRITE, &ad);
3878         if (!rc)
3879                 /* Can this process send the message */
3880                 rc = avc_has_perm(tsec->sid, msec->sid,
3881                                   SECCLASS_MSG, MSG__SEND, &ad);
3882         if (!rc)
3883                 /* Can the message be put in the queue? */
3884                 rc = avc_has_perm(msec->sid, isec->sid,
3885                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3886
3887         return rc;
3888 }
3889
3890 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3891                                     struct task_struct *target,
3892                                     long type, int mode)
3893 {
3894         struct task_security_struct *tsec;
3895         struct ipc_security_struct *isec;
3896         struct msg_security_struct *msec;
3897         struct avc_audit_data ad;
3898         int rc;
3899
3900         tsec = target->security;
3901         isec = msq->q_perm.security;
3902         msec = msg->security;
3903
3904         AVC_AUDIT_DATA_INIT(&ad, IPC);
3905         ad.u.ipc_id = msq->q_perm.key;
3906
3907         rc = avc_has_perm(tsec->sid, isec->sid,
3908                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3909         if (!rc)
3910                 rc = avc_has_perm(tsec->sid, msec->sid,
3911                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3912         return rc;
3913 }
3914
3915 /* Shared Memory security operations */
3916 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3917 {
3918         struct task_security_struct *tsec;
3919         struct ipc_security_struct *isec;
3920         struct avc_audit_data ad;
3921         int rc;
3922
3923         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3924         if (rc)
3925                 return rc;
3926
3927         tsec = current->security;
3928         isec = shp->shm_perm.security;
3929
3930         AVC_AUDIT_DATA_INIT(&ad, IPC);
3931         ad.u.ipc_id = shp->shm_perm.key;
3932
3933         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3934                           SHM__CREATE, &ad);
3935         if (rc) {
3936                 ipc_free_security(&shp->shm_perm);
3937                 return rc;
3938         }
3939         return 0;
3940 }
3941
3942 static void selinux_shm_free_security(struct shmid_kernel *shp)
3943 {
3944         ipc_free_security(&shp->shm_perm);
3945 }
3946
3947 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3948 {
3949         struct task_security_struct *tsec;
3950         struct ipc_security_struct *isec;
3951         struct avc_audit_data ad;
3952
3953         tsec = current->security;
3954         isec = shp->shm_perm.security;
3955
3956         AVC_AUDIT_DATA_INIT(&ad, IPC);
3957         ad.u.ipc_id = shp->shm_perm.key;
3958
3959         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3960                             SHM__ASSOCIATE, &ad);
3961 }
3962
3963 /* Note, at this point, shp is locked down */
3964 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3965 {
3966         int perms;
3967         int err;
3968
3969         switch(cmd) {
3970         case IPC_INFO:
3971         case SHM_INFO:
3972                 /* No specific object, just general system-wide information. */
3973                 return task_has_system(current, SYSTEM__IPC_INFO);
3974         case IPC_STAT:
3975         case SHM_STAT:
3976                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3977                 break;
3978         case IPC_SET:
3979                 perms = SHM__SETATTR;
3980                 break;
3981         case SHM_LOCK:
3982         case SHM_UNLOCK:
3983                 perms = SHM__LOCK;
3984                 break;
3985         case IPC_RMID:
3986                 perms = SHM__DESTROY;
3987                 break;
3988         default:
3989                 return 0;
3990         }
3991
3992         err = ipc_has_perm(&shp->shm_perm, perms);
3993         return err;
3994 }
3995
3996 static int selinux_shm_shmat(struct shmid_kernel *shp,
3997                              char __user *shmaddr, int shmflg)
3998 {
3999         u32 perms;
4000         int rc;
4001
4002         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4003         if (rc)
4004                 return rc;
4005
4006         if (shmflg & SHM_RDONLY)
4007                 perms = SHM__READ;
4008         else
4009                 perms = SHM__READ | SHM__WRITE;
4010
4011         return ipc_has_perm(&shp->shm_perm, perms);
4012 }
4013
4014 /* Semaphore security operations */
4015 static int selinux_sem_alloc_security(struct sem_array *sma)
4016 {
4017         struct task_security_struct *tsec;
4018         struct ipc_security_struct *isec;
4019         struct avc_audit_data ad;
4020         int rc;
4021
4022         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4023         if (rc)
