ad725213f5685f681c9dfe3aed8f73a1a2cb3d19
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71
72 #include "avc.h"
73 #include "objsec.h"
74 #include "netif.h"
75
76 #define XATTR_SELINUX_SUFFIX "selinux"
77 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
78
79 extern unsigned int policydb_loaded_version;
80 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
81
82 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
83 int selinux_enforcing = 0;
84
85 static int __init enforcing_setup(char *str)
86 {
87         selinux_enforcing = simple_strtol(str,NULL,0);
88         return 1;
89 }
90 __setup("enforcing=", enforcing_setup);
91 #endif
92
93 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
94 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
95
96 static int __init selinux_enabled_setup(char *str)
97 {
98         selinux_enabled = simple_strtol(str, NULL, 0);
99         return 1;
100 }
101 __setup("selinux=", selinux_enabled_setup);
102 #endif
103
104 /* Original (dummy) security module. */
105 static struct security_operations *original_ops = NULL;
106
107 /* Minimal support for a secondary security module,
108    just to allow the use of the dummy or capability modules.
109    The owlsm module can alternatively be used as a secondary
110    module as long as CONFIG_OWLSM_FD is not enabled. */
111 static struct security_operations *secondary_ops = NULL;
112
113 /* Lists of inode and superblock security structures initialized
114    before the policy was loaded. */
115 static LIST_HEAD(superblock_security_head);
116 static DEFINE_SPINLOCK(sb_security_lock);
117
118 /* Allocate and free functions for each kind of security blob. */
119
120 static int task_alloc_security(struct task_struct *task)
121 {
122         struct task_security_struct *tsec;
123
124         tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
125         if (!tsec)
126                 return -ENOMEM;
127
128         memset(tsec, 0, sizeof(struct task_security_struct));
129         tsec->magic = SELINUX_MAGIC;
130         tsec->task = task;
131         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132         task->security = tsec;
133
134         return 0;
135 }
136
137 static void task_free_security(struct task_struct *task)
138 {
139         struct task_security_struct *tsec = task->security;
140
141         if (!tsec || tsec->magic != SELINUX_MAGIC)
142                 return;
143
144         task->security = NULL;
145         kfree(tsec);
146 }
147
148 static int inode_alloc_security(struct inode *inode)
149 {
150         struct task_security_struct *tsec = current->security;
151         struct inode_security_struct *isec;
152
153         isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
154         if (!isec)
155                 return -ENOMEM;
156
157         memset(isec, 0, sizeof(struct inode_security_struct));
158         init_MUTEX(&isec->sem);
159         INIT_LIST_HEAD(&isec->list);
160         isec->magic = SELINUX_MAGIC;
161         isec->inode = inode;
162         isec->sid = SECINITSID_UNLABELED;
163         isec->sclass = SECCLASS_FILE;
164         if (tsec && tsec->magic == SELINUX_MAGIC)
165                 isec->task_sid = tsec->sid;
166         else
167                 isec->task_sid = SECINITSID_UNLABELED;
168         inode->i_security = isec;
169
170         return 0;
171 }
172
173 static void inode_free_security(struct inode *inode)
174 {
175         struct inode_security_struct *isec = inode->i_security;
176         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
177
178         if (!isec || isec->magic != SELINUX_MAGIC)
179                 return;
180
181         spin_lock(&sbsec->isec_lock);
182         if (!list_empty(&isec->list))
183                 list_del_init(&isec->list);
184         spin_unlock(&sbsec->isec_lock);
185
186         inode->i_security = NULL;
187         kfree(isec);
188 }
189
190 static int file_alloc_security(struct file *file)
191 {
192         struct task_security_struct *tsec = current->security;
193         struct file_security_struct *fsec;
194
195         fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
196         if (!fsec)
197                 return -ENOMEM;
198
199         memset(fsec, 0, sizeof(struct file_security_struct));
200         fsec->magic = SELINUX_MAGIC;
201         fsec->file = file;
202         if (tsec && tsec->magic == SELINUX_MAGIC) {
203                 fsec->sid = tsec->sid;
204                 fsec->fown_sid = tsec->sid;
205         } else {
206                 fsec->sid = SECINITSID_UNLABELED;
207                 fsec->fown_sid = SECINITSID_UNLABELED;
208         }
209         file->f_security = fsec;
210
211         return 0;
212 }
213
214 static void file_free_security(struct file *file)
215 {
216         struct file_security_struct *fsec = file->f_security;
217
218         if (!fsec || fsec->magic != SELINUX_MAGIC)
219                 return;
220
221         file->f_security = NULL;
222         kfree(fsec);
223 }
224
225 static int superblock_alloc_security(struct super_block *sb)
226 {
227         struct superblock_security_struct *sbsec;
228
229         sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
230         if (!sbsec)
231                 return -ENOMEM;
232
233         memset(sbsec, 0, sizeof(struct superblock_security_struct));
234         init_MUTEX(&sbsec->sem);
235         INIT_LIST_HEAD(&sbsec->list);
236         INIT_LIST_HEAD(&sbsec->isec_head);
237         spin_lock_init(&sbsec->isec_lock);
238         sbsec->magic = SELINUX_MAGIC;
239         sbsec->sb = sb;
240         sbsec->sid = SECINITSID_UNLABELED;
241         sbsec->def_sid = SECINITSID_FILE;
242         sb->s_security = sbsec;
243
244         return 0;
245 }
246
247 static void superblock_free_security(struct super_block *sb)
248 {
249         struct superblock_security_struct *sbsec = sb->s_security;
250
251         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
252                 return;
253
254         spin_lock(&sb_security_lock);
255         if (!list_empty(&sbsec->list))
256                 list_del_init(&sbsec->list);
257         spin_unlock(&sb_security_lock);
258
259         sb->s_security = NULL;
260         kfree(sbsec);
261 }
262
263 #ifdef CONFIG_SECURITY_NETWORK
264 static int sk_alloc_security(struct sock *sk, int family, int priority)
265 {
266         struct sk_security_struct *ssec;
267
268         if (family != PF_UNIX)
269                 return 0;
270
271         ssec = kmalloc(sizeof(*ssec), priority);
272         if (!ssec)
273                 return -ENOMEM;
274
275         memset(ssec, 0, sizeof(*ssec));
276         ssec->magic = SELINUX_MAGIC;
277         ssec->sk = sk;
278         ssec->peer_sid = SECINITSID_UNLABELED;
279         sk->sk_security = ssec;
280
281         return 0;
282 }
283
284 static void sk_free_security(struct sock *sk)
285 {
286         struct sk_security_struct *ssec = sk->sk_security;
287
288         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
289                 return;
290
291         sk->sk_security = NULL;
292         kfree(ssec);
293 }
294 #endif  /* CONFIG_SECURITY_NETWORK */
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_context = 1,
320         Opt_fscontext = 2,
321         Opt_defcontext = 4,
322 };
323
324 static match_table_t tokens = {
325         {Opt_context, "context=%s"},
326         {Opt_fscontext, "fscontext=%s"},
327         {Opt_defcontext, "defcontext=%s"},
328 };
329
330 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
331
332 static int try_context_mount(struct super_block *sb, void *data)
333 {
334         char *context = NULL, *defcontext = NULL;
335         const char *name;
336         u32 sid;
337         int alloc = 0, rc = 0, seen = 0;
338         struct task_security_struct *tsec = current->security;
339         struct superblock_security_struct *sbsec = sb->s_security;
340
341         if (!data)
342                 goto out;
343
344         name = sb->s_type->name;
345
346         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
347
348                 /* NFS we understand. */
349                 if (!strcmp(name, "nfs")) {
350                         struct nfs_mount_data *d = data;
351
352                         if (d->version <  NFS_MOUNT_VERSION)
353                                 goto out;
354
355                         if (d->context[0]) {
356                                 context = d->context;
357                                 seen |= Opt_context;
358                         }
359                 } else
360                         goto out;
361
362         } else {
363                 /* Standard string-based options. */
364                 char *p, *options = data;
365
366                 while ((p = strsep(&options, ",")) != NULL) {
367                         int token;
368                         substring_t args[MAX_OPT_ARGS];
369
370                         if (!*p)
371                                 continue;
372
373                         token = match_token(p, tokens, args);
374
375                         switch (token) {
376                         case Opt_context:
377                                 if (seen) {
378                                         rc = -EINVAL;
379                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
380                                         goto out_free;
381                                 }
382                                 context = match_strdup(&args[0]);
383                                 if (!context) {
384                                         rc = -ENOMEM;
385                                         goto out_free;
386                                 }
387                                 if (!alloc)
388                                         alloc = 1;
389                                 seen |= Opt_context;
390                                 break;
391
392                         case Opt_fscontext:
393                                 if (seen & (Opt_context|Opt_fscontext)) {
394                                         rc = -EINVAL;
395                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
396                                         goto out_free;
397                                 }
398                                 context = match_strdup(&args[0]);
399                                 if (!context) {
400                                         rc = -ENOMEM;
401                                         goto out_free;
402                                 }
403                                 if (!alloc)
404                                         alloc = 1;
405                                 seen |= Opt_fscontext;
406                                 break;
407
408                         case Opt_defcontext:
409                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
410                                         rc = -EINVAL;
411                                         printk(KERN_WARNING "SELinux:  "
412                                                "defcontext option is invalid "
413                                                "for this filesystem type\n");
414                                         goto out_free;
415                                 }
416                                 if (seen & (Opt_context|Opt_defcontext)) {
417                                         rc = -EINVAL;
418                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
419                                         goto out_free;
420                                 }
421                                 defcontext = match_strdup(&args[0]);
422                                 if (!defcontext) {
423                                         rc = -ENOMEM;
424                                         goto out_free;
425                                 }
426                                 if (!alloc)
427                                         alloc = 1;
428                                 seen |= Opt_defcontext;
429                                 break;
430
431                         default:
432                                 rc = -EINVAL;
433                                 printk(KERN_WARNING "SELinux:  unknown mount "
434                                        "option\n");
435                                 goto out_free;
436
437                         }
438                 }
439         }
440
441         if (!seen)
442                 goto out;
443
444         if (context) {
445                 rc = security_context_to_sid(context, strlen(context), &sid);
446                 if (rc) {
447                         printk(KERN_WARNING "SELinux: security_context_to_sid"
448                                "(%s) failed for (dev %s, type %s) errno=%d\n",
449                                context, sb->s_id, name, rc);
450                         goto out_free;
451                 }
452
453                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
454                                   FILESYSTEM__RELABELFROM, NULL);
455                 if (rc)
456                         goto out_free;
457
458                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
459                                   FILESYSTEM__RELABELTO, NULL);
460                 if (rc)
461                         goto out_free;
462
463                 sbsec->sid = sid;
464
465                 if (seen & Opt_context)
466                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
467         }
468
469         if (defcontext) {
470                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
471                 if (rc) {
472                         printk(KERN_WARNING "SELinux: security_context_to_sid"
473                                "(%s) failed for (dev %s, type %s) errno=%d\n",
474                                defcontext, sb->s_id, name, rc);
475                         goto out_free;
476                 }
477
478                 if (sid == sbsec->def_sid)
479                         goto out_free;
480
481                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
482                                   FILESYSTEM__RELABELFROM, NULL);
483                 if (rc)
484                         goto out_free;
485
486                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
487                                   FILESYSTEM__ASSOCIATE, NULL);
488                 if (rc)
489                         goto out_free;
490
491                 sbsec->def_sid = sid;
492         }
493
494 out_free:
495         if (alloc) {
496                 kfree(context);
497                 kfree(defcontext);
498         }
499 out:
500         return rc;
501 }
502
503 static int superblock_doinit(struct super_block *sb, void *data)
504 {
505         struct superblock_security_struct *sbsec = sb->s_security;
506         struct dentry *root = sb->s_root;
507         struct inode *inode = root->d_inode;
508         int rc = 0;
509
510         down(&sbsec->sem);
511         if (sbsec->initialized)
512                 goto out;
513
514         if (!ss_initialized) {
515                 /* Defer initialization until selinux_complete_init,
516                    after the initial policy is loaded and the security
517                    server is ready to handle calls. */
518                 spin_lock(&sb_security_lock);
519                 if (list_empty(&sbsec->list))
520                         list_add(&sbsec->list, &superblock_security_head);
521                 spin_unlock(&sb_security_lock);
522                 goto out;
523         }
524
525         /* Determine the labeling behavior to use for this filesystem type. */
526         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
527         if (rc) {
528                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
529                        __FUNCTION__, sb->s_type->name, rc);
530                 goto out;
531         }
532
533         rc = try_context_mount(sb, data);
534         if (rc)
535                 goto out;
536
537         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
538                 /* Make sure that the xattr handler exists and that no
539                    error other than -ENODATA is returned by getxattr on
540                    the root directory.  -ENODATA is ok, as this may be
541                    the first boot of the SELinux kernel before we have
542                    assigned xattr values to the filesystem. */
543                 if (!inode->i_op->getxattr) {
544                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
545                                "xattr support\n", sb->s_id, sb->s_type->name);
546                         rc = -EOPNOTSUPP;
547                         goto out;
548                 }
549                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
550                 if (rc < 0 && rc != -ENODATA) {
551                         if (rc == -EOPNOTSUPP)
552                                 printk(KERN_WARNING "SELinux: (dev %s, type "
553                                        "%s) has no security xattr handler\n",
554                                        sb->s_id, sb->s_type->name);
555                         else
556                                 printk(KERN_WARNING "SELinux: (dev %s, type "
557                                        "%s) getxattr errno %d\n", sb->s_id,
558                                        sb->s_type->name, -rc);
559                         goto out;
560                 }
561         }
562
563         if (strcmp(sb->s_type->name, "proc") == 0)
564                 sbsec->proc = 1;
565
566         sbsec->initialized = 1;
567
568         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
569                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
570                        sb->s_id, sb->s_type->name);
571         }
572         else {
573                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
574                        sb->s_id, sb->s_type->name,
575                        labeling_behaviors[sbsec->behavior-1]);
576         }
577
578         /* Initialize the root inode. */
579         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
580
581         /* Initialize any other inodes associated with the superblock, e.g.
