[PATCH] selinux: add executable heap check
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71
72 #include "avc.h"
73 #include "objsec.h"
74 #include "netif.h"
75
76 #define XATTR_SELINUX_SUFFIX "selinux"
77 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
78
79 extern unsigned int policydb_loaded_version;
80 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
81
82 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
83 int selinux_enforcing = 0;
84
85 static int __init enforcing_setup(char *str)
86 {
87         selinux_enforcing = simple_strtol(str,NULL,0);
88         return 1;
89 }
90 __setup("enforcing=", enforcing_setup);
91 #endif
92
93 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
94 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
95
96 static int __init selinux_enabled_setup(char *str)
97 {
98         selinux_enabled = simple_strtol(str, NULL, 0);
99         return 1;
100 }
101 __setup("selinux=", selinux_enabled_setup);
102 #endif
103
104 /* Original (dummy) security module. */
105 static struct security_operations *original_ops = NULL;
106
107 /* Minimal support for a secondary security module,
108    just to allow the use of the dummy or capability modules.
109    The owlsm module can alternatively be used as a secondary
110    module as long as CONFIG_OWLSM_FD is not enabled. */
111 static struct security_operations *secondary_ops = NULL;
112
113 /* Lists of inode and superblock security structures initialized
114    before the policy was loaded. */
115 static LIST_HEAD(superblock_security_head);
116 static DEFINE_SPINLOCK(sb_security_lock);
117
118 /* Allocate and free functions for each kind of security blob. */
119
120 static int task_alloc_security(struct task_struct *task)
121 {
122         struct task_security_struct *tsec;
123
124         tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
125         if (!tsec)
126                 return -ENOMEM;
127
128         memset(tsec, 0, sizeof(struct task_security_struct));
129         tsec->magic = SELINUX_MAGIC;
130         tsec->task = task;
131         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132         task->security = tsec;
133
134         return 0;
135 }
136
137 static void task_free_security(struct task_struct *task)
138 {
139         struct task_security_struct *tsec = task->security;
140
141         if (!tsec || tsec->magic != SELINUX_MAGIC)
142                 return;
143
144         task->security = NULL;
145         kfree(tsec);
146 }
147
148 static int inode_alloc_security(struct inode *inode)
149 {
150         struct task_security_struct *tsec = current->security;
151         struct inode_security_struct *isec;
152
153         isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
154         if (!isec)
155                 return -ENOMEM;
156
157         memset(isec, 0, sizeof(struct inode_security_struct));
158         init_MUTEX(&isec->sem);
159         INIT_LIST_HEAD(&isec->list);
160         isec->magic = SELINUX_MAGIC;
161         isec->inode = inode;
162         isec->sid = SECINITSID_UNLABELED;
163         isec->sclass = SECCLASS_FILE;
164         if (tsec && tsec->magic == SELINUX_MAGIC)
165                 isec->task_sid = tsec->sid;
166         else
167                 isec->task_sid = SECINITSID_UNLABELED;
168         inode->i_security = isec;
169
170         return 0;
171 }
172
173 static void inode_free_security(struct inode *inode)
174 {
175         struct inode_security_struct *isec = inode->i_security;
176         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
177
178         if (!isec || isec->magic != SELINUX_MAGIC)
179                 return;
180
181         spin_lock(&sbsec->isec_lock);
182         if (!list_empty(&isec->list))
183                 list_del_init(&isec->list);
184         spin_unlock(&sbsec->isec_lock);
185
186         inode->i_security = NULL;
187         kfree(isec);
188 }
189
190 static int file_alloc_security(struct file *file)
191 {
192         struct task_security_struct *tsec = current->security;
193         struct file_security_struct *fsec;
194
195         fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
196         if (!fsec)
197                 return -ENOMEM;
198
199         memset(fsec, 0, sizeof(struct file_security_struct));
200         fsec->magic = SELINUX_MAGIC;
201         fsec->file = file;
202         if (tsec && tsec->magic == SELINUX_MAGIC) {
203                 fsec->sid = tsec->sid;
204                 fsec->fown_sid = tsec->sid;
205         } else {
206                 fsec->sid = SECINITSID_UNLABELED;
207                 fsec->fown_sid = SECINITSID_UNLABELED;
208         }
209         file->f_security = fsec;
210
211         return 0;
212 }
213
214 static void file_free_security(struct file *file)
215 {
216         struct file_security_struct *fsec = file->f_security;
217
218         if (!fsec || fsec->magic != SELINUX_MAGIC)
219                 return;
220
221         file->f_security = NULL;
222         kfree(fsec);
223 }
224
225 static int superblock_alloc_security(struct super_block *sb)
226 {
227         struct superblock_security_struct *sbsec;
228
229         sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
230         if (!sbsec)
231                 return -ENOMEM;
232
233         memset(sbsec, 0, sizeof(struct superblock_security_struct));
234         init_MUTEX(&sbsec->sem);
235         INIT_LIST_HEAD(&sbsec->list);
236         INIT_LIST_HEAD(&sbsec->isec_head);
237         spin_lock_init(&sbsec->isec_lock);
238         sbsec->magic = SELINUX_MAGIC;
239         sbsec->sb = sb;
240         sbsec->sid = SECINITSID_UNLABELED;
241         sbsec->def_sid = SECINITSID_FILE;
242         sb->s_security = sbsec;
243
244         return 0;
245 }
246
247 static void superblock_free_security(struct super_block *sb)
248 {
249         struct superblock_security_struct *sbsec = sb->s_security;
250
251         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
252                 return;
253
254         spin_lock(&sb_security_lock);
255         if (!list_empty(&sbsec->list))
256                 list_del_init(&sbsec->list);
257         spin_unlock(&sb_security_lock);
258
259         sb->s_security = NULL;
260         kfree(sbsec);
261 }
262
263 #ifdef CONFIG_SECURITY_NETWORK
264 static int sk_alloc_security(struct sock *sk, int family, int priority)
265 {
266         struct sk_security_struct *ssec;
267
268         if (family != PF_UNIX)
269                 return 0;
270
271         ssec = kmalloc(sizeof(*ssec), priority);
272         if (!ssec)
273                 return -ENOMEM;
274
275         memset(ssec, 0, sizeof(*ssec));
276         ssec->magic = SELINUX_MAGIC;
277         ssec->sk = sk;
278         ssec->peer_sid = SECINITSID_UNLABELED;
279         sk->sk_security = ssec;
280
281         return 0;
282 }
283
284 static void sk_free_security(struct sock *sk)
285 {
286         struct sk_security_struct *ssec = sk->sk_security;
287
288         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
289                 return;
290
291         sk->sk_security = NULL;
292         kfree(ssec);
293 }
294 #endif  /* CONFIG_SECURITY_NETWORK */
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_context = 1,
320         Opt_fscontext = 2,
321         Opt_defcontext = 4,
322 };
323
324 static match_table_t tokens = {
325         {Opt_context, "context=%s"},
326         {Opt_fscontext, "fscontext=%s"},
327         {Opt_defcontext, "defcontext=%s"},
328 };
329
330 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
331
332 static int try_context_mount(struct super_block *sb, void *data)
333 {
334         char *context = NULL, *defcontext = NULL;
335         const char *name;
336         u32 sid;
337         int alloc = 0, rc = 0, seen = 0;
338         struct task_security_struct *tsec = current->security;
339         struct superblock_security_struct *sbsec = sb->s_security;
340
341         if (!data)
342                 goto out;
343
344         name = sb->s_type->name;
345
346         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
347
348                 /* NFS we understand. */
349                 if (!strcmp(name, "nfs")) {
350                         struct nfs_mount_data *d = data;
351
352                         if (d->version <  NFS_MOUNT_VERSION)
353                                 goto out;
354
355                         if (d->context[0]) {
356                                 context = d->context;
357                                 seen |= Opt_context;
358                         }
359                 } else
360                         goto out;
361
362         } else {
363                 /* Standard string-based options. */
364                 char *p, *options = data;
365
366                 while ((p = strsep(&options, ",")) != NULL) {
367                         int token;
368                         substring_t args[MAX_OPT_ARGS];
369
370                         if (!*p)
371                                 continue;
372
373                         token = match_token(p, tokens, args);
374
375                         switch (token) {
376                         case Opt_context:
377                                 if (seen) {
378                                         rc = -EINVAL;
379                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
380                                         goto out_free;
381                                 }
382                                 context = match_strdup(&args[0]);
383                                 if (!context) {
384                                         rc = -ENOMEM;
385                                         goto out_free;
386                                 }
387                                 if (!alloc)
388                                         alloc = 1;
389                                 seen |= Opt_context;
390                                 break;
391
392                         case Opt_fscontext:
393                                 if (seen & (Opt_context|Opt_fscontext)) {
394                                         rc = -EINVAL;
395                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
396                                         goto out_free;
397                                 }
398                                 context = match_strdup(&args[0]);
399                                 if (!context) {
400                                         rc = -ENOMEM;
401                                         goto out_free;
402                                 }
403                                 if (!alloc)
404                                         alloc = 1;
405                                 seen |= Opt_fscontext;
406                                 break;
407
408                         case Opt_defcontext:
409                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
410                                         rc = -EINVAL;
411                                         printk(KERN_WARNING "SELinux:  "
412                                                "defcontext option is invalid "
413                                                "for this filesystem type\n");
414                                         goto out_free;
415                                 }
416                                 if (seen & (Opt_context|Opt_defcontext)) {
417                                         rc = -EINVAL;
418                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
419                                         goto out_free;
420                                 }
421                                 defcontext = match_strdup(&args[0]);
422                                 if (!defcontext) {
423                                         rc = -ENOMEM;
424                                         goto out_free;
425                                 }
426                                 if (!alloc)
427                                         alloc = 1;
428                                 seen |= Opt_defcontext;
429                                 break;
430
431                         default:
432                                 rc = -EINVAL;
433                                 printk(KERN_WARNING "SELinux:  unknown mount "
434                                        "option\n");
435                                 goto out_free;
436
437                         }
438                 }
439         }
440
441         if (!seen)
442                 goto out;
443
444         if (context) {
445                 rc = security_context_to_sid(context, strlen(context), &sid);
446                 if (rc) {
447                         printk(KERN_WARNING "SELinux: security_context_to_sid"
448                                "(%s) failed for (dev %s, type %s) errno=%d\n",
449                                context, sb->s_id, name, rc);
450                         goto out_free;
451                 }
452
453                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
454                                   FILESYSTEM__RELABELFROM, NULL);
455                 if (rc)
456                         goto out_free;
457
458                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
459                                   FILESYSTEM__RELABELTO, NULL);
460                 if (rc)
461                         goto out_free;
462
463                 sbsec->sid = sid;
464
465                 if (seen & Opt_context)
466                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
467         }
468
469         if (defcontext) {
470                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
471                 if (rc) {
472                         printk(KERN_WARNING "SELinux: security_context_to_sid"
473                                "(%s) failed for (dev %s, type %s) errno=%d\n",
474                                defcontext, sb->s_id, name, rc);
475                         goto out_free;
476                 }
477
478                 if (sid == sbsec->def_sid)
479                         goto out_free;
480
481                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
482                                   FILESYSTEM__RELABELFROM, NULL);
483                 if (rc)
484                         goto out_free;
485
486                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
487                                   FILESYSTEM__ASSOCIATE, NULL);
488                 if (rc)
489                         goto out_free;
490
491                 sbsec->def_sid = sid;
492         }
493
494 out_free:
495         if (alloc) {
496                 kfree(context);
497                 kfree(defcontext);
498         }
499 out:
500         return rc;
501 }
502
503 static int superblock_doinit(struct super_block *sb, void *data)
504 {
505         struct superblock_security_struct *sbsec = sb->s_security;
506         struct dentry *root = sb->s_root;
507         struct inode *inode = root->d_inode;
508         int rc = 0;
509
510         down(&sbsec->sem);
511         if (sbsec->initialized)
512                 goto out;
513
514         if (!ss_initialized) {
515                 /* Defer initialization until selinux_complete_init,
516                    after the initial policy is loaded and the security
517                    server is ready to handle calls. */
518                 spin_lock(&sb_security_lock);
519                 if (list_empty(&sbsec->list))
520                         list_add(&sbsec->list, &superblock_security_head);
521                 spin_unlock(&sb_security_lock);
522                 goto out;
523         }
524
525         /* Determine the labeling behavior to use for this filesystem type. */
526         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
527         if (rc) {
528                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
529                        __FUNCTION__, sb->s_type->name, rc);
530                 goto out;
531         }
532
533         rc = try_context_mount(sb, data);
534         if (rc)
535                 goto out;
536
537         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
538                 /* Make sure that the xattr handler exists and that no
539                    error other than -ENODATA is returned by getxattr on
540                    the root directory.  -ENODATA is ok, as this may be
541                    the first boot of the SELinux kernel before we have
542                    assigned xattr values to the filesystem. */
543                 if (!inode->i_op->getxattr) {
544                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
545                                "xattr support\n", sb->s_id, sb->s_type->name);
546                         rc = -EOPNOTSUPP;
547                         goto out;
548                 }
549                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
550                 if (rc < 0 && rc != -ENODATA) {
551                         if (rc == -EOPNOTSUPP)
552                                 printk(KERN_WARNING "SELinux: (dev %s, type "
553                                        "%s) has no security xattr handler\n",
554                                        sb->s_id, sb->s_type->name);
555                         else
556                                 printk(KERN_WARNING "SELinux: (dev %s, type "
557                                        "%s) getxattr errno %d\n", sb->s_id,
558                                        sb->s_type->name, -rc);
559                         goto out;
560                 }
561         }
562
563         if (strcmp(sb->s_type->name, "proc") == 0)
564                 sbsec->proc = 1;
565
566         sbsec->initialized = 1;
567
568         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
569                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
570                        sb->s_id, sb->s_type->name);
571         }
572         else {
573                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
574                        sb->s_id, sb->s_type->name,
575                        labeling_behaviors[sbsec->behavior-1]);
576         }
577
578         /* Initialize the root inode. */
579         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
580
581         /* Initialize any other inodes associated with the superblock, e.g.