4024                 return rc;
4025
4026         tsec = current->security;
4027         isec = sma->sem_perm.security;
4028
4029         AVC_AUDIT_DATA_INIT(&ad, IPC);
4030         ad.u.ipc_id = sma->sem_perm.key;
4031
4032         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4033                           SEM__CREATE, &ad);
4034         if (rc) {
4035                 ipc_free_security(&sma->sem_perm);
4036                 return rc;
4037         }
4038         return 0;
4039 }
4040
4041 static void selinux_sem_free_security(struct sem_array *sma)
4042 {
4043         ipc_free_security(&sma->sem_perm);
4044 }
4045
4046 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4047 {
4048         struct task_security_struct *tsec;
4049         struct ipc_security_struct *isec;
4050         struct avc_audit_data ad;
4051
4052         tsec = current->security;
4053         isec = sma->sem_perm.security;
4054
4055         AVC_AUDIT_DATA_INIT(&ad, IPC);
4056         ad.u.ipc_id = sma->sem_perm.key;
4057
4058         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4059                             SEM__ASSOCIATE, &ad);
4060 }
4061
4062 /* Note, at this point, sma is locked down */
4063 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4064 {
4065         int err;
4066         u32 perms;
4067
4068         switch(cmd) {
4069         case IPC_INFO:
4070         case SEM_INFO:
4071                 /* No specific object, just general system-wide information. */
4072                 return task_has_system(current, SYSTEM__IPC_INFO);
4073         case GETPID:
4074         case GETNCNT:
4075         case GETZCNT:
4076                 perms = SEM__GETATTR;
4077                 break;
4078         case GETVAL:
4079         case GETALL:
4080                 perms = SEM__READ;
4081                 break;
4082         case SETVAL:
4083         case SETALL:
4084                 perms = SEM__WRITE;
4085                 break;
4086         case IPC_RMID:
4087                 perms = SEM__DESTROY;
4088                 break;
4089         case IPC_SET:
4090                 perms = SEM__SETATTR;
4091                 break;
4092         case IPC_STAT:
4093         case SEM_STAT:
4094                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4095                 break;
4096         default:
4097                 return 0;
4098         }
4099
4100         err = ipc_has_perm(&sma->sem_perm, perms);
4101         return err;
4102 }
4103
4104 static int selinux_sem_semop(struct sem_array *sma,
4105                              struct sembuf *sops, unsigned nsops, int alter)
4106 {
4107         u32 perms;
4108
4109         if (alter)
4110                 perms = SEM__READ | SEM__WRITE;
4111         else
4112                 perms = SEM__READ;
4113
4114         return ipc_has_perm(&sma->sem_perm, perms);
4115 }
4116
4117 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4118 {
4119         u32 av = 0;
4120
4121         av = 0;
4122         if (flag & S_IRUGO)
4123                 av |= IPC__UNIX_READ;
4124         if (flag & S_IWUGO)
4125                 av |= IPC__UNIX_WRITE;
4126
4127         if (av == 0)
4128                 return 0;
4129
4130         return ipc_has_perm(ipcp, av);
4131 }
4132
4133 /* module stacking operations */
4134 static int selinux_register_security (const char *name, struct security_operations *ops)
4135 {
4136         if (secondary_ops != original_ops) {
4137                 printk(KERN_INFO "%s:  There is already a secondary security "
4138                        "module registered.\n", __FUNCTION__);
4139                 return -EINVAL;
4140         }
4141
4142         secondary_ops = ops;
4143
4144         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4145                __FUNCTION__,
4146                name);
4147
4148         return 0;
4149 }
4150
4151 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4152 {
4153         if (ops != secondary_ops) {
4154                 printk (KERN_INFO "%s:  trying to unregister a security module "
4155                         "that is not registered.\n", __FUNCTION__);
4156                 return -EINVAL;
4157         }
4158
4159         secondary_ops = original_ops;
4160
4161         return 0;
4162 }
4163
4164 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4165 {
4166         if (inode)
4167                 inode_doinit_with_dentry(inode, dentry);
4168 }
4169
4170 static int selinux_getprocattr(struct task_struct *p,
4171                                char *name, void *value, size_t size)
4172 {
4173         struct task_security_struct *tsec;
4174         u32 sid;
4175         int error;
4176
4177         if (current != p) {
4178                 error = task_has_perm(current, p, PROCESS__GETATTR);
4179                 if (error)
4180                         return error;
4181         }
4182
4183         tsec = p->security;