582            inodes created prior to initial policy load or inodes created
583            during get_sb by a pseudo filesystem that directly
584            populates itself. */
585         spin_lock(&sbsec->isec_lock);
586 next_inode:
587         if (!list_empty(&sbsec->isec_head)) {
588                 struct inode_security_struct *isec =
589                                 list_entry(sbsec->isec_head.next,
590                                            struct inode_security_struct, list);
591                 struct inode *inode = isec->inode;
592                 spin_unlock(&sbsec->isec_lock);
593                 inode = igrab(inode);
594                 if (inode) {
595                         if (!IS_PRIVATE (inode))
596                                 inode_doinit(inode);
597                         iput(inode);
598                 }
599                 spin_lock(&sbsec->isec_lock);
600                 list_del_init(&isec->list);
601                 goto next_inode;
602         }
603         spin_unlock(&sbsec->isec_lock);
604 out:
605         up(&sbsec->sem);
606         return rc;
607 }
608
609 static inline u16 inode_mode_to_security_class(umode_t mode)
610 {
611         switch (mode & S_IFMT) {
612         case S_IFSOCK:
613                 return SECCLASS_SOCK_FILE;
614         case S_IFLNK:
615                 return SECCLASS_LNK_FILE;
616         case S_IFREG:
617                 return SECCLASS_FILE;
618         case S_IFBLK:
619                 return SECCLASS_BLK_FILE;
620         case S_IFDIR:
621                 return SECCLASS_DIR;
622         case S_IFCHR:
623                 return SECCLASS_CHR_FILE;
624         case S_IFIFO:
625                 return SECCLASS_FIFO_FILE;
626
627         }
628
629         return SECCLASS_FILE;
630 }
631
632 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
633 {
634         switch (family) {
635         case PF_UNIX:
636                 switch (type) {
637                 case SOCK_STREAM:
638                 case SOCK_SEQPACKET:
639                         return SECCLASS_UNIX_STREAM_SOCKET;
640                 case SOCK_DGRAM:
641                         return SECCLASS_UNIX_DGRAM_SOCKET;
642                 }
643                 break;
644         case PF_INET:
645         case PF_INET6:
646                 switch (type) {
647                 case SOCK_STREAM:
648                         return SECCLASS_TCP_SOCKET;
649                 case SOCK_DGRAM:
650                         return SECCLASS_UDP_SOCKET;
651                 case SOCK_RAW:
652                         return SECCLASS_RAWIP_SOCKET;
653                 }
654                 break;
655         case PF_NETLINK:
656                 switch (protocol) {
657                 case NETLINK_ROUTE:
658                         return SECCLASS_NETLINK_ROUTE_SOCKET;
659                 case NETLINK_FIREWALL:
660                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
661                 case NETLINK_TCPDIAG:
662                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
663                 case NETLINK_NFLOG:
664                         return SECCLASS_NETLINK_NFLOG_SOCKET;
665                 case NETLINK_XFRM:
666                         return SECCLASS_NETLINK_XFRM_SOCKET;
667                 case NETLINK_SELINUX:
668                         return SECCLASS_NETLINK_SELINUX_SOCKET;
669                 case NETLINK_AUDIT:
670                         return SECCLASS_NETLINK_AUDIT_SOCKET;
671                 case NETLINK_IP6_FW:
672                         return SECCLASS_NETLINK_IP6FW_SOCKET;
673                 case NETLINK_DNRTMSG:
674                         return SECCLASS_NETLINK_DNRT_SOCKET;
675                 case NETLINK_KOBJECT_UEVENT:
676                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
677                 default:
678                         return SECCLASS_NETLINK_SOCKET;
679                 }
680         case PF_PACKET:
681                 return SECCLASS_PACKET_SOCKET;
682         case PF_KEY:
683                 return SECCLASS_KEY_SOCKET;
684         }
685
686         return SECCLASS_SOCKET;
687 }
688
689 #ifdef CONFIG_PROC_FS
690 static int selinux_proc_get_sid(struct proc_dir_entry *de,
691                                 u16 tclass,
692                                 u32 *sid)
693 {
694         int buflen, rc;
695         char *buffer, *path, *end;
696
697         buffer = (char*)__get_free_page(GFP_KERNEL);
698         if (!buffer)
699                 return -ENOMEM;
700
701         buflen = PAGE_SIZE;
702         end = buffer+buflen;
703         *--end = '\0';
704         buflen--;
705         path = end-1;
706         *path = '/';
707         while (de && de != de->parent) {
708                 buflen -= de->namelen + 1;
709                 if (buflen < 0)
710                         break;
711                 end -= de->namelen;
712                 memcpy(end, de->name, de->namelen);
713                 *--end = '/';
714                 path = end;
715                 de = de->parent;
716         }
717         rc = security_genfs_sid("proc", path, tclass, sid);
718         free_page((unsigned long)buffer);
719         return rc;
720 }
721 #else
722 static int selinux_proc_get_sid(struct proc_dir_entry *de,
723                                 u16 tclass,
724                                 u32 *sid)
725 {
726         return -EINVAL;
727 }
728 #endif
729
730 /* The inode's security attributes must be initialized before first use. */
731 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
732 {
733         struct superblock_security_struct *sbsec = NULL;
734         struct inode_security_struct *isec = inode->i_security;
735         u32 sid;
736         struct dentry *dentry;
737 #define INITCONTEXTLEN 255
738         char *context = NULL;
739         unsigned len = 0;
740         int rc = 0;
741         int hold_sem = 0;
742
743         if (isec->initialized)
744                 goto out;
745
746         down(&isec->sem);
747         hold_sem = 1;
748         if (isec->initialized)
749                 goto out;
750
751         sbsec = inode->i_sb->s_security;
752         if (!sbsec->initialized) {
753                 /* Defer initialization until selinux_complete_init,
754                    after the initial policy is loaded and the security
755                    server is ready to handle calls. */
756                 spin_lock(&sbsec->isec_lock);
757                 if (list_empty(&isec->list))
758                         list_add(&isec->list, &sbsec->isec_head);
759                 spin_unlock(&sbsec->isec_lock);
760                 goto out;
761         }
762
763         switch (sbsec->behavior) {
764         case SECURITY_FS_USE_XATTR:
765                 if (!inode->i_op->getxattr) {
766                         isec->sid = sbsec->def_sid;
767                         break;
768                 }
769
770                 /* Need a dentry, since the xattr API requires one.
771                    Life would be simpler if we could just pass the inode. */
772                 if (opt_dentry) {
773                         /* Called from d_instantiate or d_splice_alias. */
774                         dentry = dget(opt_dentry);
775                 } else {
776                         /* Called from selinux_complete_init, try to find a dentry. */
777                         dentry = d_find_alias(inode);
778                 }
779                 if (!dentry) {
780                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
781                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
782                                inode->i_ino);
783                         goto out;
784                 }
785
786                 len = INITCONTEXTLEN;
787                 context = kmalloc(len, GFP_KERNEL);
788                 if (!context) {
789                         rc = -ENOMEM;
790                         dput(dentry);
791                         goto out;
792                 }
793                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
794                                            context, len);
795                 if (rc == -ERANGE) {
796                         /* Need a larger buffer.  Query for the right size. */
797                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
798                                                    NULL, 0);
799                         if (rc < 0) {
800                                 dput(dentry);
801                                 goto out;
802                         }
803                         kfree(context);
804                         len = rc;
805                         context = kmalloc(len, GFP_KERNEL);
806                         if (!context) {
807                                 rc = -ENOMEM;
808                                 dput(dentry);
809                                 goto out;
810                         }
811                         rc = inode->i_op->getxattr(dentry,
812                                                    XATTR_NAME_SELINUX,
813                                                    context, len);
814                 }
815                 dput(dentry);
816                 if (rc < 0) {
817                         if (rc != -ENODATA) {
818                                 printk(KERN_WARNING "%s:  getxattr returned "
819                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
820                                        -rc, inode->i_sb->s_id, inode->i_ino);
821                                 kfree(context);
822                                 goto out;
823                         }
824                         /* Map ENODATA to the default file SID */
825                         sid = sbsec->def_sid;
826                         rc = 0;
827                 } else {
828                         rc = security_context_to_sid(context, rc, &sid);
829                         if (rc) {
830                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
831                                        "returned %d for dev=%s ino=%ld\n",
832                                        __FUNCTION__, context, -rc,
833                                        inode->i_sb->s_id, inode->i_ino);
834                                 kfree(context);
835                                 /* Leave with the unlabeled SID */
836                                 rc = 0;
837                                 break;
838                         }
839                 }
840                 kfree(context);
841                 isec->sid = sid;
842                 break;
843         case SECURITY_FS_USE_TASK:
844                 isec->sid = isec->task_sid;
845                 break;
846         case SECURITY_FS_USE_TRANS:
847                 /* Default to the fs SID. */
848                 isec->sid = sbsec->sid;
849
850                 /* Try to obtain a transition SID. */
851                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
852                 rc = security_transition_sid(isec->task_sid,
853                                              sbsec->sid,
854                                              isec->sclass,
855                                              &sid);
856                 if (rc)
857                         goto out;
858                 isec->sid = sid;
859                 break;
860         default:
861                 /* Default to the fs SID. */
862                 isec->sid = sbsec->sid;
863
864                 if (sbsec->proc) {
865                         struct proc_inode *proci = PROC_I(inode);
866                         if (proci->pde) {
867                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
868                                 rc = selinux_proc_get_sid(proci->pde,
869                                                           isec->sclass,
870                                                           &sid);
871                                 if (rc)
872                                         goto out;
873                                 isec->sid = sid;
874                         }
875                 }
876                 break;
877         }
878
879         isec->initialized = 1;
880
881 out:
882         if (isec->sclass == SECCLASS_FILE)
883                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
884
885         if (hold_sem)
886                 up(&isec->sem);
887         return rc;
888 }
889
890 /* Convert a Linux signal to an access vector. */
891 static inline u32 signal_to_av(int sig)
892 {
893         u32 perm = 0;
894
895         switch (sig) {
896         case SIGCHLD:
897                 /* Commonly granted from child to parent. */
898                 perm = PROCESS__SIGCHLD;
899                 break;
900         case SIGKILL:
901                 /* Cannot be caught or ignored */
902                 perm = PROCESS__SIGKILL;
903                 break;
904         case SIGSTOP:
905                 /* Cannot be caught or ignored */
906                 perm = PROCESS__SIGSTOP;
907                 break;
908         default:
909                 /* All other signals. */
910                 perm = PROCESS__SIGNAL;
911                 break;
912         }
913
914         return perm;
915 }
916
917 /* Check permission betweeen a pair of tasks, e.g. signal checks,
918    fork check, ptrace check, etc. */
919 static int task_has_perm(struct task_struct *tsk1,
920                          struct task_struct *tsk2,
921                          u32 perms)
922 {
923         struct task_security_struct *tsec1, *tsec2;
924
925         tsec1 = tsk1->security;
926         tsec2 = tsk2->security;
927         return avc_has_perm(tsec1->sid, tsec2->sid,
928                             SECCLASS_PROCESS, perms, NULL);
929 }
930
931 /* Check whether a task is allowed to use a capability. */
932 static int task_has_capability(struct task_struct *tsk,
933                                int cap)
934 {
935         struct task_security_struct *tsec;
936         struct avc_audit_data ad;
937
938         tsec = tsk->security;
939
940         AVC_AUDIT_DATA_INIT(&ad,CAP);
941         ad.tsk = tsk;
942         ad.u.cap = cap;
943
944         return avc_has_perm(tsec->sid, tsec->sid,
945                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
946 }
947
948 /* Check whether a task is allowed to use a system operation. */
949 static int task_has_system(struct task_struct *tsk,
950                            u32 perms)
951 {
952         struct task_security_struct *tsec;
953
954         tsec = tsk->security;
955
956         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
957                             SECCLASS_SYSTEM, perms, NULL);
958 }
959
960 /* Check whether a task has a particular permission to an inode.
961    The 'adp' parameter is optional and allows other audit
962    data to be passed (e.g. the dentry). */
963 static int inode_has_perm(struct task_struct *tsk,
964                           struct inode *inode,
965                           u32 perms,
966                           struct avc_audit_data *adp)
967 {
968         struct task_security_struct *tsec;
969         struct inode_security_struct *isec;
970         struct avc_audit_data ad;
971
972         tsec = tsk->security;
973         isec = inode->i_security;
974
975         if (!adp) {
976                 adp = &ad;
977                 AVC_AUDIT_DATA_INIT(&ad, FS);
978                 ad.u.fs.inode = inode;
979         }
980
981         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
982 }
983
984 /* Same as inode_has_perm, but pass explicit audit data containing
985    the dentry to help the auditing code to more easily generate the
986    pathname if needed. */
987 static inline int dentry_has_perm(struct task_struct *tsk,
988                                   struct vfsmount *mnt,
989                                   struct dentry *dentry,
990                                   u32 av)
991 {
992         struct inode *inode = dentry->d_inode;
993         struct avc_audit_data ad;
994         AVC_AUDIT_DATA_INIT(&ad,FS);
995         ad.u.fs.mnt = mnt;
996         ad.u.fs.dentry = dentry;
997         return inode_has_perm(tsk, inode, av, &ad);
998 }
999
1000 /* Check whether a task can use an open file descriptor to
1001    access an inode in a given way.  Check access to the
1002    descriptor itself, and then use dentry_has_perm to
1003    check a particular permission to the file.
1004    Access to the descriptor is implicitly granted if it
1005    has the same SID as the process.  If av is zero, then
1006    access to the file is not checked, e.g. for cases
1007    where only the descriptor is affected like seek. */
1008 static inline int file_has_perm(struct task_struct *tsk,
1009                                 struct file *file,
1010                                 u32 av)
1011 {
1012         struct task_security_struct *tsec = tsk->security;
1013         struct file_security_struct *fsec = file->f_security;
1014         struct vfsmount *mnt = file->f_vfsmnt;
1015         struct dentry *dentry = file->f_dentry;
1016         struct inode *inode = dentry->d_inode;
1017         struct avc_audit_data ad;
1018         int rc;
1019
1020         AVC_AUDIT_DATA_INIT(&ad, FS);
1021         ad.u.fs.mnt = mnt;
1022         ad.u.fs.dentry = dentry;
1023
1024         if (tsec->sid != fsec->sid) {
1025                 rc = avc_has_perm(tsec->sid, fsec->sid,
1026                                   SECCLASS_FD,
1027                                   FD__USE,
1028                                   &ad);
1029                 if (rc)
1030                         return rc;
1031         }
1032
1033         /* av is zero if only checking access to the descriptor. */
1034         if (av)
1035                 return inode_has_perm(tsk, inode, av, &ad);
1036
1037         return 0;
1038 }
1039
1040 /* Check whether a task can create a file. */
1041 static int may_create(struct inode *dir,
1042                       struct dentry *dentry,
1043                       u16 tclass)
1044 {
1045         struct task_security_struct *tsec;
1046         struct inode_security_struct *dsec;
1047         struct superblock_security_struct *sbsec;
1048         u32 newsid;
1049         struct avc_audit_data ad;
1050         int rc;
1051
1052         tsec = current->security;
1053         dsec = dir->i_security;
1054         sbsec = dir->i_sb->s_security;
1055
1056         AVC_AUDIT_DATA_INIT(&ad, FS);
1057         ad.u.fs.dentry = dentry;
1058
1059         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1060                           DIR__ADD_NAME | DIR__SEARCH,
1061                           &ad);
1062         if (rc)
1063                 return rc;
1064
1065         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1066                 newsid = tsec->create_sid;
1067         } else {
1068                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1069                                              &newsid);
1070                 if (rc)
1071                         return rc;
1072         }
1073
1074         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1075         if (rc)
1076                 return rc;
1077
1078         return avc_has_perm(newsid, sbsec->sid,
1079                             SECCLASS_FILESYSTEM,
1080                             FILESYSTEM__ASSOCIATE, &ad);
1081 }
1082
1083 #define MAY_LINK   0
1084 #define MAY_UNLINK 1
1085 #define MAY_RMDIR  2
1086
1087 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1088 static int may_link(struct inode *dir,
1089                     struct dentry *dentry,
1090                     int kind)
1091
1092 {
1093         struct task_security_struct *tsec;
1094         struct inode_security_struct *dsec, *isec;
1095         struct avc_audit_data ad;
1096         u32 av;
1097         int rc;
1098
1099         tsec = current->security;
1100         dsec = dir->i_security;
1101         isec = dentry->d_inode->i_security;
1102
1103         AVC_AUDIT_DATA_INIT(&ad, FS);
1104         ad.u.fs.dentry = dentry;
1105
1106         av = DIR__SEARCH;
1107         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1108         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1109         if (rc)
1110                 return rc;
1111
1112         switch (kind) {
1113         case MAY_LINK:
1114                 av = FILE__LINK;
1115                 break;
1116         case MAY_UNLINK:
1117                 av = FILE__UNLINK;
1118                 break;
1119         case MAY_RMDIR:
1120                 av = DIR__RMDIR;
1121                 break;
1122         default:
1123                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1124                 return 0;
1125         }
1126
1127         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1128         return rc;
1129 }
1130
1131 static inline int may_rename(struct inode *old_dir,
1132                              struct dentry *old_dentry,
1133                              struct inode *new_dir,
1134                              struct dentry *new_dentry)
1135 {
1136         struct task_security_struct *tsec;
1137         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1138         struct avc_audit_data ad;
1139         u32 av;
1140         int old_is_dir, new_is_dir;
1141         int rc;
1142
1143         tsec = current->security;
1144         old_dsec = old_dir->i_security;
1145         old_isec = old_dentry->d_inode->i_security;
1146         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1147         new_dsec = new_dir->i_security;
1148
1149         AVC_AUDIT_DATA_INIT(&ad, FS);
1150
1151         ad.u.fs.dentry = old_dentry;
1152         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1153                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1154         if (rc)
1155                 return rc;
1156         rc = avc_has_perm(tsec->sid, old_isec->sid,
1157                           old_isec->sclass, FILE__RENAME, &ad);
1158         if (rc)
1159                 return rc;
1160         if (old_is_dir && new_dir != old_dir) {
1161                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1162                                   old_isec->sclass, DIR__REPARENT, &ad);
1163                 if (rc)
1164                         return rc;
1165         }
1166
1167         ad.u.fs.dentry = new_dentry;
1168         av = DIR__ADD_NAME | DIR__SEARCH;
1169         if (new_dentry->d_inode)
1170                 av |= DIR__REMOVE_NAME;
1171         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1172         if (rc)
1173                 return rc;
1174         if (new_dentry->d_inode) {
1175                 new_isec = new_dentry->d_inode->i_security;
1176                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1177                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1178                                   new_isec->sclass,
1179                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1180                 if (rc)
1181                         return rc;
1182         }
1183
1184         return 0;
1185 }
1186
1187 /* Check whether a task can perform a filesystem operation. */
1188 static int superblock_has_perm(struct task_struct *tsk,
1189                                struct super_block *sb,
1190                                u32 perms,
1191                                struct avc_audit_data *ad)
1192 {
1193         struct task_security_struct *tsec;
1194         struct superblock_security_struct *sbsec;
1195
1196         tsec = tsk->security;
1197         sbsec = sb->s_security;
1198         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1199                             perms, ad);
1200 }
1201
1202 /* Convert a Linux mode and permission mask to an access vector. */
1203 static inline u32 file_mask_to_av(int mode, int mask)
1204 {
1205         u32 av = 0;
1206
1207         if ((mode & S_IFMT) != S_IFDIR) {
1208                 if (mask & MAY_EXEC)
1209                         av |= FILE__EXECUTE;
1210                 if (mask & MAY_READ)
1211                         av |= FILE__READ;
1212
1213                 if (mask & MAY_APPEND)
1214                         av |= FILE__APPEND;
1215                 else if (mask & MAY_WRITE)
1216                         av |= FILE__WRITE;
1217
1218         } else {
1219                 if (mask & MAY_EXEC)
1220                         av |= DIR__SEARCH;
1221                 if (mask & MAY_WRITE)
1222                         av |= DIR__WRITE;
1223                 if (mask & MAY_READ)
1224                         av |= DIR__READ;
1225         }
1226
1227         return av;
1228 }
1229
1230 /* Convert a Linux file to an access vector. */
1231 static inline u32 file_to_av(struct file *file)
1232 {
1233         u32 av = 0;
1234
1235         if (file->f_mode & FMODE_READ)
1236                 av |= FILE__READ;
1237         if (file->f_mode & FMODE_WRITE) {
1238                 if (file->f_flags & O_APPEND)
1239                         av |= FILE__APPEND;
1240                 else
1241                         av |= FILE__WRITE;
1242         }
1243
1244         return av;
1245 }
1246
1247 /* Set an inode's SID to a specified value. */
1248 static int inode_security_set_sid(struct inode *inode, u32 sid)
1249 {
1250         struct inode_security_struct *isec = inode->i_security;
1251         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1252
1253         if (!sbsec->initialized) {
1254                 /* Defer initialization to selinux_complete_init. */
1255                 return 0;
1256         }
1257
1258         down(&isec->sem);
1259         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1260         isec->sid = sid;
1261         isec->initialized = 1;
1262         up(&isec->sem);
1263         return 0;
1264 }
1265
1266 /* Set the security attributes on a newly created file. */
1267 static int post_create(struct inode *dir,
1268                        struct dentry *dentry)
1269 {
1270
1271         struct task_security_struct *tsec;
1272         struct inode *inode;
1273         struct inode_security_struct *dsec;
1274         struct superblock_security_struct *sbsec;
1275         u32 newsid;
1276         char *context;
1277         unsigned int len;
1278         int rc;
1279
1280         tsec = current->security;
1281         dsec = dir->i_security;
1282         sbsec = dir->i_sb->s_security;
1283
1284         inode = dentry->d_inode;
1285         if (!inode) {
1286                 /* Some file system types (e.g. NFS) may not instantiate
1287                    a dentry for all create operations (e.g. symlink),
1288                    so we have to check to see if the inode is non-NULL. */
1289                 printk(KERN_WARNING "post_create:  no inode, dir (dev=%s, "
1290                        "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1291                 return 0;
1292         }
1293
1294         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1295                 newsid = tsec->create_sid;
1296         } else {
1297                 rc = security_transition_sid(tsec->sid, dsec->sid,
1298                                              inode_mode_to_security_class(inode->i_mode),
1299                                              &newsid);
1300                 if (rc) {
1301                         printk(KERN_WARNING "post_create:  "
1302                                "security_transition_sid failed, rc=%d (dev=%s "
1303                                "ino=%ld)\n",
1304                                -rc, inode->i_sb->s_id, inode->i_ino);
1305                         return rc;
1306                 }
1307         }
1308
1309         rc = inode_security_set_sid(inode, newsid);
1310         if (rc) {
1311                 printk(KERN_WARNING "post_create:  inode_security_set_sid "
1312                        "failed, rc=%d (dev=%s ino=%ld)\n",
1313                        -rc, inode->i_sb->s_id, inode->i_ino);
1314                 return rc;
1315         }
1316
1317         if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1318             inode->i_op->setxattr) {
1319                 /* Use extended attributes. */
1320                 rc = security_sid_to_context(newsid, &context, &len);
1321                 if (rc) {
1322                         printk(KERN_WARNING "post_create:  sid_to_context "
1323                                "failed, rc=%d (dev=%s ino=%ld)\n",
1324                                -rc, inode->i_sb->s_id, inode->i_ino);
1325                         return rc;
1326                 }
1327                 down(&inode->i_sem);
1328                 rc = inode->i_op->setxattr(dentry,
1329                                            XATTR_NAME_SELINUX,
1330                                            context, len, 0);
1331                 up(&inode->i_sem);
1332                 kfree(context);
1333                 if (rc < 0) {
1334                         printk(KERN_WARNING "post_create:  setxattr failed, "
1335                                "rc=%d (dev=%s ino=%ld)\n",
1336                                -rc, inode->i_sb->s_id, inode->i_ino);
1337                         return rc;
1338                 }
1339         }
1340
1341         return 0;
1342 }
1343
1344
1345 /* Hook functions begin here. */
1346
1347 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1348 {
1349         struct task_security_struct *psec = parent->security;
1350         struct task_security_struct *csec = child->security;
1351         int rc;
1352
1353         rc = secondary_ops->ptrace(parent,child);
1354         if (rc)
1355                 return rc;
1356
1357         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1358         /* Save the SID of the tracing process for later use in apply_creds. */
1359         if (!rc)
1360                 csec->ptrace_sid = psec->sid;
1361         return rc;
1362 }
1363
1364 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1365                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1366 {
1367         int error;
1368
1369         error = task_has_perm(current, target, PROCESS__GETCAP);
1370         if (error)
1371                 return error;
1372
1373         return secondary_ops->capget(target, effective, inheritable, permitted);
1374 }
1375
1376 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1377                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1378 {
1379         int error;
1380
1381         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1382         if (error)
1383                 return error;
1384
1385         return task_has_perm(current, target, PROCESS__SETCAP);
1386 }
1387
1388 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1389                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1390 {
1391         secondary_ops->capset_set(target, effective, inheritable, permitted);
1392 }
1393
1394 static int selinux_capable(struct task_struct *tsk, int cap)
1395 {
1396         int rc;
1397
1398         rc = secondary_ops->capable(tsk, cap);
1399         if (rc)
1400                 return rc;
1401
1402         return task_has_capability(tsk,cap);
1403 }
1404
1405 static int selinux_sysctl(ctl_table *table, int op)
1406 {
1407         int error = 0;
1408         u32 av;
1409         struct task_security_struct *tsec;
1410         u32 tsid;
1411         int rc;
1412
1413         rc = secondary_ops->sysctl(table, op);
1414         if (rc)
1415                 return rc;
1416
1417         tsec = current->security;
1418
1419         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1420                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1421         if (rc) {
1422                 /* Default to the well-defined sysctl SID. */
1423                 tsid = SECINITSID_SYSCTL;
1424         }
1425
1426         /* The op values are "defined" in sysctl.c, thereby creating
1427          * a bad coupling between this module and sysctl.c */
1428         if(op == 001) {
1429                 error = avc_has_perm(tsec->sid, tsid,
1430                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1431         } else {
1432                 av = 0;
1433                 if (op & 004)
1434                         av |= FILE__READ;
1435                 if (op & 002)
1436                         av |= FILE__WRITE;
1437                 if (av)
1438                         error = avc_has_perm(tsec->sid, tsid,
1439                                              SECCLASS_FILE, av, NULL);
1440         }
1441
1442         return error;
1443 }
1444
1445 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1446 {
1447         int rc = 0;
1448
1449         if (!sb)
1450                 return 0;
1451
1452         switch (cmds) {
1453                 case Q_SYNC:
1454                 case Q_QUOTAON:
1455                 case Q_QUOTAOFF:
1456                 case Q_SETINFO:
1457                 case Q_SETQUOTA:
1458                         rc = superblock_has_perm(current,
1459                                                  sb,
1460                                                  FILESYSTEM__QUOTAMOD, NULL);
1461                         break;
1462                 case Q_GETFMT:
1463                 case Q_GETINFO:
1464                 case Q_GETQUOTA:
1465                         rc = superblock_has_perm(current,
1466                                                  sb,
1467                                                  FILESYSTEM__QUOTAGET, NULL);
1468                         break;
1469                 default:
1470                         rc = 0;  /* let the kernel handle invalid cmds */
1471                         break;
1472         }
1473         return rc;
1474 }
1475
1476 static int selinux_quota_on(struct dentry *dentry)
1477 {
1478         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1479 }
1480
1481 static int selinux_syslog(int type)
1482 {
1483         int rc;
1484
1485         rc = secondary_ops->syslog(type);
1486         if (rc)
1487                 return rc;
1488
1489         switch (type) {
1490                 case 3:         /* Read last kernel messages */
1491                 case 10:        /* Return size of the log buffer */
1492                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1493                         break;
1494                 case 6:         /* Disable logging to console */
1495                 case 7:         /* Enable logging to console */
1496                 case 8:         /* Set level of messages printed to console */
1497                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1498                         break;
1499                 case 0:         /* Close log */
1500                 case 1:         /* Open log */
1501                 case 2:         /* Read from log */
1502                 case 4:         /* Read/clear last kernel messages */
1503                 case 5:         /* Clear ring buffer */
1504                 default:
1505                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1506                         break;
1507         }
1508         return rc;
1509 }
1510
1511 /*
1512  * Check that a process has enough memory to allocate a new virtual
1513  * mapping. 0 means there is enough memory for the allocation to
1514  * succeed and -ENOMEM implies there is not.
1515  *
1516  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1517  * if the capability is granted, but __vm_enough_memory requires 1 if
1518  * the capability is granted.
1519  *
1520  * Do not audit the selinux permission check, as this is applied to all
1521  * processes that allocate mappings.
1522  */
1523 static int selinux_vm_enough_memory(long pages)
1524 {
1525         int rc, cap_sys_admin = 0;
1526         struct task_security_struct *tsec = current->security;
1527
1528         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1529         if (rc == 0)
1530                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1531                                         SECCLASS_CAPABILITY,
1532                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1533                                         NULL);
1534
1535         if (rc == 0)
1536                 cap_sys_admin = 1;
1537
1538         return __vm_enough_memory(pages, cap_sys_admin);
1539 }
1540
1541 /* binprm security operations */
1542
1543 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1544 {
1545         struct bprm_security_struct *bsec;
1546
1547         bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1548         if (!bsec)
1549                 return -ENOMEM;
1550
1551         memset(bsec, 0, sizeof *bsec);
1552         bsec->magic = SELINUX_MAGIC;
1553         bsec->bprm = bprm;
1554         bsec->sid = SECINITSID_UNLABELED;
1555         bsec->set = 0;
1556
1557         bprm->security = bsec;
1558         return 0;
1559 }
1560
1561 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1562 {
1563         struct task_security_struct *tsec;
1564         struct inode *inode = bprm->file->f_dentry->d_inode;
1565         struct inode_security_struct *isec;
1566         struct bprm_security_struct *bsec;
1567         u32 newsid;
1568         struct avc_audit_data ad;
1569         int rc;
1570
1571         rc = secondary_ops->bprm_set_security(bprm);
1572         if (rc)
1573                 return rc;
1574
1575         bsec = bprm->security;
1576
1577         if (bsec->set)
1578                 return 0;
1579
1580         tsec = current->security;
1581         isec = inode->i_security;
1582
1583         /* Default to the current task SID. */
1584         bsec->sid = tsec->sid;
1585
1586         /* Reset create SID on execve. */
1587         tsec->create_sid = 0;
1588
1589         if (tsec->exec_sid) {
1590                 newsid = tsec->exec_sid;
1591                 /* Reset exec SID on execve. */
1592                 tsec->exec_sid = 0;
1593         } else {
1594                 /* Check for a default transition on this program. */
1595                 rc = security_transition_sid(tsec->sid, isec->sid,
1596                                              SECCLASS_PROCESS, &newsid);
1597                 if (rc)
1598                         return rc;
1599         }
1600
1601         AVC_AUDIT_DATA_INIT(&ad, FS);
1602         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1603         ad.u.fs.dentry = bprm->file->f_dentry;
1604
1605         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1606                 newsid = tsec->sid;
1607
1608         if (tsec->sid == newsid) {
1609                 rc = avc_has_perm(tsec->sid, isec->sid,
1610                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1611                 if (rc)
1612                         return rc;
1613         } else {
1614                 /* Check permissions for the transition. */
1615                 rc = avc_has_perm(tsec->sid, newsid,
1616                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1617                 if (rc)
1618                         return rc;
1619
1620                 rc = avc_has_perm(newsid, isec->sid,
1621                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1622                 if (rc)
1623                         return rc;
1624
1625                 /* Clear any possibly unsafe personality bits on exec: */
1626                 current->personality &= ~PER_CLEAR_ON_SETID;
1627
1628                 /* Set the security field to the new SID. */
1629                 bsec->sid = newsid;
1630         }
1631
1632         bsec->set = 1;
1633         return 0;
1634 }
1635
1636 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1637 {
1638         return secondary_ops->bprm_check_security(bprm);
1639 }
1640
1641
1642 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1643 {
1644         struct task_security_struct *tsec = current->security;
1645         int atsecure = 0;
1646
1647         if (tsec->osid != tsec->sid) {
1648                 /* Enable secure mode for SIDs transitions unless
1649                    the noatsecure permission is granted between
1650                    the two SIDs, i.e. ahp returns 0. */
1651                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1652                                          SECCLASS_PROCESS,
1653                                          PROCESS__NOATSECURE, NULL);
1654         }
1655
1656         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1657 }
1658
1659 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1660 {
1661         struct bprm_security_struct *bsec = bprm->security;
1662         bprm->security = NULL;
1663         kfree(bsec);
1664 }
1665
1666 extern struct vfsmount *selinuxfs_mount;
1667 extern struct dentry *selinux_null;
1668
1669 /* Derived from fs/exec.c:flush_old_files. */
1670 static inline void flush_unauthorized_files(struct files_struct * files)
1671 {
1672         struct avc_audit_data ad;
1673         struct file *file, *devnull = NULL;
1674         struct tty_struct *tty = current->signal->tty;
1675         long j = -1;
1676
1677         if (tty) {
1678                 file_list_lock();
1679                 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1680                 if (file) {
1681                         /* Revalidate access to controlling tty.