582            inodes created prior to initial policy load or inodes created
583            during get_sb by a pseudo filesystem that directly
584            populates itself. */
585         spin_lock(&sbsec->isec_lock);
586 next_inode:
587         if (!list_empty(&sbsec->isec_head)) {
588                 struct inode_security_struct *isec =
589                                 list_entry(sbsec->isec_head.next,
590                                            struct inode_security_struct, list);
591                 struct inode *inode = isec->inode;
592                 spin_unlock(&sbsec->isec_lock);
593                 inode = igrab(inode);
594                 if (inode) {
595                         if (!IS_PRIVATE (inode))
596                                 inode_doinit(inode);
597                         iput(inode);
598                 }
599                 spin_lock(&sbsec->isec_lock);
600                 list_del_init(&isec->list);
601                 goto next_inode;
602         }
603         spin_unlock(&sbsec->isec_lock);
604 out:
605         up(&sbsec->sem);
606         return rc;
607 }
608
609 static inline u16 inode_mode_to_security_class(umode_t mode)
610 {
611         switch (mode & S_IFMT) {
612         case S_IFSOCK:
613                 return SECCLASS_SOCK_FILE;
614         case S_IFLNK:
615                 return SECCLASS_LNK_FILE;
616         case S_IFREG:
617                 return SECCLASS_FILE;
618         case S_IFBLK:
619                 return SECCLASS_BLK_FILE;
620         case S_IFDIR:
621                 return SECCLASS_DIR;
622         case S_IFCHR:
623                 return SECCLASS_CHR_FILE;
624         case S_IFIFO:
625                 return SECCLASS_FIFO_FILE;
626
627         }
628
629         return SECCLASS_FILE;
630 }
631
632 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
633 {
634         switch (family) {
635         case PF_UNIX:
636                 switch (type) {
637                 case SOCK_STREAM:
638                 case SOCK_SEQPACKET:
639                         return SECCLASS_UNIX_STREAM_SOCKET;
640                 case SOCK_DGRAM:
641                         return SECCLASS_UNIX_DGRAM_SOCKET;
642                 }
643                 break;
644         case PF_INET:
645         case PF_INET6:
646                 switch (type) {
647                 case SOCK_STREAM:
648                         return SECCLASS_TCP_SOCKET;
649                 case SOCK_DGRAM:
650                         return SECCLASS_UDP_SOCKET;
651                 case SOCK_RAW:
652                         return SECCLASS_RAWIP_SOCKET;
653                 }
654                 break;
655         case PF_NETLINK:
656                 switch (protocol) {
657                 case NETLINK_ROUTE:
658                         return SECCLASS_NETLINK_ROUTE_SOCKET;
659                 case NETLINK_FIREWALL:
660                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
661                 case NETLINK_TCPDIAG:
662                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
663                 case NETLINK_NFLOG:
664                         return SECCLASS_NETLINK_NFLOG_SOCKET;
665                 case NETLINK_XFRM:
666                         return SECCLASS_NETLINK_XFRM_SOCKET;
667                 case NETLINK_SELINUX:
668                         return SECCLASS_NETLINK_SELINUX_SOCKET;
669                 case NETLINK_AUDIT:
670                         return SECCLASS_NETLINK_AUDIT_SOCKET;
671                 case NETLINK_IP6_FW:
672                         return SECCLASS_NETLINK_IP6FW_SOCKET;
673                 case NETLINK_DNRTMSG:
674                         return SECCLASS_NETLINK_DNRT_SOCKET;
675                 case NETLINK_KOBJECT_UEVENT:
676                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
677                 default:
678                         return SECCLASS_NETLINK_SOCKET;
679                 }
680         case PF_PACKET:
681                 return SECCLASS_PACKET_SOCKET;
682         case PF_KEY:
683                 return SECCLASS_KEY_SOCKET;
684         }
685
686         return SECCLASS_SOCKET;
687 }
688
689 #ifdef CONFIG_PROC_FS
690 static int selinux_proc_get_sid(struct proc_dir_entry *de,
691                                 u16 tclass,
692                                 u32 *sid)
693 {
694         int buflen, rc;
695         char *buffer, *path, *end;
696
697         buffer = (char*)__get_free_page(GFP_KERNEL);
698         if (!buffer)
699                 return -ENOMEM;
700
701         buflen = PAGE_SIZE;
702         end = buffer+buflen;
703         *--end = '\0';
704         buflen--;
705         path = end-1;
706         *path = '/';
707         while (de && de != de->parent) {
708                 buflen -= de->namelen + 1;
709                 if (buflen < 0)
710                         break;
711                 end -= de->namelen;
712                 memcpy(end, de->name, de->namelen);
713                 *--end = '/';
714                 path = end;
715                 de = de->parent;
716         }
717         rc = security_genfs_sid("proc", path, tclass, sid);
718         free_page((unsigned long)buffer);
719         return rc;
720 }
721 #else
722 static int selinux_proc_get_sid(struct proc_dir_entry *de,
723                                 u16 tclass,
724                                 u32 *sid)
725 {
726         return -EINVAL;
727 }
728 #endif
729
730 /* The inode's security attributes must be initialized before first use. */
731 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
732 {
733         struct superblock_security_struct *sbsec = NULL;
734         struct inode_security_struct *isec = inode->i_security;
735         u32 sid;
736         struct dentry *dentry;
737 #define INITCONTEXTLEN 255
738         char *context = NULL;
739         unsigned len = 0;
740         int rc = 0;
741         int hold_sem = 0;
742
743         if (isec->initialized)
744                 goto out;
745
746         down(&isec->sem);
747         hold_sem = 1;
748         if (isec->initialized)
749                 goto out;
750
751         sbsec = inode->i_sb->s_security;
752         if (!sbsec->initialized) {
753                 /* Defer initialization until selinux_complete_init,
754                    after the initial policy is loaded and the security
755                    server is ready to handle calls. */
756                 spin_lock(&sbsec->isec_lock);
757                 if (list_empty(&isec->list))
758                         list_add(&isec->list, &sbsec->isec_head);
759                 spin_unlock(&sbsec->isec_lock);
760                 goto out;
761         }
762
763         switch (sbsec->behavior) {
764         case SECURITY_FS_USE_XATTR:
765                 if (!inode->i_op->getxattr) {
766                         isec->sid = sbsec->def_sid;
767                         break;
768                 }
769
770                 /* Need a dentry, since the xattr API requires one.
771                    Life would be simpler if we could just pass the inode. */
772                 if (opt_dentry) {
773                         /* Called from d_instantiate or d_splice_alias. */
774                         dentry = dget(opt_dentry);
775                 } else {
776                         /* Called from selinux_complete_init, try to find a dentry. */
777                         dentry = d_find_alias(inode);
778                 }
779                 if (!dentry) {
780                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
781                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
782                                inode->i_ino);
783                         goto out;
784                 }
785
786                 len = INITCONTEXTLEN;
787                 context = kmalloc(len, GFP_KERNEL);
788                 if (!context) {
789                         rc = -ENOMEM;
790                         dput(dentry);
791                         goto out;
792                 }
793                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
794                                            context, len);
795                 if (rc == -ERANGE) {
796                         /* Need a larger buffer.  Query for the right size. */
797                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
798                                                    NULL, 0);
799                         if (rc < 0) {
800                                 dput(dentry);
801                                 goto out;
802                         }
803                         kfree(context);
804                         len = rc;
805                         context = kmalloc(len, GFP_KERNEL);
806                         if (!context) {
807                                 rc = -ENOMEM;
808                                 dput(dentry);
809                                 goto out;
810                         }
811                         rc = inode->i_op->getxattr(dentry,
812                                                    XATTR_NAME_SELINUX,
813                                                    context, len);
814                 }
815                 dput(dentry);
816                 if (rc < 0) {
817                         if (rc != -ENODATA) {
818                                 printk(KERN_WARNING "%s:  getxattr returned "
819                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
820                                        -rc, inode->i_sb->s_id, inode->i_ino);
821                                 kfree(context);
822                                 goto out;
823                         }
824                         /* Map ENODATA to the default file SID */
825                         sid = sbsec->def_sid;
826                         rc = 0;
827                 } else {
828                         rc = security_context_to_sid(context, rc, &sid);
829                         if (rc) {
830                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
831                                        "returned %d for dev=%s ino=%ld\n",
832                                        __FUNCTION__, context, -rc,
833                                        inode->i_sb->s_id, inode->i_ino);
834                                 kfree(context);
835                                 /* Leave with the unlabeled SID */
836                                 rc = 0;
837                                 break;
838                         }
839                 }
840                 kfree(context);
841                 isec->sid = sid;
842                 break;
843         case SECURITY_FS_USE_TASK:
844                 isec->sid = isec->task_sid;
845                 break;
846         case SECURITY_FS_USE_TRANS:
847                 /* Default to the fs SID. */
848                 isec->sid = sbsec->sid;
849
850                 /* Try to obtain a transition SID. */
851                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
852                 rc = security_transition_sid(isec->task_sid,
853                                              sbsec->sid,
854                                              isec->sclass,
855                                              &sid);
856                 if (rc)
857                         goto out;
858                 isec->sid = sid;
859                 break;
860         default:
861                 /* Default to the fs SID. */
862                 isec->sid = sbsec->sid;
863
864                 if (sbsec->proc) {
865                         struct proc_inode *proci = PROC_I(inode);
866                         if (proci->pde) {
867                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
868                                 rc = selinux_proc_get_sid(proci->pde,
869                                                           isec->sclass,
870                                                           &sid);
871                                 if (rc)
872                                         goto out;
873                                 isec->sid = sid;
874                         }
875                 }
876                 break;
877         }
878
879         isec->initialized = 1;
880
881 out:
882         if (isec->sclass == SECCLASS_FILE)
883                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
884
885         if (hold_sem)
886                 up(&isec->sem);
887         return rc;
888 }
889
890 /* Convert a Linux signal to an access vector. */
891 static inline u32 signal_to_av(int sig)
892 {
893         u32 perm = 0;
894
895         switch (sig) {
896         case SIGCHLD:
897                 /* Commonly granted from child to parent. */
898                 perm = PROCESS__SIGCHLD;
899                 break;
900         case SIGKILL:
901                 /* Cannot be caught or ignored */
902                 perm = PROCESS__SIGKILL;
903                 break;
904         case SIGSTOP:
905                 /* Cannot be caught or ignored */
906                 perm = PROCESS__SIGSTOP;
907                 break;
908         default:
909                 /* All other signals. */
910                 perm = PROCESS__SIGNAL;
911                 break;
912         }
913
914         return perm;
915 }
916
917 /* Check permission betweeen a pair of tasks, e.g. signal checks,
918    fork check, ptrace check, etc. */
919 static int task_has_perm(struct task_struct *tsk1,
920                          struct task_struct *tsk2,
921                          u32 perms)
922 {
923         struct task_security_struct *tsec1, *tsec2;
924
925         tsec1 = tsk1->security;
926         tsec2 = tsk2->security;
927         return avc_has_perm(tsec1->sid, tsec2->sid,
928                             SECCLASS_PROCESS, perms, NULL);
929 }
930
931 /* Check whether a task is allowed to use a capability. */
932 static int task_has_capability(struct task_struct *tsk,
933                                int cap)
934 {
935         struct task_security_struct *tsec;
936         struct avc_audit_data ad;
937
938         tsec = tsk->security;
939
940         AVC_AUDIT_DATA_INIT(&ad,CAP);
941         ad.tsk = tsk;
942         ad.u.cap = cap;
943
944         return avc_has_perm(tsec->sid, tsec->sid,
945                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
946 }
947
948 /* Check whether a task is allowed to use a system operation. */
949 static int task_has_system(struct task_struct *tsk,
950                            u32 perms)
951 {
952         struct task_security_struct *tsec;
953
954         tsec = tsk->security;
955
956         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
957                             SECCLASS_SYSTEM, perms, NULL);
958 }
959
960 /* Check whether a task has a particular permission to an inode.
961    The 'adp' parameter is optional and allows other audit
962    data to be passed (e.g. the dentry). */
963 static int inode_has_perm(struct task_struct *tsk,
964                           struct inode *inode,
965                           u32 perms,
966                           struct avc_audit_data *adp)
967 {
968         struct task_security_struct *tsec;
969         struct inode_security_struct *isec;
970         struct avc_audit_data ad;
971
972         tsec = tsk->security;
973         isec = inode->i_security;
974
975         if (!adp) {
976                 adp = &ad;
977                 AVC_AUDIT_DATA_INIT(&ad, FS);
978                 ad.u.fs.inode = inode;
979         }
980
981         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
982 }
983
984 /* Same as inode_has_perm, but pass explicit audit data containing
985    the dentry to help the auditing code to more easily generate the
986    pathname if needed. */
987 static inline int dentry_has_perm(struct task_struct *tsk,
988                                   struct vfsmount *mnt,
989                                   struct dentry *dentry,
990                                   u32 av)
991 {
992         struct inode *inode = dentry->d_inode;
993         struct avc_audit_data ad;
994         AVC_AUDIT_DATA_INIT(&ad,FS);
995         ad.u.fs.mnt = mnt;
996         ad.u.fs.dentry = dentry;
997         return inode_has_perm(tsk, inode, av, &ad);
998 }
999
1000 /* Check whether a task can use an open file descriptor to
1001    access an inode in a given way.  Check access to the
1002    descriptor itself, and then use dentry_has_perm to
1003    check a particular permission to the file.
1004    Access to the descriptor is implicitly granted if it
1005    has the same SID as the process.  If av is zero, then
1006    access to the file is not checked, e.g. for cases
1007    where only the descriptor is affected like seek. */
1008 static inline int file_has_perm(struct task_struct *tsk,
1009                                 struct file *file,
1010                                 u32 av)
1011 {
1012         struct task_security_struct *tsec = tsk->security;
1013         struct file_security_struct *fsec = file->f_security;
1014         struct vfsmount *mnt = file->f_vfsmnt;
1015         struct dentry *dentry = file->f_dentry;
1016         struct inode *inode = dentry->d_inode;
1017         struct avc_audit_data ad;
1018         int rc;
1019
1020         AVC_AUDIT_DATA_INIT(&ad, FS);
1021         ad.u.fs.mnt = mnt;
1022         ad.u.fs.dentry = dentry;
1023
1024         if (tsec->sid != fsec->sid) {
1025                 rc = avc_has_perm(tsec->sid, fsec->sid,
1026                                   SECCLASS_FD,
1027                                   FD__USE,
1028                                   &ad);
1029                 if (rc)
1030                         return rc;
1031         }
1032
1033         /* av is zero if only checking access to the descriptor. */
1034         if (av)
1035                 return inode_has_perm(tsk, inode, av, &ad);
1036
1037         return 0;
1038 }
1039
1040 /* Check whether a task can create a file. */
1041 static int may_create(struct inode *dir,
1042                       struct dentry *dentry,
1043                       u16 tclass)
1044 {
1045         struct task_security_struct *tsec;
1046         struct inode_security_struct *dsec;
1047         struct superblock_security_struct *sbsec;
1048         u32 newsid;
1049         struct avc_audit_data ad;
1050         int rc;
1051
1052         tsec = current->security;
1053         dsec = dir->i_security;
1054         sbsec = dir->i_sb->s_security;
1055
1056         AVC_AUDIT_DATA_INIT(&ad, FS);
1057         ad.u.fs.dentry = dentry;
1058
1059         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1060                           DIR__ADD_NAME | DIR__SEARCH,
1061                           &ad);
1062         if (rc)
1063                 return rc;
1064
1065         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1066                 newsid = tsec->create_sid;
1067         } else {
1068                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1069                                              &newsid);
1070                 if (rc)
1071                         return rc;
1072         }
1073
1074         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1075         if (rc)
1076                 return rc;
1077
1078         return avc_has_perm(newsid, sbsec->sid,
1079                             SECCLASS_FILESYSTEM,
1080                             FILESYSTEM__ASSOCIATE, &ad);
1081 }
1082
1083 #define MAY_LINK   0
1084 #define MAY_UNLINK 1
1085 #define MAY_RMDIR  2
1086
1087 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1088 static int may_link(struct inode *dir,
1089                     struct dentry *dentry,
1090                     int kind)
1091
1092 {
1093         struct task_security_struct *tsec;
1094         struct inode_security_struct *dsec, *isec;
1095         struct avc_audit_data ad;
1096         u32 av;
1097         int rc;
1098
1099         tsec = current->security;
1100         dsec = dir->i_security;
1101         isec = dentry->d_inode->i_security;
1102
1103         AVC_AUDIT_DATA_INIT(&ad, FS);
1104         ad.u.fs.dentry = dentry;
1105
1106         av = DIR__SEARCH;
1107         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1108         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1109         if (rc)
1110                 return rc;
1111
1112         switch (kind) {
1113         case MAY_LINK:
1114                 av = FILE__LINK;
1115                 break;
1116         case MAY_UNLINK:
1117                 av = FILE__UNLINK;
1118                 break;
1119         case MAY_RMDIR:
1120                 av = DIR__RMDIR;
1121                 break;
1122         default:
1123                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1124                 return 0;
1125         }
1126
1127         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1128         return rc;
1129 }
1130
1131 static inline int may_rename(struct inode *old_dir,
1132                              struct dentry *old_dentry,
1133                              struct inode *new_dir,
1134                              struct dentry *new_dentry)
1135 {
1136         struct task_security_struct *tsec;
1137         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1138         struct avc_audit_data ad;
1139         u32 av;
1140         int old_is_dir, new_is_dir;
1141         int rc;
1142
1143         tsec = current->security;
1144         old_dsec = old_dir->i_security;
1145         old_isec = old_dentry->d_inode->i_security;
1146         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1147         new_dsec = new_dir->i_security;
1148
1149         AVC_AUDIT_DATA_INIT(&ad, FS);
1150
1151         ad.u.fs.dentry = old_dentry;
1152         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1153                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1154         if (rc)
1155                 return rc;
1156         rc = avc_has_perm(tsec->sid, old_isec->sid,
1157                           old_isec->sclass, FILE__RENAME, &ad);
1158         if (rc)
1159                 return rc;
1160         if (old_is_dir && new_dir != old_dir) {
1161                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1162                                   old_isec->sclass, DIR__REPARENT, &ad);
1163                 if (rc)
1164                         return rc;
1165         }
1166
1167         ad.u.fs.dentry = new_dentry;
1168         av = DIR__ADD_NAME | DIR__SEARCH;
1169         if (new_dentry->d_inode)
1170                 av |= DIR__REMOVE_NAME;
1171         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1172         if (rc)
1173                 return rc;
1174         if (new_dentry->d_inode) {
1175                 new_isec = new_dentry->d_inode->i_security;
1176                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1177                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1178                                   new_isec->sclass,