4184
4185         if (!strcmp(name, "current"))
4186                 sid = tsec->sid;
4187         else if (!strcmp(name, "prev"))
4188                 sid = tsec->osid;
4189         else if (!strcmp(name, "exec"))
4190                 sid = tsec->exec_sid;
4191         else if (!strcmp(name, "fscreate"))
4192                 sid = tsec->create_sid;
4193         else if (!strcmp(name, "keycreate"))
4194                 sid = tsec->keycreate_sid;
4195         else if (!strcmp(name, "sockcreate"))
4196                 sid = tsec->sockcreate_sid;
4197         else
4198                 return -EINVAL;
4199
4200         if (!sid)
4201                 return 0;
4202
4203         return selinux_getsecurity(sid, value, size);
4204 }
4205
4206 static int selinux_setprocattr(struct task_struct *p,
4207                                char *name, void *value, size_t size)
4208 {
4209         struct task_security_struct *tsec;
4210         u32 sid = 0;
4211         int error;
4212         char *str = value;
4213
4214         if (current != p) {
4215                 /* SELinux only allows a process to change its own
4216                    security attributes. */
4217                 return -EACCES;
4218         }
4219
4220         /*
4221          * Basic control over ability to set these attributes at all.
4222          * current == p, but we'll pass them separately in case the
4223          * above restriction is ever removed.
4224          */
4225         if (!strcmp(name, "exec"))
4226                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4227         else if (!strcmp(name, "fscreate"))
4228                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4229         else if (!strcmp(name, "keycreate"))
4230                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4231         else if (!strcmp(name, "sockcreate"))
4232                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4233         else if (!strcmp(name, "current"))
4234                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4235         else
4236                 error = -EINVAL;
4237         if (error)
4238                 return error;
4239
4240         /* Obtain a SID for the context, if one was specified. */
4241         if (size && str[1] && str[1] != '\n') {
4242                 if (str[size-1] == '\n') {
4243                         str[size-1] = 0;
4244                         size--;
4245                 }
4246                 error = security_context_to_sid(value, size, &sid);
4247                 if (error)
4248                         return error;
4249         }
4250
4251         /* Permission checking based on the specified context is
4252            performed during the actual operation (execve,
4253            open/mkdir/...), when we know the full context of the
4254            operation.  See selinux_bprm_set_security for the execve
4255            checks and may_create for the file creation checks. The
4256            operation will then fail if the context is not permitted. */
4257         tsec = p->security;
4258         if (!strcmp(name, "exec"))
4259                 tsec->exec_sid = sid;
4260         else if (!strcmp(name, "fscreate"))
4261                 tsec->create_sid = sid;
4262         else if (!strcmp(name, "keycreate")) {
4263                 error = may_create_key(sid, p);
4264                 if (error)
4265                         return error;
4266                 tsec->keycreate_sid = sid;
4267         } else if (!strcmp(name, "sockcreate"))
4268                 tsec->sockcreate_sid = sid;
4269         else if (!strcmp(name, "current")) {
4270                 struct av_decision avd;
4271
4272                 if (sid == 0)
4273                         return -EINVAL;
4274
4275                 /* Only allow single threaded processes to change context */
4276                 if (atomic_read(&p->mm->mm_users) != 1) {
4277                         struct task_struct *g, *t;
4278                         struct mm_struct *mm = p->mm;
4279                         read_lock(&tasklist_lock);
4280                         do_each_thread(g, t)
4281                                 if (t->mm == mm && t != p) {
4282                                         read_unlock(&tasklist_lock);
4283                                         return -EPERM;
4284                                 }
4285                         while_each_thread(g, t);
4286                         read_unlock(&tasklist_lock);
4287                 }
4288
4289                 /* Check permissions for the transition. */
4290                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4291                                      PROCESS__DYNTRANSITION, NULL);
4292                 if (error)
4293                         return error;
4294
4295                 /* Check for ptracing, and update the task SID if ok.