1682                            Use inode_has_perm on the tty inode directly rather
1683                            than using file_has_perm, as this particular open
1684                            file may belong to another process and we are only
1685                            interested in the inode-based check here. */
1686                         struct inode *inode = file->f_dentry->d_inode;
1687                         if (inode_has_perm(current, inode,
1688                                            FILE__READ | FILE__WRITE, NULL)) {
1689                                 /* Reset controlling tty. */
1690                                 current->signal->tty = NULL;
1691                                 current->signal->tty_old_pgrp = 0;
1692                         }
1693                 }
1694                 file_list_unlock();
1695         }
1696
1697         /* Revalidate access to inherited open files. */
1698
1699         AVC_AUDIT_DATA_INIT(&ad,FS);
1700
1701         spin_lock(&files->file_lock);
1702         for (;;) {
1703                 unsigned long set, i;
1704                 int fd;
1705
1706                 j++;
1707                 i = j * __NFDBITS;
1708                 if (i >= files->max_fds || i >= files->max_fdset)
1709                         break;
1710                 set = files->open_fds->fds_bits[j];
1711                 if (!set)
1712                         continue;
1713                 spin_unlock(&files->file_lock);
1714                 for ( ; set ; i++,set >>= 1) {
1715                         if (set & 1) {
1716                                 file = fget(i);
1717                                 if (!file)
1718                                         continue;
1719                                 if (file_has_perm(current,
1720                                                   file,
1721                                                   file_to_av(file))) {
1722                                         sys_close(i);
1723                                         fd = get_unused_fd();
1724                                         if (fd != i) {
1725                                                 if (fd >= 0)
1726                                                         put_unused_fd(fd);
1727                                                 fput(file);
1728                                                 continue;
1729                                         }
1730                                         if (devnull) {
1731                                                 atomic_inc(&devnull->f_count);
1732                                         } else {
1733                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1734                                                 if (!devnull) {
1735                                                         put_unused_fd(fd);
1736                                                         fput(file);
1737                                                         continue;
1738                                                 }
1739                                         }
1740                                         fd_install(fd, devnull);
1741                                 }
1742                                 fput(file);
1743                         }
1744                 }
1745                 spin_lock(&files->file_lock);
1746
1747         }
1748         spin_unlock(&files->file_lock);
1749 }
1750
1751 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1752 {
1753         struct task_security_struct *tsec;
1754         struct bprm_security_struct *bsec;
1755         u32 sid;
1756         int rc;
1757
1758         secondary_ops->bprm_apply_creds(bprm, unsafe);
1759
1760         tsec = current->security;
1761
1762         bsec = bprm->security;
1763         sid = bsec->sid;
1764
1765         tsec->osid = tsec->sid;
1766         bsec->unsafe = 0;
1767         if (tsec->sid != sid) {
1768                 /* Check for shared state.  If not ok, leave SID
1769                    unchanged and kill. */
1770                 if (unsafe & LSM_UNSAFE_SHARE) {
1771                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1772                                         PROCESS__SHARE, NULL);
1773                         if (rc) {
1774                                 bsec->unsafe = 1;
1775                                 return;
1776                         }
1777                 }
1778
1779                 /* Check for ptracing, and update the task SID if ok.
1780                    Otherwise, leave SID unchanged and kill. */
1781                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1782                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1783                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1784                                           NULL);
1785                         if (rc) {
1786                                 bsec->unsafe = 1;
1787                                 return;
1788                         }
1789                 }
1790                 tsec->sid = sid;
1791         }
1792 }
1793
1794 /*
1795  * called after apply_creds without the task lock held
1796  */
1797 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1798 {
1799         struct task_security_struct *tsec;
1800         struct rlimit *rlim, *initrlim;
1801         struct itimerval itimer;
1802         struct bprm_security_struct *bsec;
1803         int rc, i;
1804
1805         tsec = current->security;
1806         bsec = bprm->security;
1807
1808         if (bsec->unsafe) {
1809                 force_sig_specific(SIGKILL, current);
1810                 return;
1811         }
1812         if (tsec->osid == tsec->sid)
1813                 return;
1814
1815         /* Close files for which the new task SID is not authorized. */
1816         flush_unauthorized_files(current->files);
1817
1818         /* Check whether the new SID can inherit signal state
1819            from the old SID.  If not, clear itimers to avoid
1820            subsequent signal generation and flush and unblock
1821            signals. This must occur _after_ the task SID has
1822           been updated so that any kill done after the flush
1823           will be checked against the new SID. */
1824         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1825                           PROCESS__SIGINH, NULL);
1826         if (rc) {
1827                 memset(&itimer, 0, sizeof itimer);
1828                 for (i = 0; i < 3; i++)
1829                         do_setitimer(i, &itimer, NULL);
1830                 flush_signals(current);
1831                 spin_lock_irq(&current->sighand->siglock);
1832                 flush_signal_handlers(current, 1);
1833                 sigemptyset(&current->blocked);
1834                 recalc_sigpending();
1835                 spin_unlock_irq(&current->sighand->siglock);
1836         }
1837
1838         /* Check whether the new SID can inherit resource limits
1839            from the old SID.  If not, reset all soft limits to
1840            the lower of the current task's hard limit and the init
1841            task's soft limit.  Note that the setting of hard limits
1842            (even to lower them) can be controlled by the setrlimit
1843            check. The inclusion of the init task's soft limit into
1844            the computation is to avoid resetting soft limits higher
1845            than the default soft limit for cases where the default
1846            is lower than the hard limit, e.g. RLIMIT_CORE or
1847            RLIMIT_STACK.*/
1848         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1849                           PROCESS__RLIMITINH, NULL);
1850         if (rc) {
1851                 for (i = 0; i < RLIM_NLIMITS; i++) {
1852                         rlim = current->signal->rlim + i;
1853                         initrlim = init_task.signal->rlim+i;
1854                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1855                 }
1856                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1857                         /*
1858                          * This will cause RLIMIT_CPU calculations
1859                          * to be refigured.
1860                          */
1861                         current->it_prof_expires = jiffies_to_cputime(1);
1862                 }
1863         }
1864
1865         /* Wake up the parent if it is waiting so that it can
1866            recheck wait permission to the new task SID. */
1867         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1868 }
1869
1870 /* superblock security operations */
1871
1872 static int selinux_sb_alloc_security(struct super_block *sb)
1873 {
1874         return superblock_alloc_security(sb);
1875 }
1876
1877 static void selinux_sb_free_security(struct super_block *sb)
1878 {
1879         superblock_free_security(sb);
1880 }
1881
1882 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1883 {
1884         if (plen > olen)
1885                 return 0;
1886
1887         return !memcmp(prefix, option, plen);
1888 }
1889
1890 static inline int selinux_option(char *option, int len)
1891 {
1892         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1893                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1894                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1895 }
1896
1897 static inline void take_option(char **to, char *from, int *first, int len)
1898 {
1899         if (!*first) {
1900                 **to = ',';
1901                 *to += 1;
1902         }
1903         else
1904                 *first = 0;
1905         memcpy(*to, from, len);
1906         *to += len;
1907 }
1908
1909 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1910 {
1911         int fnosec, fsec, rc = 0;
1912         char *in_save, *in_curr, *in_end;
1913         char *sec_curr, *nosec_save, *nosec;
1914
1915         in_curr = orig;
1916         sec_curr = copy;
1917
1918         /* Binary mount data: just copy */
1919         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1920                 copy_page(sec_curr, in_curr);
1921                 goto out;
1922         }
1923
1924         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1925         if (!nosec) {
1926                 rc = -ENOMEM;
1927                 goto out;
1928         }
1929
1930         nosec_save = nosec;
1931         fnosec = fsec = 1;
1932         in_save = in_end = orig;
1933
1934         do {
1935                 if (*in_end == ',' || *in_end == '\0') {
1936                         int len = in_end - in_curr;
1937
1938                         if (selinux_option(in_curr, len))
1939                                 take_option(&sec_curr, in_curr, &fsec, len);
1940                         else
1941                                 take_option(&nosec, in_curr, &fnosec, len);
1942
1943                         in_curr = in_end + 1;
1944                 }
1945         } while (*in_end++);
1946
1947         copy_page(in_save, nosec_save);
1948         free_page((unsigned long)nosec_save);
1949 out:
1950         return rc;
1951 }
1952
1953 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1954 {
1955         struct avc_audit_data ad;
1956         int rc;
1957
1958         rc = superblock_doinit(sb, data);
1959         if (rc)
1960                 return rc;
1961
1962         AVC_AUDIT_DATA_INIT(&ad,FS);
1963         ad.u.fs.dentry = sb->s_root;
1964         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1965 }
1966
1967 static int selinux_sb_statfs(struct super_block *sb)
1968 {
1969         struct avc_audit_data ad;
1970
1971         AVC_AUDIT_DATA_INIT(&ad,FS);
1972         ad.u.fs.dentry = sb->s_root;
1973         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1974 }
1975
1976 static int selinux_mount(char * dev_name,
1977                          struct nameidata *nd,
1978                          char * type,
1979                          unsigned long flags,
1980                          void * data)
1981 {
1982         int rc;
1983
1984         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1985         if (rc)
1986                 return rc;
1987
1988         if (flags & MS_REMOUNT)
1989                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1990                                            FILESYSTEM__REMOUNT, NULL);
1991         else
1992                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1993                                        FILE__MOUNTON);
1994 }
1995
1996 static int selinux_umount(struct vfsmount *mnt, int flags)
1997 {
1998         int rc;
1999
2000         rc = secondary_ops->sb_umount(mnt, flags);
2001         if (rc)
2002                 return rc;
2003
2004         return superblock_has_perm(current,mnt->mnt_sb,
2005                                    FILESYSTEM__UNMOUNT,NULL);
2006 }
2007
2008 /* inode security operations */
2009
2010 static int selinux_inode_alloc_security(struct inode *inode)
2011 {
2012         return inode_alloc_security(inode);
2013 }
2014
2015 static void selinux_inode_free_security(struct inode *inode)
2016 {
2017         inode_free_security(inode);
2018 }
2019
2020 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2021 {
2022         return may_create(dir, dentry, SECCLASS_FILE);
2023 }
2024
2025 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2026 {
2027         post_create(dir, dentry);
2028 }
2029
2030 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2031 {
2032         int rc;
2033
2034         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2035         if (rc)
2036                 return rc;
2037         return may_link(dir, old_dentry, MAY_LINK);
2038 }
2039
2040 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2041 {
2042         return;
2043 }
2044
2045 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2046 {
2047         int rc;
2048
2049         rc = secondary_ops->inode_unlink(dir, dentry);
2050         if (rc)
2051                 return rc;
2052         return may_link(dir, dentry, MAY_UNLINK);
2053 }
2054
2055 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2056 {
2057         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2058 }
2059
2060 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2061 {
2062         post_create(dir, dentry);
2063 }
2064
2065 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2066 {
2067         return may_create(dir, dentry, SECCLASS_DIR);
2068 }
2069
2070 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2071 {
2072         post_create(dir, dentry);
2073 }
2074
2075 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2076 {
2077         return may_link(dir, dentry, MAY_RMDIR);
2078 }
2079
2080 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2081 {
2082         int rc;
2083
2084         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2085         if (rc)
2086                 return rc;
2087
2088         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2089 }
2090
2091 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2092 {
2093         post_create(dir, dentry);
2094 }
2095
2096 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2097                                 struct inode *new_inode, struct dentry *new_dentry)
2098 {
2099         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2100 }
2101
2102 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2103                                       struct inode *new_inode, struct dentry *new_dentry)
2104 {
2105         return;
2106 }
2107
2108 static int selinux_inode_readlink(struct dentry *dentry)
2109 {
2110         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2111 }
2112
2113 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2114 {
2115         int rc;
2116
2117         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2118         if (rc)
2119                 return rc;
2120         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2121 }
2122
2123 static int selinux_inode_permission(struct inode *inode, int mask,
2124                                     struct nameidata *nd)
2125 {
2126         int rc;
2127
2128         rc = secondary_ops->inode_permission(inode, mask, nd);
2129         if (rc)
2130                 return rc;
2131
2132         if (!mask) {
2133                 /* No permission to check.  Existence test. */
2134                 return 0;
2135         }
2136
2137         return inode_has_perm(current, inode,
2138                                file_mask_to_av(inode->i_mode, mask), NULL);
2139 }
2140
2141 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2142 {
2143         int rc;
2144
2145         rc = secondary_ops->inode_setattr(dentry, iattr);
2146         if (rc)
2147                 return rc;
2148
2149         if (iattr->ia_valid & ATTR_FORCE)
2150                 return 0;
2151
2152         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2153                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2154                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2155
2156         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2157 }
2158
2159 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2160 {
2161         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2162 }
2163
2164 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2165 {
2166         struct task_security_struct *tsec = current->security;
2167         struct inode *inode = dentry->d_inode;
2168         struct inode_security_struct *isec = inode->i_security;
2169         struct superblock_security_struct *sbsec;
2170         struct avc_audit_data ad;
2171         u32 newsid;
2172         int rc = 0;
2173
2174         if (strcmp(name, XATTR_NAME_SELINUX)) {
2175                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2176                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2177                     !capable(CAP_SYS_ADMIN)) {
2178                         /* A different attribute in the security namespace.
2179                            Restrict to administrator. */
2180                         return -EPERM;
2181                 }
2182
2183                 /* Not an attribute we recognize, so just check the
2184                    ordinary setattr permission. */
2185                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2186         }
2187
2188         sbsec = inode->i_sb->s_security;
2189         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2190                 return -EOPNOTSUPP;
2191
2192         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2193                 return -EPERM;
2194
2195         AVC_AUDIT_DATA_INIT(&ad,FS);
2196         ad.u.fs.dentry = dentry;
2197
2198         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2199                           FILE__RELABELFROM, &ad);
2200         if (rc)
2201                 return rc;
2202
2203         rc = security_context_to_sid(value, size, &newsid);
2204         if (rc)
2205                 return rc;
2206
2207         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2208                           FILE__RELABELTO, &ad);
2209         if (rc)
2210                 return rc;
2211
2212         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2213                                           isec->sclass);
2214         if (rc)
2215                 return rc;
2216
2217         return avc_has_perm(newsid,
2218                             sbsec->sid,
2219                             SECCLASS_FILESYSTEM,
2220                             FILESYSTEM__ASSOCIATE,
2221                             &ad);
2222 }
2223
2224 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2225                                         void *value, size_t size, int flags)
2226 {
2227         struct inode *inode = dentry->d_inode;
2228         struct inode_security_struct *isec = inode->i_security;
2229         u32 newsid;
2230         int rc;
2231
2232         if (strcmp(name, XATTR_NAME_SELINUX)) {
2233                 /* Not an attribute we recognize, so nothing to do. */
2234                 return;
2235         }
2236
2237         rc = security_context_to_sid(value, size, &newsid);
2238         if (rc) {
2239                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2240                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2241                 return;
2242         }
2243
2244         isec->sid = newsid;
2245         return;
2246 }
2247
2248 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2249 {
2250         struct inode *inode = dentry->d_inode;
2251         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2252
2253         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2254                 return -EOPNOTSUPP;
2255
2256         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2257 }
2258
2259 static int selinux_inode_listxattr (struct dentry *dentry)
2260 {
2261         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2262 }
2263
2264 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2265 {
2266         if (strcmp(name, XATTR_NAME_SELINUX)) {
2267                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2268                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2269                     !capable(CAP_SYS_ADMIN)) {
2270                         /* A different attribute in the security namespace.
2271                            Restrict to administrator. */
2272                         return -EPERM;
2273                 }
2274
2275                 /* Not an attribute we recognize, so just check the
2276                    ordinary setattr permission. Might want a separate
2277                    permission for removexattr. */
2278                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2279         }
2280
2281         /* No one is allowed to remove a SELinux security label.
2282            You can change the label, but all data must be labeled. */
2283         return -EACCES;
2284 }
2285
2286 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2287 {
2288         struct inode_security_struct *isec = inode->i_security;
2289         char *context;
2290         unsigned len;
2291         int rc;
2292
2293         /* Permission check handled by selinux_inode_getxattr hook.*/
2294
2295         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2296                 return -EOPNOTSUPP;
2297
2298         rc = security_sid_to_context(isec->sid, &context, &len);
2299         if (rc)
2300                 return rc;
2301
2302         if (!buffer || !size) {
2303                 kfree(context);
2304                 return len;
2305         }
2306         if (size < len) {
2307                 kfree(context);
2308                 return -ERANGE;
2309         }
2310         memcpy(buffer, context, len);
2311         kfree(context);
2312         return len;
2313 }
2314
2315 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2316                                      const void *value, size_t size, int flags)
2317 {
2318         struct inode_security_struct *isec = inode->i_security;
2319         u32 newsid;
2320         int rc;
2321
2322         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2323                 return -EOPNOTSUPP;
2324
2325         if (!value || !size)
2326                 return -EACCES;
2327
2328         rc = security_context_to_sid((void*)value, size, &newsid);
2329         if (rc)
2330                 return rc;
2331
2332         isec->sid = newsid;
2333         return 0;
2334 }
2335
2336 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2337 {
2338         const int len = sizeof(XATTR_NAME_SELINUX);
2339         if (buffer && len <= buffer_size)
2340                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2341         return len;
2342 }
2343
2344 /* file security operations */
2345
2346 static int selinux_file_permission(struct file *file, int mask)
2347 {
2348         struct inode *inode = file->f_dentry->d_inode;
2349
2350         if (!mask) {
2351                 /* No permission to check.  Existence test. */
2352                 return 0;
2353         }
2354
2355         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2356         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2357                 mask |= MAY_APPEND;
2358
2359         return file_has_perm(current, file,
2360                              file_mask_to_av(inode->i_mode, mask));
2361 }
2362
2363 static int selinux_file_alloc_security(struct file *file)
2364 {
2365         return file_alloc_security(file);
2366 }
2367
2368 static void selinux_file_free_security(struct file *file)
2369 {
2370         file_free_security(file);
2371 }
2372
2373 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2374                               unsigned long arg)
2375 {
2376         int error = 0;
2377
2378         switch (cmd) {
2379                 case FIONREAD:
2380                 /* fall through */
2381                 case FIBMAP:
2382                 /* fall through */
2383                 case FIGETBSZ:
2384                 /* fall through */
2385                 case EXT2_IOC_GETFLAGS:
2386                 /* fall through */
2387                 case EXT2_IOC_GETVERSION:
2388                         error = file_has_perm(current, file, FILE__GETATTR);
2389                         break;
2390
2391                 case EXT2_IOC_SETFLAGS:
2392                 /* fall through */
2393                 case EXT2_IOC_SETVERSION:
2394                         error = file_has_perm(current, file, FILE__SETATTR);
2395                         break;
2396
2397                 /* sys_ioctl() checks */
2398                 case FIONBIO:
2399                 /* fall through */
2400                 case FIOASYNC:
2401                         error = file_has_perm(current, file, 0);
2402                         break;
2403
2404                 case KDSKBENT:
2405                 case KDSKBSENT:
2406                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2407                         break;
2408
2409                 /* default case assumes that the command will go
2410                  * to the file's ioctl() function.