1179                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1180                 if (rc)
1181                         return rc;
1182         }
1183
1184         return 0;
1185 }
1186
1187 /* Check whether a task can perform a filesystem operation. */
1188 static int superblock_has_perm(struct task_struct *tsk,
1189                                struct super_block *sb,
1190                                u32 perms,
1191                                struct avc_audit_data *ad)
1192 {
1193         struct task_security_struct *tsec;
1194         struct superblock_security_struct *sbsec;
1195
1196         tsec = tsk->security;
1197         sbsec = sb->s_security;
1198         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1199                             perms, ad);
1200 }
1201
1202 /* Convert a Linux mode and permission mask to an access vector. */
1203 static inline u32 file_mask_to_av(int mode, int mask)
1204 {
1205         u32 av = 0;
1206
1207         if ((mode & S_IFMT) != S_IFDIR) {
1208                 if (mask & MAY_EXEC)
1209                         av |= FILE__EXECUTE;
1210                 if (mask & MAY_READ)
1211                         av |= FILE__READ;
1212
1213                 if (mask & MAY_APPEND)
1214                         av |= FILE__APPEND;
1215                 else if (mask & MAY_WRITE)
1216                         av |= FILE__WRITE;
1217
1218         } else {
1219                 if (mask & MAY_EXEC)
1220                         av |= DIR__SEARCH;
1221                 if (mask & MAY_WRITE)
1222                         av |= DIR__WRITE;
1223                 if (mask & MAY_READ)
1224                         av |= DIR__READ;
1225         }
1226
1227         return av;
1228 }
1229
1230 /* Convert a Linux file to an access vector. */
1231 static inline u32 file_to_av(struct file *file)
1232 {
1233         u32 av = 0;
1234
1235         if (file->f_mode & FMODE_READ)
1236                 av |= FILE__READ;
1237         if (file->f_mode & FMODE_WRITE) {
1238                 if (file->f_flags & O_APPEND)
1239                         av |= FILE__APPEND;
1240                 else
1241                         av |= FILE__WRITE;
1242         }
1243
1244         return av;
1245 }
1246
1247 /* Set an inode's SID to a specified value. */
1248 static int inode_security_set_sid(struct inode *inode, u32 sid)
1249 {
1250         struct inode_security_struct *isec = inode->i_security;
1251         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1252
1253         if (!sbsec->initialized) {
1254                 /* Defer initialization to selinux_complete_init. */
1255                 return 0;
1256         }
1257
1258         down(&isec->sem);
1259         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1260         isec->sid = sid;
1261         isec->initialized = 1;
1262         up(&isec->sem);
1263         return 0;
1264 }
1265
1266 /* Set the security attributes on a newly created file. */
1267 static int post_create(struct inode *dir,
1268                        struct dentry *dentry)
1269 {
1270
1271         struct task_security_struct *tsec;
1272         struct inode *inode;
1273         struct inode_security_struct *dsec;
1274         struct superblock_security_struct *sbsec;
1275         u32 newsid;
1276         char *context;
1277         unsigned int len;
1278         int rc;
1279
1280         tsec = current->security;
1281         dsec = dir->i_security;
1282         sbsec = dir->i_sb->s_security;
1283
1284         inode = dentry->d_inode;
1285         if (!inode) {
1286                 /* Some file system types (e.g. NFS) may not instantiate
1287                    a dentry for all create operations (e.g. symlink),
1288                    so we have to check to see if the inode is non-NULL. */
1289                 printk(KERN_WARNING "post_create:  no inode, dir (dev=%s, "
1290                        "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1291                 return 0;
1292         }
1293
1294         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1295                 newsid = tsec->create_sid;
1296         } else {
1297                 rc = security_transition_sid(tsec->sid, dsec->sid,
1298                                              inode_mode_to_security_class(inode->i_mode),
1299                                              &newsid);
1300                 if (rc) {
1301                         printk(KERN_WARNING "post_create:  "
1302                                "security_transition_sid failed, rc=%d (dev=%s "
1303                                "ino=%ld)\n",
1304                                -rc, inode->i_sb->s_id, inode->i_ino);
1305                         return rc;
1306                 }
1307         }
1308
1309         rc = inode_security_set_sid(inode, newsid);
1310         if (rc) {
1311                 printk(KERN_WARNING "post_create:  inode_security_set_sid "
1312                        "failed, rc=%d (dev=%s ino=%ld)\n",
1313                        -rc, inode->i_sb->s_id, inode->i_ino);
1314                 return rc;
1315         }
1316
1317         if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1318             inode->i_op->setxattr) {
1319                 /* Use extended attributes. */
1320                 rc = security_sid_to_context(newsid, &context, &len);
1321                 if (rc) {
1322                         printk(KERN_WARNING "post_create:  sid_to_context "
1323                                "failed, rc=%d (dev=%s ino=%ld)\n",
1324                                -rc, inode->i_sb->s_id, inode->i_ino);
1325                         return rc;
1326                 }
1327                 down(&inode->i_sem);
1328                 rc = inode->i_op->setxattr(dentry,
1329                                            XATTR_NAME_SELINUX,
1330                                            context, len, 0);
1331                 up(&inode->i_sem);
1332                 kfree(context);
1333                 if (rc < 0) {
1334                         printk(KERN_WARNING "post_create:  setxattr failed, "
1335                                "rc=%d (dev=%s ino=%ld)\n",
1336                                -rc, inode->i_sb->s_id, inode->i_ino);
1337                         return rc;
1338                 }
1339         }
1340
1341         return 0;
1342 }
1343
1344
1345 /* Hook functions begin here. */
1346
1347 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1348 {
1349         struct task_security_struct *psec = parent->security;
1350         struct task_security_struct *csec = child->security;
1351         int rc;
1352
1353         rc = secondary_ops->ptrace(parent,child);
1354         if (rc)
1355                 return rc;
1356
1357         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1358         /* Save the SID of the tracing process for later use in apply_creds. */
1359         if (!rc)
1360                 csec->ptrace_sid = psec->sid;
1361         return rc;
1362 }
1363
1364 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1365                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1366 {
1367         int error;
1368
1369         error = task_has_perm(current, target, PROCESS__GETCAP);
1370         if (error)
1371                 return error;
1372
1373         return secondary_ops->capget(target, effective, inheritable, permitted);
1374 }
1375
1376 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1377                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1378 {
1379         int error;
1380
1381         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1382         if (error)
1383                 return error;
1384
1385         return task_has_perm(current, target, PROCESS__SETCAP);
1386 }
1387
1388 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1389                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1390 {
1391         secondary_ops->capset_set(target, effective, inheritable, permitted);
1392 }
1393
1394 static int selinux_capable(struct task_struct *tsk, int cap)
1395 {
1396         int rc;
1397
1398         rc = secondary_ops->capable(tsk, cap);
1399         if (rc)
1400                 return rc;
1401
1402         return task_has_capability(tsk,cap);
1403 }
1404
1405 static int selinux_sysctl(ctl_table *table, int op)
1406 {
1407         int error = 0;
1408         u32 av;
1409         struct task_security_struct *tsec;
1410         u32 tsid;
1411         int rc;
1412
1413         rc = secondary_ops->sysctl(table, op);
1414         if (rc)
1415                 return rc;
1416
1417         tsec = current->security;
1418
1419         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1420                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1421         if (rc) {
1422                 /* Default to the well-defined sysctl SID. */
1423                 tsid = SECINITSID_SYSCTL;
1424         }
1425
1426         /* The op values are "defined" in sysctl.c, thereby creating
1427          * a bad coupling between this module and sysctl.c */
1428         if(op == 001) {
1429                 error = avc_has_perm(tsec->sid, tsid,
1430                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1431         } else {
1432                 av = 0;
1433                 if (op & 004)
1434                         av |= FILE__READ;
1435                 if (op & 002)
1436                         av |= FILE__WRITE;
1437                 if (av)
1438                         error = avc_has_perm(tsec->sid, tsid,
1439                                              SECCLASS_FILE, av, NULL);
1440         }
1441
1442         return error;
1443 }
1444
1445 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1446 {
1447         int rc = 0;
1448
1449         if (!sb)
1450                 return 0;
1451
1452         switch (cmds) {
1453                 case Q_SYNC:
1454                 case Q_QUOTAON:
1455                 case Q_QUOTAOFF:
1456                 case Q_SETINFO:
1457                 case Q_SETQUOTA:
1458                         rc = superblock_has_perm(current,
1459                                                  sb,
1460                                                  FILESYSTEM__QUOTAMOD, NULL);
1461                         break;
1462                 case Q_GETFMT:
1463                 case Q_GETINFO:
1464                 case Q_GETQUOTA:
1465                         rc = superblock_has_perm(current,
1466                                                  sb,
1467                                                  FILESYSTEM__QUOTAGET, NULL);
1468                         break;
1469                 default:
1470                         rc = 0;  /* let the kernel handle invalid cmds */
1471                         break;
1472         }
1473         return rc;
1474 }
1475
1476 static int selinux_quota_on(struct dentry *dentry)
1477 {
1478         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1479 }
1480
1481 static int selinux_syslog(int type)
1482 {
1483         int rc;
1484
1485         rc = secondary_ops->syslog(type);
1486         if (rc)
1487                 return rc;
1488
1489         switch (type) {
1490                 case 3:         /* Read last kernel messages */
1491                 case 10:        /* Return size of the log buffer */
1492                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1493                         break;
1494                 case 6:         /* Disable logging to console */
1495                 case 7:         /* Enable logging to console */
1496                 case 8:         /* Set level of messages printed to console */
1497                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1498                         break;
1499                 case 0:         /* Close log */
1500                 case 1:         /* Open log */
1501                 case 2:         /* Read from log */
1502                 case 4:         /* Read/clear last kernel messages */
1503                 case 5:         /* Clear ring buffer */
1504                 default:
1505                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1506                         break;
1507         }
1508         return rc;
1509 }
1510
1511 /*
1512  * Check that a process has enough memory to allocate a new virtual
1513  * mapping. 0 means there is enough memory for the allocation to
1514  * succeed and -ENOMEM implies there is not.
1515  *
1516  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1517  * if the capability is granted, but __vm_enough_memory requires 1 if
1518  * the capability is granted.
1519  *
1520  * Do not audit the selinux permission check, as this is applied to all
1521  * processes that allocate mappings.
1522  */
1523 static int selinux_vm_enough_memory(long pages)
1524 {
1525         int rc, cap_sys_admin = 0;
1526         struct task_security_struct *tsec = current->security;
1527
1528         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1529         if (rc == 0)
1530                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1531                                         SECCLASS_CAPABILITY,
1532                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1533                                         NULL);
1534
1535         if (rc == 0)
1536                 cap_sys_admin = 1;
1537
1538         return __vm_enough_memory(pages, cap_sys_admin);
1539 }
1540
1541 /* binprm security operations */
1542
1543 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1544 {
1545         struct bprm_security_struct *bsec;
1546
1547         bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1548         if (!bsec)
1549                 return -ENOMEM;
1550
1551         memset(bsec, 0, sizeof *bsec);
1552         bsec->magic = SELINUX_MAGIC;
1553         bsec->bprm = bprm;
1554         bsec->sid = SECINITSID_UNLABELED;
1555         bsec->set = 0;
1556
1557         bprm->security = bsec;
1558         return 0;
1559 }
1560
1561 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1562 {
1563         struct task_security_struct *tsec;
1564         struct inode *inode = bprm->file->f_dentry->d_inode;
1565         struct inode_security_struct *isec;
1566         struct bprm_security_struct *bsec;
1567         u32 newsid;
1568         struct avc_audit_data ad;
1569         int rc;
1570
1571         rc = secondary_ops->bprm_set_security(bprm);
1572         if (rc)
1573                 return rc;
1574
1575         bsec = bprm->security;
1576
1577         if (bsec->set)
1578                 return 0;
1579
1580         tsec = current->security;
1581         isec = inode->i_security;
1582
1583         /* Default to the current task SID. */
1584         bsec->sid = tsec->sid;
1585
1586         /* Reset create SID on execve. */
1587         tsec->create_sid = 0;
1588
1589         if (tsec->exec_sid) {
1590                 newsid = tsec->exec_sid;
1591                 /* Reset exec SID on execve. */
1592                 tsec->exec_sid = 0;
1593         } else {
1594                 /* Check for a default transition on this program. */
1595                 rc = security_transition_sid(tsec->sid, isec->sid,
1596                                              SECCLASS_PROCESS, &newsid);
1597                 if (rc)
1598                         return rc;
1599         }
1600
1601         AVC_AUDIT_DATA_INIT(&ad, FS);
1602         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1603         ad.u.fs.dentry = bprm->file->f_dentry;
1604
1605         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1606                 newsid = tsec->sid;
1607
1608         if (tsec->sid == newsid) {
1609                 rc = avc_has_perm(tsec->sid, isec->sid,
1610                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1611                 if (rc)
1612                         return rc;
1613         } else {
1614                 /* Check permissions for the transition. */
1615                 rc = avc_has_perm(tsec->sid, newsid,
1616                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1617                 if (rc)
1618                         return rc;
1619
1620                 rc = avc_has_perm(newsid, isec->sid,
1621                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1622                 if (rc)
1623                         return rc;
1624
1625                 /* Clear any possibly unsafe personality bits on exec: */
1626                 current->personality &= ~PER_CLEAR_ON_SETID;
1627
1628                 /* Set the security field to the new SID. */
1629                 bsec->sid = newsid;
1630         }
1631
1632         bsec->set = 1;
1633         return 0;
1634 }
1635
1636 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1637 {
1638         return secondary_ops->bprm_check_security(bprm);
1639 }
1640
1641
1642 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1643 {
1644         struct task_security_struct *tsec = current->security;
1645         int atsecure = 0;
1646
1647         if (tsec->osid != tsec->sid) {
1648                 /* Enable secure mode for SIDs transitions unless
1649                    the noatsecure permission is granted between
1650                    the two SIDs, i.e. ahp returns 0. */
1651                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1652                                          SECCLASS_PROCESS,
1653                                          PROCESS__NOATSECURE, NULL);
1654         }
1655
1656         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1657 }
1658
1659 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1660 {
1661         struct bprm_security_struct *bsec = bprm->security;
1662         bprm->security = NULL;
1663         kfree(bsec);
1664 }
1665
1666 extern struct vfsmount *selinuxfs_mount;
1667 extern struct dentry *selinux_null;
1668
1669 /* Derived from fs/exec.c:flush_old_files. */
1670 static inline void flush_unauthorized_files(struct files_struct * files)
1671 {
1672         struct avc_audit_data ad;
1673         struct file *file, *devnull = NULL;
1674         struct tty_struct *tty = current->signal->tty;
1675         long j = -1;
1676
1677         if (tty) {
1678                 file_list_lock();
1679                 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1680                 if (file) {
1681                         /* Revalidate access to controlling tty.
1682                            Use inode_has_perm on the tty inode directly rather
1683                            than using file_has_perm, as this particular open
1684                            file may belong to another process and we are only
1685                            interested in the inode-based check here. */
1686                         struct inode *inode = file->f_dentry->d_inode;
1687                         if (inode_has_perm(current, inode,
1688                                            FILE__READ | FILE__WRITE, NULL)) {
1689                                 /* Reset controlling tty. */
1690                                 current->signal->tty = NULL;
1691                                 current->signal->tty_old_pgrp = 0;
1692                         }
1693                 }
1694                 file_list_unlock();
1695         }
1696
1697         /* Revalidate access to inherited open files. */
1698
1699         AVC_AUDIT_DATA_INIT(&ad,FS);
1700
1701         spin_lock(&files->file_lock);
1702         for (;;) {
1703                 unsigned long set, i;
1704                 int fd;
1705
1706                 j++;
1707                 i = j * __NFDBITS;
1708                 if (i >= files->max_fds || i >= files->max_fdset)
1709                         break;
1710                 set = files->open_fds->fds_bits[j];
1711                 if (!set)
1712                         continue;
1713                 spin_unlock(&files->file_lock);
1714                 for ( ; set ; i++,set >>= 1) {
1715                         if (set & 1) {
1716                                 file = fget(i);
1717                                 if (!file)
1718                                         continue;
1719                                 if (file_has_perm(current,
1720                                                   file,
1721                                                   file_to_av(file))) {
1722                                         sys_close(i);
1723                                         fd = get_unused_fd();
1724                                         if (fd != i) {
1725                                                 if (fd >= 0)
1726                                                         put_unused_fd(fd);
1727                                                 fput(file);
1728                                                 continue;
1729                                         }
1730                                         if (devnull) {
1731                                                 atomic_inc(&devnull->f_count);
1732                                         } else {
1733                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1734                                                 if (!devnull) {
1735                                                         put_unused_fd(fd);
1736                                                         fput(file);
1737                                                         continue;
1738                                                 }
1739                                         }
1740                                         fd_install(fd, devnull);
1741                                 }
1742                                 fput(file);
1743                         }
1744                 }
1745                 spin_lock(&files->file_lock);
1746
1747         }
1748         spin_unlock(&files->file_lock);
1749 }
1750
1751 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1752 {
1753         struct task_security_struct *tsec;
1754         struct bprm_security_struct *bsec;
1755         u32 sid;
1756         int rc;
1757
1758         secondary_ops->bprm_apply_creds(bprm, unsafe);
1759
1760         tsec = current->security;
1761
1762         bsec = bprm->security;
1763         sid = bsec->sid;
1764
1765         tsec->osid = tsec->sid;
1766         bsec->unsafe = 0;
1767         if (tsec->sid != sid) {
1768                 /* Check for shared state.  If not ok, leave SID
1769                    unchanged and kill. */
1770                 if (unsafe & LSM_UNSAFE_SHARE) {
1771                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1772                                         PROCESS__SHARE, NULL);
1773                         if (rc) {
1774                                 bsec->unsafe = 1;
1775                                 return;
1776                         }
1777                 }
1778
1779                 /* Check for ptracing, and update the task SID if ok.