4296                    Otherwise, leave SID unchanged and fail. */
4297                 task_lock(p);
4298                 if (p->ptrace & PT_PTRACED) {
4299                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4300                                                      SECCLASS_PROCESS,
4301                                                      PROCESS__PTRACE, &avd);
4302                         if (!error)
4303                                 tsec->sid = sid;
4304                         task_unlock(p);
4305                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4306                                   PROCESS__PTRACE, &avd, error, NULL);
4307                         if (error)
4308                                 return error;
4309                 } else {
4310                         tsec->sid = sid;
4311                         task_unlock(p);
4312                 }
4313         }
4314         else
4315                 return -EINVAL;
4316
4317         return size;
4318 }
4319
4320 #ifdef CONFIG_KEYS
4321
4322 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4323                              unsigned long flags)
4324 {
4325         struct task_security_struct *tsec = tsk->security;
4326         struct key_security_struct *ksec;
4327
4328         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4329         if (!ksec)
4330                 return -ENOMEM;
4331
4332         ksec->obj = k;
4333         if (tsec->keycreate_sid)
4334                 ksec->sid = tsec->keycreate_sid;
4335         else
4336                 ksec->sid = tsec->sid;
4337         k->security = ksec;
4338
4339         return 0;
4340 }
4341
4342 static void selinux_key_free(struct key *k)
4343 {
4344         struct key_security_struct *ksec = k->security;
4345
4346         k->security = NULL;
4347         kfree(ksec);
4348 }
4349
4350 static int selinux_key_permission(key_ref_t key_ref,
4351                             struct task_struct *ctx,
4352                             key_perm_t perm)
4353 {
4354         struct key *key;
4355         struct task_security_struct *tsec;
4356         struct key_security_struct *ksec;
4357
4358         key = key_ref_to_ptr(key_ref);
4359
4360         tsec = ctx->security;
4361         ksec = key->security;
4362
4363         /* if no specific permissions are requested, we skip the
4364            permission check. No serious, additional covert channels
4365            appear to be created. */
4366         if (perm == 0)
4367                 return 0;
4368
4369         return avc_has_perm(tsec->sid, ksec->sid,
4370                             SECCLASS_KEY, perm, NULL);
4371 }
4372
4373 #endif
4374
4375 static struct security_operations selinux_ops = {
4376         .ptrace =                       selinux_ptrace,
4377         .capget =                       selinux_capget,
4378         .capset_check =                 selinux_capset_check,
4379         .capset_set =                   selinux_capset_set,
4380         .sysctl =                       selinux_sysctl,
4381         .capable =                      selinux_capable,
4382         .quotactl =                     selinux_quotactl,
4383         .quota_on =                     selinux_quota_on,
4384         .syslog =                       selinux_syslog,
4385         .vm_enough_memory =             selinux_vm_enough_memory,
4386
4387         .netlink_send =                 selinux_netlink_send,
4388         .netlink_recv =                 selinux_netlink_recv,
4389
4390         .bprm_alloc_security =          selinux_bprm_alloc_security,
4391         .bprm_free_security =           selinux_bprm_free_security,
4392         .bprm_apply_creds =             selinux_bprm_apply_creds,
4393         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4394         .bprm_set_security =            selinux_bprm_set_security,
4395         .bprm_check_security =          selinux_bprm_check_security,
4396         .bprm_secureexec =              selinux_bprm_secureexec,
4397
4398         .sb_alloc_security =            selinux_sb_alloc_security,
4399         .sb_free_security =             selinux_sb_free_security,
4400         .sb_copy_data =                 selinux_sb_copy_data,
4401         .sb_kern_mount =                selinux_sb_kern_mount,
4402         .sb_statfs =                    selinux_sb_statfs,
4403         .sb_mount =                     selinux_mount,
4404         .sb_umount =                    selinux_umount,
4405
4406         .inode_alloc_security =         selinux_inode_alloc_security,
4407         .inode_free_security =          selinux_inode_free_security,
4408         .inode_init_security =          selinux_inode_init_security,