2411                  */
2412                 default:
2413                         error = file_has_perm(current, file, FILE__IOCTL);
2414
2415         }
2416         return error;
2417 }
2418
2419 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2420 {
2421 #ifndef CONFIG_PPC32
2422         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2423                 /*
2424                  * We are making executable an anonymous mapping or a
2425                  * private file mapping that will also be writable.
2426                  * This has an additional check.
2427                  */
2428                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2429                 if (rc)
2430                         return rc;
2431         }
2432 #endif
2433
2434         if (file) {
2435                 /* read access is always possible with a mapping */
2436                 u32 av = FILE__READ;
2437
2438                 /* write access only matters if the mapping is shared */
2439                 if (shared && (prot & PROT_WRITE))
2440                         av |= FILE__WRITE;
2441
2442                 if (prot & PROT_EXEC)
2443                         av |= FILE__EXECUTE;
2444
2445                 return file_has_perm(current, file, av);
2446         }
2447         return 0;
2448 }
2449
2450 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2451                              unsigned long prot, unsigned long flags)
2452 {
2453         int rc;
2454
2455         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2456         if (rc)
2457                 return rc;
2458
2459         if (selinux_checkreqprot)
2460                 prot = reqprot;
2461
2462         return file_map_prot_check(file, prot,
2463                                    (flags & MAP_TYPE) == MAP_SHARED);
2464 }
2465
2466 static int selinux_file_mprotect(struct vm_area_struct *vma,
2467                                  unsigned long reqprot,
2468                                  unsigned long prot)
2469 {
2470         int rc;
2471
2472         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2473         if (rc)
2474                 return rc;
2475
2476         if (selinux_checkreqprot)
2477                 prot = reqprot;
2478
2479 #ifndef CONFIG_PPC32
2480         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2481                 /*
2482                  * We are making executable a file mapping that has
2483                  * had some COW done. Since pages might have been written,
2484                  * check ability to execute the possibly modified content.
2485                  * This typically should only occur for text relocations.
2486                  */
2487                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2488                 if (rc)
2489                         return rc;
2490         }
2491         if (!vma->vm_file && (prot & PROT_EXEC) &&
2492                 vma->vm_start <= vma->vm_mm->start_stack &&
2493                 vma->vm_end >= vma->vm_mm->start_stack) {
2494                 /* Attempt to make the process stack executable.
2495                  * This has an additional execstack check.
2496                  */
2497                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2498                 if (rc)
2499                         return rc;
2500         }
2501 #endif
2502
2503         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2504 }
2505
2506 static int selinux_file_lock(struct file *file, unsigned int cmd)
2507 {
2508         return file_has_perm(current, file, FILE__LOCK);
2509 }
2510
2511 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2512                               unsigned long arg)
2513 {
2514         int err = 0;
2515
2516         switch (cmd) {
2517                 case F_SETFL:
2518                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2519                                 err = -EINVAL;
2520                                 break;
2521                         }
2522
2523                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2524                                 err = file_has_perm(current, file,FILE__WRITE);
2525                                 break;
2526                         }
2527                         /* fall through */
2528                 case F_SETOWN:
2529                 case F_SETSIG:
2530                 case F_GETFL:
2531                 case F_GETOWN:
2532                 case F_GETSIG:
2533                         /* Just check FD__USE permission */
2534                         err = file_has_perm(current, file, 0);
2535                         break;
2536                 case F_GETLK:
2537                 case F_SETLK:
2538                 case F_SETLKW:
2539 #if BITS_PER_LONG == 32
2540                 case F_GETLK64:
2541                 case F_SETLK64:
2542                 case F_SETLKW64:
2543 #endif
2544                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2545                                 err = -EINVAL;
2546                                 break;
2547                         }
2548                         err = file_has_perm(current, file, FILE__LOCK);
2549                         break;
2550         }
2551
2552         return err;
2553 }
2554
2555 static int selinux_file_set_fowner(struct file *file)
2556 {
2557         struct task_security_struct *tsec;
2558         struct file_security_struct *fsec;
2559
2560         tsec = current->security;
2561         fsec = file->f_security;
2562         fsec->fown_sid = tsec->sid;
2563
2564         return 0;
2565 }
2566
2567 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2568                                        struct fown_struct *fown, int signum)
2569 {
2570         struct file *file;
2571         u32 perm;
2572         struct task_security_struct *tsec;
2573         struct file_security_struct *fsec;
2574
2575         /* struct fown_struct is never outside the context of a struct file */
2576         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2577
2578         tsec = tsk->security;
2579         fsec = file->f_security;
2580
2581         if (!signum)
2582                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2583         else
2584                 perm = signal_to_av(signum);
2585
2586         return avc_has_perm(fsec->fown_sid, tsec->sid,
2587                             SECCLASS_PROCESS, perm, NULL);
2588 }
2589
2590 static int selinux_file_receive(struct file *file)
2591 {
2592         return file_has_perm(current, file, file_to_av(file));
2593 }
2594
2595 /* task security operations */
2596
2597 static int selinux_task_create(unsigned long clone_flags)
2598 {
2599         int rc;
2600
2601         rc = secondary_ops->task_create(clone_flags);
2602         if (rc)
2603                 return rc;
2604
2605         return task_has_perm(current, current, PROCESS__FORK);
2606 }
2607
2608 static int selinux_task_alloc_security(struct task_struct *tsk)
2609 {
2610         struct task_security_struct *tsec1, *tsec2;
2611         int rc;
2612
2613         tsec1 = current->security;
2614
2615         rc = task_alloc_security(tsk);
2616         if (rc)
2617                 return rc;
2618         tsec2 = tsk->security;
2619
2620         tsec2->osid = tsec1->osid;
2621         tsec2->sid = tsec1->sid;
2622
2623         /* Retain the exec and create SIDs across fork */
2624         tsec2->exec_sid = tsec1->exec_sid;
2625         tsec2->create_sid = tsec1->create_sid;
2626
2627         /* Retain ptracer SID across fork, if any.
2628            This will be reset by the ptrace hook upon any
2629            subsequent ptrace_attach operations. */
2630         tsec2->ptrace_sid = tsec1->ptrace_sid;
2631
2632         return 0;
2633 }
2634
2635 static void selinux_task_free_security(struct task_struct *tsk)
2636 {
2637         task_free_security(tsk);
2638 }
2639
2640 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2641 {
2642         /* Since setuid only affects the current process, and
2643            since the SELinux controls are not based on the Linux
2644            identity attributes, SELinux does not need to control
2645            this operation.  However, SELinux does control the use
2646            of the CAP_SETUID and CAP_SETGID capabilities using the
2647            capable hook. */
2648         return 0;
2649 }
2650
2651 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2652 {
2653         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2654 }
2655
2656 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2657 {
2658         /* See the comment for setuid above. */
2659         return 0;
2660 }
2661
2662 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2663 {
2664         return task_has_perm(current, p, PROCESS__SETPGID);
2665 }
2666
2667 static int selinux_task_getpgid(struct task_struct *p)
2668 {
2669         return task_has_perm(current, p, PROCESS__GETPGID);
2670 }
2671
2672 static int selinux_task_getsid(struct task_struct *p)
2673 {
2674         return task_has_perm(current, p, PROCESS__GETSESSION);
2675 }
2676
2677 static int selinux_task_setgroups(struct group_info *group_info)
2678 {
2679         /* See the comment for setuid above. */
2680         return 0;
2681 }
2682
2683 static int selinux_task_setnice(struct task_struct *p, int nice)
2684 {
2685         int rc;
2686
2687         rc = secondary_ops->task_setnice(p, nice);
2688         if (rc)
2689                 return rc;
2690
2691         return task_has_perm(current,p, PROCESS__SETSCHED);
2692 }
2693
2694 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2695 {
2696         struct rlimit *old_rlim = current->signal->rlim + resource;
2697         int rc;
2698
2699         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2700         if (rc)
2701                 return rc;
2702
2703         /* Control the ability to change the hard limit (whether
2704            lowering or raising it), so that the hard limit can
2705            later be used as a safe reset point for the soft limit
2706            upon context transitions. See selinux_bprm_apply_creds. */
2707         if (old_rlim->rlim_max != new_rlim->rlim_max)
2708                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2709
2710         return 0;
2711 }
2712
2713 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2714 {
2715         return task_has_perm(current, p, PROCESS__SETSCHED);
2716 }
2717
2718 static int selinux_task_getscheduler(struct task_struct *p)
2719 {
2720         return task_has_perm(current, p, PROCESS__GETSCHED);
2721 }
2722
2723 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2724 {
2725         u32 perm;
2726         int rc;
2727
2728         rc = secondary_ops->task_kill(p, info, sig);
2729         if (rc)
2730                 return rc;
2731
2732         if (info && ((unsigned long)info == 1 ||
2733                      (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2734                 return 0;
2735
2736         if (!sig)
2737                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2738         else
2739                 perm = signal_to_av(sig);
2740
2741         return task_has_perm(current, p, perm);
2742 }
2743
2744 static int selinux_task_prctl(int option,
2745                               unsigned long arg2,
2746                               unsigned long arg3,
2747                               unsigned long arg4,
2748                               unsigned long arg5)
2749 {
2750         /* The current prctl operations do not appear to require
2751            any SELinux controls since they merely observe or modify
2752            the state of the current process. */
2753         return 0;
2754 }
2755
2756 static int selinux_task_wait(struct task_struct *p)
2757 {
2758         u32 perm;
2759
2760         perm = signal_to_av(p->exit_signal);
2761
2762         return task_has_perm(p, current, perm);
2763 }
2764
2765 static void selinux_task_reparent_to_init(struct task_struct *p)
2766 {
2767         struct task_security_struct *tsec;
2768
2769         secondary_ops->task_reparent_to_init(p);
2770
2771         tsec = p->security;
2772         tsec->osid = tsec->sid;
2773         tsec->sid = SECINITSID_KERNEL;
2774         return;
2775 }
2776
2777 static void selinux_task_to_inode(struct task_struct *p,
2778                                   struct inode *inode)
2779 {
2780         struct task_security_struct *tsec = p->security;
2781         struct inode_security_struct *isec = inode->i_security;
2782
2783         isec->sid = tsec->sid;
2784         isec->initialized = 1;
2785         return;
2786 }
2787
2788 #ifdef CONFIG_SECURITY_NETWORK
2789
2790 /* Returns error only if unable to parse addresses */
2791 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2792 {
2793         int offset, ihlen, ret = -EINVAL;
2794         struct iphdr _iph, *ih;
2795
2796         offset = skb->nh.raw - skb->data;
2797         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2798         if (ih == NULL)
2799                 goto out;
2800
2801         ihlen = ih->ihl * 4;
2802         if (ihlen < sizeof(_iph))
2803                 goto out;
2804
2805         ad->u.net.v4info.saddr = ih->saddr;
2806         ad->u.net.v4info.daddr = ih->daddr;
2807         ret = 0;
2808
2809         switch (ih->protocol) {
2810         case IPPROTO_TCP: {
2811                 struct tcphdr _tcph, *th;
2812
2813                 if (ntohs(ih->frag_off) & IP_OFFSET)
2814                         break;
2815
2816                 offset += ihlen;
2817                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2818                 if (th == NULL)
2819                         break;
2820
2821                 ad->u.net.sport = th->source;
2822                 ad->u.net.dport = th->dest;
2823                 break;
2824         }
2825         
2826         case IPPROTO_UDP: {
2827                 struct udphdr _udph, *uh;
2828                 
2829                 if (ntohs(ih->frag_off) & IP_OFFSET)
2830                         break;
2831                         
2832                 offset += ihlen;
2833                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2834                 if (uh == NULL)
2835                         break;  
2836
2837                 ad->u.net.sport = uh->source;
2838                 ad->u.net.dport = uh->dest;
2839                 break;
2840         }
2841
2842         default:
2843                 break;
2844         }
2845 out:
2846         return ret;
2847 }
2848
2849 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2850
2851 /* Returns error only if unable to parse addresses */
2852 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2853 {
2854         u8 nexthdr;
2855         int ret = -EINVAL, offset;
2856         struct ipv6hdr _ipv6h, *ip6;
2857
2858         offset = skb->nh.raw - skb->data;
2859         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2860         if (ip6 == NULL)
2861                 goto out;
2862
2863         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2864         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2865         ret = 0;
2866
2867         nexthdr = ip6->nexthdr;
2868         offset += sizeof(_ipv6h);
2869         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2870         if (offset < 0)
2871                 goto out;
2872
2873         switch (nexthdr) {
2874         case IPPROTO_TCP: {
2875                 struct tcphdr _tcph, *th;
2876
2877                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2878                 if (th == NULL)
2879                         break;
2880
2881                 ad->u.net.sport = th->source;
2882                 ad->u.net.dport = th->dest;
2883                 break;
2884         }
2885
2886         case IPPROTO_UDP: {
2887                 struct udphdr _udph, *uh;
2888
2889                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2890                 if (uh == NULL)
2891                         break;
2892
2893                 ad->u.net.sport = uh->source;
2894                 ad->u.net.dport = uh->dest;
2895                 break;
2896         }
2897
2898         /* includes fragments */
2899         default:
2900                 break;
2901         }
2902 out:
2903         return ret;
2904 }
2905
2906 #endif /* IPV6 */
2907
2908 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2909                              char **addrp, int *len, int src)
2910 {
2911         int ret = 0;
2912
2913         switch (ad->u.net.family) {
2914         case PF_INET:
2915                 ret = selinux_parse_skb_ipv4(skb, ad);
2916                 if (ret || !addrp)
2917                         break;
2918                 *len = 4;
2919                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2920                                         &ad->u.net.v4info.daddr);
2921                 break;
2922
2923 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2924         case PF_INET6:
2925                 ret = selinux_parse_skb_ipv6(skb, ad);
2926                 if (ret || !addrp)
2927                         break;
2928                 *len = 16;
2929                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2930                                         &ad->u.net.v6info.daddr);
2931                 break;
2932 #endif  /* IPV6 */
2933         default:
2934                 break;
2935         }
2936
2937         return ret;
2938 }
2939
2940 /* socket security operations */
2941 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2942                            u32 perms)
2943 {
2944         struct inode_security_struct *isec;
2945         struct task_security_struct *tsec;
2946         struct avc_audit_data ad;
2947         int err = 0;
2948
2949         tsec = task->security;
2950         isec = SOCK_INODE(sock)->i_security;
2951
2952         if (isec->sid == SECINITSID_KERNEL)
2953                 goto out;
2954
2955         AVC_AUDIT_DATA_INIT(&ad,NET);
2956         ad.u.net.sk = sock->sk;
2957         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2958
2959 out:
2960         return err;
2961 }
2962
2963 static int selinux_socket_create(int family, int type,
2964                                  int protocol, int kern)
2965 {
2966         int err = 0;
2967         struct task_security_struct *tsec;
2968
2969         if (kern)
2970                 goto out;
2971
2972         tsec = current->security;
2973         err = avc_has_perm(tsec->sid, tsec->sid,
2974                            socket_type_to_security_class(family, type,
2975                            protocol), SOCKET__CREATE, NULL);
2976
2977 out:
2978         return err;
2979 }
2980
2981 static void selinux_socket_post_create(struct socket *sock, int family,
2982                                        int type, int protocol, int kern)
2983 {
2984         struct inode_security_struct *isec;
2985         struct task_security_struct *tsec;
2986
2987         isec = SOCK_INODE(sock)->i_security;
2988
2989         tsec = current->security;
2990         isec->sclass = socket_type_to_security_class(family, type, protocol);
2991         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2992         isec->initialized = 1;
2993
2994         return;
2995 }
2996
2997 /* Range of port numbers used to automatically bind.