1780                    Otherwise, leave SID unchanged and kill. */
1781                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1782                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1783                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1784                                           NULL);
1785                         if (rc) {
1786                                 bsec->unsafe = 1;
1787                                 return;
1788                         }
1789                 }
1790                 tsec->sid = sid;
1791         }
1792 }
1793
1794 /*
1795  * called after apply_creds without the task lock held
1796  */
1797 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1798 {
1799         struct task_security_struct *tsec;
1800         struct rlimit *rlim, *initrlim;
1801         struct itimerval itimer;
1802         struct bprm_security_struct *bsec;
1803         int rc, i;
1804
1805         tsec = current->security;
1806         bsec = bprm->security;
1807
1808         if (bsec->unsafe) {
1809                 force_sig_specific(SIGKILL, current);
1810                 return;
1811         }
1812         if (tsec->osid == tsec->sid)
1813                 return;
1814
1815         /* Close files for which the new task SID is not authorized. */
1816         flush_unauthorized_files(current->files);
1817
1818         /* Check whether the new SID can inherit signal state
1819            from the old SID.  If not, clear itimers to avoid
1820            subsequent signal generation and flush and unblock
1821            signals. This must occur _after_ the task SID has
1822           been updated so that any kill done after the flush
1823           will be checked against the new SID. */
1824         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1825                           PROCESS__SIGINH, NULL);
1826         if (rc) {
1827                 memset(&itimer, 0, sizeof itimer);
1828                 for (i = 0; i < 3; i++)
1829                         do_setitimer(i, &itimer, NULL);
1830                 flush_signals(current);
1831                 spin_lock_irq(&current->sighand->siglock);
1832                 flush_signal_handlers(current, 1);
1833                 sigemptyset(&current->blocked);
1834                 recalc_sigpending();
1835                 spin_unlock_irq(&current->sighand->siglock);
1836         }
1837
1838         /* Check whether the new SID can inherit resource limits
1839            from the old SID.  If not, reset all soft limits to
1840            the lower of the current task's hard limit and the init
1841            task's soft limit.  Note that the setting of hard limits
1842            (even to lower them) can be controlled by the setrlimit
1843            check. The inclusion of the init task's soft limit into
1844            the computation is to avoid resetting soft limits higher
1845            than the default soft limit for cases where the default
1846            is lower than the hard limit, e.g. RLIMIT_CORE or
1847            RLIMIT_STACK.*/
1848         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1849                           PROCESS__RLIMITINH, NULL);
1850         if (rc) {
1851                 for (i = 0; i < RLIM_NLIMITS; i++) {
1852                         rlim = current->signal->rlim + i;
1853                         initrlim = init_task.signal->rlim+i;
1854                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1855                 }
1856                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1857                         /*
1858                          * This will cause RLIMIT_CPU calculations
1859                          * to be refigured.
1860                          */
1861                         current->it_prof_expires = jiffies_to_cputime(1);
1862                 }
1863         }
1864
1865         /* Wake up the parent if it is waiting so that it can
1866            recheck wait permission to the new task SID. */
1867         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1868 }
1869
1870 /* superblock security operations */
1871
1872 static int selinux_sb_alloc_security(struct super_block *sb)
1873 {
1874         return superblock_alloc_security(sb);
1875 }
1876
1877 static void selinux_sb_free_security(struct super_block *sb)
1878 {
1879         superblock_free_security(sb);
1880 }
1881
1882 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1883 {
1884         if (plen > olen)
1885                 return 0;
1886
1887         return !memcmp(prefix, option, plen);
1888 }
1889
1890 static inline int selinux_option(char *option, int len)
1891 {
1892         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1893                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1894                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1895 }
1896
1897 static inline void take_option(char **to, char *from, int *first, int len)
1898 {
1899         if (!*first) {
1900                 **to = ',';
1901                 *to += 1;
1902         }
1903         else
1904                 *first = 0;
1905         memcpy(*to, from, len);
1906         *to += len;
1907 }
1908
1909 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1910 {
1911         int fnosec, fsec, rc = 0;
1912         char *in_save, *in_curr, *in_end;
1913         char *sec_curr, *nosec_save, *nosec;
1914
1915         in_curr = orig;
1916         sec_curr = copy;
1917
1918         /* Binary mount data: just copy */
1919         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1920                 copy_page(sec_curr, in_curr);
1921                 goto out;
1922         }
1923
1924         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1925         if (!nosec) {
1926                 rc = -ENOMEM;
1927                 goto out;
1928         }
1929
1930         nosec_save = nosec;
1931         fnosec = fsec = 1;
1932         in_save = in_end = orig;
1933
1934         do {
1935                 if (*in_end == ',' || *in_end == '\0') {
1936                         int len = in_end - in_curr;
1937
1938                         if (selinux_option(in_curr, len))
1939                                 take_option(&sec_curr, in_curr, &fsec, len);
1940                         else
1941                                 take_option(&nosec, in_curr, &fnosec, len);
1942
1943                         in_curr = in_end + 1;
1944                 }
1945         } while (*in_end++);
1946
1947         copy_page(in_save, nosec_save);
1948         free_page((unsigned long)nosec_save);
1949 out:
1950         return rc;
1951 }
1952
1953 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1954 {
1955         struct avc_audit_data ad;
1956         int rc;
1957
1958         rc = superblock_doinit(sb, data);
1959         if (rc)
1960                 return rc;
1961
1962         AVC_AUDIT_DATA_INIT(&ad,FS);
1963         ad.u.fs.dentry = sb->s_root;
1964         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1965 }
1966
1967 static int selinux_sb_statfs(struct super_block *sb)
1968 {
1969         struct avc_audit_data ad;
1970
1971         AVC_AUDIT_DATA_INIT(&ad,FS);
1972         ad.u.fs.dentry = sb->s_root;
1973         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1974 }
1975
1976 static int selinux_mount(char * dev_name,
1977                          struct nameidata *nd,
1978                          char * type,
1979                          unsigned long flags,
1980                          void * data)
1981 {
1982         int rc;
1983
1984         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1985         if (rc)
1986                 return rc;
1987
1988         if (flags & MS_REMOUNT)
1989                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1990                                            FILESYSTEM__REMOUNT, NULL);
1991         else
1992                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1993                                        FILE__MOUNTON);
1994 }
1995
1996 static int selinux_umount(struct vfsmount *mnt, int flags)
1997 {
1998         int rc;
1999
2000         rc = secondary_ops->sb_umount(mnt, flags);
2001         if (rc)
2002                 return rc;
2003
2004         return superblock_has_perm(current,mnt->mnt_sb,
2005                                    FILESYSTEM__UNMOUNT,NULL);
2006 }
2007
2008 /* inode security operations */
2009
2010 static int selinux_inode_alloc_security(struct inode *inode)
2011 {
2012         return inode_alloc_security(inode);
2013 }
2014
2015 static void selinux_inode_free_security(struct inode *inode)
2016 {
2017         inode_free_security(inode);
2018 }
2019
2020 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2021 {
2022         return may_create(dir, dentry, SECCLASS_FILE);
2023 }
2024
2025 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2026 {
2027         post_create(dir, dentry);
2028 }
2029
2030 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2031 {
2032         int rc;
2033
2034         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2035         if (rc)
2036                 return rc;
2037         return may_link(dir, old_dentry, MAY_LINK);
2038 }
2039
2040 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2041 {
2042         return;
2043 }
2044
2045 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2046 {
2047         int rc;
2048
2049         rc = secondary_ops->inode_unlink(dir, dentry);
2050         if (rc)
2051                 return rc;
2052         return may_link(dir, dentry, MAY_UNLINK);
2053 }
2054
2055 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2056 {
2057         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2058 }
2059
2060 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2061 {
2062         post_create(dir, dentry);
2063 }
2064
2065 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2066 {
2067         return may_create(dir, dentry, SECCLASS_DIR);
2068 }
2069
2070 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2071 {
2072         post_create(dir, dentry);
2073 }
2074
2075 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2076 {
2077         return may_link(dir, dentry, MAY_RMDIR);
2078 }
2079
2080 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2081 {
2082         int rc;
2083
2084         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2085         if (rc)
2086                 return rc;
2087
2088         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2089 }
2090
2091 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2092 {
2093         post_create(dir, dentry);
2094 }
2095
2096 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2097                                 struct inode *new_inode, struct dentry *new_dentry)
2098 {
2099         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2100 }
2101
2102 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2103                                       struct inode *new_inode, struct dentry *new_dentry)
2104 {
2105         return;
2106 }
2107
2108 static int selinux_inode_readlink(struct dentry *dentry)
2109 {
2110         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2111 }
2112
2113 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2114 {
2115         int rc;
2116
2117         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2118         if (rc)
2119                 return rc;
2120         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2121 }
2122
2123 static int selinux_inode_permission(struct inode *inode, int mask,
2124                                     struct nameidata *nd)
2125 {
2126         int rc;
2127
2128         rc = secondary_ops->inode_permission(inode, mask, nd);
2129         if (rc)
2130                 return rc;
2131
2132         if (!mask) {
2133                 /* No permission to check.  Existence test. */
2134                 return 0;
2135         }
2136
2137         return inode_has_perm(current, inode,
2138                                file_mask_to_av(inode->i_mode, mask), NULL);
2139 }
2140
2141 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2142 {
2143         int rc;
2144
2145         rc = secondary_ops->inode_setattr(dentry, iattr);
2146         if (rc)
2147                 return rc;
2148
2149         if (iattr->ia_valid & ATTR_FORCE)
2150                 return 0;
2151
2152         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2153                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2154                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2155
2156         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2157 }
2158
2159 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2160 {
2161         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2162 }
2163
2164 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2165 {
2166         struct task_security_struct *tsec = current->security;
2167         struct inode *inode = dentry->d_inode;
2168         struct inode_security_struct *isec = inode->i_security;
2169         struct superblock_security_struct *sbsec;
2170         struct avc_audit_data ad;
2171         u32 newsid;
2172         int rc = 0;
2173
2174         if (strcmp(name, XATTR_NAME_SELINUX)) {
2175                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2176                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2177                     !capable(CAP_SYS_ADMIN)) {
2178                         /* A different attribute in the security namespace.
2179                            Restrict to administrator. */
2180                         return -EPERM;
2181                 }
2182
2183                 /* Not an attribute we recognize, so just check the
2184                    ordinary setattr permission. */
2185                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2186         }
2187
2188         sbsec = inode->i_sb->s_security;
2189         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2190                 return -EOPNOTSUPP;
2191
2192         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2193                 return -EPERM;
2194
2195         AVC_AUDIT_DATA_INIT(&ad,FS);
2196         ad.u.fs.dentry = dentry;
2197
2198         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2199                           FILE__RELABELFROM, &ad);
2200         if (rc)
2201                 return rc;
2202
2203         rc = security_context_to_sid(value, size, &newsid);
2204         if (rc)
2205                 return rc;
2206
2207         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2208                           FILE__RELABELTO, &ad);
2209         if (rc)
2210                 return rc;
2211
2212         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2213                                           isec->sclass);
2214         if (rc)
2215                 return rc;
2216
2217         return avc_has_perm(newsid,
2218                             sbsec->sid,
2219                             SECCLASS_FILESYSTEM,
2220                             FILESYSTEM__ASSOCIATE,
2221                             &ad);
2222 }
2223
2224 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2225                                         void *value, size_t size, int flags)
2226 {
2227         struct inode *inode = dentry->d_inode;
2228         struct inode_security_struct *isec = inode->i_security;
2229         u32 newsid;
2230         int rc;
2231
2232         if (strcmp(name, XATTR_NAME_SELINUX)) {
2233                 /* Not an attribute we recognize, so nothing to do. */
2234                 return;
2235         }
2236
2237         rc = security_context_to_sid(value, size, &newsid);
2238         if (rc) {
2239                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2240                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2241                 return;
2242         }
2243
2244         isec->sid = newsid;
2245         return;
2246 }
2247
2248 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2249 {
2250         struct inode *inode = dentry->d_inode;
2251         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2252
2253         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2254                 return -EOPNOTSUPP;
2255
2256         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2257 }
2258
2259 static int selinux_inode_listxattr (struct dentry *dentry)
2260 {
2261         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2262 }
2263
2264 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2265 {
2266         if (strcmp(name, XATTR_NAME_SELINUX)) {
2267                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2268                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2269                     !capable(CAP_SYS_ADMIN)) {
2270                         /* A different attribute in the security namespace.
2271                            Restrict to administrator. */
2272                         return -EPERM;
2273                 }
2274
2275                 /* Not an attribute we recognize, so just check the
2276                    ordinary setattr permission. Might want a separate
2277                    permission for removexattr. */
2278                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2279         }
2280
2281         /* No one is allowed to remove a SELinux security label.
2282            You can change the label, but all data must be labeled. */
2283         return -EACCES;
2284 }
2285
2286 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2287 {
2288         struct inode_security_struct *isec = inode->i_security;
2289         char *context;
2290         unsigned len;
2291         int rc;
2292
2293         /* Permission check handled by selinux_inode_getxattr hook.*/
2294
2295         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2296                 return -EOPNOTSUPP;
2297
2298         rc = security_sid_to_context(isec->sid, &context, &len);
2299         if (rc)
2300                 return rc;
2301
2302         if (!buffer || !size) {
2303                 kfree(context);
2304                 return len;
2305         }
2306         if (size < len) {
2307                 kfree(context);
2308                 return -ERANGE;
2309         }
2310         memcpy(buffer, context, len);
2311         kfree(context);
2312         return len;
2313 }
2314
2315 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2316                                      const void *value, size_t size, int flags)
2317 {
2318         struct inode_security_struct *isec = inode->i_security;
2319         u32 newsid;
2320         int rc;
2321
2322         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2323                 return -EOPNOTSUPP;
2324
2325         if (!value || !size)
2326                 return -EACCES;
2327
2328         rc = security_context_to_sid((void*)value, size, &newsid);
2329         if (rc)
2330                 return rc;
2331
2332         isec->sid = newsid;
2333         return 0;
2334 }
2335
2336 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2337 {
2338         const int len = sizeof(XATTR_NAME_SELINUX);
2339         if (buffer && len <= buffer_size)
2340                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2341         return len;
2342 }
2343
2344 /* file security operations */
2345
2346 static int selinux_file_permission(struct file *file, int mask)
2347 {
2348         struct inode *inode = file->f_dentry->d_inode;
2349
2350         if (!mask) {
2351                 /* No permission to check.  Existence test. */
2352                 return 0;
2353         }
2354
2355         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2356         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2357                 mask |= MAY_APPEND;
2358
2359         return file_has_perm(current, file,
2360                              file_mask_to_av(inode->i_mode, mask));
2361 }
2362
2363 static int selinux_file_alloc_security(struct file *file)
2364 {
2365         return file_alloc_security(file);
2366 }
2367
2368 static void selinux_file_free_security(struct file *file)
2369 {
2370         file_free_security(file);
2371 }
2372
2373 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2374                               unsigned long arg)
2375 {
2376         int error = 0;
2377
2378         switch (cmd) {
2379                 case FIONREAD:
2380                 /* fall through */
2381                 case FIBMAP:
2382                 /* fall through */
2383                 case FIGETBSZ:
2384                 /* fall through */
2385                 case EXT2_IOC_GETFLAGS:
2386                 /* fall through */
2387                 case EXT2_IOC_GETVERSION:
2388                         error = file_has_perm(current, file, FILE__GETATTR);
2389                         break;
2390
2391                 case EXT2_IOC_SETFLAGS:
2392                 /* fall through */
2393                 case EXT2_IOC_SETVERSION:
2394                         error = file_has_perm(current, file, FILE__SETATTR);
2395                         break;
2396
2397                 /* sys_ioctl() checks */
2398                 case FIONBIO:
2399                 /* fall through */
2400                 case FIOASYNC:
2401                         error = file_has_perm(current, file, 0);
2402                         break;
2403
2404                 case KDSKBENT:
2405                 case KDSKBSENT:
2406                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2407                         break;
2408
2409                 /* default case assumes that the command will go
2410                  * to the file's ioctl() function.