4409         .inode_create =                 selinux_inode_create,
4410         .inode_link =                   selinux_inode_link,
4411         .inode_unlink =                 selinux_inode_unlink,
4412         .inode_symlink =                selinux_inode_symlink,
4413         .inode_mkdir =                  selinux_inode_mkdir,
4414         .inode_rmdir =                  selinux_inode_rmdir,
4415         .inode_mknod =                  selinux_inode_mknod,
4416         .inode_rename =                 selinux_inode_rename,
4417         .inode_readlink =               selinux_inode_readlink,
4418         .inode_follow_link =            selinux_inode_follow_link,
4419         .inode_permission =             selinux_inode_permission,
4420         .inode_setattr =                selinux_inode_setattr,
4421         .inode_getattr =                selinux_inode_getattr,
4422         .inode_setxattr =               selinux_inode_setxattr,
4423         .inode_post_setxattr =          selinux_inode_post_setxattr,
4424         .inode_getxattr =               selinux_inode_getxattr,
4425         .inode_listxattr =              selinux_inode_listxattr,
4426         .inode_removexattr =            selinux_inode_removexattr,
4427         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4428         .inode_getsecurity =            selinux_inode_getsecurity,
4429         .inode_setsecurity =            selinux_inode_setsecurity,
4430         .inode_listsecurity =           selinux_inode_listsecurity,
4431
4432         .file_permission =              selinux_file_permission,
4433         .file_alloc_security =          selinux_file_alloc_security,
4434         .file_free_security =           selinux_file_free_security,
4435         .file_ioctl =                   selinux_file_ioctl,
4436         .file_mmap =                    selinux_file_mmap,
4437         .file_mprotect =                selinux_file_mprotect,
4438         .file_lock =                    selinux_file_lock,
4439         .file_fcntl =                   selinux_file_fcntl,
4440         .file_set_fowner =              selinux_file_set_fowner,
4441         .file_send_sigiotask =          selinux_file_send_sigiotask,
4442         .file_receive =                 selinux_file_receive,
4443
4444         .task_create =                  selinux_task_create,
4445         .task_alloc_security =          selinux_task_alloc_security,
4446         .task_free_security =           selinux_task_free_security,
4447         .task_setuid =                  selinux_task_setuid,
4448         .task_post_setuid =             selinux_task_post_setuid,
4449         .task_setgid =                  selinux_task_setgid,
4450         .task_setpgid =                 selinux_task_setpgid,
4451         .task_getpgid =                 selinux_task_getpgid,
4452         .task_getsid =                  selinux_task_getsid,
4453         .task_getsecid =                selinux_task_getsecid,
4454         .task_setgroups =               selinux_task_setgroups,
4455         .task_setnice =                 selinux_task_setnice,
4456         .task_setioprio =               selinux_task_setioprio,
4457         .task_getioprio =               selinux_task_getioprio,
4458         .task_setrlimit =               selinux_task_setrlimit,
4459         .task_setscheduler =            selinux_task_setscheduler,
4460         .task_getscheduler =            selinux_task_getscheduler,
4461         .task_movememory =              selinux_task_movememory,
4462         .task_kill =                    selinux_task_kill,
4463         .task_wait =                    selinux_task_wait,
4464         .task_prctl =                   selinux_task_prctl,
4465         .task_reparent_to_init =        selinux_task_reparent_to_init,
4466         .task_to_inode =                selinux_task_to_inode,
4467
4468         .ipc_permission =               selinux_ipc_permission,
4469
4470         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4471         .msg_msg_free_security =        selinux_msg_msg_free_security,
4472
4473         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4474         .msg_queue_free_security =      selinux_msg_queue_free_security,
4475         .msg_queue_associate =          selinux_msg_queue_associate,
4476         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4477         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4478         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4479
4480         .shm_alloc_security =           selinux_shm_alloc_security,
4481         .shm_free_security =            selinux_shm_free_security,
4482         .shm_associate =                selinux_shm_associate,
4483         .shm_shmctl =                   selinux_shm_shmctl,