2998    Need to determine whether we should perform a name_bind
2999    permission check between the socket and the port number. */
3000 #define ip_local_port_range_0 sysctl_local_port_range[0]
3001 #define ip_local_port_range_1 sysctl_local_port_range[1]
3002
3003 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3004 {
3005         u16 family;
3006         int err;
3007
3008         err = socket_has_perm(current, sock, SOCKET__BIND);
3009         if (err)
3010                 goto out;
3011
3012         /*
3013          * If PF_INET or PF_INET6, check name_bind permission for the port.
3014          */
3015         family = sock->sk->sk_family;
3016         if (family == PF_INET || family == PF_INET6) {
3017                 char *addrp;
3018                 struct inode_security_struct *isec;
3019                 struct task_security_struct *tsec;
3020                 struct avc_audit_data ad;
3021                 struct sockaddr_in *addr4 = NULL;
3022                 struct sockaddr_in6 *addr6 = NULL;
3023                 unsigned short snum;
3024                 struct sock *sk = sock->sk;
3025                 u32 sid, node_perm, addrlen;
3026
3027                 tsec = current->security;
3028                 isec = SOCK_INODE(sock)->i_security;
3029
3030                 if (family == PF_INET) {
3031                         addr4 = (struct sockaddr_in *)address;
3032                         snum = ntohs(addr4->sin_port);
3033                         addrlen = sizeof(addr4->sin_addr.s_addr);
3034                         addrp = (char *)&addr4->sin_addr.s_addr;
3035                 } else {
3036                         addr6 = (struct sockaddr_in6 *)address;
3037                         snum = ntohs(addr6->sin6_port);
3038                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3039                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3040                 }
3041
3042                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3043                            snum > ip_local_port_range_1)) {
3044                         err = security_port_sid(sk->sk_family, sk->sk_type,
3045                                                 sk->sk_protocol, snum, &sid);
3046                         if (err)
3047                                 goto out;
3048                         AVC_AUDIT_DATA_INIT(&ad,NET);
3049                         ad.u.net.sport = htons(snum);
3050                         ad.u.net.family = family;
3051                         err = avc_has_perm(isec->sid, sid,
3052                                            isec->sclass,
3053                                            SOCKET__NAME_BIND, &ad);
3054                         if (err)
3055                                 goto out;
3056                 }
3057                 
3058                 switch(sk->sk_protocol) {
3059                 case IPPROTO_TCP:
3060                         node_perm = TCP_SOCKET__NODE_BIND;
3061                         break;
3062                         
3063                 case IPPROTO_UDP:
3064                         node_perm = UDP_SOCKET__NODE_BIND;
3065                         break;
3066                         
3067                 default:
3068                         node_perm = RAWIP_SOCKET__NODE_BIND;
3069                         break;
3070                 }
3071                 
3072                 err = security_node_sid(family, addrp, addrlen, &sid);
3073                 if (err)
3074                         goto out;
3075                 
3076                 AVC_AUDIT_DATA_INIT(&ad,NET);
3077                 ad.u.net.sport = htons(snum);
3078                 ad.u.net.family = family;
3079
3080                 if (family == PF_INET)
3081                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3082                 else
3083                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3084
3085                 err = avc_has_perm(isec->sid, sid,
3086                                    isec->sclass, node_perm, &ad);
3087                 if (err)
3088                         goto out;
3089         }
3090 out:
3091         return err;
3092 }
3093
3094 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3095 {
3096         struct inode_security_struct *isec;
3097         int err;
3098
3099         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3100         if (err)
3101                 return err;
3102
3103         /*
3104          * If a TCP socket, check name_connect permission for the port.
3105          */
3106         isec = SOCK_INODE(sock)->i_security;
3107         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3108                 struct sock *sk = sock->sk;
3109                 struct avc_audit_data ad;
3110                 struct sockaddr_in *addr4 = NULL;
3111                 struct sockaddr_in6 *addr6 = NULL;
3112                 unsigned short snum;
3113                 u32 sid;
3114
3115                 if (sk->sk_family == PF_INET) {
3116                         addr4 = (struct sockaddr_in *)address;
3117                         if (addrlen != sizeof(struct sockaddr_in))
3118                                 return -EINVAL;
3119                         snum = ntohs(addr4->sin_port);
3120                 } else {
3121                         addr6 = (struct sockaddr_in6 *)address;
3122                         if (addrlen != sizeof(struct sockaddr_in6))
3123                                 return -EINVAL;
3124                         snum = ntohs(addr6->sin6_port);
3125                 }
3126
3127                 err = security_port_sid(sk->sk_family, sk->sk_type,
3128                                         sk->sk_protocol, snum, &sid);
3129                 if (err)
3130                         goto out;
3131
3132                 AVC_AUDIT_DATA_INIT(&ad,NET);
3133                 ad.u.net.dport = htons(snum);
3134                 ad.u.net.family = sk->sk_family;
3135                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3136                                    TCP_SOCKET__NAME_CONNECT, &ad);
3137                 if (err)
3138                         goto out;
3139         }
3140
3141 out:
3142         return err;
3143 }
3144
3145 static int selinux_socket_listen(struct socket *sock, int backlog)
3146 {
3147         return socket_has_perm(current, sock, SOCKET__LISTEN);
3148 }
3149
3150 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3151 {
3152         int err;
3153         struct inode_security_struct *isec;
3154         struct inode_security_struct *newisec;
3155
3156         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3157         if (err)
3158                 return err;
3159
3160         newisec = SOCK_INODE(newsock)->i_security;
3161
3162         isec = SOCK_INODE(sock)->i_security;
3163         newisec->sclass = isec->sclass;
3164         newisec->sid = isec->sid;
3165         newisec->initialized = 1;
3166
3167         return 0;
3168 }
3169
3170 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3171                                   int size)
3172 {
3173         return socket_has_perm(current, sock, SOCKET__WRITE);
3174 }
3175
3176 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3177                                   int size, int flags)
3178 {
3179         return socket_has_perm(current, sock, SOCKET__READ);
3180 }
3181
3182 static int selinux_socket_getsockname(struct socket *sock)
3183 {
3184         return socket_has_perm(current, sock, SOCKET__GETATTR);
3185 }
3186
3187 static int selinux_socket_getpeername(struct socket *sock)
3188 {
3189         return socket_has_perm(current, sock, SOCKET__GETATTR);
3190 }
3191
3192 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3193 {
3194         return socket_has_perm(current, sock, SOCKET__SETOPT);
3195 }
3196
3197 static int selinux_socket_getsockopt(struct socket *sock, int level,
3198                                      int optname)
3199 {
3200         return socket_has_perm(current, sock, SOCKET__GETOPT);
3201 }
3202
3203 static int selinux_socket_shutdown(struct socket *sock, int how)
3204 {
3205         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3206 }
3207
3208 static int selinux_socket_unix_stream_connect(struct socket *sock,
3209                                               struct socket *other,
3210                                               struct sock *newsk)
3211 {
3212         struct sk_security_struct *ssec;
3213         struct inode_security_struct *isec;
3214         struct inode_security_struct *other_isec;
3215         struct avc_audit_data ad;
3216         int err;
3217
3218         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3219         if (err)
3220                 return err;
3221
3222         isec = SOCK_INODE(sock)->i_security;
3223         other_isec = SOCK_INODE(other)->i_security;
3224
3225         AVC_AUDIT_DATA_INIT(&ad,NET);
3226         ad.u.net.sk = other->sk;
3227
3228         err = avc_has_perm(isec->sid, other_isec->sid,
3229                            isec->sclass,
3230                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3231         if (err)
3232                 return err;
3233
3234         /* connecting socket */
3235         ssec = sock->sk->sk_security;
3236         ssec->peer_sid = other_isec->sid;
3237         
3238         /* server child socket */
3239         ssec = newsk->sk_security;
3240         ssec->peer_sid = isec->sid;
3241         
3242         return 0;
3243 }
3244
3245 static int selinux_socket_unix_may_send(struct socket *sock,
3246                                         struct socket *other)
3247 {
3248         struct inode_security_struct *isec;
3249         struct inode_security_struct *other_isec;
3250         struct avc_audit_data ad;
3251         int err;
3252
3253         isec = SOCK_INODE(sock)->i_security;
3254         other_isec = SOCK_INODE(other)->i_security;
3255
3256         AVC_AUDIT_DATA_INIT(&ad,NET);
3257         ad.u.net.sk = other->sk;
3258
3259         err = avc_has_perm(isec->sid, other_isec->sid,
3260                            isec->sclass, SOCKET__SENDTO, &ad);
3261         if (err)
3262                 return err;
3263
3264         return 0;
3265 }
3266
3267 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3268 {
3269         u16 family;
3270         char *addrp;
3271         int len, err = 0;
3272         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3273         u32 sock_sid = 0;
3274         u16 sock_class = 0;
3275         struct socket *sock;
3276         struct net_device *dev;
3277         struct avc_audit_data ad;
3278
3279         family = sk->sk_family;
3280         if (family != PF_INET && family != PF_INET6)
3281                 goto out;
3282
3283         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3284         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3285                 family = PF_INET;
3286
3287         read_lock_bh(&sk->sk_callback_lock);
3288         sock = sk->sk_socket;
3289         if (sock) {
3290                 struct inode *inode;
3291                 inode = SOCK_INODE(sock);
3292                 if (inode) {
3293                         struct inode_security_struct *isec;
3294                         isec = inode->i_security;
3295                         sock_sid = isec->sid;
3296                         sock_class = isec->sclass;
3297                 }
3298         }
3299         read_unlock_bh(&sk->sk_callback_lock);
3300         if (!sock_sid)
3301                 goto out;
3302
3303         dev = skb->dev;
3304         if (!dev)
3305                 goto out;
3306
3307         err = sel_netif_sids(dev, &if_sid, NULL);
3308         if (err)
3309                 goto out;
3310
3311         switch (sock_class) {
3312         case SECCLASS_UDP_SOCKET:
3313                 netif_perm = NETIF__UDP_RECV;
3314                 node_perm = NODE__UDP_RECV;
3315                 recv_perm = UDP_SOCKET__RECV_MSG;
3316                 break;
3317         
3318         case SECCLASS_TCP_SOCKET:
3319                 netif_perm = NETIF__TCP_RECV;
3320                 node_perm = NODE__TCP_RECV;
3321                 recv_perm = TCP_SOCKET__RECV_MSG;
3322                 break;
3323         
3324         default:
3325                 netif_perm = NETIF__RAWIP_RECV;
3326                 node_perm = NODE__RAWIP_RECV;
3327                 break;
3328         }
3329
3330         AVC_AUDIT_DATA_INIT(&ad, NET);
3331         ad.u.net.netif = dev->name;
3332         ad.u.net.family = family;
3333
3334         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3335         if (err)
3336                 goto out;
3337
3338         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3339         if (err)
3340                 goto out;
3341         
3342         /* Fixme: this lookup is inefficient */
3343         err = security_node_sid(family, addrp, len, &node_sid);
3344         if (err)
3345                 goto out;
3346         
3347         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3348         if (err)
3349                 goto out;
3350
3351         if (recv_perm) {
3352                 u32 port_sid;
3353
3354                 /* Fixme: make this more efficient */
3355                 err = security_port_sid(sk->sk_family, sk->sk_type,
3356                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3357                                         &port_sid);
3358                 if (err)
3359                         goto out;
3360
3361                 err = avc_has_perm(sock_sid, port_sid,
3362                                    sock_class, recv_perm, &ad);
3363         }
3364 out:    
3365         return err;
3366 }
3367
3368 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3369                                      int __user *optlen, unsigned len)
3370 {
3371         int err = 0;
3372         char *scontext;
3373         u32 scontext_len;
3374         struct sk_security_struct *ssec;
3375         struct inode_security_struct *isec;
3376
3377         isec = SOCK_INODE(sock)->i_security;
3378         if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3379                 err = -ENOPROTOOPT;
3380                 goto out;
3381         }
3382
3383         ssec = sock->sk->sk_security;
3384         
3385         err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3386         if (err)
3387                 goto out;
3388
3389         if (scontext_len > len) {
3390                 err = -ERANGE;
3391                 goto out_len;
3392         }
3393
3394         if (copy_to_user(optval, scontext, scontext_len))
3395                 err = -EFAULT;
3396
3397 out_len:
3398         if (put_user(scontext_len, optlen))
3399                 err = -EFAULT;
3400
3401         kfree(scontext);
3402 out:    
3403         return err;
3404 }
3405
3406 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3407 {
3408         return sk_alloc_security(sk, family, priority);
3409 }
3410
3411 static void selinux_sk_free_security(struct sock *sk)
3412 {
3413         sk_free_security(sk);
3414 }
3415
3416 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3417 {
3418         int err = 0;
3419         u32 perm;
3420         struct nlmsghdr *nlh;
3421         struct socket *sock = sk->sk_socket;
3422         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3423         
3424         if (skb->len < NLMSG_SPACE(0)) {
3425                 err = -EINVAL;
3426                 goto out;
3427         }
3428         nlh = (struct nlmsghdr *)skb->data;
3429         
3430         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3431         if (err) {
3432                 if (err == -EINVAL) {
3433                         audit_log(current->audit_context, AUDIT_SELINUX_ERR,
3434                                   "SELinux:  unrecognized netlink message"
3435                                   " type=%hu for sclass=%hu\n",
3436                                   nlh->nlmsg_type, isec->sclass);
3437                         if (!selinux_enforcing)
3438                                 err = 0;
3439                 }
3440
3441                 /* Ignore */
3442                 if (err == -ENOENT)
3443                         err = 0;
3444                 goto out;
3445         }
3446
3447         err = socket_has_perm(current, sock, perm);
3448 out:
3449         return err;
3450 }
3451
3452 #ifdef CONFIG_NETFILTER
3453
3454 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3455                                               struct sk_buff **pskb,
3456                                               const struct net_device *in,
3457                                               const struct net_device *out,
3458                                               int (*okfn)(struct sk_buff *),
3459                                               u16 family)
3460 {
3461         char *addrp;
3462         int len, err = NF_ACCEPT;
3463         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3464         struct sock *sk;
3465         struct socket *sock;
3466         struct inode *inode;
3467         struct sk_buff *skb = *pskb;
3468         struct inode_security_struct *isec;
3469         struct avc_audit_data ad;
3470         struct net_device *dev = (struct net_device *)out;
3471         
3472         sk = skb->sk;
3473         if (!sk)
3474                 goto out;
3475                 
3476         sock = sk->sk_socket;
3477         if (!sock)
3478                 goto out;
3479                 
3480         inode = SOCK_INODE(sock);
3481         if (!inode)
3482                 goto out;
3483
3484         err = sel_netif_sids(dev, &if_sid, NULL);
3485         if (err)
3486                 goto out;
3487
3488         isec = inode->i_security;
3489         
3490         switch (isec->sclass) {
3491         case SECCLASS_UDP_SOCKET:
3492                 netif_perm = NETIF__UDP_SEND;
3493                 node_perm = NODE__UDP_SEND;
3494                 send_perm = UDP_SOCKET__SEND_MSG;
3495                 break;
3496         
3497         case SECCLASS_TCP_SOCKET:
3498                 netif_perm = NETIF__TCP_SEND;
3499                 node_perm = NODE__TCP_SEND;
3500                 send_perm = TCP_SOCKET__SEND_MSG;
3501                 break;
3502         
3503         default:
3504                 netif_perm = NETIF__RAWIP_SEND;
3505                 node_perm = NODE__RAWIP_SEND;
3506                 break;
3507         }
3508
3509
3510         AVC_AUDIT_DATA_INIT(&ad, NET);
3511         ad.u.net.netif = dev->name;
3512         ad.u.net.family = family;
3513
3514         err = selinux_parse_skb(skb, &ad, &addrp,
3515                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3516         if (err != NF_ACCEPT)
3517                 goto out;
3518
3519         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3520                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3521         if (err != NF_ACCEPT)
3522                 goto out;
3523                 
3524         /* Fixme: this lookup is inefficient */
3525         err = security_node_sid(family, addrp, len,
3526                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3527         if (err != NF_ACCEPT)
3528                 goto out;
3529         
3530         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3531                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3532         if (err != NF_ACCEPT)
3533                 goto out;
3534
3535         if (send_perm) {
3536                 u32 port_sid;
3537                 
3538                 /* Fixme: make this more efficient */
3539                 err = security_port_sid(sk->sk_family,
3540                                         sk->sk_type,
3541                                         sk->sk_protocol,
3542                                         ntohs(ad.u.net.dport),
3543                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3544                 if (err != NF_ACCEPT)