2411                  */
2412                 default:
2413                         error = file_has_perm(current, file, FILE__IOCTL);
2414
2415         }
2416         return error;
2417 }
2418
2419 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2420 {
2421 #ifndef CONFIG_PPC32
2422         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2423                 /*
2424                  * We are making executable an anonymous mapping or a
2425                  * private file mapping that will also be writable.
2426                  * This has an additional check.
2427                  */
2428                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2429                 if (rc)
2430                         return rc;
2431         }
2432 #endif
2433
2434         if (file) {
2435                 /* read access is always possible with a mapping */
2436                 u32 av = FILE__READ;
2437
2438                 /* write access only matters if the mapping is shared */
2439                 if (shared && (prot & PROT_WRITE))
2440                         av |= FILE__WRITE;
2441
2442                 if (prot & PROT_EXEC)
2443                         av |= FILE__EXECUTE;
2444
2445                 return file_has_perm(current, file, av);
2446         }
2447         return 0;
2448 }
2449
2450 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2451                              unsigned long prot, unsigned long flags)
2452 {
2453         int rc;
2454
2455         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2456         if (rc)
2457                 return rc;
2458
2459         if (selinux_checkreqprot)
2460                 prot = reqprot;
2461
2462         return file_map_prot_check(file, prot,
2463                                    (flags & MAP_TYPE) == MAP_SHARED);
2464 }
2465
2466 static int selinux_file_mprotect(struct vm_area_struct *vma,
2467                                  unsigned long reqprot,
2468                                  unsigned long prot)
2469 {
2470         int rc;
2471
2472         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2473         if (rc)
2474                 return rc;
2475
2476         if (selinux_checkreqprot)
2477                 prot = reqprot;
2478
2479 #ifndef CONFIG_PPC32
2480         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2481            (vma->vm_start >= vma->vm_mm->start_brk &&
2482             vma->vm_end <= vma->vm_mm->brk)) {
2483                 /*
2484                  * We are making an executable mapping in the brk region.
2485                  * This has an additional execheap check.
2486                  */
2487                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2488                 if (rc)
2489                         return rc;
2490         }
2491         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2492                 /*
2493                  * We are making executable a file mapping that has
2494                  * had some COW done. Since pages might have been written,
2495                  * check ability to execute the possibly modified content.
2496                  * This typically should only occur for text relocations.
2497                  */
2498                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2499                 if (rc)
2500                         return rc;
2501         }
2502         if (!vma->vm_file && (prot & PROT_EXEC) &&
2503                 vma->vm_start <= vma->vm_mm->start_stack &&
2504                 vma->vm_end >= vma->vm_mm->start_stack) {
2505                 /* Attempt to make the process stack executable.
2506                  * This has an additional execstack check.
2507                  */
2508                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2509                 if (rc)
2510                         return rc;
2511         }
2512 #endif
2513
2514         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2515 }
2516
2517 static int selinux_file_lock(struct file *file, unsigned int cmd)
2518 {
2519         return file_has_perm(current, file, FILE__LOCK);
2520 }
2521
2522 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2523                               unsigned long arg)
2524 {
2525         int err = 0;
2526
2527         switch (cmd) {
2528                 case F_SETFL:
2529                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2530                                 err = -EINVAL;
2531                                 break;
2532                         }
2533
2534                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2535                                 err = file_has_perm(current, file,FILE__WRITE);
2536                                 break;
2537                         }
2538                         /* fall through */
2539                 case F_SETOWN:
2540                 case F_SETSIG:
2541                 case F_GETFL:
2542                 case F_GETOWN:
2543                 case F_GETSIG:
2544                         /* Just check FD__USE permission */
2545                         err = file_has_perm(current, file, 0);
2546                         break;
2547                 case F_GETLK:
2548                 case F_SETLK:
2549                 case F_SETLKW:
2550 #if BITS_PER_LONG == 32
2551                 case F_GETLK64:
2552                 case F_SETLK64:
2553                 case F_SETLKW64:
2554 #endif
2555                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2556                                 err = -EINVAL;
2557                                 break;
2558                         }
2559                         err = file_has_perm(current, file, FILE__LOCK);
2560                         break;
2561         }
2562
2563         return err;
2564 }
2565
2566 static int selinux_file_set_fowner(struct file *file)
2567 {
2568         struct task_security_struct *tsec;
2569         struct file_security_struct *fsec;
2570
2571         tsec = current->security;
2572         fsec = file->f_security;
2573         fsec->fown_sid = tsec->sid;
2574
2575         return 0;
2576 }
2577
2578 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2579                                        struct fown_struct *fown, int signum)
2580 {
2581         struct file *file;
2582         u32 perm;
2583         struct task_security_struct *tsec;
2584         struct file_security_struct *fsec;
2585
2586         /* struct fown_struct is never outside the context of a struct file */
2587         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2588
2589         tsec = tsk->security;
2590         fsec = file->f_security;
2591
2592         if (!signum)
2593                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2594         else
2595                 perm = signal_to_av(signum);
2596
2597         return avc_has_perm(fsec->fown_sid, tsec->sid,
2598                             SECCLASS_PROCESS, perm, NULL);
2599 }
2600
2601 static int selinux_file_receive(struct file *file)
2602 {
2603         return file_has_perm(current, file, file_to_av(file));
2604 }
2605
2606 /* task security operations */
2607
2608 static int selinux_task_create(unsigned long clone_flags)
2609 {
2610         int rc;
2611
2612         rc = secondary_ops->task_create(clone_flags);
2613         if (rc)
2614                 return rc;
2615
2616         return task_has_perm(current, current, PROCESS__FORK);
2617 }
2618
2619 static int selinux_task_alloc_security(struct task_struct *tsk)
2620 {
2621         struct task_security_struct *tsec1, *tsec2;
2622         int rc;
2623
2624         tsec1 = current->security;
2625
2626         rc = task_alloc_security(tsk);
2627         if (rc)
2628                 return rc;
2629         tsec2 = tsk->security;
2630
2631         tsec2->osid = tsec1->osid;
2632         tsec2->sid = tsec1->sid;
2633
2634         /* Retain the exec and create SIDs across fork */
2635         tsec2->exec_sid = tsec1->exec_sid;
2636         tsec2->create_sid = tsec1->create_sid;
2637
2638         /* Retain ptracer SID across fork, if any.
2639            This will be reset by the ptrace hook upon any
2640            subsequent ptrace_attach operations. */
2641         tsec2->ptrace_sid = tsec1->ptrace_sid;
2642
2643         return 0;
2644 }
2645
2646 static void selinux_task_free_security(struct task_struct *tsk)
2647 {
2648         task_free_security(tsk);
2649 }
2650
2651 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2652 {
2653         /* Since setuid only affects the current process, and
2654            since the SELinux controls are not based on the Linux
2655            identity attributes, SELinux does not need to control
2656            this operation.  However, SELinux does control the use
2657            of the CAP_SETUID and CAP_SETGID capabilities using the
2658            capable hook. */
2659         return 0;
2660 }
2661
2662 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2663 {
2664         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2665 }
2666
2667 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2668 {
2669         /* See the comment for setuid above. */
2670         return 0;
2671 }
2672
2673 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2674 {
2675         return task_has_perm(current, p, PROCESS__SETPGID);
2676 }
2677
2678 static int selinux_task_getpgid(struct task_struct *p)
2679 {
2680         return task_has_perm(current, p, PROCESS__GETPGID);
2681 }
2682
2683 static int selinux_task_getsid(struct task_struct *p)
2684 {
2685         return task_has_perm(current, p, PROCESS__GETSESSION);
2686 }
2687
2688 static int selinux_task_setgroups(struct group_info *group_info)
2689 {
2690         /* See the comment for setuid above. */
2691         return 0;
2692 }
2693
2694 static int selinux_task_setnice(struct task_struct *p, int nice)
2695 {
2696         int rc;
2697
2698         rc = secondary_ops->task_setnice(p, nice);
2699         if (rc)
2700                 return rc;
2701
2702         return task_has_perm(current,p, PROCESS__SETSCHED);
2703 }
2704
2705 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2706 {
2707         struct rlimit *old_rlim = current->signal->rlim + resource;
2708         int rc;
2709
2710         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2711         if (rc)
2712                 return rc;
2713
2714         /* Control the ability to change the hard limit (whether
2715            lowering or raising it), so that the hard limit can
2716            later be used as a safe reset point for the soft limit
2717            upon context transitions. See selinux_bprm_apply_creds. */
2718         if (old_rlim->rlim_max != new_rlim->rlim_max)
2719                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2720
2721         return 0;
2722 }
2723
2724 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2725 {
2726         return task_has_perm(current, p, PROCESS__SETSCHED);
2727 }
2728
2729 static int selinux_task_getscheduler(struct task_struct *p)
2730 {
2731         return task_has_perm(current, p, PROCESS__GETSCHED);
2732 }
2733
2734 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2735 {
2736         u32 perm;
2737         int rc;
2738
2739         rc = secondary_ops->task_kill(p, info, sig);
2740         if (rc)
2741                 return rc;
2742
2743         if (info && ((unsigned long)info == 1 ||
2744                      (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2745                 return 0;
2746
2747         if (!sig)
2748                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2749         else
2750                 perm = signal_to_av(sig);
2751
2752         return task_has_perm(current, p, perm);
2753 }
2754
2755 static int selinux_task_prctl(int option,
2756                               unsigned long arg2,
2757                               unsigned long arg3,
2758                               unsigned long arg4,
2759                               unsigned long arg5)
2760 {
2761         /* The current prctl operations do not appear to require
2762            any SELinux controls since they merely observe or modify
2763            the state of the current process. */
2764         return 0;
2765 }
2766
2767 static int selinux_task_wait(struct task_struct *p)
2768 {
2769         u32 perm;
2770
2771         perm = signal_to_av(p->exit_signal);
2772
2773         return task_has_perm(p, current, perm);
2774 }
2775
2776 static void selinux_task_reparent_to_init(struct task_struct *p)
2777 {
2778         struct task_security_struct *tsec;
2779
2780         secondary_ops->task_reparent_to_init(p);
2781
2782         tsec = p->security;
2783         tsec->osid = tsec->sid;
2784         tsec->sid = SECINITSID_KERNEL;
2785         return;
2786 }
2787
2788 static void selinux_task_to_inode(struct task_struct *p,
2789                                   struct inode *inode)
2790 {
2791         struct task_security_struct *tsec = p->security;
2792         struct inode_security_struct *isec = inode->i_security;
2793
2794         isec->sid = tsec->sid;
2795         isec->initialized = 1;
2796         return;
2797 }
2798
2799 #ifdef CONFIG_SECURITY_NETWORK
2800
2801 /* Returns error only if unable to parse addresses */
2802 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2803 {
2804         int offset, ihlen, ret = -EINVAL;
2805         struct iphdr _iph, *ih;
2806
2807         offset = skb->nh.raw - skb->data;
2808         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2809         if (ih == NULL)
2810                 goto out;
2811
2812         ihlen = ih->ihl * 4;
2813         if (ihlen < sizeof(_iph))
2814                 goto out;
2815
2816         ad->u.net.v4info.saddr = ih->saddr;
2817         ad->u.net.v4info.daddr = ih->daddr;
2818         ret = 0;
2819
2820         switch (ih->protocol) {
2821         case IPPROTO_TCP: {
2822                 struct tcphdr _tcph, *th;
2823
2824                 if (ntohs(ih->frag_off) & IP_OFFSET)
2825                         break;
2826
2827                 offset += ihlen;
2828                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2829                 if (th == NULL)
2830                         break;
2831
2832                 ad->u.net.sport = th->source;
2833                 ad->u.net.dport = th->dest;
2834                 break;
2835         }
2836         
2837         case IPPROTO_UDP: {
2838                 struct udphdr _udph, *uh;
2839                 
2840                 if (ntohs(ih->frag_off) & IP_OFFSET)
2841                         break;
2842                         
2843                 offset += ihlen;
2844                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2845                 if (uh == NULL)
2846                         break;  
2847
2848                 ad->u.net.sport = uh->source;
2849                 ad->u.net.dport = uh->dest;
2850                 break;
2851         }
2852
2853         default:
2854                 break;
2855         }
2856 out:
2857         return ret;
2858 }
2859
2860 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2861
2862 /* Returns error only if unable to parse addresses */
2863 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2864 {
2865         u8 nexthdr;
2866         int ret = -EINVAL, offset;
2867         struct ipv6hdr _ipv6h, *ip6;
2868
2869         offset = skb->nh.raw - skb->data;
2870         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2871         if (ip6 == NULL)
2872                 goto out;
2873
2874         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2875         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2876         ret = 0;
2877
2878         nexthdr = ip6->nexthdr;
2879         offset += sizeof(_ipv6h);
2880         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2881         if (offset < 0)
2882                 goto out;
2883
2884         switch (nexthdr) {
2885         case IPPROTO_TCP: {
2886                 struct tcphdr _tcph, *th;
2887
2888                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2889                 if (th == NULL)
2890                         break;
2891
2892                 ad->u.net.sport = th->source;
2893                 ad->u.net.dport = th->dest;
2894                 break;
2895         }
2896
2897         case IPPROTO_UDP: {
2898                 struct udphdr _udph, *uh;
2899
2900                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2901                 if (uh == NULL)
2902                         break;
2903
2904                 ad->u.net.sport = uh->source;
2905                 ad->u.net.dport = uh->dest;
2906                 break;
2907         }
2908
2909         /* includes fragments */
2910         default:
2911                 break;
2912         }
2913 out:
2914         return ret;
2915 }
2916
2917 #endif /* IPV6 */
2918
2919 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2920                              char **addrp, int *len, int src)
2921 {
2922         int ret = 0;
2923
2924         switch (ad->u.net.family) {
2925         case PF_INET:
2926                 ret = selinux_parse_skb_ipv4(skb, ad);
2927                 if (ret || !addrp)
2928                         break;
2929                 *len = 4;
2930                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2931                                         &ad->u.net.v4info.daddr);
2932                 break;
2933
2934 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2935         case PF_INET6:
2936                 ret = selinux_parse_skb_ipv6(skb, ad);
2937                 if (ret || !addrp)
2938                         break;
2939                 *len = 16;
2940                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2941                                         &ad->u.net.v6info.daddr);
2942                 break;
2943 #endif  /* IPV6 */
2944         default:
2945                 break;
2946         }
2947
2948         return ret;
2949 }
2950
2951 /* socket security operations */
2952 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2953                            u32 perms)
2954 {
2955         struct inode_security_struct *isec;
2956         struct task_security_struct *tsec;
2957         struct avc_audit_data ad;
2958         int err = 0;
2959
2960         tsec = task->security;
2961         isec = SOCK_INODE(sock)->i_security;
2962
2963         if (isec->sid == SECINITSID_KERNEL)
2964                 goto out;
2965
2966         AVC_AUDIT_DATA_INIT(&ad,NET);
2967         ad.u.net.sk = sock->sk;
2968         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2969
2970 out:
2971         return err;
2972 }
2973
2974 static int selinux_socket_create(int family, int type,
2975                                  int protocol, int kern)
2976 {
2977         int err = 0;
2978         struct task_security_struct *tsec;
2979
2980         if (kern)
2981                 goto out;
2982
2983         tsec = current->security;
2984         err = avc_has_perm(tsec->sid, tsec->sid,
2985                            socket_type_to_security_class(family, type,
2986                            protocol), SOCKET__CREATE, NULL);
2987
2988 out:
2989         return err;
2990 }
2991
2992 static void selinux_socket_post_create(struct socket *sock, int family,
2993                                        int type, int protocol, int kern)
2994 {
2995         struct inode_security_struct *isec;
2996         struct task_security_struct *tsec;
2997
2998         isec = SOCK_INODE(sock)->i_security;
2999
3000         tsec = current->security;
3001         isec->sclass = socket_type_to_security_class(family, type, protocol);
3002         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
3003         isec->initialized = 1;
3004
3005         return;
3006 }
3007
3008 /* Range of port numbers used to automatically bind.