4484         .shm_shmat =                    selinux_shm_shmat,
4485
4486         .sem_alloc_security =           selinux_sem_alloc_security,
4487         .sem_free_security =            selinux_sem_free_security,
4488         .sem_associate =                selinux_sem_associate,
4489         .sem_semctl =                   selinux_sem_semctl,
4490         .sem_semop =                    selinux_sem_semop,
4491
4492         .register_security =            selinux_register_security,
4493         .unregister_security =          selinux_unregister_security,
4494
4495         .d_instantiate =                selinux_d_instantiate,
4496
4497         .getprocattr =                  selinux_getprocattr,
4498         .setprocattr =                  selinux_setprocattr,
4499
4500         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4501         .unix_may_send =                selinux_socket_unix_may_send,
4502
4503         .socket_create =                selinux_socket_create,
4504         .socket_post_create =           selinux_socket_post_create,
4505         .socket_bind =                  selinux_socket_bind,
4506         .socket_connect =               selinux_socket_connect,
4507         .socket_listen =                selinux_socket_listen,
4508         .socket_accept =                selinux_socket_accept,
4509         .socket_sendmsg =               selinux_socket_sendmsg,
4510         .socket_recvmsg =               selinux_socket_recvmsg,
4511         .socket_getsockname =           selinux_socket_getsockname,
4512         .socket_getpeername =           selinux_socket_getpeername,
4513         .socket_getsockopt =            selinux_socket_getsockopt,
4514         .socket_setsockopt =            selinux_socket_setsockopt,
4515         .socket_shutdown =              selinux_socket_shutdown,
4516         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4517         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4518         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4519         .sk_alloc_security =            selinux_sk_alloc_security,
4520         .sk_free_security =             selinux_sk_free_security,
4521         .sk_getsid =                    selinux_sk_getsid_security,
4522
4523 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4524         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4525         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4526         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4527         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4528         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4529         .xfrm_state_free_security =     selinux_xfrm_state_free,
4530         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4531         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4532 #endif
4533
4534 #ifdef CONFIG_KEYS
4535         .key_alloc =                    selinux_key_alloc,
4536         .key_free =                     selinux_key_free,
4537         .key_permission =               selinux_key_permission,
4538 #endif
4539 };
4540
4541 static __init int selinux_init(void)
4542 {
4543         struct task_security_struct *tsec;
4544
4545         if (!selinux_enabled) {
4546                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4547                 return 0;
4548         }
4549
4550         printk(KERN_INFO "SELinux:  Initializing.\n");
4551
4552         /* Set the security state for the initial task. */
4553         if (task_alloc_security(current))
4554                 panic("SELinux:  Failed to initialize initial task.\n");
4555         tsec = current->security;
4556         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4557
4558         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4559                                             sizeof(struct inode_security_struct),
4560                                             0, SLAB_PANIC, NULL, NULL);
4561         avc_init();
4562
4563         original_ops = secondary_ops = security_ops;
4564         if (!secondary_ops)
4565                 panic ("SELinux: No initial security operations\n");
4566         if (register_security (&selinux_ops))
4567                 panic("SELinux: Unable to register with kernel.\n");
4568
4569         if (selinux_enforcing) {
4570                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4571         } else {
4572                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4573         }
4574
4575 #ifdef CONFIG_KEYS
4576         /* Add security information to initial keyrings */
4577         selinux_key_alloc(&root_user_keyring, current,
4578                           KEY_ALLOC_NOT_IN_QUOTA);