3545                         goto out;
3546
3547                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3548                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3549         }
3550
3551 out:
3552         return err;
3553 }
3554
3555 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3556                                                 struct sk_buff **pskb,
3557                                                 const struct net_device *in,
3558                                                 const struct net_device *out,
3559                                                 int (*okfn)(struct sk_buff *))
3560 {
3561         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3562 }
3563
3564 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3565
3566 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3567                                                 struct sk_buff **pskb,
3568                                                 const struct net_device *in,
3569                                                 const struct net_device *out,
3570                                                 int (*okfn)(struct sk_buff *))
3571 {
3572         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3573 }
3574
3575 #endif  /* IPV6 */
3576
3577 #endif  /* CONFIG_NETFILTER */
3578
3579 #else
3580
3581 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3582 {
3583         return 0;
3584 }
3585
3586 #endif  /* CONFIG_SECURITY_NETWORK */
3587
3588 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3589 {
3590         struct task_security_struct *tsec;
3591         struct av_decision avd;
3592         int err;
3593
3594         err = secondary_ops->netlink_send(sk, skb);
3595         if (err)
3596                 return err;
3597
3598         tsec = current->security;
3599
3600         avd.allowed = 0;
3601         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3602                                 SECCLASS_CAPABILITY, ~0, &avd);
3603         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3604
3605         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3606                 err = selinux_nlmsg_perm(sk, skb);
3607
3608         return err;
3609 }
3610
3611 static int selinux_netlink_recv(struct sk_buff *skb)
3612 {
3613         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3614                 return -EPERM;
3615         return 0;
3616 }
3617
3618 static int ipc_alloc_security(struct task_struct *task,
3619                               struct kern_ipc_perm *perm,
3620                               u16 sclass)
3621 {
3622         struct task_security_struct *tsec = task->security;
3623         struct ipc_security_struct *isec;
3624
3625         isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3626         if (!isec)
3627                 return -ENOMEM;
3628
3629         memset(isec, 0, sizeof(struct ipc_security_struct));
3630         isec->magic = SELINUX_MAGIC;
3631         isec->sclass = sclass;
3632         isec->ipc_perm = perm;
3633         if (tsec) {
3634                 isec->sid = tsec->sid;
3635         } else {
3636                 isec->sid = SECINITSID_UNLABELED;
3637         }
3638         perm->security = isec;
3639
3640         return 0;
3641 }
3642
3643 static void ipc_free_security(struct kern_ipc_perm *perm)
3644 {
3645         struct ipc_security_struct *isec = perm->security;
3646         if (!isec || isec->magic != SELINUX_MAGIC)
3647                 return;
3648
3649         perm->security = NULL;
3650         kfree(isec);
3651 }
3652
3653 static int msg_msg_alloc_security(struct msg_msg *msg)
3654 {
3655         struct msg_security_struct *msec;
3656
3657         msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3658         if (!msec)
3659                 return -ENOMEM;
3660
3661         memset(msec, 0, sizeof(struct msg_security_struct));
3662         msec->magic = SELINUX_MAGIC;
3663         msec->msg = msg;
3664         msec->sid = SECINITSID_UNLABELED;
3665         msg->security = msec;
3666
3667         return 0;
3668 }
3669
3670 static void msg_msg_free_security(struct msg_msg *msg)
3671 {
3672         struct msg_security_struct *msec = msg->security;
3673         if (!msec || msec->magic != SELINUX_MAGIC)
3674                 return;
3675
3676         msg->security = NULL;
3677         kfree(msec);
3678 }
3679
3680 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3681                         u32 perms)
3682 {
3683         struct task_security_struct *tsec;
3684         struct ipc_security_struct *isec;
3685         struct avc_audit_data ad;
3686
3687         tsec = current->security;
3688         isec = ipc_perms->security;
3689
3690         AVC_AUDIT_DATA_INIT(&ad, IPC);
3691         ad.u.ipc_id = ipc_perms->key;
3692
3693         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3694 }
3695
3696 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3697 {
3698         return msg_msg_alloc_security(msg);
3699 }
3700
3701 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3702 {
3703         msg_msg_free_security(msg);
3704 }
3705
3706 /* message queue security operations */
3707 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3708 {
3709         struct task_security_struct *tsec;
3710         struct ipc_security_struct *isec;
3711         struct avc_audit_data ad;
3712         int rc;
3713
3714         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3715         if (rc)
3716                 return rc;
3717
3718         tsec = current->security;
3719         isec = msq->q_perm.security;
3720
3721         AVC_AUDIT_DATA_INIT(&ad, IPC);
3722         ad.u.ipc_id = msq->q_perm.key;
3723
3724         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3725                           MSGQ__CREATE, &ad);
3726         if (rc) {
3727                 ipc_free_security(&msq->q_perm);
3728                 return rc;
3729         }
3730         return 0;
3731 }
3732
3733 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3734 {
3735         ipc_free_security(&msq->q_perm);
3736 }
3737
3738 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3739 {
3740         struct task_security_struct *tsec;
3741         struct ipc_security_struct *isec;
3742         struct avc_audit_data ad;
3743
3744         tsec = current->security;
3745         isec = msq->q_perm.security;
3746
3747         AVC_AUDIT_DATA_INIT(&ad, IPC);
3748         ad.u.ipc_id = msq->q_perm.key;
3749
3750         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3751                             MSGQ__ASSOCIATE, &ad);
3752 }
3753
3754 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3755 {
3756         int err;
3757         int perms;
3758
3759         switch(cmd) {
3760         case IPC_INFO:
3761         case MSG_INFO:
3762                 /* No specific object, just general system-wide information. */
3763                 return task_has_system(current, SYSTEM__IPC_INFO);
3764         case IPC_STAT:
3765         case MSG_STAT:
3766                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3767                 break;
3768         case IPC_SET:
3769                 perms = MSGQ__SETATTR;
3770                 break;
3771         case IPC_RMID:
3772                 perms = MSGQ__DESTROY;
3773                 break;
3774         default:
3775                 return 0;
3776         }
3777
3778         err = ipc_has_perm(&msq->q_perm, perms);
3779         return err;
3780 }
3781
3782 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3783 {
3784         struct task_security_struct *tsec;
3785         struct ipc_security_struct *isec;
3786         struct msg_security_struct *msec;
3787         struct avc_audit_data ad;
3788         int rc;
3789
3790         tsec = current->security;
3791         isec = msq->q_perm.security;
3792         msec = msg->security;
3793
3794         /*
3795          * First time through, need to assign label to the message
3796          */
3797         if (msec->sid == SECINITSID_UNLABELED) {
3798                 /*
3799                  * Compute new sid based on current process and
3800                  * message queue this message will be stored in
3801                  */
3802                 rc = security_transition_sid(tsec->sid,
3803                                              isec->sid,
3804                                              SECCLASS_MSG,
3805                                              &msec->sid);
3806                 if (rc)
3807                         return rc;
3808         }
3809
3810         AVC_AUDIT_DATA_INIT(&ad, IPC);
3811         ad.u.ipc_id = msq->q_perm.key;
3812
3813         /* Can this process write to the queue? */
3814         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3815                           MSGQ__WRITE, &ad);
3816         if (!rc)
3817                 /* Can this process send the message */
3818                 rc = avc_has_perm(tsec->sid, msec->sid,
3819                                   SECCLASS_MSG, MSG__SEND, &ad);
3820         if (!rc)
3821                 /* Can the message be put in the queue? */
3822                 rc = avc_has_perm(msec->sid, isec->sid,
3823                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3824
3825         return rc;
3826 }
3827
3828 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3829                                     struct task_struct *target,
3830                                     long type, int mode)
3831 {
3832         struct task_security_struct *tsec;
3833         struct ipc_security_struct *isec;
3834         struct msg_security_struct *msec;
3835         struct avc_audit_data ad;
3836         int rc;
3837
3838         tsec = target->security;
3839         isec = msq->q_perm.security;
3840         msec = msg->security;
3841
3842         AVC_AUDIT_DATA_INIT(&ad, IPC);
3843         ad.u.ipc_id = msq->q_perm.key;
3844
3845         rc = avc_has_perm(tsec->sid, isec->sid,
3846                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3847         if (!rc)
3848                 rc = avc_has_perm(tsec->sid, msec->sid,
3849                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3850         return rc;
3851 }
3852
3853 /* Shared Memory security operations */
3854 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3855 {
3856         struct task_security_struct *tsec;
3857         struct ipc_security_struct *isec;
3858         struct avc_audit_data ad;
3859         int rc;
3860
3861         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3862         if (rc)
3863                 return rc;
3864
3865         tsec = current->security;
3866         isec = shp->shm_perm.security;
3867
3868         AVC_AUDIT_DATA_INIT(&ad, IPC);
3869         ad.u.ipc_id = shp->shm_perm.key;
3870
3871         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3872                           SHM__CREATE, &ad);
3873         if (rc) {
3874                 ipc_free_security(&shp->shm_perm);
3875                 return rc;
3876         }
3877         return 0;
3878 }
3879
3880 static void selinux_shm_free_security(struct shmid_kernel *shp)
3881 {
3882         ipc_free_security(&shp->shm_perm);
3883 }
3884
3885 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3886 {
3887         struct task_security_struct *tsec;
3888         struct ipc_security_struct *isec;
3889         struct avc_audit_data ad;
3890
3891         tsec = current->security;
3892         isec = shp->shm_perm.security;
3893
3894         AVC_AUDIT_DATA_INIT(&ad, IPC);
3895         ad.u.ipc_id = shp->shm_perm.key;
3896
3897         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3898                             SHM__ASSOCIATE, &ad);
3899 }
3900
3901 /* Note, at this point, shp is locked down */
3902 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3903 {
3904         int perms;
3905         int err;
3906
3907         switch(cmd) {
3908         case IPC_INFO:
3909         case SHM_INFO:
3910                 /* No specific object, just general system-wide information. */
3911                 return task_has_system(current, SYSTEM__IPC_INFO);
3912         case IPC_STAT:
3913         case SHM_STAT:
3914                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3915                 break;
3916         case IPC_SET:
3917                 perms = SHM__SETATTR;
3918                 break;
3919         case SHM_LOCK:
3920         case SHM_UNLOCK:
3921                 perms = SHM__LOCK;
3922                 break;
3923         case IPC_RMID:
3924                 perms = SHM__DESTROY;
3925                 break;
3926         default:
3927                 return 0;
3928         }
3929
3930         err = ipc_has_perm(&shp->shm_perm, perms);
3931         return err;
3932 }
3933
3934 static int selinux_shm_shmat(struct shmid_kernel *shp,
3935                              char __user *shmaddr, int shmflg)
3936 {
3937         u32 perms;
3938         int rc;
3939
3940         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3941         if (rc)
3942                 return rc;
3943
3944         if (shmflg & SHM_RDONLY)
3945                 perms = SHM__READ;
3946         else
3947                 perms = SHM__READ | SHM__WRITE;
3948
3949         return ipc_has_perm(&shp->shm_perm, perms);
3950 }
3951
3952 /* Semaphore security operations */
3953 static int selinux_sem_alloc_security(struct sem_array *sma)
3954 {
3955         struct task_security_struct *tsec;
3956         struct ipc_security_struct *isec;
3957         struct avc_audit_data ad;
3958         int rc;
3959
3960         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3961         if (rc)
3962                 return rc;
3963
3964         tsec = current->security;
3965         isec = sma->sem_perm.security;
3966
3967         AVC_AUDIT_DATA_INIT(&ad, IPC);
3968         ad.u.ipc_id = sma->sem_perm.key;
3969
3970         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3971                           SEM__CREATE, &ad);
3972         if (rc) {
3973                 ipc_free_security(&sma->sem_perm);
3974                 return rc;
3975         }
3976         return 0;
3977 }
3978
3979 static void selinux_sem_free_security(struct sem_array *sma)
3980 {
3981         ipc_free_security(&sma->sem_perm);
3982 }
3983
3984 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3985 {
3986         struct task_security_struct *tsec;
3987         struct ipc_security_struct *isec;
3988         struct avc_audit_data ad;
3989
3990         tsec = current->security;
3991         isec = sma->sem_perm.security;
3992
3993         AVC_AUDIT_DATA_INIT(&ad, IPC);
3994         ad.u.ipc_id = sma->sem_perm.key;
3995
3996         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3997                             SEM__ASSOCIATE, &ad);
3998 }
3999
4000 /* Note, at this point, sma is locked down */
4001 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4002 {
4003         int err;
4004         u32 perms;
4005
4006         switch(cmd) {
4007         case IPC_INFO:
4008         case SEM_INFO:
4009                 /* No specific object, just general system-wide information. */
4010                 return task_has_system(current, SYSTEM__IPC_INFO);
4011         case GETPID:
4012         case GETNCNT:
4013         case GETZCNT:
4014                 perms = SEM__GETATTR;
4015                 break;
4016         case GETVAL:
4017         case GETALL:
4018                 perms = SEM__READ;
4019                 break;
4020         case SETVAL:
4021         case SETALL:
4022                 perms = SEM__WRITE;
4023                 break;
4024         case IPC_RMID:
4025                 perms = SEM__DESTROY;
4026                 break;
4027         case IPC_SET:
4028                 perms = SEM__SETATTR;
4029                 break;
4030         case IPC_STAT:
4031         case SEM_STAT:
4032                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4033                 break;
4034         default:
4035                 return 0;
4036         }
4037
4038         err = ipc_has_perm(&sma->sem_perm, perms);
4039         return err;
4040 }
4041
4042 static int selinux_sem_semop(struct sem_array *sma,
4043                              struct sembuf *sops, unsigned nsops, int alter)
4044 {
4045         u32 perms;
4046
4047         if (alter)
4048                 perms = SEM__READ | SEM__WRITE;
4049         else
4050                 perms = SEM__READ;
4051
4052         return ipc_has_perm(&sma->sem_perm, perms);
4053 }
4054
4055 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4056 {
4057         u32 av = 0;
4058
4059         av = 0;
4060         if (flag & S_IRUGO)
4061                 av |= IPC__UNIX_READ;
4062         if (flag & S_IWUGO)
4063                 av |= IPC__UNIX_WRITE;
4064
4065         if (av == 0)
4066                 return 0;
4067
4068         return ipc_has_perm(ipcp, av);
4069 }
4070
4071 /* module stacking operations */
4072 static int selinux_register_security (const char *name, struct security_operations *ops)
4073 {
4074         if (secondary_ops != original_ops) {
4075                 printk(KERN_INFO "%s:  There is already a secondary security "
4076                        "module registered.\n", __FUNCTION__);
4077                 return -EINVAL;
4078         }
4079
4080         secondary_ops = ops;
4081
4082         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4083                __FUNCTION__,
4084                name);
4085
4086         return 0;
4087 }
4088
4089 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4090 {
4091         if (ops != secondary_ops) {
4092                 printk (KERN_INFO "%s:  trying to unregister a security module "
4093                         "that is not registered.\n", __FUNCTION__);
4094                 return -EINVAL;
4095         }
4096
4097         secondary_ops = original_ops;
4098
4099         return 0;
4100 }
4101
4102 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4103 {
4104         if (inode)
4105                 inode_doinit_with_dentry(inode, dentry);
4106 }
4107
4108 static int selinux_getprocattr(struct task_struct *p,
4109                                char *name, void *value, size_t size)
4110 {
4111         struct task_security_struct *tsec;
4112         u32 sid, len;
4113         char *context;
4114         int error;
4115
4116         if (current != p) {
4117                 error = task_has_perm(current, p, PROCESS__GETATTR);
4118                 if (error)
4119                         return error;
4120         }
4121
4122         if (!size)
4123                 return -ERANGE;
4124
4125         tsec = p->security;
4126
4127         if (!strcmp(name, "current"))
4128                 sid = tsec->sid;
4129         else if (!strcmp(name, "prev"))
4130                 sid = tsec->osid;
4131         else if (!strcmp(name, "exec"))
4132                 sid = tsec->exec_sid;
4133         else if (!strcmp(name, "fscreate"))
4134                 sid = tsec->create_sid;
4135         else
4136                 return -EINVAL;
4137
4138         if (!sid)
4139                 return 0;
4140
4141         error = security_sid_to_context(sid, &context, &len);
4142         if (error)
4143                 return error;
4144         if (len > size) {
4145                 kfree(context);
4146                 return -ERANGE;
4147         }
4148         memcpy(value, context, len);
4149         kfree(context);
4150         return len;
4151 }
4152
4153 static int selinux_setprocattr(struct task_struct *p,
4154                                char *name, void *value, size_t size)
4155 {
4156         struct task_security_struct *tsec;
4157         u32 sid = 0;
4158         int error;
4159         char *str = value;
4160
4161         if (current != p) {
4162                 /* SELinux only allows a process to change its own
4163                    security attributes. */
4164                 return -EACCES;
4165         }
4166
4167         /*
4168          * Basic control over ability to set these attributes at all.