3009    Need to determine whether we should perform a name_bind
3010    permission check between the socket and the port number. */
3011 #define ip_local_port_range_0 sysctl_local_port_range[0]
3012 #define ip_local_port_range_1 sysctl_local_port_range[1]
3013
3014 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3015 {
3016         u16 family;
3017         int err;
3018
3019         err = socket_has_perm(current, sock, SOCKET__BIND);
3020         if (err)
3021                 goto out;
3022
3023         /*
3024          * If PF_INET or PF_INET6, check name_bind permission for the port.
3025          */
3026         family = sock->sk->sk_family;
3027         if (family == PF_INET || family == PF_INET6) {
3028                 char *addrp;
3029                 struct inode_security_struct *isec;
3030                 struct task_security_struct *tsec;
3031                 struct avc_audit_data ad;
3032                 struct sockaddr_in *addr4 = NULL;
3033                 struct sockaddr_in6 *addr6 = NULL;
3034                 unsigned short snum;
3035                 struct sock *sk = sock->sk;
3036                 u32 sid, node_perm, addrlen;
3037
3038                 tsec = current->security;
3039                 isec = SOCK_INODE(sock)->i_security;
3040
3041                 if (family == PF_INET) {
3042                         addr4 = (struct sockaddr_in *)address;
3043                         snum = ntohs(addr4->sin_port);
3044                         addrlen = sizeof(addr4->sin_addr.s_addr);
3045                         addrp = (char *)&addr4->sin_addr.s_addr;
3046                 } else {
3047                         addr6 = (struct sockaddr_in6 *)address;
3048                         snum = ntohs(addr6->sin6_port);
3049                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3050                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3051                 }
3052
3053                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3054                            snum > ip_local_port_range_1)) {
3055                         err = security_port_sid(sk->sk_family, sk->sk_type,
3056                                                 sk->sk_protocol, snum, &sid);
3057                         if (err)
3058                                 goto out;
3059                         AVC_AUDIT_DATA_INIT(&ad,NET);
3060                         ad.u.net.sport = htons(snum);
3061                         ad.u.net.family = family;
3062                         err = avc_has_perm(isec->sid, sid,
3063                                            isec->sclass,
3064                                            SOCKET__NAME_BIND, &ad);
3065                         if (err)
3066                                 goto out;
3067                 }
3068                 
3069                 switch(sk->sk_protocol) {
3070                 case IPPROTO_TCP:
3071                         node_perm = TCP_SOCKET__NODE_BIND;
3072                         break;
3073                         
3074                 case IPPROTO_UDP:
3075                         node_perm = UDP_SOCKET__NODE_BIND;
3076                         break;
3077                         
3078                 default:
3079                         node_perm = RAWIP_SOCKET__NODE_BIND;
3080                         break;
3081                 }
3082                 
3083                 err = security_node_sid(family, addrp, addrlen, &sid);
3084                 if (err)
3085                         goto out;
3086                 
3087                 AVC_AUDIT_DATA_INIT(&ad,NET);
3088                 ad.u.net.sport = htons(snum);
3089                 ad.u.net.family = family;
3090
3091                 if (family == PF_INET)
3092                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3093                 else
3094                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3095
3096                 err = avc_has_perm(isec->sid, sid,
3097                                    isec->sclass, node_perm, &ad);
3098                 if (err)
3099                         goto out;
3100         }
3101 out:
3102         return err;
3103 }
3104
3105 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3106 {
3107         struct inode_security_struct *isec;
3108         int err;
3109
3110         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3111         if (err)
3112                 return err;
3113
3114         /*
3115          * If a TCP socket, check name_connect permission for the port.
3116          */
3117         isec = SOCK_INODE(sock)->i_security;
3118         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3119                 struct sock *sk = sock->sk;
3120                 struct avc_audit_data ad;
3121                 struct sockaddr_in *addr4 = NULL;
3122                 struct sockaddr_in6 *addr6 = NULL;
3123                 unsigned short snum;
3124                 u32 sid;
3125
3126                 if (sk->sk_family == PF_INET) {
3127                         addr4 = (struct sockaddr_in *)address;
3128                         if (addrlen != sizeof(struct sockaddr_in))
3129                                 return -EINVAL;
3130                         snum = ntohs(addr4->sin_port);
3131                 } else {
3132                         addr6 = (struct sockaddr_in6 *)address;
3133                         if (addrlen != sizeof(struct sockaddr_in6))
3134                                 return -EINVAL;
3135                         snum = ntohs(addr6->sin6_port);
3136                 }
3137
3138                 err = security_port_sid(sk->sk_family, sk->sk_type,
3139                                         sk->sk_protocol, snum, &sid);
3140                 if (err)
3141                         goto out;
3142
3143                 AVC_AUDIT_DATA_INIT(&ad,NET);
3144                 ad.u.net.dport = htons(snum);
3145                 ad.u.net.family = sk->sk_family;
3146                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3147                                    TCP_SOCKET__NAME_CONNECT, &ad);
3148                 if (err)
3149                         goto out;
3150         }
3151
3152 out:
3153         return err;
3154 }
3155
3156 static int selinux_socket_listen(struct socket *sock, int backlog)
3157 {
3158         return socket_has_perm(current, sock, SOCKET__LISTEN);
3159 }
3160
3161 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3162 {
3163         int err;
3164         struct inode_security_struct *isec;
3165         struct inode_security_struct *newisec;
3166
3167         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3168         if (err)
3169                 return err;
3170
3171         newisec = SOCK_INODE(newsock)->i_security;
3172
3173         isec = SOCK_INODE(sock)->i_security;
3174         newisec->sclass = isec->sclass;
3175         newisec->sid = isec->sid;
3176         newisec->initialized = 1;
3177
3178         return 0;
3179 }
3180
3181 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3182                                   int size)
3183 {
3184         return socket_has_perm(current, sock, SOCKET__WRITE);
3185 }
3186
3187 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3188                                   int size, int flags)
3189 {
3190         return socket_has_perm(current, sock, SOCKET__READ);
3191 }
3192
3193 static int selinux_socket_getsockname(struct socket *sock)
3194 {
3195         return socket_has_perm(current, sock, SOCKET__GETATTR);
3196 }
3197
3198 static int selinux_socket_getpeername(struct socket *sock)
3199 {
3200         return socket_has_perm(current, sock, SOCKET__GETATTR);
3201 }
3202
3203 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3204 {
3205         return socket_has_perm(current, sock, SOCKET__SETOPT);
3206 }
3207
3208 static int selinux_socket_getsockopt(struct socket *sock, int level,
3209                                      int optname)
3210 {
3211         return socket_has_perm(current, sock, SOCKET__GETOPT);
3212 }
3213
3214 static int selinux_socket_shutdown(struct socket *sock, int how)
3215 {
3216         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3217 }
3218
3219 static int selinux_socket_unix_stream_connect(struct socket *sock,
3220                                               struct socket *other,
3221                                               struct sock *newsk)
3222 {
3223         struct sk_security_struct *ssec;
3224         struct inode_security_struct *isec;
3225         struct inode_security_struct *other_isec;
3226         struct avc_audit_data ad;
3227         int err;
3228
3229         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3230         if (err)
3231                 return err;
3232
3233         isec = SOCK_INODE(sock)->i_security;
3234         other_isec = SOCK_INODE(other)->i_security;
3235
3236         AVC_AUDIT_DATA_INIT(&ad,NET);
3237         ad.u.net.sk = other->sk;
3238
3239         err = avc_has_perm(isec->sid, other_isec->sid,
3240                            isec->sclass,
3241                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3242         if (err)
3243                 return err;
3244
3245         /* connecting socket */
3246         ssec = sock->sk->sk_security;
3247         ssec->peer_sid = other_isec->sid;
3248         
3249         /* server child socket */
3250         ssec = newsk->sk_security;
3251         ssec->peer_sid = isec->sid;
3252         
3253         return 0;
3254 }
3255
3256 static int selinux_socket_unix_may_send(struct socket *sock,
3257                                         struct socket *other)
3258 {
3259         struct inode_security_struct *isec;
3260         struct inode_security_struct *other_isec;
3261         struct avc_audit_data ad;
3262         int err;
3263
3264         isec = SOCK_INODE(sock)->i_security;
3265         other_isec = SOCK_INODE(other)->i_security;
3266
3267         AVC_AUDIT_DATA_INIT(&ad,NET);
3268         ad.u.net.sk = other->sk;
3269
3270         err = avc_has_perm(isec->sid, other_isec->sid,
3271                            isec->sclass, SOCKET__SENDTO, &ad);
3272         if (err)
3273                 return err;
3274
3275         return 0;
3276 }
3277
3278 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3279 {
3280         u16 family;
3281         char *addrp;
3282         int len, err = 0;
3283         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3284         u32 sock_sid = 0;
3285         u16 sock_class = 0;
3286         struct socket *sock;
3287         struct net_device *dev;
3288         struct avc_audit_data ad;
3289
3290         family = sk->sk_family;
3291         if (family != PF_INET && family != PF_INET6)
3292                 goto out;
3293
3294         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3295         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3296                 family = PF_INET;
3297
3298         read_lock_bh(&sk->sk_callback_lock);
3299         sock = sk->sk_socket;
3300         if (sock) {
3301                 struct inode *inode;
3302                 inode = SOCK_INODE(sock);
3303                 if (inode) {
3304                         struct inode_security_struct *isec;
3305                         isec = inode->i_security;
3306                         sock_sid = isec->sid;
3307                         sock_class = isec->sclass;
3308                 }
3309         }
3310         read_unlock_bh(&sk->sk_callback_lock);
3311         if (!sock_sid)
3312                 goto out;
3313
3314         dev = skb->dev;
3315         if (!dev)
3316                 goto out;
3317
3318         err = sel_netif_sids(dev, &if_sid, NULL);
3319         if (err)
3320                 goto out;
3321
3322         switch (sock_class) {
3323         case SECCLASS_UDP_SOCKET:
3324                 netif_perm = NETIF__UDP_RECV;
3325                 node_perm = NODE__UDP_RECV;
3326                 recv_perm = UDP_SOCKET__RECV_MSG;
3327                 break;
3328         
3329         case SECCLASS_TCP_SOCKET:
3330                 netif_perm = NETIF__TCP_RECV;
3331                 node_perm = NODE__TCP_RECV;
3332                 recv_perm = TCP_SOCKET__RECV_MSG;
3333                 break;
3334         
3335         default:
3336                 netif_perm = NETIF__RAWIP_RECV;
3337                 node_perm = NODE__RAWIP_RECV;
3338                 break;
3339         }
3340
3341         AVC_AUDIT_DATA_INIT(&ad, NET);
3342         ad.u.net.netif = dev->name;
3343         ad.u.net.family = family;
3344
3345         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3346         if (err)
3347                 goto out;
3348
3349         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3350         if (err)
3351                 goto out;
3352         
3353         /* Fixme: this lookup is inefficient */
3354         err = security_node_sid(family, addrp, len, &node_sid);
3355         if (err)
3356                 goto out;
3357         
3358         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3359         if (err)
3360                 goto out;
3361
3362         if (recv_perm) {
3363                 u32 port_sid;
3364
3365                 /* Fixme: make this more efficient */
3366                 err = security_port_sid(sk->sk_family, sk->sk_type,
3367                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3368                                         &port_sid);
3369                 if (err)
3370                         goto out;
3371
3372                 err = avc_has_perm(sock_sid, port_sid,
3373                                    sock_class, recv_perm, &ad);
3374         }
3375 out:    
3376         return err;
3377 }
3378
3379 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3380                                      int __user *optlen, unsigned len)
3381 {
3382         int err = 0;
3383         char *scontext;
3384         u32 scontext_len;
3385         struct sk_security_struct *ssec;
3386         struct inode_security_struct *isec;
3387
3388         isec = SOCK_INODE(sock)->i_security;
3389         if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3390                 err = -ENOPROTOOPT;
3391                 goto out;
3392         }
3393
3394         ssec = sock->sk->sk_security;
3395         
3396         err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3397         if (err)
3398                 goto out;
3399
3400         if (scontext_len > len) {
3401                 err = -ERANGE;
3402                 goto out_len;
3403         }
3404
3405         if (copy_to_user(optval, scontext, scontext_len))
3406                 err = -EFAULT;
3407
3408 out_len:
3409         if (put_user(scontext_len, optlen))
3410                 err = -EFAULT;
3411
3412         kfree(scontext);
3413 out:    
3414         return err;
3415 }
3416
3417 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3418 {
3419         return sk_alloc_security(sk, family, priority);
3420 }
3421
3422 static void selinux_sk_free_security(struct sock *sk)
3423 {
3424         sk_free_security(sk);
3425 }
3426
3427 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3428 {
3429         int err = 0;
3430         u32 perm;
3431         struct nlmsghdr *nlh;
3432         struct socket *sock = sk->sk_socket;
3433         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3434         
3435         if (skb->len < NLMSG_SPACE(0)) {
3436                 err = -EINVAL;
3437                 goto out;
3438         }
3439         nlh = (struct nlmsghdr *)skb->data;
3440         
3441         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3442         if (err) {
3443                 if (err == -EINVAL) {
3444                         audit_log(current->audit_context, AUDIT_SELINUX_ERR,
3445                                   "SELinux:  unrecognized netlink message"
3446                                   " type=%hu for sclass=%hu\n",
3447                                   nlh->nlmsg_type, isec->sclass);
3448                         if (!selinux_enforcing)
3449                                 err = 0;
3450                 }
3451
3452                 /* Ignore */
3453                 if (err == -ENOENT)
3454                         err = 0;
3455                 goto out;
3456         }
3457
3458         err = socket_has_perm(current, sock, perm);
3459 out:
3460         return err;
3461 }
3462
3463 #ifdef CONFIG_NETFILTER
3464
3465 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3466                                               struct sk_buff **pskb,
3467                                               const struct net_device *in,
3468                                               const struct net_device *out,
3469                                               int (*okfn)(struct sk_buff *),
3470                                               u16 family)
3471 {
3472         char *addrp;
3473         int len, err = NF_ACCEPT;
3474         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3475         struct sock *sk;
3476         struct socket *sock;
3477         struct inode *inode;
3478         struct sk_buff *skb = *pskb;
3479         struct inode_security_struct *isec;
3480         struct avc_audit_data ad;
3481         struct net_device *dev = (struct net_device *)out;
3482         
3483         sk = skb->sk;
3484         if (!sk)
3485                 goto out;
3486                 
3487         sock = sk->sk_socket;
3488         if (!sock)
3489                 goto out;
3490                 
3491         inode = SOCK_INODE(sock);
3492         if (!inode)
3493                 goto out;
3494
3495         err = sel_netif_sids(dev, &if_sid, NULL);
3496         if (err)
3497                 goto out;
3498
3499         isec = inode->i_security;
3500         
3501         switch (isec->sclass) {
3502         case SECCLASS_UDP_SOCKET:
3503                 netif_perm = NETIF__UDP_SEND;
3504                 node_perm = NODE__UDP_SEND;
3505                 send_perm = UDP_SOCKET__SEND_MSG;
3506                 break;
3507         
3508         case SECCLASS_TCP_SOCKET:
3509                 netif_perm = NETIF__TCP_SEND;
3510                 node_perm = NODE__TCP_SEND;
3511                 send_perm = TCP_SOCKET__SEND_MSG;
3512                 break;
3513         
3514         default:
3515                 netif_perm = NETIF__RAWIP_SEND;
3516                 node_perm = NODE__RAWIP_SEND;
3517                 break;
3518         }
3519
3520
3521         AVC_AUDIT_DATA_INIT(&ad, NET);
3522         ad.u.net.netif = dev->name;
3523         ad.u.net.family = family;
3524
3525         err = selinux_parse_skb(skb, &ad, &addrp,
3526                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3527         if (err != NF_ACCEPT)
3528                 goto out;
3529
3530         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3531                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3532         if (err != NF_ACCEPT)
3533                 goto out;
3534                 
3535         /* Fixme: this lookup is inefficient */
3536         err = security_node_sid(family, addrp, len,
3537                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3538         if (err != NF_ACCEPT)
3539                 goto out;
3540         
3541         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3542                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3543         if (err != NF_ACCEPT)
3544                 goto out;
3545
3546         if (send_perm) {
3547                 u32 port_sid;
3548                 
3549                 /* Fixme: make this more efficient */
3550                 err = security_port_sid(sk->sk_family,
3551                                         sk->sk_type,
3552                                         sk->sk_protocol,
3553                                         ntohs(ad.u.net.dport),
3554                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3555                 if (err != NF_ACCEPT)