4579         selinux_key_alloc(&root_session_keyring, current,
4580                           KEY_ALLOC_NOT_IN_QUOTA);
4581 #endif
4582
4583         return 0;
4584 }
4585
4586 void selinux_complete_init(void)
4587 {
4588         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4589
4590         /* Set up any superblocks initialized prior to the policy load. */
4591         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4592         spin_lock(&sb_lock);
4593         spin_lock(&sb_security_lock);
4594 next_sb:
4595         if (!list_empty(&superblock_security_head)) {
4596                 struct superblock_security_struct *sbsec =
4597                                 list_entry(superblock_security_head.next,
4598                                            struct superblock_security_struct,
4599                                            list);
4600                 struct super_block *sb = sbsec->sb;
4601                 sb->s_count++;
4602                 spin_unlock(&sb_security_lock);
4603                 spin_unlock(&sb_lock);
4604                 down_read(&sb->s_umount);
4605                 if (sb->s_root)
4606                         superblock_doinit(sb, NULL);
4607                 drop_super(sb);
4608                 spin_lock(&sb_lock);
4609                 spin_lock(&sb_security_lock);
4610                 list_del_init(&sbsec->list);
4611                 goto next_sb;
4612         }
4613         spin_unlock(&sb_security_lock);
4614         spin_unlock(&sb_lock);
4615 }
4616
4617 /* SELinux requires early initialization in order to label
4618    all processes and objects when they are created. */
4619 security_initcall(selinux_init);
4620
4621 #if defined(CONFIG_NETFILTER)
4622
4623 static struct nf_hook_ops selinux_ipv4_op = {
4624         .hook =         selinux_ipv4_postroute_last,
4625         .owner =        THIS_MODULE,
4626         .pf =           PF_INET,
4627         .hooknum =      NF_IP_POST_ROUTING,
4628         .priority =     NF_IP_PRI_SELINUX_LAST,
4629 };
4630
4631 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4632
4633 static struct nf_hook_ops selinux_ipv6_op = {
4634         .hook =         selinux_ipv6_postroute_last,
4635         .owner =        THIS_MODULE,
4636         .pf =           PF_INET6,
4637         .hooknum =      NF_IP6_POST_ROUTING,
4638         .priority =     NF_IP6_PRI_SELINUX_LAST,
4639 };
4640
4641 #endif  /* IPV6 */
4642
4643 static int __init selinux_nf_ip_init(void)
4644 {
4645         int err = 0;
4646
4647         if (!selinux_enabled)
4648                 goto out;
4649                 
4650         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4651         
4652         err = nf_register_hook(&selinux_ipv4_op);
4653         if (err)
4654                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4655
4656 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4657
4658         err = nf_register_hook(&selinux_ipv6_op);
4659         if (err)
4660                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4661
4662 #endif  /* IPV6 */
4663
4664 out:
4665         return err;
4666 }
4667
4668 __initcall(selinux_nf_ip_init);
4669
4670 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4671 static void selinux_nf_ip_exit(void)
4672 {
4673         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4674
4675         nf_unregister_hook(&selinux_ipv4_op);
4676 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4677         nf_unregister_hook(&selinux_ipv6_op);
4678 #endif  /* IPV6 */
4679 }
4680 #endif
4681
4682 #else /* CONFIG_NETFILTER */
4683
4684 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4685 #define selinux_nf_ip_exit()
4686 #endif
4687
4688 #endif /* CONFIG_NETFILTER */
4689
4690 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4691 int selinux_disable(void)
4692 {
4693         extern void exit_sel_fs(void);
4694         static int selinux_disabled = 0;
4695
4696         if (ss_initialized) {
4697                 /* Not permitted after initial policy load. */
4698                 return -EINVAL;
4699         }
4700
4701         if (selinux_disabled) {
4702                 /* Only do this once. */
4703                 return -EINVAL;
4704         }
4705
4706         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4707
4708         selinux_disabled = 1;
4709         selinux_enabled = 0;
4710
4711         /* Reset security_ops to the secondary module, dummy or capability. */
4712         security_ops = secondary_ops;
4713
4714         /* Unregister netfilter hooks. */
4715         selinux_nf_ip_exit();
4716
4717         /* Unregister selinuxfs. */
4718         exit_sel_fs();
4719
4720         return 0;
4721 }
4722 #endif
4723
4724