4169          * current == p, but we'll pass them separately in case the
4170          * above restriction is ever removed.
4171          */
4172         if (!strcmp(name, "exec"))
4173                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4174         else if (!strcmp(name, "fscreate"))
4175                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4176         else if (!strcmp(name, "current"))
4177                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4178         else
4179                 error = -EINVAL;
4180         if (error)
4181                 return error;
4182
4183         /* Obtain a SID for the context, if one was specified. */
4184         if (size && str[1] && str[1] != '\n') {
4185                 if (str[size-1] == '\n') {
4186                         str[size-1] = 0;
4187                         size--;
4188                 }
4189                 error = security_context_to_sid(value, size, &sid);
4190                 if (error)
4191                         return error;
4192         }
4193
4194         /* Permission checking based on the specified context is
4195            performed during the actual operation (execve,
4196            open/mkdir/...), when we know the full context of the
4197            operation.  See selinux_bprm_set_security for the execve
4198            checks and may_create for the file creation checks. The
4199            operation will then fail if the context is not permitted. */
4200         tsec = p->security;
4201         if (!strcmp(name, "exec"))
4202                 tsec->exec_sid = sid;
4203         else if (!strcmp(name, "fscreate"))
4204                 tsec->create_sid = sid;
4205         else if (!strcmp(name, "current")) {
4206                 struct av_decision avd;
4207
4208                 if (sid == 0)
4209                         return -EINVAL;
4210
4211                 /* Only allow single threaded processes to change context */
4212                 if (atomic_read(&p->mm->mm_users) != 1) {
4213                         struct task_struct *g, *t;
4214                         struct mm_struct *mm = p->mm;
4215                         read_lock(&tasklist_lock);
4216                         do_each_thread(g, t)
4217                                 if (t->mm == mm && t != p) {
4218                                         read_unlock(&tasklist_lock);
4219                                         return -EPERM;
4220                                 }
4221                         while_each_thread(g, t);
4222                         read_unlock(&tasklist_lock);
4223                 }
4224
4225                 /* Check permissions for the transition. */
4226                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4227                                      PROCESS__DYNTRANSITION, NULL);
4228                 if (error)
4229                         return error;
4230
4231                 /* Check for ptracing, and update the task SID if ok.
4232                    Otherwise, leave SID unchanged and fail. */
4233                 task_lock(p);
4234                 if (p->ptrace & PT_PTRACED) {
4235                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4236                                                      SECCLASS_PROCESS,
4237                                                      PROCESS__PTRACE, &avd);
4238                         if (!error)
4239                                 tsec->sid = sid;
4240                         task_unlock(p);
4241                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4242                                   PROCESS__PTRACE, &avd, error, NULL);
4243                         if (error)
4244                                 return error;
4245                 } else {
4246                         tsec->sid = sid;
4247                         task_unlock(p);
4248                 }
4249         }
4250         else
4251                 return -EINVAL;
4252
4253         return size;
4254 }
4255
4256 static struct security_operations selinux_ops = {
4257         .ptrace =                       selinux_ptrace,
4258         .capget =                       selinux_capget,
4259         .capset_check =                 selinux_capset_check,
4260         .capset_set =                   selinux_capset_set,
4261         .sysctl =                       selinux_sysctl,
4262         .capable =                      selinux_capable,
4263         .quotactl =                     selinux_quotactl,
4264         .quota_on =                     selinux_quota_on,
4265         .syslog =                       selinux_syslog,
4266         .vm_enough_memory =             selinux_vm_enough_memory,
4267
4268         .netlink_send =                 selinux_netlink_send,
4269         .netlink_recv =                 selinux_netlink_recv,
4270
4271         .bprm_alloc_security =          selinux_bprm_alloc_security,
4272         .bprm_free_security =           selinux_bprm_free_security,
4273         .bprm_apply_creds =             selinux_bprm_apply_creds,
4274         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4275         .bprm_set_security =            selinux_bprm_set_security,
4276         .bprm_check_security =          selinux_bprm_check_security,
4277         .bprm_secureexec =              selinux_bprm_secureexec,
4278
4279         .sb_alloc_security =            selinux_sb_alloc_security,
4280         .sb_free_security =             selinux_sb_free_security,
4281         .sb_copy_data =                 selinux_sb_copy_data,
4282         .sb_kern_mount =                selinux_sb_kern_mount,
4283         .sb_statfs =                    selinux_sb_statfs,
4284         .sb_mount =                     selinux_mount,
4285         .sb_umount =                    selinux_umount,
4286
4287         .inode_alloc_security =         selinux_inode_alloc_security,
4288         .inode_free_security =          selinux_inode_free_security,
4289         .inode_create =                 selinux_inode_create,
4290         .inode_post_create =            selinux_inode_post_create,
4291         .inode_link =                   selinux_inode_link,
4292         .inode_post_link =              selinux_inode_post_link,
4293         .inode_unlink =                 selinux_inode_unlink,
4294         .inode_symlink =                selinux_inode_symlink,
4295         .inode_post_symlink =           selinux_inode_post_symlink,
4296         .inode_mkdir =                  selinux_inode_mkdir,
4297         .inode_post_mkdir =             selinux_inode_post_mkdir,
4298         .inode_rmdir =                  selinux_inode_rmdir,
4299         .inode_mknod =                  selinux_inode_mknod,
4300         .inode_post_mknod =             selinux_inode_post_mknod,
4301         .inode_rename =                 selinux_inode_rename,
4302         .inode_post_rename =            selinux_inode_post_rename,
4303         .inode_readlink =               selinux_inode_readlink,
4304         .inode_follow_link =            selinux_inode_follow_link,
4305         .inode_permission =             selinux_inode_permission,
4306         .inode_setattr =                selinux_inode_setattr,
4307         .inode_getattr =                selinux_inode_getattr,
4308         .inode_setxattr =               selinux_inode_setxattr,
4309         .inode_post_setxattr =          selinux_inode_post_setxattr,
4310         .inode_getxattr =               selinux_inode_getxattr,
4311         .inode_listxattr =              selinux_inode_listxattr,
4312         .inode_removexattr =            selinux_inode_removexattr,
4313         .inode_getsecurity =            selinux_inode_getsecurity,
4314         .inode_setsecurity =            selinux_inode_setsecurity,
4315         .inode_listsecurity =           selinux_inode_listsecurity,
4316
4317         .file_permission =              selinux_file_permission,
4318         .file_alloc_security =          selinux_file_alloc_security,
4319         .file_free_security =           selinux_file_free_security,
4320         .file_ioctl =                   selinux_file_ioctl,
4321         .file_mmap =                    selinux_file_mmap,
4322         .file_mprotect =                selinux_file_mprotect,
4323         .file_lock =                    selinux_file_lock,
4324         .file_fcntl =                   selinux_file_fcntl,
4325         .file_set_fowner =              selinux_file_set_fowner,
4326         .file_send_sigiotask =          selinux_file_send_sigiotask,
4327         .file_receive =                 selinux_file_receive,
4328
4329         .task_create =                  selinux_task_create,
4330         .task_alloc_security =          selinux_task_alloc_security,
4331         .task_free_security =           selinux_task_free_security,
4332         .task_setuid =                  selinux_task_setuid,
4333         .task_post_setuid =             selinux_task_post_setuid,
4334         .task_setgid =                  selinux_task_setgid,
4335         .task_setpgid =                 selinux_task_setpgid,
4336         .task_getpgid =                 selinux_task_getpgid,
4337         .task_getsid =                  selinux_task_getsid,
4338         .task_setgroups =               selinux_task_setgroups,
4339         .task_setnice =                 selinux_task_setnice,
4340         .task_setrlimit =               selinux_task_setrlimit,
4341         .task_setscheduler =            selinux_task_setscheduler,
4342         .task_getscheduler =            selinux_task_getscheduler,
4343         .task_kill =                    selinux_task_kill,
4344         .task_wait =                    selinux_task_wait,
4345         .task_prctl =                   selinux_task_prctl,
4346         .task_reparent_to_init =        selinux_task_reparent_to_init,
4347         .task_to_inode =                selinux_task_to_inode,
4348
4349         .ipc_permission =               selinux_ipc_permission,
4350
4351         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4352         .msg_msg_free_security =        selinux_msg_msg_free_security,
4353
4354         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4355         .msg_queue_free_security =      selinux_msg_queue_free_security,
4356         .msg_queue_associate =          selinux_msg_queue_associate,
4357         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4358         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4359         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4360
4361         .shm_alloc_security =           selinux_shm_alloc_security,
4362         .shm_free_security =            selinux_shm_free_security,
4363         .shm_associate =                selinux_shm_associate,
4364         .shm_shmctl =                   selinux_shm_shmctl,
4365         .shm_shmat =                    selinux_shm_shmat,
4366
4367         .sem_alloc_security =           selinux_sem_alloc_security,
4368         .sem_free_security =            selinux_sem_free_security,
4369         .sem_associate =                selinux_sem_associate,
4370         .sem_semctl =                   selinux_sem_semctl,
4371         .sem_semop =                    selinux_sem_semop,
4372
4373         .register_security =            selinux_register_security,
4374         .unregister_security =          selinux_unregister_security,
4375
4376         .d_instantiate =                selinux_d_instantiate,
4377
4378         .getprocattr =                  selinux_getprocattr,
4379         .setprocattr =                  selinux_setprocattr,
4380
4381 #ifdef CONFIG_SECURITY_NETWORK
4382         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4383         .unix_may_send =                selinux_socket_unix_may_send,
4384
4385         .socket_create =                selinux_socket_create,
4386         .socket_post_create =           selinux_socket_post_create,
4387         .socket_bind =                  selinux_socket_bind,
4388         .socket_connect =               selinux_socket_connect,
4389         .socket_listen =                selinux_socket_listen,
4390         .socket_accept =                selinux_socket_accept,
4391         .socket_sendmsg =               selinux_socket_sendmsg,
4392         .socket_recvmsg =               selinux_socket_recvmsg,
4393         .socket_getsockname =           selinux_socket_getsockname,
4394         .socket_getpeername =           selinux_socket_getpeername,
4395         .socket_getsockopt =            selinux_socket_getsockopt,
4396         .socket_setsockopt =            selinux_socket_setsockopt,
4397         .socket_shutdown =              selinux_socket_shutdown,
4398         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4399         .socket_getpeersec =            selinux_socket_getpeersec,
4400         .sk_alloc_security =            selinux_sk_alloc_security,
4401         .sk_free_security =             selinux_sk_free_security,
4402 #endif
4403 };
4404
4405 static __init int selinux_init(void)
4406 {
4407         struct task_security_struct *tsec;
4408
4409         if (!selinux_enabled) {
4410                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4411                 return 0;
4412         }
4413
4414         printk(KERN_INFO "SELinux:  Initializing.\n");
4415
4416         /* Set the security state for the initial task. */
4417         if (task_alloc_security(current))
4418                 panic("SELinux:  Failed to initialize initial task.\n");
4419         tsec = current->security;
4420         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4421
4422         avc_init();
4423
4424         original_ops = secondary_ops = security_ops;
4425         if (!secondary_ops)
4426                 panic ("SELinux: No initial security operations\n");
4427         if (register_security (&selinux_ops))
4428                 panic("SELinux: Unable to register with kernel.\n");
4429
4430         if (selinux_enforcing) {
4431                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4432         } else {
4433                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4434         }
4435         return 0;
4436 }
4437
4438 void selinux_complete_init(void)
4439 {
4440         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4441
4442         /* Set up any superblocks initialized prior to the policy load. */
4443         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4444         spin_lock(&sb_security_lock);
4445 next_sb:
4446         if (!list_empty(&superblock_security_head)) {
4447                 struct superblock_security_struct *sbsec =
4448                                 list_entry(superblock_security_head.next,
4449                                            struct superblock_security_struct,
4450                                            list);
4451                 struct super_block *sb = sbsec->sb;
4452                 spin_lock(&sb_lock);
4453                 sb->s_count++;
4454                 spin_unlock(&sb_lock);
4455                 spin_unlock(&sb_security_lock);
4456                 down_read(&sb->s_umount);
4457                 if (sb->s_root)
4458                         superblock_doinit(sb, NULL);
4459                 drop_super(sb);
4460                 spin_lock(&sb_security_lock);
4461                 list_del_init(&sbsec->list);
4462                 goto next_sb;
4463         }
4464         spin_unlock(&sb_security_lock);
4465 }
4466
4467 /* SELinux requires early initialization in order to label
4468    all processes and objects when they are created. */
4469 security_initcall(selinux_init);
4470
4471 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4472
4473 static struct nf_hook_ops selinux_ipv4_op = {
4474         .hook =         selinux_ipv4_postroute_last,
4475         .owner =        THIS_MODULE,
4476         .pf =           PF_INET,
4477         .hooknum =      NF_IP_POST_ROUTING,
4478         .priority =     NF_IP_PRI_SELINUX_LAST,
4479 };
4480
4481 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4482
4483 static struct nf_hook_ops selinux_ipv6_op = {
4484         .hook =         selinux_ipv6_postroute_last,
4485         .owner =        THIS_MODULE,
4486         .pf =           PF_INET6,
4487         .hooknum =      NF_IP6_POST_ROUTING,
4488         .priority =     NF_IP6_PRI_SELINUX_LAST,
4489 };
4490
4491 #endif  /* IPV6 */
4492
4493 static int __init selinux_nf_ip_init(void)
4494 {
4495         int err = 0;
4496
4497         if (!selinux_enabled)
4498                 goto out;
4499                 
4500         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4501         
4502         err = nf_register_hook(&selinux_ipv4_op);
4503         if (err)
4504                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4505
4506 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4507
4508         err = nf_register_hook(&selinux_ipv6_op);
4509         if (err)
4510                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4511
4512 #endif  /* IPV6 */
4513 out:
4514         return err;
4515 }
4516
4517 __initcall(selinux_nf_ip_init);
4518
4519 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4520 static void selinux_nf_ip_exit(void)
4521 {
4522         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4523
4524         nf_unregister_hook(&selinux_ipv4_op);
4525 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4526         nf_unregister_hook(&selinux_ipv6_op);
4527 #endif  /* IPV6 */
4528 }
4529 #endif
4530
4531 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4532
4533 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4534 #define selinux_nf_ip_exit()
4535 #endif
4536
4537 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4538
4539 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4540 int selinux_disable(void)
4541 {
4542         extern void exit_sel_fs(void);
4543         static int selinux_disabled = 0;
4544
4545         if (ss_initialized) {
4546                 /* Not permitted after initial policy load. */
4547                 return -EINVAL;
4548         }
4549
4550         if (selinux_disabled) {
4551                 /* Only do this once. */
4552                 return -EINVAL;
4553         }
4554
4555         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4556
4557         selinux_disabled = 1;
4558
4559         /* Reset security_ops to the secondary module, dummy or capability. */
4560         security_ops = secondary_ops;
4561
4562         /* Unregister netfilter hooks. */
4563         selinux_nf_ip_exit();
4564
4565         /* Unregister selinuxfs. */
4566         exit_sel_fs();
4567
4568         return 0;
4569 }
4570 #endif
4571
4572