3556                         goto out;
3557
3558                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3559                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3560         }
3561
3562 out:
3563         return err;
3564 }
3565
3566 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3567                                                 struct sk_buff **pskb,
3568                                                 const struct net_device *in,
3569                                                 const struct net_device *out,
3570                                                 int (*okfn)(struct sk_buff *))
3571 {
3572         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3573 }
3574
3575 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3576
3577 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3578                                                 struct sk_buff **pskb,
3579                                                 const struct net_device *in,
3580                                                 const struct net_device *out,
3581                                                 int (*okfn)(struct sk_buff *))
3582 {
3583         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3584 }
3585
3586 #endif  /* IPV6 */
3587
3588 #endif  /* CONFIG_NETFILTER */
3589
3590 #else
3591
3592 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3593 {
3594         return 0;
3595 }
3596
3597 #endif  /* CONFIG_SECURITY_NETWORK */
3598
3599 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3600 {
3601         struct task_security_struct *tsec;
3602         struct av_decision avd;
3603         int err;
3604
3605         err = secondary_ops->netlink_send(sk, skb);
3606         if (err)
3607                 return err;
3608
3609         tsec = current->security;
3610
3611         avd.allowed = 0;
3612         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3613                                 SECCLASS_CAPABILITY, ~0, &avd);
3614         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3615
3616         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3617                 err = selinux_nlmsg_perm(sk, skb);
3618
3619         return err;
3620 }
3621
3622 static int selinux_netlink_recv(struct sk_buff *skb)
3623 {
3624         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3625                 return -EPERM;
3626         return 0;
3627 }
3628
3629 static int ipc_alloc_security(struct task_struct *task,
3630                               struct kern_ipc_perm *perm,
3631                               u16 sclass)
3632 {
3633         struct task_security_struct *tsec = task->security;
3634         struct ipc_security_struct *isec;
3635
3636         isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3637         if (!isec)
3638                 return -ENOMEM;
3639
3640         memset(isec, 0, sizeof(struct ipc_security_struct));
3641         isec->magic = SELINUX_MAGIC;
3642         isec->sclass = sclass;
3643         isec->ipc_perm = perm;
3644         if (tsec) {
3645                 isec->sid = tsec->sid;
3646         } else {
3647                 isec->sid = SECINITSID_UNLABELED;
3648         }
3649         perm->security = isec;
3650
3651         return 0;
3652 }
3653
3654 static void ipc_free_security(struct kern_ipc_perm *perm)
3655 {
3656         struct ipc_security_struct *isec = perm->security;
3657         if (!isec || isec->magic != SELINUX_MAGIC)
3658                 return;
3659
3660         perm->security = NULL;
3661         kfree(isec);
3662 }
3663
3664 static int msg_msg_alloc_security(struct msg_msg *msg)
3665 {
3666         struct msg_security_struct *msec;
3667
3668         msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3669         if (!msec)
3670                 return -ENOMEM;
3671
3672         memset(msec, 0, sizeof(struct msg_security_struct));
3673         msec->magic = SELINUX_MAGIC;
3674         msec->msg = msg;
3675         msec->sid = SECINITSID_UNLABELED;
3676         msg->security = msec;
3677
3678         return 0;
3679 }
3680
3681 static void msg_msg_free_security(struct msg_msg *msg)
3682 {
3683         struct msg_security_struct *msec = msg->security;
3684         if (!msec || msec->magic != SELINUX_MAGIC)
3685                 return;
3686
3687         msg->security = NULL;
3688         kfree(msec);
3689 }
3690
3691 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3692                         u32 perms)
3693 {
3694         struct task_security_struct *tsec;
3695         struct ipc_security_struct *isec;
3696         struct avc_audit_data ad;
3697
3698         tsec = current->security;
3699         isec = ipc_perms->security;
3700
3701         AVC_AUDIT_DATA_INIT(&ad, IPC);
3702         ad.u.ipc_id = ipc_perms->key;
3703
3704         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3705 }
3706
3707 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3708 {
3709         return msg_msg_alloc_security(msg);
3710 }
3711
3712 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3713 {
3714         msg_msg_free_security(msg);
3715 }
3716
3717 /* message queue security operations */
3718 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3719 {
3720         struct task_security_struct *tsec;
3721         struct ipc_security_struct *isec;
3722         struct avc_audit_data ad;
3723         int rc;
3724
3725         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3726         if (rc)
3727                 return rc;
3728
3729         tsec = current->security;
3730         isec = msq->q_perm.security;
3731
3732         AVC_AUDIT_DATA_INIT(&ad, IPC);
3733         ad.u.ipc_id = msq->q_perm.key;
3734
3735         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3736                           MSGQ__CREATE, &ad);
3737         if (rc) {
3738                 ipc_free_security(&msq->q_perm);
3739                 return rc;
3740         }
3741         return 0;
3742 }
3743
3744 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3745 {
3746         ipc_free_security(&msq->q_perm);
3747 }
3748
3749 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3750 {
3751         struct task_security_struct *tsec;
3752         struct ipc_security_struct *isec;
3753         struct avc_audit_data ad;
3754
3755         tsec = current->security;
3756         isec = msq->q_perm.security;
3757
3758         AVC_AUDIT_DATA_INIT(&ad, IPC);
3759         ad.u.ipc_id = msq->q_perm.key;
3760
3761         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3762                             MSGQ__ASSOCIATE, &ad);
3763 }
3764
3765 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3766 {
3767         int err;
3768         int perms;
3769
3770         switch(cmd) {
3771         case IPC_INFO:
3772         case MSG_INFO:
3773                 /* No specific object, just general system-wide information. */
3774                 return task_has_system(current, SYSTEM__IPC_INFO);
3775         case IPC_STAT:
3776         case MSG_STAT:
3777                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3778                 break;
3779         case IPC_SET:
3780                 perms = MSGQ__SETATTR;
3781                 break;
3782         case IPC_RMID:
3783                 perms = MSGQ__DESTROY;
3784                 break;
3785         default:
3786                 return 0;
3787         }
3788
3789         err = ipc_has_perm(&msq->q_perm, perms);
3790         return err;
3791 }
3792
3793 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3794 {
3795         struct task_security_struct *tsec;
3796         struct ipc_security_struct *isec;
3797         struct msg_security_struct *msec;
3798         struct avc_audit_data ad;
3799         int rc;
3800
3801         tsec = current->security;
3802         isec = msq->q_perm.security;
3803         msec = msg->security;
3804
3805         /*
3806          * First time through, need to assign label to the message
3807          */
3808         if (msec->sid == SECINITSID_UNLABELED) {
3809                 /*
3810                  * Compute new sid based on current process and
3811                  * message queue this message will be stored in
3812                  */
3813                 rc = security_transition_sid(tsec->sid,
3814                                              isec->sid,
3815                                              SECCLASS_MSG,
3816                                              &msec->sid);
3817                 if (rc)
3818                         return rc;
3819         }
3820
3821         AVC_AUDIT_DATA_INIT(&ad, IPC);
3822         ad.u.ipc_id = msq->q_perm.key;
3823
3824         /* Can this process write to the queue? */
3825         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3826                           MSGQ__WRITE, &ad);
3827         if (!rc)
3828                 /* Can this process send the message */
3829                 rc = avc_has_perm(tsec->sid, msec->sid,
3830                                   SECCLASS_MSG, MSG__SEND, &ad);
3831         if (!rc)
3832                 /* Can the message be put in the queue? */
3833                 rc = avc_has_perm(msec->sid, isec->sid,
3834                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3835
3836         return rc;
3837 }
3838
3839 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3840                                     struct task_struct *target,
3841                                     long type, int mode)
3842 {
3843         struct task_security_struct *tsec;
3844         struct ipc_security_struct *isec;
3845         struct msg_security_struct *msec;
3846         struct avc_audit_data ad;
3847         int rc;
3848
3849         tsec = target->security;
3850         isec = msq->q_perm.security;
3851         msec = msg->security;
3852
3853         AVC_AUDIT_DATA_INIT(&ad, IPC);
3854         ad.u.ipc_id = msq->q_perm.key;
3855
3856         rc = avc_has_perm(tsec->sid, isec->sid,
3857                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3858         if (!rc)
3859                 rc = avc_has_perm(tsec->sid, msec->sid,
3860                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3861         return rc;
3862 }
3863
3864 /* Shared Memory security operations */
3865 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3866 {
3867         struct task_security_struct *tsec;
3868         struct ipc_security_struct *isec;
3869         struct avc_audit_data ad;
3870         int rc;
3871
3872         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3873         if (rc)
3874                 return rc;
3875
3876         tsec = current->security;
3877         isec = shp->shm_perm.security;
3878
3879         AVC_AUDIT_DATA_INIT(&ad, IPC);
3880         ad.u.ipc_id = shp->shm_perm.key;
3881
3882         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3883                           SHM__CREATE, &ad);
3884         if (rc) {
3885                 ipc_free_security(&shp->shm_perm);
3886                 return rc;
3887         }
3888         return 0;
3889 }
3890
3891 static void selinux_shm_free_security(struct shmid_kernel *shp)
3892 {
3893         ipc_free_security(&shp->shm_perm);
3894 }
3895
3896 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3897 {
3898         struct task_security_struct *tsec;
3899         struct ipc_security_struct *isec;
3900         struct avc_audit_data ad;
3901
3902         tsec = current->security;
3903         isec = shp->shm_perm.security;
3904
3905         AVC_AUDIT_DATA_INIT(&ad, IPC);
3906         ad.u.ipc_id = shp->shm_perm.key;
3907
3908         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3909                             SHM__ASSOCIATE, &ad);
3910 }
3911
3912 /* Note, at this point, shp is locked down */
3913 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3914 {
3915         int perms;
3916         int err;
3917
3918         switch(cmd) {
3919         case IPC_INFO:
3920         case SHM_INFO:
3921                 /* No specific object, just general system-wide information. */
3922                 return task_has_system(current, SYSTEM__IPC_INFO);
3923         case IPC_STAT:
3924         case SHM_STAT:
3925                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3926                 break;
3927         case IPC_SET:
3928                 perms = SHM__SETATTR;
3929                 break;
3930         case SHM_LOCK:
3931         case SHM_UNLOCK:
3932                 perms = SHM__LOCK;
3933                 break;
3934         case IPC_RMID:
3935                 perms = SHM__DESTROY;
3936                 break;
3937         default:
3938                 return 0;
3939         }
3940
3941         err = ipc_has_perm(&shp->shm_perm, perms);
3942         return err;
3943 }
3944
3945 static int selinux_shm_shmat(struct shmid_kernel *shp,
3946                              char __user *shmaddr, int shmflg)
3947 {
3948         u32 perms;
3949         int rc;
3950
3951         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3952         if (rc)
3953                 return rc;
3954
3955         if (shmflg & SHM_RDONLY)
3956                 perms = SHM__READ;
3957         else
3958                 perms = SHM__READ | SHM__WRITE;
3959
3960         return ipc_has_perm(&shp->shm_perm, perms);
3961 }
3962
3963 /* Semaphore security operations */
3964 static int selinux_sem_alloc_security(struct sem_array *sma)
3965 {
3966         struct task_security_struct *tsec;
3967         struct ipc_security_struct *isec;
3968         struct avc_audit_data ad;
3969         int rc;
3970
3971         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3972         if (rc)
3973                 return rc;
3974
3975         tsec = current->security;
3976         isec = sma->sem_perm.security;
3977
3978         AVC_AUDIT_DATA_INIT(&ad, IPC);
3979         ad.u.ipc_id = sma->sem_perm.key;
3980
3981         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3982                           SEM__CREATE, &ad);
3983         if (rc) {
3984                 ipc_free_security(&sma->sem_perm);
3985                 return rc;
3986         }
3987         return 0;
3988 }
3989
3990 static void selinux_sem_free_security(struct sem_array *sma)
3991 {
3992         ipc_free_security(&sma->sem_perm);
3993 }
3994
3995 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3996 {
3997         struct task_security_struct *tsec;
3998         struct ipc_security_struct *isec;
3999         struct avc_audit_data ad;
4000
4001         tsec = current->security;
4002         isec = sma->sem_perm.security;
4003
4004         AVC_AUDIT_DATA_INIT(&ad, IPC);
4005         ad.u.ipc_id = sma->sem_perm.key;
4006
4007         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4008                             SEM__ASSOCIATE, &ad);
4009 }
4010
4011 /* Note, at this point, sma is locked down */
4012 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4013 {
4014         int err;
4015         u32 perms;
4016
4017         switch(cmd) {
4018         case IPC_INFO:
4019         case SEM_INFO:
4020                 /* No specific object, just general system-wide information. */
4021                 return task_has_system(current, SYSTEM__IPC_INFO);
4022         case GETPID:
4023         case GETNCNT:
4024         case GETZCNT:
4025                 perms = SEM__GETATTR;
4026                 break;
4027         case GETVAL:
4028         case GETALL:
4029                 perms = SEM__READ;
4030                 break;
4031         case SETVAL:
4032         case SETALL:
4033                 perms = SEM__WRITE;
4034                 break;
4035         case IPC_RMID:
4036                 perms = SEM__DESTROY;
4037                 break;
4038         case IPC_SET:
4039                 perms = SEM__SETATTR;
4040                 break;
4041         case IPC_STAT:
4042         case SEM_STAT:
4043                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4044                 break;
4045         default:
4046                 return 0;
4047         }
4048
4049         err = ipc_has_perm(&sma->sem_perm, perms);
4050         return err;
4051 }
4052
4053 static int selinux_sem_semop(struct sem_array *sma,
4054                              struct sembuf *sops, unsigned nsops, int alter)
4055 {
4056         u32 perms;
4057
4058         if (alter)
4059                 perms = SEM__READ | SEM__WRITE;
4060         else
4061                 perms = SEM__READ;
4062
4063         return ipc_has_perm(&sma->sem_perm, perms);
4064 }
4065
4066 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4067 {
4068         u32 av = 0;
4069
4070         av = 0;
4071         if (flag & S_IRUGO)
4072                 av |= IPC__UNIX_READ;
4073         if (flag & S_IWUGO)
4074                 av |= IPC__UNIX_WRITE;
4075
4076         if (av == 0)
4077                 return 0;
4078
4079         return ipc_has_perm(ipcp, av);
4080 }
4081
4082 /* module stacking operations */
4083 static int selinux_register_security (const char *name, struct security_operations *ops)
4084 {
4085         if (secondary_ops != original_ops) {
4086                 printk(KERN_INFO "%s:  There is already a secondary security "
4087                        "module registered.\n", __FUNCTION__);
4088                 return -EINVAL;
4089         }
4090
4091         secondary_ops = ops;
4092
4093         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4094                __FUNCTION__,
4095                name);
4096
4097         return 0;
4098 }
4099
4100 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4101 {
4102         if (ops != secondary_ops) {
4103                 printk (KERN_INFO "%s:  trying to unregister a security module "
4104                         "that is not registered.\n", __FUNCTION__);
4105                 return -EINVAL;
4106         }
4107
4108         secondary_ops = original_ops;
4109
4110         return 0;
4111 }
4112
4113 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4114 {
4115         if (inode)
4116                 inode_doinit_with_dentry(inode, dentry);
4117 }
4118
4119 static int selinux_getprocattr(struct task_struct *p,
4120                                char *name, void *value, size_t size)
4121 {
4122         struct task_security_struct *tsec;
4123         u32 sid, len;
4124         char *context;
4125         int error;
4126
4127         if (current != p) {
4128                 error = task_has_perm(current, p, PROCESS__GETATTR);
4129                 if (error)
4130                         return error;
4131         }
4132
4133         if (!size)
4134                 return -ERANGE;
4135
4136         tsec = p->security;
4137
4138         if (!strcmp(name, "current"))
4139                 sid = tsec->sid;
4140         else if (!strcmp(name, "prev"))
4141                 sid = tsec->osid;
4142         else if (!strcmp(name, "exec"))
4143                 sid = tsec->exec_sid;
4144         else if (!strcmp(name, "fscreate"))
4145                 sid = tsec->create_sid;
4146         else
4147                 return -EINVAL;
4148
4149         if (!sid)
4150                 return 0;
4151
4152         error = security_sid_to_context(sid, &context, &len);
4153         if (error)
4154                 return error;
4155         if (len > size) {
4156                 kfree(context);
4157                 return -ERANGE;
4158         }
4159         memcpy(value, context, len);
4160         kfree(context);
4161         return len;
4162 }
4163
4164 static int selinux_setprocattr(struct task_struct *p,
4165                                char *name, void *value, size_t size)
4166 {
4167         struct task_security_struct *tsec;
4168         u32 sid = 0;
4169         int error;
4170         char *str = value;
4171
4172         if (current != p) {
4173                 /* SELinux only allows a process to change its own
4174                    security attributes. */
4175                 return -EACCES;
4176         }
4177
4178         /*
4179          * Basic control over ability to set these attributes at all.
4180          * current == p, but we'll pass them separately in case the
4181          * above restriction is ever removed.
4182          */
4183         if (!strcmp(name, "exec"))
4184                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4185         else if (!strcmp(name, "fscreate"))
4186                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4187         else if (!strcmp(name, "current"))
4188                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4189         else
4190                 error = -EINVAL;
4191         if (error)
4192                 return error;
4193
4194         /* Obtain a SID for the context, if one was specified. */
4195         if (size && str[1] && str[1] != '\n') {
4196                 if (str[size-1] == '\n') {
4197                         str[size-1] = 0;
4198                         size--;
4199                 }
4200                 error = security_context_to_sid(value, size, &sid);
4201                 if (error)
4202                         return error;
4203         }
4204
4205         /* Permission checking based on the specified context is
4206            performed during the actual operation (execve,
4207            open/mkdir/...), when we know the full context of the
4208            operation.  See selinux_bprm_set_security for the execve
4209            checks and may_create for the file creation checks. The
4210            operation will then fail if the context is not permitted. */
4211         tsec = p->security;
4212         if (!strcmp(name, "exec"))
4213                 tsec->exec_sid = sid;
4214         else if (!strcmp(name, "fscreate"))
4215                 tsec->create_sid = sid;
4216         else if (!strcmp(name, "current")) {
4217                 struct av_decision avd;
4218
4219                 if (sid == 0)
4220                         return -EINVAL;
4221
4222                 /* Only allow single threaded processes to change context */
4223                 if (atomic_read(&p->mm->mm_users) != 1) {
4224                         struct task_struct *g, *t;
4225                         struct mm_struct *mm = p->mm;
4226                         read_lock(&tasklist_lock);
4227                         do_each_thread(g, t)
4228                                 if (t->mm == mm && t != p) {
4229                                         read_unlock(&tasklist_lock);
4230                                         return -EPERM;
4231                                 }
4232                         while_each_thread(g, t);
4233                         read_unlock(&tasklist_lock);
4234                 }
4235
4236                 /* Check permissions for the transition. */
4237                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4238                                      PROCESS__DYNTRANSITION, NULL);
4239                 if (error)
4240                         return error;
4241
4242                 /* Check for ptracing, and update the task SID if ok.
4243                    Otherwise, leave SID unchanged and fail. */
4244                 task_lock(p);
4245                 if (p->ptrace & PT_PTRACED) {
4246                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4247                                                      SECCLASS_PROCESS,
4248                                                      PROCESS__PTRACE, &avd);
4249                         if (!error)
4250                                 tsec->sid = sid;
4251                         task_unlock(p);
4252                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4253                                   PROCESS__PTRACE, &avd, error, NULL);
4254                         if (error)
4255                                 return error;
4256                 } else {
4257                         tsec->sid = sid;
4258                         task_unlock(p);
4259                 }
4260         }
4261         else
4262                 return -EINVAL;
4263
4264         return size;
4265 }
4266
4267 static struct security_operations selinux_ops = {
4268         .ptrace =                       selinux_ptrace,
4269         .capget =                       selinux_capget,
4270         .capset_check =                 selinux_capset_check,
4271         .capset_set =                   selinux_capset_set,
4272         .sysctl =                       selinux_sysctl,
4273         .capable =                      selinux_capable,
4274         .quotactl =                     selinux_quotactl,
4275         .quota_on =                     selinux_quota_on,
4276         .syslog =                       selinux_syslog,
4277         .vm_enough_memory =             selinux_vm_enough_memory,
4278
4279         .netlink_send =                 selinux_netlink_send,
4280         .netlink_recv =                 selinux_netlink_recv,
4281
4282         .bprm_alloc_security =          selinux_bprm_alloc_security,
4283         .bprm_free_security =           selinux_bprm_free_security,
4284         .bprm_apply_creds =             selinux_bprm_apply_creds,
4285         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4286         .bprm_set_security =            selinux_bprm_set_security,
4287         .bprm_check_security =          selinux_bprm_check_security,
4288         .bprm_secureexec =              selinux_bprm_secureexec,
4289
4290         .sb_alloc_security =            selinux_sb_alloc_security,
4291         .sb_free_security =             selinux_sb_free_security,
4292         .sb_copy_data =                 selinux_sb_copy_data,
4293         .sb_kern_mount =                selinux_sb_kern_mount,
4294         .sb_statfs =                    selinux_sb_statfs,
4295         .sb_mount =                     selinux_mount,
4296         .sb_umount =                    selinux_umount,
4297
4298         .inode_alloc_security =         selinux_inode_alloc_security,
4299         .inode_free_security =          selinux_inode_free_security,
4300         .inode_create =                 selinux_inode_create,
4301         .inode_post_create =            selinux_inode_post_create,
4302         .inode_link =                   selinux_inode_link,
4303         .inode_post_link =              selinux_inode_post_link,
4304         .inode_unlink =                 selinux_inode_unlink,
4305         .inode_symlink =                selinux_inode_symlink,
4306         .inode_post_symlink =           selinux_inode_post_symlink,
4307         .inode_mkdir =                  selinux_inode_mkdir,
4308         .inode_post_mkdir =             selinux_inode_post_mkdir,
4309         .inode_rmdir =                  selinux_inode_rmdir,
4310         .inode_mknod =                  selinux_inode_mknod,
4311         .inode_post_mknod =             selinux_inode_post_mknod,
4312         .inode_rename =                 selinux_inode_rename,
4313         .inode_post_rename =            selinux_inode_post_rename,
4314         .inode_readlink =               selinux_inode_readlink,
4315         .inode_follow_link =            selinux_inode_follow_link,
4316         .inode_permission =             selinux_inode_permission,
4317         .inode_setattr =                selinux_inode_setattr,
4318         .inode_getattr =                selinux_inode_getattr,
4319         .inode_setxattr =               selinux_inode_setxattr,
4320         .inode_post_setxattr =          selinux_inode_post_setxattr,
4321         .inode_getxattr =               selinux_inode_getxattr,
4322         .inode_listxattr =              selinux_inode_listxattr,
4323         .inode_removexattr =            selinux_inode_removexattr,
4324         .inode_getsecurity =            selinux_inode_getsecurity,
4325         .inode_setsecurity =            selinux_inode_setsecurity,
4326         .inode_listsecurity =           selinux_inode_listsecurity,
4327
4328         .file_permission =              selinux_file_permission,
4329         .file_alloc_security =          selinux_file_alloc_security,
4330         .file_free_security =           selinux_file_free_security,
4331         .file_ioctl =                   selinux_file_ioctl,
4332         .file_mmap =                    selinux_file_mmap,
4333         .file_mprotect =                selinux_file_mprotect,
4334         .file_lock =                    selinux_file_lock,
4335         .file_fcntl =                   selinux_file_fcntl,
4336         .file_set_fowner =              selinux_file_set_fowner,
4337         .file_send_sigiotask =          selinux_file_send_sigiotask,
4338         .file_receive =                 selinux_file_receive,
4339
4340         .task_create =                  selinux_task_create,
4341         .task_alloc_security =          selinux_task_alloc_security,
4342         .task_free_security =           selinux_task_free_security,
4343         .task_setuid =                  selinux_task_setuid,
4344         .task_post_setuid =             selinux_task_post_setuid,
4345         .task_setgid =                  selinux_task_setgid,
4346         .task_setpgid =                 selinux_task_setpgid,
4347         .task_getpgid =                 selinux_task_getpgid,
4348         .task_getsid =                  selinux_task_getsid,
4349         .task_setgroups =               selinux_task_setgroups,
4350         .task_setnice =                 selinux_task_setnice,
4351         .task_setrlimit =               selinux_task_setrlimit,
4352         .task_setscheduler =            selinux_task_setscheduler,
4353         .task_getscheduler =            selinux_task_getscheduler,
4354         .task_kill =                    selinux_task_kill,
4355         .task_wait =                    selinux_task_wait,
4356         .task_prctl =                   selinux_task_prctl,
4357         .task_reparent_to_init =        selinux_task_reparent_to_init,
4358         .task_to_inode =                selinux_task_to_inode,
4359
4360         .ipc_permission =               selinux_ipc_permission,
4361
4362         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4363         .msg_msg_free_security =        selinux_msg_msg_free_security,
4364
4365         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4366         .msg_queue_free_security =      selinux_msg_queue_free_security,
4367         .msg_queue_associate =          selinux_msg_queue_associate,
4368         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4369         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4370         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4371
4372         .shm_alloc_security =           selinux_shm_alloc_security,
4373         .shm_free_security =            selinux_shm_free_security,
4374         .shm_associate =                selinux_shm_associate,
4375         .shm_shmctl =                   selinux_shm_shmctl,
4376         .shm_shmat =                    selinux_shm_shmat,
4377
4378         .sem_alloc_security =           selinux_sem_alloc_security,
4379         .sem_free_security =            selinux_sem_free_security,
4380         .sem_associate =                selinux_sem_associate,
4381         .sem_semctl =                   selinux_sem_semctl,
4382         .sem_semop =                    selinux_sem_semop,
4383
4384         .register_security =            selinux_register_security,
4385         .unregister_security =          selinux_unregister_security,
4386
4387         .d_instantiate =                selinux_d_instantiate,
4388
4389         .getprocattr =                  selinux_getprocattr,
4390         .setprocattr =                  selinux_setprocattr,
4391
4392 #ifdef CONFIG_SECURITY_NETWORK
4393         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4394         .unix_may_send =                selinux_socket_unix_may_send,
4395
4396         .socket_create =                selinux_socket_create,
4397         .socket_post_create =           selinux_socket_post_create,
4398         .socket_bind =                  selinux_socket_bind,
4399         .socket_connect =               selinux_socket_connect,
4400         .socket_listen =                selinux_socket_listen,
4401         .socket_accept =                selinux_socket_accept,
4402         .socket_sendmsg =               selinux_socket_sendmsg,
4403         .socket_recvmsg =               selinux_socket_recvmsg,
4404         .socket_getsockname =           selinux_socket_getsockname,
4405         .socket_getpeername =           selinux_socket_getpeername,
4406         .socket_getsockopt =            selinux_socket_getsockopt,
4407         .socket_setsockopt =            selinux_socket_setsockopt,
4408         .socket_shutdown =              selinux_socket_shutdown,
4409         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4410         .socket_getpeersec =            selinux_socket_getpeersec,
4411         .sk_alloc_security =            selinux_sk_alloc_security,
4412         .sk_free_security =             selinux_sk_free_security,
4413 #endif
4414 };
4415
4416 static __init int selinux_init(void)
4417 {
4418         struct task_security_struct *tsec;
4419
4420         if (!selinux_enabled) {
4421                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4422                 return 0;
4423         }
4424
4425         printk(KERN_INFO "SELinux:  Initializing.\n");
4426
4427         /* Set the security state for the initial task. */
4428         if (task_alloc_security(current))
4429                 panic("SELinux:  Failed to initialize initial task.\n");
4430         tsec = current->security;
4431         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4432
4433         avc_init();
4434
4435         original_ops = secondary_ops = security_ops;
4436         if (!secondary_ops)
4437                 panic ("SELinux: No initial security operations\n");
4438         if (register_security (&selinux_ops))
4439                 panic("SELinux: Unable to register with kernel.\n");
4440
4441         if (selinux_enforcing) {
4442                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4443         } else {
4444                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4445         }
4446         return 0;
4447 }
4448
4449 void selinux_complete_init(void)
4450 {
4451         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4452
4453         /* Set up any superblocks initialized prior to the policy load. */
4454         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4455         spin_lock(&sb_security_lock);
4456 next_sb:
4457         if (!list_empty(&superblock_security_head)) {
4458                 struct superblock_security_struct *sbsec =
4459                                 list_entry(superblock_security_head.next,
4460                                            struct superblock_security_struct,
4461                                            list);
4462                 struct super_block *sb = sbsec->sb;
4463                 spin_lock(&sb_lock);
4464                 sb->s_count++;
4465                 spin_unlock(&sb_lock);
4466                 spin_unlock(&sb_security_lock);
4467                 down_read(&sb->s_umount);
4468                 if (sb->s_root)
4469                         superblock_doinit(sb, NULL);
4470                 drop_super(sb);
4471                 spin_lock(&sb_security_lock);
4472                 list_del_init(&sbsec->list);
4473                 goto next_sb;
4474         }
4475         spin_unlock(&sb_security_lock);
4476 }
4477
4478 /* SELinux requires early initialization in order to label
4479    all processes and objects when they are created. */
4480 security_initcall(selinux_init);
4481
4482 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4483
4484 static struct nf_hook_ops selinux_ipv4_op = {
4485         .hook =         selinux_ipv4_postroute_last,
4486         .owner =        THIS_MODULE,
4487         .pf =           PF_INET,
4488         .hooknum =      NF_IP_POST_ROUTING,
4489         .priority =     NF_IP_PRI_SELINUX_LAST,
4490 };
4491
4492 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4493
4494 static struct nf_hook_ops selinux_ipv6_op = {
4495         .hook =         selinux_ipv6_postroute_last,
4496         .owner =        THIS_MODULE,
4497         .pf =           PF_INET6,
4498         .hooknum =      NF_IP6_POST_ROUTING,
4499         .priority =     NF_IP6_PRI_SELINUX_LAST,
4500 };
4501
4502 #endif  /* IPV6 */
4503
4504 static int __init selinux_nf_ip_init(void)
4505 {
4506         int err = 0;
4507
4508         if (!selinux_enabled)
4509                 goto out;
4510                 
4511         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4512         
4513         err = nf_register_hook(&selinux_ipv4_op);
4514         if (err)
4515                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4516
4517 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4518
4519         err = nf_register_hook(&selinux_ipv6_op);
4520         if (err)
4521                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4522
4523 #endif  /* IPV6 */
4524 out:
4525         return err;
4526 }
4527
4528 __initcall(selinux_nf_ip_init);
4529
4530 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4531 static void selinux_nf_ip_exit(void)
4532 {
4533         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4534
4535         nf_unregister_hook(&selinux_ipv4_op);
4536 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4537         nf_unregister_hook(&selinux_ipv6_op);
4538 #endif  /* IPV6 */
4539 }
4540 #endif
4541
4542 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4543
4544 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4545 #define selinux_nf_ip_exit()
4546 #endif
4547
4548 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4549
4550 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4551 int selinux_disable(void)
4552 {
4553         extern void exit_sel_fs(void);
4554         static int selinux_disabled = 0;
4555
4556         if (ss_initialized) {
4557                 /* Not permitted after initial policy load. */
4558                 return -EINVAL;
4559         }
4560
4561         if (selinux_disabled) {
4562                 /* Only do this once. */
4563                 return -EINVAL;
4564         }
4565
4566         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4567
4568         selinux_disabled = 1;
4569
4570         /* Reset security_ops to the secondary module, dummy or capability. */
4571         security_ops = secondary_ops;
4572
4573         /* Unregister netfilter hooks. */
4574         selinux_nf_ip_exit();
4575
4576         /* Unregister selinuxfs. */
4577         exit_sel_fs();
4578
4579         return 0;
4580 }
4581 #endif
4582
4583